Management Report: Improvements Needed in IRS's Internal Controls
(11-MAY-07, GAO-07-689R).					 
                                                                 
In November 2006, we issued our report on the results of our	 
audit of the Internal Revenue Service's (IRS) financial 	 
statements as of, and for the fiscal years ending, September 30, 
2006, and 2005, and on the effectiveness of its internal controls
as of September 30, 2006. We also reported our conclusions on	 
IRS's compliance with significant provisions of selected laws and
regulations and on whether IRS's financial management systems	 
substantially comply with requirements of the Federal Financial  
Management Improvement Act of 1996. A separate report on the	 
implementation status of recommendations from our prior IRS	 
financial audits and related financial management reports,	 
including this one, will be issued shortly. The purpose of this  
report is to discuss issues identified during our audit of IRS's 
financial statements as of, and for the fiscal year ending	 
September 30, 2006, regarding internal controls that could be	 
improved for which we do not currently have any recommendations  
outstanding. Although not all of these issues were discussed in  
our fiscal year 2006 audit report, they all warrant management's 
consideration. This report contains 21 recommendations that we	 
are proposing IRS implement to improve its internal controls. We 
conducted our audit in accordance with U.S. generally accepted	 
government auditing standards.					 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-689R					        
    ACCNO:   A69566						        
  TITLE:     Management Report: Improvements Needed in IRS's Internal 
Controls							 
     DATE:   05/11/2007 
  SUBJECT:   Accounting procedures				 
	     Financial statements				 
	     Internal controls					 
	     Personal income taxes				 
	     Tax administration systems 			 
	     Tax credit 					 
	     Tax refunds					 
	     Tax return audits					 
	     User fees						 
	     Financial statement audits 			 
	     Information management				 
	     Accounting errors					 
	     Facility security					 
	     IRS Automated Trust Fund Recovery System		 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-689R

   

     * [1]end of correspond & Test.pdf

          * [2]PDF6-Ordering Information.pdf

               * [3]Order by Mail or Phone

May 11, 2007

The Honorable Mark W. Everson
Commissioner of Internal Revenue

Subject: Management Report: Improvements Needed in IRS's Internal Controls

Dear Mr. Everson:

In November 2006, we issued our report on the results of our audit of the
Internal Revenue Service's (IRS) financial statements as of, and for the
fiscal years ending, September 30, 2006, and 2005, and on the
effectiveness of its internal controls as of September 30, 2006.^1 We also
reported our conclusions on IRS's compliance with significant provisions
of selected laws and regulations and on whether IRS's financial management
systems substantially comply with requirements of the Federal Financial
Management Improvement Act of 1996. A separate report on the
implementation status of recommendations from our prior IRS financial
audits and related financial management reports, including this one, will
be issued shortly.

The purpose of this report is to discuss issues identified during our
audit of IRS's financial statements as of, and for the fiscal year ending
September 30, 2006, regarding internal controls that could be improved for
which we do not currently have any recommendations outstanding. Although
not all of these issues were discussed in our fiscal year 2006 audit
report, they all warrant management's consideration. This report contains
21 recommendations that we are proposing IRS implement to improve its
internal controls. We conducted our audit in accordance with U.S.
generally accepted government auditing standards.

Results in Brief

During our audit of IRS's fiscal year 2006 financial statements, we
identified a number of internal control issues that adversely affected tax
data, tax receipts, tax refunds, taxpayer penalties and fees, tax liens,
and property and equipment. These issues concern: (1) encryption of
off-site taxpayer data files, (2) placement of security cameras at tax
return processing facilities, (3) manual refund policies and procedures,
(4) refunds to taxpayers who owe payroll taxes, (5) assessment of taxpayer
penalties, (6) timeliness of tax lien releases, (7) processing of
Installment Agreement fees, and (8) procurement and security of property
and equipment.

^1GAO, Financa Audt: IRS's Fiscal Years 2006 and 2005 Financa Satements,
GAO-07-136 (Washington, D.C.: Nov. 9, 2006).

Specifically, we found the following:

           o At three of the four lockbox banks^2 we visited, the banks did
           not encrypt off-site backup files containing taxpayer information
           as required by IRS's guidelines.

           o At two of the six service center campuses (SCCs) we visited,
           security cameras did not provide complete coverage of the building
           exterior or the facility's external perimeter.

           o At two service center campuses, employees responsible for
           initiating manual refunds were not always monitoring taxpayer
           accounts to prevent duplicate refunds or documenting their review.

           o IRS issued refunds to taxpayers who owed trust fund recovery
           penalties associated with unpaid payroll taxes.

           o Errors in IRS's computer programs caused it to charge taxpayers
           excess penalties.

           o IRS did not always timely release its liens against taxpayers
           because it did not have procedures to expeditiously research and
           apply available credits from one tax period of the taxpayer's
           account to other tax periods that contained outstanding balances.

           o IRS did not always timely release its liens against taxpayers
           because it did not always follow its procedures to timely record
           bankruptcy discharges.

           o IRS did not always follow its policy of maintaining
           documentation to demonstrate that it delivered lien releases to
           the local court house after taxpayers fully satisfied their
           outstanding tax liabilities.

           o Errors occurred in IRS's processing of installment agreement
           user fees it collected from taxpayers.

           o At one site we visited, internal controls were not adequate to
           secure and safeguard property and equipment.

^2 Lockbox banks are financial institutions designated as depositories and
financial agents of the U.S. government to perform certain financial
services, including processing tax documents, depositing the receipts, and
then forwarding the documents and data to IRS service center campuses,
which update taxpayers' accounts. During fiscal year 2006, there were
eight lockbox banks processing taxpayer receipts on behalf of IRS.

The issues noted above increase the risk that (1) taxpayer receipts and
information could be lost, stolen, misused, or destroyed; (2) erroneous
tax refunds could be issued; (3) taxpayers could be charged excess
penalties or incorrect user fees; (4) tax liens may not be released
promptly; and (5) physical assets could be stolen.

At the end of our discussion of each of the issues in the following
sections, we make recommendations for strengthening IRS's internal
controls. These recommendations are intended to bring IRS into conformance
with its own policies and with the internal control standards that all
federal executive agencies are required to follow.^3

In its comments, IRS agreed with our recommendations and described actions
it had taken or planned to take to address the control weaknesses
described in this report. At the end of our discussion of each of the
issues in this report, we have summarized IRS's related comments and
provide our evaluation.

Scope and Methodology

This report addresses issues we observed during our audit of IRS's fiscal
years 2006 and 2005 financial statements. As part of this audit, we tested
IRS's internal controls and its compliance with selected provisions of
laws and regulations. We designed our audit procedures to test relevant
controls, including those for proper authorization, execution, accounting,
and reporting of transactions. We conducted our fieldwork between January
2006 and November 2006.

To assess internal control issues related to safeguarding taxpayer
receipts and information, we visited six SCCs and four lockbox banks; for
issues related to tax refunds, we visited two SCCs; and for issues related
to property and equipment, we performed our testing at five IRS offices.

