This is the accessible text file for GAO report number GAO-07-689R 
entitled 'Management Report: Improvements Needed in IRS's Internal 
Controls' which was released on May 14, 2007. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

May 11, 2007: 

The Honorable Mark W. Everson: 
Commissioner of Internal Revenue: 

Subject: Management Report: Improvements Needed in IRS's Internal 
Controls: 

Dear Mr. Everson: 

In November 2006, we issued our report on the results of our audit of 
the Internal Revenue Service's (IRS) financial statements as of, and 
for the fiscal years ending, September 30, 2006, and 2005, and on the 
effectiveness of its internal controls as of September 30, 
2006.[Footnote 1] We also reported our conclusions on IRS's compliance 
with significant provisions of selected laws and regulations and on 
whether IRS's financial management systems substantially comply with 
requirements of the Federal Financial Management Improvement Act of 
1996. A separate report on the implementation status of recommendations 
from our prior IRS financial audits and related financial management 
reports, including this one, will be issued shortly. 

The purpose of this report is to discuss issues identified during our 
audit of IRS's financial statements as of, and for the fiscal year 
ending September 30, 2006, regarding internal controls that could be 
improved for which we do not currently have any recommendations 
outstanding. Although not all of these issues were discussed in our 
fiscal year 2006 audit report, they all warrant management's 
consideration. This report contains 21 recommendations that we are 
proposing IRS implement to improve its internal controls. We conducted 
our audit in accordance with U.S. generally accepted government 
auditing standards. 

Results in Brief: 

During our audit of IRS's fiscal year 2006 financial statements, we 
identified a number of internal control issues that adversely affected 
tax data, tax receipts, tax refunds, taxpayer penalties and fees, tax 
liens, and property and equipment. These issues concern: (1) encryption 
of off-site taxpayer data files, (2) placement of security cameras at 
tax return processing facilities, (3) manual refund policies and 
procedures, (4) refunds to taxpayers who owe payroll taxes, (5) 
assessment of taxpayer penalties, (6) timeliness of tax lien releases, 
(7) processing of Installment Agreement fees, and (8) procurement and 
security of property and equipment. 

Specifically, we found the following: 

* At three of the four lockbox banks[Footnote 2] we visited, the banks 
did not encrypt off-site backup files containing taxpayer information 
as required by IRS's guidelines. 

* At two of the six service center campuses (SCCs) we visited, security 
cameras did not provide complete coverage of the building exterior or 
the facility's external perimeter. 

* At two service center campuses, employees responsible for initiating 
manual refunds were not always monitoring taxpayer accounts to prevent 
duplicate refunds or documenting their review. 

* IRS issued refunds to taxpayers who owed trust fund recovery 
penalties associated with unpaid payroll taxes. 

* Errors in IRS's computer programs caused it to charge taxpayers 
excess penalties. 

* IRS did not always timely release its liens against taxpayers because 
it did not have procedures to expeditiously research and apply 
available credits from one tax period of the taxpayer's account to 
other tax periods that contained outstanding balances. 

* IRS did not always timely release its liens against taxpayers because 
it did not always follow its procedures to timely record bankruptcy 
discharges. 

* IRS did not always follow its policy of maintaining documentation to 
demonstrate that it delivered lien releases to the local court house 
after taxpayers fully satisfied their outstanding tax liabilities. 

* Errors occurred in IRS's processing of installment agreement user 
fees it collected from taxpayers. 

* At one site we visited, internal controls were not adequate to secure 
and safeguard property and equipment. 

The issues noted above increase the risk that (1) taxpayer receipts and 
information could be lost, stolen, misused, or destroyed; (2) erroneous 
tax refunds could be issued; (3) taxpayers could be charged excess 
penalties or incorrect user fees; (4) tax liens may not be released 
promptly; and (5) physical assets could be stolen. 

At the end of our discussion of each of the issues in the following 
sections, we make recommendations for strengthening IRS's internal 
controls. These recommendations are intended to bring IRS into 
conformance with its own policies and with the internal control 
standards that all federal executive agencies are required to 
follow.[Footnote 3] 

In its comments, IRS agreed with our recommendations and described 
actions it had taken or planned to take to address the control 
weaknesses described in this report. At the end of our discussion of 
each of the issues in this report, we have summarized IRS's related 
comments and provide our evaluation. 

Scope and Methodology: 

This report addresses issues we observed during our audit of IRS's 
fiscal years 2006 and 2005 financial statements. As part of this audit, 
we tested IRS's internal controls and its compliance with selected 
provisions of laws and regulations. We designed our audit procedures to 
test relevant controls, including those for proper authorization, 
execution, accounting, and reporting of transactions. We conducted our 
fieldwork between January 2006 and November 2006. 

To assess internal control issues related to safeguarding taxpayer 
receipts and information, we visited six SCCs and four lockbox banks; 
for issues related to tax refunds, we visited two SCCs; and for issues 
related to property and equipment, we performed our testing at five IRS 
offices. 

Further details on our audit scope and methodology are included in our 
report on the results of our audits of IRS's fiscal years 2006 and 2005 
financial statements[Footnote 4] and are reproduced in enclosure II. 

Safeguarding Backup Media: 

Lockbox banks are financial institutions under contract with the 
federal government to process mail-in tax payments and related 
documents on behalf of IRS. IRS expects these lockbox banks to 
appropriately safeguard the confidentiality of tax returns and the 
related information they process. Accordingly, IRS established 
requirements in its Internal Revenue Manual (IRM)[Footnote 5] and 
lockbox security guidelines (LSG)[Footnote 6] addressing backup 
procedures for information media (e.g., data tapes, cartridges, etc.) 
processed at lockbox banks. Specifically, in addition to specifying 
that backup media be stored off-site for recovery purposes and that the 
off-site storage location be geographically separate from the lockbox 
bank location, these requirements state that backup media containing 
taxpayer information must be encrypted prior to transmitting the 
information to a storage location outside of IRS's facilities. GAO's 
Standards for Internal Control in the Federal Government require that 
agencies establish physical controls to secure and safeguard vulnerable 
data and media files to reduce the risk of unauthorized use or loss to 
the government. In addition, the Office of Management and Budget (OMB) 
issued a memorandum[Footnote 7] in June 2006 requiring that all federal 
departments and agencies encrypt personally identifiable information 
that is physically transported outside of the agency's secured, 
physical perimeter. 

However, during our fiscal year 2006 audit, we found that three of the 
four lockbox banks we visited sent unencrypted backup tapes that 
contained taxpayer information to off-site storage facilities. When we 
initially notified IRS of the lack of encryption of backup tapes sent 
to off-site locations, IRS responded that two of the three lockbox 
banks would cease using off-site storage facilities and would instead 
securely store these backup tapes on-site at the lockbox bank. While 
retaining the backup information on-site avoids exposing it to 
potential compromise during transmission, it is inconsistent with the 
IRM and federal information security standards for off-site 
storage[Footnote 8] and thus increases the risk that the backup 
information may be lost along with the current information in the event 
of disaster, whether of accidental, criminal, or natural origin. At the 
third lockbox bank, we were informed that the bank would request a 
waiver from IRS's encryption requirement. However, granting of such a 
waiver by IRS is not consistent with the requirement contained in the 
OMB memorandum. Shipping unencrypted backup data off-site increases the 
risk that data containing taxpayer information may be compromised. 

During fiscal year 2006, IRS began conducting annual physical security 
reviews of lockbox banks to monitor their performance and adherence to 
key IRS physical security policies and procedures. In carrying out its 
reviews, IRS uses a physical security data collection instrument to 
assess controls and record the results of those assessments. While 
these reviews address various controls designed to safeguard taxpayer 
receipts and information, they do not address key controls designed to 
safeguard backup media containing personally identifiable information. 
For example, there are no questions on the physical security data 
collection instrument designed to ascertain whether lockbox banks are 
complying with the requirement to have backup tapes, which contain 
sensitive information, encrypted and stored at an approved off-site 
location. The lack of routine monitoring by IRS officials regarding 
data encryption and off-site storage of backup media increases the risk 
that lockbox bank deviations from related IRS procedures may not be 
timely identified, thereby increasing the risk of loss, theft, and/or 
misuse of media files containing taxpayer information. 

Recommendations: 

We recommend that IRS: 

* enforce the existing policy requiring that all lockbox banks encrypt 
backup media containing federal taxpayer information; 

* ensure that lockbox banks store backup media containing federal 
taxpayer information at an off-site location as required by the 2006 
LSG; and: 

* revise instructions for its annual reviews of lockbox banks to 
encompass routine monitoring of backup media containing personally 
identifiable information to ensure that this information is (1) 
encrypted prior to transmission and (2) stored in an appropriate off- 
site location. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning the encryption and 
storage of backup media containing federal taxpayer information. IRS 
indicated it will implement an Information Technology Security Audit 
Process by July 2007 and use it to ensure compliance with its policy of 
requiring that all lockbox banks encrypt backup media containing 
federal taxpayer information. IRS also indicated it will use this audit 
process to validate that all backup media, including files that may 
need to be recovered, are stored off-site. In addition, IRS stated that 
it will modify the Lockbox Security Guidelines to emphasize that all 
backup media, including files that may need to be recovered, is to be 
stored off-site. We will evaluate the effectiveness of IRS's efforts in 
this area during our audit of IRS's fiscal year 2007 financial 
statements. 

