Management Report: IRS's First-Year Implementation of the	 
Requirements of the Office of Management and Budget's (OMB)	 
Revised Circular No. A-123 (18-MAY-07, GAO-07-692R).		 
                                                                 
This letter summarizes our review of the Internal Revenue	 
Service's (IRS) implementation of the requirements of the Office 
of Management and Budget's (OMB) revised Circular No. A-123,	 
Management's Responsibility for Internal Control (A-123) during  
fiscal year 2006. These requirements are applicable to the 24	 
Chief Financial Officer (CFO) Act agencies, including the	 
Department of the Treasury (Treasury), of which IRS is a	 
significant component. The objectives of our review, which was	 
conducted as part of our audit of IRS's fiscal year 2006	 
financial statements, were to determine whether (1) IRS 	 
appropriately planned and implemented its assessment of internal 
controls over financial reporting in accordance with the	 
requirements of OMB Circular No. A-123, (2) IRS performed	 
sufficient work to support its related assurance statement to	 
Treasury, and (3) IRS's assurance statement appropriately	 
represented the status of IRS's internal control over financial  
reporting.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-692R					        
    ACCNO:   A69771						        
  TITLE:     Management Report: IRS's First-Year Implementation of the
Requirements of the Office of Management and Budget's (OMB)	 
Revised Circular No. A-123					 
     DATE:   05/18/2007 
  SUBJECT:   Accounting procedures				 
	     Federal regulations				 
	     Financial records					 
	     Financial statement audits 			 
	     Financial statements				 
	     Information security				 
	     Internal controls					 
	     Policy evaluation					 
	     Reporting requirements				 
	     Strategic planning 				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-692R

   

     * [1]PDF6-Ordering Information.pdf

          * [2]Order by Mail or Phone

May 18, 2007

The Honorable Mark W. Everson
Commissioner of Internal Revenue

Subject: Management Report: IRS's First-Year Implementation of the
Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123

Dear Mr. Everson:

This letter summarizes our review of the Internal Revenue Service's (IRS)
implementation of the requirements of the Office of Management and
Budget's (OMB) revised Circular No. A-123, Management's Responsibility for
Internal Control (A-123)  during fiscal year 2006. These requirements are
applicable to the 24 Chief Financial Officer (CFO) Act agencies, including
the Department of the Treasury (Treasury), of which IRS is a significant
component. The objectives of our review, which was conducted as part of
our audit of IRS's fiscal year 2006 financial statements,^1 were to
determine whether (1) IRS appropriately planned and implemented its
assessment of internal controls over financial reporting in accordance
with the requirements of OMB Circular No. A-123, (2) IRS performed
sufficient work to support its related assurance statement to Treasury,
and (3) IRS's assurance statement appropriately represented the status of
IRS's internal control over financial reporting.

We performed our work from January through October 2006 as part of our
audits of IRS's fiscal years 2006 and 2005 financial statements. We
conducted our work in accordance with U.S. generally accepted government
auditing standards.

Results in Brief

IRS appropriately planned and implemented its first-year assessment of
internal controls over financial reporting in accordance with the
requirements of OMB Circular No. A-123 sufficient to support its assurance
statement to Treasury as of June 30, 2006. Overall, we were impressed by
IRS's commitment to the successful implementation of OMB Circular No.
A-123, and its diligent efforts to effectively execute the circular's
requirements. IRS's approach was indicative of management's recognition of
its responsibility for the integrity of the organization's internal
control structure and its desire to make the most of this process and
effectively resolve its internal control issues. However, full
implementation of the requirements of the revised OMB Circular No. A-123
at an agency as large and complex as IRS is a major undertaking that will
require a significant commitment of resources and several years to
achieve.

^1GAO, Financial Audit: IRS's Fiscal Years 2006 and 2005 Financial
Statements, GAO-07-136 (Washington, D.C.: Nov. 9, 2006).

As we noted in our report on our audit of IRS's fiscal year 2006 financial
statements and communicated to IRS during the course of our audit, we
identified several areas where IRS could enhance its A-123 review process.
Specifically, we found that IRS did not always clearly document procedures
performed or how test results were linked to the resultant conclusions. In
addition, although IRS was aware of the findings of audits performed by
GAO and the Treasury Inspector General for Tax Administration (TIGTA), we
did not always find documentation that these findings were consistently
utilized by IRS in planning its A-123 reviews. We also did not find
documentation that in planning its A-123 review, IRS appropriately
considered the most recent audit of the Department of Agriculture's
National Finance Center, which processes IRS's payroll transactions, or
the extent to which its own information security work conducted in
accordance with the Federal Information Security Management Act of 2002
(FISMA),^2 met the objectives of OMB Circular No. A-123. Identifying
existing reviews and audits related to internal controls over financial
reporting, determining the extent to which these efforts can be used to
complement the A-123 work, and assessing how that use might affect the
scope and nature of procedures to be performed are an important part of
the related planning process. Clearly documenting procedures conducted and
consideration of existing reviews and audits reduces the risk that IRS may
provide a degree of assurance on the effectiveness of its control over
financial reporting that is not warranted by existing conditions.

We also found that while the scope and nature of A-123 procedures
performed by IRS during fiscal year 2006 were appropriate in the
circumstances, as IRS's A-123 process moves to the next stage, additional
work will be required. We found that (1) the tests IRS conducted focused
on the execution of controls over individual transaction types, and have
not yet effectively addressed the design of controls; (2) IRS has not yet
tested controls over compliance with all significant
financial-reporting-related laws and regulations; and (3) information
security work IRS conducted under FISMA did not identify many of the
vulnerabilities we identified during our testing of its information
security as part of our fiscal year 2006 financial audit. Consequently,
IRS's A-123 process was not at a point where it would have identified all
of IRS's existing control deficiencies nor been sufficient to support an
unqualified statement of assurance as of June 30, 2006, had that been
appropriate in the circumstances. Also, once IRS is in a position to
support an unqualified assurance statement, it will become necessary for
it to conduct follow-up procedures during the last 3 months of the year
subsequent to the June 30 A-123 reporting date to support an unqualified
assurance statement as of September 30 to correspond with the date of our
opinion on the effectiveness of IRS's internal controls.

^2FISMA was enacted as Title III of the E-Government Act of 2002, Pub. L.
No. 107-347, 116 Stat. 2946 (Dec. 17, 2002).

Because IRS had four material weaknesses in its internal controls in
fiscal year 2006, the additional procedures that would be needed to
support unqualified assurance were not necessary. However, IRS is working
diligently to resolve its material weaknesses. As these issues are
resolved, the scope and nature of procedures IRS will need to perform will
gradually increase. As IRS continues to enhance its A-123 effort, it will
need to consider these issues and take appropriate steps to address them
in order to position it to support statements of unqualified assurance as
of June 30 and September 30 as will become appropriate at such time as IRS
fully resolves its material weaknesses.

This report contains seven recommendations intended to assist IRS in
strengthening its A-123 process as it continues to mature, so that once
the process is fully developed, IRS will be able to rely on it to identify
any existing material weaknesses or other significant control
deficiencies. In so doing, IRS will also position itself so that once its
existing material internal control weaknesses are resolved, it will be
able to rely on its A-123 process to support appropriate unqualified
statements of assurance as of June 30 and September 30.

In its comments, IRS agreed with our recommendations and described actions
it had taken or plans to take to address the issues we raised in this
report. At the end of our recommendations for executive action, we have
summarized IRS's related comments and provided our evaluation.

Scope and Methodology

In conducting our review of IRS's implementation of OMB Circular No.
A-123, we reviewed documentation and conducted discussions with IRS and
Treasury officials concerning how the A-123 process was planned,
implemented, summarized, and reported. Specifically, we reviewed and
discussed the following:

           o Treasury's and IRS's strategy and overall plans for implementing
           OMB Circular No. A-123 at IRS, including (1) how the process was
           to be organized, staffed, supervised, and conducted, and (2) how
           the results were to be summarized and reported, and appropriate
           corrective action plans developed and implemented;
           o Treasury's and IRS's selection of transaction processes
           considered material to IRS;
           o IRS's workpapers supporting its tests of controls over the 12 of
           the 45 transaction processes that we considered to be the most
           material to IRS's financial statements, including internal
           controls over tax revenue, tax refunds, taxes receivable,
           expenses, and budgetary transactions;
           o IRS's evaluation of entitywide controls, such as the overall
           control environment, integrity and ethical values, information and
           communications, and monitoring; and
           o IRS's A-123 assurance statement to Treasury and its relationship
           to the underlying work and results.

We also observed IRS's tests of internal controls over (1) tax revenue at
one service center campus and one Taxpayer Assistance Center, and (2) tax
refunds at one service center campus. Additional details on our scope and
methodology are included in our fiscal year 2006 financial statement audit
report.

Background

The passage of the Sarbanes-Oxley Act of 2002 (SOX)^3 served as an impetus
for the federal government to review its existing internal control
requirements.^4 SOX requires that management of publicly traded companies
strengthen their processes for assessing and reporting on their internal
control over financial reporting. Consistent with the intent of SOX, the
joint Chief Financial Officers Council (CFOC)^5 and President's Council on
Integrity and Efficiency (PCIE)^6 committee recommended that OMB Circular
No. A-123 be strengthened to require a more rigorous assessment of federal
agencies' internal control over financial reporting. OMB accepted this
recommendation and worked with the CFOC/PCIE working group to
significantly revise its Circular No. A-123.

OMB's revised Circular No. A-123, along with its related implementation
guide,^7 were effective for fiscal year 2006. OMB Circular No. A-123
provides specific requirements for the 24 major departments and agencies
covered under the Chief Financial Officers Act of 1990 (CFO Act)^8 to
follow in conducting management's assessment of the effectiveness of
internal control over financial reporting. The assessment process requires
(1) understanding the control environment including the financial
reporting process, (2) understanding the design of internal controls, (3)
identifying and evaluating significant classes of transactions and
assessing risks, and (4) testing controls to assess compliance. Based on
the results of the assessment process, each CFO Act agency is required to
prepare a statement asserting the effectiveness of its internal control
over financial reporting as of June 30 of each fiscal year, which is to be
included in the agency's Performance and Accountability Report (PAR).

^3Pub. L. No. 107-204, 116 Stat. 745 (July 30, 2002).

^4OMB Circular No. A-123, at App. A, Part 1, at p. 20 (rev. Dec 21, 2004).

^5The CFOC, established pursuant to the CFO Act of 1990 (Pub. L. No.
101-576, S 302, 104 Stat. 2838, 2848 [Nov. 15, 1990]), is an organization
of Chief Financial Officers (CFO) and Deputy CFOs of the largest Federal
agencies and senior officials of OMB and Treasury. The purpose of the
council is to advise and coordinate the activities of the agencies of its
members on such matters as consolidation and modernization of financial
systems, improved quality of financial information, financial data and
information standards, internal controls, legislation affecting financial
operations and organizations, and any other financial management matter.
The Deputy Director for Management of OMB is the CFOC's chair.

^6The PCIE--which is governed by Executive Order No. 12805 of May 11,
1992--was established to (1) address integrity, economy, and effectiveness
issues that transcend individual government agencies and (2) increase the
professionalism and effectiveness of inspectors general personnel
throughout the government. The PCIE is composed primarily of the
presidentially appointed inspectors general. Officials from OMB, the
Federal Bureau of Investigation, Office of Government Ethics, Office of
Special Counsel, and Office of Personnel Management serve on the PCIE as
well. The PCIE acts as a liaison with the CFOs by attending the CFOC
meetings and participating and planning joint meetings, sessions, and task
forces.

^7OMB, Implementation Guide for OMB Circular A-123, Management's
Responsibility for Internal Control. Appendix A, Internal Control Over
Financial Reporting (Washington, D.C.: July 2005).

^8Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 5, 1990). The 24 CFO Act
agencies are listed at 31 U.S.C. S 901(b).

IRS does not produce its own PAR. As a bureau of Treasury, however, IRS's
assurance statement is used by Treasury as a basis for its own assurance
statement, which is included in the department's PAR. The assurance
provided in this statement can take one of three forms: (1) unqualified
assurance, indicating that no material weaknesses were found, (2)
qualified assurance, indicating that one or more material weaknesses were
identified, or (3) a statement of no assurance, indicating that no
internal control process was in place or that pervasive material
weaknesses were found. Based on their A-123 assessment, agencies are
required to develop an appropriate corrective action plan to address any
control deficiencies identified. OMB Circular No. A-123 requires that
agencies document their control over financial reporting and the related
assessment process, including key decisions, the assessment methodology
and its implementation, the testing of controls and related results, and
any corrective action plan.

In fiscal year 2006, Treasury established the framework for the
implementation of the revised OMB Circular No. A-123 for all of its
bureaus, including IRS. This included establishing an overall
departmentwide implementation plan, identifying and documenting controls
significant to Treasury and assessing related risks, and establishing
milestones for implementation and completion of the A-123 process.
Treasury also established a threshold to determine which of the bureaus'
transactions were considered material to the department's consolidated
financial statements.^9 Based on this threshold, Treasury required its
bureaus to test controls over certain specific financial transactions.

Within this overall framework, IRS established a management structure
under the direction of the CFO to organize and oversee IRS's
implementation of OMB Circular No. A-123. Major elements of IRS's A-123
process included

           o developing an IRS's specific implementation guide for the
           implementation of OMB Circular No. A-123;
           o identifying transaction processes considered material to IRS
           that had not been identified by Treasury;
           o planning and conducting tests of controls over 45 transaction
           processes considered material to Treasury or IRS;
           o reviewing the effectiveness of entitywide controls, including
           the overall control environment, integrity and ethical values,
           information and communications, and monitoring; and
           o reviewing compliance with certain laws and regulations pertinent
           to financial reporting and internal control, including the Federal
           Financial Management Improvement Act of 1996 (FFMIA);^10 31 U.S.C.
           S 3512(c), (d), commonly referred to as the Financial Managers'
           Financial Integrity Act of 1982 (FIA); the CFO Act;  and FISMA.

^9Treasury determined that every Treasury's consolidated financial
statement line item greater than 1.5 percent of the section total is
material to Treasury. Further, if a bureau contributed 10 percent or more
of the balance of one of these material line items, Treasury directed that
the bureau must test the applicable process transaction controls for A-123
purposes.

^10Pub. L. No. 104-208, div. A, S101(f), title VIII, 110 Stat. 3009,
3009-389 (Sept. 30, 10996).

Based on the results of these procedures and considering the material
weaknesses reported by us in our previous audit of IRS's financial
statements,^11 IRS provided Treasury qualified assurance that its controls
over financial reporting were effective as of June 30, 2006.

IRS Successfully Implemented the Revised OMB Circular No. A-123 in Fiscal
Year 2006

IRS appropriately planned and implemented its assessments of internal
controls over financial reporting in accordance with the requirements of
OMB Circular No. A-123 sufficient to support its assurance statement to
Treasury as of June 30, 2006. We also noted that IRS elected to implement
this process using its own staff rather than contractors, thereby taking
advantage of the opportunity for IRS staff and management to gain a better
understanding of the intricacies of, and issues associated with, the
agency's complex internal control structure. This, in turn, better
positioned management and staff to benefit from the lessons learned
through this first year of implementation. This approach was indicative of
management's recognition of its responsibility for the integrity of the
organization's internal control structure and its desire to make the most
of this process and effectively resolve its internal control issues.

We also found that we were able to use some of the procedures performed by
IRS, such as its tests of entitywide controls and compliance with the
statutory requirement regarding the timing of tax lien releases, to
supplement or reduce the scope of our internal control testing conducted
as part of our audit of IRS's fiscal years' 2006 and 2005 financial
statements.

Full implementation of the requirements of the revised OMB Circular No.
A-123 at an agency as large and complex as IRS is a major undertaking that
will require a significant commitment of resources and several years to
achieve. Additionally, due to the presence of four material weaknesses in
internal controls as of September 30, 2005,^12 the scope and nature of the
A-123 work IRS needed to perform in fiscal year 2006 was significantly
less than would have been necessary had these reported weaknesses not
existed. In this context, we found that (1) IRS appropriately planned and
implemented its assessment of internal controls in accordance with the
requirements of OMB Circular No. A-123, (2) IRS performed sufficient work
to support its related assurance statement to Treasury, and (3) IRS's
assurance statement appropriately represented the status of IRS's internal
control over financial reporting.

Opportunities for IRS to Enhance the A-123 Process

While we found that IRS's first-year implementation of the revised OMB
Circular No. A-123 enabled it to fully support its June 30, 2006,
assurance statement, our review identified several opportunities to
enhance the process to better ensure that future reviews will fully
address the requirements of the revised OMB Circular No. A-123 as IRS's
implementation process continues to develop. Specifically, we identified
opportunities with respect to (1) the documentation of completed test
procedures and (2) the scope and nature of test procedures conducted.

^11GAO, Financial Audit: IRS's Fiscal Years 2005 and 2004 Financial
Statements, GAO-06-137 (Washington, D.C.: Nov. 10, 2005).

^12GAO-06-137.

Documentation of Test Procedures Conducted

We found that the conclusions IRS reached concerning the effectiveness of
its controls were appropriate. Nevertheless, IRS's documentation of the
results of certain specific transaction tests did not always clearly
indicate what internal control test procedures were performed or how
conclusions were reached. For example, IRS's summary of work on its tests
of invoice or voucher payment and approval noted that there were no errors
found, and concluded that controls were effective. However, the summary
also noted that IRS personnel found 3 errors in testing 45 sample items,
which appeared to indicate that controls were not effective.^13 Based on
discussions with IRS staff, we determined that although it was not
apparent from the documentation in the workpapers, the 3 errors noted were
actually not related to the control attributes being tested and hence, did
not affect the conclusion. However, such ambiguity and lack of clarity in
test documentation and its relationship to the related conclusions
increases the risk that conclusions may not reflect actual existing
control conditions.

As provided for in OMB Circular No. A-123, and in accordance with the
overall approach defined by Treasury, IRS used the results of existing
audits and reviews to supplement its testing. We found that, in its
remediation plans prepared in accordance with FIA, IRS considered the
findings of the audits of GAO and TIGTA. Also, we noted that several of
IRS's A-123 test plans incorporated procedures for consideration of prior
audits and reviews relevant to the controls being tested. However, IRS did
not always document how it considered these audits and reviews in
determining the nature, scope, and timing of procedures it planned to
conduct under OMB Circular No. A-123. For example, the IRS planning
documents and workpapers did not always document how it considered the
results of the following audits and reviews in formulating the nature,
scope, and timing of its test procedures: (1) GAO audits, such as our
prior audits of IRS's financial statements, (2) TIGTA audits or reviews
that may have been relevant to IRS's internal control over financial
reporting, or (3) its own information security work conducted under FISMA.
We also did not see documentation of IRS's consideration of the results of
the most recent audit of the controls over the Department of Agriculture's
National Finance Center, which IRS relies on to process its payroll
transactions. By consistently documenting how it considered these prior
audits and reviews, IRS would reduce the risk that it may (1) not
appropriately consider issues significant to IRS's internal control over
financial reporting, (2) place undue reliance on reviews whose scope and
methodology is not well suited to the objectives set out in OMB Circular
No. A-123, or (3) perform unnecessary duplicative work.

^13With a sample size of 45 items, the auditor concludes that if more than
one deviation is found, the controls being tested are not operating
effectively. GAO/PCIE, Financial Audit Manual, section 450.13, GAO-01-765G
(Washington, D.C.: July 2001).

Scope and Nature of Test Procedures Conducted

As noted above, the procedures conducted by IRS were adequate to support
the qualified assurance it provided as of June 30, 2006. However, as IRS
moves to an unqualified opinion on its internal control in the future, its
procedures will need to further evolve.

IRS's control testing approach was not yet at the stage that it fully
considered the design of control over financial reporting. Rather, the
approach was largely transaction based. Consequently, IRS's tests would
not likely have identified some of the significant systemic control design
deficiencies that we have reported in our audits of IRS's financial
statements, including IRS's lack of (1) a subsidiary ledger for taxes
receivable, (2) cost accounting capabilities necessary to readily
determine the costs of its activities and programs in multiple business
units, or (3) a U.S. Standard General Ledger-compliant general ledger for
its tax-related transactions. Because IRS had not yet fully considered the
design of internal control over financial reporting, the risk is increased
that in the absence of our annual audit of IRS's financial statements, it
may not identify all deficiencies in the design of its related controls.

As noted above, IRS reviewed compliance with FFMIA, FIA, the CFO Act, and
FISMA. IRS also tested compliance with the legal requirement that liens on
taxpayer property be released within 30 days of the satisfaction of the
debt.^14 However, IRS had not yet tested controls over compliance with
other significant financial-related laws and regulations. For example, its
testing did not address controls over compliance with the Anti-Deficiency
Act, as amended^15 or the Prompt Payment Act.^16 OMB Circular No. A-123
defines the scope of assessing and documenting internal control over
financial reporting to include compliance with laws and regulations.
However, since IRS did not test controls over compliance with several laws
and regulations significant to financial reporting, its management could
not have provided unqualified assurance regarding the design and operating
effectiveness of controls in this area, had that been warranted.

IRS's use of work it performed under FISMA to meet the requirements of OMB
Circular No. A-123 as it relates to information technology security
controls was permitted by A-123 and was in accordance with Treasury's
overall approach. Such use requires that the work be conducted in a manner
sufficient to meet the requirements of OMB Circular No. A-123, as well as
FISMA. However, we did not see evidence that IRS assessed whether the work
being conducted under FISMA was sufficient to meet the objectives set out
in OMB Circular No. A-123, for which the FISMA work was not originally
designed. Our review of IRS's information security conducted as part of
our fiscal year 2006 financial audit found weaknesses indicating that
IRS's FISMA work was not always sufficient to meet the related objectives
of the OMB circular. For example, as part of IRS's FISMA work, it tested
and evaluated security controls for each of the automated systems we
reviewed as part of our fiscal year 2006 financial audit.^17 However, we
found that IRS's FISMA testing did not address many of the vulnerabilities
we reported based on our work. For example, IRS's test and evaluation plan
for its procurement system did not include tests for password expiration,
insecure protocols, or removal of employees' system access after
separation from the agency. Consequently, the information security work
IRS conducted in accordance with FISMA did not identify many of the
vulnerabilities we identified during our audit of IRS's fiscal year 2006
financial statements, nor assess the risks associated with those
vulnerabilities. This increases the risk that IRS's information security
work conducted to comply with FISMA may not satisfy the related objectives
set out in OMB Circular No. A-123.

^1426 U.S.C. S 6325.

^15See 31 U.S.C. S 1341(a)(1) and 31 U.S.C. S 1517(a).

^16Codified, as amended, in part of at 31 U.S.C. S 3902(a), (b), and (f)
and 31 U.S.C. S 3904.

IRS did not perform procedures under OMB Circular No. A-123 during the
last 3 months of fiscal year 2006 to verify that the state of its internal
controls had not significantly changed since the date of its assurance
statement, which was June 30. OMB Circular No. A-123 does not require such
procedures, but does permit agencies to adjust the "as of" date of their
assurance statement if the agency is receiving a separate audit opinion on
its internal controls as of September 30. Given the four material
weaknesses in IRS's internal control that we had identified during our
audit of IRS's financial statements,^18 not testing internal control
during the fourth quarter did not affect IRS's assurance statement for
internal controls as of September 30, 2006.^19 In future years, at such
time as IRS has effectively resolved its existing material internal
control deficiencies, follow-up procedures to test controls during the
last 3 months of the fiscal year will become necessary in order for IRS to
assert that its internal controls are effective as of September 30.

As noted above, fiscal year 2006 was the first year IRS implemented the
requirements of the revised OMB Circular No. A-123, and this process will
likely take several more years to fully mature. As the process continues
to develop, IRS will need to overcome a number of significant challenges,
such as balancing the significant resource needs of this process with the
ongoing demands of its daily operations. In addition, many of the related
tasks, such as documenting internal controls, assessing related risks,
evaluating the design of controls, conducting appropriate tests of the
operating effectiveness of controls, evaluating and reporting the results
of these tests, and appropriately documenting these internal control
procedures, are skills typically associated with financial auditors.
Implementing OMB Circular No. A-123 has required IRS's staff to assume
responsibilities for which their prior training and operational experience
had typically not prepared them. As it continues to implement OMB Circular
No. A-123, IRS will need to successfully meet these challenges in order to
minimize the risk that, in the absence of our annual financial audit,
significant deficiencies in internal controls might exist and not be
identified in this process. Should this occur, IRS might provide a level
of assurance on the effectiveness of its internal controls not warranted
by existing conditions.