Further details on our audit scope and methodology are included in our
report on the results of our audits of IRS's fiscal years 2006 and 2005
financial statements^4 and are reproduced in enclosure II.

Safeguarding Backup Media

Lockbox banks are financial institutions under contract with the federal
government to process mail-in tax payments and related documents on behalf
of IRS. IRS expects these lockbox banks to appropriately safeguard the
confidentiality of tax returns and the related information they process.
Accordingly, IRS established requirements in its nernal Revenue Manual
(IRM)^5 and lockbox security guidelines (LSG)^6 addressing backup
procedures for information media (e.g., data tapes, cartridges, etc.)
processed at lockbox banks. Specifically, in addition to specifying that
backup media be stored off-site for recovery purposes and that the
off-site storage location be geographically separate from the lockbox bank
location, these requirements state that backup media containing taxpayer
information must be encrypted prior to transmitting the information to a
storage location outside of IRS's facilities. GAO's Standards for Inerna
Control in the Federal Government require that agencies establish physical
controls to secure and safeguard vulnerable data and media files to reduce
the risk of unauthorized use or loss to the government. In addition, the
Office of Management and Budget (OMB) issued a memorandum^7 in June 2006
requiring that all federal departments and agencies encrypt personally
identifiable information that is physically transported outside of the
agency's secured, physical perimeter.

^3 GAO, Standards for Interna Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999) contains the internal
control standards to be followed by executive agencies in establishing and
maintaining systems of internal control as required by 31 U.S.C. S 3512
(c), (d) (commonly referred to as the Federal Managers' Financial
Integrity Act of 1982).

^4GAO-07-136.

However, during our fiscal year 2006 audit, we found that three of the
four lockbox banks we visited sent unencrypted backup tapes that contained
taxpayer information to off-site storage facilities. When we initially
notified IRS of the lack of encryption of backup tapes sent to off-site
locations, IRS responded that two of the three lockbox banks would cease
using off-site storage facilities and would instead securely store these
backup tapes on-site at the lockbox bank. While retaining the backup
information on-site avoids exposing it to potential compromise during
transmission, it is inconsistent with the IRM and federal information
security standards for off-site storage^8 and thus increases the risk that
the backup information may be lost along with the current information in
the event of disaster, whether of accidental, criminal, or natural origin.
At the third lockbox bank, we were informed that the bank would request a
waiver from IRS's encryption requirement. However, granting of such a
waiver by IRS is not consistent with the requirement contained in the OMB
memorandum. Shipping unencrypted backup data off-site increases the risk
that data containing taxpayer information may be compromised.

During fiscal year 2006, IRS began conducting annual physical security
reviews of lockbox banks to monitor their performance and adherence to key
IRS physical security policies and procedures. In carrying out its
reviews, IRS uses a physical security data collection instrument to assess
controls and record the results of those assessments. While these reviews
address various controls designed to safeguard taxpayer receipts and
information, they do not address key controls designed to safeguard backup
media containing personally identifiable information. For example, there
are no questions on the physical security data collection instrument
designed to ascertain whether lockbox banks are complying with the
requirement to have backup tapes, which contain sensitive information,
encrypted and stored at an approved off-site location. The lack of routine
monitoring by IRS officials regarding data encryption and off-site storage
of backup media increases the risk that lockbox bank deviations from
related IRS procedures may not be timely identified, thereby increasing
the risk of loss, theft, and/or misuse of media files containing taxpayer
information.

^5 The IRM outlines business rules and administrative procedures and
guidelines IRS uses to conduct its operations and contains policy,
direction, and delegations of authority necessary to carry out IRS's
responsibilities to administer tax law and other legal provisions.

^6 The LSG outlines security guidelines for lockbox bank managers to use
so that they adhere to IRS's physical, personnel, and data protection
requirements to ensure protection of taxpayer receipts and information.

^7 OMB, Protection o Senstive Agency Information, M-06-16 (Washington,
D.C.: June 23, 2006).

^8 U.S. Department of Commerce, National Institute of Standards and
Technology, Recommended Security Controls for Federal Inormaion Systems
(Washington, D.C.: December 2006).

Recommendations

We recommend that IRS

           o enforce the existing policy requiring that all lockbox banks
           encrypt backup media containing federal taxpayer information;

           o ensure that lockbox banks store backup media containing federal
           taxpayer information at an off-site location as required by the
           2006 LSG; and

           o revise instructions for its annual reviews of lockbox banks to
           encompass routine monitoring of backup media containing personally
           identifiable information to ensure that this information is (1)
           encrypted prior to transmission and (2) stored in an appropriate
           off-site location.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning the encryption and storage
of backup media containing federal taxpayer information. IRS indicated it
will implement an Information Technology Security Audit Process by July
2007 and use it to ensure compliance with its policy of requiring that all
lockbox banks encrypt backup media containing federal taxpayer
information. IRS also indicated it will use this audit process to validate
that all backup media, including files that may need to be recovered, are
stored off-site. In addition, IRS stated that it will modify the Lockbox
Security Guidelines to emphasize that all backup media, including files
that may need to be recovered, is to be stored off-site. We will evaluate
the effectiveness of IRS's efforts in this area during our audit of IRS's
fiscal year 2007 financial statements.

Maintenance and Placement of Security Cameras

To safeguard the hundreds of billions of dollars in payments and the
related information entrusted to it annually by the nation's taxpayers,
IRS has implemented physical security controls intended to prevent
unauthorized access to its tax return processing facilities. Among these
controls are security cameras, also referred to as closed circuit
television (CCTV) cameras, which are used to aid security personnel in
monitoring the exterior of these facilities. To be effective, security
cameras must be properly maintained and placed at critical locations to
collectively provide an unobstructed view of the entire exterior of the
facility. However, at two of the six SCCs we visited during our fiscal
year 2006 audit, we found that security cameras monitoring the facilities'
exterior did not allow security personnel unobstructed coverage of the
entire fence line of the property and the perimeter of the facility. At
one of these SCCs, we found that guards were aware of the obstructions and
had reported them to their superiors. However, no corrective actions were
initiated nor was a time frame established identifying when the
obstructions and weaknesses in the CCTV cameras would be corrected.

Specifically, we found:

           o At one SCC, the views of five security cameras used to monitor
           the perimeter of the buildings were obstructed by trees situated
           between the cameras and the property fence line. In addition, the
           views of two other exterior security cameras were obstructed by a
           structural support column.

           o At the second SCC, three security cameras' views of
           entrances/exits and the perimeter of certain buildings were
           obstructed by overgrown trees and shrubs.

