Management Report: Improvements Needed in IRS's Internal Controls
(04-JUN-08, GAO-08-368R).					 
                                                                 
In November 2007, we issued our report on the results of our	 
audit of the Internal Revenue Service's (IRS) financial 	 
statements as of, and for the fiscal years ending, September 30, 
2007, and 2006, and on the effectiveness of its internal controls
as of September 30, 2007. We also reported our conclusions on	 
IRS's compliance with significant provisions of selected laws and
regulations and on whether IRS's financial management systems	 
substantially comply with the requirements of the Federal	 
Financial Management Improvement Act of 1996 (FFMIA). The purpose
of this report is to discuss issues identified during our audit  
of IRS's financial statements as of, and for the fiscal year	 
ending, September 30, 2007, regarding internal controls that	 
could be improved for which we currently do not have a specific  
recommendation outstanding. Although not all of these issues were
discussed in our fiscal year 2007 audit report, they all warrant 
management's consideration. This report contains 24		 
recommendations that we are proposing IRS implement to improve	 
its internal controls. We will issue a separate report on the	 
implementation status of recommendations from our prior IRS	 
financial audits and related financial management reports,	 
including this one. We conducted our audit in accordance with	 
U.S. generally accepted government auditing standards.		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-368R					        
    ACCNO:   A82258						        
  TITLE:     Management Report: Improvements Needed in IRS's Internal 
Controls							 
     DATE:   06/04/2008 
  SUBJECT:   Access control					 
	     Accounting procedures				 
	     Contract oversight 				 
	     Data collection					 
	     Data integrity					 
	     Documentation					 
	     Federal regulations				 
	     Financial management				 
	     Financial management systems			 
	     Financial statement audits 			 
	     Financial statements				 
	     Internal controls					 
	     Policy evaluation					 
	     Program evaluation 				 
	     Program management 				 
	     Records management 				 
	     Tax administration systems 			 
	     Tax information confidentiality			 
	     Tax return audits					 
	     Taxpayers						 
	     Human capital management				 
	     Employees						 
	     Staff utilization					 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-368R

This is the accessible text file for GAO report number GAO-08-368R 
entitled 'Management Report: Improvements Needed in IRS's Internal 
Controls' which was released on June 4, 2008.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected]. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO-08-368R: 

United States Government Accountability Office: 
Washington, DC 20548: 

June 4, 2008: 

The Honorable Douglas H. Shulman:
Commissioner of Internal Revenue: 

Subject: Management Report: Improvements Needed in IRS's Internal 
Controls: 

Dear Mr. Shulman: 

In November 2007, we issued our report on the results of our audit of 
the Internal Revenue Service's (IRS) financial statements as of, and 
for the fiscal years ending, September 30, 2007, and 2006, and on the 
effectiveness of its internal controls as of September 30, 2007. 
[Footnote 1] We also reported our conclusions on IRS's compliance with 
significant provisions of selected laws and regulations and on whether 
IRS's financial management systems substantially comply with the 
requirements of the Federal Financial Management Improvement Act of 
1996 (FFMIA). 

The purpose of this report is to discuss issues identified during our 
audit of IRS's financial statements as of, and for the fiscal year 
ending, September 30, 2007, regarding internal controls that could be 
improved for which we currently do not have a specific recommendation 
outstanding. Although not all of these issues were discussed in our 
fiscal year 2007 audit report, they all warrant management's 
consideration. This report contains 24 recommendations that we are 
proposing IRS implement to improve its internal controls. We will issue 
a separate report on the implementation status of recommendations from 
our prior IRS financial audits and related financial management 
reports, including this one. We conducted our audit in accordance with 
U.S. generally accepted government auditing standards. 

Results in Brief: 

During our audit of IRS's fiscal year 2007 financial statements, we 
identified several internal control matters not addressed by previous 
recommendations. These matters concern the following: 

* Summary information reported in the Interim Revenue Accounting 
Control System (IRACS), IRS's general ledger system for tax-related 
transactions, could not be traced to the underlying detailed 
transaction records. 

* Supervisory review procedures for IRS's unpaid assessments estimation 
process were not effective in preventing or detecting errors. 

* Controls over computer programs affecting penalty assessments did not 
ensure that the programs always functioned in accordance with IRS's 
policies and procedures. 

* Documentation of off-site Taxpayer Assistance Center (TAC) managers' 
reviews was not always readily available and, when provided, lacked the 
information needed to effectively assess the internal control 
environment at 5 of the 10 TACs we visited.[Footnote 2] In addition, 
these managers lacked clear, comprehensive, and up-to-date guidance for 
conducting and documenting TAC reviews. 

* Computer access rights of employees responsible for processing cash 
deposits were not properly restricted to prevent unauthorized 
adjustments to certain taxpayer account information at 4 of the 10 TACs 
we visited. 

* First responders to duress alarms were not always qualified or 
located to effectively respond to emergencies at 5 of the 10 TACs we 
visited. 

* Documentary evidence demonstrating that background investigations-- 
with favorable results--had been completed for contractors before they 
were given unescorted access to the facilities was not obtained at six 
TACs and three field offices[Footnote 3] we visited. 

* Documentary evidence that background investigations--with favorable 
results--had been completed for contractors working at off-site 
shredding facilities was not obtained before they were given access to 
taxpayer and sensitive information. IRS also was not performing 
periodic, unannounced inspections of these facilities. 

* New policies and procedures for hiring juveniles were not fully 
implemented. 

* Evidence of supervisory reviews of documentation demonstrating 
compliance with key controls related to the processing of Tax Exempt/ 
Government Entity (TE/GE) user fees was lacking.[Footnote 4] 

* Key controls over IRS's purchase card program were not adequate. 

* Information on new assets was not always recorded in IRS's property 
and equipment inventory system within required time frames. 

* Travel authorizations for employees were not always approved before 
travel was initiated. 

These internal control matters increase the risk that IRS may fail to 
prevent or timely detect (1) errors in financial data and reporting, 
computer-generated penalty assessments, and user fee processing; (2) 
the loss, theft, or misuse of taxpayer receipts, information, and 
government property; (3) improper or fraudulent procurement; and (4) 
unauthorized travel. 

At the end of our discussion of each of the internal control matters in 
the following sections, we make recommendations for strengthening IRS's 
internal controls. These recommendations are intended to bring IRS into 
conformance with IRS's policies or with the Standards for Internal 
Control in the Federal Government, or both.[Footnote 5] 

In its comments, IRS agreed with our recommendations and described 
actions it had taken or planned to take to address the control 
weaknesses described in this report. At the end of our discussion of 
each of the issues in this report, we have summarized IRS's related 
comments and provide our evaluation. We have also reprinted IRS's 
comments in enclosure II. 

Scope and Methodology: 

This report addresses issues we observed during our audit of IRS's 
fiscal years 2007 and 2006 financial statements. As part of our audit, 
we tested IRS's internal controls and its compliance with selected 
provisions of laws and regulations. We designed our audit procedures to 
test relevant controls, including those for proper authorization, 
execution, accounting, and reporting of transactions. To assess 
internal controls related to safeguarding taxpayer receipts and 
information, we visited 5 service center campuses, 4 lockbox banks, 10 
TACs, and 4 field offices. We conducted our fieldwork between January 
2007 and November 2007. 

Further details on our audit scope and methodology are included in our 
report on the results of our audits of IRS's fiscal years 2007 and 2006 
financial statements.[Footnote 6] Additionally, details on our 
methodology are reproduced in their entirety in enclosure I. 

Interim Revenue Accounting Control System: 

During our audit of IRS's fiscal year 2007 financial statements, we 
found that balances reported in IRS's core general ledger system for 
reporting tax-related transactions are not traceable to source 
documents for underlying transactions, and reported this issue as a 
component of the material weakness in IRS's financial reporting 
process.[Footnote 7] This system, the Interim Revenue Accounting 
Control System (IRACS), does not appropriately document, or permit 
independent verification, that the transactions it reports were 
recorded in conformance with the posting requirements of the U.S. 
Government Standard General Ledger (SGL). As a result, IRACS does not 
substantially comply with the (1) SGL at the transaction level or (2) 
Federal Financial Management Systems Requirements (FFMSR) as embodied 
in the Office of Management and Budget (OMB) Circular No. A-127, 
Financial Management Systems. Thus, it did not comply with the 
requirements of the Federal Financial Management Improvement Act of 
1996 (FFMIA).[Footnote 8] The transactions recorded in IRACS primarily 
consist of tax revenue, tax refunds, and unpaid tax assessments, 
including taxes receivable. Taxes receivable accounts for over 80 
percent of the assets IRS reports on its balance sheet, and tax 
revenues and related refunds preponderantly account for the activity 
IRS reports on its Statement of Custodial Activity. However, since its 
inception in October 1984, IRACS's reported balances have not been 
supported by audit trails traceable to source documents for individual 
transactions. 

FFMSR require application of the SGL at the transaction level and state 
that conformance requires, among other items, that transaction detail 
for SGL accounts be readily available in the financial management 
system and traceable to specific SGL account codes. Similarly, internal 
control standards require that all transactions and other significant 
events be clearly documented, and that the documentation be readily 
available for examination. However, IRACS does not conform to these 
standards because tax revenue and tax refund transactions are posted to 
it at a summary level, and are not traceable from IRACS to underlying 
supporting transaction records. Consequently, in order to assure that 
IRACS balances reported in the financial statements for revenue and 
refunds are supported by transaction detail in taxpayer accounts, IRS 
must first compare IRACS to its master files to demonstrate that they 
materially agree, and then trace individual items back from the master 
files to underlying documentation.[Footnote 9] In addition, IRS's 
balance for taxes receivable, which accounted for over 83 percent of 
IRS's total assets on its balance sheet as of September 30, 2007, was 
derived from a complex statistical estimation process rather than the 
traditional posting of individual transactions. Consequently, IRS's 
taxes receivable were neither posted to IRACS nor traceable to 
underlying transaction detail. 

During fiscal year 2006, IRS implemented the first phase of the 
Custodial Detail Data Base (CDDB), which is an automated system that 
IRS ultimately intends will provide transaction traceability for all of 
its tax-related transactions. As part of its progress toward this goal, 
IRS informed us that during fiscal year 2008, it added trace 
identification numbers to revenue and refund transactions to provide 
the traceability required by FFMSR. We will follow-up during our audit 
of IRS's fiscal year 2008 financial statements to assess the 
effectiveness of this approach. However, it is unclear when IRS will 
achieve similar traceability for its more complex taxes receivable 
transactions. 

Recommendation: 

We recommend that you direct appropriate IRS officials to verify that 
when it becomes fully operational, CDDB, when used in conjunction with 
IRACS, will provide IRS with the direct transaction traceability for 
all of its tax-related transactions as required by the SGL and FFMSR, 
and thus FFMIA. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendation and stated it will verify that 
summary tax revenue, tax refunds, and unpaid assessments recorded in 
IRACS are directly traceable to transactions in CDDB when it is fully 
implemented by September 30, 2009. We will evaluate the effectiveness 
of IRS's efforts after they are fully implemented during future audits. 

