This is the accessible text file for GAO report number GAO-06-543R 
entitled 'Management Report: Improvements Needed in IRS's Internal 
Controls' which was released on May 12, 2006.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

United States Government Accountability Office: 
Washington, DC 20548:

May 12, 2006:

The Honorable Mark W. Everson:
Commissioner of Internal Revenue:

Subject: Management Report: Improvements Needed in IRS's Internal 
Controls:

Dear Mr. Everson:

In November 2005, we issued our report on the results of our audit of 
the Internal Revenue Service's (IRS) financial statements as of, and 
for the fiscal years ending, September 30, 2005 and 2004, and on the 
effectiveness of its internal controls as of September 30, 
2005.[Footnote 1] We also reported our conclusions on IRS's compliance 
with significant provisions of selected laws and regulations and on 
whether IRS's financial management systems substantially comply with 
requirements of the Federal Financial Management Improvement Act of 
1996. A separate report on the implementation status of recommendations 
from our prior IRS financial audits and related financial management 
reports, including this one, will be issued shortly.

The purpose of this report is to discuss issues identified during our 
audit of IRS's financial statements as of, and for the fiscal year 
ending September 30, 2005, regarding internal controls that could be 
improved for which we do not currently have any recommendations 
outstanding. Although not all of these issues were discussed in our 
fiscal year 2005 audit report, they all warrant management's 
consideration. This report contains 22 recommendations that we are 
proposing IRS implement to improve its internal controls. We conducted 
our audit in accordance with U.S. generally accepted government 
auditing standards.

Results in Brief:

During our fiscal year 2005 audit, we identified a number of internal 
control issues that adversely affected safeguarding of tax receipts and 
information, and the reliability of expense, and property & equipment 
(P&E) records. These issues concern (1) taxpayer receipts and data 
transmittal documents, (2) physical security controls at taxpayer 
assistance centers, (3) the roles and responsibilities of security 
guards, (4) candling procedures, (5) timely processing of large 
remittances at lockbox banks, (6) access to tax return processing 
facilities, (7) juvenile hiring policy, (8) classification of 
procurement transactions as P&E or expense, and (9) recording P&E 
disposals.

Specifically, we found the following:

* At three of the four service center campuses (SCCs), seven of the 
eight Taxpayer Assistance Centers (TACs),[Footnote 2] and two of the 
six field offices we visited, we found no evidence of managerial review 
of the transmittal documents and acknowledgment forms used to transmit 
and monitor taxpayer receipts and information shipped from one IRS 
location to another. Additionally, at five TACs and both field offices, 
we found no evidence of follow-up on the overdue unacknowledged 
transmittals we reviewed.

* At four TAC sites, physical security controls were not adequate to 
preclude individuals from entering controlled areas and gaining access 
to taxpayer receipts and information. At three of these TACs, we found 
that individuals were able to enter controlled areas[Footnote 3] of the 
TAC or other IRS office space unnoticed. In addition, one of the four 
TACs did not have an operable emergency alarm and at another of the 
four TACs, the door separating the customer area from the controlled 
area was not locked nor marked with a sign alerting customers that they 
were not permitted to enter unescorted.

* At one SCC, one TAC, and one lockbox bank[Footnote 4] we visited, we 
found that security guard personnel did not always effectively fulfill 
their responsibilities in (1) controlling access to IRS tax return 
facilities, (2) responding to intrusion alarms, and (3) recording, 
maintaining, and reporting security incidents or violations.

* At three SCCs we visited, we found that IRS did not always ensure 
that envelopes were opened and candled[Footnote 5] twice before 
destruction, as required by its procedures, to provide assurance that 
all contents have been extracted.

* At two lockbox banks, we found that large dollar checks were not 
always immediately processed and deposited according to IRS's 
guidelines.

* At two SCCs and one lockbox bank, controls over access to facilities 
were not adequate to provide reasonable assurance that unauthorized 
personnel would not be admitted. Credentials of persons entering one 
SCC and one lockbox bank were not always validated before admission 
and, at one SCC, (1) alarms were not always functional and (2) gaps 
existed in perimeter security.

* Limitations in IRS's juvenile[Footnote 6] hiring policy increased the 
risk of unsuitable candidates being hired and permitted access to 
taxpayer receipts and data. For juvenile employee candidates, IRS (1) 
only required references for those individuals hired to work in receipt 
processing functions although taxpayer receipts and data are also 
accessible in other functions, and (2) accepted written references that 
were hand delivered to IRS by the candidates themselves without 
independently verifying their source.

* IRS did not always ensure that it properly classified its procurement 
transactions as P&E and recognized assets when they met its 
capitalization criteria or classified these transactions as expense 
when they did not. Of 267 sample transactions we tested from IRS's non- 
payroll expenses and P&E acquisitions recorded during the first 9 
months of fiscal year 2005 and accounts payable as of September 30, 
2005, six were incorrectly classified and reported.

* Disposals of property and equipment were not recorded in a timely 
manner at five IRS locations, resulting in inventory records that were 
inaccurate and out-of-date.

The issues noted above increase the risk that (1) taxpayer receipts and 
information could be lost, stolen, misused, or destroyed, and (2) 
physical assets could be stolen or valued incorrectly.

At the end of our discussion of each of these issues in the following 
sections, we make recommendations for strengthening IRS's internal 
controls. These recommendations are intended to bring IRS into 
conformance with its own policies and with the internal control 
standards that all federal agencies are required to follow.[Footnote 7]

In its comments, IRS agreed with our recommendations and described 
actions it had taken or planned to take to address the control 
weaknesses described in this report. At the end of our discussion of 
each of the issues in this report, we have summarized IRS's related 
comments and provide our evaluation.

Scope and Methodology:

As part of our audit of IRS's fiscal years 2005 and 2004 financial 
statements, we tested IRS's internal controls and its compliance with 
selected provisions of laws and regulations. We designed our audit 
procedures to test relevant controls, including those for proper 
authorization, execution, accounting, and reporting of transactions. 
This report addresses issues we observed during our fiscal year 2005 
audit. For issues related to safeguarding taxpayer receipts and 
information, we visited four SCCs, four lockbox banks, eight TACs, and 
six other IRS field offices; and for issues related to procurement and 
property and equipment (P&E), we performed our testing at 22 IRS 
offices and at the IRS Finance Center.

Further details on our audit scope and methodology are included in our 
report on the results of our audits of IRS's fiscal years 2005 and 2004 
financial statements[Footnote 8] and are reproduced in enclosure II. We 
requested comments on a draft of this report from the Commissioner of 
IRS or his designee. We received written comments from the 
Commissioner, which we have incorporated as appropriate and have 
reprinted them as Enclosure 1.

Transmission of Taxpayer Receipts and Information:

IRS's controls over transmissions of taxpayer receipts and information 
between offices did not always ensure that transmissions were reviewed 
to make certain that potential errors were promptly identified and 
corrected and that transmissions were timely received and acknowledged. 
When IRS transmits taxpayer receipts and/or information between 
locations, IRS personnel are required to use either a Daily Report of 
Collection Activity (form 795) or a Document Transmittal (form 3210) to 
record and document the items being transmitted.[Footnote 9] However, 
during our fiscal year 2005 audit, we found that these forms were not 
always (1) subject to a documented supervisory review prior to 
submitting the documents for final processing, or (2) tracked to ensure 
that recipients timely acknowledged receipt of the transmitted 
documents. Specifically, we found:

* at three of the four SCCs we visited, managers or supervisors within 
the Refund Inquiry Unit did not document their review of forms used to 
record and transmit returned refund checks before they were mailed to 
the Austin Regional Finance Center for final processing.

* at five of the eight TACs and at three Large and Mid-Size Business 
(LMSB) and three Tax-Exempt and Government Entities (TEGE) field 
units,[Footnote 10] document transmittals were not always acknowledged 
by the recipient within the timeframe required by IRS. In addition, 
there was no evidence that the originators of the transmittals 
contacted the recipient to follow-up on the status of the 
unacknowledged transmittals.

* at seven of the eight TACs, four LMSB units, and one TEGE unit, there 
was no evidence that managers periodically reviewed the logbooks used 
to track acknowledged transmittals.

GAO's Standards for Internal Control in the Federal Government[Footnote 
11] require agencies to establish controls to enforce adherence to 
management policies and procedural requirements, such as management 
reviews, to create and maintain records providing evidence that these 
controls are executed, and to appropriately safeguard assets. 
Additionally, the Internal Revenue Manual (IRM)[Footnote 12] requires 
that area offices take responsibility for the security and 
accountability of taxpayer receipts and information during transit. 
Specifically, the IRM requires senders to establish a control to ensure 
timely delivery of taxpayer receipts and information and to follow up 
with the recipient if the acknowledgement has not been received within 
10 workdays. The lack of documentation of review and follow-up on 
overdue acknowledgements increases the risk that these procedures are 
not in place and operating effectively and that, consequently, errors, 
theft, or loss of taxpayer receipts and information may occur and not 
be timely detected.

