Internal Revenue Service: Results of Fiscal Year 1998 Financial Statement
Audit (Testimony, 03/01/99, GAO/T-AIMD-99-103).

This report presents the results of GAO's audit of the Internal Revenue
Service's (IRS) financial statements for fiscal year 1998. GAO found
that pervasive weaknesses in the design and operation of IRS' financial
management systems, accounting procedures, documentation, recordkeeping,
and internal controls prevented IRS from reliably reporting on the
results of its administrative activities. IRS was able to reliably
report on the results of its custodial activities for fiscal year 1998,
including tax revenue received, tax refunds disbursed, and taxes
receivable due from the public. However, this achievement required
extensive, costly, and time-consuming ad hoc procedures to overcome
pervasive and long-standing internal control and systems weaknesses.
IRS' major accounting, reporting, and internal control deficiencies
include, among other things, (1) poor preventive controls over tax
refunds, which have resulted in millions of dollars in fraudulent
refunds; (2) the inability to properly safeguard or reliably report its
property and equipment; (3) vulnerabilities in computer security that
may allow unauthorized persons access to taxpayer information; and (4)
an inability to properly account for, report, and control its budgetary
resources. Such weaknesses, as they relate to IRS' administrative
activities, prevented GAO from rendering an unqualified opinion on five
of IRS' six principal financial statements. IRS acknowledges these
weaknesses and plans to address them. This testimony summarized GAO's
March 1999 report, GAO/AIMD-99-75.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-99-103
     TITLE:  Internal Revenue Service: Results of Fiscal Year 1998 
             Financial Statement Audit
      DATE:  03/01/99
   SUBJECT:  Financial statement audits
             Financial management
             Internal controls
             Reporting requirements
             Computer security
             Tax administration systems
             Auditing procedures
             Accounting procedures
             Noncompliance
             Tax refunds

             
******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO report.  Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved.  Major          **
** divisions and subdivisions of the text, such as Chapters,    **
** Sections, and Appendixes, are identified by double and       **
** single lines.  The numbers on the right end of these lines   **
** indicate the position of each of the subsections in the      **
** document outline.  These numbers do NOT correspond with the  **
** page numbers of the printed product.                         **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
** A printed copy of this report may be obtained from the GAO   **
** Document Distribution Center.  For further details, please   **
** send an e-mail message to:                                   **
**                                                              **
**                                            **
**                                                              **
** with the message 'info' in the body.                         **
******************************************************************


Cover
================================================================ COVER


Before the Subcommittee on Government Management, Information and
Technology, Committee on Government Reform, House of Representatives

For Release on Delivery
Expected at
10 a.m.
Monday,
March 1, 1999

INTERNAL REVENUE SERVICE - RESULTS
OF FISCAL YEAR 1998 FINANCIAL
STATEMENT AUDIT

Statement of Gregory D.  Kutz
Associate Director, Governmentwide Accounting and Financial
Management Issues
Accounting and Information Management Division

GAO/T-AIMD-99-103

GAO/AIMD-99-103t


(919360)


Abbreviations
=============================================================== ABBREV

  EITC -
  FFMIA -
  FFMSR -
  GPRA -
  IRS -
  P&E -
  SGL -

============================================================ Chapter 0

Mr.  Chairman and Members of the Subcommittee: 

We are pleased to be here today to discuss the results of our audit
of the Internal Revenue Service's (IRS) fiscal year 1998 financial
statements, for which we are issuing our report today.\1 IRS'
financial statements are important to the federal government because
they report on the nearly $1.8 trillion in federal tax revenues, $151
billion in tax refunds, and $26 billion in net taxes
receivable--referred to as IRS' custodial activities.  They also
report on IRS' activities associated with its fiscal year 1998
appropriations of nearly $8 billion--referred to as IRS'
administrative activities. 

The results of our fiscal year 1998 financial audit reveal that
serious internal control and financial management issues continue to
plague the agency.  Pervasive weaknesses in the design and operation
of IRS' financial management systems, accounting procedures,
documentation, recordkeeping, and internal controls, including
computer security controls, prevented IRS from reliably reporting on
the results of its administrative activities.  In contrast, IRS was
able to report reliably on the results of its custodial activities
for fiscal year 1998, including tax revenue received, tax refunds
disbursed, and taxes receivable due from the public.  This was the
second year we have been able to render an unqualified opinion with
respect to IRS' financial reporting of its custodial activities. 
This achievement, however, required extensive, costly, and
time-consuming ad hoc procedures to overcome pervasive internal
control and systems weaknesses. 

IRS' major accounting, reporting, and internal control deficiencies
include the following: 

  -- an inadequate financial reporting process that resulted in IRS'
     inability to reliably prepare several of the required principal
     financial statements and financial management systems that do
     not comply with the requirements of the Federal Financial
     Management Improvement Act (FFMIA) of 1996;

  -- the lack of a subsidiary ledger to properly manage taxes
     receivable and other unpaid assessments, resulting in instances
     of both taxpayer burden and lost revenue to the government;

  -- deficiencies in preventive controls over tax refunds that have
     permitted the disbursement of millions of dollars of fraudulent
     refunds;

  -- vulnerabilities in controls over tax receipts and taxpayer data
     that increase the government's and the taxpayers' risk of loss
     or inappropriate disclosure of sensitive taxpayer data;

  -- a failure to reconcile its fund balance to Treasury records
     during fiscal year 1998 and an inability to provide assurance
     that its budgetary resources are being properly accounted for,
     reported, and controlled;

  -- the inability to properly safeguard or reliably report its
     property and equipment; and

  -- vulnerabilities in computer security that may allow unauthorized
     individuals to access, alter, or abuse proprietary IRS programs
     and data and taxpayer information. 

Most of these issues have plagued IRS since we began auditing the
agency's financial statements in fiscal year 1992, first under the
authority of the Chief Financial Officer's Act of 1990 and later
under the authority of the Government Management Reform Act of 1994. 
Since our first audit, we have issued reports containing numerous
recommendations to assist IRS in correcting these deficiencies.  IRS
has had some success in addressing these issues, most notably in the
area of computer security, where management has taken an aggressive,
hands-on approach to fully understanding these issues and addressing
them.  In other instances, IRS has been able to compensate for some
of these deficiencies through ad hoc computer programming and
substantial manual intervention to derive reliable year-end
information on its custodial revenue collection activities.  However,
this continues to be an interim measure and does not provide the
necessary reliable information on an ongoing basis to assist in
decision-making. 

Many of these problems will take years to fully correct.  They
represent serious agencywide financial and other management
challenges that will require a substantial commitment of resources,
time, effort, and expertise to correct.  Others, while serious
issues, can be effectively addressed in the near term through a
concerted effort on the part of IRS management.  In IRS' response to
our audit, the agency has acknowledged the issues raised in our audit
and has pledged to take the corrective actions needed to resolve
these serious internal control and financial management issues. 

I would now like to summarize the major issues identified in our
fiscal year 1998 audit, several of which directly affected our
opinions on IRS' fiscal year 1998 financial statements. 


--------------------
\1 See Financial Audit:  IRS' Fiscal Year 1998 Financial Statements
(GAO/AIMD-99-75, March 1, 1999). 


   IRS' FINANCIAL REPORTING
   CONTROLS ARE INADEQUATE AND ITS
   FINANCIAL MANAGEMENT SYSTEMS DO
   NOT COMPLY WITH FFMIA
---------------------------------------------------------- Chapter 0:1

IRS does not have internal controls over its financial reporting
process adequate to provide reasonable assurance that its principal
financial statements are reliable.  As a result, IRS (1) was unable
to prepare reliable statements of net cost, changes in net position,
budgetary resources, and financing and (2) could not support material
amounts reported on its balance sheet, including fund balance with
Treasury, accounts payable, and net position.  In addition, we found
that property and equipment is likely to be materially understated. 
We found that

  -- the custodial and administrative general ledger systems which
     support the principal financial statements are not in
     conformance with the U.S.  Government Standard General Ledger
     (SGL)\2 at the transaction level and do not provide a complete
     audit trail for recorded transactions,

  -- material balances reported on IRS' principal financial
     statements are not supported by detailed subsidiary records, and

  -- IRS' principal financial statements are not subject to
     management oversight adequate to provide reasonable assurance
     that significant errors and omissions are identified and
     corrected before the principal financial statements are issued. 

In an effort to overcome these deficiencies, IRS employs a costly,
labor intensive, and time-consuming process involving extensive and
complex analysis and ad hoc procedures to assist in preparing its
principal financial statements.  IRS continues to utilize specialized
computer programs to extract information from databases underlying
the administrative and custodial general ledgers to derive and/or
support amounts to be reported in the principal financial statements. 
For example, IRS must use this process to identify the portion of its
unpaid assessments that represent taxes receivable for financial
reporting purposes.  However, as in fiscal year 1997, the amounts
produced by this approach needed material audit adjustments totaling
tens of billions of dollars to produce reliable balances for
custodial activities.  With respect to IRS' administrative
activities, this approach was unsuccessful in producing reliable
balances. 

In addition, IRS' basic approach was designed specifically for the
narrowly defined purpose of preparing auditable balances at year-end
only.  This mechanism is not capable of producing reliable agencywide
principal financial statements or financial performance information
to measure results throughout the year as a management tool, which is
standard practice in private industry and some federal entities. 

We also found that IRS' previously separate financial reporting
processes for its custodial and administrative activities\3 have not
been integrated under unified supervision at the operational level. 
This unnecessarily complicates IRS' year-end financial reporting
process and hampers efforts to provide interim IRS-wide financial
information as a management tool. 

IRS' complex and often manual financial reporting process requires
extensive technical computer and accounting expertise and is highly
vulnerable to human error.  It is therefore critical that this
process be adequately staffed and supervised and be subject to
adequate management oversight at each stage as balances and
disclosures are developed.  However, IRS' financial reporting process
often lacked these basic controls.  For example, during fiscal year
1998, key personnel with responsibilities for financial systems and
reporting on IRS' administrative activities left IRS and had not been
replaced by year-end.  Consequently, IRS was compelled to attempt to
prepare its financial statements without the necessary staff.  This
occurred at the same time as the implementation of new federal
accounting and reporting requirements that required IRS to prepare
four new financial statements.  In addition, throughout the process,
we found numerous errors and omissions in financial reporting
documentation as well as in the draft financial statements
themselves, which likely would have been caught and corrected had
these records been appropriately reviewed by management. 

In our previous audit,\4 we reported that IRS' custodial financial
management systems did not substantially comply with Federal
Financial Management Systems Requirements (FFMSR),\5 federal
accounting standards, and the SGL at the transaction level, which are
the core requirements of FFMIA.  During fiscal year 1998, we found
that this condition continued and that IRS' administrative financial
management systems also had significant problems.  IRS (1) cannot
reliably prepare four of the six principal financial statements
required by the Office of Management and Budget, which prescribes the
form and content of federal financial statements, (2) does not have a
general ledger(s) that conforms to the SGL, (3) lacks a subsidiary
ledger for its unpaid assessments, accounts payable, and undelivered
orders, and (4) lacks an effective audit trail from its general
ledgers back to subsidiary detailed records and transaction source
documents. 

In addition, IRS does not consistently capture costs as required by
federal accounting standards to permit it to (1) routinely prepare
reliable cost-based performance measures for inclusion in the
management discussion and analysis that accompanies its principal
financial statements or (2) prepare the information to be included in
its annual performance plan as required by the Government Performance
and Results Act (GPRA) of 1993.  This deficiency also renders IRS
unable to include reliable cost-based performance information in its
budget submission to Congress. 


--------------------
\2 The SGL establishes the general ledger account structure for
federal agencies as well as the rules for agencies to follow in
recording financial events. 

\3 During fiscal year 1998, IRS combined the financial reporting of
its administrative and custodial activities, which had previously
been reported and audited separately, into a single set of principal
financial statements.  We audited the administrative and custodial
activities through fiscal year 1996 and audited the custodial
activities in fiscal year 1997.  The fiscal year 1997 results of IRS
administrative activities were audited by the Department of the
Treasury Office of Inspector General.  See Internal Revenue Service
Accountability Report, Fiscal Year 1997, Department of the Treasury
(March 1998). 

\4 See Financial Audit:  Examination of IRS' Fiscal Year 1997
Custodial Financial Statements (GAO/AIMD-98-77, February 26, 1998). 

\5 FFMSR are a series of requirements produced by the Joint Financial
Management Improvement Program to improve federal financial
management through uniform requirements for financial information,
financial systems, and financial organization. 


   IRS CONTINUES TO LACK A
   SUBSIDIARY LEDGER AND ADEQUATE
   SUPPORTING DOCUMENTATION FOR
   UNPAID ASSESSMENTS
---------------------------------------------------------- Chapter 0:2

As we have previously reported,\6 IRS does not have a subsidiary
ledger which tracks and accumulates unpaid assessments and their
status\7 on an ongoing basis, the absence of which adversely affects
its ability to effectively manage and accurately report unpaid
assessments.  To compensate for this, IRS runs computer programs
against its master files--the only detailed record of taxpayer
information it maintains--to identify, extract, and classify the
universe of unpaid assessments for financial reporting purposes. 
However, this approach is only designed for the limited purpose of
allowing IRS to report auditable financial statement totals at
year-end and is not an adequate substitute for a reliable subsidiary
ledger which provides an accurate outstanding balance for each
taxpayer on an ongoing basis.  Additionally, this approach still
resulted in the need for tens of billions of dollars of audit
adjustments to IRS' principal financial statements to correct
duplicate or otherwise misstated unpaid assessment balances
identified by our testing. 

Without the information an effective subsidiary ledger should
provide, IRS cannot ensure that payments and assessments are promptly
posted to the appropriate taxpayer accounts.  We found in our
statistical sample of unpaid assessments that this problem resulted
in inaccurate taxpayer account balances and led IRS to pursue
collection efforts against taxpayers who had already paid their taxes
in full.  In addition, in our sample we found that IRS
inappropriately issued refunds to taxpayers with outstanding tax
assessment balances. 

We previously reported that IRS had significant problems locating
supporting documentation for unpaid assessment transactions.  To
address this issue, we worked closely with IRS and identified various
forms of documentation to support these items, and we requested these
documents in performing our fiscal year 1998 testing.  While we did
note some improvement, we continued to find that IRS experienced
difficulties in providing supporting documentation.  The lack of
adequate supporting documentation made it difficult to assess the
classification and collectibility of unpaid assessments reported in
the principal financial statements as federal taxes receivable and
may make it difficult for IRS to readily identify and focus
collection efforts. 


--------------------
\6 See GAO/AIMD-98-77, February 26, 1998. 

\7 Unpaid assessments consist of (1) taxes due from taxpayers for
which IRS can support the existence of a receivable through taxpayer
agreement or a favorable court ruling (federal taxes receivable), (2)
compliance assessments where neither the taxpayer nor the court has
affirmed that the amounts are owed, and (3) write-offs, which
represent unpaid assessments for which IRS does not expect further
collections due to factors such as the taxpayer's death, bankruptcy,
or insolvency.  Of these three classifications of unpaid assessments,
only federal taxes receivable are reported on the principal financial
statements.  As of September 30, 1998, IRS reported $26 billion (net
of an allowance for doubtful accounts of $55 billion), $22 billion,
and $119 billion in these three categories, respectively.  See the
attachment to this statement for a graphic breakdown of IRS' balance
of unpaid assessments at September 30, 1998. 


   VULNERABILITIES IN CONTROLS
   OVER REFUNDS CONTINUE TO EXIST
---------------------------------------------------------- Chapter 0:3

As in prior years, we continued to find that IRS does not have
sufficient preventive controls over refunds to reduce to an
acceptable level the risk that inappropriate payments for tax refunds
will be disbursed.  Inappropriate refund payments continued to be
issued in fiscal year 1998 due to (1) IRS comparing the information
on tax returns and third party data such as W-2s (Wage and Tax
Statement) too late to identify and correct discrepancies between
these documents, (2) significant levels of invalid Earned Income Tax
Credit (EITC) claims, and (3) deficiencies in controls that allowed
duplicate refunds to be issued.  We also found instances of erroneous
refunds being issued as a result of errors or delays in posting
assessments to taxpayer accounts.  Errors and posting delays such as
these impair IRS' ability to effectively offset refunds due taxpayers
against amounts owed by the same taxpayers on another account. 

Although IRS has detective (post-refund) controls in place, the lack
of sufficient preventive controls exposes the government to
potentially significant losses due to inappropriate disbursements for
refunds.  According to IRS' records, IRS investigators identified
over $17 million in alleged fraudulent refunds that had been
disbursed during the first 9 months of calendar year 1998 and
prevented the disbursement of an additional $65 million in alleged
fraudulent refund claims.  During calendar year 1997, IRS' records
indicate that intervention by IRS investigators prevented the
disbursement of additional alleged fraudulent refund claims totaling
over $1.5 billion.  However, the full magnitude of invalid refunds
disbursed by IRS is unknown. 

In addition, rates of invalid EITC claims have historically been
high.\8 During fiscal year 1998, IRS reported that it processed EITC
claims totaling over
$29 billion, including over $23 billion (79 percent) in refunds.\9 In
an effort to minimize losses due to invalid EITC claims, IRS
electronically screens tax returns claiming EITC to identify those
exhibiting characteristics considered indicative of potentially
questionable claims based on past experience and then selects those
claims considered most likely to be invalid for detailed examination. 
During fiscal year 1998, IRS examiners reviewed over 290,000 tax
returns claiming $662 million in EITC of which $448 million (68
percent) was found to be invalid.  These examinations are an
important control mechanism for detecting questionable claims and
providing a deterrent to future invalid claims.  However, because
examinations are often performed after any related refunds are
disbursed, they cannot substitute for effective preventive controls
designed to identify invalid claims before refunds are disbursed. 

In fiscal year 1998, IRS began implementing a 5-year EITC compliance
initiative intended to expand customer service to increase taxpayers'
awareness of their rights and responsibilities related to EITC,
strengthen enforcement of EITC requirements, and enhance research
into the sources of EITC noncompliance.  However, most of IRS'
efforts under that initiative had not progressed far enough at the
time we completed our audit for us to make any judgment about their
effectiveness. 

While we were able to substantiate the amounts of refunds disbursed
as reported on IRS' fiscal year 1998 principal financial statements,
IRS nevertheless lacks effective preventive controls to minimize its
vulnerability to payment of inappropriate refunds.  Once an
inappropriate refund has been disbursed, IRS is compelled to expend
both the time and expense to attempt to recover it, with dubious
prospects of success. 


--------------------
\8 High-Risk Series:  An Update (GAO/HR-99-1, January 1999) and Major
Management Challenges and Program Risks:  Department of the Treasury
(GAO/OCG-99-14, January 1999). 

\9 EITC claims do not always result in refunds.  They may also reduce
tax assessments. 


   PHYSICAL SECURITY OVER MANUAL
   TAX RECEIPTS AND TAXPAYER
   INFORMATION IS INADEQUATE
---------------------------------------------------------- Chapter 0:4

As we have previously reported,\10 IRS' controls over cash, checks,
and related hardcopy taxpayer data it manually receives from
taxpayers are not adequate to reduce to an acceptably low level the
risk that these payments will not be properly credited to taxpayer
accounts and deposited in the Treasury or that proprietary taxpayer
information will not be properly safeguarded.  Strong physical
security is critical to ensure that receipts are not lost or stolen
or that sensitive taxpayer data are not compromised, and is thus
critical to IRS' customer service goals. 

However, we found that (1) unattended checks and tax returns were
often stored in open and easily accessible areas, (2) hundreds of
millions of dollars of receipts in the form of checks, and in one
case cash, were transported from IRS field offices to financial
institutions by unarmed couriers who often used unmarked civilian
vehicles including, in one instance, a bicycle, and (3) individuals
were hired and entrusted with access to cash, checks, and sensitive
taxpayer data before completion of background or fingerprint checks. 
This problem is particularly acute during peak filing season when IRS
typically hires thousands of temporary employees.  IRS'
investigations of 80 thefts at service centers between January 1995
and July 1997 found that 15 percent of these were committed by
individuals who had previous arrest records or convictions that were
not identified prior to their employment.  At commercial lockbox
banks IRS contracts with to process tax receipts, we found similar
weaknesses, including the use of unarmed couriers and the hiring of
temporary employees before background checks are completed. 

In fiscal years 1997 and 1998, IRS identified 56 actual or alleged
cases of employee theft of receipts at IRS field offices and lockbox
banks totaling about $1 million.  An additional 100 cases were opened
during the period in which the amount potentially stolen was not
quantified.  Further, the magnitude of thefts not identified by IRS
is unknown.  The weaknesses we identified also expose taxpayers to
increased risk of losses due to financial crimes committed by
individuals who inappropriately gain access to confidential
information entrusted to IRS.  For example, this information -- which
includes names, addresses, social security and bank account numbers,
and details of financial holdings -- may be used to commit identity
fraud.  Although receipts and taxpayer information will always be
vulnerable to theft, IRS has a responsibility to protect the
government and taxpayers from such losses.