GAO's Standards for Internal Control in the Federal Government require
that management establish physical controls to secure and safeguard
vulnerable assets and that access to resources and records should be
limited to authorized individuals. Further, the IRM guidelines for
security cameras at SCCs include placing cameras at critical locations to
provide direct visual monitoring from a vantage point. However, because
IRS's security cameras at SCCs do not always provide unobstructed exterior
coverage of the entire fence line and perimeter of its facilities, the
risk is increased that unauthorized individuals may access IRS facilities
and compromise taxpayer records and data and/or disrupt operations.

Over the past 2 years, IRS has implemented quarterly physical security
reviews of key perimeter access and other controls designed to monitor
physical security controls used to safeguard taxpayer information and
receipts and IRS's facilities, employees, taxpayers, and other visitors.
These reviews include assessing whether security cameras at SCCs provide
complete and unobstructed exterior coverage of the entire fence line and
perimeter of the facility. However, we found that analysts performing
these reviews are not required to (1) document planned implementation
dates of the corrective actions cited to address any issues identified,
and (2) follow up on prior findings to assess whether they were
appropriately addressed according to plans. To be effective, any issues
identified by these reviews should be systematically documented,
appropriate corrective actions planned, and their status formally tracked
to monitor disposition and final closure. Absent this, IRS lacks assurance
that issues affecting CCTV cameras identified during these reviews are
being effectively communicated and promptly and appropriately addressed.

Recommendations

We recommend that IRS

           o develop and implement appropriate corrective actions for any
           gaps in CCTV camera coverage that do not provide an unobstructed
           view of the entire exterior of the SCC's perimeter, such as adding
           or repositioning existing CCTV cameras or removing obstructions;
           and

           o revise instructions for quarterly physical security reviews to
           require analysts to (1) document any issues identified as well as
           planned implementation dates of corrective actions to be taken and
           (2) track the status of corrective actions identified during the
           quarterly assessments to ensure they are promptly implemented.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning the maintenance and
placement of security cameras at SCCs. IRS indicated that it is developing
a plan to assess all CCTVs and mitigate findings by December 30, 2007. IRS
also indicated that by June 30, 2007, it will implement procedures
requiring Physical Security Analysts to document concerns identified
during quarterly reviews, establish corrective action implementation
dates, and track corrective actions to ensure they are implemented.
Because IRS's planned actions in this area will not be completed for our
fiscal year 2007 audit, we will evaluate the effectiveness of IRS's
efforts during future audits.

Manual Refund Policies and Procedures

IRS's internal controls for processing manual refunds were not fully
effective in minimizing the risk of issuing duplicate refunds. We found
that employees responsible for initiating manual refunds at the two
service center campuses we visited were not always adhering to IRS's
policies and procedures intended to minimize this risk. Specifically,
manual refund initiators were not appropriately (1) monitoring taxpayer
accounts to prevent duplicate refunds, or (2) documenting their monitoring
activity. GAO's Standards for Inernal Control in the Federal Government
require that control activities, which are identified as necessary and
described in the agency's policies and procedures, are in place and being
applied properly so that only valid transactions are processed.
Additionally, the IRM requires manual refund initiators to monitor manual
refund accounts and to appropriately document their monitoring activities
to prevent the issuance of a duplicate refund. However, because IRS staff
at the two centers we visited did not consistently follow these
procedures, the risk of duplicate refunds is increased.

Most refunds are generated automatically by IRS's automated systems after
the taxpayers' returns are posted to their accounts. However, in certain
situations, various units within IRS's campuses process refunds manually
to expedite the refund process when it is considered to be in the best
interest of IRS or the taxpayer. A manual refund is a refund that is not
generated through routine IRS automated system processing. Manual refunds
bypass most of the automated validity checks performed and may be issued
within a few days of initiation. However, while manual refunds can be paid
out quickly, IRS's system does not record the manual refund generated on
the taxpayer's master file account until several weeks after the manual
refund is initiated. Conversely, automated refunds are first posted to the
taxpayer's master file account and issued to taxpayers afterwards. The
delay in recording manual refunds to taxpayer accounts increases the
potential for erroneous or duplicate refunds because IRS's manual and
automated refund processing are not systematically coordinated to prevent
both refunds from being issued.

To prevent duplicate refunds from being issued, the IRM requires manual
refund initiators, who process manual refunds, to (1) closely monitor the
taxpayer's account and (2) document their monitoring activity until the
manual refund posts to the taxpayer's master file account. Once the manual
refund posts to the master file, IRS's automated system is to prevent a
duplicate automated refund from being issued. Throughout the period it
takes for the manual refund to post, the manual refund initiators are
responsible for monitoring the accounts for the posting of duplicate
automated refunds. When manual refund initiators identify the posting of a
duplicate automated refund, they must take the necessary action to stop
the automated refund from actually being issued to the taxpayer. IRS
provides a Manual Refund Desk Reference for manual refund initiators to
use as a guide to initiate and process manual refunds. In most cases, the
initiators primarily rely on the Manual Refund Desk Reference to process
manual refunds and do not refer to the IRM.

However, during our review of monitoring actions to prevent duplicate
refunds at two service center campuses, we found the Manual Refund Desk
Reference did not provide instructions to (1) monitor refund accounts to
prevent duplicate refunds, and (2) document monitoring activity as
required by the IRM. For example, at one site, the various units
processing manual refunds were using different versions of the Manual
Refund Desk Reference (i.e., April 2002, January 2003, April 2003, April
2004, March 2005, and April 2006), none of which complied with the IRM
requirements. We also found that some of the initiators and their
supervisors were not familiar with the procedures in the desk reference.
As a result, the manual refund initiators in some of the units (1) were
not monitoring the refund accounts to prevent the issuance of a duplicate
refund; (2) stated that they monitor the taxpayer account, but were not
documenting their monitoring activities; or (3) were only observing the
account to see if the manual refund posted so they could close out their
case, rather than also monitoring to detect and stop the issuance of
duplicate automated refunds. As a result, the risk is increased that a
duplicate refund generated will not be detected and stopped before being
disbursed.

Recommendations

We recommend that IRS

           o revise procedures contained in the Manual Refund Desk Reference
           to reflect the IRM requirements for manual refund initiators to
           (1) monitor the manual refund accounts in order to prevent
           duplicate refunds, and (2) document their monitoring actions;

           o provide to all the IRS units responsible for processing manual
           refunds the same and most current version of the Manual Refund
           Desk Reference; and

           o require that managers or supervisors provide the manual refund
           initiators in their units with training on the most current
           requirements to help ensure that they fulfill their
           responsibilities to monitor manual refunds and document their
           monitoring actions to prevent the issuance of duplicate refunds.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning monitoring manual refunds
to prevent duplicate refunds and the need to document such monitoring
actions. IRS stated that it will replace the Manual Refund Desk Reference
with revisions to sections of its Internal Revenue Manual, which will be
the official authoritative guidance for processing manual refunds and
stated that it plans to inform its staff of this change by the end of May
2007. IRS also stated that it will ensure its managers and supervisors
conduct training for manual refund initiators in its Submission
Processing, Accounts Management, and Compliance operations to prevent the
issuance of duplicate refunds, issue an information Alert to campuses,
directing them to provide refresher training to the areas responsible for
initiating manual refunds, and conduct classroom training for employees
who initiate manual refunds. In addition, IRS indicated that it will
ensure that Tax Examiners are reminded of their responsibility to monitor
manual refunds to prevent the issuance of duplicate refunds and to
document such monitoring. IRS stated that all of these actions will be
complete by the end of July 2007. We will evaluate the effectiveness of
IRS's efforts in this area during our audit of IRS's fiscal year 2007
financial statements.