Recommendations:

We recommend that IRS:

* require that Refund Inquiry Unit managers or supervisors document 
their review of all forms used to record and transmit returned refund 
checks prior to sending them for final processing;

* enforce compliance with existing requirements that all IRS units 
transmitting taxpayer receipts and information from one IRS facility to 
another, including SCCs, TACs, and units within LMSB and TEGE, 
establish a system to track acknowledged copies of document 
transmittals;

* provide instructions to document the follow-up procedures performed 
in those cases where transmittals have not been timely acknowledged; 
and:

* require that managers or supervisors document their reviews of 
document transmittals to ensure that taxpayer receipts and/or taxpayer 
information mailed between IRS locations are tracked according to 
guidelines.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations concerning its documentation of 
controls over transmission of taxpayer receipts and information between 
offices. IRS indicated it will remind all SCCs of the requirement to 
conduct periodic reviews of the document transmittal form and that 
verifying this will be included as part of the site review process by 
March 2007. IRS also indicated it had conducted an education effort to 
ensure that all managers in Examination are familiar with existing IRMs 
related to check processing procedures and provided their personnel 
additional instruction on requirements for transmitting taxpayer 
receipts, checks, and taxpayer information in order to ensure their 
personnel comply with policy. Specifically, IRS stated that it had 
conducted an information presentation for Examination managers, 
developed a flowchart to document the process, and developed a quick 
reference guide for processing checks in TEGE. IRS stated it also 
developed training materials to provide additional guidance on handling 
transmittals and will perform periodic reviews to ensure transmittals 
are handled appropriately. IRS also indicated that it will revise the 
IRM to require documentation of follow-up actions with SCCs when 
transmittal documents are not acknowledged timely. We will evaluate the 
effectiveness of IRS's efforts during our fiscal year 2006 financial 
audit.

Physical Security at Taxpayer Assistance Centers:

During our fiscal year 2005 audit, we found that physical security 
controls at several TAC sites we visited were not adequate to prevent 
unauthorized individuals from accessing areas which contained taxpayer 
receipts and information. For example:

* At one TAC, upon entering the facility at the time of our audit, we 
were able to repeatedly walk from the public entrance to a controlled 
area without being noticed or challenged. The only obstacle was a door 
which was not locked nor marked with a sign alerting individuals that 
they were not permitted to enter unescorted. This area was also 
accessible through a separate door that was also not locked nor marked.

* Another TAC was staffed by two Technical Research Representatives 
(TRRs),[Footnote 13] whose responsibilities included monitoring the 
public reception area of the TAC and preventing customers from 
venturing into controlled areas of the office that were shared by other 
IRS business units. However, TRRs sometimes found it necessary to leave 
their desks and the public reception area to perform their other 
duties, thereby leaving the area unattended and potentially allowing 
individuals to enter controlled areas of the TAC unchallenged. We were 
informed that individuals had on occasion been found in the other 
business units' office space seeking assistance. Additionally, there 
were no signs posted in the TAC informing individuals that access 
within the office beyond a certain point was not permitted unless 
escorted by an employee.

IRS is currently in the process of reconfiguring the space at several 
of its TACs, and refers to the reconfigured TAC sites as the "new TAC" 
models.[Footnote 14] The IRM requires that layouts of the new TACs 
should incorporate certain security features to meet a controlled area 
requirement to protect taxpayer receipts and information from 
disclosure and prevent unauthorized access to both information and 
property. However, during our visits to two of the new TAC models, we 
found similar security problems as discussed above. For example, at one 
new TAC that was often staffed by 1 or 2 TRRs, the TRRs responsible for 
monitoring the entrance of the TAC at times would leave their 
workstations to perform other duties. Based on our observations and 
inquiries, we found that unauthorized individuals could access and had 
occasionally been found to have entered the controlled area of the TAC 
and offices shared by other IRS business units. At the same TAC, we 
noted that emergency alarms (known as duress alarms) were not connected 
to a central monitoring station or the local police department. We were 
informed that the contractor had not completed installing the duress 
alarm at the time the new TAC was opened to the public. At another new 
TAC, we found that a door separating the customer waiting area from the 
secured area was not equipped with a locking device nor marked with a 
sign to inform customers that they were not permitted to enter 
unescorted. We also found that three of the TAC sites discussed above 
were not supervised by an on-site manager. IRS policy requires that in 
such cases, designated responsible offsite TAC managers are required to 
make routine supervisory visits to ensure that operations are performed 
according to standards. However, IRS did not have documentation to 
demonstrate if or how often such supervisory visits to these locations 
actually occurred or what was accomplished during these visits. Without 
appropriate supervisory oversight, the risk is significantly increased 
that the physical security issues we identified may not be timely 
detected and corrected.

The IRM requires that access to assets be limited to those employees 
with a valid business need to access the information. GAO's Standards 
for Internal Control in the Federal Government requires physical 
controls to limit access to vulnerable assets and records to authorized 
individuals. Such controls may include an appropriate combination of 
locks, duress alarms, warning signs, and other measures. Not adequately 
implementing such measures to restrict access to taxpayer receipts and 
information increases the risk that loss, theft, and/or misuse of 
taxpayer receipts and information may occur and not be timely detected.

Recommendations:

We recommend that IRS:

* equip all TACs with adequate physical security controls to deter and 
prevent unauthorized access to controlled areas or office space 
occupied by other IRS units, including those TACs that are not 
scheduled to be reconfigured to the "new TAC" model in the near future. 
This includes appropriately separating customer service waiting areas 
from controlled areas by physical barriers such as locked doors marked 
with signs barring entrance by unescorted customers;

* connect duress alarms to a central monitoring station or local police 
department or institute appropriate compensating controls when these 
alarm systems are not operable or in place; and:

* document supervisory visits by offsite managers to TACS not having a 
manager permanently onsite. This documentation should be signed by the 
manager and should (1) record the time and date of the visit, (2) 
identify the manager performing the visit, (3) indicate the tasks 
performed during the visit, (4) note any problems identified, and (5) 
describe corrective actions planned.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations concerning physical security at the 
TACs. IRS indicated that it will identify those TACs that lack adequate 
physical barriers, evaluate this issue, and determine corrective 
actions by June 2006. IRS noted that its Field Assistance staff have 
developed procedures to canvass TACs twice a year for security, safety, 
health, and space concerns. IRS also stated that its Field Assistance 
staff have developed testing requirements to ensure that the alarms are 
appropriately monitored and working properly. In addition, IRS 
indicated that it will connect duress alarms to a central monitoring 
station or local police departments in TACs based on criticality and 
funding availability, and implement compensating controls when alarm 
systems are inoperable. IRS also stated that it had developed a 
checklist for managers to use to document their visits to TACs, which 
is scheduled to be added to the IRM by June 2006. We will evaluate the 
effectiveness of IRS's efforts during our fiscal year 2006 financial 
audit.

Security Guards' Roles and Responsibilities:

IRS relies heavily on security guards to (1) control access to IRS 
facilities and lockbox banks to safeguard taxpayer receipts and 
information from theft, loss, or abuse; (2) respond to intrusion alarms 
and other emergencies as needed; and (3) record, maintain, and report 
security incidents or violations to IRS for review or, when necessary, 
for corrective action. However, during our fiscal year 2005 audit, we 
found that security guards did not always effectively fulfill these 
responsibilities. Specifically, we found the following:

* Security guard personnel at one SCC and one lockbox bank did not 
document a tripped door alarm in their respective security logs. At the 
SCC, it took security guard personnel nearly 10 minutes to respond to 
an alarm and they later did not deem it necessary to document the 
incident as required by IRS policy because the door was malfunctioning 
and there was an "understanding" that such documentation was not 
necessary. The security personnel at the lockbox bank did not provide 
an explanation for why they did not record the tripped alarm.

* Security guards stationed at one TAC often left their assigned post 
of duty to escort customers to the workstations of IRS representatives. 
While the guards were absent from their post, customers were, at times, 
left unsupervised in the customer/visitor waiting area that was 
accessible to controlled space through a door that was unlocked at the 
time of our visit.

* Incident reports[Footnote 15] prepared by security guards at one 
lockbox bank did not include corrective follow-up actions as required 
by the lockbox processing guidelines (LPG).[Footnote 16] Additionally, 
we found that the lockbox bank security review checklist used by IRS to 
periodically monitor whether all incidents and alarms are recorded and 
reported does not ask whether corrective actions were included in the 
incident reports. Without documentation of the corrective action taken 
on each incident, IRS management does not have a record of what, if 
any, corrective actions the bank took and, consequently, will be unable 
to evaluate the appropriateness of these actions or analyze whether 
other actions are needed to minimize the incident from occuring at 
other lockbox banks.