IRS's Unpaid Assessments Estimation Process: 

During our fiscal year 2007 financial audit, we identified errors in 
IRS's unpaid assessments[Footnote 10] estimation process that its 
internal review procedures either did not detect or did not detect in a 
timely manner. As we have reported previously,[Footnote 11] IRS lacks a 
detailed listing, or subsidiary ledger, that tracks and accumulates 
unpaid assessments and their status on an ongoing basis. This is a 
primary reason we have been reporting a long-standing material internal 
control weakness with respect to IRS's unpaid assessments. 
Consequently, IRS must rely on a labor-intensive compensating 
estimation process to report balances for taxes receivable and other 
unpaid assessments in its financial statements and supplemental 
information. This estimation process involves a combination of: (1) 
computer programs, (2) statistical sampling, (3) manual case file 
review, (4) statistical projections, and (5) the use of spreadsheets to 
compile results and to roll forward the results to fiscal year-end. 

Strong controls over its estimation process are critical to IRS's 
ability to report a reliable balance for the largest component of its 
balance sheet. However, we found several errors that were not detected 
by its internal reviews. Specifically, we found that IRS personnel did 
the following: 

* They did not include all taxes receivable account modules[Footnote 
12] in the population from which the taxes receivable sample was 
selected. Although IRS did identify this error, it did not do so until 
after it had begun obtaining the source documentation for the sample to 
conduct the manual case file reviews. Since it had already expended 
significant resources to obtain the source documents, IRS chose to 
select and test an additional sample from the omitted subpopulation 
rather than reselecting the taxes receivable sample from the population 
of all taxes receivable account modules. This increased the total 
number of cases its staff had to review.[Footnote 13] Consequently, IRS 
expended additional resources to retrieve documents and to review 
additional case files. 

* IRS personnel made a $2,000 data entry error when entering the case 
file review results into the statistical projection computer program, 
resulting in an overstatement of the projected error in the write-off 
population of approximately $10 million. 

* IRS personnel erroneously deducted $2.6 billion when calculating the 
fiscal year-end write-off balance, understating the write-off amount 
that would have been reported in its supplemental information by $2.6 
billion. 

We also found that IRS currently does not have documented procedures 
detailing the steps that its statistician should perform throughout the 
process, nor does it have documented procedures supervisors should 
perform as part of their reviews. Due to the complexity of the 
estimation process, officials responsible for reviewing IRS's unpaid 
assessments statistical estimates require documented detailed 
procedural guidance to assist them in performing effective and timely 
reviews. 

Internal control standards require internal control and all 
transactions and other significant events to be clearly documented, and 
the documentation to be readily available for examination. Such 
documentation should appear in management directives, administrative 
policies, or operating manuals. Furthermore, internal control standards 
require that qualified and continual supervision be provided to ensure 
that internal control objectives are achieved. The lack of clear, 
documented procedures for the preparation and review of IRS's unpaid 
assessments estimation process inhibits effective supervisory review. 
The lack of effective supervisory review, in turn, increases the risk 
that errors made in the preparation of IRS's unpaid assessments 
estimates will not be detected or detected in a timely manner, 
increasing the risk that inaccurate amounts will be reported in its 
financial statements. 

According to IRS officials, the various aspects of its estimation 
process undergo supervisory review. Nevertheless, these officials could 
not explain why this review did not detect the errors we identified. In 
addition, the lack of detailed guidance describing the procedures the 
statistician should perform in the unpaid assessments estimation 
process and detailed review procedures for supervisors increase the 
risk that errors will not be detected and that erroneous balances will 
be reported in IRS's financial statements. 

Recommendations: 

We recommend that you direct appropriate IRS officials to do the 
following: 

* Document and implement the specific procedures to be performed by the 
statistician in each step of the unpaid assessments estimation process. 

* Document and implement specific detailed procedures for reviewers to 
follow in their review of unpaid assessments statistical estimates. 
Specifically, IRS should require that a detailed supervisory review be 
performed to ensure: (1) the statistical validity of the sampling 
plans, (2) data entered into the sample selection programs agree with 
the sampling plans, (3) data entered into the statistical projection 
programs agree with IRS's sample review results, (4) data on the 
spreadsheets used to compile the interim projections and roll-forward 
results trace back to supporting statistical projection results, and 
(5) the calculations on these spreadsheets are mathematically correct. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning documented procedures 
for preparing and reviewing its unpaid assessments statistical 
estimates. IRS stated that by June 30, 2008, it will document 
procedures to be (1) performed by the statistician in each step of the 
unpaid assessments estimation process and (2) followed by reviewers 
during their review of the unpaid assessments statistical estimates. We 
will evaluate the effectiveness of IRS's efforts in this area during 
our audit of IRS's fiscal year 2008 financial statements. 

Computer Programs Affecting Penalty Assessments: 

IRS's controls over computer programs affecting penalty assessments did 
not always ensure that the programs were designed or functioned in 
accordance with the intent of established policies and procedures. 

The Internal Revenue Code (IRC)[Footnote 14] grants IRS broad authority 
to assess penalties against taxpayers for noncompliance with tax laws 
such as failing to file a tax return, failing to pay taxes owed, or 
inaccurately reporting taxes. IRS establishes the specific policies and 
procedures for calculating and assessing penalties in its Internal 
Revenue Manual (IRM).[Footnote 15] In accordance with the IRM, IRS's 
business operating divisions work with its Modernization and 
Information Technology Services to implement computerized programs 
within its master files[Footnote 16] to calculate and assess penalties 
against taxpayers in relation to unpaid tax assessments or violations 
of the tax laws. Our tests of penalty and interest transactions in each 
of the past 2 years have identified issues that, while not a violation 
of the IRC, resulted in IRS making modifications to computer programs 
affecting penalty assessments. 

During our fiscal year 2007 IRS financial audit, we found that IRS did 
not apply the same rule for assigning the effective date of accuracy 
penalties against business and individual taxpayers. The IRC authorizes 
IRS to assess taxes and penalize taxpayers if taxpayers substantially 
underreport their income tax liability.[Footnote 17] If IRS determines 
that a taxpayer substantially underreported the amount of taxes owed, 
it can assess the taxpayer an accuracy penalty and a failure-to-pay 
penalty, along with the additional taxes owed. Since IRS makes this 
determination on examining the taxpayer's return, the assessment of the 
additional taxes due and the related penalties occurs later than the 
due date of the tax return. When IRS assesses a business an accuracy 
penalty, the computer program in its Business Master File (BMF) assigns 
the effective date of the accuracy penalty to match the due date of the 
original tax return. However, when IRS assesses the same type of 
penalty against an individual taxpayer, the computer program in its 
Individual Master File (IMF) assigns the effective date of the accuracy 
penalty to match the date of the subsequent additional tax assessment. 

The date assigned as the effective date of the accuracy penalty is 
significant because it ultimately affects the amount of the associated 
failure to pay penalty[Footnote 18] that IRS assesses against the 
taxpayers. IRS policies generally require that taxpayer payments first 
be applied to reduce assessed tax until it is fully paid off, then to 
reduce assessed penalties, and finally to reduce assessed interest. 
However, IRS policies also allow it to apply taxpayer payments to pay 
off penalties before the assessed tax if payment is made before the 
subsequent deficiency tax assessment (deficiency assessment).[Footnote 
19] The failure-to-pay penalty program uses the posted transaction date 
of a penalty to determine the effective date of that penalty. BMF uses 
the return due date as the transaction date for the accuracy penalty, 
while IMF uses the deficiency assessment date. Consequently, if, as in 
the case of the BMF, the effective date of the accuracy penalty is the 
due date of the original tax return, any taxpayer payments received 
prior to a deficiency assessment and a related accuracy penalty 
assessment are applied first to this penalty before they are applied to 
the deficiency assessment. In contrast, for IMF taxpayer accounts, any 
taxpayer payments received are applied first to the deficiency 
assessment because the accuracy penalty has the same effective date as 
this deficiency assessment. The result is that, for individuals, 
payments received before the effective date of the deficiency 
assessment will always reduce the deficiency assessment before reducing 
the accuracy penalty while, for businesses, those payments will first 
reduce the accuracy penalty, then the deficiency assessment, when the 
failure-to-pay is computed. Because of the inconsistent way that 
transaction dates are assigned to the accuracy penalty between the BMF 
and the IMF, businesses are assessed a higher failure-to-pay penalty 
than individuals if they prepay part of the additional assessments but 
fail to pay the balance by the date indicated on the notice and demand 
for payment. 

Neither the IRC nor the IRM specifically addresses the assignment of 
effective dates for accuracy penalties. After we brought the 
inconsistency we identified to their attention, IRS officials 
determined that it would treat business and individual taxpayers the 
same when assigning the effective date of an accuracy penalty, and that 
the date of the deficiency assessment would be used as the effective 
date of the accuracy penalty for both. 

During our fiscal year 2006 financial audit,[Footnote 20] we also 
identified and previously reported a computer program error that 
overassessed penalties against some taxpayers.[Footnote 21] Internal 
control standards require agencies to establish controls to enforce 
adherence to management policies and procedural requirements. In each 
of the above situations, IRS was unaware of the issues until we 
identified them, and then it agreed that modifications to the computer 
programs were needed. Although we determined that neither of these two 
conditions constituted a violation of the IRC, the condition we 
identified in fiscal year 2007 resulted in different treatment among 
taxpayers, while the condition we identified in fiscal year 2006 
resulted in the overassessment of penalties against some taxpayers. 
According to IRS officials, these issues date back to when these 
programs were initially implemented in the 1980s. Consequently, IRS did 
not have adequate procedures in place to ensure that programs affecting 
penalty calculations were designed and functioning in accordance with 
management policies and procedures. 

IRS has instituted additional internal control procedures to ensure 
that current computer programs are designed and function in accordance 
with the intent of IRS policies and procedures. However, until mid- 
2007, IRS had not implemented any processes or procedures to review 
existing computer programs to ensure they were functioning in 
accordance with IRS policies. According to IRS officials, IRS formed a 
task force in August 2007 to initiate a broad-based review of the 
various programs affecting penalty calculations in its master files. 
These officials informed us that they have identified other issues that 
may require additional changes to existing programs in its master files 
that affect penalty assessments. Until IRS completes a comprehensive 
review of its computer programs affecting penalty assessments to verify 
that these programs are designed and functioning in accordance with its 
policies, it will continue to be at risk that its computer programs may 
not function as intended by its established policies, which could 
result in inequitable treatment of taxpayers or potential lost revenue 
to the federal government. 

Recommendations: 

To address the inconsistency in assigning the effective date of an 
accuracy penalty, we recommend that you direct the appropriate IRS 
officials to modify the BMF computer program so that the date of the 
deficiency assessment is used as the effective date of any related 
accuracy penalty. 

To address other issues that may exist in IRS's master files that 
affect penalty calculations, we recommend that you direct appropriate 
IRS officials to do the following: 

* Complete and document the review of existing programs in the master 
files that affect penalty calculations to identify any instances in 
which programs are not functioning in accordance with the intent of the 
IRM. 

* In instances where programs are not functioning in accordance with 
the intent of the IRM, take appropriate action to correct the programs 
so that they function in accordance with the IRM. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning computer programs 
affecting penalty assessments. IRS plans to complete its ongoing review 
of the master file programs to identify instances where they are not 
functioning in accordance with the intent of the IRM by July 31, 2008. 
We will evaluate the results of IRS's study as part of our fiscal year 
2008 audit. IRS also stated that it will not be able to implement 
changes to the BMF computer program to establish the date of the 
deficiency assessment as the effective date of any related accuracy 
penalty until July 31, 2009. We will evaluate the effectiveness of 
IRS's efforts after they are fully implemented during future audits. 

Reviews Performed by Off-site Taxpayer Assistance Center Managers: 

During our fiscal year 2007 financial audit, we found that the 
documentation maintained by IRS to summarize managerial visits by off- 
site taxpayer assistance center (TAC) managers was not always readily 
available and, when provided, did not address whether the visits 
determined whether key controls and policies governing the safeguarding 
of taxpayer receipts and information were operating as intended. 
Additionally, the documentation of their visits did not include 
evidence showing whether previously identified weaknesses were 
addressed. This occurred because TAC managers were not provided clear 
and comprehensive guidance instructing them to cover these key controls 
and policies during their reviews and how to document the results of 
these reviews. We also found that TAC managers were not always aware of 
recent IRM updates. As a result, IRS lacks assurance that the scope and 
content of these reviews are sufficient to achieve management's 
objectives, and their utility as a tool to facilitate timely and 
effective resolution of any issues identified is impaired. 

Some TACs do not have an on-site TAC manager to provide day-to-day 
supervision of personnel and monitoring of daily activities. In such 
cases, IRS policy requires that a designated off-site TAC manager 
periodically visit and perform various supervisory reviews intended to 
ensure that operations are performed according to applicable IRS 
policies and procedures outlined in the IRM. However, during our audit, 
we found the following: 

* At the five TACs we visited that were managed by an off-site manager, 
documentation supporting the TAC managers' routine reviews was not 
readily available and did not address controls intended to safeguard 
taxpayer receipts and information nor the status of previously 
identified issues. 

* TAC managers did not have clear and comprehensive guidance 
instructing them both to review, and how to review, key controls 
designed to (1) prevent unauthorized access to the TAC; (2) process and 
protect taxpayer receipts present in the TAC; and (3) safeguard 
taxpayer receipts and related taxpayer information during transit from 
one IRS location to another. In addition, there was no guidance clearly 
instructing the managers how to document the results of their reviews. 

* TAC managers and their supervisors were either unaware of the July 
2006 IRM update or were unaware of the specific procedures it required. 

Internal control standards require agencies to establish controls to 
enforce adherence to management policies and procedural requirements, 
such as management review, to create and maintain records providing 
evidence that these controls are executed, and to assure that ongoing 
monitoring occurs to assess the quality of performance over time. These 
monitoring controls include ongoing management and supervisory 
activities, comparisons, and reconciliations. However, if TAC managers 
are not adequately documenting reviews, are not provided clear guidance 
for conducting reviews, and are not aware of updated IRM requirements 
and procedures, IRS cannot be assured that the internal controls over 
this activity are being effectively carried out. This, in turn, 
increases the risk that IRS will not timely detect or prevent the 
theft, loss, or unauthorized accessing of taxpayer receipts and 
information. 

Recommendations: 

We recommend that you direct appropriate IRS officials to do the 
following: 

* Develop and provide comprehensive guidance to assist TAC managers in 
conducting reviews of outlying TACs and documenting the results. This 
guidance should include a description of the key controls that should 
be in place at outlying TACs, specify how often these key controls 
should be reviewed, and specify how the results of each review should 
be documented, including follow-up on issues identified in previous TAC 
reviews. 

* Establish a process to periodically update and communicate the 
specific required reviews for all off-site TAC managers. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning the need to develop and 
better communicate updated guidance to help off-site TAC managers 
conduct reviews of outlying TACs. IRS stated that it would update the 
IRM to include (1) the expectation that Area Directors are responsible 
and accountable for the oversight of all TAC activities, and (2) the 
requirement to maintain documentation of managerial reviews. IRS 
indicated that Field Assistance will use the remittance and security 
database to validate that all required reviews are complete, and it 
will include directions related to this issue in the field operational 
reviews at the group, area, and territory levels by July 31, 2008. IRS 
also stated that the Director, Field Assistance, will issue a quarterly 
reminder for the required reviews beginning in July 2008. We will 
verify the changes to IRS guidance during our audit of IRS's fiscal 
year 2008 financial statements and evaluate the effectiveness of IRS's 
efforts during future audits. 

Computer Access Rights of Employees Accepting Cash Payments: 

During our fiscal year 2007 financial audit, we found that at 4 of the 
10 TACs we visited, TAC managers did not always properly restrict the 
computer access rights of those employees who had the authority to 
accept cash payments from taxpayers. By not ensuring that the computer 
access rights of employees responsible for accepting cash payments from 
taxpayers have been appropriately restricted, IRS increases the risk of 
loss, theft, or misappropriation of such receipts. 

The IRM requires that for TAC employees who receive cash payments from 
taxpayers, computer access to taxpayer account information be 
restricted to prevent them from improperly adjusting taxpayer account 
balances or changing the status of the taxpayer's liability. In 
addition, the IRM states that TAC managers are responsible for ensuring 
that the computer access rights of these employees be restricted. 
Internal control standards require key duties and responsibilities to 
be divided, or segregated, among different people to reduce the risk of 
error or fraud. This includes separating the responsibilities for 
authorizing transactions, processing and recording transactions, 
reviewing the transactions, and handling any related assets. No one 
individual should be in a position to both cause and conceal an error 
or irregularity by controlling certain key aspects of a transaction or 
event. 

Recommendation: 

We recommend that you direct appropriate IRS officials to establish a 
mechanism to monitor compliance with the existing requirement that TAC 
employees responsible for accepting taxpayer payments in cash have 
their computer system access appropriately restricted to limit their 
ability to adjust taxpayer accounts. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendation and stated that it updated the IRM 
in April 2008 to require the use of the "restrict" command code on 
computer access rights for all employees with the responsibility for 
collecting cash. IRS indicated that the Form 809 annual reconciliation 
will now include a reminder to group managers of the requirement to use 
restrict command codes. IRS also stated that it will direct areas and 
territories to review command code restrictions during ongoing 
operational reviews, and it will look for ways to systemically monitor 
compliance. We will verify the changes to IRS guidance during our audit 
of IRS's fiscal year 2008 financial statements and evaluate the 
effectiveness of IRS's efforts during future audits. 

Duress Alarm First Responders: 

During our fiscal year 2007 financial audit, we found that the persons 
IRS designated as the first person contacted by the central monitoring 
station (first responder) in the event a duress alarm sounds were not 
always appropriately qualified nor were they geographically located in 
sufficiently close proximity to the facility to enable them to provide 
a timely and effective response. IRS uses duress alarms to notify 
security personnel of situations that are potentially dangerous to its 
employees and to help protect its facilities, property, and taxpayer 
information and receipts. In about 97 percent of all TACs, the duress 
alarms are linked to a central monitoring station that is responsible 
for notifying a designated official or officials when an alarm is set 
off. We found that for one large metropolitan area, IRS had designated 
a physical security analyst to be contacted as the first responder by 
the central monitoring station for five of the TACs we visited. 
However, IRS officials informed us that physical security analysts are 
not qualified to act as first responders to duress alarm incidents 
because such alarms may indicate an event that the analyst is not 
trained to deal with, such as a crime in progress. In addition, we 
found that at any given time, this specific physical security analyst 
could be as far as 100 miles away from one of the five TACs. Depending 
on where the analyst happened to be at the time an alarm sounded, this 
could preclude a timely response. Also, the effectiveness of the 
central monitoring stations in facilitating timely and effective 
response to such emergencies can be diminished over time due to changes 
in the status or contact information of the individuals who are 
designated as first responders, or due to ongoing changes in IRS's 
policies and procedures that might alter their responsibilities and 
thereby require additional training or otherwise affect which 
individuals are qualified to fulfill these responsibilities. However, 
we found that IRS did not routinely monitor the first responder 
designations provided to central monitoring stations to verify that on 
an ongoing basis, they were current, accurate and included only 
qualified personnel. 

Internal control standards require physical controls to limit access to 
vulnerable assets and require that access to resources and records, 
such as IRS receipts and taxpayer information, be limited to authorized 
individuals to reduce the risk of unauthorized use or loss to the 
government. IRS's IRM establishes security requirements intended to 
minimize the potential for loss of life and property, the disruption of 
services and functions, and the unauthorized disclosure of documents 
and information. However, the IRM does not establish requirements 
governing the qualifications or geographical proximity of individuals 
designated as first responders to duress alarms installed at IRS 
facilities, nor does it require that IRS peridocially review these 
elements to enforce adherence to such requirements over time. The 
effectiveness of security procedures, such as responding to a duress 
alarm, is impaired if the first responders are not appropriately 
qualified and properly positioned to handle emergency situations in an 
effective and timely manner. This increases the risk that IRS will not 
appropriately respond in an emergency situation to protect its 
employees and facilities, and to safeguard taxpayer receipts and 
information. 

Recommendations: 

We recommend that you direct appropriate IRS officials to do the 
following: 

* Establish procedures requiring periodic verification that all 
individuals designated as first responders to TAC duress alarms are 
appropriately qualified and geographically located to respond to the 
potentially dangerous situations in an effective and timely manner. 

* Modify the IRM to specify qualifications and geographical proximity 
requirements for individuals designated as first responders to duress 
alarms at IRS facilities, and to require that the responsibilities and 
qualifications of all designated first responders be periodically 
reviewed to verify that over time, they continue to be qualified and 
appropriately located, and to make any necessary adjustments. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning the qualifications and 
proximity of designated first responders to TAC duress alarms. IRS 
stated that by August 31, 2008, it would reissue guidance on the 
requirement that first responders be armed officials, such as on-site 
contract guards, Federal Protective Service Police, or local police, 
and that it is revising the IRM to include this requirement. IRS 
indicated that it will monitor that Territory Managers are periodically 
verifying the accuracy of the call listing for first responders 
provided to the Security Console/Mega Center by requiring that managers 
put the date of verification on the monthly TAC Duress Alarm Report. We 
will verify the changes to IRS guidance during our audit of IRS's 
fiscal year 2008 financial statements and evaluate the effectiveness of 
IRS's efforts during future audits. 

Contractor Access to Taxpayer Assistance Centers and Field Offices: 

During our fiscal year 2007 financial audit, we found that IRS's 
physical security controls at several TACs and IRS field office units 
we visited were not adequate to prevent unauthorized individuals from 
accessing areas that contained taxpayer receipts and information. This 
occurred at locations where contractors were working under General 
Services Administration-negotiated (GSA) cleaning service contracts and 
had unescorted access to IRS space during nonoperating hours.[Footnote 
22] We found that IRS does not have evidence demonstrating completion 
of favorable background investigations for contractors performing work 
at IRS facilities under GSA-negotiated contracts. 

Specifically, during our fiscal year 2007 financial audit, we found the 
following: 

* At 6 of 10 TACs we visited, IRS was unable to provide evidence 
documenting that contractors performing janitorial services in IRS 
space during nonoperating hours received favorable background 
investigation results prior to being allowed access. In addition, at 
one of the TACs we visited, we observed a janitor disarm and then reset 
the security system to the IRS space. 

* At three field offices we visited, IRS was unable to provide evidence 
documenting that janitorial contractors, who had unescorted access to 
IRS-controlled space, received favorable background investigation 
results prior to being given access. 

Internal control standards require that agencies establish physical 
control to secure and safeguard vulnerable assets, including providing 
security for, and limiting access to, assets that might be vulnerable 
to unauthorized use, such as taxpayer receipts and related confidential 
information. 

On August 27, 2004, the President signed Homeland Security Presidential 
Directive 12, Policy for a Common Identification Standard for Federal 
Employees and Contractors, which requires federal agencies to conduct 
background investigations on contractors who require routine access to 
federally controlled facilities. Under this directive, background 
investigations were to be completed on all applicable contractors, 
including those covered under GSA-negotiated contracts, by October 27, 
2007. 

IRS's policies prohibit individuals without favorable background 
investigations from entering IRS space without an IRS escort. According 
to the IRM, all contractor employees associated with IRS-administered 
contracts whose duration of employment equals or exceeds 30 days must 
undergo, at a minimum, limited criminal history background checks as a 
condition of employment under the government contract. When a 
contractor's access is to be limited to less than 30 days total or 
access is infrequent, a background investigation is not required but he 
or she is to be escorted while in the IRS space. In addition, IRS 
issued a memorandum in August 2006 establishing a requirement for new 
and replacement leases and cleaning contracts negotiated by GSA. Under 
this requirement, new and replacement leases and new cleaning contracts 
for all IRS office space provide for janitorial services during normal 
business hours. Under this 2006 requirement, individuals responsible 
for review and clearance of the request for space will be expected to 
include this new provision in these leases and contracts. While 
requiring cleaning only during operating hours may reduce the risks 
associated with permitting cleaning staff to enter a controlled area 
after nonoperating hours, it will not address the risk of unauthorized 
access during operating hours. In addition, this policy will take time 
to implement due to the large number of existing leases and contracts 
that the IRS currently has in place that will need to be modified. 

While the IRM requires that background investigations be completed and 
adequate documentation maintained for all contractors performing work 
at IRS facilities under IRS-administered contracts, it does not contain 
comparable requirements for contractors working at IRS facilities under 
contracts negotiated by GSA. Until IRS obtains evidence that favorable 
background investigations have been completed for contractors working 
at IRS facilities under non-IRS contracts, IRS will continue to lack 
assurance that contractor personnel with unescorted access to its 
facilities had the required background investigations completed before 
being allowed access. 

Recommendation: 

We recommend that you direct appropriate IRS officials to establish 
procedures to require documentation demonstrating that favorable 
background checks have been completed for all contractors prior to 
allowing them access to TAC and other field offices. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendation and stated that it expects to have 
agreement with GSA on established procedures for performing background 
investigations on GSA contractors by October 31, 2009. IRS also stated 
that it will use compensating controls outlined in the IRM to safeguard 
valuable assets, such as financial instruments and taxpayer and other 
sensitive data, from GSA contractors until background check 
requirements are implemented. We will evaluate the effectiveness of 
IRS's efforts after they are fully implemented during future audits. 

Off-site Contractor Access to Sensitive Information: 

During our fiscal year 2007 financial audit, we found that IRS did not 
have evidence that background investigations were being performed on 
shredding contractor personnel before they began work at the 
contractor's off-site facilities where sensitive IRS information was 
being shredded. IRS contracts with vendors to perform shredding of 
federal taxpayer information and other sensitive materials at many of 
its facilities, including Service Center Campuses, Computing Centers, 
TACs, and field offices. At these facilities, materials to be shredded 
are picked up by the contractor and taken to the contractor's off-site 
shredding facility for destruction. The materials being entrusted to 
these contractors for purposes of being shredded routinely include 
taxpayer and other sensitive information. We also found that IRS did 
not perform periodic unannounced inspections of contractor off-site 
shredding facilities where sensitive information was sent for disposal 
to ensure that sensitive IRS information was being properly 
safeguarded. 

Specifically, during our audit, we found the following: 

* Of the 16 shredding services contracts we reviewed: (1) 11 contracts, 
covering 14 IRS facilities, did not require that off-site contractors 
undergo background investigations before being granted access to 
sensitive IRS information, including federal taxpayer information, and 
(2) 10 contracts, covering 13 IRS facilities, did not require routine 
IRS inspections of off-site shredding contractor facilities. 

* At 10 IRS facilities we visited (one service center campus, six TACs, 
and three field office units), IRS officials were unable to provide 
evidence indicating that off-site shredding contractors had undergone 
background investigations prior to being granted access to sensitive 
IRS information. 

* At two of the five service center campuses we visited, IRS officials 
were unable to provide evidence that inspections of the off-site 
shredding facilities were performed. 

The IRM requires that when the work is performed outside an IRS 
facility, contractor employees may not have access to IRS sensitive 
information or data unless IRS has received favorable background 
investigation results. However, as noted above, IRS's contracts with 
vendors providing IRS with off-site shredding services did not always 
require background checks or make provisions for periodic inspections 
by IRS. In addition, we found that the IRM does not require that IRS 
perform periodic unannounced inspections of off-site shredding 
contractor facilities to ensure that contractors continue to 
appropriately safeguard sensitive IRS information on an ongoing basis. 

Internal control standards require that agencies establish physical 
controls to secure and safeguard vulnerable assets, which includes 
taxpayer information. The standards also state that internal controls 
should be designed to assure that ongoing monitoring occurs in the 
course of normal operations. By not requiring background investigations 
for off-site shredding contractors and not continually monitoring 
adherence to related safeguard requirements by performing periodic 
unannounced inspections of off-site contractor facilities, IRS 
increases the risk of allowing unauthorized access to sensitive IRS 
information, including federal taxpayer information. 

Since IRS did not always enforce its requirement that background checks 
be performed on contractor employees at off-site shredding locations 
nor conduct periodic unannounced inspections of these facilities, IRS 
lacked assurance that the sensitive information being entrusted to 
these contractors was being properly safeguarded. 

Recommendations: 

We recommend that you direct appropriate IRS officials to do the 
following: 

* Require including, in all shredding service contracts, provisions 
requiring (1) completed background investigations for contractor 
employees before they are granted access to sensitive IRS information, 
and (2) periodic, unannounced inspections at off-site shredding 
facilities by IRS to verify ongoing compliance with IRS safeguards and 
security requirements. 

* Revise the IRM to include a requirement that IRS conduct periodic, 
unannounced inspections at off-site contractor facilities entrusted 
with sensitive IRS information, document the results, including 
identification of any security issues, and verify that the contractor 
has taken appropriate corrective actions on any security issues 
observed. 

* Establish procedures to require obtaining and reviewing documentation 
of completed background investigations for all shredding contractors 
before granting them access to taxpayer or other sensitive IRS 
information. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning off-site contractor 
access to sensitive information. IRS stated that it is developing a 
statement of work for a National Shred/Burn Contract that will result 
in standard security procedures for the handling of sensitive 
information and will require specialized background investigations for 
employees who handle these materials before granting them access to IRS 
information. IRS also stated that these contracts will include 
provisions requiring periodic, random, and unannounced inspections of 
contractor facilities in line with the IRM, which requires contract 
provisions to allow IRS inspections in order to ensure the safeguarding 
of IRS information. IRS stated that it expects to implement the 
National Contract by October 31, 2008. Because IRS's planned actions in 
this area will not be completed until near the end of our fiscal year 
2008 audit, we will evaluate the effectiveness of IRS's efforts during 
future audits. 

Juvenile Hiring Practices: 

During our fiscal year 2007 financial audit, we found that IRS 
employment office staff had not fully implemented new policies and 
procedures recently formulated to address related issues we identified 
during our audit of IRS's fiscal year 2005 financial statements. 
Specifically, during our fiscal year 2005 IRS financial audit, we found 
that for juvenile employee candidates, IRS (1) only required references 
for those individuals hired to work in receipt-processing functions, 
although taxpayer receipts and information are also accessible in other 
functions, and (2) accepted written references that were hand-delivered 
to IRS by the candidates themselves without independently verifying 
their source.[Footnote 23] This condition increased the risk of 
unsuitable candidates being hired and permitted access to taxpayer 
receipts and information. In response to recommendations we made to 
address these issues, IRS issued a new Human Capital policy in August 
2006 requiring employment office staff to utilize a revised Form 13094, 
Recommendation for Juvenile Employment with the Internal Revenue 
Service. The revised form required prospective juvenile employees to 
provide a character reference and detail the relationship and number of 
years the juvenile has known the reference. The new policy also 
required that employment office staff make direct contact with 
character references provided by juveniles on the Form 13094 to verify 
that information. However, as noted above, IRS did not fully implement 
these new policies in fiscal year 2007. 

Specifically, we found that of the 142 juveniles IRS hired from October 
2006 through April 2007: 

* 118 were hired without the use of the newly revised Form 13094, and: 

* 140 were hired without IRS contacting and verifying character 
references provided by the potential juvenile hires. 

IRS attributed these issues to its employment office staff's lack of 
awareness of recent revisions to its juvenile hiring policies. 

Internal control standards require that agencies establish controls to 
safeguard vulnerable assets, including limiting access to these assets 
to only authorized persons. By not fully implementing its revised 
juvenile hiring policies, IRS increases the risk that juveniles with 
unacceptable backgrounds could be hired, thus increasing the risk of 
theft of taxpayer receipts and unauthorized access to taxpayer receipts 
and information. 

Recommendations: 

We recommend that you direct the appropriate IRS officials to reinforce 
existing policies requiring IRS personnel to do the following: 

* Use the revised Form 13094 when hiring juveniles. 

* Verify the information on Form 13094 by contacting the reference 
directly and documenting the details of this contact. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning reinforcing existing 
policies related to hiring juveniles. IRS stated that its Human Capital 
Office (HCO) issued notices in July and September 2007 to each 
Employment Branch Chief emphasizing the requirement to use the revised 
Form 13094 and to follow up on juvenile hiring recommendations. IRS 
also stated that it revised the form 13094 in December 2007 to include 
a signature and date block to document the verification process. IRS 
indicated that it reemphasized these policies during a recent 
Continuing Professional Education meeting and will monitor policy 
compliance as a part of the HCO's accountability program reviews. We 
will evaluate the effectiveness of IRS's efforts in this area during 
our audit of IRS's fiscal year 2008 financial statements. 

Review of Tax Exempt/Government Entity User Fee Deposit Processing: 

During our fiscal year 2007 financial audit, we found that IRS lacked 
evidence of supervisory reviews of key functions in its processing of 
Tax Exempt/Government Entity (TE/GE) user fees it collected from 
employee pension plans and other organizations for making rulings and 
determinations about their tax exempt status. IRS's Receipt and Control 
Operations Unit (RCO), at the Cincinnati Service Center Campus, records 
TE/GE user fee information in the Letter Information Network User Fee 
System (LINUS), a database established for tracking such fees collected 
from tax exempt entities. Using the fee code, LINUS automatically 
calculates the amount of user fees to be allocated to the Treasury 
General Fund and the amount to be retained by the IRS.[Footnote 24] 

We tested a statistical sample of 14 TE/GE user fee transactions IRS 
recorded in LINUS from October 1, 2006, through June 30, 2007, to 
determine whether IRS adequately supported, properly classified, and 
recorded the TE/GE user fees in its accounting systems.[Footnote 25] 
While conducting the substantive testing, we found several cases that 
did not include evidence of required supervisory review and approval by 
the RCO Unit Manager or Lead Technician of various key documents used 
in the TE/GE user fee receipt and deposit process. Specifically, of the 
14 user fee transactions we reviewed, we found: 

* 11 transactions in which there was no evidence of supervisory review 
on the encoding tapes, which list the checks received and grouped for 
processing by sequence number; 

* 8 transactions in which there was no evidence of supervisory review 
on the Recapitulation of Remittances, which is a concise summary of 
TE/GE user fees IRS processed for deposit on a particular day at a 
specific IRS location; and; 

* 7 transactions in which there was no evidence of supervisory review 
on the deposit ticket, which in some cases contained manual adjustments 
to computer-generated amounts. 

The IRM requires the Unit Manager or Lead Technician to conduct 
supervisory reviews of the TE/GE deposit encoding tapes, Recapitulation 
of Remittances, and deposit tickets, and sign or initial the documents 
as evidence of their reviews. However, IRS staff did not adhere to its 
policy requiring signatures on deposit documentation. In addition, 
internal control standards require internal control activities to help 
ensure that management's directives are carried out and that all 
transactions are completely and accurately recorded. Control activities 
include the proper execution and accurate recording of transactions and 
events and reviews by management at the functional and activity level. 
Internal control should assure that monitoring, which includes regular 
management and supervisory activities, comparisons, reconciliations, 
and other actions people take in performing their duties, occurs in the 
course of normal operations. 

By not conducting and documenting supervisory reviews of TE/GE user fee 
collection and deposit activities, IRS faces increased risk that it may 
not detect errors in the processing of TE/GE user fee receipts or that 
it may incur losses from unrecorded and improperly recorded receipts. 

Recommendation: 

We recommend that you issue a memorandum to RCO Unit staff reiterating 
existing requirements for (1) supervisory reviews of the processing of 
TE/GE user fee deposits, and (2) key documentation to be signed and 
dated by the supervisor as evidence of that review. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendation and stated it issued a memorandum in 
April 2008 to appropriate managers reiterating the requirement to 
follow IRM procedures for supervisory review of key TE/GE documents and 
to sign and initial these documents as evidence of their review. We 
will evaluate the effectiveness of IRS's efforts in this area during 
our audit of IRS's fiscal year 2008 financial statements. 

Controls over Purchase Card Processing: 

During our fiscal year 2007 financial audit, we found that IRS lacked 
key internal controls over the processing of its purchase card 
transactions to prevent or detect erroneous, improper, or fraudulent 
purchases. IRS's business units use purchase cards primarily to make 
micropurchases. For micropurchases, IRS established a per transaction 
limit of $2,000 for construction transactions, $2,500 for services, and 
$3,000 for goods or supplies.[Footnote 26] 

As part of our fiscal year 2007 financial audit, we statistically 
sampled 49 purchase and travel card transactions processed between 
October 9, 2006, and May 8, 2007.[Footnote 27] In testing these 
transactions, we identified internal control weaknesses related to the 
lack of (1) evidence of supervisory reviews, (2) fund control, and (3) 
key documentation for purchase card transactions. Based on the results 
of our work, we estimate that 92.9 percent of total purchase and travel 
card transactions processed between October 9, 2006 and May 8, 2007 had 
control weaknesses and we are 95 percent confident that the actual 
percent is not more than 98.0 percent. This estimate exceeds the 
tolerable percentage in error of 5 percent. 

Specifically, of the 49 sampled transactions we reviewed, we found the 
following: 

* Thirty-five transactions in which the purchase card approving 
officials did not sign and date the monthly reports provided by the 
credit card company attesting to their review of the purchase card 
accounts' activity under their authority. On the basis of this work, we 
estimate that 79.6 percent of total purchase card transactions were not 
signed and dated by an approving official, and we are 95 percent 
confident that the actual percentage of purchase card transactions that 
are not signed and dated by an approving official is not more than 88.9 
percent. 

* One transaction in which the purchase cardholder did not obtain 
funding approval or verify that funds were available for the specific 
unit before making purchases. On the basis of this work, we estimate 
that 2.3 percent of total purchase card transactions did not have 
funding approval, and we are 95 percent confident that the actual 
percentage of purchase card transactions that did not have funding 
approval is not more than 10.3 percent. 

* Twenty transactions in which the purchase cardholders did not 
properly document their purchase card monthly statement reconciliations 
to supporting documents or sign and date them when completed. On the 
basis of this work, we estimate that 45.5 percent of the total purchase 
card monthly statement reconciliations were not signed and dated, and 
we are 95 percent confident that the actual percentage of purchase card 
monthly statement reconciliations that were not signed and dated is not 
more than 58.9 percent. 

* One transaction in which the purchase cardholder and purchase card 
approving official failed to retain their reconciliation documents for 
a reasonable period of time, such as 3 years. Based on this work, we 
estimate that for 2.3 percent of total purchase card transactions, the 
cardholders and approving officials did not retain their reconciliation 
documentation for a reasonable period of time, and we are 95 percent 
confident that the actual percentage of purchase card transactions for 
which the cardholders and approving officials did not retain their 
reconciliation documentation is not more than 10.3 percent. 

Internal control standards require transactions to be authorized and 
executed only by persons acting within their scope and authority. This 
is defined as the principal means of assuring that only valid 
transactions to exchange, transfer, use, or commit resources and other 
events occur. The standards further state that internal control should 
assure that ongoing monitoring occurs in the course of normal 
operations. Monitoring includes regular management and supervisory 
activities, comparisons, and reconciliations. Finally, the standards 
require that internal control and all transactions and other 
significant events be clearly documented, and that documentation be 
readily available for examination. 

Although IRS issued guidelines to govern the use of purchase cards, we 
found that the guidelines did not provide the detailed documented 
procedures needed to minimize the occurrence of the control weaknesses 
that we identified. By not requiring the proper documentation and 
implementation of appropriate controls over the processing of purchase 
card transactions, IRS's risk is increased that it may not detect 
erroneous, improper, or fraudulent purchase card transactions and 
uncontrolled or unintended use of agency funds. 

Recommendations: 

We recommend that you direct appropriate IRS officials to modify 
existing guidelines to require documentation and implementation of 
detailed internal control procedures for IRS's purchase card program. 
Specifically, existing guidelines should be modified to provide for 
detailed internal control procedures requiring that: 

* purchase card approving officials and purchase cardholders sign and 
date monthly account statements attesting to their review and 
completion of the required reconciliation process, 

* purchase cardholders obtain funding approval or verify that funds are 
available for the intended purpose prior to making a purchase, 

* purchase card approving officials update and maintain appropriate 
supporting documentation, and: 

* purchase cardholders and purchase card approving officials retain 
copies of all supporting documents for a reasonable period of time, 
such as 3 years. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning detailed internal 
control procedures over its purchase card program. IRS stated that in 
October 2007, it implemented its electronic Purchase Card Module, which 
allows cardholders and approving officials to electronically reconcile 
and approve purchase card transactions and maintains evidence of their 
signatures, approvals, and dates of action. IRS also stated it issued 
guidance in July 2007 requiring verification of funds availability 
before purchases are made by cardholders and approved by managers. This 
guidance was incorporated in the IRM and purchase card training 
courses. IRS added that its Requisition Tracking System must show 
available funds in order to create a commitment for any purchase. 
Furthermore, IRS indicated that it modified its purchase card 
documentation guidelines in October 2007. Under this modified guidance, 
electronic records of purchase card activities and paper documents, 
such as packing slips and receipts, will be retained by IRS for 3 
years. We will evaluate the effectiveness of IRS's efforts in this area 
during our audit of IRS's fiscal year 2008 financial statements. 

Recording of Property and Equipment: 

During our fiscal year 2007 financial audit, we found that IRS did not 
always record new assets in its property and equipment inventory system 
within required time frames. IRS policy requires that new assets be 
recorded in its inventory system within 10 days after receipt. In 
addition, internal control standards require agencies to implement 
internal control procedures to ensure the accurate and timely recording 
of transactions and events. The standards further state that 
transactions should be promptly recorded to maintain their relevance 
and value to management in controlling operations and making decisions. 

As part of our fiscal year 2007 audit, we selected 168 transactions of 
new assets IRS paid for between October 1, 2006, and May 31, 2007, on a 
nonstatistical basis and tested whether IRS recorded the assets in its 
inventory records. For each of the selected items, we obtained 
identifying information from the purchase documents such as requisition 
numbers, receipt dates, descriptions, order numbers, and serial numbers 
from invoices and traced the asset to IRS's property and equipment 
inventory records. In performing this test, we found four instances in 
which the recently acquired asset was not recorded in IRS's inventory 
system as of July 12, 2007. These assets had receipt and acceptance 
dates ranging from August 31, 2006, to February 27, 2007, which well 
exceeded the 10 days required by IRS for recording new assets into its 
inventory system.[Footnote 28] 

Property records that are incomplete or out of date impede management's 
ability to make sound operating decisions and control operations. 
Furthermore, these control weaknesses impede IRS's ability to timely 
detect the loss, theft, or misuse of government property. 

Recommendation: 

We recommend that you direct appropriate IRS officials to issue a 
memorandum addressed to all personnel responsible for updating 
inventory records that reiterates IRS existing policy requiring that 
new assets be inputted into the inventory system within 10 days after 
receipt. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendation and stated it will issue a 
memorandum by October 31, 2008, to all personnel responsible for 
updating the inventory records reiterating the IRS policy to record 
accountability data related to new assets into the inventory system 
within 10 days after receipt. We will review the memorandum to be 
issued during our audit of IRS's fiscal year 2008 financial statements 
and evaluate the effectiveness of IRS's efforts during future audits. 