Refunds to Tax Debtors With Unpaid Payroll Taxes

During our fiscal year 2006 financial audit, we found that IRS issued
refunds to tax debtors who still owed the government for unpaid payroll
taxes. When an employer withholds taxes from an employee's wages, the
employer is deemed to have a responsibility to hold these amounts "in
trust" for the federal government until the employer makes a federal tax
deposit in that amount.^9 Employers are required to periodically deposit
the withholdings from employees' wages with IRS. To the extent these
withheld amounts are not forwarded to the federal government, the employer
is liable for these amounts, as well as the employer's matching Federal
Insurance Contribution Act (FICA)^10 contributions. Individuals within the
business (e.g., corporate officers) may be held personally liable for the
withheld amounts not forwarded and assessed a civil monetary penalty known
as a Trust Fund Recovery Penalty (TFRP).^11 IRS has the authority to
assess all responsible officers individually for the unpaid payroll taxes.
Thus, IRS may record a TFRP assessment against several individuals for the
employee-withholding component of the payroll tax liability of a given
business in an effort to collect an employer's total tax liability.
Although assessed to multiple parties, the employer's liability need only
be paid once. When IRS records a TFRP assessment against an individual, it
creates a separate subaccount on the taxpayer's master file account to
distinguish this from the taxpayer's personal income tax liability.

^9 26 U.S.C. S 7501(a) The law further provides that withheld income and
employment taxes are to be held in a separate bank account considered to
be a special fund in trust for the federal government. 26 U.S.C. S
7512(b).

In our prior audits,^12 we found errors involving IRS's failure to
properly record payments made by individual officers to all related
parties associated with the TFRP. Thus, as part of our fiscal year 2006
audit, we tested a statistical sample of payments recorded on TFRP
accounts to determine the extent of any such errors in IRS's systems. In
performing our work, we found that IRS issued refunds to seven individuals
when they still had an outstanding balance in their TFRP account.^13 In
one of these cases, IRS recorded a TFRP assessment against the officer in
2001. The officer then filed joint individual tax returns with the
officer's spouse in subsequent years and received three computer-generated
refunds totaling approximately $6,700.

According to the IRM, IRS is required to apply any overpayment of taxes
from one tax period^14 against outstanding tax liabilities from other tax
periods before issuing a refund to the taxpayer. If a taxpayer made
payments that exceeded the balance owed for one tax period (i.e.,
credits), IRS relies on its automated processes to check the taxpayer's
account for outstanding balances in other tax periods or subaccounts and
to apply these credits to outstanding balances before issuing a refund.
However, IRS's computer program only checks for outstanding tax
liabilities associated with the social security number (SSN) of the first
person listed on joint tax returns and does not check for outstanding tax
liabilities associated with the secondary SSN listed on the return. In the
cases we identified, the officer owing the TFRP was the second person
(secondary SSN) indicated on the joint tax return. Consequently, IRS's
automated process failed to detect that the second person associated with
the joint return owed the outstanding penalty assessment. This control
deficiency cost IRS the opportunity to recover at least some of the
outstanding balances owed on these accounts.

^10 FICA provides for a federal system of old-age, survivors, disability,
and hospital insurance benefits. Payments to trust funds established for
these programs are financed by payroll taxes on employee wages and tips,
employers' matching payments, and a tax on self-employment income.

^11 See 26 U.S.C. S 6672 and implementing IRS guidance in the nerna
Revenue Manual at S 4.23.9.13, Trust Fund Recovery Penalty (Mar. 1, 2003).

^12 GAO-06-137.

^13The primary purpose of our test was to determine whether IRS properly
recorded the sample payment to all related parties. However, we also
performed other tests of IRS's controls using this same sample. Although
we identified officers with outstanding balances on their TFRP accounts
that received refunds from IRS, we are unable to project these results to
IRS's population of TFRP accounts because the sampling unit was payments
rather than accounts.

^14 A "tax period" varies by tax type. For example, the tax period for
individual income or corporate tax is 1 year. In contrast, a tax period
for payroll and excise taxes is generally one quarter of a year.

Recommendations

We recommend that IRS

           o enhance its computer program to check for outstanding tax
           liabilities associated with both the primary and secondary SSNs
           shown on a joint tax return and apply credits to those balances
           before issuing any refund; and

           o instruct revenue officers making the TFRP assessments to
           research whether the responsible officers are filing jointly with
           their spouses and to place a refund freeze on the joint account
           until the computer programming change can be completed.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning refunds to tax debtors with
Trust Fund Recovery Penalties. IRS stated that the IRM instructs revenue
officers to request entering a transaction code into its systems to freeze
any potential refunds for all individuals liable for the TFRP. IRS noted
that it has requested an IRS Counsel opinion on whether it would be
acceptable for revenue officers to also freeze the refund of a liable
taxpayer's spouse at the time of approval of the TFRP assessment or at the
time the assessment is made. IRS stated that it would implement this
change by August 2007 if the IRS Counsel determines that this action is
appropriate. We will evaluate the effectiveness of IRS's efforts in this
area during our audit of IRS's fiscal year 2007 financial statements.

Assessment of Penalties

IRS's controls over its process for assessing penalties against taxpayers
who owe outstanding taxes did not always ensure that the correct amounts
of penalties were assessed. Under the Internal Revenue Code (IRC), IRS has
the authority to assess penalties against taxpayers for a variety of
reasons, such as the failure to pay taxes owed. IRS largely uses automated
processes and systems to assess both interest and penalties using the
parameters contained in the IRC, as stipulated in the IRM.^15 For example,
if the tax debtor fails to pay the taxes owed, IRS is required to assess
penalties at one-half of 1 percent of the outstanding tax liability. IRS
then increases this penalty rate from one-half of 1 percent to 1 percent
if the taxpayer does not comply after repeated notifications. If the
taxpayer pays off the outstanding balance, IRS is then required to reduce
the penalty rate back to one-half of 1 percent on any subsequent tax
assessment associated with this specific tax period.

^15 See 26 U.S.C. S 6651 and implementing IRS guidance in the nerna
Revenue Manual at S 20.1.2, Failure to File/Failure to Pay Penalties (July
31, 2001).