GAO's Standards for Internal Control in the Federal Government require 
that management establish physical controls to secure and safeguard 
vulnerable assets and that access to resources and records, such as IRS 
receipts and taxpayer information, be limited to authorized individuals 
to reduce the risk of unauthorized use or loss to the government. 
Further, the IRM requires that access to assets be limited to those 
employees with a need due to their official duties and/or 
responsibilities. The IRM and LPG also require security guards to 
report and record significant conditions or situations to appropriate 
authorities. IRS relies heavily on security guards to control entry 
into all of its SCCs and lockbox banks and several of the TACs we 
visited, and to protect taxpayer receipts and information from theft, 
loss, or abuse. However, when they do not perform their duties in 
accordance with IRS policy, their effectiveness in achieving these 
objectives is impaired, thus increasing the risk that unauthorized 
individuals may access IRS offices and compromise taxpayer records and 
data and/or disrupt operations.

Recommendations:

We recommend that IRS:

* enforce the requirement that all security or other responsible 
personnel at SCCs and lockbox banks record all instances involving the 
activation of intrusion alarms regardless of the circumstances that may 
have caused the activation;

* reemphasize the need for the security guards at all TACs to ensure 
that key posts of duty, such as entrances to facilities, are not left 
unattended; and:

* revise its lockbox bank's security review checklist to ensure that it 
encompasses reviewing security incident reports to validate whether 
security personnel are providing corrective actions related to the 
incidents cited.

IRS Comments and Our Evaluation:

IRS substantially agreed with our recommendations concerning security 
guards' roles and responsibilities. Regarding our recommendation that 
IRS enforce the requirement that personnel responsible for security at 
SCCs and lockbox banks record all instances of activation of intrusion 
alarms, IRS stated that it had revised the Lockbox Security Guidelines 
in January 2006 to require documentation of such events. IRS also noted 
that field security analysts were advised to enforce this requirement. 
In addition, IRS indicated that it would prepare a memorandum to 
reemphasize security guards' duties and responsibilities and the 
importance of meeting security requirements, and provide it to all TACs 
by October 2006. IRS also stated that it would revise its physical 
security review checklist to ensure that it encompasses reviewing 
security incident reports to validate whether security personnel are 
providing corrective actions related to the incidents cited. We will 
evaluate the effectiveness of IRS's efforts during our fiscal year 2006 
financial audit.

Candling Reviews:

In previous audits, we found weaknesses in IRS's controls over candling 
and made several recommendations to IRS for improving its candling 
procedures at SCCs and lockbox banks.[Footnote 17] Generally, we 
recommended that IRS revise candling procedures to specify the precise 
candling methods to be used for various types of envelopes received, 
require management to ensure that envelopes are properly candled, and 
monitor adherence to these requirements. In response, IRS revised its 
candling procedures to (1) specify the precise candling method to be 
used for the first and final candling based on the dimensions of 
envelopes received, (2) require that all envelopes, including those 
manually extracted (e.g., non letter-size envelopes), be subject to 
initial and final candling prior to destruction, (3) require that non 
letter-size envelopes be sliced on three sides and opened flat to 
assure no contents are left inside the envelope, (4) require that 
envelopes opened on three or more sides manually or by machine still be 
candled, and (5) require that managers review and document evidence of 
their review of items found during candling every day for each work 
shift. Additionally, IRS modified the LPG and IRM, as applicable, to 
(1) require recording of receipts discovered during candling in a 
control log, (2) prohibit a single, isolated employee from performing 
candling, and (3) require that all envelopes opened on three or more 
sides including those opened by machine, be candled one more time on a 
candling table.

Despite these actions, during our fiscal year 2005 audit, we continued 
to find deficiencies in IRS's oversight and implementation of candling 
procedures at three of the four SCCs we visited. At these SCCs, IRS 
management did not always enforce the requirement that opened envelopes 
receive at least two candlings before they are made available for 
destruction. Specifically, we found the following:

* At one SCC, we observed that an extractor did not perform initial 
candling of regular letter-size envelopes by placing the envelope over 
a light source. The employee indicated that there was no need to place 
the envelope over the light source because they "knew" the envelope was 
empty. We also found several non letter-size envelopes[Footnote 18] 
that were not slit open on all three sides as required by IRS policy. 
In each instance, the envelopes had not received initial candling or 
been properly candled before being made available for destruction.

* At another SCC, we observed extractors splitting non letter-size 
envelopes on three sides and placing them in the bin for shredding 
without the benefit of a final candling. Also, we observed that 
employees performing final candling did not immediately record the 
items found upon discovery. After further inquiry, we found that there 
was no candling log available at the candling table for employees to 
record the discovered items.

* At two SCCs, we found non letter-size envelopes that had been slit 
only once in a bin scheduled for final destruction. This indicates that 
these envelopes were either only candled once or not properly candled 
before being made available for destruction.

Over the past several years IRS has conducted monthly security reviews 
of its receipt and control function responsible for opening and 
candling envelopes. While these reviews address various controls 
designed to safeguard taxpayer receipts and information, including 
candling, they do not address the effectiveness of the candling 
procedures performed. For example, there are no questions on the 
checklist designed to test the usefulness of the candling procedures or 
discussions and observations with employees performing initial and 
final candling to assess their awareness of the required candling 
procedures. GAO's Standards for Internal Control in the Federal 
Government requires that management establish physical controls to 
secure and safeguard vulnerable assets and provide qualified and 
continuous supervision to ensure that control objectives are 
achieved.[Footnote 19] Candling is a key control employed by IRS to 
ensure that taxpayer receipts are not inadvertently overlooked and 
destroyed. The lack of adherence to the prescribed candling procedures 
limits the effectiveness of this control and increases the risk of 
inadvertent loss or destruction of taxpayer receipts.

Recommendation:

We recommend that IRS refine the scope and nature of its periodic 
reviews of candling processes at SCCs to ensure they (1) encompass 
tests of whether envelopes are properly candled through observation of 
candling in process and inquiry of employees who perform initial and 
final candling, and (2) document the nature and scope of the test and 
observation results.

IRS Comments and Our Evaluation:

IRS agreed with our recommendation and stated it will revise its 
Internal Control Checklist used for the monthly security reviews by 
January 2007 to address the effectiveness of the candling procedures 
performed. We will evaluate the effectiveness of IRS's efforts during 
future audits.

Processing of Remittances:

During our fiscal year 2005 audit, we found that lockbox banks were not 
always timely processing large dollar remittances.[Footnote 20] 
Specifically, at two of the lockbox banks we visited, we found large 
dollar checks that were not processed immediately. At one of the 
lockbox banks, six large checks totaling $1.25 million had been 
extracted from envelopes but were left in the extraction area; bank 
management informed us that the checks were not immediately processed 
because they were extracted by an earlier shift and that the current 
shift leaders were not aware of them. At the other bank, we found 
similar large checks in the extraction area that were not immediately 
processed but rather were left in bins while the extraction team went 
on a break.

GAO's Standards for Internal Control in the Federal Government require 
that transactions be promptly recorded to maintain their relevance and 
value to management in controlling operations and making decisions. 
This includes the timely processing of transactions. In addition, the 
LPG requires that remittances of $50,000 or more be immediately 
processed and deposited as part of the first available deposit. IRS 
conducts periodic performance and operational reviews of lockbox banks 
to ensure compliance with guidelines over processing and securing 
taxpayer receipts and information. However, the review process does not 
assess controls designed to ensure whether large checks are immediately 
processed and deposited as part of the first available deposit, as 
required by the LPG. By not always processing high dollar remittances 
immediately, IRS increases the risk of loss, theft, or misappropriation 
of such checks.

Recommendations:

We recommend that IRS:

* enforce its existing policies and procedures at lockbox banks to 
ensure that all remittances of $50,000 or more are processed 
immediately and deposited at the first available opportunity; and:

* refine the scope and nature of its periodic reviews of lockbox banks 
to include high dollar remittances to better monitor adherence to the 
requirement that they are processed immediately and deposited at the 
first available opportunity.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations concerning controls over processing 
high dollar remittances. IRS stated that it will add appropriate 
language to the LPG to enforce its existing policies and procedures at 
lockbox banks for handling remittances of $50,000 or more. IRS also 
stated that by May 2006, it will add a review checkpoint for high 
dollar remittances to the Processing Internal Controls Data Collection 
Instrument used by Lockbox Field Coordinators during on-site reviews. 
We will evaluate the effectiveness of IRS's efforts during our fiscal 
year 2006 financial audit.

