This is the accessible text file for GAO report number GAO-07-629 
entitled 'Internal Revenue Service: Status of GAO Financial Audit and 
Related Financial Management Report Recommendations' which was released 
on June 7, 2007. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Acting Commissioner of Internal Revenue: 

United States Government Accountability Office: 

GAO: 

June 2007: 

Internal Revenue Service: 

Status of GAO Financial Audit and Related Financial Management Report 
Recommendations: 

GAO-07-629: 

GAO Highlights: 

Highlights of GAO-07-629, a report to the Acting Commissioner of 
Internal Revenue 

Why GAO Did This Study: 

In its role as the nationís tax collector, the Internal Revenue Service 
(IRS) has a demanding responsibility in annually collecting over $2 
trillion in taxes, processing hundreds of millions of tax and 
information returns, and enforcing the nationís tax laws. Since its 
first audit of IRSís financial statements in fiscal year 1992, GAO has 
identified a number of weaknesses in IRSís financial management 
operations. In related reports, GAO has recommended corrective action 
to address those weaknesses. 

Each year, as part of the annual audit of IRSís financial statements, 
GAO not only makes recommendations to address any new weaknesses 
identified but also follows up on the status of weaknesses GAO 
identified in previous yearsí audits. The purpose of this report is to 
(1) assist IRS management in tracking the status of audit 
recommendations and actions needed to fully address them and (2) 
demonstrate how the recommendations relate to control activities 
central to IRSís mission and goals. GAO is making no new 
recommendations in this report. 

What GAO Found: 

IRS has made significant progress in improving its internal controls 
and financial management since its first financial statement audit in 
1992, as evidenced by 7 consecutive years of clean audit opinions on 
its financial statements, the resolution of several material internal 
control weaknesses, and the closing of over 200 financial management 
recommendations. This progress has been the result of hard work and 
commitment at the top levels of the agency. 

However, IRS still faces financial management challenges. At the 
beginning of GAOís audit of IRSís fiscal year 2006 financial 
statements, 72 financial management-related recommendations from prior 
audits remained open because IRS had not fully addressed the issues 
that gave rise to them. During the fiscal year 2006 financial audit, 
IRS took actions that enabled GAO to close 25 of those recommendations. 
At the same time, GAO identified additional internal control issues 
resulting in 28 new recommendations. In total, 75 recommendations 
currently remain open. 

To assist IRS in evaluating and improving internal controls, GAO 
categorized the 75 open recommendations by various internal control 
activities which, in turn, were grouped into three broad control 
activity groupings. 

Table: Summary of Open Recommendations: 

Control activity group: Safeguarding of assets and security activities; 
Open at the beginning of 2006: 29; 
Closed during 2006 audit: 17; 
New from 2006 audit: 7; 
Total open for 2007: 19. 

Control activity group: Proper recording and documenting of 
transactions; 
Open at the beginning of 2006: 26; 
Closed during 2006 audit: 4; 
New from 2006 audit: 11; 
Total open for 2007: 33. 

Control activity group: Effective management review and oversight; 
Open at the beginning of 2006: 17; 
Closed during 2006 audit: 4; 
New from 2006 audit: 10; 
Total open for 2007: 23. 

Total; 
Open at the beginning of 2006: 72; 
Closed during 2006 audit: 25; 
New from 2006 audit: 28; 
Total open for 2007: 75. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

The continued existence of internal control weaknesses that gave rise 
to these recommendations represents a serious obstacle that IRS needs 
to overcome. Effective implementation of GAOís recommendations can 
greatly assist IRS in improving its internal controls and achieving 
sound financial management and can help enable it to more effectively 
carry out its tax administration responsibilities. IRS acknowledged the 
status of GAOís recommendations and indicated its desire to ensure that 
its corrective actions appropriately address its internal control 
issues. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-629]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Steven J. Sebastian at 
(202) 512-3406 or sebastians@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Scope and Methodology: 

IRS's Progress on Financial Management Recommendations: 

Open Recommendations Grouped by Control Activity: 

Concluding Observations: 

Agency Comments and Our Evaluation: 

Appendix I: Status of GAO Recommendations from IRS Financial Audits and 
Related Management Reports: 

Appendix II: Comments from the Internal Revenue Service: 

Appendix III: Staff Acknowledgments: 

Tables: 

Table 1: Summary of Open Recommendations: 

Table 2: Recommendations to Improve IRS's Physical Controls over 
Vulnerable Assets: 

Table 3: Recommendations to Improve IRS's Segregation of Duties: 

Table 4: Recommendation to Improve IRS's Controls over Information 
Processing: 

Table 5: Recommendations to Improve IRS's Access Restrictions to and 
Accountability for Resources and Records: 

Table 6: Recommendations to Improve IRS's Documentation of Transactions 
and Internal Control: 

Table 7: Recommendations to Improve IRS's Accurate and Timely Recording 
of Transactions and Events: 

Table 8: Recommendation to Improve IRS's Execution of Transaction and 
Events: 

Table 9: Recommendations to Improve IRS's Reviews by Management at the 
Functional or Activity Level: 

Table 10: Recommendations to Improve IRS's Establishment and Review of 
Performance Measures and Indicators: 

Table 11: Recommendations to Improve IRS's Management of Human Capital: 

Abbreviations: 

ALS: Automated Lien System: 

AM: accounts management: 

ATFR: Automated Trust Fund Recovery: 

AUR: Automated Under Reporter: 

AWSS: Agency-Wide Shared Services: 

BPMS: Business Performance Management System: 

CCTV: closed-circuit television: 

CDDB: Custodial Detail Data Base: 

CFO: chief financial officer: 

COTR: contracting officer's technical representative: 

DCI: data collection instrument: 

FA: Field Assistance: 

FC: field coordinator: 

FISCAM: Federal Information System Controls Audit Manual: 

FISMA: Federal Information Security Management Act of 2002: 

FMFIA: Federal Managers' Financial Integrity Act of 1982: 

FMIS: Financial Management Information System: 

FMS: Financial Management Service: 

IAR: initial account representative: 

IDRS: Integrated Data Retrieval System: 

IFS: Integrated Financial System: 

IRACS: Interim Revenue and Accounting Control System: 

IRM: Internal Revenue Manual: 

IRS: Internal Revenue Service: 

JFMIP: Joint Financial Management Improvement Project: 

LEB: Lockbox Electronic Bulletin: 

LEM: Security Law Enforcement Manual: 

LFC: lockbox field coordinators: 

LMSB: Large and Mid-sized Business: 

LPG: Lockbox Processing Guidelines: 

LSG: Lockbox Security Guide: 

MA: Mission Assurance: 

MITS: Modernization & Information Technology Services: 

MOU: Memorandum of Understanding: 

NBIC: National Background Investigations Center: 

NFC: National Finance Center: 

OMB: Office of Management and Budget: 

P&E: property and equipment: 

PSEP: Physical Security and Emergency Preparedness Office: 

REFM: Real Estate and Facilities Management: 

SB/SE: Small Business/Self-Employed: 

SCC: service center campus: 

SERP: Service-wide Electronic Research Program: 

SETS: Security Entry and Tracking System: 

SP: Submission Processing: 

SPC: submission processing center: 

SS: Security Services: 

TAC: taxpayer assistance center: 

TE/GE: Tax Exempt and Government Entities: 

TFRP: Trust Fund Recovery Penalty: 

TGA: Treasury's General Account: 

TIGTA: Treasury Inspector General for Tax Administration: 

USR: unit security representative: 

USSGL: United States Government Standard General Ledger: 

W&I: Wage and Investment: 

United States Government Accountability Office: 
Washington, DC 20548: 

June 7, 2007: 

The Honorable Kevin M. Brown: 
Acting Commissioner of Internal Revenue: 

Dear Mr. Brown: 

In its role as the nation's tax collector, the Internal Revenue Service 
(IRS) has a demanding responsibility to collect taxes, process tax 
returns, and enforce the nation's tax laws. In fiscal year 2006, IRS 
collected about $2.5 trillion in tax payments, processed hundreds of 
millions of tax and information returns, and paid about $277 billion in 
refunds to taxpayers. Because of its role and overall mission, IRS's 
activities touch on virtually all of the nation's citizens. It is 
therefore critical that the agency strive to maintain sound financial 
management practices. 

IRS has made much progress in improving its financial management since 
it was first required to prepare and have audited a set of financial 
statements in fiscal year 1992. This progress was reflected in its 
ability to obtain and maintain a clean audit opinion on its financial 
statements each year beginning in fiscal year 2000, and to correct 
several material internal control weaknesses over the years and make 
many other improvements in internal control. At the same time, more 
remains to be done to address long-standing internal control issues 
that continue to plague the agency. IRS continues to have weak or 
ineffective internal controls over fundamental elements of its 
operations that leave it vulnerable to a greater risk of fraud, waste, 
abuse, and mismanagement. This, in turn, has the potential to impact 
the lives of the nation's taxpayers, as our audits over the years have 
demonstrated. 

An agency's internal control environment serves as the first line of 
defense in safeguarding its assets and in preventing and detecting 
errors and fraud, as well as in helping to effectively manage its 
stewardship over public resources.[Footnote 1] Unfortunately, IRS 
continues to be challenged with several long-standing material 
weaknesses in internal control that are at the heart of IRS's 
operations.[Footnote 2] During our audit of IRS's fiscal year 2006 
financial statements, we continued to find material weaknesses in 
controls over: 

* financial reporting (including safeguarding of assets), 

* unpaid tax assessments, 

* identifying and collecting tax revenues due and issuing tax refunds, 
and: 

* information systems security. 

In addition to the material weaknesses, we continued to identify a 
reportable condition involving controls over hard-copy tax receipts and 
taxpayer data, which increase the government's and taxpayer's risk of 
loss or inappropriate disclosure of taxpayer data. 

To assist IRS in strengthening its internal controls and improving its 
operations, we have made numerous recommendations as part of our annual 
financial statement audits and other financial management-related work 
at IRS. This report is being provided to you to (1) assist IRS 
management in tracking the status of financial audit and financial 
management-related recommendations and the actions needed to address 
them and (2) demonstrate how the recommendations relate to control 
activities central to IRS's mission and goals. We are making no new 
recommendations in this report. 

We conducted our review from December 2006 through April 2007 in 
accordance with U. S. generally accepted government auditing standards. 

Results in Brief: 

IRS management continues to make progress in addressing many of the 
internal control issues that challenge the agency. IRS's actions have 
enabled us to close over 200 financial management-related 
recommendations over the years since our first audit of its financial 
statements in 1992. At the beginning of the fiscal year 2006 IRS 
financial statement audit, 72 financial management-related 
recommendations from prior audits remained open. During the fiscal year 
2006 financial statement audit, IRS took actions to effectively address 
issues that gave rise to numerous recommendations, enabling us to close 
25 of those recommendations. Thus, 47 recommendations remained open 
from prior years' audits at the end of fiscal year 2006. In addition, 
during our fiscal year 2006 financial audit, we made 28 new 
recommendations to address newly identified issues. As a result, a 
total of 75 recommendations to address IRS's internal control issues 
remain open. 

In analyzing the nature of these open financial management 
recommendations, we determined that 19 recommendations (25 percent) 
relate to issues associated with IRS's lack of effective controls over 
safeguarding assets and security activities. Another 33 recommendations 
(approximately 44 percent) relate to issues associated with IRS's 
inability to properly record and document transactions. The remaining 
23 recommendations (31 percent) relate to issues associated with lack 
of effective management review and oversight. Effectively and fully 
addressing these open recommendations would greatly assist IRS in 
improving its internal controls and achieving sound financial 
management. 

In commenting on a draft of this report, IRS expressed its appreciation 
for our acknowledgement of the agency's progress in addressing its 
financial management challenges as evidence by our closure of 25 of the 
72 open financial management recommendations from last year's report. 
We have reprinted IRS's written comments in appendix II. 

Background: 

Internal control is not one event, but a series of actions and 
activities that occur throughout an entity's operations and on an 
ongoing basis. Internal control should be recognized as an integral 
part of each system that management uses to regulate and guide its 
operations rather than as a separate system within an agency. In this 
sense, internal control is management control that is built into the 
entity as a part of its infrastructure to help managers run the entity 
and achieve their goals on an ongoing basis. 

Section 3512 (c), (d) of Title 31, U.S. Code (commonly known as the 
Federal Managers' Financial Integrity Act of 1982 (FMFIA)), requires 
agencies to establish and maintain internal control. The agency head 
must annually evaluate and report on the control and financial systems 
that protect the integrity of federal programs. The requirements of 
FMFIA serve as an umbrella under which other reviews, evaluations, and 
audits should be coordinated and considered to support management's 
assertion about the effectiveness of internal control over operations, 
financial reporting, and compliance with laws and regulations. 

Office of Management and Budget (OMB) Circular No. A-123, "Management's 
Responsibility for Internal Control" (revised Dec. 21, 2004), provides 
the implementing guidance for FMFIA, and sets out the specific 
requirements for assessing and reporting on internal controls[Footnote 
3] consistent with the internal control standards issued by the 
Comptroller General of the United States.[Footnote 4] The circular, 
which was revised in 2004 with the revisions effective for fiscal year 
2006, defines management's responsibilities related to internal control 
and the process for assessing internal control effectiveness, and 
provides specific requirements for conducting management's assessment 
of the effectiveness of internal control over financial reporting. The 
circular requires management to annually provide assurances on internal 
control in its Performance and Accountability Report, and for the 24 
Chief Financial Officers (CFO) Act agencies to include a separate 
assurance on internal control over financial reporting, along with a 
report on identified material weaknesses and corrective 
actions.[Footnote 5] The circular also emphasizes the need for 
integrated and coordinated internal control assessments that 
synchronize all internal control-related activities. 

FMFIA requires GAO to issue standards for internal control in the 
federal government. GAO's Standards for Internal Control in the Federal 
Government provides the overall framework for establishing and 
maintaining internal control and for identifying and addressing major 
performance and management challenges and areas at greatest risk of 
fraud, waste, abuse, and mismanagement. 

As summarized in GAO's Standards for Internal Control in the Federal 
Government, the minimum level of quality acceptable for internal 
control in the government is defined by the following five standards, 
which also provide the basis against which internal controls are to be 
evaluated: 

* Control environment: Management and employees should establish and 
maintain an environment throughout the organization that sets a 
positive and supportive attitude toward internal control and 
conscientious management. 

* Risk assessment: Internal control should provide for an assessment of 
the risks the agency faces from both external and internal sources. 

* Control activities: Internal control activities help ensure that 
management's directives are carried out. The control activities should 
be effective and efficient in accomplishing the agency's control 
objectives. 

* Information and communications: Information should be recorded and 
communicated to management and others within the entity who need it and 
in a form and within a time frame that enables them to carry out their 
internal control and other responsibilities. 

* Monitoring: Internal control monitoring should assess the quality of 
performance over time and ensure that the findings of audits and other 
reviews are promptly resolved. 

The third control standard--internal control activities--helps ensure 
that management's directives are carried out. Control activities are 
the policies, procedures, techniques, and mechanisms that enforce 
management's directives. In other words, they are the activities 
conducted in the everyday course of business that accomplish a control 
objective, such as ensuring IRS employees successfully complete 
background checks prior to being granted access to taxpayer information 
and receipts. As such, control activities are an integral part of an 
entity's planning, implementing, reviewing, and accountability for 
stewardship of government resources and achievement of effective 
results. 

A key objective in our annual audits of IRS's financial statements is 
to obtain reasonable assurance about whether IRS maintained effective 
internal controls with respect to financial reporting, including 
safeguarding of assets, and compliance with laws and regulations. While 
all five internal control standards are critical and are used by us as 
a basis for evaluating the effectiveness of IRS's internal controls, we 
place a heavy emphasis on testing control activities. This has resulted 
in the identification of issues in certain internal controls over the 
years and recommendations for corrective action. 

Scope and Methodology: 

To accomplish our objectives, we evaluated the effectiveness of IRS's 
corrective actions implemented in response to open recommendations 
during fiscal year 2006 as part of our fiscal years 2006 and 2005 
financial audits. To determine the current status of the 
recommendations, we (1) obtained the status of each recommendation and 
corrective action taken or planned as of April 2007, as reported to us 
by IRS and (2) compared IRS's assessment to our fiscal year 2006 audit 
findings to identify any differences between IRS's and our conclusions 
regarding the status of each recommendation. 

In order to determine how these recommendations fit within IRS's 
management and internal control structure, we compared the open 
recommendations, and the issues that gave rise to them, to the control 
activities listed in GAO's Standards for Internal Control in the 
Federal Government and to the list of major factors and examples 
outlined in our Internal Control Management and Evaluation 
Tool.[Footnote 6] We also considered how the recommendations and the 
underlying issues were categorized in our prior reports, whether IRS 
had addressed, in whole or in part, the underlying control issues that 
gave rise to the recommendations, and other legal requirements and 
implementing guidance, such as OMB Circular No. A-123; FMFIA; and the 
Federal Information System Controls Audit Manual (FISCAM), GAO/AIMD- 
12.19.6 (revised June 2001). 

We conducted our review from December 2006 through April 2007 in 
accordance with U. S. generally accepted government auditing standards. 
We requested comments on a draft of this report from the Commissioner 
of Internal Revenue or his designee on May 7, 2007. We received 
comments from IRS on May 18, 2007. 

IRS's Progress on Financial Management Recommendations: 

IRS continues to make progress on addressing its significant financial 
management challenges. Over the years since we first began auditing 
IRS's financial statements in fiscal year 1992, we have closed out over 
200 financial management-related recommendations we made based on 
actions IRS has taken to improve its internal controls and operational 
efficiency. This includes 25 recommendations we are closing based on 
actions IRS took during the period covered by our fiscal year 2006 
financial audit. At the same time, however, our audits continue to 
identify internal control issues, resulting in our making further 
recommendations for corrective action, including 28 new financial 
management-related recommendations resulting from our fiscal year 2006 
financial audit. These internal control issues, and the resulting 
recommendations, can be directly traced to the control activities in 
GAO's Standards for Internal Control in the Federal Government. As 
such, it is essential that they be fully addressed and resolved to 
strengthen IRS's overall financial management and to assist it in 
achieving its goals and mission. 

Status of Recommendations Based on the Fiscal Year 2006 Financial 
Statement Audit: 

In June 2006, we issued a report on the status of IRS's efforts to 
implement corrective actions to address financial management 
recommendations stemming from our fiscal year 2005 and prior year 
financial audits and other financial management-related work.[Footnote 
7] In that report, we identified 72 audit recommendations that at that 
time remained open and thus required corrective action by IRS. A 
significant number of these recommendations had been open for several 
years, either because IRS had not taken corrective action or because 
the actions taken had not fully and effectively resolved the issues 
that gave rise to the recommendations. 

IRS continued to work to address many of the internal control issues to 
which these open recommendations relate. In the course of performing 
our fiscal year 2006 financial audit, we identified numerous actions 
IRS took to address many of its internal control issues. On the basis 
of IRS's actions, which we were able to substantiate through our audit, 
we are able to close 25 of these prior years' recommendations. IRS 
considers another 26 of the prior years' recommendations to be 
effectively addressed. However, we still consider them to be open 
either because we had not yet been able to verify the effectiveness of 
IRS's actions--they occurred subsequent to completion of our audit 
testing and thus have not been verified, which is a prerequisite to our 
closing a recommendation--or because the actions taken did not fully 
address the issue that gave rise to the recommendation. 

However, continued efforts are needed by IRS to address its internal 
control issues. While we are able to close 25 financial management 
recommendations made in prior years, 47 recommendations from prior 
years remain open, a significant number of which have been outstanding 
for several years. In some cases, IRS may have effectively addressed 
the issues that gave rise to the recommendations subsequent to our 
fiscal year 2006 audit testing. However, in many cases, our fiscal year 
2006 audit determined that the actions taken to date had not fully and 
effectively addressed the underlying internal control issues. 
Additionally, during our audit of IRS's fiscal year 2006 financial 
statements, we identified additional issues that will require 
corrective action by IRS. In two recent management reports to 
IRS,[Footnote 8] we discussed these issues, and made 28 new 
recommendations to IRS to address these new issues. Consequently, a 
total of 75 financial management-related recommendations are currently 
open and need to be addressed by IRS. Of these, we consider 66 short 
term and 9 long term.[Footnote 9] 

Appendix I presents a list of (1) recommendations we have made based on 
our financial statement audits and other financial management-related 
work that we had not previously reported as closed prior to our fiscal 
year 2006 audit, (2) the status of each of these recommendations and 
corrective actions taken or planned as of April 2007 as reported to us 
by IRS, and (3) our analysis of whether the issues that gave rise to 
the recommendations have been effectively and fully addressed based on 
the work performed during our fiscal year 2006 financial statement 
audit. The appendix also lists new recommendations we have made based 
on our fiscal year 2006 financial statement audit. The appendix lists 
the recommendations by the date on which the recommendation was made 
and by report number. 

Open Recommendations Grouped by Control Activity: 

Linking the open recommendations from our financial audits and other 
financial management-related work, and the issues that gave rise to 
them, to internal control activities that are central to IRS's tax 
administration responsibilities provides insight regarding their 
significance. 

Control activities, one of the five broad standards contained in GAO's 
Standards for Internal Control in the Federal Government, are the 
policies, procedures, techniques, and mechanisms that enforce 
management's directives. As such, they are an integral part of an 
entity's planning, implementing, reviewing, and accountability for 
stewardship of government resources and achievement of results. GAO's 
Standards for Internal Control in the Federal Government defines 11 
control activities. These control activities can be further grouped 
into three broad categories: 

* Safeguarding of assets and security activities, including: 

- physical control over vulnerable assets, 

- segregation of duties, 

- controls over information processing, and: 

- access restrictions to and accountability for resources and records. 

* Proper recording and documenting of transactions, including: 

- appropriate documentation of transactions and internal control, 

- accurate and timely reporting of transactions and events, and: 

- proper execution of transactions and events. 

* Effective management review and oversight, including: 

- reviews by management at the functional or activity level, 

- establishment and review of performance measures and indicators, 

- management of human capital, and: 

- top-level reviews of actual performance. 

Each of the open recommendations from our financial audits and 
financial management-related work, and the underlying issues that gave 
rise to them, can be traced back to the 11 control activities and their 
three broad categories. Table 1 presents a summary of the open 
recommendations, each tied back to the control activity to which it 
relates. 

Table 1: Summary of Open Recommendations: 

Safeguarding of assets and security activities. 

Control activity: Physical control over vulnerable assets; Open at 
start of fiscal year 2006 audit: 13; Closed during fiscal year 2006 
audit: 7; New from fiscal year 2006 audit: 6; Total open for fiscal 
year 2007: 12; Percentage: 16. 

Control activity: Segregation of duties; 
Open at start of fiscal year 2006 audit: 3; 
Closed during fiscal year 2006 audit: 0; 
New from fiscal year 2006 audit: 1; 
Total open for fiscal year 2007: 4; Percentage: 5. 

Control activity: Controls over information processing; 
Open at start of fiscal year 2006 audit: 6; 
Closed during fiscal year 2006 audit: 5; 
New from fiscal year 2006 audit: 0; 
Total open for fiscal year 2007: 1; Percentage: 1. 

Control activity: Access restrictions to and accountability for 
resources and records; 
Open at start of fiscal year 2006 audit: 7; 
Closed during fiscal year 2006 audit: 5; 
New from fiscal year 2006 audit: 0; 
Total open for fiscal year 2007: 2; Percentage: 3. 

Control activity: Subtotal; 
Open at start of fiscal year 2006 audit: 29; 
Closed during fiscal year 2006 audit: 17; 
New from fiscal year 2006 audit: 7; 
Total open for fiscal year 2007: 19; Percentage: 25. 

Proper recording and documenting of transactions. 

Control activity: Appropriate documentation of transactions and 
internal controls; 
Open at start of fiscal year 2006 audit: 11; 
Closed during fiscal year 2006 audit: 2; 
New from fiscal year 2006 audit: 4; 
Total open for fiscal year 2007: 13; Percentage: 17. 

Control activity: Accurate and timely recording of transactions and 
events; 
Open at start of fiscal year 2006 audit: 14; 
Closed during fiscal year 2006 audit: 2; 
New from fiscal year 2006 audit: 7; 
Total open for fiscal year 2007: 19; Percentage: 26. 

Control activity: Proper execution of transactions and events; 
Open at start of fiscal year 2006 audit: 1; 
Closed during fiscal year 2006 audit: 0; 
New from fiscal year 2006 audit: 0; 
Total open for fiscal year 2007: 1; Percentage: 1. 

Control activity: Subtotal; 
Open at start of fiscal year 2006 audit: 26; 
Closed during fiscal year 2006 audit: 4; 
New from fiscal year 2006 audit: 11; 
Total open for fiscal year 2007: 33; Percentage: 44. 

Effective management review and oversight. 

Control activity: Reviews by management at the functional or activity 
level; 
Open at start of fiscal year 2006 audit: 12; 
Closed during fiscal year 2006 audit: 3; 
New from fiscal year 2006 audit: 8; 
Total open for fiscal year 2007: 17; Percentage: 23. 

Control activity: Establishment and review of performance measures and 
indicators; 
Open at start of fiscal year 2006 audit: 4; 
Closed during fiscal year 2006 audit: 1; 
New from fiscal year 2006 audit: 0; 
Total open for fiscal year 2007: 3; Percentage: 4. 

Control activity: Management of human capital; 
Open at start of fiscal year 2006 audit: 1; 
Closed during fiscal year 2006 audit: 0; 
New from fiscal year 2006 audit: 2; 
Total open for fiscal year 2007: 3; Percentage: 4. 

Control activity: Subtotal; 
Open at start of fiscal year 2006 audit: 17; 
Closed during fiscal year 2006 audit: 4; 
New from fiscal year 2006 audit: 10; 
Total open for fiscal year 2007: 23; Percentage: 31. 

Control activity: Total; 
Open at start of fiscal year 2006 audit: 72; 
Closed during fiscal year 2006 audit: 25; 
New from fiscal year 2006 audit: 28; 
Total open for fiscal year 2007: 75; Percentage: [Empty]. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

As table 1 indicates, 19 recommendations (25 percent) relate to issues 
associated with IRS's lack of effective controls over safeguarding of 
assets and security activities. Another 33 recommendations (44 percent) 
relate to issues associated with IRS's inability to properly record and 
document transactions. The remaining 23 open recommendations (31 
percent) relate to issues associated with the lack of effective 
management review and oversight. 

On the following pages, we group the 75 open recommendations under the 
control activity to which the condition that gave rise to them most 
appropriately fits. We first define each control activity as presented 
in GAO's Standards for Internal Control in the Federal Government and 
briefly identify some of the key IRS operations that fall under that 
control activity. Although not comprehensive, the descriptions are 
intended to help explain why actions to strengthen these control 
activities are important for IRS to effectively carry out its overall 
mission. For each recommendation, we also indicate whether it is a 
short-term or long-term recommendation. 

Safeguarding of Assets and Security Activities: 

Given IRS's mission, the sensitivity of the data it maintains, and its 
processing of trillions of dollars of tax receipts each year, one of 
the most important control activities at IRS is the safeguarding of 
assets. Internal control in this important area should be designed to 
provide reasonable assurance regarding prevention or prompt detection 
of unauthorized acquisition, use, or disposition of an agency's assets. 
We have grouped together the four control activities in GAO's Standards 
for Internal Control in the Federal Government that relate to 
safeguarding of assets (including tax receipts) and security activities 
(such as limiting access to only authorized personnel): (1) physical 
control over vulnerable assets, (2) segregation of duties, (3) controls 
over information processing, and (4) access restrictions to and 
accountability for resources and records. 

Text Box: Physical Control over Vulnerable Assets: 

An agency must establish physical control to secure and safeguard 
vulnerable assets. Examples include security for and limited access to 
assets such as cash, securities, inventories, and equipment which might 
be vulnerable to risk of loss or unauthorized use. Such assets should 
be periodically counted and compared to control records. 

[End of text box] 

IRS is charged with collecting over $2 trillion in taxes each year, a 
significant amount of which is collected in the form of checks and cash 
accompanied by tax returns and related information. IRS collects taxes 
both at its own facilities as well as at lockbox banks that operate 
under contract with the Department of the Treasury's Financial 
Management Service (FMS) to provide processing services for certain 
taxpayer receipts for IRS. IRS acts as custodian for (1) the tax 
payments it receives until they are deposited in the General Fund of 
the U.S. Treasury and (2) the tax returns and related information it 
receives until they are either sent to the Federal Records Center or 
destroyed. IRS is also charged with controlling many other assets, such 
as computers and other equipment, but IRS's legal responsibility to 
safeguard tax returns and the confidential information taxpayers 
provide on tax returns makes the effectiveness of its internal controls 
with respect to physical security essential. 

IRS receives cash and checks mailed to its service centers or lockbox 
banks with accompanying tax returns and information or payment vouchers 
and payments made in person at one of its offices. While effective 
physical safeguards over receipts should exist throughout the year, it 
is especially important during the peak tax filing season. Each year 
during the weeks preceding and shortly after April 15, an IRS service 
center campus (SCC) or lockbox bank may receive and process daily over 
100,000 pieces of mail containing returns, receipts, or both. The 
dollar value of receipts each service center and lockbox bank processes 
increases to hundreds of millions of dollars a day during the April 15 
time frame. 

Of our 75 open recommendations, the following 12 open recommendations 
are designed to improve IRS's physical controls over vulnerable assets. 
All are short-term in nature. (See table 2.) 

Table 2: Recommendations to Improve IRS's Physical Controls over 
Vulnerable Assets: 

ID. No.: 99-19; 
Recommendations: Ensure that walk-in payment receipts are recorded in a 
control log prior to depositing the receipts in the locked container 
and ensure that the control log information is reconciled to receipts 
prior to submission of the receipts to another unit for payment 
processing. To ensure proper segregation of duties, an employee not 
responsible for logging receipts in the control log should perform the 
reconciliation. (short-term). 

ID. No.: 04-08; 
Recommendations: Enforce policies and procedures to ensure that service 
center campus security guards respond to alarms. (short-term). 

ID. No.: 06-05; 
Recommendations: Equip all taxpayer assistance centers (TAC) with 
adequate physical security controls to deter and prevent unauthorized 
access to restricted areas or office space occupied by other IRS units, 
including those TACs that are not scheduled to be reconfigured to the 
"new TAC" model in the near future. This includes appropriately 
separating customer service waiting areas from restricted areas in the 
near future by physical barriers such as locked doors marked with signs 
barring entrance by unescorted customers. (short- term). 

ID. No.: 06-08; 
Recommendations: Enforce the requirement that all security or other 
responsible personnel at SCCs and lockbox banks record all instances 
involving the activation of intrusion alarms regardless of the 
circumstances that may have caused the activation. (short-term). 

ID. No.: 06-09; 
Recommendations: Reemphasize the need for the security guards at all 
TACs to ensure that key posts of duty, such as entrances to facilities, 
are not left unattended. (short-term). 