Employee Travel Authorization: 

During our fiscal year 2007 financial audit, we found that IRS lacked 
controls to ensure that all employee travel was authorized before 
employees were allowed to travel. In conducting detailed testing of 
nonpayroll expense transactions that occurred from October 1, 2006 to 
May 31, 2007, we tested 14 employee travel transactions. In 5 of the 14 
travel transactions, we found that an IRS approving official had not 
approved the employee's travel authorization prior to the beginning of 
the travel period.[Footnote 29] As a result, IRS lacked assurance that 
these travel costs were necessary to accomplish the mission in the most 
economic and effective manner and that they were in compliance with 
IRS's travel policies. 

In accordance with IRS's Official Travel Guide as reflected in the IRM, 
travel authorizations must be approved before travel commences. 
Furthermore, internal control standards require that transactions and 
other significant events be authorized and executed only by persons 
acting within the scope of their authority. According to the standards, 
this is the principal means of assuring that only valid transactions to 
exchange, transfer, use, or commit resources and other events occur. 

In the five cases cited above, IRS did not follow its documented travel 
procedures or the federal internal control standards and, as a result, 
was at risk of being unable to ensure that the costs incurred for 
employee travel were valid or necessary. 

Recommendation: 

We recommend that you direct the appropriate IRS officials to issue a 
memorandum to employees that reiterates IRS policy requiring all 
employees to obtain appropriate approval of travel authorizations prior 
to the initiation of their travel. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendation and stated it has already issued 
periodic notices to employees in 2007 and 2008 that reiterated the 
policy to obtain approval of travel authorizations before initiation of 
travel. IRS also stated that from May through July 2008, it will 
implement an integrated travel system that will prevent employees from 
completing reservations in its online booking tool without an approved 
travel authorization. We will evaluate the effectiveness of IRS's 
efforts in this area during our audit of IRS's fiscal year 2008 
financial statements. 

This report contains recommendations to you. The head of a federal 
agency is required by 31 U.S.C. ï¿½ 720 to submit a written statement on 
actions taken on these recommendations. You should submit your 
statement to the Senate Committee on Homeland Security and Governmental 
Affairs and the House Committee on Oversight and Government Reform 
within 60 days of the date of this report. A written statement must 
also be sent to the House and Senate Committees on Appropriations with 
the agency's first request for appropriations made more than 60 days 
after the date of the report. Furthermore, to assure GAO has accurate, 
up-to-date information on the status of your agency's actions on our 
recommendations, we request that you also provide us with a copy of 
your agency's statement of actions taken on open recommendations. 
Please send your statement of action to me or Ted Hu, Assistant 
Director, at [email protected]. 

This report is intended for use by the management of IRS. We are 
sending copies to the Chairmen and Ranking Members of the Senate 
Committee on Appropriations; Senate Committee on Finance; Senate 
Committee on Homeland Security and Governmental Affairs; and 
Subcommittee on Taxation and IRS Oversight, Senate Committee on 
Finance. We are also sending copies to the Chairmen and Ranking Members 
of the House Committee on Appropriations and House Committee on Ways 
and Means, the Chairman and Vice-Chairman of the Joint Committee on 
Taxation, the Secretary of the Treasury, the Director of OMB, the 
Chairman of the IRS Oversight Board, and other interested parties. The 
report is available at no charge on GAO's Web site at [hyperlink, 
http://www.gao.gov]. 

We acknowledge and appreciate the cooperation and assistance provided 
by IRS officials and staff during our audits of IRS's fiscal years 2007 
and 2006 financial statements. Please contact me at (202) 512-3406 or 
[email protected] if you or your staff have any questions concerning 
this report. Contact points for our Offices of Congressional Relations 
and Public Affairs may be found on the last page of this report. GAO 
staff who made major contributions to this report are listed in 
enclosure III. 

Sincerely yours, 

Signed by: 

Steven J. Sebastian:
Director:
Financial Management and Assurance: 

Enclosures - 3: 

Enclosure I: 

Details on Audit Methodology: 

To fulfill our responsibilities as the auditor of the Internal Revenue 
Service's (IRS) financial statements, we did the following: 

* We examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements. This included selecting 
statistical samples of unpaid assessment, revenue, refund, accrued 
expenses, payroll, nonpayroll, property and equipment, accounts 
payable, and undelivered order transactions. These statistical samples 
were selected primarily to substantiate balances and activities 
reported in IRS's financial statements. Consequently, dollar errors or 
amounts can and have been statistically projected to the population of 
transactions from which they were selected. In testing some of these 
samples, certain attributes were identified that indicated deficiencies 
in the design or operation of internal control. These attributes, where 
applicable, can be and have been statistically projected to the 
appropriate populations. 

* We assessed the accounting principles used and significant estimates 
made by management. 

* We evaluated the overall presentation of the financial statements. 

* We obtained an understanding of internal controls related to 
financial reporting (including safeguarding assets) and compliance with 
laws and regulations (including the execution of transactions in 
accordance with budget authority). 

* We obtained an understanding of the design of internal controls 
relating to the existence and completeness assertions related to the 
performance measures reported in IRS's Management Discussion and 
Analysis, and determined that they have been placed in operation. 

* We tested relevant internal controls over financial reporting 
(including safeguarding assets) and compliance, and evaluated the 
design and operating effectiveness of internal controls. 

* We considered IRS's process for evaluating and reporting on internal 
controls and financial management systems under 31 U.S.C. ï¿½ 3512 (c), 
(d), commonly referred to as the Federal Managers' Financial Integrity 
Act of 1982, and Office of Management and Budget Circular No. A-123, 
Management's Responsibility for Internal Control. 

* We tested compliance with selected provisions of the following laws 
and regulations: Anti-Deficiency Act, as amended (31 U.S.C. ï¿½ 
1341(a)(1) and 31 U.S.C. ï¿½ 1517(a)); Purpose Statute (31 U.S.C. ï¿½ 
1301); Release of lien or discharge of property (26 U.S.C. ï¿½ 6325); 
Interest on underpayment, nonpayment, or extensions of time for payment 
of tax (26 U.S.C. ï¿½ 6601); Interest on overpayments (26 U.S.C. ï¿½ 6611); 
Determination of rate of interest (26 U.S.C. ï¿½ 6621); Failure to file 
tax return or to pay tax (26 U.S.C. ï¿½ 6651); Failure by individual to 
pay estimated income tax (26 U.S.C. ï¿½ 6654); Failure by corporation to 
pay estimated income tax (26 U.S.C. ï¿½ 6655); Prompt Payment Act (31 
U.S.C. ï¿½ 3902(a), (b), and (f) and 31 U.S.C. ï¿½ 3904); Pay and Allowance 
System for Civilian Employees (5 U.S.C. ï¿½ï¿½ 5332 and 5343, and 29 U.S.C. 
ï¿½ 206); Federal Employees' Retirement System Act of 1986, as amended (5 
U.S.C. ï¿½ï¿½ 8422, 8423, and 8432); Social Security Act, as amended (26 
U.S.C. ï¿½ï¿½ 3101 and 3121 and 42 U.S.C. ï¿½ 430); Federal Employees Health 
Benefits Act of 1959, as amended (5 U.S.C. ï¿½ï¿½ 8905, 8906, and 8909); 
Department of the Treasury Appropriations Act, 2006, Pub. L. No. 109- 
115, div. A, tit. II, 119 Stat. 2396, 2432 (Nov. 30, 2005); and Revised 
Continuing Appropriations Resolution, 2007, Pub. L. No. 110-5, 121 
Stat. 8 (Feb. 15, 2007). 

* We tested whether IRS's financial management systems substantially 
comply with the three requirements of the Federal Financial Management 
Improvement Act of 1996. Pub. L. No. 104-208, div. A, ï¿½ 101(f), title 
VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996). 

Enclosure II: 

Comments from the Internal Revenue Service: 

Department Of The Treasury: 
Internal Revenue Service: 
Washington, D.C. 20224: 

May 16, 2008: 

Mr. Steven J. Sebastian: 
Director: 
Financial Management and Assurance: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, D.C. 20548: 

Dear Mr. Sebastian: 

I am writing in response to the Government Accountability Office (GAO) 
draft of the Fiscal Year (FY) 2007 Management Report titled, 
Improvements Needed in IRS's Internal Controls (GAO-08-386R). As GAO 
noted in the report titled, Financial Audit: IRS's Fiscal Years 2007 
and 2006 Financial Statements, we continue to make progress in 
addressing our financial management challenges and have substantially 
mitigated weaknesses in our internal controls. 

In FY 2007, we separately reported estimated receipts of Social 
Security and Medicare taxes in our other accompanying information to 
the financial statements and significantly accelerated the 
certification of excise tax receipts to the recipient trust funds. 
These improvements enabled you to conclude that these matters no longer 
constitute internal control deficiencies. We also enhanced the 
capabilities of the Custodial Detail Database (CDDB) to begin 
journalizing tax debt information from our master file systems to our 
general ledger weekly. These improvements enabled you to conclude that 
this was the first step in establishing CDDB's capability to serve as a 
subsidiary ledger for unpaid tax debt. We believe our work this year in 
implementing corrective actions will further improve our financial 
management. I have enclosed a response which addresses all of your 
recommendations separately. 

We are committed to implementing appropriate improvements to ensure 
that the IRS maintains sound financial management practices. If you 
have any questions, please contact Alison Doone, Chief Financial 
Officer, at (202) 622-6400. 

Sincerely, 

Signed by: 
Douglas H. Shulman: 

Enclosure: 

GAO Recommendations and IRS Responses to GAO FY 2007 Management Report
Improvements Needed in IRS Internal Controls (GAO-08-386R): 

Recommendation: Verify that when it becomes fully operational, 
Custodial Detail Database (CDDB), when used in conjunction with Interim 
Revenue Control System (IRACS), will provide the Internal Revenue 
Service (IRS) with the direct transaction traceability for all of its 
tax related transactions as required by the Standard General Ledger 
(SGL) and Federal Financial Management Systems Requirement (FFMSR), and 
thus Federal Financial Managers Integrity Act (FFMIA). 

Comments: We agree with this recommendation. The Revenue Financial 
Management Unit will verify that the summary tax revenue, tax refunds, 
and unpaid assessments recorded in IRACS are traceable to the direct 
transactions in CDDB when CDDB is fully implemented by September 30, 
2009. As part of the FY 2008 financial statement audit, the IRS is 
providing GAO the information posted in CDDB to show that tax revenue 
is traceable through use of the Trace ID number and that tax refunds 
are traceable using the refund schedule number. The IRS also provided 
GAO the high-level requirements to incorporate the SGL into Redesign 
Revenue Accounting Control System (RRACS) Release 1 scheduled for 
Fiscal Year (FY) 2010 implementation. 

Recommendation: Document and implement the specific procedures to be 
performed by the statistician in each step of the unpaid assessments 
estimation process. 

Comments: We agree with this recommendation. The Revenue Financial 
Management Unit will document the procedures the statistician performs 
in each step of the unpaid assessments estimation process by June 30, 
2008. 

Recommendation: Document and implement specific detailed procedures for 
reviewers to follow in their review of unpaid assessments statistical 
estimates. Specifically, IRS should require that a detailed supervisory 
review be performed to ensure: (1) the statistical validity of the 
sampling plans, (2) data entered into the sample selection programs 
agree with the sampling plans, (3) data entered into the statistical 
projection programs agree with the IRS sample review results, (4) data 
on the spreadsheets used to compile the interim projections and roll-
forward results trace back to supporting statistical projection 
results, and (5) the calculations on these spreadsheets are 
mathematically correct. 

Comments: We agree with this recommendation. The Revenue Financial 
Management Unit will document procedures for reviewers to follow during 
their review of the unpaid assessments statistical estimates by June 
30, 2008. 

Recommendation: Modify the Business Master File (BMF) computer program 
so that the date of the deficiency assessment is used as the effective 
date of any related accuracy penalty. 

Comments: We agree with this recommendation. The IRS plans to implement 
changes to the BMF computer program so that the date of the deficiency 
assessment is the effective date of any related accuracy penalty by 
July 31, 2009. 

Recommendation: Complete and document the review of existing programs 
in the master files that affect penalty calculations to identify any 
instances in which programs are not functioning in accordance with the 
intent of the IRM. 

Comments: We agree with this recommendation. The IRS is reviewing 
master file programs to identify any instances in which programs are 
not functioning in accordance with the IRM and plans to complete the 
review by July 31, 2008. 

Recommendation: To address other issues that may exist in the IRS 
master files that affect penalty calculations, in instances where 
programs are not functioning in accordance with the intent of the IRM, 
take appropriate action to correct the programs so that they function 
in accordance with the IRM. 

Comments: We agree with this recommendation. The IRS has initiated 
corrective actions in instances where programs were not functioning in 
accordance with the IRM. 

Recommendation: Develop and provide comprehensive guidance to assist 
Taxpayer Assistance Centers (TAG) managers to use in conducting reviews 
of outlying TACs and documenting the results. This guidance should 
include a description of the key controls that should be in place at 
outlying TACs, specify how often these key controls should be reviewed, 
and specify how the results of each review should be documented, 
including follow-up on issues identified in previous TAC reviews. 

Comments: We agree with this recommendation. The Director, Field 
Assistance established the expectation that Area Directors are 
responsible and accountable for the oversight of all TAC activities, 
including outlying posts of duty, and is updating IRM 1.4.11.6 to 
include this statement. IRM 1.4.11.6 also will include the requirement 
to maintain documentation of managerial reviews, including operational 
reviews and site visits. IRM 1.4.11.9, "Reviews/Reports/Certifications 
Template" provides a description of the key controls that should be in 
place in all TACs, including the frequency of the reviews and how to 
document the results of the reviews. Field Assistance will review the 
reports and annotate which reports are required for each TAC location 
with the necessary documentation and summarize these in IRM 1.4.11.6. 
Field Assistance will validate the reviews are complete using the 
remittance and security database and will include these directions in 
the field operational reviews at the group, area, and territory levels 
by July 31, 2008. 

Recommendation: Establish a process to periodically update and 
communicate the specific required reviews for all off-site TAC 
managers. 

Comments: We agree with this recommendation. The Director, Field 
Assistance will issue a quarterly reminder for the required reviews 
beginning in July 2008. Field Assistance will review IRM 1.4.11.9 
before the issuance of the quarterly reminders to ensure its accuracy. 
Field Assistance requires the area offices to routinely report on 
corrective actions identified during the operational review process to 
ensure completion of needed improvements. 

Recommendation: Establish a mechanism to monitor compliance with the 
existing requirement that TAC employees responsible for accepting 
taxpayer payments in cash have their computer system access 
appropriately restricted to limit their ability to adjust taxpayer 
accounts. 

Comments: We agree with this recommendation. The Director, Field 
Assistance revised the language in IRM 1.4.11.19.4.1.1 in April 2008 to 
mandate the use of the "restrict" command code in all cases. The change 
is reflected in the annual reconciliation of official receipts process, 
IRM 1.4.11.19.4.1.1, that provides for the Separation of Duties and 
Form 809, Receipt for Payment of Taxes. Group managers will continue to 
be reminded as part of the Form 809 annual reconciliation of the 
existing requirements to restrict command codes. We will direct areas 
and territories to include restricted Integrated Data Retrieval System 
(IDRS) command codes in on-going operational reviews. Field Assistance 
will explore systemic ways to monitor use of restricting command codes. 

Recommendation: Establish procedures requiring periodic verification 
that all individuals designated as first responders to TAC duress 
alarms are appropriately qualified and geographically located to 
respond to the potentially dangerous situations in an effective and 
timely manner. 

Comments: We agree with this recommendation. Agency-Wide Shared 
Services (AWSS) will reissue by August 31, 2008, guidance requiring 
that first responders to TAC duress alarms be armed officials such as 
onsite contract guards, Federal Protective Service Police, or local 
police, whoever may respond in the most expedient manner. We are 
modifying the existing monthly TAC Duress Alarm Report that the 
Territory Managers submit to the Physical Security Headquarters Office 
to show the date the managers verified that the call listing for first 
responders located at the Security Console/Mega Center is accurate. 

Recommendation: Modify the IRM to specify qualifications and 
geographical proximity requirements for individuals designated as first 
responders to duress alarms at IRS facilities, and to require that the 
responsibilities and qualifications of all designated first responders 
be periodically reviewed to verify that over time, they continue to be 
qualified and appropriately located, and to make any necessary 
adjustments. 

Comments: We agree with this recommendation. AWSS is revising IRM 
10.2.14 to include the requirement that first responders to duress 
alarms be armed officials such as onsite contract guards, Federal 
Protective Service Police, or local police. 

Recommendation: Establish procedures to require documentation 
demonstrating that favorable background checks have been completed for 
all contractors prior to allowing them access to TAC and other field 
offices. 

Comments: We agree with this recommendation. AWSS is working with the 
General Services Administration (GSA) to establish procedures for 
performing background investigations on GSA contractors/janitors and 
expects completion by October 31, 2009, contingent on full cooperation 
and support from GSA. In the interim, the controls identified in IRMs 
1.16.3, 5.1.2, 1.16.14.2, 1.16.14.5, and 1.16.15 address safeguarding 
valuable assets, including financial instruments and protection of 
taxpayer and other sensitive data. Compliance with these IRMs should 
address concerns regarding physical controls to secure and safeguard 
vulnerable assets from GSA contractors. 

Recommendation: Require including, in all shredding service contracts, 
provisions requiring (1) completed background investigations for 
contractor employees before they are granted access to sensitive IRS 
information, and (2) periodic, unannounced inspections at off-site 
shredding facilities by IRS to verify ongoing compliance with IRS 
safeguards and security requirements. 

Comments: We agree with this recommendation. AWSS is developing a 
Statement of Work (SOW) for a National Shred/Burn Contract. This will 
result in standard security procedures for the handling of shred and 
specialized background investigations for employees who will handle IRS 
materials to be shredded. Additionally, the IRS will establish 
provisions to ensure periodic, unannounced inspections of contractor 
facilities, and combine local contracts into the national contract to 
create a standardized process for overseeing thorough and timely 
background investigations and maintaining records. We expect 
implementation by October 31, 2008. 

Recommendation: Revise the IRM to include a requirement that IRS 
conduct periodic, unannounced inspections at off-site contractor 
facilities entrusted with sensitive IRS information, document the 
results, including identification of any security issues, and verify 
that the contractor has taken appropriate corrective actions on any 
security issues observed. 

Comments: We agree with this recommendation. IRM 1.16.13 Document 
Protection requires contract provisions to allow IRS inspection of the 
contractor facility and operations to ensure the safeguarding of IRS 
information. We are currently developing a National Shred/Burn Contract 
and will include provisions for off-site inspections on a periodic, 
random, and unannounced basis by October 31, 2008. 

Recommendation: Establish procedures to require obtaining and reviewing 
documentation of completed background investigations for all shredding 
contractors before granting them access to taxpayer or sensitive IRS 
information. 

Comments: We agree with this recommendation. AWSS is working on a SOW 
for a National Shred/Burn Contract that will ensure that contractor 
background investigations are completed before granting access to IRS 
information. The IRS expects to combine local contracts into the 
national contract by October 31, 2008. 

Recommendation: Reinforce existing policies requiring use of the 
revised Form 13094, Recommendation for Juvenile Employment with IRS 
when hiring juveniles. 

Comments: We agree with this recommendation. The Human Capital Office 
(HCO) issued a notice in September 2007 to each Employment Branch Chief 
emphasizing adherence and compliance with these policies and reinforced 
adherence at a recent Continuing Professional Education (CPE) meeting 
and through periodic reminders to the Employment Offices. 

Recommendation: Reinforce existing policies requiring verification of 
the information on Form 13094 by contacting the reference directly and 
document the details of this contact. 

Comments: We agree with this recommendation. In July 2007, the HCO 
issued a notice to the Employment Operations Centers reemphasizing the 
requirement to use the revised Form 13094 and to implement follow-up 
procedures on juvenile recommendations. The IRS revised Form 13094 in 
December 2007 to include a signature and date block for the Human 
Resources specialist to document completion of the verification 
process. HCO provided the form and accompanying instructions to 
employment staff in January 2008, and HCO reiterated compliance with 
this policy and mandatory use of the revised Form 13094 during a recent 
CPE with Human Resources specialists. HCO will monitor policy 
compliance as a part of its accountability program reviews. 

Recommendation: Issue a memorandum to Receipt Control Operations Unit 
staff reiterating existing requirements for supervisory reviews of the 
processing of TE/GE user fee deposits and for key documentation to be 
signed and dated by the supervisor as evidence of that review. 

Comments: We agree with this recommendation. Wage and Investment issued 
a memorandum in April 2008 to the Operations Manager, Receipt and 
Control, reiterating the requirement to follow procedures in IRM 3.45.1 
to conduct supervisory reviews of the deposit encoding tapes, the 
Recapitulation of Remittances, deposit tickets, and to sign or initial 
the documents as evidence that the reviews were completed. 

Recommendation: Modify existing guidelines to require documentation and 
implementation of detailed internal control procedures for the IRS 
purchase card program. Specifically, existing guidelines should be 
modified to provide for detailed internal control procedures requiring 
that purchase card approving officials and purchase cardholders sign 
and date monthly account statements attesting to their review and 
completion of the required reconciliation process. 

Comments: We agree with this recommendation. In October 2007, AWSS 
began using the electronic Purchase Card Module that provides the 
cardholder and approving official the ability to electronically 
reconcile and approve the transactions and provides evidence they 
signed and approved the transactions. This electronic reconciliation 
maintains separation of duties between purchaser and approver and 
produces an audit trail by maintaining history on the user login name 
and date of the action. 

Recommendation: Modify existing guidelines to require documentation and 
implementation of detailed internal control procedures for the IRS 
purchase card program. Specifically, existing guidelines should be 
modified to provide for detailed internal control procedures requiring 
that purchase cardholders obtain funding approval or verify that funds 
are available for the intended purpose prior to making a purchase. 

Comments: We agree with this recommendation. AWSS included funds 
verification requirements in guidance issued in July 2007, Purchase 
Card Holder Roles and Responsibilities, and in IRMs 1.32.4 and 1.32.6. 
Cardholders receive these requirements and guidelines, including the 
requirement to verify funds availability before making a purchase, 
during initial training and refresher training. The guidelines are also 
available in the Purchase Card Guide and on the IRS intranet. In 
addition, the requirement was included in the transition guidelines 
provided during conversion to the Purchase Card Module in October 2007. 
These controls also exist during the approval process. The business 
unit plan manager must approve all purchases, verifying both 
appropriateness of the purchase and available funds. The Requisition 
Tracking System must show available funds in order to create a 
commitment for any purchase. 

Recommendation: Modify existing guidelines to require documentation and 
implementation of detailed internal control procedures for the IRS 
purchase card program. Specifically, existing guidelines should be 
modified to provide for detailed internal control procedures requiring 
that purchase card approving officials update and maintain appropriate 
supporting documentation. 

Comments: We agree with this recommendation. AWSS modified the existing 
guidelines in October 2007 with the implementation of the Purchase Card 
Module. Documentation for purchase card activity is maintained 
electronically in the Purchase Card Module, and packing slips and 
receipts are kept by the cardholder. This documentation is available 
for review by the approving official. 

Recommendation: Modify existing guidelines to require documentation and 
implementation of detailed internal control procedures for the IRS 
purchase card program. Specifically, existing guidelines should be 
modified to provide for detailed internal control procedures requiring 
that purchase cardholders and purchase card approving officials retain 
copies of all supporting documents for a reasonable period of time, 
such as three years. 

Comments: We agree with this recommendation. AWSS modified the 
guidelines in October 2007 to require cardholders and approving 
officials to maintain documentation for three years; paper 
documentation by the cardholders and electronic archives in the 
Purchase Card Module. 

Recommendation: Issue a memorandum addressed to all personnel 
responsible for updating inventory records that reiterates its existing 
policy requiring that new assets be input into the inventory system 
within 10 days after receipt. 

Comments: We agree with this recommendation. MITS will issue a 
memorandum by October 31, 2008, to all personnel responsible for 
updating inventory records reiterating the IRS policy that new assets 
be input into the inventory system within 10 days after receipt. 

Recommendation: Issue a memorandum to employees that reiterates IRS 
policy requiring all employees to obtain appropriate approval of travel 
authorizations prior to the initiation of their travel. 

Comments: We agree with this recommendation. We issue communications to 
all employees reiterating the policy requiring employees to obtain 
approval of travel authorizations before initiation of travel through 
periodic notices on the IRS intranet with links to Travel Times. In 
Travel Times, we have issued: Travel Authorization Reminders (October 
2007 and February 2008) and Travel Authorization Reminder News from the 
business units (December 2007, February 2008, and May 2008). Further, 
the IRS is implementing GovTrip, an integrated travel system, from May 
through July 2008. GovTrip will not allow an employee to complete 
reservations in the on-line booking tool until the travel authorization 
has been approved. 

[End of section] 

Enclosure III: 

GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Steven J. Sebastian, (202) 512-3406 or [email protected]: 

Acknowledgments: 

The following individuals made major contributions to this report: Ted 
Hu, Assistant Director; Stephanie Chen; Oliver Culley; John Davis; 
Charles Fox; Margery Glover; Bradley Klingsporn; Delores Lee; Gail 
Luna; Cynthia Ma; Joshua Marcus; Charles Payton; John Sawyer; Angel 
Sharma; Peggy Smith; Christopher Spain; LaDonna Towler; Gary Wiggins; 
Danietta Williams; and Ting-Ting Wu. 

[End of section] 

Footnotes: 

[1] GAO, Financial Audit: IRS's Fiscal Years 2007 and 2006 Financial 
Statements, GAO-08-166 (Washington, D.C.: Nov. 9, 2007). 

[2] TACs are field assistance units, located within IRS's Wage and 
Investment operating division, designed to serve taxpayers who choose 
to seek help from IRS in person. Services provided include interpreting 
tax laws and regulations, preparing tax returns, resolving inquiries on 
taxpayer accounts, receiving payments, forwarding those payments to 
appropriate service center campuses for deposit and further processing, 
and performing other services designed to minimize the burden on 
taxpayers in satisfying their tax obligations. These offices are much 
smaller facilities than service center campuses or lockbox banks, with 
staffing ranging from 1 to about 35 employees. 

[3] Field offices comprise various units located within IRS's Small 
Business and Self Employed (SB/SE), Large and Mid-Size Business (LMSB), 
and Tax-Exempt and Government Entities (TE/GE) operating divisions that 
administer tax services to corporations, partnerships, small 
businesses, state and Indian tribal governments, major universities, 
community organizations, municipalities, pension funds, and individuals 
with certain types of nonsalary income. 

[4] IRS collects user fees from employee pension plans and other 
organizations for making rulings and determinations about their tax 
exempt status. 

[5] GAO, Standards for Internal Control in the Federal Government, GAO/ 
AIMD-00-21.3.1 (Washington, D.C.: November 1999) contains the internal 
control standards to be followed by executive agencies in establishing 
and maintaining systems of internal control as required by 31 U.S.C. ï¿½ 
3512 (c), (d) (commonly referred to as the Federal Managers' Financial 
Integrity Act of 1982). 

[6] GAO-08-166. 

[7] GAO-08-166. 

[8] Federal Financial Management Improvement Act of 1996, Pub. L. No. 
104-208, div. A., ï¿½ 101(f), title VIII, 110 Stat. 3009, 3009-389 (Sept. 
30, 1996). 

[9] The master files contain detailed records of taxpayer accounts. 
However, the information residing in this system is not integrated with 
nor directly traceable to related information in IRACS. 

[10] Unpaid tax assessments consist of (1) federal taxes receivable, 
which are taxes due from taxpayers for which IRS can support the 
existence of a receivable through taxpayer agreement or a favorable 
court ruling; (2) compliance assessments where neither the taxpayer nor 
the court has affirmed that the amounts are owed; and (3) write-offs, 
which represent unpaid tax assessments for which IRS does not expect 
further collections because of factors such as the taxpayer's death, 
bankruptcy, or insolvency. Of these three classifications of unpaid tax 
assessments, only net federal taxes receivable are reported on the 
principal financial statements. 

[11] GAO-08-166. 

[12] A taxpayer may have multiple account modules within IRS's master 
files under a unique taxpayer identification number (i.e., social 
security number or an employer identification number). Each unique 
account module is identified by the taxpayer identification number, 
specific tax period (e.g., year, quarter), and tax type (e.g., excise 
tax, individual tax, payroll tax, etc.) 

[13] IRS's estimation methodology requires the selection and testing of 
465 taxes receivable account modules. If IRS reselected this sample 
from the complete taxes receivable population, the number of items 
selected and tested would still have been 465. However, by choosing to 
select and test an additional sample from the omitted subpopulation, 
IRS tested the original 465 account modules plus an additional 20 
account modules. 

[14] See 26 U.S.C. ï¿½ 6651, 6654, 6655, 6662. 

[15] See IRM, ï¿½ 20.1.2, Failure to File/Failure to Pay Penalties (July 
31, 2001). 

[16] IRS's master file system consists of two major files, the 
individual master files (IMF) and business master files (BMF). 

[17] See 26 U.S.C. ï¿½ 6662 and IRS guidance in the Internal Revenue 
Manual at Section 20.1.5, Return Related Penalties (Oct. 1, 2005). 

[18] Failure-to-pay penalty is a penalty that IRS assesses against 
taxpayers when taxpayers fail to pay their outstanding tax liability by 
the return due date. The failure-to-pay penalty is calculated based on 
the amount of taxes outstanding in the taxpayer's account module, a 
penalty rate stipulated in the IRC and IRM, and the number of months 
the taxes remain unpaid. 

[19] Internal Revenue Manual, ï¿½ 20.2.6.7.1, Payment Allocation (March 
1, 2002). 

[20] GAO, Management Report: Improvements Needed in IRS's Internal 
Controls, GAO-07-689R (Washington, D.C.: May 11, 2007). 

[21] The specific situation involved taxpayers who: (1) owed 
outstanding taxes for a specific tax period, (2) failed to pay 
following repeated notification of taxes due, (3) subsequently paid off 
the outstanding taxes, and (4) were assessed additional taxes by IRS on 
the same tax period after paying off the original balance. 

[22] The GSA is responsible for contracting cleaning services at 
federal government buildings and when the IRS leases space from third 
parties. 

[23] GAO, Management Report: Improvements Needed in IRS's Internal 
Controls, GAO-06-543R (Washington, D.C.: May 12, 2006). 

[24] IRS is allowed to retain a portion of the user fees it collects, 
based on criteria established in legislation, primarily in a provision 
included in the Treasury, Postal Service and General Government 
Appropriations Act, 1995, Pub. L. No. 103-329, 108 Stat. 2382, 2388 
(Sept. 30, 1994) (reprinted in 26 U.S.C. ï¿½ 7801 note). For the user 
fees it is allowed to retain, IRS records revenue and offsetting 
collections which are credited back to the operating appropriations. 
For the user fees it is not allowed to retain, IRS records revenue and 
transfers the funds to the General Fund of the Treasury. 

[25] We selected a monetary unit sample from a population of 55,384 TE/ 
GE user fee transactions totaling $31.9 million primarily for the 
purpose of testing the accuracy of the recorded balance and projecting 
any substantive exceptions that occur to the entire population. While 
our testing included reviewing certain internal control attributes, our 
sample was not specifically designed for the purpose of projecting 
internal control exceptions. 

[26] This is consistent with the "micro-purchase threshold" in the 
Federal Acquisition Regulation. See 48 C.F.R. ï¿½ 2.101. 

[27] The sample population consisted of 155,264 purchase and travel 
card transactions totaling $29.8 million. 

[28] We selected transactions on a nonstatistical basis from IRS asset 
payments made during the first 8 months of fiscal year 2007. Therefore, 
we could and do select items that were delivered in an earlier period 
and paid in our audit year. Such items should be accrued in the period 
received but they are reversed out and recorded anew when paid. 

[29] We selected two monetary unit samples, from a population of all 
nonpayroll expense transactions, consisting of those transactions 
greater than or equal to $50,000 and those less than $50,000. The 
sample populations consisted of 740,589 nonpayroll transactions 
totaling $1,525.3 million. Because our sample was designed to test all 
nonpayroll expense transactions, not just those related to travel, we 
are unable to project the exceptions that only applied to travel 
transactions to the entire population. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: 

*** End of document. ***