In our testing of a statistical sample of IRS interest and penalty
calculations on 59 taxpayer accounts in IRS's master file from the first 9
months of fiscal year 2006, we found 2 instances where IRS's computer
programs incorrectly calculated and assessed the failure to pay the
penalty amount. In each case, IRS's computer program appropriately
increased the penalty rate assessed against the taxpayer for failing to
pay taxes owed from one-half of 1 percent to 1 percent when the taxpayer
failed to pay following repeated notification of the taxes due. The
taxpayer eventually paid the outstanding balance for the specific tax
period. IRS then later assessed additional taxes against the taxpayer for
the same tax period. However, the penalty calculation program did not
reset the penalty rate back to one-half of 1 percent and continued to
assess penalties related to the subsequent tax assessment at the higher 1
percent rate. As a result, IRS overassessed penalties against these
taxpayers.

After we brought this issue to its attention, IRS researched its master
files and determined that the program errors would have affected taxpayer
accounts where (1) the penalty rate had increased to 1 percent, (2) the
taxpayer had subsequently paid off the balance for the tax period, and (3)
IRS later assessed the taxpayer additional taxes owed for the same tax
period. Its research indicated that the programming errors may have
affected about 62,000 taxpayers with about 69,000 accounts in its current
inventory of unpaid assessments.^16 The total outstanding balance
associated with these accounts was approximately $745 million. Although
IRS was able to identify taxpayers who may have been affected by this
error, its research did not determine whether any of these taxpayers may
have already paid any overassessed penalties.

Recommendations

We recommend that IRS

           o correct the penalty calculation programs in its master file so
           that penalties are calculated in accordance with the applicable
           IRC and implementing IRM guidance; and

           o research each of the taxpayer accounts that may have been
           affected by the programming errors to determine whether they
           contain overassessed penalties and correct the accounts as needed.

^16 We reviewed IRS's criteria for identifying the affected taxpayers and
concur that the problem was confined to those identified by IRS.
Consequently, we did not project these errors to IRS's population of
penalty assessments.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning the overassessment of tax
penalties. IRS stated that it implemented system changes in January 2007
to correct the penalty calculation program and the taxpayer accounts that
were affected by the programming error. We will evaluate the effectiveness
of IRS's efforts in this area during our audit of IRS's fiscal year 2007
financial statements.

Timeliness of Lien Releases

Under the IRC, IRS has the power to file a lien against the property of
any taxpayer who neglects or refuses to pay all assessed federal taxes.
The lien serves to protect the interest of the federal government and as a
public notice to current and potential creditors of the government's
interest in the taxpayer's property.^17 IRS uses its Automated Lien System
(ALS)^18 to process the initial filing of the lien as well as the lien
release upon satisfaction of the tax liability. ALS generates the physical
lien document, which IRS mails to the taxpayer's local courthouse to
officially file the lien.^19 Concurrent with generating the lien document,
ALS electronically updates the taxpayer's account in IRS's master file to
show that a lien was filed. The lien becomes effective when it is filed
with a designated office, such as a courthouse, in the county where the
taxpayer's property is located. Under section 6325 of the IRC, IRS is
required to release federal tax liens within 30 days of the date the tax
liability is satisfied or becomes legally unenforceable. The failure to
promptly release tax liens could cause undue hardship and burden to
taxpayers who are attempting to sell property or apply for commercial
credit.

In each year beginning with our audit of IRS's fiscal year 1999 financial
statements, we found that IRS did not always release the applicable tax
lien within 30 days of the tax liability being either paid off or abated
as required by the IRC. During our fiscal 2006 financial audit, we
continued to find weaknesses in the IRS lien release process that
contributed to liens not being timely released. These weaknesses resulted
from IRS relying too heavily on automated processes and employees who did
not follow established procedures. Specifically, IRS did not (1) have
procedures to promptly research and apply credits^20 that were available
in one tax period against the taxpayers' outstanding tax liabilities in
other tax periods, (2) follow its procedures to promptly record bankruptcy
discharges of tax liabilities, and (3) follow its procedures to maintain
stamped billing support vouchers to document IRS's timely issuance of lien
releases to the local courthouse.

^17 26 U.S.C. SS 6321, 6323.

^18 ALS is a comprehensive database that prints federal tax liens and lien
releases, stores taxpayer information, and documents lien activity.

^19 The local courthouse is the courthouse in the county where the
taxpayer's property is located. Liens can also be filed elsewhere as
determined by state law. 26 U.S.C. S 6323.

^20 Tax credits can result from taxpayer payments in excess of the tax
liability owed for a specific tax period or from IRS's abatement of taxes
in a specific tax period which the taxpayer had previously paid.
Abatements are reductions to taxpayers' tax liabilities. In cases where
the taxpayer had already paid the tax liability, the abatement would
result in a credit that could be applied against other outstanding tax
liabilities owed by the taxpayer or if none exist, would be refunded to
the taxpayer.

Timely Application of Credits

IRS's lien release process relies heavily upon its automated systems and
the information that resides within these systems. Within its master file
database, IRS records collection actions and the current status of tax
debts through a series of codes. The codes, referred to as status and
transaction codes, display a host of information, including whether the
account is paid in full or otherwise satisfied. Consequently, the status
and transaction codes in each taxpayer's account in IRS's database are
critical to the timely release of liens. IRS's automated lien release
process begins when a taxpayer's account is paid in full or otherwise
relieved. Each week, the master file database automatically downloads to
ALS all the satisfied taxpayer accounts with liens. When notified via the
master file download that a taxpayer account with a lien has been fully
paid or otherwise satisfied, ALS generates a lien release document. Since
liens can cover tax debt arising from one or more tax periods,^21 ALS will
not generate a lien release document until all the tax periods covered by
the lien are satisfied.

In fiscal year 2006, IRS tested the effectiveness of its lien release
process as part of implementing the requirements of OMB Circular No.
A-123,^22 and we validated these test results. In reviewing IRS's test
results for 84 statistically selected tax cases with liens in which the
taxpayers' total outstanding liabilities were either paid off or abated,
we identified 6 cases in which IRS did not release the liens within 30
days because it did not promptly apply tax credits available in one of the
taxpayers' tax periods against the outstanding balances the taxpayers owed
in other tax periods.^23 In these 6 cases, the time between the point at
which the taxpayer had credits available to satisfy all of their
outstanding tax liabilities and release of the lien ranged from 37 days to
183 days.

In one case, IRS recorded the taxpayer's entire payment against the
outstanding tax liability in one tax period of the taxpayer's master file
account and relied on the system to automatically transfer the amounts
paid that exceeded the balance owed for that tax period (i.e., credits) to
pay off the balances in other tax periods. In another case, IRS partially
abated the tax assessed against the taxpayer for one tax period, creating
a credit, and waited for its automated systems to transfer the credits or
to generate a refund to the taxpayer. In each of these six cases, IRS
relied on its automated systems to automatically transfer the credits.
However, the automatic transfers did not occur within 30 days because the
taxpayers' accounts contained freeze codes^24 that prevented the automatic
transfers. The presence of these freeze codes required IRS personnel to
manually review and, as needed, resolve issues with the taxpayer's account
before the credits could be applied to other outstanding tax period
balances owed by the taxpayer. IRS eventually resolved the issues on the
accounts of each of these six taxpayers and did not assess additional
taxes against any of them. However, because IRS did not have procedures in
place to promptly research and properly apply the credits, it did not
release the liens against these taxpayers within the statutorily required
30 days.