Physical Access Controls at Tax Return Processing Facilities:

As the U.S. government's principal revenue-collecting agency, IRS 
collects more than two trillion dollars in taxes each year, accounting 
for more than 95 percent of the U.S. government's total revenues. This 
includes hundreds of millions of dollars in hardcopy tax payments and 
related information which is submitted to IRS tax processing facilities 
by millions of taxpayers. IRS has a responsibility to safeguard these 
payments and the related information entrusted to it by the nation's 
taxpayers. To fulfill this responsibility, it is essential that IRS 
have effective physical security controls to prevent unauthorized 
access to its tax return processing facilities. However, we found 
deficiencies in several of these controls during our fiscal year 2005 
audit. Specifically, at two of the SCCs and at one of the lockbox banks 
we visited as part of our audit, we found weaknesses in controls over 
access to the facility and/or surrounding perimeter that increase the 
risk of penetration by unauthorized individuals. For example:

* At one SCC, we observed flaws in the security over the facility's 
perimeter that could allow unauthorized individuals to bypass security 
guards and enter the grounds unobserved. These flaws included (1) 
unguarded entrances to perimeter grounds, (2) gaps in the security 
fence, and (3) overgrown shrubbery which obstructed the view of 
security personnel.

* At the same SCC, we observed that employees entering the facility 
were not always subject to verification of their credentials. At the 
SCC, we observed employees closely following an employee who had opened 
a secure door with their proximity access card; these individuals were 
able to enter without presenting credentials of their own (a practice 
known as "piggybacking"). In testing another entrance, we found the 
same weakness by entering via piggybacking on IRS employees who had 
presented access cards.

* At the second SCC's annex facility, we found two loading dock door 
alarms that were both inoperable. IRS officials at the facility 
informed us that they had been inoperable since they had been 
inadvertently deactivated while performing maintenance on an adjacent 
door three weeks earlier.

* At the lockbox bank, we found that couriers from two different mail 
delivery services were allowed to enter the facility without first 
presenting proper identification.

GAO's Standards for Internal Control in the Federal Government requires 
that agencies establish physical controls to limit access to vulnerable 
assets and records to authorized individuals. To help ensure that its 
physical security controls are effective, IRS routinely reviews the 
security at all SCCs and lockbox banks, identifies weaknesses, and 
pursues corrective actions. However, at SCCs, these reviews do not 
encompass reviewing controls over access to the grounds through the 
outer perimeter. Additionally, at both SCCs and lockbox banks, the 
reviews do not encompass testing the effectiveness of controls intended 
to prevent individuals without proper credentials from entering the 
facility. Also, while the IRM requires that SCC intrusion alarm systems 
be tested, it only requires that the testing be conducted annually. 
Consequently, an alarm could potentially be dysfunctional for an 
extended period and remain undetected for several months. Also, the IRM 
does not offer guidance as to how these tests should be conducted and 
the results documented. These weaknesses increase the risk that 
unauthorized individuals may enter these tax return processing 
facilities and potentially disrupt operations or compromise the 
taxpayer receipts or information they process.

Recommendations:

We recommend that IRS:

* refine the scope and nature of its periodic security reviews to 
encompass (1) testing the effectiveness of controls intended to ensure 
that only individuals with proper credentials are permitted access to 
SCCs and lockbox banks, and (2) reviewing the integrity of perimeter 
security at SCCs; and:

* revise the physical security procedures contained in the IRM to 
require that all SCCs and any respective annex facilities processing 
taxpayer receipts and/or information perform and document monthly tests 
of the facility's intrusion detection alarms. At a minimum, these 
procedures should (1) outline the type of test to be conducted, (2) 
include criteria for assessing whether the controls used to respond to 
the alarm were effective, and (3) require that a logbook be maintained 
to document the test dates, results, and response information.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations concerning physical access controls 
at tax processing facilities. In response to our recommendation that 
IRS refine the nature of its periodic security reviews, IRS stated that 
the lockbox bank site discussed in the audit report that did not 
restrict access of unauthorized employees was instructed to immediately 
prohibit entry and acceptance of deliveries from these and similar 
unauthorized employees in the loading dock area. IRS stated that its 
review team will add this requirement as a specific review item in 
their physical security review process. Additionally, IRS indicated 
that it had updated its Security Review Procedures and Checklist for 
SCCs and lockbox banks and conducted quarterly reviews with the new 
procedures/checklist to assess employee piggybacking attempts, fence 
lines, landscaping, and alarm testing. IRS noted that it will update 
the IRM and LPG related to the SCCs alarm testing procedures to include 
a description of the types of tests to be conducted, criteria for 
assessing controls, and the logging of requirements by August 2007. We 
will evaluate the effectiveness of IRS's efforts during future audits.

Hiring Juveniles for Access to Taxpayer Receipts and Information:

IRS requires background investigations on every prospective contract or 
non-contract employee prior to granting them access to taxpayer 
receipts and information. However, legal restrictions limit the scope 
of background investigations for juvenile applicants. Specifically, 
title 18 of the United States Code, section 5038, prevents the release 
of criminal records on juveniles when the request is related to an 
application for employment. To compensate, IRS policy requires that 
juveniles hired to perform receipt and control processing functions 
submit a Recommendation for Juvenile Employment (form 13094) or an 
equivalent document from an individual recommending the juvenile for 
employment in a position of trust.[Footnote 21] However, during our 
fiscal year 2005 audit, we found limitations in IRS's design and 
implementation of its policy. Specifically, we found the following:

* IRS policy requiring the completed form 13094 only applies to 
juveniles hired to perform receipt processing functions. However, 
access to taxpayer information is not limited to staff assigned to 
receipt processing functions. Thus, this policy may allow juveniles 
access to taxpayer information without providing any references.

* The form 13094s are provided directly to IRS by the juvenile as part 
of the application package, and IRS personnel officials do not verify 
the source of the information submitted. Consequentially, IRS does not 
have adequate assurance that the individual whose name appears on the 
form actually exists and that they completed the form as represented.

* The form does not require that the reference describe his or her 
relationship with the juvenile, including the number of years known and 
the nature of the relationship, in order to allow IRS to assess whether 
the reference has sufficient basis to recommend the juvenile for 
employment.

* IRS did not obtain form 13094s for three juveniles hired in the 
receipt and control processing function during fiscal year 2005. 
According to IRS officials, they decided not to request the form from 
these three individuals because they graduated from high school prior 
to attaining the age of 18 and did not have a current or former 
employer or a current teacher, counselor, or principal as required by 
the form's instructions. As a result, these three juveniles were given 
access to taxpayer receipts and information without an independent 
assessment of their character, as required by IRS policy.

GAO's Standards for Internal Control in the Federal Government requires 
that access to resources and records, such as IRS receipts and taxpayer 
data, be limited to authorized individuals to reduce the risk of 
unauthorized use or loss to the government.[Footnote 22] By not (1) 
always obtaining a character reference for juveniles to be permitted 
access to taxpayer receipts and information and (2) independently 
verifying the source of the information on the form, IRS increases the 
risk that juveniles with inappropriate backgrounds may obtain access to 
sensitive taxpayer receipts and information.

Recommendations:

We recommend that IRS:

* amend its policy to require that a completed form 13094 with a 
positive recommendation be provided for every juvenile hired to any 
position that will allow access to taxpayer receipts and/or taxpayer 
information;

* require IRS personnel to verify the information on the form 13094 by 
contacting the reference directly;

* revise the form 13094 to require the reference to describe his/her 
relationship with the juvenile, including extent of first-hand contact, 
to allow IRS to review the forms and assess whether the referencer has 
sufficient basis to recommend that juvenile to a position of trust; and:

* establish procedures for hiring juveniles who do not have a current 
teacher, principal, counselor, employer or former employer, and clarify 
that IRS's current policies and procedures should not be interpreted to 
mean that such juveniles should be allowed access to taxpayer receipts 
and information without a form 13094 or its equivalent. These 
procedures could include a list of acceptable alternatives that may 
serve as references for juveniles who do not have a current teacher, 
principal, or guidance counselor.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations concerning controls over hiring 
juveniles. To address these recommendations, IRS stated that (1) it 
will amend its policy to require that a completed Recommendation for 
Juvenile Employment (form 13094) with a positive recommendation be 
provided for every juvenile hired to any position allowing access to 
taxpayer receipts and/or taxpayer information; (2) once the Office of 
Management and Budget (OMB) approves the revised form 13094, it will, 
by August 2006, issue a new policy requiring IRS personnel to verify 
the information on the form 13094 by contacting the reference directly; 
(3) it will make appropriate revisions to the form 13094 to require the 
reference to describe his/her relationship with the juvenile; and (4) 
after OMB approves the revised form 13094, it will issue a new policy 
establishing procedures for hiring juveniles who do not have a current 
teacher, principal, counselor, employer or former employer, and clarify 
that IRS's current policies and procedures should not be interpreted to 
mean that such juveniles should be allowed access to taxpayer receipts 
and information without a form 13094 or its equivalent. We will 
evaluate the effectiveness of IRS's efforts during our fiscal year 2006 
financial audit.

Classifying and Reporting Expense and P&E Transactions:

During our fiscal year 2005 audit, we found deficiencies in IRS's 
controls over the classification and reporting of transactions relating 
to its expenses and property and equipment (P&E) acquisitions. 
Specifically, IRS did not always assure that it properly classified its 
procurement transactions as P&E and recognized assets when they met its 
capitalization criteria, or as expenses when they did not. IRS's 
property and equipment capitalization policy, which is consistent with 
Statement of Federal Financial Accounting Standards No. 6[Footnote 23] 
and provides criteria on the capitalization of P&E, requires the 
recognition of assets when its capitalization criteria is met and the 
recognition of expense when it is not. To implement this policy, IRS 
requires its staff to classify expense and P&E acquisition transactions 
at the time orders are placed and assign and record the classification 
and accounting codes in the general ledger when they record the 
obligations. At the end of each month, IRS personnel review the entries 
to expense and P&E accounts considered more susceptible to error to 
determine if any classification errors occurred and, if so, to make the 
necessary corrections to properly classify and record them. We noted 
that IRS's established policy, if properly implemented, could help its 
staff differentiate between expense and P&E transactions and, through 
periodic reviews, detect and correct transactions improperly recorded 
in the expense and P&E accounts. However, IRS's staff did not always 
follow the capitalization policy effectively in fiscal year 2005.

We tested a total of 267 sampled transactions from IRS's non-payroll 
expenses and P&E acquisitions recorded during the first 9 months of 
fiscal year 2005 and accounts payable as of September 30, 2005, and 
found that 6 of the transactions were classified and reported 
incorrectly. Specifically:

* We found two instances where IRS initially recorded purchases of 
automated data processing equipment with a total cost of $7.8 million 
correctly as P&E acquisitions but subsequently reviewed the initial 
accounting treatment, removed the transactions from P&E, and 
erroneously included them in the expense accounts. In another instance, 
IRS initially recorded a $266,000 purchase of information services 
correctly as an expense but, after one of its periodic reviews, removed 
it from expense and erroneously included it as capitalized P&E.

* In the remaining 3 instances, IRS initially misclassified procurement 
transactions totaling $1.7 million that should have been recorded as 
expenses and incorrectly recorded them as P&E. One transaction involved 
an operating lease payment that IRS capitalized as an asset instead of 
including it in expenses. The other 2 transactions involved charges for 
support services that IRS misclassified and incorrectly recorded as P&E 
instead of expenses. IRS did not detect and correct these misclassified 
transactions either when they were initially recorded or during its 
periodic review process.

GAO's Standards for Internal Control in the Federal Government require 
that transactions and other events be accurately and timely recorded to 
maintain their relevance and value to management in controlling 
operations and making decisions. This applies to the entire process or 
life cycle of a transaction or event from the initiation and 
authorization through its final classification in summary records. In 
addition, control activities help to ensure that all transactions are 
completely and accurately recorded.

The errors we found occurred because IRS's controls over its property 
and equipment capitalization process were not always effective. While 
these errors did not result in a material misstatement to IRS's fiscal 
year 2005 financial statements, the control weaknesses that gave rise 
to these errors precludes IRS from having assurance that its financial 
records for expenses and capital assets are capable of generating 
reliable reports on an ongoing basis throughout the year.

Recommendation:

To assure proper accounting treatment of expense and P&E transactions 
and reliable financial reporting, we recommend that IRS enforce its 
property and equipment capitalization policy to ensure that it is 
properly implemented to fully achieve management's objectives, 
including recognizing assets when its capitalization criteria is met 
and recognizing expenses when it is not.

IRS Comments and Our Evaluation:

IRS agreed with our recommendation. IRS's stated that its Chief 
Financial Officer and Procurement Office implemented new procedures for 
reviewing the classification of P&E into its accounting system. The 
Procurement Office will begin reviewing classification codes to ensure 
correctness and will take all necessary steps to ensure end users 
correct errors prior to entering the obligations. IRS expects these new 
procedures to be fully operational for the fourth quarter of fiscal 
year 2006. IRS also stated that it modified the scope of its monthly 
review of P&E transactions to include only obligations above a pre- 
determined dollar threshold. IRS indicated that these procedures were 
implemented in April 2006 for P&E acquired in March 2006. We will 
evaluate the effectiveness of IRS's efforts during our fiscal year 2006 
financial statement audit.

Recording Disposals of Property and Equipment:

In prior years, we identified deficiencies in IRS's process for 
recording property and equipment (P&E) transactions in its inventory 
records. Over the past several years, IRS has made substantial progress 
in improving the accuracy and reliability of its inventory records. 
While we recognize IRS's progress, our work performed as part of our 
fiscal year 2005 audit indicates that further improvements are needed. 
During our audit, we found that IRS staff did not always follow the 
agency's procedures requiring the prompt recording of disposals of 
property and equipment in its inventory records.

The P&E disposal process is initiated when the function utilizing P&E 
notifies the local Single Point Inventory Function (SPIF) unit that 
they have P&E to be excessed or retired. The local SPIF unit arranges 
to remove the P&E, prepares the necessary paperwork, updates the 
inventory records to reflect that the asset is pending disposal, and 
turns custody of the P&E over to the Facilities Management Branch 
(FMB). FMB has responsibility for physical disposition of the P&E and 
updating the inventory records to reflect the final disposal. The IRM 
specifies that P&E inventory records must be updated to reflect all 
disposals within ten days of the action.

During our fiscal year 2005 audit, we found that eight of 220 items 
selected from IRS's inventory records could not be located.[Footnote 
24] All of these assets had been disposed of, but the inventory records 
reflected the assets as pending disposal. FMB had not updated the 
inventory system to change the disposal status from pending to final. 
For three of the exceptions found at one location, the assets were 
retired on May 15, 2004, but the disposals were still reflected as 
pending as of July 15, 2005, more than one year after the date of 
disposal. IRS's property management system does not generate aging 
reports to indicate the length of time assets have remained in pending 
status.

GAO's Standards for Internal Control in the Federal Government require 
agencies to implement internal control procedures to ensure the 
accurate and timely recording of transactions and events. This standard 
further states that transactions should be promptly recorded to 
maintain their relevance and value to management in controlling 
operations and making decisions. Property records that are out of date 
impede management's ability to make sound operating decisions, monitor 
performance, and allocate resources, and can result in undetected theft 
or loss of assets.

Recommendation:

We recommend that IRS:

* generate aging reports when an asset remains in pending disposal 
status for longer than a specified period of time; and:

* direct FMB managers to research and resolve the aging reports.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations concerning recording disposals of 
property and equipment. IRS indicated that issues raised in the fiscal 
year 2005 financial statement audit were being addressed through an IRS 
re-engineering effort focused on the entire asset retirement and 
disposal process. IRS stated that it currently has reports available to 
monitor aging transactions during the disposal life cycle. IRS also 
indicated that it is (1) developing procedures to require reviews of 
aging reports to streamline the process to ensure timely recording of 
disposal transactions, and (2) modifying software to electronically 
record such transactions. IRS intends to implement these modifications 
and review procedures by August 2006. We will evaluate the 
effectiveness of IRS's efforts during our fiscal year 2006 financial 
statement audit.

This report contains recommendations to you. The head of a federal 
agency is required by 31 U.S.C.  720 to submit a written statement on 
actions taken on these recommendations. You should submit your 
statement to the Senate Committee on Homeland Security and Governmental 
Affairs and the House Committee on Government Reform within 60 days of 
the date of this report. A written statement must also be sent to the 
House and Senate Committees on Appropriations with the agency's first 
request for appropriations made more than 60 days after the date of the 
report.

This report is intended for use by the management of IRS. We are 
sending copies to the Chairmen and Ranking Minority Members of the 
Senate Committee on Appropriations; Senate Committee on Finance; Senate 
Committee on Homeland Security and Governmental Affairs; and 
Subcommittee on Taxation and IRS Oversight, Senate Committee on 
Finance. We are also sending copies to the Chairmen and Ranking 
Minority Members of the House Committee on Appropriations; House 
Committee on Ways and Means; the Chairman and Vice-Chairman of the 
Joint Committee on Taxation, the Secretary of the Treasury, the 
Director of the Office of Management and Budget, the Chairman of the 
IRS Oversight Board, and other interested parties. The report is 
available at no charge on GAO's Web site at [Hyperlink, 
http://www.gao.gov].

We acknowledge and appreciate the cooperation and assistance provided 
by IRS officials and staff during our audits of IRS's fiscal years 2005 
and 2004 financial statements. Please contact me at (202) 512-3406 or 
sebastians@gao.gov if you or your staff have any questions concerning 
this report. Contact points for our Offices of Congressional Relations 
and Public Affairs may be found on the last page of this report. GAO 
staff who made major contributions to this report are listed in 
enclosure III. 

Signed By:

Steven J. Sebastian:
Director:
Financial Management and Assurance: 

[End of section]

Enclosure I:

Comments from the Internal Revenue Service: 

Department Of The Treasury: 
Internal Revenue Service: 
Washington, D.C. 20224:

May 1, 2006:

Mr. Steven J. Sebastian: 
Director:
Financial Management and Assurance: 
U.S. Government Accountability Office: 
441 G Street, N.W.:
Washington, D.C. 20548:

Dear Mr. Sebastian:

I am writing in response to your draft of the FY 2005 Management Report 
titled, Improvements Needed in IRS' Internal Controls (GAO-06-532R). I 
appreciate your continued assistance during our fiscal year financial 
statement audit. The issues you presented in your report will help us 
to take the necessary steps to strengthen our controls over property 
and equipment, safeguarding tax receipts, and improving financial 
management.

We continue to make progress in addressing our financial management 
challenges. We successfully closed 33 recommendations during fiscal 
year 2005. We expanded our remediation plans to better address the 
reportable condition on lockbox to include the controls over hard-copy 
tax receipts at our service center campuses, Taxpayer Assistance 
Centers, and field offices. We have developed corrective action plans 
for each of these areas and will monitor the plans through 
implementation. We are working with your staff to trace each of the 
remaining open recommendations to the underlying issues and ensure that 
our corrective actions will address all of the controls to which they 
relate. I have enclosed a response addressing all of your 
recommendations separately.

We appreciate your recommendations and will continue to work with you 
to address each of them. We are committed to implementing appropriate 
improvements to ensure that the IRS maintains sound financial 
management practices. If you have any questions, please contact Janice 
Lambert, Chief Financial Officer, at (202) 622-6400.

Sincerely, 

Signed By:

Mark W. Everson:

Enclosure:

GAO Recommendations and IRS Responses to GAO FY 2005 Management Report 
Improvements Needed in the IRS' Internal Controls GAO-06-532R:

Recommendation: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing.

Comments: We agree with this recommendation. Internal Revenue Manual 
(IRM) 21.4.3, Returned Refunds/Releases, contains procedures for 
transmitting returned refund checks to the Regional Finance Center 
utilizing Document Transmittal - Form 3210. Although the procedures do 
not require the manager to initial the Form 3210, procedures are in 
place in the Manager's IRM to conduct periodic reviews. Accounts 
Management (AM) will include a reminder to all centers of the 
requirement to conduct periodic Form 3210 reviews in the annual AM 
Program Letter. This item will also be included as part of the site 
review process by March 2007.

Recommendation: Enforce compliance with existing requirements that all 
Internal Revenue Service (IRS) units transmitting taxpayer receipts and 
information from one IRS facility to another, including Service Center 
Campuses (SCCs), Taxpayer Assistance Centers (TACs), and units within 
Large & Mid-Size Business (LMSB) and Tax Exempt & Government Entities 
(TE/GE), establish a system to track acknowledged copies of document 
transmittals.

Comments: We agree with this recommendation. TEIGE conducted an 
education effort to ensure all managers in Examination are familiar 
with existing IRMs related to check processing procedures, including 
proper maintenance of log books for document transmittals. These 
efforts included conducting an information presentation at a meeting 
that included managers from TEIGE, developing a Quick Reference Guide 
for Processing Checks in TE/GE Examination, documenting the process via 
a flowchart, and revising our Exam Revenue Agent basic training course.

Document Transmittal - Form 3210 is one method used Service-wide to 
transmit information. IRM 3.13.62, Media Transport and Control, 
contains Form 3210 procedures, including the acknowledgement process. 
AM will include a reminder to all centers of the requirement to conduct 
periodic Form 3210 reviews in the annual AM Program Letter. This item 
will also be included as part of the site review process by March 2007.

By July 2006, Field Assistance will establish a process to monitor 
acknowledgements of Report of Collection Activity - Form 795 and Form 
3210 - when received from the service centers. Specific actions 
underway include revising IRM procedures to require documentation of 
follow-up actions with Submission Processing Centers when an identified 
Form 795 or Form 3210 is not acknowledged timely. The documentation 
will be retained with the group copy of Form 795 or Form 3210.

Recommendation: Provide instructions to document the follow-up 
procedures performed in those cases where transmittals have not been 
timely acknowledged.

Comments: We agree with this recommendation. TE/GE developed a 
flowchart and quick reference guide on proper check handling procedures 
and also incorporated these into its Examination Phase 1 training 
materials.

By July 2006, Field Assistance will establish a process to monitor 
acknowledgements of Form 795 and Form 3210 when received from the 
service centers. Specific actions underway include revising IRM 
procedures to require documentation of follow-up actions with 
Submission Processing Centers when an identified Form 795 or Form 3210 
is not acknowledged timely. The documentation will be placed with the 
group copy of Form 795 or Form 3210.

Recommendation: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts and/
or taxpayer information mailed between IRS locations are tracked 
according to guidelines.

Comments: We agree with this recommendation. TE/GE conducted an 
education effort to ensure all managers in Examination are familiar 
with existing IRMs. An informational presentation was conducted at the 
Examination manager's meeting on check processing procedures and proper 
maintenance of log books for document transmittals. TE/GE developed a 
Quick Reference Guide for Processing Checks in TE/GE Examination and 
documented the process via a flowchart. TE/GE has also added a new 
commitment to the performance plan of its managers regarding 
implementation of the TE/GE action plan to address the General 
Accountability Office (GAO) repeat findings for safeguarding hard copy 
receipts.

Field Assistance will identify and, as appropriate, develop and 
implement methods to improve the consistent use of Form 3210 for 
documenting the shipment of taxpayer receipts and information to the 
service centers. Specific actions underway include developing 
procedures by September 2006, to require TAC managers to perform a 
weekly review of the Forms 3210 as part of the payment reconciliation 
review and to document the review.

Recommendation: Equip all TACs with adequate physical security controls 
to deter and prevent unauthorized access to restricted areas or office 
space occupied by other IRS units, including those TACs that are not 
scheduled to be reconfigured to the "new TAC" model in the near future. 
This includes appropriately separating customer service waiting areas 
from restricted areas by physical barriers such as locked doors marked 
with signs barring entrance by unescorted customers.

Comments: We agree with this recommendation. Field Assistance will 
identify TACs that lack the physical barriers to prevent unauthorized 
access to TAC space and work with IRS Agency-Wide Shared Services / 
Real Estate Facilities Management (AWSS/REFM) to address alternatives 
to controlling access. Meetings with AWSS/REFM began in January 2006, 
and they agreed to evaluate barrier issues within the TACs and 
determine corrective actions by June 2006. Field Assistance has also 
developed procedures to canvas TACs twice a year for security, safety, 
health, and space concerns.

Recommendation: Connect duress alarms to a central monitoring station 
or local police department or institute appropriate compensating 
controls when these alarm systems are not operable or in place.

Comments: We agree with this recommendation. Field Assistance has 
developed testing requirements to ensure security equipment (e.g., 
duress alarms) is functioning properly. Field Assistance will 
coordinate with AWSS/REFM and Mission Assurance and Security Services 
(MA&SS) on any reported deficiencies, especially when the new TAC 
models are completed. Otherwise, Field Assistance will work with MA&SS 
to ensure testing of duress alarms is performed semi-annually.

MA&SS, Wage and Investment (W&I), and AWSS will connect duress alarms 
to a central monitoring station or local police departments in TACs 
based upon criticality and funding availability, and enact compensating 
controls when the systems are inoperable. The IRS will address 
appropriate compensating controls at TACs not connected to central 
monitoring/local police departments by December 2006.

Recommendation: Document supervisory visits by offsite managers to TACs 
not having a manager permanently onsite. This documentation should be 
signed by the manager and should (1) record the time and date of the 
visit, (2) identify the manager performing the visit, (3) indicate the 
tasks performed during the visit, (4) note any problems identified, and 
(5) describe corrective actions planned.

Comments: We agree with this recommendation. Field Assistance has 
developed a checklist for managers to use to document visits to 
outlying TACs. The checklist includes the manager's name and date of 
visit, as well as the issues discussed with employees, the 
Commissioner's Representative, and the Union President. The checklist 
will be added to the IRM 1.4.11 by June 2006.

Recommendation: Enforce the requirement that all security or other 
responsible personnel at SCCs and lockbox banks record all instances 
involving the activation of intrusion alarms regardless of the 
circumstances that may have caused the activation.

Comments: We believe we have addressed this recommendation. We revised 
the Lockbox Security Guideline under L.S.G.2.2.3.1.6 (6) in January 
2006 to add the requirement that the banks maintain a logbook of 
incident reports and any applicable supporting documentation, noting 
corrective follow-up actions taken on each incident. The logbook must 
be maintained in sequential date order.

Additionally, field security analysts were advised to enforce the 
recordation requirement for all activations of intrusion alarms with 
guards. The IRS updated alarm testing procedures and checklists to 
include a review of guard console logs, and IRS will check compliance 
in unannounced alarm tests.

Recommendation: Reemphasize the need for the security guards at all 
TACs to ensure that key posts of duty, such as entrances to facilities, 
are not left unattended.

Comments: We agree with this recommendation, MA&SS, W&I, and AWSS will 
prepare a memorandum that reemphasizes security guards' duties and 
responsibilities (post orders) and the importance of meeting security 
requirements, and provide to all TAC locations by October 2006.

Recommendation: Revise its lockbox bank's security review checklist to 
ensure that it encompasses reviewing security incident reports to 
validate whether security personnel are providing corrective actions 
related to the incidents cited.

Comments: We agree with this recommendation. Submission Processing will 
work with MA&SS and Treasury Financial Management Service (FMS) to 
ensure the physical security review checklist is updated to include 
reviews of the security incident reports and to validate that the 
security personnel are providing corrective actions related to the 
incidents that are cited by May 2006.

Recommendation: Refine the scope and nature of its periodic reviews of 
candling processes at SCCs to ensure they (1) encompass tests of 
whether envelopes are properly candled through observation of candling 
in process and inquiry of employees who perform initial and final 
candling, and (2) document the nature and scope of the test and 
observation results.

Comments: We agree with this recommendation. We will revise the 
Internal Control Checklist used for the monthly security reviews by 
January 2007, to address the effectiveness of the candling procedures 
performed.

Recommendation: Enforce its existing policies and procedures at lockbox 
banks to ensure that all remittances of $50,000 or more are processed 
immediately and deposited at the first available opportunity.

Comments: We agree with this recommendation. To further enhance our 
current requirements, we will add the following language by May 2006, 
to L.P.G.3.2 (4) and L.P.G.3.2.7.1: "In addition, Lockbox management 
must ensure remittances of $50,000 or more are not left unattended; for 
example: shift changes, breaks, meetings, etc. These remittances must 
be collected and then batched for expedited processing.":

Recommendation: Refine the scope and nature of its periodic reviews of 
lockbox banks to include high dollar remittances to better monitor 
adherence to the requirement that they are processed immediately and 
deposited at the first available opportunity.

Comments: We agree with this recommendation. A review checkpoint for 
high dollar remittances will be added by May 2006, to the Processing 
Internal Controls Data Collection Instrument that the Lockbox Field 
Coordinators use during their on-site reviews.

Recommendation: Refine the scope and nature of its periodic security 
reviews to encompass (1) testing the effectiveness of controls intended 
to ensure that only individuals with proper credentials are permitted 
access to SCCs and lockbox banks, and (2) reviewing the integrity of 
perimeter security at SCCs.

Comments: We agree with this recommendation. The lockbox site discussed 
in the audit report that did not restrict access of unauthorized 
employees has been instructed to immediately prohibit entry and 
acceptance of deliveries from these and similar unauthorized employees 
in the loading dock area. The IRS Review Team will add this requirement 
as a specific review item in our physical security review process.

Additionally, the IRS updated its Security Review Procedures and 
Checklists for SCCs and lockbox banks, and conducted quarterly security 
reviews with the new procedures/checklist to assess employee 
piggybacking attempts, fence lines, landscaping, and alarm testing.

Recommendation: Revise the physical security procedures contained in 
the IRM to require that all SCCs and any respective annex facilities 
processing taxpayer receipts and/or information perform and document 
monthly tests of the facility's intrusion detection alarms. At a 
minimum, these procedures should (1) outline the type of test to be 
conducted, (2) include criteria for assessing whether the controls used 
to respond to the alarm were effective, and(3) require that a logbook 
be maintained to document the test dates, results, and response 
information.

Comments: We agree with this recommendation. MA&SS and AWSS will update 
the IRMs and Lockbox Processing Guidelines related to the SCCs alarm 
testing procedures to include a description of the types of tests to be 
conducted, criteria for assessing controls, and the logging 
requirements by August 2007.

Recommendation: Amend its policy to require that a completed 
Recommendation for Juvenile Employment - Form 13094 with a positive 
recommendation be provided for every juvenile hired to any position 
that will allow access to taxpayer receipts and/or taxpayer 
information.

Comments: We agree with this recommendation. After the Office of 
Management Budget (OMB) approves Form 13094, the Human Capital Office 
(HCO) will issue a new policy requiring a positive recommendation for 
juveniles hired to any position that will allow access to taxpayer 
receipts and/or taxpayer information by August 2006.

Recommendation: Require IRS personnel to verify the information on the 
Form 13094 by contacting the reference directly.

Comments: We agree with this recommendation. After the OMB approves 
Form 13094, the HCO will issue new policy requiring IRS personnel to 
verify the information on the Form 13094 by contacting the reference 
directly by August 2006.

Recommendation: Revise the Form 13094 to require the reference to 
describe his/her relationship with the juvenile, including extent of 
first-hand contact, to allow IRS to review the forms and assess whether 
the referencer has sufficient basis to recommend that juvenile to a 
position of trust.

Comments: We agree with this recommendation. The HCO will revise Form 
13094 to require that the reference describe their relationship with 
the juvenile and how long they have known the juvenile. This will allow 
the HCO offices to assess whether the reference has sufficient basis to 
recommend the juvenile for employment. After Form 13094 is revised, it 
will be submitted to OMB for formal approval to be used as a pre-
employment form by August 2006.

Recommendation: Establish procedures for hiring juveniles who do not 
have a current teacher, principal, counselor, employer or former 
employer, and clarify that IRS's current policies and procedures should 
not be interpreted to mean that such juveniles should be allowed access 
to taxpayer receipts and information without a Form 13094 or its 
equivalent. These procedures could include a list of acceptable 
alternatives that may serve as references for juveniles who do not have 
a current teacher, principal or guidance counselor.

Comments: We agree with this recommendation. After the OMB approves 
Form 13094, the HCO will issue a new policy establishing procedures for 
hiring juveniles who do not have a current teacher, principal, 
counselor, employer or former employer, and clarify that IRS' current 
policies and procedures should not be interpreted to mean that such 
juveniles should be allowed access to taxpayer receipts and information 
without a Form 13094 or its equivalent by August 2006. Additionally, 
the revised Form 13094 will offer alternative reference documentation 
if the juvenile does not have a current teacher, principal or guidance 
counselor.

Recommendation: Enforce its property and equipment capitalization 
policy to ensure that it is properly implemented to fully achieve 
management's objectives, including recognizing assets when its 
capitalization criteria is met and recognizing expenses when it is not.

Comments: We agree with this recommendation. The Chief Financial 
Officer (CFO) and Procurement implemented new procedures for reviewing 
the classification of property and equipment (P&E) prior to entering 
transactions into the accounting system. In the past, Procurement was 
not required to review classification codes end users provided prior to 
entering obligations into the accounting system. Going forward, 
Procurement will now review classification codes to ensure correctness, 
and will take all necessary steps to ensure end users correct errors 
prior to entering the obligations. We anticipate the new procedures to 
be fully operational for the fourth quarter of FY 2006.

Additionally, the CFO's Internal Financial Management (IFM) improved 
its monthly review of P&E transactions. In the past, IFM reviewed 
virtually all transactions related to capitalized P&E or expendable 
purchases. With advance approval from GAO in FY 2006, I FM has modified 
the scope of its review to include only purchases above a material 
dollar threshold. As a result, reviews will concentrate primarily on 
ensuring the transactions are properly classified as capital assets or 
expense. The new review procedures will be implemented in April 2006, 
for P&E acquired during the month of March 2006 and each month 
thereafter.

Recommendation: Generate, aging reports when an asset remains in 
pending disposal status for longer than a specified period of time.

Comments: We agree with this recommendation. In March 2006, the Chief 
Information Officer (CIO) property program manager informed GAO that 
issues raised in the FY 2005 Financial Statement Audit are being 
addressed via a re-engineering effort focused on the entire asset 
retirement and disposal process. As such, reports are currently 
available to monitor aging transactions during the disposal life cycle. 
Additionally, procedures are being developed to require reviews of 
aging reports for the timely recording of disposal transactions. 
Substantial software modifications are being designed to improve the 
recording of information by replacing manual data entry methods by 
using electronic forms, signatures, and processes. These 
modifications and review procedures will be implemented to streamline 
the recording of asset disposal activity as required by IRS policy by 
August 2006.

Recommendation: Direct Facilities Management Branch managers to 
research and resolve the aging reports.

Comments: We agree with this recommendation. AWSS and CIO property 
program managers are working to reengineer the entire asset retirement 
and disposal process and discussed this initiative with GAO in March 
2006. Reports are currently available for management to monitor the 
status of aging transaction dates until the disposal process is 
complete. Also, we are developing review procedures to streamline the 
process to ensure the timely recording of disposal transactions. 
Reengineered process modifications, review procedures, and guidance for 
conducting reviews, will be implemented by August 2006. 

[End of section]

Enclosure II:

Details on Audit Methodology:

To fulfill our responsibilities as the auditor of the Internal Revenue 
Service's (IRS) financial statements, we did the following:

* Examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements. This included testing selected 
statistical samples of unpaid assessment, revenue, refund, accrued 
expenses, payroll, nonpayroll, property and equipment, and undelivered 
order transactions. These statistical samples were selected primarily 
to substantiate balances and activities reported in IRS's financial 
statements. Consequently, dollar errors or amounts can and have been 
statistically projected to the population of transactions from which 
they were selected. In testing these samples, certain attributes were 
identified that indicated either significant deficiencies in the design 
or operation of internal control or compliance with provisions of laws 
and regulations. These attributes, where applicable, can be and have 
been statistically projected to the appropriate populations.

* Assessed the accounting principles used and significant estimates 
made by management.

* Evaluated the overall presentation of the financial statements.

* Obtained an understanding of internal controls related to financial 
reporting (including safeguarding assets), compliance with laws and 
regulations (including the execution of transactions in accordance with 
budget authority), and performance measures reported in the Management 
Discussion and Analysis.

* Tested relevant internal controls over financial reporting (including 
safeguarding assets) and compliance, and evaluated the design and 
operating effectiveness of internal controls.

* Considered the process for evaluating and reporting on internal 
controls and financial management systems under 31 U.S.C.  3512 (c), 
(d), commonly referred to as the Federal Managers' Financial Integrity 
Act of 1982.

* Tested compliance with selected provisions of the following laws and 
regulations: Anti-Deficiency Act, as amended (31 U.S.C.  1341(a)(1) 
and 31 U.S.C.  1517(a)); Purpose Statute (31 U.S.C.  1301); Release 
of lien or discharge of property (26 U.S.C.  6325); Interest on 
underpayment, nonpayment, or extensions of time for payment of tax (26 
U.S.C.  6601); Interest on overpayments (26 U.S.C.  6611); 
Determination of rate of interest (26 U.S.C.  6621); Failure to file 
tax return or to pay tax (26 U.S.C.  6651); Failure by individual to 
pay estimated income tax (26 U.S.C.  6654); Failure by corporation to 
pay estimated income tax (26 U.S.C.  6655); Prompt Payment Act (31 
U.S.C.  3902(a), (b), and (f) and 31 U.S.C.  3904); Pay and Allowance 
System for Civilian Employees (5 U.S.C.  5332 and 5343, and 29 U.S.C. 
 206); Federal Employees' Retirement System Act of 1986, as amended (5 
U.S.C.  8422, 8423, and 8432); Social Security Act, as amended (26 
U.S.C.  3101 and 3121 and 42 U.S.C.  430); Federal Employees Health 
Benefits Act of 1959, as amended (5 U.S.C.  8905, 8906, and 8909); 
Transportation, Treasury, and Independent Agencies Appropriations Act, 
2004, Pub. L. No. 108-199, div. F, tit. II, 118 Stat. 314 (Jan. 23, 
2004); and Transportation, Treasury, Independent Agencies, and General 
Government Appropriations Act, 2005, Pub. L. No. 108-447, div. H, tit. 
II, 118 Stat. 3235 (Dec. 8, 2004).

* Tested whether IRS's financial management systems substantially 
comply with the three requirements of the Federal Financial Management 
Improvement Act of 1996 (Pub. L. No. 104-208, div. A,  101(f), title 
VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996). 

[Signed By:] 

Enclosure III:

Staff Acknowledgments: 

Acknowledgments:

The following individuals made major contributions to this report: 
Charles Fox-Assistant Director, Manmei Chen, John Davis, Paul Foderaro, 
Ted Hu, Jerrod O'Nelio, Theresa Patrizio, Robert Preshlock, John 
Sawyer, Angel Sharma, Peggy Smith, and Gary Wiggins.

(196092): 

[End of section]

FOOTNOTES

[1] GAO, Financial Audit: IRS's Fiscal Years 2005 and 2004 Financial 
Statements, GAO-06-137 (Washington, D.C.: Nov. 10, 2005).

[2] TACs are field assistance units designed to serve taxpayers who 
choose to seek help from the IRS in person. Services provided include 
interpreting tax laws and regulations, preparing some tax returns, 
resolving inquiries on taxpayer accounts, receiving payments and 
forwarding those payments to their respective SCC for deposit and 
further processing, and performing other services designed to minimize 
the burden on taxpayers in satisfying their tax obligations. These 
offices are typically much smaller facilities than SCCs or lockbox 
banks with staff sizes ranging from 1 to about 35 employees.

[3] IRS defines controlled areas as space to which access is limited to 
IRS employees with a valid business purpose. Within such controlled 
space, certain areas are designated as restricted and are subject to a 
further elevated level of security to safeguard such sensitive assets 
as hardcopy taxpayer receipts and computer facilities. 

[4] Lockbox banks are financial institutions designated as depositories 
and financial agents of the U.S. government to perform certain 
financial services, including processing tax documents, depositing the 
receipts, and then forwarding the documents and data to their 
respective SCC, which update taxpayers' accounts.

[5] Candling is a process used by IRS to determine if any contents 
remain in open envelopes, which is often achieved by passing the 
envelopes over a light source.

[6] IRS defines juvenile as a person who is not yet eighteen years of 
age.

[7] GAO, Standards for Internal Control in the Federal Government, GAO/ 
AIMD-00-21.3.1 (Washington, D.C.: November 1999).

[8] GAO-06-137.

[9] The Daily Report of Collection Activity is generally used to 
transmit taxpayer receipts from an IRS facility to a SCC. A Document 
Transmittal is used interchangeably to transmit (1) taxpayer receipts 
or several form 795s from an IRS facility to a SCC for final processing 
or (2) non-payment related taxpayer information (e.g., case files and 
other sensitive tax related data) between IRS facilities. 

[10] LMSB units are field office units charged with administering taxes 
for corporations and partnerships with assets over $10 million. TEGE 
units are field office units that serve a wide range of customers 
including small local community organizations, municipalities, major 
universities, pension funds, state governments, Indian tribal 
governments, and tax exempt bond issuers. All other corporations, 
partnerships, small businesses, and individuals with certain types of 
non-salary income with assets under $10 million are serviced by IRS's 
Small Business and Self-Employed (SB/SE) units. We addressed similar 
monitoring weaknesses within several SB/SE units in our management 
report from our fiscal year 2004 audit, see GAO, Management Report: 
Improvements Needed in IRS's Internal Controls, GAO-05-247R 
(Washington, D.C.: April 2005). 

[11] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). 

[12] The IRM outlines business rules and administrative procedures and 
guidelines IRS uses to conduct its operations and contains policy, 
direction, and delegations of authority necessary to carry out IRS's 
responsibilities to administer tax law and other legal provisions. 

[13] One of the TRRs at this location worked a part-time schedule.

[14] As of March 2006, IRS had reconfigured 115 of its 400 TACs located 
throughout the United States, has an additional 29 such projects 
underway, and plans on reconfiguring the remaining TACs by 2014.

[15] Incident reports are used by security guards to document and 
record their response to suspicious events, incidents, and activities. 
In addition, lockbox banks are required to maintain a log of incident 
reports, noting the action that the lockbox bank took to correct the 
incident.

[16] Internal Revenue Service, "2005 Lockbox Processing Guidelines" 
(Washington, D.C.: January 2005), and subsequent 2005 updates. The 2005 
LPG provides guidelines for processing work at lockbox banks serving 
IRS for the 2005 filing season.

[17] GAO-05-247R.

[18] Non letter-size envelopes refer to envelopes that are either 
larger or smaller than the standard white business-size envelopes that 
are used for mailing such items as personal or business mail (e.g., 
utility bills, tax returns, general correspondences).

[19] GAO/AIMD-00-21.3.1.

[20] In the LPG, IRS defines large dollar remittances as those with 
amounts $50,000 or greater.

[21] The Recommendation for Juvenile Employment form asks the reference 
provider to check off whether he or she feels that the juvenile is 
suitable for a position of trust or to disclaim his/her knowledge of 
the juvenile. Other data captured includes the name of the reference 
and information related to the school and current/former employer of 
the juvenile. 

[22] GAO/AIMD-00-21.3.1.

[23] U.S. Federal Accounting Standards Advisory Board (FASAB), SFFAS 
No. 6, Accounting for Property, Plant, and Equipment.

[24] For our book-to-floor sample, we selected a two-stage cluster 
sample of P&E items. In the first stage, we selected a sample of 22 
buildings in probabilities proportionate to the number of P&E items in 
each building's inventory records. In the second stage, we randomly 
selected a sample of 10 assets located at each of the 22 buildings.

GAO's Mission:

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. Government Accountability Office

441 G Street NW, Room LM

Washington, D.C. 20548:

To order by Phone:

Voice: (202) 512-6000:

TDD: (202) 512-2537:

Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470:

Public Affairs:

Jeff Nelligan, managing director,

NelliganJ@gao.gov

(202) 512-4800

U.S. Government Accountability Office,

441 G Street NW, Room 7149

Washington, D.C. 20548: