Internal Revenue Service: Status of GAO Financial Audit and	 
Related Financial Management Report Recommendations (07-JUN-07,  
GAO-07-629).							 
                                                                 
In its role as the nation's tax collector, the Internal Revenue  
Service (IRS) has a demanding responsibility in annually	 
collecting over $2 trillion in taxes, processing hundreds of	 
millions of tax and information returns, and enforcing the	 
nation's tax laws. Since its first audit of IRS's financial	 
statements in fiscal year 1992, GAO has identified a number of	 
weaknesses in IRS's financial management operations. In related  
reports, GAO has recommended corrective action to address those  
weaknesses. Each year, as part of the annual audit of IRS's	 
financial statements, GAO not only makes recommendations to	 
address any new weaknesses identified but also follows up on the 
status of weaknesses GAO identified in previous years' audits.	 
The purpose of this report is to (1) assist IRS management in	 
tracking the status of audit recommendations and actions needed  
to fully address them and (2) demonstrate how the recommendations
relate to control activities central to IRS's mission and goals. 
GAO is making no new recommendations in this report.		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-629 					        
    ACCNO:   A70426						        
  TITLE:     Internal Revenue Service: Status of GAO Financial Audit  
and Related Financial Management Report Recommendations 	 
     DATE:   06/07/2007 
  SUBJECT:   Accountability					 
	     Accounting procedures				 
	     Auditing procedures				 
	     Data integrity					 
	     Financial management				 
	     Financial management systems			 
	     Financial records					 
	     Financial statements				 
	     Internal audits					 
	     Internal controls					 
	     Tax administration systems 			 
	     Corrective action					 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-629

   

     * [1]Results in Brief
     * [2]Background
     * [3]Scope and Methodology
     * [4]IRS's Progress on Financial Management Recommendations

          * [5]Status of Recommendations Based on the Fiscal Year 2006 Fina

     * [6]Open Recommendations Grouped by Control Activity

          * [7]Safeguarding of Assets and Security Activities
          * [8]Proper Recording and Documenting of Transactions
          * [9]Effective Management Review and Oversight

     * [10]Concluding Observations
     * [11]Agency Comments and Our Evaluation
     * [12]Appendix I: Status of GAO Recommendations from IRS Financial
     * [13]Appendix II: Comments from the Internal Revenue Service
     * [14]Appendix III: Staff Acknowledgments

          * [15]Acknowledgments

               * [16]Order by Mail or Phone

Report to the Acting Commissioner of Internal Revenue

United States Government Accountability Office

GAO

June 2007

INTERNAL REVENUE SERVICE

Status of GAO Financial Audit and Related Financial Management Report
Recommendations

GAO-07-629

Contents

Letter 1

Results in Brief 3
Background 4
Scope and Methodology 6
IRS's Progress on Financial Management Recommendations 7
Open Recommendations Grouped by Control Activity 9
Concluding Observations 27
Agency Comments and Our Evaluation 27
Appendix I Status of GAO Recommendations from IRS Financial Audits and
Related Management Reports 29
Appendix II Comments from the Internal Revenue Service 81
Appendix III Staff Acknowledgments 82

Tables

Table 1: Summary of Open Recommendations 11
Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets 13
Table 3: Recommendations to Improve IRS's Segregation of Duties 15
Table 4: Recommendation to Improve IRS's Controls over Information
Processing 16
Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records 17
Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control 18
Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of
Transactions and Events 20
Table 8: Recommendation to Improve IRS's Execution of Transaction and
Events 22
Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level 23
Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators 26
Table 11: Recommendations to Improve IRS's Management of Human Capital 27

Abbreviations

ALS Automated Lien System AM accounts management
ATFR Automated Trust Fund Recovery
AUR Automated Under Reporter
AWSS Agency-Wide Shared Services
BPMS Business Performance Management System
CCTV closed-circuit television
CDDB Custodial Detail Data Base
CFO chief financial officer
COTR contracting officer's technical representative
DCI data collection instrument
FA Field Assistance
FC field coordinator
FISCAM Federal Information System Controls Audit Manual
FISMA Federal Information Security Management Act of 2002
FMFIA Federal Managers' Financial Integrity Act of 1982
FMIS Financial Management Information System
FMS Financial Management Service
IAR initial account representative
IDRS Integrated Data Retrieval System
IFS Integrated Financial System
IRACS Interim Revenue and Accounting Control System
IRM Internal Revenue Manual
IRS Internal Revenue Service
JFMIP Joint Financial Management Improvement Project
LEB Lockbox Electronic Bulletin
LEM Security Law Enforcement Manual
LFC lockbox field coordinators
LMSB Large and Mid-sized Business
LPG Lockbox Processing Guidelines
LSG Lockbox Security Guide
MA Mission Assurance
MITS Modernization & Information Technology Services
MOU Memorandum of Understanding
NBIC National Background Investigations Center
NFC National Finance Center
OMB Office of Management and Budget
P&E property and equipment
PSEP Physical Security and Emergency Preparedness Office
REFM Real Estate and Facilities Management
SB/SE Small Business/Self-Employed
SCC service center campus
SERP Service-wide Electronic Research Program
SETS Security Entry and Tracking System
SP Submission Processing
SPC submission processing center
SS Security Services
TAC taxpayer assistance center
TE/GE Tax Exempt and Government Entities
TFRP Trust Fund Recovery Penalty
TGA Treasury's General Account
TIGTA Treasury Inspector General for Tax Administration
USR unit security representative
USSGL United States Government Standard General Ledger
W&I Wage and Investment

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office
Washington, DC 20548

June 7, 2007

The Honorable Kevin M. Brown
Acting Commissioner of Internal Revenue

Dear Mr. Brown:

In its role as the nation's tax collector, the Internal Revenue Service
(IRS) has a demanding responsibility to collect taxes, process tax
returns, and enforce the nation's tax laws. In fiscal year 2006, IRS
collected about $2.5 trillion in tax payments, processed hundreds of
millions of tax and information returns, and paid about $277 billion in
refunds to taxpayers. Because of its role and overall mission, IRS's
activities touch on virtually all of the nation's citizens. It is
therefore critical that the agency strive to maintain sound financial
management practices. In its role as the nation's tax collector, the
Internal Revenue Service (IRS) has a demanding responsibility to collect
taxes, process tax returns, and enforce the nation's tax laws. In fiscal
year 2006, IRS collected about $2.5 trillion in tax payments, processed
hundreds of millions of tax and information returns, and paid about $277
billion in refunds to taxpayers. Because of its role and overall mission,
IRS's activities touch on virtually all of the nation's citizens. It is
therefore critical that the agency strive to maintain sound financial
management practices.

IRS has made much progress in improving its financial management since it
was first required to prepare and have audited a set of financial
statements in fiscal year 1992. This progress was reflected in its ability
to obtain and maintain a clean audit opinion on its financial statements
each year beginning in fiscal year 2000, and to correct several material
internal control weaknesses over the years and make many other
improvements in internal control. At the same time, more remains to be
done to address long-standing internal control issues that continue to
plague the agency. IRS continues to have weak or ineffective internal
controls over fundamental elements of its operations that leave it
vulnerable to a greater risk of fraud, waste, abuse, and mismanagement.
This, in turn, has the potential to impact the lives of the nation's
taxpayers, as our audits over the years have demonstrated. IRS has made
much progress in improving its financial management since it was first
required to prepare and have audited a set of financial statements in
fiscal year 1992. This progress was reflected in its ability to obtain and
maintain a clean audit opinion on its financial statements each year
beginning in fiscal year 2000, and to correct several material internal
control weaknesses over the years and make many other improvements in
internal control. At the same time, more remains to be done to address
long-standing internal control issues that continue to plague the agency.
IRS continues to have weak or ineffective internal controls over
fundamental elements of its operations that leave it vulnerable to a
greater risk of fraud, waste, abuse, and mismanagement. This, in turn, has
the potential to impact the lives of the nation's taxpayers, as our audits
over the years have demonstrated.

An agency's internal control environment serves as the first line of
defense in safeguarding its assets and in preventing and detecting errors
and fraud, as well as in helping to effectively manage its stewardship
over public An agency's internal control environment serves as the first
line of defense in safeguarding its assets and in preventing and detecting
errors and fraud, as well as in helping to effectively manage its
stewardship over public resources.^1 Unfortunately, IRS continues to be
challenged with several long-standing material weaknesses in internal
control that are at the heart of IRS's operations.^2 During our audit of
IRS's fiscal year 2006 financial statements, we continued to find material
weaknesses in controls over

           o financial reporting (including safeguarding of assets),
           o unpaid tax assessments,
           o identifying and collecting tax revenues due and issuing tax
           refunds, and
           o information systems security.

           In addition to the material weaknesses, we continued to identify a
           reportable condition involving controls over hard-copy tax
           receipts and taxpayer data, which increase the government's and
           taxpayer's risk of loss or inappropriate disclosure of taxpayer
           data.
			  
^1Management is responsible for establishing and maintaining internal
control to achieve the objectives of effective and efficient operations,
reliable financial reporting, and compliance with applicable laws and
regulations. Part of the actions required by agencies and individual
federal managers includes taking proactive measures to develop and
implement appropriate, cost-effective internal control for
results-oriented management; to assess the adequacy of internal control in
federal programs and operations; to identify needed improvements; and to
take corresponding corrective actions.

^2Prior to December 15, 2006, a material weakness was defined as a
reportable condition that precludes the entity's internal controls from
providing reasonable assurance that material misstatements in the
financial statements would be prevented or detected on a timely basis.
Reportable conditions represent significant deficiencies in the design or
operation of internal controls that could adversely affect an entity's
ability to initiate, authorize, record, process, or report financial data
reliably. In May 2006, the American Institute of Certified Public
Accountants (AICPA) issued the Statement on Auditing Standard (SAS) 112,
which became effective for audits of financial statements for periods
ending on or after December 15, 2006. SAS 112 established standards and
provides guidance on the auditor's responsibilities for identifying,
evaluating, and communicating matters related to an entity's internal
control over financial reporting identified in an audit of financial
statements. Under the new SAS, the auditor is required to communicate
control deficiencies that are significant deficiencies or material
weaknesses in internal controls. A control deficiency, which is a new term
under SAS 112, exists when the design or operation of a control does not
allow management or employees, in the course of performing their assigned
functions, to prevent or detect misstatements on a timely basis. A
material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected. A significant deficiency is a control deficiency,
or combination of deficiencies, that adversely affects the entity's
ability to initiate, authorize, record, process, or report financial data
reliably in accordance with generally accepted accounting principles such
that there is more than a remote likelihood that a misstatement of the
entity's financial statements that is more than inconsequential will not
be prevented or detected. As a result of SAS 112, the term reportable
condition is no longer used.

           To assist IRS in strengthening its internal controls and improving
           its operations, we have made numerous recommendations as part of
           our annual financial statement audits and other financial
           management-related work at IRS. This report is being provided to
           you to (1) assist IRS management in tracking the status of
           financial audit and financial management-related recommendations
           and the actions needed to address them and (2) demonstrate how the
           recommendations relate to control activities central to IRS's
           mission and goals. We are making no new recommendations in this
           report.
			  
           We conducted our review from December 2006 through April 2007 in
           accordance with U. S. generally accepted government auditing
           standards.
			  
  			  Results in Brief

           IRS management continues to make progress in addressing many of
           the internal control issues that challenge the agency. IRS's
           actions have enabled us to close over 200 financial
           management-related recommendations over the years since our first
           audit of its financial statements in 1992. At the beginning of the
           fiscal year 2006 IRS financial statement audit, 72 financial
           management-related recommendations from prior audits remained
           open. During the fiscal year 2006 financial statement audit, IRS
           took actions to effectively address issues that gave rise to
           numerous recommendations, enabling us to close 25 of those
           recommendations. Thus, 47 recommendations remained open from prior
           years' audits at the end of fiscal year 2006. In addition, during
           our fiscal year 2006 financial audit, we made 28 new
           recommendations to address newly identified issues. As a result, a
           total of 75 recommendations to address IRS's internal control
           issues remain open.