Maintenance and Placement of Security Cameras: 

To safeguard the hundreds of billions of dollars in payments and the 
related information entrusted to it annually by the nation's taxpayers, 
IRS has implemented physical security controls intended to prevent 
unauthorized access to its tax return processing facilities. Among 
these controls are security cameras, also referred to as closed circuit 
television (CCTV) cameras, which are used to aid security personnel in 
monitoring the exterior of these facilities. To be effective, security 
cameras must be properly maintained and placed at critical locations to 
collectively provide an unobstructed view of the entire exterior of the 
facility. However, at two of the six SCCs we visited during our fiscal 
year 2006 audit, we found that security cameras monitoring the 
facilities' exterior did not allow security personnel unobstructed 
coverage of the entire fence line of the property and the perimeter of 
the facility. At one of these SCCs, we found that guards were aware of 
the obstructions and had reported them to their superiors. However, no 
corrective actions were initiated nor was a time frame established 
identifying when the obstructions and weaknesses in the CCTV cameras 
would be corrected. 

Specifically, we found: 

* At one SCC, the views of five security cameras used to monitor the 
perimeter of the buildings were obstructed by trees situated between 
the cameras and the property fence line. In addition, the views of two 
other exterior security cameras were obstructed by a structural support 
column. 

* At the second SCC, three security cameras' views of entrances/exits 
and the perimeter of certain buildings were obstructed by overgrown 
trees and shrubs. 

GAO's Standards for Internal Control in the Federal Government require 
that management establish physical controls to secure and safeguard 
vulnerable assets and that access to resources and records should be 
limited to authorized individuals. Further, the IRM guidelines for 
security cameras at SCCs include placing cameras at critical locations 
to provide direct visual monitoring from a vantage point. However, 
because IRS's security cameras at SCCs do not always provide 
unobstructed exterior coverage of the entire fence line and perimeter 
of its facilities, the risk is increased that unauthorized individuals 
may access IRS facilities and compromise taxpayer records and data and/ 
or disrupt operations. 

Over the past 2 years, IRS has implemented quarterly physical security 
reviews of key perimeter access and other controls designed to monitor 
physical security controls used to safeguard taxpayer information and 
receipts and IRS's facilities, employees, taxpayers, and other 
visitors. These reviews include assessing whether security cameras at 
SCCs provide complete and unobstructed exterior coverage of the entire 
fence line and perimeter of the facility. However, we found that 
analysts performing these reviews are not required to (1) document 
planned implementation dates of the corrective actions cited to address 
any issues identified, and (2) follow up on prior findings to assess 
whether they were appropriately addressed according to plans. To be 
effective, any issues identified by these reviews should be 
systematically documented, appropriate corrective actions planned, and 
their status formally tracked to monitor disposition and final closure. 
Absent this, IRS lacks assurance that issues affecting CCTV cameras 
identified during these reviews are being effectively communicated and 
promptly and appropriately addressed. 

Recommendations: 

We recommend that IRS: 

* develop and implement appropriate corrective actions for any gaps in 
CCTV camera coverage that do not provide an unobstructed view of the 
entire exterior of the SCC's perimeter, such as adding or repositioning 
existing CCTV cameras or removing obstructions; and: 

* revise instructions for quarterly physical security reviews to 
require analysts to (1) document any issues identified as well as 
planned implementation dates of corrective actions to be taken and (2) 
track the status of corrective actions identified during the quarterly 
assessments to ensure they are promptly implemented. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning the maintenance and 
placement of security cameras at SCCs. IRS indicated that it is 
developing a plan to assess all CCTVs and mitigate findings by December 
30, 2007. IRS also indicated that by June 30, 2007, it will implement 
procedures requiring Physical Security Analysts to document concerns 
identified during quarterly reviews, establish corrective action 
implementation dates, and track corrective actions to ensure they are 
implemented. Because IRS's planned actions in this area will not be 
completed for our fiscal year 2007 audit, we will evaluate the 
effectiveness of IRS's efforts during future audits. 

Manual Refund Policies and Procedures: 

IRS's internal controls for processing manual refunds were not fully 
effective in minimizing the risk of issuing duplicate refunds. We found 
that employees responsible for initiating manual refunds at the two 
service center campuses we visited were not always adhering to IRS's 
policies and procedures intended to minimize this risk. Specifically, 
manual refund initiators were not appropriately (1) monitoring taxpayer 
accounts to prevent duplicate refunds, or (2) documenting their 
monitoring activity. GAO's Standards for Internal Control in the 
Federal Government require that control activities, which are 
identified as necessary and described in the agency's policies and 
procedures, are in place and being applied properly so that only valid 
transactions are processed. Additionally, the IRM requires manual 
refund initiators to monitor manual refund accounts and to 
appropriately document their monitoring activities to prevent the 
issuance of a duplicate refund. However, because IRS staff at the two 
centers we visited did not consistently follow these procedures, the 
risk of duplicate refunds is increased. 

Most refunds are generated automatically by IRS's automated systems 
after the taxpayers' returns are posted to their accounts. However, in 
certain situations, various units within IRS's campuses process refunds 
manually to expedite the refund process when it is considered to be in 
the best interest of IRS or the taxpayer. A manual refund is a refund 
that is not generated through routine IRS automated system processing. 
Manual refunds bypass most of the automated validity checks performed 
and may be issued within a few days of initiation. However, while 
manual refunds can be paid out quickly, IRS's system does not record 
the manual refund generated on the taxpayer's master file account until 
several weeks after the manual refund is initiated. Conversely, 
automated refunds are first posted to the taxpayer's master file 
account and issued to taxpayers afterwards. The delay in recording 
manual refunds to taxpayer accounts increases the potential for 
erroneous or duplicate refunds because IRS's manual and automated 
refund processing are not systematically coordinated to prevent both 
refunds from being issued. 

To prevent duplicate refunds from being issued, the IRM requires manual 
refund initiators, who process manual refunds, to (1) closely monitor 
the taxpayer's account and (2) document their monitoring activity until 
the manual refund posts to the taxpayer's master file account. Once the 
manual refund posts to the master file, IRS's automated system is to 
prevent a duplicate automated refund from being issued. Throughout the 
period it takes for the manual refund to post, the manual refund 
initiators are responsible for monitoring the accounts for the posting 
of duplicate automated refunds. When manual refund initiators identify 
the posting of a duplicate automated refund, they must take the 
necessary action to stop the automated refund from actually being 
issued to the taxpayer. IRS provides a Manual Refund Desk Reference for 
manual refund initiators to use as a guide to initiate and process 
manual refunds. In most cases, the initiators primarily rely on the 
Manual Refund Desk Reference to process manual refunds and do not refer 
to the IRM. 

However, during our review of monitoring actions to prevent duplicate 
refunds at two service center campuses, we found the Manual Refund Desk 
Reference did not provide instructions to (1) monitor refund accounts 
to prevent duplicate refunds, and (2) document monitoring activity as 
required by the IRM. For example, at one site, the various units 
processing manual refunds were using different versions of the Manual 
Refund Desk Reference (i.e., April 2002, January 2003, April 2003, 
April 2004, March 2005, and April 2006), none of which complied with 
the IRM requirements. We also found that some of the initiators and 
their supervisors were not familiar with the procedures in the desk 
reference. As a result, the manual refund initiators in some of the 
units (1) were not monitoring the refund accounts to prevent the 
issuance of a duplicate refund; (2) stated that they monitor the 
taxpayer account, but were not documenting their monitoring activities; 
or (3) were only observing the account to see if the manual refund 
posted so they could close out their case, rather than also monitoring 
to detect and stop the issuance of duplicate automated refunds. As a 
result, the risk is increased that a duplicate refund generated will 
not be detected and stopped before being disbursed. 

Recommendations: 

We recommend that IRS: 

* revise procedures contained in the Manual Refund Desk Reference to 
reflect the IRM requirements for manual refund initiators to (1) 
monitor the manual refund accounts in order to prevent duplicate 
refunds, and (2) document their monitoring actions; 

* provide to all the IRS units responsible for processing manual 
refunds the same and most current version of the Manual Refund Desk 
Reference; and: 

* require that managers or supervisors provide the manual refund 
initiators in their units with training on the most current 
requirements to help ensure that they fulfill their responsibilities to 
monitor manual refunds and document their monitoring actions to prevent 
the issuance of duplicate refunds. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning monitoring manual 
refunds to prevent duplicate refunds and the need to document such 
monitoring actions. IRS stated that it will replace the Manual Refund 
Desk Reference with revisions to sections of its Internal Revenue 
Manual, which will be the official authoritative guidance for 
processing manual refunds and stated that it plans to inform its staff 
of this change by the end of May 2007. IRS also stated that it will 
ensure its managers and supervisors conduct training for manual refund 
initiators in its Submission Processing, Accounts Management, and 
Compliance operations to prevent the issuance of duplicate refunds, 
issue an information Alert to campuses, directing them to provide 
refresher training to the areas responsible for initiating manual 
refunds, and conduct classroom training for employees who initiate 
manual refunds. In addition, IRS indicated that it will ensure that Tax 
Examiners are reminded of their responsibility to monitor manual 
refunds to prevent the issuance of duplicate refunds and to document 
such monitoring. IRS stated that all of these actions will be complete 
by the end of July 2007. We will evaluate the effectiveness of IRS's 
efforts in this area during our audit of IRS's fiscal year 2007 
financial statements. 

Refunds to Tax Debtors With Unpaid Payroll Taxes: 

During our fiscal year 2006 financial audit, we found that IRS issued 
refunds to tax debtors who still owed the government for unpaid payroll 
taxes. When an employer withholds taxes from an employee's wages, the 
employer is deemed to have a responsibility to hold these amounts "in 
trust" for the federal government until the employer makes a federal 
tax deposit in that amount.[Footnote 9] Employers are required to 
periodically deposit the withholdings from employees' wages with IRS. 
To the extent these withheld amounts are not forwarded to the federal 
government, the employer is liable for these amounts, as well as the 
employer's matching Federal Insurance Contribution Act (FICA)[Footnote 
10] contributions. Individuals within the business (e.g., corporate 
officers) may be held personally liable for the withheld amounts not 
forwarded and assessed a civil monetary penalty known as a Trust Fund 
Recovery Penalty (TFRP).[Footnote 11] IRS has the authority to assess 
all responsible officers individually for the unpaid payroll taxes. 
Thus, IRS may record a TFRP assessment against several individuals for 
the employee-withholding component of the payroll tax liability of a 
given business in an effort to collect an employer's total tax 
liability. Although assessed to multiple parties, the employer's 
liability need only be paid once. When IRS records a TFRP assessment 
against an individual, it creates a separate subaccount on the 
taxpayer's master file account to distinguish this from the taxpayer's 
personal income tax liability. 

In our prior audits,[Footnote 12] we found errors involving IRS's 
failure to properly record payments made by individual officers to all 
related parties associated with the TFRP. Thus, as part of our fiscal 
year 2006 audit, we tested a statistical sample of payments recorded on 
TFRP accounts to determine the extent of any such errors in IRS's 
systems. In performing our work, we found that IRS issued refunds to 
seven individuals when they still had an outstanding balance in their 
TFRP account.[Footnote 13] In one of these cases, IRS recorded a TFRP 
assessment against the officer in 2001. The officer then filed joint 
individual tax returns with the officer's spouse in subsequent years 
and received three computer-generated refunds totaling approximately 
$6,700. 

According to the IRM, IRS is required to apply any overpayment of taxes 
from one tax period[Footnote 14] against outstanding tax liabilities 
from other tax periods before issuing a refund to the taxpayer. If a 
taxpayer made payments that exceeded the balance owed for one tax 
period (i.e., credits), IRS relies on its automated processes to check 
the taxpayer's account for outstanding balances in other tax periods or 
subaccounts and to apply these credits to outstanding balances before 
issuing a refund. However, IRS's computer program only checks for 
outstanding tax liabilities associated with the social security number 
(SSN) of the first person listed on joint tax returns and does not 
check for outstanding tax liabilities associated with the secondary SSN 
listed on the return. In the cases we identified, the officer owing the 
TFRP was the second person (secondary SSN) indicated on the joint tax 
return. Consequently, IRS's automated process failed to detect that the 
second person associated with the joint return owed the outstanding 
penalty assessment. This control deficiency cost IRS the opportunity to 
recover at least some of the outstanding balances owed on these 
accounts. 

Recommendations: 

We recommend that IRS: 

* enhance its computer program to check for outstanding tax liabilities 
associated with both the primary and secondary SSNs shown on a joint 
tax return and apply credits to those balances before issuing any 
refund; and: 

* instruct revenue officers making the TFRP assessments to research 
whether the responsible officers are filing jointly with their spouses 
and to place a refund freeze on the joint account until the computer 
programming change can be completed. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning refunds to tax debtors 
with Trust Fund Recovery Penalties. IRS stated that the IRM instructs 
revenue officers to request entering a transaction code into its 
systems to freeze any potential refunds for all individuals liable for 
the TFRP. IRS noted that it has requested an IRS Counsel opinion on 
whether it would be acceptable for revenue officers to also freeze the 
refund of a liable taxpayer's spouse at the time of approval of the 
TFRP assessment or at the time the assessment is made. IRS stated that 
it would implement this change by August 2007 if the IRS Counsel 
determines that this action is appropriate. We will evaluate the 
effectiveness of IRS's efforts in this area during our audit of IRS's 
fiscal year 2007 financial statements. 

Assessment of Penalties: 

IRS's controls over its process for assessing penalties against 
taxpayers who owe outstanding taxes did not always ensure that the 
correct amounts of penalties were assessed. Under the Internal Revenue 
Code (IRC), IRS has the authority to assess penalties against taxpayers 
for a variety of reasons, such as the failure to pay taxes owed. IRS 
largely uses automated processes and systems to assess both interest 
and penalties using the parameters contained in the IRC, as stipulated 
in the IRM.[Footnote 15] For example, if the tax debtor fails to pay 
the taxes owed, IRS is required to assess penalties at one-half of 1 
percent of the outstanding tax liability. IRS then increases this 
penalty rate from one-half of 1 percent to 1 percent if the taxpayer 
does not comply after repeated notifications. If the taxpayer pays off 
the outstanding balance, IRS is then required to reduce the penalty 
rate back to one-half of 1 percent on any subsequent tax assessment 
associated with this specific tax period. 

In our testing of a statistical sample of IRS interest and penalty 
calculations on 59 taxpayer accounts in IRS's master file from the 
first 9 months of fiscal year 2006, we found 2 instances where IRS's 
computer programs incorrectly calculated and assessed the failure to 
pay the penalty amount. In each case, IRS's computer program 
appropriately increased the penalty rate assessed against the taxpayer 
for failing to pay taxes owed from one-half of 1 percent to 1 percent 
when the taxpayer failed to pay following repeated notification of the 
taxes due. The taxpayer eventually paid the outstanding balance for the 
specific tax period. IRS then later assessed additional taxes against 
the taxpayer for the same tax period. However, the penalty calculation 
program did not reset the penalty rate back to one-half of 1 percent 
and continued to assess penalties related to the subsequent tax 
assessment at the higher 1 percent rate. As a result, IRS overassessed 
penalties against these taxpayers. 

After we brought this issue to its attention, IRS researched its master 
files and determined that the program errors would have affected 
taxpayer accounts where (1) the penalty rate had increased to 1 
percent, (2) the taxpayer had subsequently paid off the balance for the 
tax period, and (3) IRS later assessed the taxpayer additional taxes 
owed for the same tax period. Its research indicated that the 
programming errors may have affected about 62,000 taxpayers with about 
69,000 accounts in its current inventory of unpaid 
assessments.[Footnote 16] The total outstanding balance associated with 
these accounts was approximately $745 million. Although IRS was able to 
identify taxpayers who may have been affected by this error, its 
research did not determine whether any of these taxpayers may have 
already paid any overassessed penalties. 

Recommendations: 

We recommend that IRS: 

* correct the penalty calculation programs in its master file so that 
penalties are calculated in accordance with the applicable IRC and 
implementing IRM guidance; and: 

* research each of the taxpayer accounts that may have been affected by 
the programming errors to determine whether they contain overassessed 
penalties and correct the accounts as needed. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning the overassessment of 
tax penalties. IRS stated that it implemented system changes in January 
2007 to correct the penalty calculation program and the taxpayer 
accounts that were affected by the programming error. We will evaluate 
the effectiveness of IRS's efforts in this area during our audit of 
IRS's fiscal year 2007 financial statements. 

Timeliness of Lien Releases: 

Under the IRC, IRS has the power to file a lien against the property of 
any taxpayer who neglects or refuses to pay all assessed federal taxes. 
The lien serves to protect the interest of the federal government and 
as a public notice to current and potential creditors of the 
government's interest in the taxpayer's property.[Footnote 17] IRS uses 
its Automated Lien System (ALS)[Footnote 18] to process the initial 
filing of the lien as well as the lien release upon satisfaction of the 
tax liability. ALS generates the physical lien document, which IRS 
mails to the taxpayer's local courthouse to officially file the 
lien.[Footnote 19] Concurrent with generating the lien document, ALS 
electronically updates the taxpayer's account in IRS's master file to 
show that a lien was filed. The lien becomes effective when it is filed 
with a designated office, such as a courthouse, in the county where the 
taxpayer's property is located. Under section 6325 of the IRC, IRS is 
required to release federal tax liens within 30 days of the date the 
tax liability is satisfied or becomes legally unenforceable. The 
failure to promptly release tax liens could cause undue hardship and 
burden to taxpayers who are attempting to sell property or apply for 
commercial credit. 

In each year beginning with our audit of IRS's fiscal year 1999 
financial statements, we found that IRS did not always release the 
applicable tax lien within 30 days of the tax liability being either 
paid off or abated as required by the IRC. During our fiscal 2006 
financial audit, we continued to find weaknesses in the IRS lien 
release process that contributed to liens not being timely released. 
These weaknesses resulted from IRS relying too heavily on automated 
processes and employees who did not follow established procedures. 
Specifically, IRS did not (1) have procedures to promptly research and 
apply credits[Footnote 20] that were available in one tax period 
against the taxpayers' outstanding tax liabilities in other tax 
periods, (2) follow its procedures to promptly record bankruptcy 
discharges of tax liabilities, and (3) follow its procedures to 
maintain stamped billing support vouchers to document IRS's timely 
issuance of lien releases to the local courthouse. 

Timely Application of Credits: 

IRS's lien release process relies heavily upon its automated systems 
and the information that resides within these systems. Within its 
master file database, IRS records collection actions and the current 
status of tax debts through a series of codes. The codes, referred to 
as status and transaction codes, display a host of information, 
including whether the account is paid in full or otherwise satisfied. 
Consequently, the status and transaction codes in each taxpayer's 
account in IRS's database are critical to the timely release of liens. 
IRS's automated lien release process begins when a taxpayer's account 
is paid in full or otherwise relieved. Each week, the master file 
database automatically downloads to ALS all the satisfied taxpayer 
accounts with liens. When notified via the master file download that a 
taxpayer account with a lien has been fully paid or otherwise 
satisfied, ALS generates a lien release document. Since liens can cover 
tax debt arising from one or more tax periods,[Footnote 21] ALS will 
not generate a lien release document until all the tax periods covered 
by the lien are satisfied. 

In fiscal year 2006, IRS tested the effectiveness of its lien release 
process as part of implementing the requirements of OMB Circular No. A- 
123,[Footnote 22] and we validated these test results. In reviewing 
IRS's test results for 84 statistically selected tax cases with liens 
in which the taxpayers' total outstanding liabilities were either paid 
off or abated, we identified 6 cases in which IRS did not release the 
liens within 30 days because it did not promptly apply tax credits 
available in one of the taxpayers' tax periods against the outstanding 
balances the taxpayers owed in other tax periods.[Footnote 23] In these 
6 cases, the time between the point at which the taxpayer had credits 
available to satisfy all of their outstanding tax liabilities and 
release of the lien ranged from 37 days to 183 days. 

In one case, IRS recorded the taxpayer's entire payment against the 
outstanding tax liability in one tax period of the taxpayer's master 
file account and relied on the system to automatically transfer the 
amounts paid that exceeded the balance owed for that tax period (i.e., 
credits) to pay off the balances in other tax periods. In another case, 
IRS partially abated the tax assessed against the taxpayer for one tax 
period, creating a credit, and waited for its automated systems to 
transfer the credits or to generate a refund to the taxpayer. In each 
of these six cases, IRS relied on its automated systems to 
automatically transfer the credits. However, the automatic transfers 
did not occur within 30 days because the taxpayers' accounts contained 
freeze codes[Footnote 24] that prevented the automatic transfers. The 
presence of these freeze codes required IRS personnel to manually 
review and, as needed, resolve issues with the taxpayer's account 
before the credits could be applied to other outstanding tax period 
balances owed by the taxpayer. IRS eventually resolved the issues on 
the accounts of each of these six taxpayers and did not assess 
additional taxes against any of them. However, because IRS did not have 
procedures in place to promptly research and properly apply the 
credits, it did not release the liens against these taxpayers within 
the statutorily required 30 days. 

Timely Recording of Discharge by Bankruptcy Court: 

Taxpayers may have their tax liability fully discharged through 
bankruptcy filings. When a taxpayer is discharged of his or her tax 
liability by the bankruptcy court and the court notifies IRS, employees 
in IRS's Centralized Insolvency Office (CIO) are responsible for 
recording the discharge on the taxpayer's master file account or to 
manually record the lien release in ALS. As mentioned earlier, IRS's 
lien release process relies heavily upon its automated computer 
systems. Consequently, the Centralized Insolvency Office must record 
this information timely in order for IRS to complete the lien release 
process within 30 days. 

In reviewing IRS's lien release test results, we identified five cases 
in which IRS did not timely release the lien because it did not timely 
record that the taxpayer had been fully discharged of his or her tax 
liability by the bankruptcy courts.[Footnote 25] According to IRS, the 
lien release was delayed because Centralized Insolvency Office 
employees did not follow procedures established in the IRM. The IRM 
requires Centralized Insolvency Office employees to timely record 
bankruptcy discharge information onto taxpayer accounts in the master 
file or to manually release the liens in ALS on bankruptcy cases 
assigned to the unit. This was not done, resulting in the delay of the 
release of the tax liens associated with these cases. The time between 
the bankruptcy discharge and release of the liens in these five cases 
ranged from 52 days to 298 days. 

Maintaining Documentation to Support Lien Release: 

In a prior audit, we noted instances of long delays between the time 
that IRS generated the ALS lien release document and the official 
release date recorded at the local courthouse.[Footnote 26] Although 
some of these delays may have been attributable to delays by the 
courthouse in legally releasing the liens, IRS did not have procedures 
to track the status of lien releases up to the point of delivery to the 
local courthouse. Consequently, neither IRS nor we could determine if 
the delays occurred at IRS, at the local courthouse, or both. For this 
reason, we recommended that IRS establish procedures to track the 
status of lien releases up to the point of delivery to the local 
courthouse. In response to our recommendation, in fiscal year 2003, IRS 
established and implemented procedures to date stamp billing support 
vouchers[Footnote 27] to document the date it sent the lien release to 
the local courthouse. 

In reviewing IRS's lien release test results, we found nine cases in 
which IRS could not produce a date stamped billing support voucher to 
document when it sent the lien release to the local 
courthouse.[Footnote 28] During fiscal year 2005, IRS completed 
consolidation of its lien processing into one Centralized Lien 
Processing/Case Processing Unit at the Cincinnati Service Center 
Campus. According to IRS officials, employees in the Centralized Lien 
Processing/Case Processing Unit did not follow the IRM procedures for 
date stamping and maintaining copies of the billing support vouchers. 
Without a stamped billing support voucher, IRS was unable to provide 
evidence that it had sent the lien release to the local courthouse 
within the statutorily required 30 days. 

Recommendations: 

We recommend that IRS: 

* establish procedures and specify in the IRM that at the time of 
receipt, employees recording taxpayer payments should (1) determine if 
the payment is more than sufficient to cover the tax liability of the 
tax period specified on the payment or earliest outstanding tax period, 
(2) perform additional research to resolve any outstanding issues on 
the account, (3) determine whether the taxpayer has outstanding 
balances in other tax periods, and (4) apply available credits to 
satisfy the outstanding balances in other tax periods; 

* establish procedures and specify in the IRM that employees review 
taxpayer accounts with freeze codes that contain credits weekly to (1) 
research and resolve any outstanding issues on the account, (2) 
determine whether the taxpayer has outstanding balances in other tax 
periods, and (3) apply available credits to satisfy the outstanding 
balances in other tax periods; 

* issue a memorandum to employees in the Centralized Insolvency Office 
reiterating the IRM requirement to timely record bankruptcy discharge 
information onto taxpayer accounts in the master file or to manually 
release the liens in ALS; and: 

* issue a memorandum to employees in the Centralized Lien Processing 
Unit reiterating the IRM requirement to date stamp and maintain the 
billing support voucher as evidence of timely processing by IRS. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning the timeliness of tax 
lien releases. IRS stated that it issued a memorandum to all functions 
in January 2007 that directed liens to be released manually when 
systemic processes do not release liens, including when credit 
transfers are necessary between accounts, and noted that it plans to 
update the IRM to include the information contained in the memorandum 
by the end of May 2007. IRS also stated that it developed a report to 
identify cases where a bankruptcy discharge was granted by the court 
and a lien was filed on dischargeable periods so that, when 
appropriate, manual lien releases are requested to ensure timely 
release of the tax liens. IRS indicated that it updated the IRM in 
March 2007 with instructions for the new report and conducted training 
on the new report and process prior to issuing the IRM. In addition, 
IRS stated that in November 2006 it began a new process of scanning 
billing support vouchers and associating these vouchers with Specific 
Lien Identification (SLID) numbers in order to ensure the voucher is 
retrievable and to show liens were timely released. IRS noted that it 
had trained its employees on this process as it was rolled out. 
According to IRS, it will complete its 2007 OMB Circular A-123 review 
on the timeliness of lien releases by the end of May 2007, and will 
issue additional guidance by November 2007 if the review indicates that 
untimely tax lien releases and BSV errors still exist. We will evaluate 
the effectiveness of IRS's efforts in this area during our audit of 
IRS's fiscal year 2007 financial statements. 

Installment Agreement User Fees: 

During our fiscal year 2006 audit, we found that IRS's control 
procedures did not always prevent or detect errors that occurred in the 
recording of installment agreement[Footnote 29] (IA) user fees that IRS 
collects from taxpayers. When IRS enters into an IA arrangement with 
taxpayers to satisfy tax debts, it charges a user fee for services 
provided, whether establishing a new agreement or reinstating a 
previous agreement.[Footnote 30] IRS requires taxpayers to pay the user 
fee with the first installment payment by designating, on the 
remittance coupon IRS provides to the taxpayer, the user fee and tax 
payment amounts and submitting it to a lockbox bank. Errors can occur 
when taxpayers do not make the proper designations on remittance 
coupons, and IRS records improper user fee amounts or incorrectly 
applies payments to the taxpayers' debts. 

To identify and correct payment errors, IRS runs periodic edit routines 
on its master file records to identify cases where it did not collect 
IA user fees when it was entitled to do so and executes actions to 
transfer such user fees from the taxpayers' tax accounts to user fee 
accounts. IRS also runs edit checks to test the validity of the user 
fees it records in the master file by identifying (1) fees for which 
there is no installment agreement on file, (2) inconsistent user fee 
codes used for recorded fees, (3) duplicate user fees recorded, and (4) 
fees paid with dishonored checks from taxpayers. These edit checks 
result in the generation of an Installment Agreement Accounts Listing 
which provides details of items requiring further action. However, IRS 
did not always timely follow up and resolve items that appeared on the 
listing. 

We tested 12 transactions in which IRS recorded IA user fees in amounts 
that exceeded the amount that IRS was authorized to charge and found 
that 9 were recorded in error. Specifically, we found the following: 

* In four instances, IRS personnel erroneously recorded tax payments as 
IA user fees when no user fee was due and the entire amount should have 
been recorded against the taxpayers' tax debt. In the most egregious of 
these instances, IRS recorded a $15,000 tax payment as an installment 
agreement user fee when the maximum amount it could charge as IA fees 
was $43. IRS did not detect or correct this error in its normal course 
of operations. 

* In three instances, IRS was entitled to collect an IA user fee but 
deducted an incorrect user fee amount from the taxpayer's payment. For 
example, in one case, IRS recorded a taxpayer's payment of $200 as an 
IA user fee when only $43 should have been recorded as a user fee and 
the remaining $157 should have been recorded against the taxpayer's 
outstanding tax debt. 

* In the remaining two instances, IRS made erroneous adjustments to 
move payments from taxpayers' tax accounts to IA user fee accounts and 
thus recorded more user fees than it was entitled to receive. 

According to IRS, the errors we found that resulted in duplicate user 
fees, such as the fees recorded when none were due, appeared on the 
Installment Agreement Account Listing. The IRM requires that matters 
that appear on the listing be addressed within 5 business days. 
However, we found that IRS staff did not always timely and accurately 
resolve user fee errors that appeared on the listing as required in its 
IRM. The errors we found that appeared on the listing were not 
corrected until we brought them to IRS's attention. 

GAO's Standards for Internal Control in the Federal Government require 
agencies to (1) implement internal control procedures to ensure the 
accurate and timely recording of transactions and events, and (2) 
perform sufficient management review to detect and eliminate errors. By 
not properly recording IA user fees collected from taxpayers, IRS runs 
the risk of misstating its unpaid assessments and exchange revenue. 
Additionally, and most importantly, by not crediting taxpayer accounts 
with proper payments, IRS faces increased risk of charging interest and 
penalties to taxpayers who have satisfied their tax debts, or taking 
more stringent enforcement actions and overcollecting tax debts. 

Recommendations: 

We recommend that IRS: 

* monitor IA user fee activity on a regular basis, 

* adjust errors in recorded IA user fees as necessary to correctly 
reflect the user fees IRS earned and collected from taxpayers, and: 

* establish sufficient review procedures to help ensure that 
adjustments to IA user fees collected from taxpayers are accurately and 
timely recorded. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning the need for accurate 
and timely recording of installment agreement user fees and routing 
monitoring and review of this activity. IRS indicated that it currently 
uses the Installment Agreement Accounts Listings report to identify and 
resolve user fee errors, and that in January 2008 it will implement 
enhancements to this report. IRS stated that it currently utilizes a 
quarterly process to reconcile installment agreement payments and 
adjusts those with discrepancies or errors, but that it will increase 
the frequency of this reconciliation process from quarterly to weekly 
beginning in January 2008. IRS also indicated it will update the 
section of the IRM dealing with IA user fee review procedures by 
January 2008. Because IRS's planned actions in this area will not be 
completed for our fiscal year 2007 audit, we will evaluate the 
effectiveness of IRS's efforts during future audits. 

Property and Equipment: 

During our fiscal year 2006 audit, we found that internal controls were 
not adequate to ensure the security and safeguarding of property and 
equipment at one of five locations we visited. At this location, IRS's 
designated secured storage area was not large enough to store all of 
the property and equipment not currently in use. Consequently, IRS 
stored its overflow inventory items, including computer equipment, in 
an unlocked room. At the same location, IRS allowed one individual to 
both order property and equipment from vendors and perform receipt and 
acceptance when the assets were delivered. 

GAO's Standards for Internal Control in the Federal Government state 
that an agency must establish physical control to secure and safeguard 
vulnerable assets. In addition, the IRM requires Single Point Inventory 
Function (SPIF)[Footnote 31] personnel to have secured storage space 
where access is restricted to inventory personnel. GAO's standards 
further state that key duties and responsibilities should be divided or 
segregated among different people to reduce the risk of error or fraud. 
Such control activities are an integral part of an agency's 
accountability for stewardship of government resources. The storage of 
equipment in an unlocked room increases the risk that assets may be 
stolen or misplaced. Also, the lack of segregation of duties increases 
the risk that error, waste, or fraud may occur in the procurement 
process and not be detected and that IRS may pay for property and 
equipment that it did not receive. 

Recommendations: 

We recommend that IRS: 

* establish and maintain sufficient secured storage space to properly 
secure and safeguard its property and equipment inventory, including in-
stock inventories, assets from incoming shipments, and assets that are 
in the process of being excessed and/or shipped out; and: 

* develop and implement procedures to require that separate individuals 
place orders with vendors and perform receipt and acceptance functions 
when the orders are delivered. 

IRS Comments and Our Evaluation: 

IRS agreed with our recommendations concerning the secure storage of 
property and equipment and the separation of ordering and receipt 
duties. IRS stated that it is identifying locations that need 
additional secured storage space and will obtain the necessary space as 
appropriate. IRS also stated that it has policies and procedures in 
place regarding the separation of receipt and acceptance duties but 
will reissue communications to remind those with procurement authority 
about the specific IRS acquisition procedure which provides this 
guidance. We will evaluate the effectiveness of IRS's efforts in this 
area during our audit of IRS's fiscal year 2007 financial statements. 

This report contains recommendations to you. The head of a federal 
agency is required by 31 U.S.C.  720 to submit a written statement on 
actions taken on these recommendations. You should submit your 
statement to the Senate Committee on Homeland Security and Governmental 
Affairs and the House Committee on Oversight and Government Reform 
within 60 days of the date of this report. A written statement must 
also be sent to the House and Senate Committees on Appropriations with 
the agency's first request for appropriations made more than 60 days 
after the date of the report. 

This report is intended for use by the management of IRS. We are 
sending copies to the Chairmen and Ranking Minority Members of the 
Senate Committee on Appropriations; Senate Committee on Finance; Senate 
Committee on Homeland Security and Governmental Affairs; and 
Subcommittee on Taxation and IRS Oversight and Long-Term Growth, Senate 
Committee on Finance. We are also sending copies to the Chairmen and 
Ranking Minority Members of the House Committee on Appropriations; 
House Committee on Ways and Means; the Chairman and Vice-Chairman of 
the Joint Committee on Taxation; the Secretary of the Treasury; the 
Director of the Office of Management and Budget; the Chairman of the 
IRS Oversight Board; and other interested parties. The report is 
available at no charge on GAO's Web site at http://www.gao.gov. 

We acknowledge and appreciate the cooperation and assistance provided 
by IRS officials and staff during our audits of IRS's fiscal years 2006 
and 2005 financial statements. Please contact me at (202) 512-3406 or 
sebastians@gao.gov if you or your staff have any questions concerning 
this report. Contact points for our Offices of Congressional Relations 
and Public Affairs may be found on the last page of this report. GAO 
staff who made major contributions to this report are listed in 
enclosure III. 

Signed by: 

Steven J. Sebastian: 
Director: 
Financial Management and Assurance: 

Enclosures - 3: 

[End of section] 

Enclosure I: Comments from the Internal Revenue Service: 

Department Of The Treasury:
Internal Revenue Service: 
Washington, D.C. 20224: 
Commissioner: 

May 2, 2007: 

Mr. Steven J. Sebastian:
Director: 
Financial Management and Assurance: 
U.S. Government Accountability Office:
441 G Street, N.W. 
Washington, D.C. 20548: 

Dear Mr. Sebastian: 

I am writing in response to the Government Accountability Office (GAO) 
draft of the Fiscal Year (FY) 2006 Management Report titled, 
Improvements Needed in IRS's Internal Controls (GAO-07-689R). As GAO 
noted in the report titled, Financial Audit. IRS's Fiscal Years 2006 
and 2005 Financial Statements, we continue to make progress in 
addressing our financial management challenges and have substantially 
mitigated weaknesses in our internal controls. 

In FY 2006, we improved the reliability of our property and equipment 
(P&E) accounting records and streamlined our analysis of P&E 
transactions most susceptible to misclassification. These improvements 
along with the progress we made last year enabled you to conclude that 
P&E no longer constitutes a reportable condition. We believe our work 
this year in implementing corrective actions will further improve our 
financial management. I have enclosed a response which addresses all of 
your recommendations separately. 

We appreciate your recommendations to strengthen our controls over 
encryption of data files, facilities security, property and equipment, 
and improving financial management. We are committed to implementing 
appropriate improvements to ensure that the IRS maintains sound 
financial management practices. If you have any questions, please 
contact Janice Lambert, Chief Financial Officer, at (202) 622-6400. 

Sincerely, 

Signed by: 

Mark W. Everson: 

Enclosure: 

GAO Recommendations and IRS Responses to GAO FY 2006 Management Report 
Improvements Needed in the IRS's Internal Controls GAO-07-689R: 

Recommendation: Enforce the existing policy requiring that all lockbox 
banks encrypt backup media containing federal taxpayer information. 

Comments: We agree with this recommendation. We will ensure compliance 
with the policy of requiring all lockbox banks to encrypt backup media 
containing federal taxpayer information through the Information 
Technology Security Audit Process that will be implemented by July 
2007. 

Recommendation: Ensure that lockbox banks store backup media containing 
federal taxpayer information at an offsite location as required by the 
2006 Lockbox Security Guidelines (LSG). 

Comments: We agree with this recommendation. By July 2007, as part of 
our Information Technology Security Audit Process, we will validate 
that all backup media, including files that may need to be recovered, 
are stored offsite. By July 2007, we will modify the Lockbox Security 
Guidelines (LSG) to emphasize that all backup media, including files 
that may need to be recovered, will be stored offsite. 

Recommendation: Revise instructions for IRS annual reviews of lockbox 
banks to encompass routine monitoring of backup media containing 
personally identifiable information to ensure that this information is 
(1) encrypted prior to transmission and (2) stored in an appropriate 
offsite location. 

Comments: We agree with this recommendation. We will ensure that the 
annual Information Technology Security Audit Process which will be 
implemented by July 2007 includes a review to ensure backup media 
containing personally identifiable information (PII) are encrypted and 
also stored at an appropriate offsite location. 

Recommendation: Develop and implement appropriate corrective actions 
for any gaps in closed circuit television (CCTV) camera coverage that 
do not provide an unobstructed view of the entire exterior of the 
service center campuses (SCC's) perimeter, such as adding or 
repositioning existing CCTV cameras or removing obstructions. 

Comments: We agree with this recommendation. Mission Assurance and 
Security Services (MA&SS) Physical Security & Emergency Preparedness 
(PS&EP) is developing a plan to assess all CCTVs and mitigate findings 
by December 30, 2007. 

Recommendation: Revise instructions for quarterly physical security 
reviews to require analysts (1) document any issues identified and 
planned implementation dates of corrective actions to be taken and (2) 
track the status of corrective actions identified during the quarterly 
assessments to ensure they are promptly implemented. 

Comments: We agree with this recommendation. By June 30, 2007, MA&SS 
will implement procedures requiring Physical Security Analysts to 
document concerns identified during quarterly reviews, establish 
corrective action implementation dates, and track corrective actions to 
ensure they are implemented. 

Recommendation: Revise procedures contained in the Manual Refund Desk 
Reference to reflect the Internal Revenue Manual (IRM) requirements for 
manual refund initiators to (1) monitor the manual refund accounts in 
order to prevent duplicate refunds, and (2) document their monitoring 
actions. 

Comments: We agree with this recommendation. We will replace the Manual 
Refund Desk Reference with IRM 3.17.79.0 and IRM 21 as the official 
authoritative guidance for processing manual refunds. We will inform 
Submission Processing sites and other IRS staff of this change by the 
end of May 2007. 

Recommendation: Provide to all the IRS units responsible for processing 
manual refunds the same and most current version of the Manual Refund 
Desk Reference. 

Comments: We agree with this recommendation. We will replace the Manual 
Refund Desk Reference with IRM 3.17.79.0 and IRM 21 as the official 
authoritative guidance for processing manual refunds. We will inform 
Submission Processing sites and other IRS staff of this change by the 
end of May 2007. 

Recommendation: Require that managers or supervisors provide the manual 
refund initiators in their units with training on the most current 
requirements to help ensure that they fulfill their responsibilities to 
monitor manual refunds and document their monitoring actions to prevent 
the issuance of duplicate refunds. 

Comments: We agree with this recommendation. Wage and Investment (W&I) 
will ensure its managers and supervisors conduct training for manual 
refund initiators in its Submission Processing, Accounts Management, 
and Compliance operations to prevent the issuance of duplicate refunds. 
Submission Processing will issue an Information Alert to the campuses, 
directing them to provide refresher training to the areas responsible 
for initiating manual refunds. Accounts Management will also conduct 
classroom training for employees who initiate manual refunds. 
Compliance will ensure the Integrated Data Retrieval System (IDRS) 
Morning Message includes a reminder about Tax Examiners responsibility 
to monitor manual refunds to prevent the issuance of duplicate refunds 
and document monitoring accordingly. The IDRS Morning Message will 
refer Tax Examiners to the appropriate IRM, and this issue will also be 
discussed in follow-up unit meetings in all W&I Compliance campuses. We 
will complete all of these actions by the end of July 2007. 

Recommendation: Enhance IRS's computer program to check for outstanding 
tax liabilities associated with both the primary and secondary social 
security numbers (SSNs) shown on a joint tax return and apply credits 
to those balances before issuing any refund. 

Comments: We agree with this recommendation. IRM 5.7.4 (1) instructs 
the revenue officer to prepare Form 3177, Notice of Action on the 
Master File, to request input of the transaction code (TC) 130 to 
freeze any potential refunds for all individuals liable for the Trust 
Fund Recovery Penalty (TFRP). While the systemic cross reference will 
occur when a joint return is filed, we have requested an IRS Counsel 
opinion to determine if it would be acceptable for the revenue officer 
to also freeze the refund of any spouse at the time of the approval of 
the Form 4183, Recommendation re: Trust Fund Recovery Penalty 
Assessment, or at the time the TFRP assessment is made because the TC 
130 freeze would also freeze the refund of the non-liable spouse if a 
separate return was filed. If IRS Counsel determines that this action 
is appropriate, we will implement this change by August 2007. 

Recommendation: Instruct Revenue Officers making the TFRP assessments 
to research whether the responsible officers are filing jointly with 
their spouses and to place a refund freeze on the joint account until 
the computer programming change can be completed. 

Comments: We agree with this recommendation. IRM 5.7.4 (1) instructs 
the revenue officer to prepare Form 3177, Notice of Action on the 
Master File, to request input of the transaction code (TC) 130 to 
freeze any potential refunds for all individuals liable for the Trust 
Fund Recovery Penalty (TFRP). While the systemic cross reference will 
occur when a joint return is filed, we have requested an IRS Counsel 
opinion to determine if it would be acceptable for the revenue officer 
to also freeze the refund of any spouse at the time of the approval of 
the Form 4183, Recommendation re: Trust Fund Recovery Penalty 
Assessment, or at the time the TFRP assessment is made because the TC 
130 freeze would also freeze the refund of the nonliable spouse if a 
separate return was filed. If IRS Counsel determines that this action 
is appropriate, we will implement this change by August 2007. 

Recommendation: Correct the penalty calculation programs in IRS's 
master file so that penalties are calculated in accordance with the 
applicable Internal Revenue Code (IRC) and implementing IRM guidance. 

Comments: We agree with this recommendation. We implemented a system 
change in January 2007 to correct the penalty calculation program. 

Recommendation: Research each of the taxpayer accounts that may have 
been affected by the programming errors to determine whether they 
contain over-assessed penalties and correct the accounts as needed. 

Comments: We agree with this recommendation. We implemented a system 
change in January 2007 that corrected debit balance taxpayer accounts 
affected by the programming error. 

Recommendation: Establish procedures and specify in the IRM that at the 
time of receipt, employees recording taxpayer payments should (1) 
determine if the payment is more than sufficient to cover the tax 
liability of the tax period specified on the payment or earliest 
outstanding tax period, (2) perform additional research to resolve any 
outstanding issues on the account, (3) determine whether the taxpayer 
has outstanding balances in other tax periods, and (4) apply available 
credits to satisfy the outstanding balances in other tax periods. 

Comments: We agree with this recommendation. The Deputy Commissioner 
for Services and Enforcement issued a memorandum to all functions 
titled, "Servicewide Action to Prevent Late Lien Releases" in January 
2007. The memorandum directed manual lien releases when systemic 
processes do not release liens, including when credit transfers are 
necessary between accounts. The IRM will be updated to include the 
information contained in the Deputy Commissioner memorandum by the end 
of May 2007. 

Recommendation: Establish procedures and specify in the IRM that 
employees review taxpayer accounts with freeze codes that contain 
credits weekly to (1) research and resolve any outstanding issues on 
the account, (2) determine whether the taxpayer has outstanding 
balances in other tax periods, and (3) apply available credits to 
satisfy the outstanding balances in other tax periods. 

Comments: We agree with this recommendation. The Deputy Commissioner 
for Services and Enforcement issued a memorandum to all functions 
titled, "Servicewide Action to Prevent Late Lien Releases" in January 
2007. The memorandum directed manual lien releases when systemic 
processes do not release liens, including when credit transfers are 
necessary between accounts. The IRM will be updated to include the 
information contained in the Deputy Commissioner memorandum by the end 
of May 2007. 

Recommendation: Issue a memorandum to employees in the Centralized 
Insolvency Office reiterating the IRM requirement to timely record 
bankruptcy discharge information onto taxpayer accounts in master file 
or to manually release the liens in the Automated Lien System (ALS). 

Comments: We agree with this recommendation. The Centralized Insolvency 
Operation developed a report to identify cases where a discharge was 
granted by the court, and a lien was filed on dischargeable periods. 
When appropriate, manual lien releases are requested to ensure timely 
release of Notice of Federal Tax Liens. This report is generated and 
worked weekly, and quarterly reviews are conducted by Campus Compliance 
analysts to ensure that appropriate actions were taken. We included 
instructions in IRM 5.9 dated March 2007 and conducted training on the 
new report and process prior to the issuance of the IRM. 

IRS will complete its 2007 A-123 review on the timeliness of lien 
releases at the Centralized Lien Unit by the end of May 2007. We will 
determine if the new bankruptcy discharge guidance reduced the 
incidence of untimely releases, and if errors still exist, we will 
issue additional guidance by November 2007. 

Recommendation: Issue a memorandum to employees in the Centralized Lien 
Processing Unit reiterating the IRM requirement to date stamp and 
maintain the billing support voucher as evidence of timely processing 
by IRS. 

Comments: We agree with this recommendation. The IRM for the 
Centralized Lien Unit (CLU) contains direction to date stamp and 
maintain the billing support voucher (BSV) as evidence of timely 
release of the federal tax lien. In November 2006, the CLU began a new 
process of scanning BSVs, and associated BSVs with Specific Lien 
Identification (SLID) Numbers in order to ensure the BSV is retrievable 
and to show liens were timely released. We trained employees on this 
process as it was rolled out. 

IRS will complete the 2007 A-123 review on the timeliness of lien 
releases at the CLU by the end of May 2007. We will determine if new 
BSV procedures reduced the incidence of missing BSVs, and if we find 
BSV errors occurred after implementation of the new process, we will 
issue additional guidance by November 2007. 

Recommendation: Monitor installment agreement (IA) user fee activity on 
a regular basis. 

Comments: We agree with this recommendation. We currently use reports 
from the Collection Activity and Interim Revenue Accounting Control 
System (IRACS) to monitor and report on IA activity each month. We 
extract from these reports the number of IA's issued, number of user 
fees paid, and user fee dollar amounts. The Chief Financial Officer 
(CFO) and Small Business/Self-Employed (SB/SE) Headquarters offices use 
these reports to conduct trend analyses, such as month-to-month and 
year-to-year comparisons, and to identify potential issues related to 
the proper posting of user fee revenue. We also use the Installment 
Agreement Accounts Listings (IAAL) report to resolve user fee errors. 
In January 2008, we will implement enhancements to the IAAL, add it to 
Desktop Integration (DI), and will increase the frequency of the sweep 
process used to correct accounts from quarterly to weekly. 

Recommendation: Adjust errors in recorded IA user fees as necessary to 
correctly reflect the user fees IRS earned and collected from 
taxpayers. 

Comments: We agree with this recommendation. We currently use a 
quarterly sweep process that reconciles installment agreement payments 
and adjusts those with discrepancies or errors to ensure that fees are 
accurately posted to the user fee account. In January 2008, we will 
increase the frequency of the sweep process from quarterly to weekly. 

Recommendation: Establish sufficient review procedures to help ensure 
that adjustments to IA user fees collected from taxpayers are 
accurately and timely recorded. 

Comments: We agree with this recommendation. We currently use the 
Installment Agreement Accounts Listings (IAAL) to identify accounts 
with user fee errors, underpayments, and overpayments that require 
adjustments. W&I consolidated the IAAL at one location to provide 
improved oversight of the process. The IAAL is reviewed by W&I and SB/ 
SE program analysts, managers, operations management, and headquarters 
staff. In January 2008, we will implement enhancements to the IAAL, add 
it to Desktop Integration (DI), and will increase the frequency of the 
sweep process used to correct accounts from quarterly to weekly. We 
will update IRM 5.19.1 to include DI requirements for case analysis and 
documentation by the January 2008 implementation. 

Recommendation: Establish and maintain sufficient secured storage space 
to properly secure and safeguard IRS property and equipment inventory, 
including in-stock inventories, assets from incoming shipments, and 
assets that are in the process of being excessed and/or shipped out. 

Comments: We agree with this recommendation. We are identifying 
locations that need additional secured storage space and will obtain 
the necessary space as appropriate. 

Recommendation: Develop and implement procedures to require that 
separate individuals place orders with vendors and perform receipt and 
acceptance functions when the orders are delivered. 

Comments: We agree with this recommendation. Policy and procedures are 
in place regarding separation of receipt and acceptance duties. We will 
reissue communications to remind those with procurement authority about 
IRS Acquisition Procedure, dated December 2002, which provides this 
guidance. Also, we will reference Policy and Procedures Memorandum No. 
46.5, "Receipt, Quality Assurance and Acceptance," issued by the Office 
of Procurement Policy, which reiterates the separation of duties 
requirement. 

[End of section] 

Enclosure II: Details on Audit Methodology: 

To fulfill our responsibilities as the auditor of the Internal Revenue 
Service's (IRS) financial statements for fiscal years 2006 and 2005, we 
took the following actions: 

 Examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements. This included selecting 
statistical samples of unpaid assessment, revenue, refund, accrued 
expenses, payroll, nonpayroll, property and equipment, accounts 
payable, and undelivered order transactions. These statistical samples 
were selected primarily to substantiate balances and activities 
reported in IRS's financial statements. Consequently, dollar errors or 
amounts can and have been statistically projected to the population of 
transactions from which they were selected. In testing these samples, 
certain attributes were identified that indicated either significant 
deficiencies in the design or operation of internal control or 
compliance with provisions of laws and regulations. These attributes, 
where applicable, can be and have been statistically projected to the 
appropriate populations. 

 Assessed the accounting principles used and significant estimates 
made by management. 

 Evaluated the overall presentation of the financial statements. 

 Obtained an understanding of internal controls related to financial 
reporting (including safeguarding assets), compliance with laws and 
regulations (including the execution of transactions in accordance with 
budget authority), and the existence and completion assertions related 
to performance measures reported in the Management Discussion and 
Analysis. 

 Tested relevant internal controls over financial reporting (including 
safeguarding assets) and compliance, and evaluated the design and 
operating effectiveness of internal controls. 

 Considered IRS's process for evaluating and reporting on internal 
controls and financial management systems under 31 U.S.C.  3512 (c), 
(d), commonly referred to as the Federal Managers' Financial Integrity 
Act of 1982, and Office of Management and Budget (OMB) Circular No. A- 
123, Management's Responsibility for Internal Control. 

 Tested compliance with selected provisions of the following laws and 
regulations: Anti-Deficiency Act, as amended (31 U.S.C.  1341(a)(1) 
and 31 U.S.C.  1517(a)); Purpose Statute (31 U.S.C.  1301); Release 
of lien or discharge of property (26 U.S.C.  6325); Interest on 
underpayment, nonpayment, or extensions of time for payment of tax (26 
U.S.C.  6601); Interest on overpayments (26 U.S.C.  6611); 
Determination of rate of interest (26 U.S.C.  6621); Failure to file 
tax return or to pay tax (26 U.S.C.  6651); Failure by individual to 
pay estimated income tax (26 U.S.C.  6654); Failure by corporation to 
pay estimated income tax (26 U.S.C.  6655); Prompt Payment Act (31 
U.S.C.  3902(a), (b), and (f) and 31 U.S.C.  3904); Pay and Allowance 
System for Civilian Employees (5 U.S.C.  5332 and 5343, and 29 U.S.C. 
 206); Federal Employees' Retirement System Act of 1986, as amended (5 
U.S.C.  8422, 8423, and 8432); Social Security Act, as amended (26 
U.S.C.  3101 and 3121 and 42 U.S.C.  430); Federal Employees Health 
Benefits Act of 1959, as amended (5 U.S.C.  8905, 8906, and 8909); 
Transportation, Treasury, Independent Agencies, and General Government 
Appropriations Act, 2005, Pub. L. No. 108-447, div. H, tit. II, 118 
Stat. 2809, 3199 (Dec. 8, 2004); and Department of the Treasury 
Appropriations Act, 2006, Pub. L. No. 109-115, div. A, tit. II, 119 
Stat. 2396, 2432 (Nov. 30, 2005). 

Tested whether IRS's financial management systems substantially comply 
with the three requirements of the Federal Financial Management 
Improvement Act of 1996 (Pub. L. No. 104-208, div. A,  101(f), title 
VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996): 

[End of section] 

Enclosure III: Staff Acknowledgments: 

Acknowledgments: The following individuals made major contributions to 
this report: John Davis, Assistant Director, Gloria Cano, Stephanie 
Chen, Nina Crocker, Oliver Culley, Chuck Fox, John Gates, Ted Hu, 
Richard Larsen, Olivia Lopez, Joshua Marcus, George Ogilvie, Jerrod 
O'Nelio, John Sawyer, Angel Sharma, Peggy Smith, LaDonna Towler, and 
Gary Wiggins. 

(196152): 

FOOTNOTES 

[1] GAO, Financial Audit: IRS's Fiscal Years 2006 and 2005 Financial 
Statements, GAO-07-136 (Washington, D.C.: Nov. 9, 2006). 

[2] Lockbox banks are financial institutions designated as depositories 
and financial agents of the U.S. government to perform certain 
financial services, including processing tax documents, depositing the 
receipts, and then forwarding the documents and data to IRS service 
center campuses, which update taxpayers' accounts. During fiscal year 
2006, there were eight lockbox banks processing taxpayer receipts on 
behalf of IRS. 

[3] GAO, Standards for Internal Control in the Federal Government, GAO/ 
AIMD-00-21.3.1 (Washington, D.C.: November 1999) contains the internal 
control standards to be followed by executive agencies in establishing 
and maintaining systems of internal control as required by 31 U.S.C.  
3512 (c), (d) (commonly referred to as the Federal Managers' Financial 
Integrity Act of 1982). 

[4] GAO-07-136. 

[5] The IRM outlines business rules and administrative procedures and 
guidelines IRS uses to conduct its operations and contains policy, 
direction, and delegations of authority necessary to carry out IRS's 
responsibilities to administer tax law and other legal provisions. 

[6] The LSG outlines security guidelines for lockbox bank managers to 
use so that they adhere to IRS's physical, personnel, and data 
protection requirements to ensure protection of taxpayer receipts and 
information. 

[7] OMB, Protection of Sensitive Agency Information, M-06-16 
(Washington, D.C.: June 23, 2006). 

[8] U.S. Department of Commerce, National Institute of Standards and 
Technology, Recommended Security Controls for Federal Information 
Systems (Washington, D.C.: December 2006). 

[9] 26 U.S.C.  7501(a) The law further provides that withheld income 
and employment taxes are to be held in a separate bank account 
considered to be a special fund in trust for the federal government. 26 
U.S.C.  7512(b). 

[10] FICA provides for a federal system of old-age, survivors, 
disability, and hospital insurance benefits. Payments to trust funds 
established for these programs are financed by payroll taxes on 
employee wages and tips, employers' matching payments, and a tax on 
self-employment income. 

[11] See 26 U.S.C.  6672 and implementing IRS guidance in the Internal 
Revenue Manual at  4.23.9.13, Trust Fund Recovery Penalty (Mar. 1, 
2003). 

[12] GAO-06-137. 

[13] The primary purpose of our test was to determine whether IRS 
properly recorded the sample payment to all related parties. However, 
we also performed other tests of IRS's controls using this same sample. 
Although we identified officers with outstanding balances on their TFRP 
accounts that received refunds from IRS, we are unable to project these 
results to IRS's population of TFRP accounts because the sampling unit 
was payments rather than accounts. 

[14] A "tax period" varies by tax type. For example, the tax period for 
individual income or corporate tax is 1 year. In contrast, a tax period 
for payroll and excise taxes is generally one quarter of a year. 

[15] See 26 U.S.C.  6651 and implementing IRS guidance in the Internal 
Revenue Manual at  20.1.2, Failure to File/Failure to Pay Penalties 
(July 31, 2001). 

[16] We reviewed IRS's criteria for identifying the affected taxpayers 
and concur that the problem was confined to those identified by IRS. 
Consequently, we did not project these errors to IRS's population of 
penalty assessments. 

[17] 26 U.S.C.  6321, 6323. 

[18] ALS is a comprehensive database that prints federal tax liens and 
lien releases, stores taxpayer information, and documents lien 
activity. 

[19] The local courthouse is the courthouse in the county where the 
taxpayer's property is located. Liens can also be filed elsewhere as 
determined by state law. 26 U.S.C.  6323. 

[20] Tax credits can result from taxpayer payments in excess of the tax 
liability owed for a specific tax period or from IRS's abatement of 
taxes in a specific tax period which the taxpayer had previously paid. 
Abatements are reductions to taxpayers' tax liabilities. In cases where 
the taxpayer had already paid the tax liability, the abatement would 
result in a credit that could be applied against other outstanding tax 
liabilities owed by the taxpayer or if none exist, would be refunded to 
the taxpayer. 

[21] IRS can file a lien on the taxpayer's property for one or multiple 
tax periods that contain an outstanding tax liability. 

[22] OMB revised Circular A-123, Management's Responsibility for 
Internal Control, in December 2004. The revised OMB Circular No. A-123, 
which first became effective in fiscal year 2006, included a new 
appendix, Appendix A, which prescribed a strengthened management 
process for assessing internal control over financial reporting for the 
24 major executive branch departments and agencies. Circular A-123 also 
required a new management assurance statement specifically addressing 
the effectiveness of the internal control over financial reporting 
based on the results of management's assessment. 

[23] The primary purpose of IRS's test was to determine whether it 
released liens filed against taxpayers whose liability had either been 
paid off or abated in a timely manner. However, the sample was not 
designed to specifically identify the causes for any instances in which 
IRS did not release liens timely. Consequently, while we were able to 
determine the causes for those sampled cases in which liens were not 
timely released, we are unable to project each cause to the total 
population. We reviewed IRS's test procedures and concurred with its 
results. 

[24] IRS records "freeze codes" onto taxpayer accounts in the master 
file to prevent certain automated processes from occurring because 
these accounts may require additional manual review. 

[25] As noted earlier, the primary purpose of IRS's test was to 
determine whether it released liens filed against taxpayers whose 
liability had either been paid off or abated in a timely manner. The 
sample was not designed to specifically identify the causes for any 
instances in which IRS did not release liens timely. Consequently, 
while we were able to determine the causes for those sampled cases in 
which liens were not timely released, we are unable to project each 
cause to the total population. 

[26] GAO, Management Report: Improvements Needed in IRS's Accounting 
Procedures and Internal Controls, GAO-02-746R (Washington, D.C.: July 
18, 2002). 

[27] IRS uses the "billing support voucher" to support its payment for 
recording fees to the local courthouse. The billing support voucher 
lists all the lien releases sent to the local courthouse for processing 
on a given date. 

[28] Again, as the primary purpose of IRS's test was to determine 
whether it released liens filed against taxpayers whose liability had 
either been paid off or abated in a timely manner, the sample was not 
designed to specifically identify the causes for any instances in which 
IRS did not release liens timely. Consequently, we are unable to 
project each cause to the total population. 

[29] IRS is authorized by 26 U.S.C.  6159 to allow taxpayers to enter 
into installment agreement arrangements to satisfy their tax debts. 
Under such arrangements, IRS agrees to let taxpayers pay their tax 
liabilities in installments over a specified period of time instead of 
immediately paying the amount in full. 

[30] IRS charges taxpayers IA user fees under the authority of 31 
U.S.C.  9701. For fiscal year 2006, the fee to establish a new IA was 
$43 and the fee to reinstate an old IA was $24. 

[31] Single Point Inventory Function units are responsible for the 
management and control of all computer equipment at all IRS offices.

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts 
newly released reports, testimony, and correspondence on its Web site. 
To have GAO e-mail you a list of newly posted products every afternoon, 
go to www.gao.gov and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 441 G Street NW, Room LM 
Washington, D.C. 20548: 

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 
512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S. 
Government Accountability Office, 441 G Street NW, Room 7125 
Washington, D.C. 20548: 

Public Affairs: 

Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 
U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, D.C. 20548: