This is the accessible text file for GAO report number GAO-04-553R
entitled 'Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures' which was released on April 28, 
2004.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

April 26, 2004:

The Honorable Mark W. Everson 
Commissioner of Internal Revenue:

Subject: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures:

Dear Mr. Everson:

In November 2003, we issued our report on the results of our audit of 
the Internal Revenue Service's (IRS) financial statements as of and for 
the fiscal years ending September 30, 2003 and 2002, and on the 
effectiveness of its internal controls as of September 30, 
2003.[Footnote 1] We also reported our conclusions on IRS's compliance 
with significant provisions of selected laws and regulations and on 
whether IRS's financial management systems substantially comply with 
requirements of the Federal Financial Management Improvement Act of 
1996. A separate report on the implementation status of recommendations 
from our prior IRS financial audits and related financial management 
reports including this one will be issued shortly.

The purpose of this report is to discuss issues identified during our 
fiscal year 2003 audit regarding internal controls and accounting 
procedures that could be improved for which we do not presently have 
any recommendations outstanding. Although not all of these issues were 
discussed in our fiscal year 2003 audit report, they all warrant 
management's consideration. This report contains 15 recommendations 
that we are proposing IRS implement in order to improve its internal 
controls and accounting procedures. We conducted our audit in 
accordance with U.S. generally accepted government auditing standards.

Results in Brief:

During fiscal year 2003, we identified a number of internal control 
issues that adversely affected safeguarding of tax receipts, budgeting, 
operating costs, and financial reporting. These issues concern (1) 
enforcement of lockbox bank[Footnote 2] contractor policies, (2) 
courier service requirements, (3) lockbox bank management reviews, (4) 
candling,[Footnote 3] (5) safeguarding of taxpayer receipts and 
information at IRS field offices and service center campuses, (6) 
physical security, (7) deobligation of funds, (8) overpayments to 
employees' Thrift Savings Plan (TSP) accounts, (9) financial statement 
disclosures, and (10) interim performance measures.

Specifically, we found the following:

IRS did not require lockbox banks to maintain information on the 
employment start dates of their contractors[Footnote 4] who have access 
to taxpayer receipts and related information. As a result, there is no 
evidence that lockbox managers are adhering to IRS's criterion that 
contractors receive favorable fingerprint results prior to having 
access to taxpayer receipts and information. IRS allowed immediate 
family members to serve as couriers together, thereby undermining the 
intent of IRS's requirements that two-person courier teams transport 
taxpayer receipts to depositories. Allowing two-person courier teams to 
consist of related individuals or individuals in close relationships 
increases the risk of collusion and consequently the theft of taxpayer 
receipts.

IRS did not require documentary evidence that lockbox management 
performed required reviews of certain control logs and transmittal 
documents. At the lockbox banks we visited, there were several 
instances for which no evidence of required reviews was available. The 
lack of such evidence reduces IRS's assurance that the reviews are 
performed, in turn increasing the risk of untimely detection of theft 
of, loss of, or unauthorized access to taxpayer information and 
receipts.

Automated mail extraction machines used to perform candling were not 
checked prior to use to ensure that they were operating properly. As a 
result, IRS's risk of loss of receipts and taxpayer information was 
increased.

IRS did not always follow the required procedures to safeguard taxpayer 
receipts and information in its facilities. We found (1) taxpayer 
receipts and information kept in unsecured containers and areas at 
field offices and (2) discovered remittances[Footnote 5] stored in 
unsecured containers and areas at a service center campus. The reduced 
level of protection given to these taxpayer receipts and data increases 
the risk of their theft, loss, or misuse.

Security guards did not respond to alarms at two of the four service 
center campuses we visited. The lack of timely response to alarms 
increases the risk of theft of taxpayer receipts and information as 
well as untimely detection of such incidents.

IRS did not always timely identify and deobligate outstanding 
obligations, hindering its ability to use the funds for other programs 
and initiatives.

IRS did not have controls in place to provide reasonable assurance that 
payroll calculations made on its behalf by the National Finance Center 
(NFC) were not adversely affected by control weaknesses at NFC, 
resulting in inaccurate contributions to employee TSP accounts.

IRS's controls over the calculation and reporting of Other Claims for 
Refunds in the supplemental information to its financial statements 
were not effective in preventing errors from occurring in the reporting 
of those amounts.

IRS lacked adequate controls over the preparation of interim period 
performance management data. As a result, IRS reported inaccurate or 
outdated interim performance data, and program managers lacked 
consistent and reliable information to make informed decisions on 
interim program performance.

At the end of our discussion of each of these issues in the following 
sections, we make recommendations for strengthening IRS's internal 
controls. These recommendations are intended to bring IRS into 
conformance with the internal control standards that federal agencies 
are required to follow.[Footnote 6]

In its comments, IRS agreed with our recommendations and described 
actions it was taking or planned to take to address the control 
weaknesses described in this report. At the end of our discussion of 
each of the issues in this report, we have summarized IRS's related 
comments and provided our evaluation.

Scope and Methodology:

As part of our audit of IRS's fiscal years 2003 and 2002 financial 
statements, we evaluated IRS's internal controls and its compliance 
with selected provisions of laws and regulations. We designed our audit 
procedures to test relevant controls, including those for proper 
authorization, execution, accounting, and reporting of transactions.

We requested comments on a draft of this report from the Commissioner 
of Internal Revenue. We received written comments from the Commissioner 
and have reprinted the comments in enclosure I. Further details on our 
audit scope and methodology are included in our report on the results 
of our audits of IRS's fiscal years 2003 and 2002 financial statements 
and are reproduced in enclosure II.[Footnote 7]

Enforcement of Lockbox Contractor Background Investigation Policies:

In previous years, we found that IRS allowed lockbox bank employees and 
contractors access to cash, checks, and other taxpayer data at lockbox 
banks before lockbox management had received satisfactory results of 
the individuals' background investigations, thereby subjecting IRS to 
an increased risk of theft or misuse of taxpayer receipts and 
data.[Footnote 8] During our fiscal year 2003 audit, we found that IRS 
had made substantial progress in this area with regard to lockbox bank 
employees and, as a result, had substantially reduced its exposure 
related to the risks of hiring individuals prior to receiving the 
results of satisfactory background investigations. Additionally, IRS 
procedures require lockbox bank managers to ensure that they have 
received satisfactory results of fingerprint checks from the National 
Background Investigation Center (NBIC) for lockbox bank contractors, 
such as couriers, before they are granted staff-like access to the 
lockbox processing area or are entrusted with taxpayer receipts and 
information. However, at two of the four lockbox bank locations we 
visited this year, lockbox bank managers could not provide the 
necessary data to demonstrate that they had not granted contractors, 
such as couriers, access to taxpayer data without having previously 
received satisfactory fingerprint check results from NBIC.

At one of the two locations where management was unable to demonstrate 
that it had received satisfactory fingerprint check results before it 
had granted couriers access to taxpayer receipts and data, the 
couriers' start dates were inconsistent with data gathered from that 
same location during the prior year's audit. As a result, we concluded 
that the lockbox bank's data on contractor start dates were unreliable. 
At the second location, lockbox bank management informed us that 
maintaining information on start dates for contractors was not a 
requirement. From the information provided by the lockbox bank 
managers, we were not able to verify the controls the lockbox bank uses 
to validate its adherence to the fingerprinting requirement for 
contractors. GAO's Standards for Internal Control in the Federal 
Government requires agencies to establish controls to safeguard 
vulnerable assets.[Footnote 9] Until IRS ensures that lockbox bank 
managers allow only contractors who have successfully met the 
background investigation requirements to have access to taxpayer 
receipts and data and sensitive IRS information, the federal government 
will be unnecessarily exposed to the risk of loss, theft, or misuse of 
taxpayer receipts and information.

Recommendation:

We recommend that IRS require lockbox bank managers to maintain 
appropriate documentation on-site demonstrating that satisfactory 
fingerprint results have been received before contractors are granted 
access to taxpayer receipts and data.

IRS Comments and Our Evaluation:

IRS agreed with our recommendation and indicated that its current 
Lockbox Processing Guideline (LPG) now requires appropriate 
documentation for couriers and guards before they are granted access to 
taxpayer receipts. Additionally, to ensure compliance with the LPG, IRS 
has included the requirement in its security and administrative 
reviews. We will evaluate the effectiveness of IRS's efforts during our 
fiscal year 2004 financial audit.

Courier Requirements:

In a number of reports, we have pointed out that IRS lacks effective 
controls over various aspects of courier services used to transport 
taxpayer receipts.[Footnote 10] We have made numerous recommendations 
to IRS to strengthen related controls. IRS has made significant efforts 
to address the courier security weaknesses we identified by adopting 
more stringent security standards for couriers who transport IRS's 
daily deposits to depositary institutions. In particular, IRS adopted a 
requirement that courier service employees work in pairs to mitigate 
the risk of loss.

While this modification was well conceived, it does not satisfactorily 
reduce risk in certain atypical situations we found at two service 
center campuses and one lockbox bank location we visited. At the two 
campuses, we found courier teams consisting of (1) a husband and wife 
and (2) a mother and daughter. At the lockbox bank location, we found 
one team consisting of a husband and wife[Footnote 11] and another team 
consisting of a father and son. When courier team members have close 
relationships, the risk of collusion is increased and the assurance 
provided by having two-person courier teams is diminished.

Recommendation:

We recommend that IRS revise its policy on two-person courier teams to 
prohibit the use of courier teams consisting of closely related 
individuals to further minimize the risk of collusion in the theft of 
taxpayer receipts and data.

IRS Comments and Our Evaluation:

In response to our recommendation, IRS agreed to work with its Revenue 
and Deposit Branch to assess the risks associated with its current 
courier policy and determine if changes are needed. We will evaluate 
IRS's conclusions and any corrective actions during our fiscal year 
2004 financial audit.

Lockbox Management Reviews:

During our fiscal year 2003 financial audit, we found instances in 
which there was no evidence that lockbox management performed certain 
required reviews. GAO's Standards for Internal Control in the Federal 
Government[Footnote 12] requires agencies to establish controls to 
enforce adherence to requirements, such as management reviews, and to 
create and maintain records providing evidence that these controls are 
executed.

We visited four lockbox banks during our fiscal year 2003 audit. We 
found that at all four of these lockbox banks, there was no documentary 
or other evidence that some required management reviews of control logs 
and transmittal documents relating to transport of taxpayer receipts 
and access to taxpayer receipts and data had been performed. The lack 
of such evidence increases the risk that the reviews are not performed, 
thereby increasing the risk of untimely detection of theft of, loss of, 
or unauthorized access to taxpayer receipts and data.

As discussed above, lockbox banks use couriers to transport taxpayer 
receipts and taxpayer information to depositories and to service center 
campuses. Each lockbox bank is required to maintain a log showing the 
courier driver's signature, date and time of pickup, and number of 
boxes transported for all courier services, and lockbox bank managers 
are required to review these control logs monthly. At three of the four 
lockbox banks we visited, we found no evidence such as a reviewer's 
signature or initial, date, or comment, that managers had reviewed 
these logs. On two of the logs we reviewed, we noted that the courier 
drivers' signatures were missing, and at one lockbox bank we noted that 
no log existed for service center campus shipments or depository 
pickups. We also noted that at one of the lockbox banks, the 
transmittal document that is required to accompany all shipments of 
IRS-and taxpayer-related information, including cartridges and 
microfilm, from any bank site to the service center campus was 
frequently incomplete and often lacked a complete count of the items 
shipped. This transmittal document is extremely important since it is 
the only way assure that all packages included in each shipment are 
properly and timely received and acknowledged by the addressee at the 
service center campus.

IRS also requires that lockbox banks using automated entry systems 
(AES) to the lockbox processing areas establish and maintain logs 
controlling key, proximity, and swipe cards in order to provide an up-
to-date audit trail of employee access and to deter unauthorized access 
to restricted areas. Lockbox managers are required to review these logs 
monthly. At two of four lockbox banks we visited, managers either 
lacked evidence of their monthly review or did not perform the review 
in accordance with established guidelines. At one of these two lockbox 
banks, we noted that the AES control log did not list the dates that 
proximity cards were enabled or disabled.

The lack of evidence of managerial reviews reduces IRS's assurance that 
such reviews are performed, thereby increasing the risk of untimely 
detection of theft of, loss of, or unauthorized access to taxpayer 
receipts and data.

Recommendation:

We recommend that IRS develop procedures to require lockbox managers to 
provide satisfactory evidence that managerial reviews are performed in 
accordance with established guidelines. At a minimum, reviewers should 
sign and date the reviewed documents and provide any comments that may 
be appropriate in the event that their reviews identified problems or 
raised questions.

IRS Comments and Our Evaluation:

IRS agreed with our recommendation and stated that it would (1) 
consider the risk level of each document log, (2) assess each one to 
determine the appropriate level of review, and (3) follow up with 
additional guidelines, if necessary. We will evaluate the effectiveness 
of IRS's efforts in future audits.

Automated Candling Procedures:

In our previous audits, we reported that IRS did not always ensure that 
opened envelopes were candled twice before destruction, as required by 
its procedures to provide assurance that all contents have been 
extracted. During our fiscal year 2003 financial audit, we continued to 
find weaknesses in IRS candling procedures. GAO's Standards for 
Internal Control in the Federal Government[Footnote 13] requires that 
management establish physical controls to secure and safeguard 
vulnerable assets and provide qualified and continuous supervision to 
ensure that control objectives are achieved.

During our testing at one of the four lockbox banks we visited, we 
found that machines were used to assist in the extraction of taxpayer 
remittances. These machines, after the operator extracted the contents 
from envelopes, subjected the envelopes to a light source and a sensor 
and were designed to notify the operator in the event that envelopes 
had not been fully emptied of their contents. We tested 4 of 14 such 
machines by placing items in envelopes, and found that all four 
machines were not notifying the operators that envelopes were not 
emptied. IRS's procedures for the lockbox banks require managers to 
monitor equipment and personnel for extraction accuracy and institute 
additional measures should trends occur or discovered remittance 
volumes increase. However, no specific guidance exists to help ensure 
that automated candling equipment is functioning as intended throughout 
the process. In addition, no evidence exists documenting that lockbox 
bank managers periodically reviewed the effectiveness of the automated 
candling equipment. The lack of such guidance increases the risk of 
loss of taxpayer receipts and data.

Recommendations:

We recommend that IRS:

revise its candling procedures at lockbox banks to require testing of 
automated candling machines at appropriate intervals, taking into 
account such factors as use time, volume processed, machine 
requirements, and shift cycles, and 
require lockbox managers to maintain logs of these tests and to 
periodically review their logs.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations and indicated that corrective 
actions have been or will be implemented. Specifically, IRS stated that 
it now requires an additional candling of all envelopes processed by 
extractors using automated candling machines. In addition, IRS agreed 
to include our recommendation on maintaining logs of the tests 
conducted as part of its assessment of testing standards for machines 
with automated candling equipment. We will evaluate the effectiveness 
of IRS's efforts in future audits.

Safeguarding of Taxpayer Receipts and Information:

During our fiscal year 2003 financial audit, we found instances in 
which IRS was not following its procedures for safeguarding taxpayer 
receipts and information in its facilities, thus increasing the risk 
that taxpayer receipts and information could be lost, stolen, or 
destroyed. GAO's Standards for Internal Control in the Federal 
Government requires agencies to establish physical controls to secure 
and safeguard vulnerable assets.[Footnote 14]

We visited three IRS Taxpayer Assistance Centers (TAC) during our 
fiscal year 2003 audit. All three centers were receiving and storing 
taxpayer receipts and information in unsecured areas without properly 
securing them. From our observations, taxpayers were greeted, upon 
entering a TAC, by an IRS representative who was responsible for 
determining the type of assistance needed, assigning taxpayers a 
service number, and receiving drop-off payments. These functions were 
performed outside the secured area of the TAC. We observed the IRS 
representatives receiving taxpayer remittances and storing them in an 
unlocked drawer at the information desk. When the representatives left 
the information desk to assist other taxpayers waiting in the TAC, they 
did not secure or remove the remittances from the desk. The:

failure to properly safeguard assets created an opportunity for 
unauthorized access to and theft of taxpayer receipts and data.

In addition, at one of the service center campuses, we observed 
discovered remittances outside a secured area and not stored in secured 
containers as required by IRS procedures. Storing receipts in unsecured 
containers in an unsecured area significantly increases the risk of 
theft of taxpayer receipts because anyone with access to the service 
center could gain access to the receipts. In our audits of IRS's 
financial statements for fiscal years 1997 through 2001, we found 
similar weaknesses in controls over receipts discovered outside of 
designated receipt processing areas within IRS's service center 
campuses. We recommended that IRS correct the weaknesses by providing 
secure containers in which service center employees could immediately 
store and inventory discovered remittances. In our May 2003 report 
following up on this and other issues,[Footnote 15] IRS officials 
stated that locked containers had been provided to all services 
centers, that instructions had been issued to service centers 
concerning proper handling and recording of discovered remittances, and 
that monitoring steps had been put in place. Our fiscal year 2003 audit 
finding, however, raises concern about IRS's ability to effectively 
monitor its service center campuses' implementation of sound controls 
over safeguarding discovered remittances.

Recommendations:

We recommend that IRS:

discontinue its practice of storing taxpayer receipts and data outside 
TAC secured areas without storing the receipts in a secured locked 
container and:

develop procedures to enhance adherence to existing instructions on 
safeguarding discovered remittances at service center campuses.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations and reiterated its Internal Revenue 
Manual (IRM) guidance on both recommendations. In both instances, IRS 
stated that it would continue to monitor adherence to the IRM guidance 
in its operational reviews at TAC offices and its monthly reviews of 
the service center campus revenue receipt and control process. We will 
evaluate the effectiveness of IRS's efforts during our fiscal year 2004 
and future financial audits.

Response to Alarms:

GAO's Standards for Internal Control in the Federal Government[Footnote 
16] requires that access to resources and records, such as IRS receipts 
and taxpayer data, be limited to authorized individuals to reduce the 
risk of unauthorized use or loss to the government. Tax receipts, such 
as cash and checks, are highly susceptible to theft, and unauthorized 
use of taxpayer data could result in identity theft and financial 
fraud.[Footnote 17] Due to the large volume of receipts and the 
assembly-line nature of tax receipt processing, taxpayer data and 
receipts are easily accessible to individuals on the processing floor. 
This vulnerability underscores the need for effective controls to deter 
and detect unauthorized access.

As part of our fiscal year 2003 financial audit of IRS, we conducted 
tests of physical security controls at four IRS service center 
campuses, including tests to determine the responsiveness of security 
guards to activated building perimeter door alarms. We found that at 
two of four service center campuses we visited, security guards did not 
respond to the activated alarms. At one location, IRS officials told us 
that the exit door we tested did not show up as a breach in security on 
the monitoring equipment. However, a subsequent test of the same door 
resulted in a prompt response by the guards. At the second location, 
IRS officials informed us that the computer for the alarm system had 
gone down and was in the process of being rebooted at the time of 
breach. Nonetheless, the security guards' lack of response increases 
the risk of theft of taxpayer receipts and information and reduces the 
possibility of timely detection of such incidents.

Recommendations:

We recommend that IRS:

enforce its policies and procedures to ensure that service center 
campus security guards respond to alarms and:

establish compensating controls in the event that automated security 
systems malfunction, such as notifying guards and managers of the 
malfunction and immediately deploying guards to better protect the 
processing center's perimeter.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations and stated that by August 30, 2004, 
it would modify its IRM to include (1) the development, integration, 
and review of self-assessments for guards' response capabilities to 
alarms; (2) initial, periodic, and annual security exercises; and (3) 
written reports to support the security exercises conducted. Also, IRS 
stated that its Physical Security Program within Mission Assurance 
would develop, within the same time frame, procedures to ensure that 
local management is notified whenever there is a malfunction of alarms 
and that guards are deployed or doors are secured, as necessary, either 
during tests or when otherwise identified. We will evaluate the 
effectiveness of IRS's efforts in future audits.

Timeliness of Deobligations:

In prior years, we identified deficiencies in IRS's process for 
deobligating funds that were no longer valid or needed.[Footnote 18] 
Over the past several years, IRS has made substantial progress in 
addressing internal control deficiencies related to deobligations. IRS 
issued policy memorandums and implemented procedures to more frequently 
review obligations that are no longer active and thus need to be 
deobligated. These improvements have allowed IRS to better manage its 
financial resources and improve its reporting on the status of 
budgetary resources. While we recognize IRS's progress in reviewing 
outstanding obligations, our work performed as part of our fiscal year 
2003 financial audit indicates that further improvements are needed.

During our fiscal year 2003 audit, we found instances in which IRS did 
not timely identify and deobligate outstanding obligations. In our 
testing of a statistical sample of 110 undelivered orders[Footnote 19] 
as of August 31, 2003, we found four instances in which IRS did not 
deobligate undelivered orders that were no longer valid. These 
exceptions resulted primarily from (1) a system deficiency that 
prevented IRS personnel responsible for reviewing inactive obligations 
from having accurate information on when activity last occurred against 
the obligation and (2) IRS personnel's failure to timely review certain 
obligations. Consistent with GAO's Standards for Internal Control in 
the Federal Government,[Footnote 20]agencies are required to properly 
execute and accurately record transactions.

In fiscal year 2003, IRS issued a memorandum that provides financial 
plan managers[Footnote 21] guidelines for reviewing and identifying 
obligations to be deobligated. This memorandum supplemented existing 
guidance by providing the business unit finance staff with more 
detailed direction for reviewing outstanding obligations. For example, 
these guidelines state that IRS's business units are required to review 
aging unliquidated obligations (AUO) reports monthly and certify that 
all outstanding obligations with no activity for more than 180 days 
have been reviewed and validated as either (1) requiring deobligation 
or (2) valid obligations. IRS's Beckley Finance Center (BFC) generates 
AUO reports by running a program to extract information on outstanding 
obligations from the accounting system. AUO reports provide lists of 
all open obligations, along with such information as the outstanding 
obligation amount and the obligation's last activity date. The business 
units then review the obligations and make entries in the reports 
indicating whether the obligations are valid or should be deobligated.

We found that AUO reports did not capture the information necessary for 
reviewers to correctly identify inactive obligations. IRS may issue an 
obligation to purchase several types of equipment or services for 
various units within the organization, each of which is reported as a 
separate obligation line amount in the accounting system. However, when 
generating an AUO report, the most recent date activity occurred 
against the obligation is extracted and applied to all of the line 
amounts. For example, in one of the cases, an AUO report for an 
obligation with five obligation line amounts had a last activity date 
of June 9, 2003, recorded for all five obligation line amounts. The 
last date on which any goods or services were charged against the line 
item in our sample, however, was September 25, 2002. Because the AUO 
reports did not capture the correct activity date for each outstanding 
obligation line amount, IRS's business units did not have accurate data 
with which to identify all the inactive undelivered orders for possible 
deobligation.

For certain obligations, IRS's guidelines require concurrence between 
business unit staff and procurement office staff before an obligation 
can be deobligated. These are obligations that are processed through 
IRS's Integrated Procurement System, such as interagency agreements and 
large-dollar contracts. In order to respond to the business units, 
procurement office staff perform research on the status of the 
contract, contact the vendor, or obtain additional documentation to 
support a deobligation. If the procurement office is silent as to 
whether the obligations should be deobligated, the business units 
certify that the obligations are valid.

We found three instances in which obligations were not properly 
deobligated because the procurement office did not provide timely 
responses to the business units. In one case, IRS had ordered computer 
equipment and services at a cost of $334,910 on September 18, 2001. In 
October 2001, IRS received all the equipment and services ordered at a 
cost of $267,676. According to the documentation we reviewed, the 
vendor provided preliminary notification to IRS in November 2001 that 
IRS did not owe any additional funds because the vendor did not charge 
for goods and services that were initially ordered at $67,234. When we 
performed our testing, in August 2003, the procurement office had not 
yet confirmed with the vendor that the remaining $67,234 was a no-
charge item and thus had not requested that this amount be deobligated. 
In another case, an undelivered order for computer equipment and 
services totaling $28,268 had not had activity since November 2000. As 
of August 2003, the business unit had not received a response from the 
procurement office as to whether to deobligate the funds. Based on our 
review of these two files, IRS followed up on these cases and 
subsequently deobligated the funds.

Since the AUO reports did not capture the information necessary to 
ensure that all outstanding obligations with more than one line amount 
had the appropriate activity dates, IRS's financial plan managers did 
not identify all the obligations that needed to be reviewed for 
possible deobligation. Additional delays in deobligating funds were 
caused by the procurement office staff's failure to provide responses 
to business units in a timely manner. Based on our testing, we estimate 
that $37 million of undelivered orders were not valid.[Footnote 22] By 
not promptly deobligating funds, IRS affected its ability to use its 
financial resources effectively. If IRS had deobligated the funds 
within their periods of availability, the funds could have been used 
for other initiatives and programs.

Recommendations:

We recommend that IRS:

modify AUO reports to ensure that they report the last activity date 
for each outstanding obligation line amount and:

require procurement office staff to review and sign off on whether 
obligations are valid or require deobligation before business units 
complete their quarterly certifications.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations. In its comments, IRS stated that 
its BFC revised the AUO report in March 2004 to accurately report the 
last activity date for each obligation line amount. Moreover, IRS 
stated that it is currently evaluating its approach toward reviewing 
open obligations and approving those obligations that require 
deobligation. This includes studying the relative responsibilities of 
the procurement office, business units, and BFC with respect to 
validating and certifying deobligations. IRS will issue new guidelines 
at the conclusion of its internal review. We will evaluate the 
effectiveness of IRS's efforts during our fiscal year 2004 financial 
audit.

Excess Contributions to Employees' Thrift Savings Plan Accounts:

During fiscal year 2003, IRS did not have procedures in place to timely 
detect mathematical errors in its payroll information made by the 
NFC.[Footnote 23] We found that while processing IRS's payroll in 
fiscal year 2003, NFC made mathematical errors when it calculated the 
mandatory agency TSP contribution for some IRS employees. IRS did not 
detect these errors because, although it had control procedures in 
place to test certain payroll information processed by NFC, these 
procedures did not include verifying the accuracy of NFC's 
calculations. IRS relied on NFC to accurately process the biweekly 
payroll for its employees. Consistent with GAO's Standards for Internal 
Control in the Federal Government, IRS's internal controls should 
provide reasonable assurance that its financial transactions, including 
those processed by NFC, are accurately recorded.[Footnote 24] The 
errors we identified with respect to employee contributions to TSP were 
not material to IRS's financial statements. Nonetheless, because it did 
not have controls in place to verify NFC's calculations, IRS had less 
assurance that government funds were used as intended and that employee 
TSP accounts were accurate.

We found that in fiscal year 2003, a total of 131 IRS employees 
erroneously received excess mandatory contributions to their TSP 
accounts equaling 2 percent of their base pay, rather than the 1 
percent required by law. IRS must identify and recover amounts overpaid 
to TSP on behalf of its employees within 1 year of the time of payment 
or forfeit the funds to the Federal Retirement Thrift Investment Board 
or to the employees' TSP accounts. IRS did not detect these errors 
through its review process but became aware of them when we informed 
the agency about them. Some of these errors related to overpayments 
that had exceeded the 1-year limitation for recovery.

For the past several years, the Department of Agriculture's Office of 
Inspector General has reported weaknesses in internal controls over 
NFC's payroll operations.[Footnote 25] In addition, in a previous audit 
report,[Footnote 26] we stated that any agency that uses a service 
organization, such as NFC, to process its payroll transactions should 
establish adequate policies and procedures to ensure that the services 
provided meet the objectives of agency management. We further stated 
that adequate internal controls over input and output data to prevent 
or detect material misstatements are particularly critical when it has 
been determined that the service organization's internal controls do 
not provide reasonable assurance that payroll transactions were 
processed and reported accurately. In our report, we recommended that 
IRS implement control procedures to compensate for the weaknesses 
identified in NFC's payroll operations.

In response to our recommendation, IRS implemented compensating internal 
control procedures to ensure that NFC accurately processed IRS's 
payroll each pay period. Specifically, each pay period, IRS's 
Transactional Processing Operations Division reviews a 
nonrepresentative selection of employee Social Security numbers from a 
list of IRS employees paid that pay period and compares key payroll 
information (e.g., hours worked, leave taken, and payroll deductions) 
received from NFC to information that IRS submitted to NFC (e.g., time 
and attendance data, employee health plan, and life insurance 
election). Our findings during fiscal year 2003 also indicate that the 
mathematical errors we detected in NFC's payroll calculations occurred 
as a result of the NFC internal control weaknesses identified. However, 
since IRS's compensating control procedures do not include a test of 
the mathematical accuracy of NFC's calculations of payroll amounts, 
they do not give IRS the capability to timely detect errors in payroll 
calculations made by NFC during the processing of IRS payroll 
transactions. Because IRS did not have controls in place to verify 
NFC's calculations within the period allowed for recovery, it lost the 
ability to recover the erroneously contributed funds and use them to 
pay for its operations.

Recommendations:

We recommend that IRS:

enhance its compensating internal controls by including tests or 
recalculations of payroll computations performed by NFC for the IRS 
employees selected for review each pay period and:

timely investigate and resolve any identified errors.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations and stated that its Transactional 
Processing Operations (TPO) division will expand its current random 
sample payroll review and validation process to include the 
recalculation of agency TSP contributions. IRS expects implementation 
of the review process by June 2004. The TPO division will also be 
responsible for following up immediately on any discrepancies found and 
ensuring that NFC responds timely. We will evaluate the effectiveness 
of IRS's efforts during our fiscal year 2004 financial audit.

Supplemental Information for Other Claims for Refund:

During our audit of IRS's fiscal year 2003 financial statements, we 
found that IRS reported incorrect information in the supplemental 
information to the financial statements. Specifically, IRS incorrectly 
reported the total estimated payout for refund claims pending review by 
IRS's Appeals organization[Footnote 27] or federal courts. This error 
occurred because IRS's controls over the calculation and reporting of 
estimated payouts for refund claims were ineffective. GAO's Standards 
for Internal Control in the Federal Government[Footnote 28] requires 
that transactions be properly executed and accurately recorded. Because 
IRS did not have effective controls in place to ensure proper 
calculation and reporting of estimates of Other Claims for Refund, 
management did not have relevant, reliable, and timely information to 
achieve its objectives, increasing the risk that these amounts could be 
misstated.

During our audit, we found two errors relating to Other Claims for 
Refund in the supplemental information contained in IRS's draft fiscal 
year 2003 financial statements.

IRS's draft financial statements disclosed that the total estimated 
payout for claims pending review by IRS's Appeals organization was $5.2 
billion. However, based on our review of the supporting documentation, 
we found that the correct amount was $7.6 billion. This misstatement 
occurred because IRS used the wrong amount for interest in its 
computation. As a result, the supplemental information to the draft 
financial statements was misstated. When we informed IRS of the error, 
IRS corrected the amount reported in the supplemental information for 
the final financial statements.

IRS's financial statements disclosed that the estimated amount of 
claims pending review by federal courts was $6.5 billion. However, in 
its November 7, 2003, update for contingencies as of September 30 
through November 1, 2003, IRS counsel reported estimated claims pending 
review by federal courts as $6.2 billion. The updated data were not 
included in IRS's final supplemental information because of weaknesses 
in controls over reporting this information.

These misstatements did not materially affect IRS's financial 
statements, but without effective controls in place to ensure that 
amounts estimated for Other Claims for Refund are correctly reported, 
the risk of misstatement increases, and the accuracy of information 
available to IRS management for decision-making purposes is impaired.

Recommendation:

We recommend that IRS establish review procedures for amounts being 
reported in Supplemental Information to the financial statements for 
Other Claims for Refund.

IRS Comments and Our Evaluation:

IRS agreed with our recommendation and stated that it would add a 
second level of management review to its final financial statements to 
ensure that changes are identified and reported before final print. In 
addition, IRS stated that it would work closely with our financial 
audit team to determine the last day of fieldwork, and notify its Chief 
Counsel's office to determine if there are any material changes needed 
to its final financial statements. We will evaluate the effectiveness 
of IRS's efforts during our fiscal year 2004 financial audit.

Controls over Reporting Interim Performance Measures:

During our audit of IRS's fiscal year 2003 financial statements, we 
found that IRS's controls over its reporting of interim performance 
measurement data were not effective throughout the year. Specifically, 
we found that data reported at interim periods for certain performance 
measures were either not accurate or were outdated. This occurred 
because of data entry errors made in the reports generated from the 
performance data submitted by IRS's divisions. We also found that 
review of the reports was not documented. GAO's Standards for Internal 
Control in the Federal Government[Footnote 29] requires the review of 
performance measurement data. Such reviews should be designed to 
validate the propriety and integrity of performance measurement data 
and indicators. IRS reviews the Monthly Summary of Performance (MSP) 
reports from performance data submitted by IRS divisions, but these 
reviews were undocumented and were not effective in identifying the 
erroneous performance data reported. While we did not identify any 
errors in the performance data IRS reported in its year-end Management 
Discussion and Analysis, IRS management did not always have reliable 
performance measurement data available at interim periods to assist 
managers in making decisions.

IRS's Corporate Planning and Performance Division (CPPD) collects and 
reports performance data for each of its 69 performance measures. Each 
month and at year-end, CPPD compiles performance data submitted by 
operating divisions in an MSP report. These reports contain records of 
tax enforcement results that IRS uses for such purposes as forecasting, 
financial planning, and resource management. Information reported for 
each performance measure includes full-year performance, year-to-date 
comparison of performance data, and current fiscal year actual and 
planned performance data. Staff in CPPD review the data submitted by 
IRS's operating divisions. To identify any anomalies, the CPPD review 
includes comparisons of current-month data to prior-month data and 
current-year data to prior-year data. Generally, the offices 
responsible for submitting the data can explain any anomalies or, if 
data errors are found, will correct them. CPPD staff, using the 
reviewed and corrected performance data submissions, then manually 
prepare the MSP report. At the end of the fiscal year, IRS uses the MSP 
report to prepare the performance measure results reported in the 
Management and Discussion Analysis section of its financial statements.

As part of our fiscal year 2003 audit, we reviewed a nonrepresentative 
selection of five performance measures. For each measure, we obtained 
the supporting documentation and compared the support to what was 
reported in IRS's MSP reports for July and August 2003. In conducting 
our review, we identified data that were not current or not accurate 
for two of the five performance measures:

The number reported for the "Criminal Investigations Completed" 
performance measure as of July 2003 was the planned, rather than the 
actual, amount.

The number reported for the "Federal Tax Payment Transactions Paid 
Electronically" performance measure in both July and August 2003 was 
actually the April 2003 amount.

IRS agreed that the data were incorrect due to errors in data entry by 
CPPD staff during preparation of the MSP report. However, IRS is in the 
process of implementing a Business Performance Management System (BPMS) 
that when fully operational, is intended to be able to accept 
performance data directly from the operation divisions' reporting 
systems and would eliminate the need for data entry by CPPD staff. BPMS 
is expected to validate the accuracy of the data submitted by IRS's 
operating divisions.

Recommendation:

Until BPMS is fully operational, we recommend that IRS implement 
procedures to ensure that all performance data reported in MPS reports 
are subject to effective, documented reviews to provide reasonable 
assurance that the data are current at interim periods.

IRS Comments and Our Evaluation:

IRS agreed with our recommendation. In its comments, IRS stated that it 
has taken steps to ensure that performance measurement data are 
properly reviewed before being published. IRS plans to increase control 
over data by (1) increasing the number of measures reported through the 
automated BPMS, (2) requiring the submitting divisions to certify that 
their data are accurate, and (3) reducing the number of measures 
manually reported in the monthly report. We will evaluate the 
effectiveness of IRS's efforts during our fiscal year 2004 financial 
audit.

This report contains recommendations to you. The head of a federal 
agency is required by 31 U.S.C. 720 to submit a written statement on 
actions taken on these recommendations. You should submit your 
statement to the Senate Committee on Governmental Affairs and the House 
Committee on Government Reform within 60 days of the date of this 
report. A written statement must also be sent to the House and Senate 
Committees on Appropriations with the agency's first request for 
appropriations made more than 60 days after the date of the report.

This report is intended for use by the management of IRS. We are 
sending copies to Chairmen and Ranking Minority Members of the Senate 
Committee on Appropriations; Senate Committee on Finance; Senate 
Committee on Governmental Affairs; Senate Committee on the Budget; 
Subcommittee on Treasury and General Government, Senate Committee on 
Appropriations; Subcommittee on Taxation and IRS Oversight, Senate 
Committee on Finance; and the Subcommittee on Oversight of Government 
Management, Restructuring, and the District of Columbia, Senate 
Committee on Governmental Affairs. We are also sending copies to the 
Chairmen and Ranking Minority Members of the House Committee on 
Appropriations; House Committee on Ways and Means; House Committee on 
Government Reform; House Committee on the Budget; Subcommittee on 
Treasury, Postal Service, and General Government, House Committee on 
Appropriations; Subcommittee on Government Efficiency, Financial 
Management, and Intergovernmental Relations, House Committee on 
Government Reform; and the Subcommittee on Oversight, House Committee 
on Ways and Means. In addition, we are sending copies of this report to 
the Chairman and Vice-Chairman of the Joint Committee on Taxation, the 
Secretary of the Treasury, the Director of the Office of Management and 
Budget, the Chairman of the IRS Oversight Board, and other interested 
parties. Copies will be made available to others upon request. The 
report is also available at no charge on GAO's Web site at http://
www.gao.gov.

We acknowledge and appreciate the cooperation and assistance provided 
by IRS officials and staff during our audits of IRS's fiscal year 2003 
and 2002 financial 
statements. If you have any questions or need assistance in addressing 
these matters, please contact Larry Malenich, Assistant Director, at 
(202) 512-9399.

Sincerely yours,

Signed by: 

Steven J. Sebastian 
Director, Financial Management and Assurance:

Enclosures - 3:

Enclosure I:

Comments from the Internal Revenue Service:

COMMISSIONER:

DEPARTMENT OF THE TREASURY 
INTERNAL REVENUE SERVICE 
WASHINGTON, D.C. 20224:

April 16, 2004:

Mr. Steven J. Sebastian 
Director:

Financial Management and Assurance 
U.S. General Accounting Office:

441 G Street, NW Washington, DC 20548:

Dear Mr. Sebastian:

I am responding to your draft of the FY 2003 Management Report titled, 
Improvements Needed in IRS's Internal Controls and Accounting 
Procedures (GAO-04-553R). I believe the issues presented in your draft 
report will help us continue to improve our accounting procedures and 
internal controls, and we are committed to strengthening our oversight 
in these areas. We have instituted a number of changes that I believe 
will improve our controls related to safeguarding tax receipts. 
Specifically we:

* Established the Mission Assurance organization to combine key security 
activities into a single organization:

* Increased management awareness and our commitment to ensuring 
compliance with the policies and procedures we have implemented in the 
campuses, lockboxes, and field locations:

As evidenced in our response to the recommendations, we have already 
taken actions to correct many of these matters. The following comments 
address your recommendations separately.

Recommendation: The GAO recommended that the IRS require lockbox 
managers to maintain appropriate documentation on-site demonstrating 
that satisfactory fingerprint results have been received before 
contractors are granted access to taxpayer receipts and data.

Comments: We agree with this recommendation. The current Lockbox 
Processing Guideline (LPG) requires appropriate documentation for 
couriers and guards before we grant contractors access to taxpayer 
receipts. To ensure compliance with the LPG, we have included this in 
both the Financial Management Service (FMS) and our security and 
administrative reviews.

Recommendation: The GAO recommended that IRS revise its policy on two-
person courier teams to prohibit the use of courier teams consisting of 
closely related 
individuals to further minimize the risk of collusion in the theft of 
taxpayer receipts and data.

Comments: We agree the Revenue and Deposit Branch will work with 
Mission Assurance to assess the risks in the current guidelines by June 
30, 2004, and determine if we need to make any changes. We will provide 
you with any new guidelines we develop.

Recommendation: The GAO recommended that IRS develop procedures to 
require lockbox managers to provide satisfactory evidence that 
managerial reviews are performed in accordance with established 
guidelines. At a minimum, reviewers should sign and date the reviewed 
documents and provide any comments that may be appropriate in the event 
that their reviews identified problems or raised questions.

Comments: We agree with this recommendation. Our Lockbox Processing 
Guidelines instruct the banks to perform numerous managerial reviews. 
We will consider the risk level of each of the document logs, and 
assess each one to determine the appropriate level of review, and 
determine if more guidelines are necessary.

Recommendation: The GAO recommended that IRS revise its candling 
procedures at lockbox banks to require testing of automated candling 
machines at appropriate intervals, taking into account such factors as 
use time, volume processed, machine requirements, and shift cycles.

Comments: We agree with this recommendation. The IRS now requires an 
additional candling of all envelopes processed by extractors using 
machines that have automated candling equipment. This requirement 
mitigates the risk identified by the GAO. We agree to assess our 
current guidelines for possible inclusion of testing standards for 
equipment with automated candling equipment.

Recommendation: The GAO recommended that IRS require lockbox managers 
to maintain logs of these tests and to periodically review their logs.

Comments: We agree with the recommendation. We will include this 
recommendation as part of the assessment of testing standards for 
machines with automated candling equipment.

Recommendation: The GAO recommended that the IRS discontinue its 
practice of storing taxpayer receipts and data outside Taxpayer 
Assistance Center (TAC) secured areas without storing the receipts in a 
secured locked container.

Comments: We agree with this recommendation. We have provided written 
procedures to the TAC employees for safeguarding taxpayer receipts when 
received. The Internal Revenue Manual (IRM) 21.3.4.7(6), issued in June 
2003, provides guidance stating that payments received from taxpayers 
will be immediately placed in a locked container. The receipts are also 
stored away from employees' personal belongings. We will continue to 
conduct operational reviews at TAC offices to ensure our employees are 
following these IRM procedures.

For the TAC location you referenced in your letter that secured 
payments from taxpayers outside the secure area of the TAC, we 
contacted that location and they have moved the desk inside the secured 
area of TAC. We have also instructed the TAC managers to ensure we 
perform all TAC operations inside the secured TAC area.

Recommendation: The GAO recommended that the IRS develop procedures to 
enhance adherence to existing instructions on safeguarding discovered 
remittances at service center campuses.

Comments: We agree with this recommendation. In February 2003, we 
produced and distributed IRM 3.8.46 to all of our campuses. Form 4287 
(Record of Discovered Remittances) has been revised to include a box 
for managers to indicate that reconciliation has been performed. We 
also added a review for the discovered remittance procedures to the 
monthly security checklist.

Recommendation: The GAO recommended that IRS enforce its policies and 
procedures to ensure that service center campus security guards respond 
to alarms.

Comments: We agree with this recommendation. The IRS Physical Security 
Programs within Mission Assurance will modify IRM 16.12, Facility and 
Property Protection by August 30, 2004, to require the following:

* Develop self-assessments, which may be used to test the response 
capabilities for guards, as these relate to alarms:

* Integrate self-assessments into IRM 1.16 Physical and Property 
Protection 

* Conduct initial and then periodic security exercises, which 
are realistic, to ensure security guards respond to alarms, required by 
Operational Assurance personnel:

* Operational Assurance will provide written reports to the Physical 
Security Program Office to support the conducting of security 
exercises:

* Review self-assessment reports for alarm response and coordinate 
corrective action of outstanding issues:

* Conduct annual security exercises at each of their assigned facilities 
to test alarm responses:

Recommendation: The GAO recommended that IRS establish compensating 
controls in the event that automated security systems malfunction, such 
as notifying guards and managers of the malfunction, and immediately 
deploying guards to better protect the processing center's perimeter.

Comments: We agree with this recommendation. The IRS Physical Security 
Program within Mission Assurance will develop procedures by August 30, 
2004, to be used in conjunction with the policies developed to ensure 
that local management is notified whenever there is a malfunction of 
alarms and that guards are deployed or doors are secured, as necessary, 
either during tests or when otherwise identified.

Recommendation: The GAO recommended that IRS modify Aging Unliquidated 
Obligations (AUO) reports to ensure that they report the last activity 
date for each outstanding obligation line amount.

Comments: We agree with this recommendation. The Beckley Finance Center 
(BFC) revised the AUO report in March 2004 so that it accurately 
reports the last activity date for each obligation line amount.

Recommendation: The GAO recommended that IRS require procurement office 
staff to review and sign off on whether obligations are valid or 
require deobligation before business units complete their quarterly 
certifications.

Comments: We agree with this recommendation. The IRS is evaluating its 
current approach toward reviewing open obligations and approving those 
that require deobligation. This includes studying the relative 
responsibilities of the procurement office, business units, and the BFC 
with respect to validating and certifying deobligations. We will issue 
new guidelines at the conclusion of this internal review.

Recommendation: The GAO recommended that IRS enhance its compensating 
internal controls by including tests or recalculations of payroll 
computations performed by the National Finance Center (NFC) for the IRS 
employees selected for review each pay period.

Comments: We agree with this recommendation. The IRS Transactional 
Processing Operations (TPO) division will expand its current random 
sample payroll review and validation process to include the 
recalculation of agency TSP contributions. They are developing a 
detailed Standard Operating Procedure outlining the complete review 
process, and expect implementation of this process by June 2004.

Recommendation: The GAO recommended that IRS timely investigate and 
resolve any identified errors.

Comments: We agree with this recommendation. The IRS TPO Division is 
responsible for following up immediately on any discrepancies with NFC, 
and ensures the NFC takes corrective action within a timely manner.

Recommendation: The GAO recommended that IRS establish review 
procedures for amounts being reported in Supplemental Information to 
the financial statements for Other Claims for Refund.

Comments: We agree with this recommendation. The Office of Revenue 
reports currently provides in the draft financial statements, 
information from Appeals and Chief Counsel that are interim through the 
period of the draft statements. We agree to add a second level of 
management review to ensure we identify and report any changes in our 
final financial statements.

For the claims pending review by federal courts, our Chief Counsel's 
office sends their final contingencies as of September 30 and through 
November 1 directly to your office, and simultaneously to the CFO. We 
established this process with you because of the timing of this 
information related to the completion of your fieldwork, and finalizing 
our financial statements. Last year, we received this information after 
you had completed your fieldwork, and we jointly decided the changes 
were not material, and therefore not to adjust our final statements. 
For this year's audit, we will work closely with your office to 
determine the last day for your fieldwork, and notify our Chief 
Counsel's office so we can accelerate getting this information in time 
to determine if there are any material changes to make to our final 
financial statements.

Recommendation: Until Business Performance Management System (BPMS) is 
fully operational, we recommend that IRS implement procedures to ensure 
that all performance data reported in MPS reports are subject to 
effective, documented reviews to provide reasonable assurance that the 
data are current at interim periods.

Comments: We agree with this recommendation. The IRS has taken steps to 
ensure that the performance measures data reported in the monthly 
report is properly reviewed before being published. The IRS is 
increasing the control over the data by increasing the number of 
measures reported through the automated BPMS, requiring the submitting 
divisions to certify that their data is accurate, and reducing the 
number of measures manually reported in the monthly report. In 
addition, the Corporate Planning and Performance Unit (CPPU) staff 
continues to complete the manual review process as described by GAO. 
This review process requires that CPPU staff review the draft document, 
compare it to the data provided by the divisions, and compare it to 
the 
previous month's report for consistency. This review process validates 
the accuracy of the manual input of data to the report.

I appreciate your input and will continue to take the necessary steps 
to improve our financial management. With the continued dedication and 
cooperation of both our staffs, we will further enhance the IRS' 
accounting procedures and internal controls.

If you have any questions, please contact me or Eileen Powell, Chief 
Financial Officer, at (202) 622-6400.

Sincerely,

Signed by: 

Mark W. Everson:

Enclosure II:

Details on Audit Methodology:

To fulfill our responsibilities as the auditor of the Internal Revenue 
Service's (IRS) financial statements, we did the following:

Examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements. This included testing selected 
statistical samples of unpaid assessment, revenue, refund, accrued 
expenses, payroll, nonpayroll, property and equipment, and undelivered 
order transactions. These statistical samples were selected primarily 
to substantiate balances and activities reported in IRS's financial 
statements. Consequently, dollar errors or amounts can and have been 
statistically projected to the population of transactions from which 
they were selected. In testing these samples, certain attributes were 
identified that indicated either significant deficiencies in the design 
or operation of internal control or compliance with provisions of laws 
and regulations. These attributes, where applicable, can be and have 
been statistically projected to the appropriate populations.

Assessed the accounting principles used and significant estimates made 
by management.

Evaluated the overall presentation of the financial statements.

Obtained an understanding of internal controls related to financial 
reporting (including safeguarding assets), compliance with laws and 
regulations (including the execution of transactions in accordance with 
budget authority), and performance measures reported in IRS' Management 
Discussion and Analysis.

Tested relevant internal controls over financial reporting (including 
safeguarding assets) and compliance, and evaluated the design and 
operating effectiveness of internal controls.

Considered the process for evaluating and reporting on internal 
controls and financial management systems under 31 U.S.C.  3512 (c), 
(d), (commonly referred to as the Federal Managers' Financial Integrity 
Act of 1982).

Tested compliance with selected provisions of the following laws and 
regulations: Anti-Deficiency Act, as amended (31 U.S.C.  1341(a)(1) 
and 31 U.S.C.  1517(a)); Agreements for payment of tax liability in 
installments (26 U.S.C.  6159); Purpose Statute (31 U.S.C.  1301); 
Release of lien or discharge of property (26 U.S.C.  6325); Interest 
on underpayment, nonpayment, or extensions of time for payment of tax 
(26 U.S.C.  6601); Interest on overpayments (26 U.S.C.  6611); 
Determination of rate of interest (26 U.S.C.  6621); Failure to file 
tax return or to pay tax (26 U.S.C.  6651); Failure by individual to 
pay estimated income tax (26 U.S.C.  6654); Failure by corporation to 
pay estimated income tax (26 U.S.C.  6655); Prompt Payment Act (31 
U.S.C.  3902(a), (b), and (f) and 31 U.S.C.  3904); Pay and Allowance 
System for Civilian Employees (5 U.S.C.  5332 and 5343 and 29 U.S.C. 
 206); Federal Employees' Retirement System Act of 1986, as amended (5 
U.S.C.  8422 and 8423 and 8432); Social Security Act, as amended (26 
U.S.C.  3101 and 3121 and 42 U.S.C.  430); Federal Employees Health 
Benefits Act of 1959, as amended (5 U.S.C.  8905, 8906, and 8909); 
and Consolidated Appropriations Resolution, 2003 (Pub. L. No. 108-7).

Tested whether IRS's financial management systems substantially comply 
with the three requirements of the Federal Financial Management 
Improvement Act of 1996.[Footnote 30]

Enclosure III:

GAO Contacts and Staff Acknowledgments:

GAO Contacts:

J. Lawrence Malenich, (202) 512-9399 John D. Sawyer, (202) 512-9566:

Acknowledgments:

Staff who made key contributions to this report were Nina Crocker, John 
Davis, Alain Dubois, Valerie Freeman, Patrick McCray, Ryan Holden, 
Theresa Patrizio, and Robert Preshlock.

(196013):


GAO/AIMD-00.21.3.1.

FOOTNOTES

[1] U.S. General Accounting Office, Financial Audit: IRS's Fiscal Years 
2003 and 2002 Financial Statements, GAO-04-126 (Washington, D.C.: Nov. 
13, 2003).

[2] Lockbox banks are financial institutions designated as depositories 
and financial agents of the U.S. government to perform certain 
financial services, including processing tax documents, depositing the 
receipts, and then forwarding the documents and data to IRS's service 
center campuses, which update taxpayers' accounts. 

[3] Candling is a process used by IRS to determine if any contents 
remain in open envelopes. This is often achieved by passing the 
envelopes over a light source.

[4] For the purpose of this report, the term "lockbox bank contractors" 
refers to all individuals in a contractual relationship with a lockbox 
bank who are granted staff-like access to the lockbox bank but are not 
involved in the extraction and posting of receipts. This would include 
couriers and janitorial and equipment maintenance personnel. 

[5] Discovered remittances are cash and noncash taxpayer receipts that 
instead of being identified and processed during the initial mail 
extraction phase are found later during further processing of mail.

[6] U.S. General Accounting Office, Standards for Internal Control in 
the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 
1999).

[7] GAO-04-126.

[8] U.S. General Accounting Office, Internal Revenue Service: Progress 
Made, but Further Actions Needed to Improve Financial Management, GAO-
02-35 (Washington, D.C.: Oct. 19, 2001).

[9] GAO/AIMD-00.21.3.1.

[10] U.S. General Accounting Office, Internal Revenue Service: Physical 
Security Over Taxpayer Receipts and Data Needs Improvement, GAO/AIMD-
99-15 (Washington, D.C.: Nov. 30, 1998); Internal Revenue Service: 
Custodial Financial Management Weaknesses, GAO/AIMD-99-193 
(Washington, D.C.: Aug. 4, 1999); Internal Revenue Service: 
Recommendations to Improve Financial and Operational Management, GAO-
01-42 (Washington, D.C.: Nov. 17, 2000); Management Report: 
Improvements Needed in IRS's Accounting Procedures and Internal 
Controls, GAO-02-746R (Washington, D.C.: July 18, 2002); and GAO-02-35.

[11] This husband and wife team is the same husband and wife team we 
noted at one of the service center campuses.

[12] GAO/AIMD-00-21.3.1.

[13] GAO/AIMD-00-21.3.1.

[14] GAO/AIMD-00-21.3.1.

[15] U.S. General Accounting Office, Internal Revenue Service: Status 
of Recommendations from Financial Audits and Related Financial 
Management Reports, GAO-03-665 (Washington, D.C.: May 29, 2003).

[16] GAO/AIMD-00-21.3.1. 

[17] Taxpayer data on tax forms could include taxpayer name, Social 
Security number, and address.

[18] Deobligations are downward adjustments of previously recorded 
obligations. Deobligations can occur for a variety of reasons, such as 
if the actual expense was less than the amount obligated, a project or 
contract was canceled, an initial obligation was determined to be 
invalid, or previously recorded estimates were reduced.

[19] Undelivered orders represent the value of goods and services that 
were ordered and for which funds were obligated but have not been 
received. 

[20] GAO/AIMD-00.21.3.1.

[21] Financial plan managers are responsible for managing the spending 
plans under their control.

[22] We are 95 percent confident that the amount of invalid undelivered 
orders did not exceed $82 million. 

[23] NFC is a component of the U.S. Department of Agriculture that 
provides administrative and financial services to many federal 
agencies, including IRS.

[24] GAO/AIMD-00.21.3.1.

[25] U.S. Department of Agriculture, Office of Inspector General, 
Fiscal Year 2003 National Finance Center Review of Internal Control 
Structure, 11401-15-FM (Washington, D.C.: Nov. 19, 2003), is the most 
recently issued inspector general audit report on NFC's internal 
controls.

[26] U.S. General Accounting Office, Management Letter: Suggested 
Improvements in IRS' Accounting Procedures and Internal Controls, GAO/
AIMD-99-182R (Washington, D.C.: June 30, 1999).

[27] The purpose of the Appeals organization is to resolve tax 
controversies without litigation on a basis that is fair and impartial 
to both the government and the taxpayer. Appeals provide an independent 
channel for taxpayers who wish to dispute recommended enforcement 
actions.

[28] GAO/AIMD-00.21.3.1.

[29] GAO/AIMD-00.21.3.1.

[30] Pub. L. No. 104-208, div. A.,  101 (f), title VIII, 110 Stat. 3009, 
3009-389 (Sept. 30, 1996).