^21 IRS can file a lien on the taxpayer's property for one or multiple tax
periods that contain an outstanding tax liability.

^22 OMB revised Circular A-123, Management's Responsibility for Internal
Control, in December 2004. The revised OMB Circular No. A-123, which first
became effective in fiscal year 2006, included a new appendix, Appendix A,
which prescribed a strengthened management process for assessing internal
control over financial reporting for the 24 major executive branch
departments and agencies. Circular A-123 also required a new management
assurance statement specifically addressing the effectiveness of the
internal control over financial reporting based on the results of
management's assessment.

^23 The primary purpose of IRS's test was to determine whether it released
liens filed against taxpayers whose liability had either been paid off or
abated in a timely manner. However, the sample was not designed to
specifically identify the causes for any instances in which IRS did not
release liens timely. Consequently, while we were able to determine the
causes for those sampled cases in which liens were not timely released, we
are unable to project each cause to the total population. We reviewed
IRS's test procedures and concurred with its results.

Timely Recording of Discharge by Bankruptcy Court

Taxpayers may have their tax liability fully discharged through bankruptcy
filings. When a taxpayer is discharged of his or her tax liability by the
bankruptcy court and the court notifies IRS, employees in IRS's
Centralized Insolvency Office (CIO) are responsible for recording the
discharge on the taxpayer's master file account or to manually record the
lien release in ALS. As mentioned earlier, IRS's lien release process
relies heavily upon its automated computer systems. Consequently, the
Centralized Insolvency Office must record this information timely in order
for IRS to complete the lien release process within 30 days.

In reviewing IRS's lien release test results, we identified five cases in
which IRS did not timely release the lien because it did not timely record
that the taxpayer had been fully discharged of his or her tax liability by
the bankruptcy courts.^25 According to IRS, the lien release was delayed
because Centralized Insolvency Office employees did not follow procedures
established in the IRM. The IRM requires Centralized Insolvency Office
employees to timely record bankruptcy discharge information onto taxpayer
accounts in the master file or to manually release the liens in ALS on
bankruptcy cases assigned to the unit. This was not done, resulting in the
delay of the release of the tax liens associated with these cases. The
time between the bankruptcy discharge and release of the liens in these
five cases ranged from 52 days to 298 days.

Maintaining Documentation to Support Lien Release

In a prior audit, we noted instances of long delays between the time that
IRS generated the ALS lien release document and the official release date
recorded at the local courthouse.^26 Although some of these delays may
have been attributable to delays by the courthouse in legally releasing
the liens, IRS did not have procedures to track the status of lien
releases up to the point of delivery to the local courthouse.
Consequently, neither IRS nor we could determine if the delays occurred at
IRS, at the local courthouse, or both. For this reason, we recommended
that IRS establish procedures to track the status of lien releases up to
the point of delivery to the local courthouse. In response to our
recommendation, in fiscal year 2003, IRS established and implemented
procedures to date stamp billing support vouchers^27 to document the date
it sent the lien release to the local courthouse.

^24 IRS records "freeze codes" onto taxpayer accounts in the master file
to prevent certain automated processes from occurring because these
accounts may require additional manual review.

^25 As noted earlier, the primary purpose of IRS's test was to determine
whether it released liens filed against taxpayers whose liability had
either been paid off or abated in a timely manner. The sample was not
designed to specifically identify the causes for any instances in which
IRS did not release liens timely. Consequently, while we were able to
determine the causes for those sampled cases in which liens were not
timely released, we are unable to project each cause to the total
population.

In reviewing IRS's lien release test results, we found nine cases in which
IRS could not produce a date stamped billing support voucher to document
when it sent the lien release to the local courthouse.^28 During fiscal
year 2005, IRS completed consolidation of its lien processing into one
Centralized Lien Processing/Case Processing Unit at the Cincinnati Service
Center Campus. According to IRS officials, employees in the Centralized
Lien Processing/Case Processing Unit did not follow the IRM procedures for
date stamping and maintaining copies of the billing support vouchers.
Without a stamped billing support voucher, IRS was unable to provide
evidence that it had sent the lien release to the local courthouse within
the statutorily required 30 days.

Recommendations

We recommend that IRS

           o establish procedures and specify in the IRM that at the time of
           receipt, employees recording taxpayer payments should (1)
           determine if the payment is more than sufficient to cover the tax
           liability of the tax period specified on the payment or earliest
           outstanding tax period, (2) perform additional research to resolve
           any outstanding issues on the account, (3) determine whether the
           taxpayer has outstanding balances in other tax periods, and (4)
           apply available credits to satisfy the outstanding balances in
           other tax periods;

           o establish procedures and specify in the IRM that employees
           review taxpayer accounts with freeze codes that contain credits
           weekly to (1) research and resolve any outstanding issues on the
           account, (2) determine whether the taxpayer has outstanding
           balances in other tax periods, and (3) apply available credits to
           satisfy the outstanding balances in other tax periods;
           o issue a memorandum to employees in the Centralized Insolvency
           Office reiterating the IRM requirement to timely record bankruptcy
           discharge information onto taxpayer accounts in the master file or
           to manually release the liens in ALS; and

           o issue a memorandum to employees in the Centralized Lien
           Processing Unit reiterating the IRM requirement to date stamp and
           maintain the billing support voucher as evidence of timely
           processing by IRS.

^26 GAO, Management Report: Improvements Needed in IRS's Accounting
Procedures and InternalControls, GAO-02-746R (Washington, D.C.: July 18,
2002).

^27 IRS uses the "billing support voucher" to support its payment for
recording fees to the local courthouse. The billing support voucher lists
all the lien releases sent to the local courthouse for processing on a
given date.

^28 Again, as the primary purpose of IRS's test was to determine whether
it released liens filed against taxpayers whose liability had either been
paid off or abated in a timely manner, the sample was not designed to
specifically identify the causes for any instances in which IRS did not
release liens timely. Consequently, we are unable to project each cause to
the total population.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning the timeliness of tax lien
releases. IRS stated that it issued a memorandum to all functions in
January 2007 that directed liens to be released manually when systemic
processes do not release liens, including when credit transfers are
necessary between accounts, and noted that it plans to update the IRM to
include the information contained in the memorandum by the end of May
2007. IRS also stated that it developed a report to identify cases where a
bankruptcy discharge was granted by the court and a lien was filed on
dischargeable periods so that, when appropriate, manual lien releases are
requested to ensure timely release of the tax liens. IRS indicated that it
updated the IRM in March 2007 with instructions for the new report and
conducted training on the new report and process prior to issuing the IRM.
In addition, IRS stated that in November 2006 it began a new process of
scanning billing support vouchers and associating these vouchers with
Specific Lien Identification (SLID) numbers in order to ensure the voucher
is retrievable and to show liens were timely released. IRS noted that it
had trained its employees on this process as it was rolled out. According
to IRS, it will complete its 2007 OMB Circular A-123 review on the
timeliness of lien releases by the end of May 2007, and will issue
additional guidance by November 2007 if the review indicates that untimely
tax lien releases and BSV errors still exist. We will evaluate the
effectiveness of IRS's efforts in this area during our audit of IRS's
fiscal year 2007 financial statements.

Installment Agreement User Fees

During our fiscal year 2006 audit, we found that IRS's control procedures
did not always prevent or detect errors that occurred in the recording of
installment agreement^29 (IA) user fees that IRS collects from taxpayers.
When IRS enters into an IA arrangement with taxpayers to satisfy tax
debts, it charges a user fee for services provided, whether establishing a
new agreement or reinstating a previous agreement.^30 IRS requires
taxpayers to pay the user fee with the first installment payment by
designating, on the remittance coupon IRS provides to the taxpayer, the
user fee and tax payment amounts and submitting it to a lockbox bank.
Errors can occur when taxpayers do not make the proper designations on
remittance coupons, and IRS records improper user fee amounts or
incorrectly applies payments to the taxpayers' debts.

^29 IRS is authorized by 26 U.S.C. S 6159 to allow taxpayers to enter into
installment agreement arrangements to satisfy their tax debts. Under such
arrangements, IRS agrees to let taxpayers pay their tax liabilities in
installments over a specified period of time instead of immediately paying
the amount in full.

^30 IRS charges taxpayers IA user fees under the authority of 31 U.S.C. S
9701. For fiscal year 2006, the fee to establish a new IA was $43 and the
fee to reinstate an old IA was $24.

To identify and correct payment errors, IRS runs periodic edit routines on
its master file records to identify cases where it did not collect IA user
fees when it was entitled to do so and executes actions to transfer such
user fees from the taxpayers' tax accounts to user fee accounts. IRS also
runs edit checks to test the validity of the user fees it records in the
master file by identifying (1) fees for which there is no installment
agreement on file, (2) inconsistent user fee codes used for recorded fees,
(3) duplicate user fees recorded, and (4) fees paid with dishonored checks
from taxpayers. These edit checks result in the generation of an
Installment Agreement Accounts Listing which provides details of items
requiring further action. However, IRS did not always timely follow up and
resolve items that appeared on the listing.

We tested 12 transactions in which IRS recorded IA user fees in amounts
that exceeded the amount that IRS was authorized to charge and found that
9 were recorded in error. Specifically, we found the following:

           o In four instances, IRS personnel erroneously recorded tax
           payments as IA user fees when no user fee was due and the entire
           amount should have been recorded against the taxpayers' tax debt.
           In the most egregious of these instances, IRS recorded a $15,000
           tax payment as an installment agreement user fee when the maximum
           amount it could charge as IA fees was $43. IRS did not detect or
           correct this error in its normal course of operations.

           o In three instances, IRS was entitled to collect an IA user fee
           but deducted an incorrect user fee amount from the taxpayer's
           payment. For example, in one case, IRS recorded a taxpayer's
           payment of $200 as an IA user fee when only $43 should have been
           recorded as a user fee and the remaining $157 should have been
           recorded against the taxpayer's outstanding tax debt.

           o In the remaining two instances, IRS made erroneous adjustments
           to move payments from taxpayers' tax accounts to IA user fee
           accounts and thus recorded more user fees than it was entitled to
           receive.

According to IRS, the errors we found that resulted in duplicate user
fees, such as the fees recorded when none were due, appeared on the
Installment Agreement Account Listing. The IRM requires that matters that
appear on the listing be addressed within 5 business days. However, we
found that IRS staff did not always timely and accurately resolve user fee
errors that appeared on the listing as required in its IRM. The errors we
found that appeared on the listing were not corrected until we brought
them to IRS's attention.

GAO's Standards for Internal Control in the Federal Government require
agencies to (1) implement internal control procedures to ensure the
accurate and timely recording of transactions and events, and (2) perform
sufficient management review to detect and eliminate errors. By not
properly recording IA user fees collected from taxpayers, IRS runs the
risk of misstating its unpaid assessments and exchange revenue.
Additionally, and most importantly, by not crediting taxpayer accounts
with proper payments, IRS faces increased risk of charging interest and
penalties to taxpayers who have satisfied their tax debts, or taking more
stringent enforcement actions and overcollecting tax debts.

Recommendations

We recommend that IRS

           o monitor IA user fee activity on a regular basis,

           o adjust errors in recorded IA user fees as necessary to correctly
           reflect the user fees IRS earned and collected from taxpayers, and

           o establish sufficient review procedures to help ensure that
           adjustments to IA user fees collected from taxpayers are
           accurately and timely recorded.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning the need for accurate and
timely recording of installment agreement user fees and routing monitoring
and review of this activity. IRS indicated that it currently uses the
Installment Agreement Accounts Listings report to identify and resolve
user fee errors, and that in January 2008 it will implement enhancements
to this report. IRS stated that it currently utilizes a quarterly process
to reconcile installment agreement payments and adjusts those with
discrepancies or errors, but that it will increase the frequency of this
reconciliation process from quarterly to weekly beginning in January 2008.
IRS also indicated it will update the section of the IRM dealing with IA
user fee review procedures by January 2008. Because IRS's planned actions
in this area will not be completed for our fiscal year 2007 audit, we will
evaluate the effectiveness of IRS's efforts during future audits.

Property and Equipment

During our fiscal year 2006 audit, we found that internal controls were
not adequate to ensure the security and safeguarding of property and
equipment at one of five locations we visited. At this location, IRS's
designated secured storage area was not large enough to store all of the
property and equipment not currently in use. Consequently, IRS stored its
overflow inventory items, including computer equipment, in an unlocked
room. At the same location, IRS allowed one individual to both order
property and equipment from vendors and perform receipt and acceptance
when the assets were delivered.

GAO's Standards for Internal Control in the Federal Government  state that
an agency must establish physical control to secure and safeguard
vulnerable assets. In addition, the IRM requires Single Point Inventory
Function (SPIF)^31 personnel to have secured storage space where access is
restricted to inventory personnel. GAO's standards further state that key
duties and responsibilities should be divided or segregated among
different people to reduce the risk of error or fraud. Such control
activities are an integral part of an agency's accountability for
stewardship of government resources. The storage of equipment in an
unlocked room increases the risk that assets may be stolen or misplaced.
Also, the lack of segregation of duties increases the risk that error,
waste, or fraud may occur in the procurement process and not be detected
and that IRS may pay for property and equipment that it did not receive.

Recommendations

We recommend that IRS

           o establish and maintain sufficient secured storage space to
           properly secure and safeguard its property and equipment
           inventory, including in-stock inventories, assets from incoming
           shipments, and assets that are in the process of being excessed
           and/or shipped out; and

           o develop and implement procedures to require that separate
           individuals place orders with vendors and perform receipt and
           acceptance functions when the orders are delivered.

IRS Comments and Our Evaluation

IRS agreed with our recommendations concerning the secure storage of
property and equipment and the separation of ordering and receipt duties.
IRS stated that it is identifying locations that need additional secured
storage space and will obtain the necessary space as appropriate. IRS also
stated that it has policies and procedures in place regarding the
separation of receipt and acceptance duties but will reissue
communications to remind those with procurement authority about the
specific IRS acquisition procedure which provides this guidance. We will
evaluate the effectiveness of IRS's efforts in this area during our audit
of IRS's fiscal year 2007 financial statements.

                                   - - - - -

This report contains recommendations to you. The head of a federal agency
is required by 31 U.S.C. S 720 to submit a written statement on actions
taken on these recommendations. You should submit your statement to the
Senate Committee on Homeland Security and Governmental Affairs and the
House Committee on Oversight and Government Reform within 60 days of the
date of this report. A written statement must also be sent to the House
and Senate Committees on Appropriations with the agency's first request
for appropriations made more than 60 days after the date of the report.

^31Single Point Inventory Function units are responsible for the
management and control of all computer equipment at all IRS offices.

This report is intended for use by the management of IRS. We are sending
copies to the Chairmen and Ranking Minority Members of the Senate
Committee on Appropriations; Senate Committee on Finance; Senate Committee
on Homeland Security and Governmental Affairs; and Subcommittee on
Taxation and IRS Oversight and Long-Term Growth, Senate Committee on
Finance. We are also sending copies to the Chairmen and Ranking Minority
Members of the House Committee on Appropriations; House Committee on Ways
and Means; the Chairman and Vice-Chairman of the Joint Committee on
Taxation; the Secretary of the Treasury; the Director of the Office of
Management and Budget; the Chairman of the IRS Oversight Board; and other
interested parties. The report is available at no charge on GAO's Web site
at http://www.gao.gov .

We acknowledge and appreciate the cooperation and assistance provided by
IRS officials and staff during our audits of IRS's fiscal years 2006 and
2005 financial statements. Please contact me at (202) 512-3406 or
[email protected] if you or your staff have any questions concerning
this report. Contact points for our Offices of Congressional Relations and
Public Affairs may be found on the last page of this report. GAO staff who
made major contributions to this report are listed in enclosure III.

Steven J. Sebastian
Director
Financial Management and Assurance

Enclosures - 3

Enclosure I:  Comments from the Internal Revenue Service

Enclosure II:  Details on Audit Methodology

To fulfill our responsibilities as the auditor of the Internal Revenue
Service's (IRS) financial statements for fiscal years 2006 and 2005, we
took the following actions:

           o Examined, on a test basis, evidence supporting the amounts and
           disclosures in the financial statements. This included selecting
           statistical samples of unpaid assessment, revenue, refund, accrued
           expenses, payroll, nonpayroll, property and equipment, accounts
           payable, and undelivered order transactions. These statistical
           samples were selected primarily to substantiate balances and
           activities reported in IRS's financial statements. Consequently,
           dollar errors or amounts can and have been statistically projected
           to the population of transactions from which they were selected.
           In testing these samples, certain attributes were identified that
           indicated either significant deficiencies in the design or
           operation of internal control or compliance with provisions of
           laws and regulations. These attributes, where applicable, can be
           and have been statistically projected to the appropriate
           populations.

           o Assessed the accounting principles used and significant
           estimates made by management.

           o Evaluated the overall presentation of the financial statements.

           o Obtained an understanding of internal controls related to
           financial reporting (including safeguarding assets), compliance
           with laws and regulations (including the execution of transactions
           in accordance with budget authority), and the existence and
           completion assertions related to performance measures reported in
           the Management Discussion and Analysis.

           o Tested relevant internal controls over financial reporting
           (including safeguarding assets) and compliance, and evaluated the
           design and operating effectiveness of internal controls.

           o Considered IRS's process for evaluating and reporting on
           internal controls and financial management systems under 31 U.S.C.
           S 3512 (c), (d), commonly referred to as the Federal Managers'
           Financial Integrity Act of 1982, and Office of Management and
           Budget (OMB) Circular No. A-123, Management's Responsibility for
           Internal Control.
           o Tested compliance with selected provisions of the following laws
           and regulations: Anti-Deficiency Act, as amended (31 U.S.C. S
           1341(a)(1) and 31 U.S.C. S 1517(a)); Purpose Statute (31 U.S.C. S
           1301); Release of lien or discharge of property (26 U.S.C. S
           6325); Interest on underpayment, nonpayment, or extensions of time
           for payment of tax (26 U.S.C. S 6601); Interest on overpayments
           (26 U.S.C. S 6611); Determination of rate of interest (26 U.S.C. S
           6621); Failure to file tax return or to pay tax (26 U.S.C. S
           6651); Failure by individual to pay estimated income tax (26
           U.S.C. S 6654); Failure by corporation to pay estimated income tax
           (26 U.S.C. S 6655); Prompt Payment Act (31 U.S.C. S 3902(a), (b),
           and (f) and 31 U.S.C. S 3904); Pay and Allowance System for
           Civilian Employees (5 U.S.C. SS 5332 and 5343, and 29 U.S.C. S
           206); Federal Employees' Retirement System Act of 1986, as amended
           (5 U.S.C. SS 8422, 8423, and 8432); Social Security Act, as
           amended (26 U.S.C. SS 3101 and 3121 and 42 U.S.C. S 430); Federal
           Employees Health Benefits Act of 1959, as amended (5 U.S.C. SS
           8905, 8906, and 8909); Transportation, Treasury, Independent
           Agencies, and General Government Appropriations Act, 2005, Pub. L.
           No. 108-447, div. H, tit. II, 118 Stat. 2809, 3199 (Dec. 8, 2004);
           and Department of the Treasury Appropriations Act, 2006, Pub. L.
           No. 109-115, div. A, tit. II, 119 Stat. 2396, 2432 (Nov. 30,
           2005).

           o Tested whether IRS's financial management systems substantially
           comply with the three requirements of the Federal Financial
           Management Improvement Act of 1996 (Pub. L. No. 104-208, div. A, S
           101(f), title VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996)

Enclosure III:  Staff Acknowledgments

Acknowledgments

The following individuals made major contributions to this report:  John Davis,
Assistant Director, Gloria Cano, Stephanie Chen, Nina Crocker, Oliver Culley,
Chuck Fox, John Gates, Ted Hu, Richard Larsen, Olivia Lopez, Joshua Marcus,
George Ogilvie, Jerrol O'Nelio, John Sawyer, Angel Sharma, Peggy Smith,
LaDonna Towler, and Gary Wiggins.                                                


(196152)

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

*** End of document. ***