^17GAO, Information Security: Further Efforts Needed to Address
Significant Weaknesses at the Internal Revenue Service,  GAO-07-364
(Washington, D.C.: Mar. 30, 2007).

^18GAO-06-137.

^19In addition to its qualified A-123 statement of assurance on the
effectiveness of its internal control over financial reporting as of June
30, 2006, IRS also provided a statement of qualified assurance concerning
the effectiveness of its internal control over financial reporting,
compliance with laws and regulations, and performance reporting as of
September 30, 2006, in the management representation letter it provided to
us as part of our audit of IRS's fiscal year 2006 financial statements.
Due to the existence of four material weaknesses in IRS's internal
control, we rendered our opinion directly on the effectiveness of IRS's
internal control as of September 30, 2006, rather than on its assurance
statement. However, once our tests of IRS's internal control, including
control over financial reporting, determine that IRS has resolved all its
material weaknesses and IRS provides the related unqualified statement of
assurance on its overall internal control as of September 30, we will
render our opinion on IRS's internal control based on the appropriateness
of IRS's assurance statement.

Conclusion

IRS did a commendable job in its first-year implementation of the
requirements of the revised OMB Circular No. A-123. IRS's decision to rely
on its own staff to conduct this work, while presenting challenges in the
short term, also has the potential to pay significant dividends in the
future in terms of IRS's ability to make effective use of its A-123
findings to improve operations. As IRS moves forward, it should work to
enhance the documentation of the procedures it performs. In addition,
while IRS's A-123 process in fiscal year 2006 was adequate to support its
June 30, 2006, assurance statement to Treasury, it is important to
recognize that additional work will be needed to provide the unqualified
assurance statement that will become appropriate once IRS has addressed
the long-standing material weaknesses it is currently confronting. IRS is
working diligently to correct its material weaknesses. It is therefore
important that as IRS continues to make progress in this regard, it also
enhance its A-123 process to be better positioned to support an
unqualified statement of assurance on the effectiveness of its internal
control over financial reporting once its material weaknesses have been
resolved.

Recommendations for Executive Action

To assist IRS in strengthening its implementation of A-123 reviews in
future years, we recommend that IRS

           o document the results of internal control tests conducted in a
           manner sufficiently clear and complete to explain how control
           procedures were tested, what results were achieved, and how
           conclusions were derived from those results, without reliance on
           supplementary oral explanation;

           o clearly document how it considered existing reviews and audits
           in determining the nature, scope, and timing of procedures it
           planned to conduct under its A-123 process;

           o to the extent that it intends to use the information security
           work conducted under FISMA to meet related A-123 requirements,
           identify the areas where the work conducted under FISMA does not
           meet the requirements of OMB Circular No. A-123 and, considering
           the findings and recommendations of our work on IRS's information
           security, expand FISMA procedures or perform additional procedures
           as part of the A-123 reviews to augment FISMA work;

           o revise test plans to include appropriate consideration of the
           design of internal controls in addition to implementation of
           controls over individual transactions;

           o work with Treasury to identify laws and regulations that are
           significant to financial reporting, test controls over compliance
           with those laws and regulations, and evaluate and report on the
           results of such control reviews;

           o begin devising appropriate A-123 follow-up procedures for the
           last 3 months of the fiscal year to be implemented once the
           material weaknesses identified through the annual financial
           statement audits have been resolved; and

           o provide A-123 review staff appropriate training, such as that
           available for financial auditors, to enhance their skills in
           workpaper documentation, identification and testing of internal
           controls, and evaluation and documentation of results.

Agency Comments and Our Evaluation

In commenting on a draft of this report, IRS agreed with our
recommendations and expressed its appreciation that we acknowledged the
agency's commitment and diligence in implementing the revised OMB Circular
No. A-123 requirements during fiscal year 2006. IRS noted that it had
established a credible A-123 program and used the results of the tests
conducted to improve IRS's internal control environment.

IRS agreed with our recommendations to clearly document the results of
tests conducted and how it considered existing reviews and audits in
determining the extent of its test procedures, and to provide staff
involved in the A-123 review process with appropriate training. IRS
indicated that it had provided enhanced training to testers and reviewers
in preparation for its fiscal year 2007 A-123 process covering such
aspects as evaluating audit evidence, preparing workpapers, reviewing and
evaluating internal controls, and evaluating the materiality of errors.
IRS also agreed with our recommendation that it should revise its test
plans to include an appropriate consideration of the design of internal
controls in addition to implementation of controls over individual
transactions. IRS stated that it will include such analysis of the design
for each transaction set tested in its fiscal year 2008 A-123 process.

IRS also agreed with our recommendation that it identify the areas where
its work conducted under FISMA does not meet A-123 requirements, and
either expand FISMA procedures or perform additional procedures as part of
the A-123 reviews to augment its FISMA work. IRS stated that it will
continue to work with Treasury and us to improve its FISMA procedures or
A-123 test plans.

Additionally, IRS agreed with our recommendation that it work with
Treasury to identify laws and regulations that are significant to
financial reporting, test controls over compliance with laws and
regulations, and evaluate and report on the results of such control
reviews. IRS indicated that it has performed an initial crosswalk of laws
and regulations significant to financial reporting during fiscal year 2007
and will further refine this linkage in preparation for the fiscal year
2008 A-123 process. Finally, IRS agreed with our recommendation that it
devise appropriate A-123 follow-up procedures for the last three months of
the fiscal year to be implemented once the material weaknesses identified
through the annual financial statement audits have been resolved. IRS
stated that in fiscal year 2008, it will begin to develop follow-up
procedures that provide assurance for the last three months of the fiscal
year. We will evaluate the effectiveness of IRS's efforts in addressing
our recommendations during our future audits of IRS financial statements.

                                   - - - - -

This report contains recommendations to you. The head of a federal agency
is required by 31 U.S.C. S 720 to submit a written statement on actions
taken on these recommendations. You should submit your statement to the
Senate Committee on Homeland Security and Governmental Affairs and the
House Committee on Oversight and Government Reform within 60 days of the
date of this report. A written statement must also be sent to the Senate
and House Committees on Appropriations with the agency's first request for
appropriations made more than 60 days after the date of the report.

This report is intended for use by the management of IRS. We are sending
copies to the Chairmen and Ranking Minority Members of the Senate
Committee on Appropriations; Senate Committee on Finance; Senate Committee
on Homeland Security and Governmental Affairs; Subcommittee on Taxation
and IRS Oversight, and Long-Term Growth, Senate Committee on Finance;
House Committee on Appropriations; House Committee on Ways and Means; and
House Committee on Oversight and Government Reform. We are also sending
copies of this report to the Chairman and Vice Chairman of the Joint
Committee on Taxation, the Secretary of the Treasury, the Director of OMB,
the Chairman of the IRS Oversight Board, and other interested parties.
Copies will be made available to others upon request. In addition, the
report is available at no charge on GAO's Web site at
http://www.gao.gov .

We acknowledge and appreciate the cooperation and assistance provided by
IRS officials and staff during our review. If you have any questions or
need assistance in addressing these matters, please contact me at (202)
512-3406 or [email protected] . GAO staff who made major contributions
to this report are listed in enclosure III.

Sincerely yours,

Steven J. Sebastian
Director
Financial Management and Assurance

Enclosures

Enclosure I:  Comments from the Department of the Treasury

Enclosure II:  Staff Acknowledgments

Acknowledgments

The following individuals made major contributions to this report: Charles
Fox, Assistant Director; Charles Ego; Nina Crocker; John Davis; Ted Hu;
Jerrod O'Nelio; John Sawyer; Angel Sharma; Cynthia Teddleton; and Truc
Tuck.

(196151)

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

*** End of document. ***