           In analyzing the nature of these open financial management
           recommendations, we determined that 19 recommendations (25
           percent) relate to issues associated with IRS's lack of effective
           controls over safeguarding assets and security activities. Another
           33 recommendations (approximately 44 percent) relate to issues
           associated with IRS's inability to properly record and document
           transactions. The remaining 23 recommendations (31 percent) relate
           to issues associated with lack of effective management review and
           oversight. Effectively and fully addressing these open
           recommendations would greatly assist IRS in improving its internal
           controls and achieving sound financial management.

           In commenting on a draft of this report, IRS expressed its
           appreciation for our acknowledgement of the agency's progress in
           addressing its financial management challenges as evidence by our
           closure of 25 of the 72 open financial management recommendations
           from last year's report. We have reprinted IRS's written comments
           in appendix II.
			  
			  Background

           Internal control is not one event, but a series of actions and
           activities that occur throughout an entity's operations and on an
           ongoing basis. Internal control should be recognized as an
           integral part of each system that management uses to regulate and
           guide its operations rather than as a separate system within an
           agency. In this sense, internal control is management control that
           is built into the entity as a part of its infrastructure to help
           managers run the entity and achieve their goals on an ongoing
           basis.

           Section 3512 (c), (d) of Title 31, U.S. Code (commonly known as
           the Federal Managers' Financial Integrity Act of 1982 (FMFIA)),
           requires agencies to establish and maintain internal control. The
           agency head must annually evaluate and report on the control and
           financial systems that protect the integrity of federal programs.
           The requirements of FMFIA serve as an umbrella under which other
           reviews, evaluations, and audits should be coordinated and
           considered to support management's assertion about the
           effectiveness of internal control over operations, financial
           reporting, and compliance with laws and regulations.

           Office of Management and Budget (OMB) Circular No. A-123,
           "Management's Responsibility for Internal Control" (revised Dec.
           21, 2004), provides the implementing guidance for FMFIA, and sets
           out the specific requirements for assessing and reporting on
           internal controls^3 consistent with the internal control standards
           issued by the Comptroller General of the United States.^4 The
           circular, which was revised in 2004 with the revisions effective
           for fiscal year 2006, defines management's responsibilities
           related to internal control and the process for assessing internal
           control effectiveness, and provides specific requirements for
           conducting management's assessment of the effectiveness of
           internal control over financial reporting. The circular requires
           management to annually provide assurances on internal control in
           its Performance and Accountability Report, and for the 24 Chief
           Financial Officers (CFO) Act agencies to include a separate
           assurance on internal control over financial reporting, along with
           a report on identified material weaknesses and corrective
           actions.^5 The circular also emphasizes the need for integrated
           and coordinated internal control assessments that synchronize all
           internal control-related activities.

^3The circular was revised in December 2004. The circular states that the
revision followed a reexamination of the existing internal control
requirements for federal agencies that was initiated in light of the new
internal control requirements for publicly traded companies contained in
the Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (July
30, 2002).

^4GAO, Standards for Internal Control in the Federal Government,
[18]GAO/AIMD-00-21 .3.1 (November 1999).

           FMFIA requires GAO to issue standards for internal control in the
           federal government. GAO's Standards for Internal Control in the
           Federal Government provides the overall framework for establishing
           and maintaining internal control and for identifying and
           addressing major performance and management challenges and areas
           at greatest risk of fraud, waste, abuse, and mismanagement.

           As summarized in GAO's Standards for Internal Control in the
           Federal Government, the minimum level of quality acceptable for
           internal control in the government is defined by the following
           five standards, which also provide the basis against which
           internal controls are to be evaluated:

           o Control environment: Management and employees should establish
           and maintain an environment throughout the organization that sets
           a positive and supportive attitude toward internal control and
           conscientious management.
           o Risk assessment: Internal control should provide for an
           assessment of the risks the agency faces from both external and
           internal sources.
           o Control activities: Internal control activities help ensure that
           management's directives are carried out. The control activities
           should be effective and efficient in accomplishing the agency's
           control objectives.
           o Information and communications: Information should be recorded
           and communicated to management and others within the entity who
           need it and in a form and within a time frame that enables them to
           carry out their internal control and other responsibilities.

^5The circular requires agencies and individual federal managers to take
systematic and proactive measures to (1) develop and implement
appropriate, cost-effective internal control for results-oriented
management; (2) assess the adequacy of internal control in federal
programs and operations; (3) separately assess and document internal
control over financial reporting consistent with the process defined in
Appendix A of the circular; (4) identify needed improvements; (5) take
corresponding corrective action; and (6) report annually on internal

           o Monitoring: Internal control monitoring should assess the
           quality of performance over time and ensure that the findings of
           audits and other reviews are promptly resolved.

           The third control standard--internal control activities--helps
           ensure that management's directives are carried out. Control
           activities are the policies, procedures, techniques, and
           mechanisms that enforce management's directives. In other words,
           they are the activities conducted in the everyday course of
           business that accomplish a control objective, such as ensuring IRS
           employees successfully complete background checks prior to being
           granted access to taxpayer information and receipts. As such,
           control activities are an integral part of an entity's planning,
           implementing, reviewing, and accountability for stewardship of
           government resources and achievement of effective results.

           A key objective in our annual audits of IRS's financial statements
           is to obtain reasonable assurance about whether IRS maintained
           effective internal controls with respect to financial reporting,
           including safeguarding of assets, and compliance with laws and
           regulations. While all five internal control standards are
           critical and are used by us as a basis for evaluating the
           effectiveness of IRS's internal controls, we place a heavy
           emphasis on testing control activities. This has resulted in the
           identification of issues in certain internal controls over the
           years and recommendations for corrective action.
			  
			  Scope and Methodology

           To accomplish our objectives, we evaluated the effectiveness of
           IRS's corrective actions implemented in response to open
           recommendations during fiscal year 2006 as part of our fiscal
           years 2006 and 2005 financial audits. To determine the current
           status of the recommendations, we (1) obtained the status of each
           recommendation and corrective action taken or planned as of April
           2007, as reported to us by IRS and (2) compared IRS's assessment
           to our fiscal year 2006 audit findings to identify any differences
           between IRS's and our conclusions regarding the status of each
           recommendation.

           In order to determine how these recommendations fit within IRS's
           management and internal control structure, we compared the open
           recommendations, and the issues that gave rise to them, to the
           control activities listed in GAO's Standards for Internal Control
           in the Federal Government and to the list of major factors and
           examples outlined in our Internal Control Management and
           Evaluation Tool.^6 We also considered how the recommendations and
           the underlying issues were categorized in our prior reports,
           whether IRS had addressed, in whole or in part, the underlying
           control issues that gave rise to the recommendations, and other
           legal requirements and implementing guidance, such as OMB Circular
           No. A-123; FMFIA; and the Federal Information System Controls
           Audit Manual (FISCAM), [17]GAO/AIMD-12.19.6 (revised June 2001).

           We conducted our review from December 2006 through April 2007 in
           accordance with U. S. generally accepted government auditing
           standards. We requested comments on a draft of this report from
           the Commissioner of Internal Revenue or his designee on May 7,
           2007. We received comments from IRS on May 18, 2007.
			  
			  IRS's Progress on Financial Management Recommendations

           IRS continues to make progress on addressing its significant
           financial management challenges. Over the years since we first
           began auditing IRS's financial statements in fiscal year 1992, we
           have closed out over 200 financial management-related
           recommendations we made based on actions IRS has taken to improve
           its internal controls and operational efficiency. This includes 25
           recommendations we are closing based on actions IRS took during
           the period covered by our fiscal year 2006 financial audit. At the
           same time, however, our audits continue to identify internal
           control issues, resulting in our making further recommendations
           for corrective action, including 28 new financial
           management-related recommendations resulting from our fiscal year
           2006 financial audit. These internal control issues, and the
           resulting recommendations, can be directly traced to the control
           activities in GAO's Standards for Internal Control in the Federal
           Government. As such, it is essential that they be fully addressed
           and resolved to strengthen IRS's overall financial management and
           to assist it in achieving its goals and mission.

^6GAO, Internal Control Standards: Internal Control Management and
Evaluation Tool, [19]GAO-01-1008G (Washington, D.C.: August 2001).

           Status of Recommendations Based on the Fiscal Year 2006 Financial
			  Statement Audit

           In June 2006, we issued a report on the status of IRS's efforts to
           implement corrective actions to address financial management
           recommendations stemming from our fiscal year 2005 and prior year
           financial audits and other financial management-related work.^7 In
           that report, we identified 72 audit recommendations that at that
           time remained open and thus required corrective action by IRS. A
           significant number of these recommendations had been open for
           several years, either because IRS had not taken corrective action
           or because the actions taken had not fully and effectively
           resolved the issues that gave rise to the recommendations.

           IRS continued to work to address many of the internal control
           issues to which these open recommendations relate. In the course
           of performing our fiscal year 2006 financial audit, we identified
           numerous actions IRS took to address many of its internal control
           issues. On the basis of IRS's actions, which we were able to
           substantiate through our audit, we are able to close 25 of these
           prior years' recommendations. IRS considers another 26 of the
           prior years' recommendations to be effectively addressed. However,
           we still consider them to be open either because we had not yet
           been able to verify the effectiveness of IRS's actions--they
           occurred subsequent to completion of our audit testing and thus
           have not been verified, which is a prerequisite to our closing a
           recommendation--or because the actions taken did not fully address
           the issue that gave rise to the recommendation.

           However, continued efforts are needed by IRS to address its
           internal control issues. While we are able to close 25 financial
           management recommendations made in prior years, 47 recommendations
           from prior years remain open, a significant number of which have
           been outstanding for several years. In some cases, IRS may have
           effectively addressed the issues that gave rise to the
           recommendations subsequent to our fiscal year 2006 audit testing.
           However, in many cases, our fiscal year 2006 audit determined that
           the actions taken to date had not fully and effectively addressed
           the underlying internal control issues. Additionally, during our
           audit of IRS's fiscal year 2006 financial statements, we
           identified additional issues that will require corrective action
           by IRS. In two recent management reports to IRS,^8 we discussed
           these issues, and made 28 new recommendations to IRS to address
           these new issues. Consequently, a total of 75 financial
           management-related recommendations are currently open and need to
           be addressed by IRS. Of these, we consider 66 short term and 9
           long term.^9
			  
^7GAO, Internal Revenue Service: Status of Recommendations from Financial
Audits and Related Financial Management Reports, [20]GAO-06-560
(Washington, D.C.: June 6, 2006).

^8GAO, Management Report: Improvements Needed in IRS's Internal Controls,
[21]GAO-07-689R (Washington, D.C.: May 11, 2007), and Management Report:
IRS's First Year Implementation of the Requirements of the Office of
Management and Budget's (OMB) Revised Circular No. A-123, [22]GAO-07-692R
(Washington, D.C.: May 18, 2007).

^9We define short-term recommendations as those that could be addressed
within 2 years at the time we made the recommendation. We define long-term
recommendations as those expected to require 2 years or more to implement
at the time we made the recommendation.			  

           Appendix I presents a list of (1) recommendations we have made
           based on our financial statement audits and other financial
           management-related work that we had not previously reported as
           closed prior to our fiscal year 2006 audit, (2) the status of each
           of these recommendations and corrective actions taken or planned
           as of April 2007 as reported to us by IRS, and (3) our analysis of
           whether the issues that gave rise to the recommendations have been
           effectively and fully addressed based on the work performed during
           our fiscal year 2006 financial statement audit. The appendix also
           lists new recommendations we have made based on our fiscal year
           2006 financial statement audit. The appendix lists the
           recommendations by the date on which the recommendation was made
           and by report number.
			  
			  Open Recommendations Grouped by Control Activity

           Linking the open recommendations from our financial audits and
           other financial management-related work, and the issues that gave
           rise to them, to internal control activities that are central to
           IRS's tax administration responsibilities provides insight
           regarding their significance.

           Control activities, one of the five broad standards contained in
           GAO's Standards for Internal Control in the Federal Government,
           are the policies, procedures, techniques, and mechanisms that
           enforce management's directives. As such, they are an integral
           part of an entity's planning, implementing, reviewing, and
           accountability for stewardship of government resources and
           achievement of results. GAO's Standards for Internal Control in
           the Federal Government defines 11 control activities. These
           control activities can be further grouped into three broad
           categories:

           o Safeguarding of assets and security activities, including

                        o physical control over vulnerable assets,
                        o segregation of duties,
                        o controls over information processing, and
                        o access restrictions to and accountability for
                        resources and records.

           o Proper recording and documenting of transactions, including

                        o appropriate documentation of transactions and
                        internal control,
                        o accurate and timely reporting of transactions and
                        events, and
                        o proper execution of transactions and events.

           o Effective management review and oversight, including

                        o reviews by management at the functional or activity
                        level,
                        o establishment and review of performance measures
                        and indicators,
                        o management of human capital, and
                        o top-level reviews of actual performance.

           Each of the open recommendations from our financial audits and
           financial management-related work, and the underlying issues that
           gave rise to them, can be traced back to the 11 control activities
           and their three broad categories. Table 1 presents a summary of
           the open recommendations, each tied back to the control activity
           to which it relates.

Table 1: Summary of Open Recommendations

Source: GAO analysis of financial management recommendations made to IRS.

As table 1 indicates, 19 recommendations (25 percent) relate to issues
associated with IRS's lack of effective controls over safeguarding of
assets and security activities. Another 33 recommendations (44 percent)
relate to issues associated with IRS's inability to properly record and
document transactions. The remaining 23 open recommendations (31 percent)
relate to issues associated with the lack of effective management review
and oversight.

On the following pages, we group the 75 open recommendations under the
control activity to which the condition that gave rise to them most
appropriately fits. We first define each control activity as presented in
GAO's Standards for Internal Control in the Federal Government and briefly
identify some of the key IRS operations that fall under that control
activity. Although not comprehensive, the descriptions are intended to
help explain why actions to strengthen these control activities are
important for IRS to effectively carry out its overall mission. For each
recommendation, we also indicate whether it is a short-term or long-term
recommendation.

Safeguarding of Assets and Security Activities

Given IRS's mission, the sensitivity of the data it maintains, and its
processing of trillions of dollars of tax receipts each year, one of the
most important control activities at IRS is the safeguarding of assets.
Internal control in this important area should be designed to provide
reasonable assurance regarding prevention or prompt detection of
unauthorized acquisition, use, or disposition of an agency's assets. We
have grouped together the four control activities in GAO's Standards for
Internal Control in the Federal Government that relate to safeguarding of
assets (including tax receipts) and security activities (such as limiting
access to only authorized personnel): (1) physical control over vulnerable
assets, (2) segregation of duties, (3) controls over information
processing, and (4) access restrictions to and accountability for
resources and records.

Physical Control over Vulnerable Assets

IRS is charged with collecting over $2 trillion in taxes each year, a
significant amount of which is collected in the form of checks and cash
accompanied by tax returns and related information. IRS collects taxes
both at its own facilities as well as at lockbox banks that operate under
contract with the Department of the Treasury's Financial Management
Service (FMS) to provide processing services for certain taxpayer receipts
for IRS. IRS acts as custodian for (1) the tax payments it receives until
they are deposited in the General Fund of the U.S. Treasury and (2) the
tax returns and related information it receives until they are either sent
to the Federal Records Center or destroyed. IRS is also charged with
controlling many other assets, such as computers and other equipment, but
IRS's legal responsibility to safeguard tax returns and the confidential
information taxpayers provide on tax returns makes the effectiveness of
its internal controls with respect to physical security essential.

IRS receives cash and checks mailed to its service centers or lockbox
banks with accompanying tax returns and information or payment vouchers
and payments made in person at one of its offices. While effective
physical safeguards over receipts should exist throughout the year, it is
especially important during the peak tax filing season. Each year during
the weeks preceding and shortly after April 15, an IRS service center
campus (SCC) or lockbox bank may receive and process daily over 100,000
pieces of mail containing returns, receipts, or both. The dollar value of
receipts each service center and lockbox bank processes increases to
hundreds of millions of dollars a day during the April 15 time frame.

Of our 75 open recommendations, the following 12 open recommendations are
designed to improve IRS's physical controls over vulnerable assets. All
are short-term in nature. (See table 2.)

Table 2: Recommendations to Improve IRS's Physical Controls over
Vulnerable Assets

Source: GAO analysis of financial management recommendations made to IRS.

Segregation of Duties

IRS employees are responsible for processing trillions of dollars of tax
receipts each year, of which hundreds of billions are received in the form
of cash or checks,^10 and for processing hundreds of billions of dollars
in refunds to taxpayers. Consequently, it is critical that IRS maintain
appropriate separation of duties to allow for adequate oversight of staff
and protection of these vulnerable resources so that no single individual
would be in a position of both causing an error or irregularity,
potentially converting the asset to their personal use, and then
concealing it. For example, when an IRS field office or lockbox bank
receives taxpayer receipts and returns, it is responsible for depositing
the cash and checks in a depository institution and forwarding the related
information received to an SCC for further processing. In order to
adequately safeguard receipts from theft, the person responsible for
recording the information from the taxpayer receipts on a voucher should
be different from the individual who prepares those receipts for
transmittal to the SCC for further processing.

^10The vast majority of federal tax payments are made for both businesses
and individuals via the Electronic Federal Tax Payment System (EFTPS).

The following four open recommendations would help IRS improve its
separation of duties, which will in turn strengthen its controls over both
tax receipts and refunds. All are short-term in nature. (See table 3.)

Table 3: Recommendations to Improve IRS's Segregation of Duties

Source: GAO analysis of financial management recommendations made to IRS.

Controls over Information Processing

IRS relies extensively on computerized systems to support its financial
and mission-related operations. To efficiently fulfill its tax processing
responsibilities, IRS relies extensively on interconnected networks of
computer systems to perform various functions, such as collecting and
storing taxpayer data, processing tax returns, calculating interest and
penalties, generating refunds, and providing customer service.

As part of our annual audits of IRS's financial statements, we assess the
effectiveness of IRS's information security controls^11 over key financial
systems, data, and interconnected networks at IRS's critical data
processing facilities that support the processing, storage, and
transmission of sensitive financial and taxpayer data. From that effort
over the years, we have identified information security control weaknesses
that impair IRS's ability to ensure the confidentiality, integrity, and
availability of its sensitive financial and taxpayer data. As of March
2007, there were 48 open recommendations from our information security
work designed to improve IRS's information security controls.^12
Recommendations resulting from our information security work are reported
separately and are not included in this report primarily because of the
sensitive nature of some of these issues.

However, the following open short-term recommendation is related to
systems limitations and IRS's need to enhance its computer programs. (See
table 4.)

Table 4: Recommendation to Improve IRS's Controls over Information
Processing

Source: GAO analysis of financial management recommendations made to IRS.

Access Restrictions to and Accountability for Resources and Records

^11Information security controls include electronic access controls,
software change controls, physical security, segregation of duties, and
service continuity. These controls are designed to ensure that access to
data is appropriately restricted, that only authorized changes to computer
programs are made, that physical access to sensitive computing resources
and facilities is protected, that computer security duties are segregated,
and that backup and recovery plans are adequate to ensure the continuity
of essential operations.

^12GAO, Information Security: Further Efforts Needed to Address
Significant Weaknesses at the Internal Revenue Service, [23]GAO-07-364
(Washington, D.C.: Mar. 30, 2007).

Because IRS deals with a large volume of cash and checks, it is imperative
that it maintain strong controls to appropriately restrict access to those
assets, the records that track those assets, and sensitive taxpayer
information. Although IRS has a number of both physical and information
system controls in place, some of the issues we have identified in our
financial audits over the years pertain to ensuring that those individuals
who have direct access to these cash and checks are appropriately vetted
before being granted access to taxpayer receipts and information and to
ensuring that IRS maintains effective access security control.

The following two open short-term recommendations would help IRS improve
its access restrictions to assets and records. (See table 5.)

Table 5: Recommendations to Improve IRS's Access Restrictions to and
Accountability for Resources and Records

Source: GAO analysis of financial management recommendations made to IRS.

Proper Recording and Documenting of Transactions

One of the largest obstacles continuing to face IRS management is the
agency's lack of an integrated financial management system capable of
producing the accurate, useful, and timely information IRS managers need
to assist in making well-informed day-to-day decisions. While IRS is
making progress in modernizing its financial management capabilities, it
nonetheless continues to face many pervasive internal control weaknesses
related to its long-standing systems deficiencies that we have reported
each year since we began auditing its financial statements in fiscal year
1992.

However, IRS also has a number of internal control issues that relate to
recording transactions, documenting events, and tracking the processing of
taxpayer receipts or information, which do not depend upon improvements in
information systems.

We have grouped three control activities together that relate to proper
recording and documenting of transactions: (1) appropriate documentation
of transactions and internal controls, (2) accurate and timely recording
of transactions and events, and (3) proper execution of transactions and
events.

Appropriate Documentation of Transactions and Internal Control

IRS collects and processes trillions of dollars in taxpayer receipts
annually both at its own facilities and at lockbox banks under contract to
process taxpayer receipts for the federal government. Therefore, it is
important that IRS maintain effective controls to ensure that all
documents and records are properly managed and maintained both at its
facilities and at the lockbox banks. In addition, IRS must adequately
document and disseminate its procedures to ensure that they are available
for IRS employees.

The following 13 open recommendations would assist IRS in improving its
documentation of transactions and internal control procedures. All are
short-term in nature (See table 6.)

Table 6: Recommendations to Improve IRS's Documentation of Transactions
and Internal Control

Source: GAO analysis of financial management recommendations made to IRS.

Accurate and Timely Recording of Transactions and Events

IRS is responsible for maintaining taxpayer records for tens of millions
of taxpayers in addition to maintaining its own financial records. To
carry out this responsibility, IRS often has to rely on outdated computer
systems or manual work-arounds. Unfortunately, some of IRS's recordkeeping
difficulties we have reported on over the years will not be addressed
until it can replace its aging systems, which is a long-term effort and is
dependent on future funding.

The following 19 open recommendations would strengthen IRS's recordkeeping
abilities. (See table 7.) Thirteen of these recommendations are
short-term, and 6 are long-term. They include some specific
recommendations regarding requirements for new systems for maintaining
taxpayer records. Several of the recommendations listed affect financial
reporting processes, such as subsidiary records and appropriate allocation
of costs. Some of the issues that gave rise to certain of our
recommendations directly affect taxpayers, such as those involving
duplicate assessments, errors in calculating and reporting manual
interest, errors in calculating penalties, and recovery of trust fund
penalty assessments. About 47 percent of these recommendations are almost
5 years or older and 1 is over 10 years old, reflecting the long-term
nature of the resolution of some of these issues.

Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of
Transactions and Events

Source: GAO analysis of financial management recommendations made to IRS.

Proper Execution of Transactions and Events

IRS employs tens of thousands of people in its 10 SCCs, three computing
centers, and numerous field offices throughout the United States. In
addition, the number of staff increases significantly during the peak of
the tax filing season. Because of the tremendous number of personnel
involved, IRS must maintain effective control over which employees are
authorized to either view or change sensitive taxpayer data. IRS's ability
to establish access rights and permissions for information systems is a
critical control.

Each year, IRS pays out hundreds of billions of dollars in tax refunds,
some of which are distributed to taxpayers manually.^13 IRS requires that
all manual refunds be approved by designated officials. However,
weaknesses in the authorization of such approving officials expose the
federal government to losses because of the issuance of improper refunds.
The following open short-term recommendation would improve IRS's controls
over its manual refund transactions. (See table 8.)

Table 8: Recommendation to Improve IRS's Execution of Transaction and
Events

Source: GAO analysis of financial management recommendations made to IRS.

Effective Management Review and Oversight

All personnel within IRS have an important role in establishing and
maintaining effective internal controls, but IRS's managers have
additional review and oversight responsibilities. Management must set the
objectives, put the control mechanisms and activities in place, and
monitor and evaluate controls. Without effective monitoring by managers,
internal control activities may not be carried out consistently and on
time.

We have grouped three control activities together related to effective
management review and oversight: (1) reviews by management at the
functional or activity level, (2) establishment and review of performance
measures and indicators, and (3) management of human capital. Although we
also include the control activity "top-level reviews of actual
performance" in this grouping, we do not have any open recommendations to
IRS related to this internal control activity.

^13Most refunds are generated automatically. However, under certain
circumstances, IRS processes refunds manually to expedite payment. Such
refunds include those over $10 million, those requested by taxpayers for
immediate payment due to hardship or emergency, those to beneficiaries of
deceased taxpayers, and those that need to be expedited because IRS is in
jeopardy of paying interest for exceeding the 45-day limit for processing
a return.

Reviews by Management at the Functional or Activity Level

IRS has over 80,000 full-time employees and hires over 20,000 seasonal
personnel to assist during the tax filing season. In addition, as
discussed earlier, Treasury's Financial Management Service contracts with
banks to process tens of thousands of individual receipts, totaling
hundreds of billions of dollars. At any organization, management oversight
of operations is important, but with an organization as vast in scope as
IRS, management oversight is imperative.

The following 17 open short-term recommendations would improve IRS's
management oversight. (See table 9.) Many of these recommendations were
made to correct instances where an internal control activity either does
not exist or where an established control is not being adequately or
consistently applied. Several of these recommendations emphasize
improvements needed to IRS's oversight of lockbox banks and contracted
courier programs in order to ensure appropriate physical control over
vulnerable assets, such as taxpayer receipts. However, a number of these
recommendations are aimed at enhancing IRS's own assessment of its
internal controls over financial reporting in accordance with the
requirements of the revised OMB Circular No. A-123.

Table 9: Recommendations to Improve IRS's Reviews by Management at the
Functional or Activity Level

Source: GAO analysis of financial management recommendations made to IRS.

Establishment and Review of Performance Measures and Indicators

IRS's operations include a vast array of activities encompassing educating
taxpayers, processing of taxpayer receipts and data, disbursing hundreds
of billions of dollars in refunds to millions of taxpayers, maintaining
extensive information on tens of millions of taxpayers, and seeking
collection from individuals and businesses that fail to comply with the
nation's tax laws. Within its compliance function, IRS has numerous
activities, including identifying businesses and individuals that
underreport income, collecting from taxpayers that do not pay, and
collecting from those receiving refunds for which they are not eligible.
Although IRS has at its peak over 100,000 employees, it still faces
resource constraints in attempting to fulfill its duties. Because of this,
it is vitally important for IRS to have sound performance measures to
assist it in assessing its performance and targeting its resources to
maximize the government's return on investment.

However, in past audits we have reported that IRS did not capture costs at
the program or activity level to assist in developing cost-based
performance measures for its various programs and activities. As a result,
IRS is unable to measure the costs and benefits of its various collection
and enforcement efforts to best target its available resources.
Additionally, we have reported that IRS's controls over its reporting of
interim performance measurement data were not effective throughout the
year because the data reported at interim periods for certain performance
measures were either not accurate or were outdated.

The following three open recommendations are designed to assist IRS in
evaluating its operations, determining which activities are the most
beneficial, and establishing a good system for oversight. (See table 10.)
These recommendations--two long-term and one short-term--call for IRS to
measure, track, and evaluate the cost, benefits, or outcomes of its
operations--particularly with regard to identifying its most effective tax
collection activities.

Table 10: Recommendations to Improve IRS's Establishment and Review of
Performance Measures and Indicators

Source: GAO analysis of financial management recommendations made to IRS.

Management of Human Capital

IRS's operations cover a wide range of technical competencies with
specific expertise needed in tax-related matters; financial management;
and systems design, development, and maintenance. Because IRS has tens of
thousands of employees spread throughout the country, management's
responsibility to keep its guidance up-to-date and its staff properly
trained is imperative.

The following three open short-term recommendations would assist IRS in
its management of human capital. (See table 11.)

Table 11: Recommendations to Improve IRS's Management of Human Capital

Source: GAO analysis of financial management recommendations made to IRS.

Concluding Observations

Increased budgetary pressures and an increased public awareness of the
importance of internal control require IRS to carry out its mission more
efficiently and more effectively while protecting taxpayers and their
information.

Sound financial management and effective internal controls are essential
if IRS is to efficiently and effectively achieve its goals. IRS has made
substantial progress in improving its financial management since its first
financial audit, as evidenced by consecutive clean audit opinions on its
financial statements for the past 7 years, resolution of several material
internal control weaknesses, and the closing of hundreds of financial
management recommendations. This progress has been the result of hard work
throughout IRS and sustained commitment of IRS leadership. Nonetheless,
more needs to be done to fully address the financial management challenges
the agency faces. Efforts must continue to address the internal control
deficiencies that continue to exist. Effective implementation of the
recommendations we have made and continue to make through our financial
audits and related work could greatly assist IRS in improving its internal
controls and achieving sound financial management. While we recognize that
some actions--primarily those related to modernizing automated
systems--will take a number of years to resolve, most of our outstanding
recommendations can be addressed in the short-term.

Agency Comments and Our Evaluation

In commenting on a draft of this report, IRS expressed its appreciation
for our acknowledgment of the agency's progress in addressing its
financial management challenges as evidenced by our closure of 25 of the
72 open financial management recommendations from last year's report. IRS
also indicated its continued commitment to work with us to take corrective
actions that appropriately address the issues identified in our
recommendations. We will review the effectiveness of further corrective
actions IRS has taken or will take and the status of IRS's progress in
addressing all open recommendations as part of our audit of IRS's fiscal
year 2007 financial statements.

We are sending copies of this report to the Chairmen and Ranking Minority
Members of the Senate Committee on Appropriations; Senate Committee on
Finance; Senate Committee on Homeland Security and Governmental Affairs;
and Subcommittee on Taxation, IRS Oversight and Long-Term Growth, Senate
Committee on Finance. We are also sending copies to the Chairmen and
Ranking Minority Members of the House Committee on Appropriations; and the
House Committee on Ways and Means; Chairman and Vice Chairman of the Joint
Committee on Taxation; the Secretary of the Treasury; the Director of OMB;
the Chairman of the IRS Oversight Board; and other interested parties.
Copies will be made available to others upon request. In addition, the
report will be available at no charge on GAO's Web site at
http://www.gao.gov .

If you have any questions concerning this report, please contact me at
(202) 512-3406 or [email protected] . Contact points for our Offices
of Congressional Relations and Public Affairs can be found on the last
page of this report. GAO staff who made major contributions to this report
are listed in appendix III.

Sincerely yours,

Steven J. Sebastian
Director
Financial Management and Assurance

Appendix I: Status of GAO Recommendations from IRS Financial Audits and
Related Management Reports 

Source: IRS updates detailing its actions to address GAO's recommendations
and GAO's analysis of IRS's actions.

Appendix II: Comments from the Internal Revenue Service

Appendix III: Staff Acknowledgments

Acknowledgments

The following individuals made major contributions to this report: Gloria
Cano, Stephanie Chen, William J. Cordrey, Nina Crocker, John Davis,
Charles Ego, Charles Fox, John Gates, Ted Hu, Jerrod O'Nelio, John Sawyer,
Angel Sharma, Peggy Smith, Cynthia Teddleton, LaDonna Towler, Truc Tuck,
and Gary Wiggins.

(196125)

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2537 Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

www.gao.gov/cgi-bin/getrpt?GAO-07-629 .

To view the full product, including the scope
and methodology, click on the link above.

For more information, contact Steven J. Sebastian at (202) 512-3406 or
[email protected].

Highlights of [33]GAO-07-629 , a report to the Acting Commissioner of
Internal Revenue

June 2007

INTERNAL REVENUE SERVICE

Status of GAO Financial Audit and Related Financial Management Report
Recommendations

In its role as the nation's tax collector, the Internal Revenue

Service (IRS) has a demanding responsibility in annually collecting over
$2 trillion in taxes, processing hundreds of millions of tax and
information returns, and enforcing the nation's tax laws. Since its first
audit of IRS's financial statements in fiscal year 1992, GAO has
identified a number of weaknesses in IRS's financial management
operations. In related reports, GAO has recommended corrective action to
address those weaknesses.

Each year, as part of the annual audit of IRS's financial statements, GAO
not only makes recommendations to address any new weaknesses identified
but also follows up on the status of weaknesses GAO identified in previous
years' audits. The purpose of this report is to (1) assist IRS management
in tracking the status of audit recommendations and actions needed to
fully address them and (2) demonstrate how the recommendations relate to
control activities central to IRS's mission and goals. GAO is making no
new recommendations in this report.

IRS has made significant progress in improving its internal controls and
financial management since its first financial statement audit in 1992, as
evidenced by 7 consecutive years of clean audit opinions on its financial
statements, the resolution of several material internal control
weaknesses, and the closing of over 200 financial management
recommendations. This progress has been the result of hard work and
commitment at the top levels of the agency.

However, IRS still faces financial management challenges. At the beginning
of GAO's audit of IRS's fiscal year 2006 financial statements, 72
financial management-related recommendations from prior audits remained
open because IRS had not fully addressed the issues that gave rise to
them. During the fiscal year 2006 financial audit, IRS took actions that
enabled GAO to close 25 of those recommendations. At the same time, GAO
identified additional internal control issues resulting in 28 new
recommendations. In total, 75 recommendations currently remain open.

To assist IRS in evaluating and improving internal controls, GAO
categorized the 75 open recommendations by various internal control
activities which, in turn, were grouped into three broad control activity
groupings.

Summary of Open Recommendations

Source: GAO analysis of financial management recommendations made to IRS.

The continued existence of internal control weaknesses that gave rise to
these recommendations represents a serious obstacle that IRS needs to
overcome. Effective implementation of GAO's recommendations can greatly
assist IRS in improving its internal controls and achieving sound
financial management and can help enable it to more effectively carry out
its tax administration responsibilities. IRS acknowledged the status of
GAO's recommendations and indicated its desire to ensure that its
corrective actions appropriately address its internal control issues.

References

Visible links
  17. http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-12.19.6
  18. http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21
  19. http://www.gao.gov/cgi-bin/getrpt?GAO-01-1008G
  20. http://www.gao.gov/cgi-bin/getrpt?GAO-06-560
  21. http://www.gao.gov/cgi-bin/getrpt?GAO-07-689R
  22. http://www.gao.gov/cgi-bin/getrpt?GAO-07-692R
  23. http://www.gao.gov/cgi-bin/getrpt?GAO-07-364
  33. http://www.gao.gov/cgi-bin/getrpt?GAO-07-629
*** End of document. ***