ID. No.: 06-15; 
Recommendations: Revise the physical security procedures in the 
Internal Revenue Manual (IRM) to require that all SCCs and any 
respective annex facilities processing taxpayer receipts and/or 
information perform and document monthly tests of the facility's 
intrusion detection alarms. At a minimum, these procedures should (1) 
outline the type of test to be conducted, (2) include criteria for 
assessing whether the controls used to respond to the alarm were 
effective, and (3) require that a logbook be maintained to document the 
test dates, results, and response information. (short-term). 

ID. No.: 07-01; 
Recommendations: Enforce the existing policy requiring that all lockbox 
banks encrypt backup media containing federal taxpayer information. 
(short-term). 

ID. No.: 07-02; 
Recommendations: Ensure that lockbox banks store backup media 
containing federal taxpayer information at an off-site location as 
required by the 2006 Lockbox Security Guide. (short-term). 

ID. No.: 07-03; 
Recommendations: Revise instructions for the annual reviews of lockbox 
banks to encompass routine monitoring of backup media containing 
personally identifiable information to ensure that this information is 
(1) encrypted prior to transmission and (2) stored in an appropriate 
off-site location. (short-term). 

ID. No.: 07-04; 
Recommendations: Develop and implement appropriate corrective actions 
for any gaps in closed circuit TV (CCTV) camera coverage that do not 
provide an unobstructed view of the entire exterior of the SCC's 
perimeter, such as adding or repositioning existing CCTV cameras or 
removing obstructions. (short-term). 

ID. No.: 07-05; 
Recommendations: Revise instructions for quarterly physical security 
reviews to require analysts to (1) document any issues identified as 
well as planned implementation dates of corrective actions to be taken 
and (2) track the status of corrective actions identified during the 
quarterly assessments to ensure they are promptly implemented. (short-
term). 

ID. No.: 07-20; 
Recommendations: Establish and maintain sufficient secured storage 
space to properly secure and safeguard its property and equipment 
inventory, including in-stock inventories assets from incoming 
shipments, and assets that are in the process of being excessed and/or 
shipped out. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Segregation of Duties: 

Text box: 

Key duties and responsibilities need to be divided or segregated among 
different people to reduce the risk of error or fraud. This should 
include separating the responsibilities for authorizing transactions, 
processing and recording them, reviewing the transactions, and handling 
any related assets. No one individual should control all key aspects of 
a transaction or event. 

[End of text box] 

IRS employees are responsible for processing trillions of dollars of 
tax receipts each year, of which hundreds of billions are received in 
the form of cash or checks,[Footnote 10] and for processing hundreds of 
billions of dollars in refunds to taxpayers. Consequently, it is 
critical that IRS maintain appropriate separation of duties to allow 
for adequate oversight of staff and protection of these vulnerable 
resources so that no single individual would be in a position of both 
causing an error or irregularity, potentially converting the asset to 
their personal use, and then concealing it. For example, when an IRS 
field office or lockbox bank receives taxpayer receipts and returns, it 
is responsible for depositing the cash and checks in a depository 
institution and forwarding the related information received to an SCC 
for further processing. In order to adequately safeguard receipts from 
theft, the person responsible for recording the information from the 
taxpayer receipts on a voucher should be different from the individual 
who prepares those receipts for transmittal to the SCC for further 
processing. 

The following four open recommendations would help IRS improve its 
separation of duties, which will in turn strengthen its controls over 
both tax receipts and refunds. All are short-term in nature. (See table 
3.) 

Table 3: Recommendations to Improve IRS's Segregation of Duties: 

(Continued From Previous Page) 

ID. No.: 02-16; 
Recommendations: Ensure that field office management complies with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments. (short-
term). 

ID. No.: 05-32; 
Recommendations: Establish policies and procedures to require 
appropriate segregation of duties in small business/self- employed 
units of field offices with respect to preparation of Payment Posting 
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term). 

ID. No.: 05-41; 
Recommendations: Specify in the IRM that staff members are not to 
review their own command code profiles. (short-term). 

ID. No.: 07-21; 
Recommendations: Develop and implement procedures to require that 
separate individuals place orders with vendors and perform receipt and 
acceptance functions when the orders are delivered. (short- term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Controls over Information Processing: 

Text box: 

A variety of control activities are used in information processing. 
Examples include edit checks of data entered, accounting for 
transactions in numerical sequences, and comparing file totals with 
control totals. There are two broad groupings of information systems 
control--general control (for hardware such as mainframe, network, end- 
user environments) and application control (processing of data within 
the application software). General controls include entitywide security 
program planning, management, and backup recovery procedures, and 
contingency and disaster planning. Application controls are designed to 
help ensure completeness, accuracy, authorization, and validity of all 
transactions during application processing. 

[End of text box] 

IRS relies extensively on computerized systems to support its financial 
and mission-related operations. To efficiently fulfill its tax 
processing responsibilities, IRS relies extensively on interconnected 
networks of computer systems to perform various functions, such as 
collecting and storing taxpayer data, processing tax returns, 
calculating interest and penalties, generating refunds, and providing 
customer service. 

As part of our annual audits of IRS's financial statements, we assess 
the effectiveness of IRS's information security controls[Footnote 11] 
over key financial systems, data, and interconnected networks at IRS's 
critical data processing facilities that support the processing, 
storage, and transmission of sensitive financial and taxpayer data. 
From that effort over the years, we have identified information 
security control weaknesses that impair IRS's ability to ensure the 
confidentiality, integrity, and availability of its sensitive financial 
and taxpayer data. As of March 2007, there were 48 open recommendations 
from our information security work designed to improve IRS's 
information security controls.[Footnote 12] Recommendations resulting 
from our information security work are reported separately and are not 
included in this report primarily because of the sensitive nature of 
some of these issues. 

However, the following open short-term recommendation is related to 
systems limitations and IRS's need to enhance its computer programs. 
(See table 4.) 

Table 4: Recommendation to Improve IRS's Controls over Information 
Processing: 

ID. No.: 02-18; 
Recommendation: Work with the National Finance Center (NFC) to resolve 
the technical limitations that exist within the Security Entry and 
Tracking System (SETS) database and continue to periodically review 
SETS data to detect and correct errors. (short- term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Access Restrictions to and Accountability for Resources and Records: 

Text box: 

Access to resources and records should be limited to authorized 
individuals, and accountability for their custody and use should be 
assigned and maintained. Periodic comparison of resources with the 
recorded accountability should be made to help reduce the risk of 
errors, fraud, misuse, or unauthorized alteration. 

[End of text box] 

Because IRS deals with a large volume of cash and checks, it is 
imperative that it maintain strong controls to appropriately restrict 
access to those assets, the records that track those assets, and 
sensitive taxpayer information. Although IRS has a number of both 
physical and information system controls in place, some of the issues 
we have identified in our financial audits over the years pertain to 
ensuring that those individuals who have direct access to these cash 
and checks are appropriately vetted before being granted access to 
taxpayer receipts and information and to ensuring that IRS maintains 
effective access security control. 

The following two open short-term recommendations would help IRS 
improve its access restrictions to assets and records. (See table 5.) 

Table 5: Recommendations to Improve IRS's Access Restrictions to and 
Accountability for Resources and Records: 

ID. No.: 05-11; 
Recommendations: Enforce adherence to existing instructions on 
safeguarding taxpayer receipts and information, such as securing access 
and candling procedures, at service center campuses selected for 
significant reductions in their submission processing functions. (short-
term). 

ID. No.: 05-13; 
Recommendations: Enforce its existing requirement that appropriate 
background investigations be completed for contractors before they are 
granted staff-like access to service centers. (short- term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Proper Recording and Documenting of Transactions: 

One of the largest obstacles continuing to face IRS management is the 
agency's lack of an integrated financial management system capable of 
producing the accurate, useful, and timely information IRS managers 
need to assist in making well-informed day-to-day decisions. While IRS 
is making progress in modernizing its financial management 
capabilities, it nonetheless continues to face many pervasive internal 
control weaknesses related to its long-standing systems deficiencies 
that we have reported each year since we began auditing its financial 
statements in fiscal year 1992. 

However, IRS also has a number of internal control issues that relate 
to recording transactions, documenting events, and tracking the 
processing of taxpayer receipts or information, which do not depend 
upon improvements in information systems. 

We have grouped three control activities together that relate to proper 
recording and documenting of transactions: (1) appropriate 
documentation of transactions and internal controls, (2) accurate and 
timely recording of transactions and events, and (3) proper execution 
of transactions and events. 

Appropriate Documentation of Transactions and Internal Control: 

Text box: 

Internal control and all transactions and other significant events need 
to be clearly documented, and the documentation should be readily 
available for examination. The documentation should appear in 
management directives, administrative policies, or operating manuals 
and may be in paper or electronic form. All documentation and records 
should be properly managed and maintained. 

[End of text box] 

IRS collects and processes trillions of dollars in taxpayer receipts 
annually both at its own facilities and at lockbox banks under contract 
to process taxpayer receipts for the federal government. Therefore, it 
is important that IRS maintain effective controls to ensure that all 
documents and records are properly managed and maintained both at its 
facilities and at the lockbox banks. In addition, IRS must adequately 
document and disseminate its procedures to ensure that they are 
available for IRS employees. 

The following 13 open recommendations would assist IRS in improving its 
documentation of transactions and internal control procedures. All are 
short-term in nature (See table 6.) 

Table 6: Recommendations to Improve IRS's Documentation of Transactions 
and Internal Control: 

ID. No.: 04-03; 
Recommendations: Develop procedures to require lockbox managers to 
provide satisfactory evidence that managerial reviews are performed in 
accordance with established guidelines. At a minimum, reviewers should 
sign and date the reviewed documents and provide any comments that may 
be appropriate in the event that their reviews identified problems or 
raised questions. (short-term). 

ID. No.: 05-12; 
Recommendations: Document a methodology for estimating anticipated 
rapid changes in mail volume at future SCCs selected for significant 
reductions in their submission processing functions, taking into 
consideration factors such as the prior rampdown experience at 
Brookhaven. (short-term). 

ID. No.: 05-14; 
Recommendations: Require that background investigation results for 
contractors (or evidence thereof) be on file where necessary, including 
at contractor worksites and security offices responsible for 
controlling access to sites containing taxpayer receipts and 
information. (short-term). 

ID. No.: 05-39; 
Recommendations: Enforce requirements for documenting monitoring 
actions and supervisory review. (short-term). 

ID. No.: 06-01; 
Recommendations: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing. (short-term). 

ID. No.: 06-02; 
Recommendations: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including SCCs, TACs, and units within Large and 
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities 
(TE/GE), establish a system to track acknowledged copies of document 
transmittals. (short-term). 

ID. No.: 06-03; 
Recommendations: Provide instructions to document the follow-up 
procedures performed in those cases where transmittals have not been 
timely acknowledged. (short-term). 

ID. No.: 06-04; 
Recommendations: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines. (short-term). 

ID. No.: 06-07; 
Recommendations: Document supervisory visits by offsite managers to 
TACS not having a manager permanently on-site. This documentation 
should be signed by the manager and should (1) record the time and date 
of the visit, (2) identify the manager performing the visit, (3) 
indicate the tasks performed during the visit, (4) note any problems 
identified, and (5) describe corrective actions planned. (short-term). 

ID. No.: 07-06; 
Recommendations: Revise procedures contained in the Manual Refund Desk 
Reference to reflect the IRM requirements for manual refund initiators 
to (1) monitor the manual refund accounts in order to prevent duplicate 
refunds, and (2) document their monitoring actions. (short-term). 

ID. No.: 07-07; 
Recommendations: Provide to all IRS units responsible for processing 
manual refunds the most current version of the Manual Refund Desk 
Reference. (short-term). 

ID. No.: 07-15; 
Recommendations: Issue a memorandum to employees in the Centralized 
Insolvency Office reiterating the IRM requirement to timely record 
bankruptcy discharge information onto taxpayer accounts in the master 
file or to manually release the liens in the Automated Lien System 
(ALS). (short-term). 

ID. No.: 07-16; 
Recommendations: Issue a memorandum to employees in the Centralized 
Lien Processing Unit reiterating the IRM requirement to date stamp and 
maintain the billing support voucher as evidence of timely processing 
by IRS. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Accurate and Timely Recording of Transactions and Events: 

Text box: 

Transactions should be promptly recorded to maintain their relevance 
and value to management in controlling operations and making decisions. 
This applies to the entire process or life cycle of a transaction or 
event from the initiation and authorization through its final 
classification in summary records. In addition, control activities help 
to ensure that all transactions are completely and accurately recorded. 

[End of text box] 

IRS is responsible for maintaining taxpayer records for tens of 
millions of taxpayers in addition to maintaining its own financial 
records. To carry out this responsibility, IRS often has to rely on 
outdated computer systems or manual work-arounds. Unfortunately, some 
of IRS's recordkeeping difficulties we have reported on over the years 
will not be addressed until it can replace its aging systems, which is 
a long-term effort and is dependent on future funding. 

The following 19 open recommendations would strengthen IRS's 
recordkeeping abilities. (See table 7.) Thirteen of these 
recommendations are short-term, and 6 are long-term. They include some 
specific recommendations regarding requirements for new systems for 
maintaining taxpayer records. Several of the recommendations listed 
affect financial reporting processes, such as subsidiary records and 
appropriate allocation of costs. Some of the issues that gave rise to 
certain of our recommendations directly affect taxpayers, such as those 
involving duplicate assessments, errors in calculating and reporting 
manual interest, errors in calculating penalties, and recovery of trust 
fund penalty assessments. About 47 percent of these recommendations are 
almost 5 years or older and 1 is over 10 years old, reflecting the long-
term nature of the resolution of some of these issues. 

Table 7: Recommendations to Improve IRS's Accurate and Timely Recording 
of Transactions and Events: 

ID. No.: 94-02; 
Recommendations: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts, and 
test the effectiveness of these actions. (short- term). 

ID. No.: 99-01; 
Recommendations: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure that all accounts 
related to a single assessment are appropriately credited for payments 
received. (short-term). 

ID. No.: 99-03; 
Recommendations: Ensure that IRS's modernization blueprint includes 
developing a subsidiary ledger to accurately and promptly identify, 
classify, track, and report all IRS unpaid assessments by amount and 
taxpayer. This subsidiary ledger must also have the capability to 
distinguish unpaid assessments by category in order to identify those 
assessments that represent taxes receivable versus compliance 
assessments and write-offs. In cases involving trust fund recovery 
penalties, the subsidiary ledger should ensure that (1) the trust fund 
recovery penalty assessment is appropriately tracked for all taxpayers 
liable but counted only once for reporting purposes and (2) all 
payments made are properly credited to the accounts of all individuals 
assessed for the liability. (short-term). 

ID. No.: 99-20; 
Recommendations: Analyze and determine the factors causing delays in 
processing and posting Trust Fund Recovery Penalty (TFRP) assessments. 
Once these factors have been determined, IRS should develop procedures 
to reduce the impact of these factors and to ensure timely posting to 
all applicable accounts and proper offsetting of refunds against unpaid 
assessments before issuance. (long-term). 

ID. No.: 99-36; 
Recommendations: Make enhancements to IRS financial systems to include 
recording plant and equipment (P&E) and capital leases as assets when 
purchased and to generate detailed records for P&E that reconcile to 
the financial records. (long-term). 

ID. No.: 01-17; 
Recommendations: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur. (long-term). 

ID. No.: 01-39; 
Recommendations: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities. (long- term). 

ID. No.: 02-08; 
Recommendations: Implement policies and procedures to require that all 
employees itemize on their time cards the time spent on specific 
projects. (long-term). 

ID. No.: 02-09; 
Recommendations: Implement policies and procedures to allocate 
nonpersonnel costs to programs and activities on a routine basis 
throughout the year. (long-term). 

ID. No.: 05-36; 
Recommendations: Assess options to prevent the generation or 
disbursement of refunds associated with accounts with unresolved 
Automated Under Reporter (AUR) discrepancies, including placement of a 
freeze or hold on all such accounts, until the AUR review has been 
completed. (short-term). 

ID. No.: 06-21; 
Recommendations: Generate aging reports when an asset remains in 
pending disposal status for longer than a specified period of time. 
(short-term). 

ID. No.: 06-22; 
Recommendations: Direct Facilities Management Branch managers to 
research and resolve the aging reports. (short-term). 

ID. No.: 07-09; 
Recommendations: Enhance its computer program to check for outstanding 
tax liabilities associated with both the primary and secondary Social 
Security Numbers shown on a joint tax return and apply credits to those 
balances before issuing any refund. (short-term). 

ID. No.: 07-10; 
Recommendations: Instruct Revenue Officers making the TFRP assessments 
to research whether the responsible officers are filing jointly with 
their spouses and to place a refund freeze on the joint account until 
the computer programming change can be completed. (short-term). 

ID. No.: 07-11; 
Recommendations: Correct the penalty calculation programs in the master 
file so that penalties are calculated in accordance with the applicable 
Internal Revenue Code and implementing IRM guidance. (short-term). 

ID. No.: 07-12; 
Recommendations: Research each of the taxpayer accounts that may have 
been affected by the programming errors to determine whether they 
contain overassessed penalties and correct the accounts as needed. 
(short-term). 

ID. No.: 07-13; 
Recommendations: Establish procedures and specify in the IRM that at 
the time of receipt, employees recording taxpayer payments should (1) 
determine if the payment is more than sufficient to cover the tax 
liability of the tax period specified on the payment or earliest 
outstanding tax period, (2) perform additional research to resolve any 
outstanding issues on the account, (3) determine whether the taxpayer 
has outstanding balances in other tax periods, and (4) apply available 
credits to satisfy the outstanding balances in other tax periods. 
(short-term). 

ID. No.: 07-14; 
Recommendations: Establish procedures and specify in the IRM that 
employees review taxpayer accounts with freeze codes that contain 
credits weekly to (1) research and resolve any outstanding issues on 
the account, (2) determine whether the taxpayer has outstanding 
balances in other tax periods, and (3) apply available credits to 
satisfy the outstanding balances in other tax periods. (short-term). 

ID. No.: 07-18; 
Recommendations: Adjust errors in recorded installment agreement user 
fees as necessary to correctly reflect the user fees IRS earned and 
collected from taxpayers. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Proper Execution of Transactions and Events: 

Text box: 

Transactions and other significant events should be authorized and 
executed only by persons acting within the scope of their authority. 
This is the principal means of assuring that only valid transactions to 
exchange, transfer, use, or commit resources and other events are 
initiated or entered into. Authorizations should be clearly 
communicated to managers and employees. 

[End of text box] 

IRS employs tens of thousands of people in its 10 SCCs, three computing 
centers, and numerous field offices throughout the United States. In 
addition, the number of staff increases significantly during the peak 
of the tax filing season. Because of the tremendous number of personnel 
involved, IRS must maintain effective control over which employees are 
authorized to either view or change sensitive taxpayer data. IRS's 
ability to establish access rights and permissions for information 
systems is a critical control. 

Each year, IRS pays out hundreds of billions of dollars in tax refunds, 
some of which are distributed to taxpayers manually.[Footnote 13] IRS 
requires that all manual refunds be approved by designated officials. 
However, weaknesses in the authorization of such approving officials 
expose the federal government to losses because of the issuance of 
improper refunds. The following open short-term recommendation would 
improve IRS's controls over its manual refund transactions. (See table 
8.) 

Table 8: Recommendation to Improve IRS's Execution of Transaction and 
Events: 

ID. No.: 05-37; 
Recommendation: Enforce documentation requirements relating to 
authorizing officials charged with approving manual refunds. (short-
term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Effective Management Review and Oversight: 

All personnel within IRS have an important role in establishing and 
maintaining effective internal controls, but IRS's managers have 
additional review and oversight responsibilities. Management must set 
the objectives, put the control mechanisms and activities in place, and 
monitor and evaluate controls. Without effective monitoring by 
managers, internal control activities may not be carried out 
consistently and on time. 

We have grouped three control activities together related to effective 
management review and oversight: (1) reviews by management at the 
functional or activity level, (2) establishment and review of 
performance measures and indicators, and (3) management of human 
capital. Although we also include the control activity "top-level 
reviews of actual performance" in this grouping, we do not have any 
open recommendations to IRS related to this internal control activity. 

Reviews by Management at the Functional or Activity Level: 

Text box: 

Managers need to compare actual performance to planned or expected 
results throughout the organization and analyze significant 
differences. 

[End of text box] 

IRS has over 80,000 full-time employees and hires over 20,000 seasonal 
personnel to assist during the tax filing season. In addition, as 
discussed earlier, Treasury's Financial Management Service contracts 
with banks to process tens of thousands of individual receipts, 
totaling hundreds of billions of dollars. At any organization, 
management oversight of operations is important, but with an 
organization as vast in scope as IRS, management oversight is 
imperative. 

The following 17 open short-term recommendations would improve IRS's 
management oversight. (See table 9.) Many of these recommendations were 
made to correct instances where an internal control activity either 
does not exist or where an established control is not being adequately 
or consistently applied. Several of these recommendations emphasize 
improvements needed to IRS's oversight of lockbox banks and contracted 
courier programs in order to ensure appropriate physical control over 
vulnerable assets, such as taxpayer receipts. However, a number of 
these recommendations are aimed at enhancing IRS's own assessment of 
its internal controls over financial reporting in accordance with the 
requirements of the revised OMB Circular No. A-123. 

Table 9: Recommendations to Improve IRS's Reviews by Management at the 
Functional or Activity Level: 

ID. No.: 99-22; 
Recommendations: Expand IRS's current review of campus deterrent 
controls to include similar analyses of controls at IRS field offices 
in areas such as courier security, safeguarding of receipts in locked 
containers, requirements for fingerprinting employees, and requirements 
for promptly overstamping checks made out to "IRS" with "Internal 
Revenue Service" or "United States Treasury." Based on the results, IRS 
should make appropriate changes to strengthen its physical security 
controls. (short-term). 

ID. No.: 01-06; 
Recommendations: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues. (short-term). 

ID. No.: 05-22; 
Recommendations: Provide a written reminder to courier contractors of 
the need to adhere to all courier service procedures. (short-term). 

ID. No.: 05-23; 
Recommendations: Periodically verify that contractors entrusted with 
taxpayer receipts and information off site adhere to IRS procedures. 
(short-term). 

ID. No.: 05-33; 
Recommendations: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information. (short-term). 

ID. No.: 05-38; 
Recommendations: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts. (short-term). 

ID. No.: 05-40; 
Recommendations: Enforce the requirement that command code profiles be 
reviewed at least once annually. (short-term). 

ID. No.: 06-11; 
Recommendations: Refine the scope and nature of its periodic reviews of 
candling processes at SCCs to ensure they (1) encompass tests of 
whether envelopes are properly candled through observation of candling 
in process and inquiry of employees who perform initial and final 
candling and (2) document the nature and scope of the test and 
observation results. (short-term). 

ID. No.: 06-14; 
Recommendations: Refine the scope and nature of its periodic security 
reviews to encompass (1) testing the effectiveness of controls intended 
to ensure that only individuals with proper credentials are permitted 
access to SCCs and lockbox banks, and (2) reviewing the integrity of 
perimeter security at SCCs. (short-term). 

ID. No.: 07-17; 
Recommendations: Monitor installment agreement user fee activity on a 
regular basis. (short-term). 

ID. No.: 07-19; 
Recommendations: Establish sufficient review procedures to help ensure 
that adjustments to installment agreement user fees collected from 
taxpayers are accurately and timely recorded. (short- term). 

ID. No.: 07-22; 
Recommendations: Document the results of internal control tests 
conducted in a manner sufficiently clear and complete to explain how 
control procedures were tested, what results were achieved, and how 
conclusions were derived from those results, without reliance on 
supplementary oral explanation. (short-term). 

ID. No.: 07-23; 
Recommendations: Clearly document how it considered existing reviews 
and audits in determining the nature, scope, and timing of procedures 
it planned to conduct under its A-123 process. (short-term). 

ID. No.: 07-24; 
Recommendations: To the extent that it intends to use the information 
security work conducted under the Federal Information Security 
Management Act of 2002 (FISMA) to meet related A-123 requirements, 
identify the areas where the work conducted under FISMA does not meet 
the requirements of OMB Circular No. A-123 and, considering the 
findings and recommendations of our work on IRS's information security, 
expand FISMA procedures or perform additional procedures as part of the 
A-123 reviews to augment FISMA work. (short- term). 

ID. No.: 07-25; 
Recommendations: Revise test plans to include appropriate consideration 
of the design of internal controls in addition to implementation of 
controls over individual transactions. (short-term). 

ID. No.: 07-26; 
Recommendations: Work with Treasury to identify laws and regulations 
that are significant to financial reporting, test controls over 
compliance with those laws and regulations, and evaluate and report on 
the results of such control reviews. (short-term). 

ID. No.: 07-27; 
Recommendations: Begin devising appropriate A-123 follow-up procedures 
for the last three months of the fiscal year to be implemented once the 
material weaknesses identified through the annual financial statement 
audits have been resolved. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Establishment and Review of Performance Measures and Indicators: 

Text box: 

Activities need to be established to monitor performance measures and 
indicators. These controls could call for comparisons and assessments 
relating different sets of data to one another so that analyses of the 
relationships can be made and appropriate actions taken. Controls 
should also be aimed at validating the propriety and integrity of both 
organizational and individual performance measures and indicators. 

[End of text box] 

IRS's operations include a vast array of activities encompassing 
educating taxpayers, processing of taxpayer receipts and data, 
disbursing hundreds of billions of dollars in refunds to millions of 
taxpayers, maintaining extensive information on tens of millions of 
taxpayers, and seeking collection from individuals and businesses that 
fail to comply with the nation's tax laws. Within its compliance 
function, IRS has numerous activities, including identifying businesses 
and individuals that underreport income, collecting from taxpayers that 
do not pay, and collecting from those receiving refunds for which they 
are not eligible. Although IRS has at its peak over 100,000 employees, 
it still faces resource constraints in attempting to fulfill its 
duties. Because of this, it is vitally important for IRS to have sound 
performance measures to assist it in assessing its performance and 
targeting its resources to maximize the government's return on 
investment. 

However, in past audits we have reported that IRS did not capture costs 
at the program or activity level to assist in developing cost-based 
performance measures for its various programs and activities. As a 
result, IRS is unable to measure the costs and benefits of its various 
collection and enforcement efforts to best target its available 
resources. Additionally, we have reported that IRS's controls over its 
reporting of interim performance measurement data were not effective 
throughout the year because the data reported at interim periods for 
certain performance measures were either not accurate or were outdated. 

The following three open recommendations are designed to assist IRS in 
evaluating its operations, determining which activities are the most 
beneficial, and establishing a good system for oversight. (See table 
10.) These recommendations--two long-term and one short-term--call for 
IRS to measure, track, and evaluate the cost, benefits, or outcomes of 
its operations--particularly with regard to identifying its most 
effective tax collection activities. 

Table 10: Recommendations to Improve IRS's Establishment and Review of 
Performance Measures and Indicators: 

ID. No.: 99-29; 
Recommendations: Develop the data to support meaningful cost 
information categories and cost-based performance measures. (long- 
term). 

ID. No.: 01-04; 
Recommendations: As an alternative to prematurely suspending active 
collection efforts, and using the best available information, develop 
reliable cost-benefit data relating to collection efforts for cases 
with some collection potential. These cost-benefit data would include 
the full cost associated with the increased collection activity (i.e., 
salaries, benefits, administrative support), as well as the expected 
additional tax collections generated. (short-term). 

ID. No.: 01-12; 
Recommendations: For (1) IRS's Automated Underreporter and Combined 
Annual Wage Reporting programs, (2) screening and examination of Earned 
Income Tax Credit claims, and (3) identifying and collecting previously 
disbursed improper refunds, use the best available information to 
develop reliable cost-benefit data to estimate the tax revenue 
collected by, and the amount of improper refunds returned to, IRS for 
each dollar spent pursuing these outstanding amounts. These data would 
include (1) an estimate of the full cost incurred by IRS in performing 
each of these efforts, including the salaries and benefits of all staff 
involved, as well as any related nonpersonnel costs, such as supplies 
and utilities and (2) the actual amount (a) collected on tax amounts 
assessed and (b) recovered on improper refunds disbursed. (long-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Management of Human Capital: 

Text box: 

Effective management of an organization's workforce--its human capital-
-is essential to achieving results and an important part of internal 
control. Management should view human capital as an asset rather than a 
cost. Only when the right personnel for the job are on board and are 
provided the right training, tools, structure, incentives, and 
responsibilities is operational success possible. Management should 
ensure that skill needs are continually assessed and that the 
organization is able to obtain a workforce that has the required skills 
that match those necessary to achieve organizational goals. Training 
should be aimed at developing and retaining employee skill levels to 
meet changing organizational needs. Qualified and continuous 
supervision should be provided to ensure that internal control 
objectives are achieved. Performance evaluation and feedback, 
supplemented by an effective reward system, should be designed to help 
employees understand the connection between their performance and the 
organization's success. As a part of its human capital planning, 
management should also consider how best to retain valuable employees, 
plan for their eventual succession, and ensure continuity of needed 
skills and abilities. 

[End of text box] 

IRS's operations cover a wide range of technical competencies with 
specific expertise needed in tax-related matters; financial management; 
and systems design, development, and maintenance. Because IRS has tens 
of thousands of employees spread throughout the country, management's 
responsibility to keep its guidance up-to-date and its staff properly 
trained is imperative. 

The following three open short-term recommendations would assist IRS in 
its management of human capital. (See table 11.) 

Table 11: Recommendations to Improve IRS's Management of Human Capital: 

ID. No.: 99-25; 
Recommendations: Ensure that additional staff are employed or existing 
staff appropriately cross-trained to be able to perform the master file 
extractions and other ad hoc procedures needed for IRS to continually 
develop reliable balances for financial reporting purposes. (short-
term). 

ID. No.: 07-08; 
Recommendations: Require that managers or supervisors provide the 
manual refund initiators in their units with training on the most 
current requirements to help ensure they fulfill their responsibilities 
to monitor manual refunds and document their monitoring actions to 
prevent the issuance of duplicate refunds. (short-term). 

ID. No.: 07-28; 
Recommendations: Provide A-123 review staff appropriate training, such 
as that available for financial auditors, to enhance their skills in 
workpaper documentation, identification and testing of internal 
controls, and evaluation and documentation of results. (short- term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Concluding Observations: 

Increased budgetary pressures and an increased public awareness of the 
importance of internal control require IRS to carry out its mission 
more efficiently and more effectively while protecting taxpayers and 
their information. 

Sound financial management and effective internal controls are 
essential if IRS is to efficiently and effectively achieve its goals. 
IRS has made substantial progress in improving its financial management 
since its first financial audit, as evidenced by consecutive clean 
audit opinions on its financial statements for the past 7 years, 
resolution of several material internal control weaknesses, and the 
closing of hundreds of financial management recommendations. This 
progress has been the result of hard work throughout IRS and sustained 
commitment of IRS leadership. Nonetheless, more needs to be done to 
fully address the financial management challenges the agency faces. 
Efforts must continue to address the internal control deficiencies that 
continue to exist. Effective implementation of the recommendations we 
have made and continue to make through our financial audits and related 
work could greatly assist IRS in improving its internal controls and 
achieving sound financial management. While we recognize that some 
actions--primarily those related to modernizing automated systems-- 
will take a number of years to resolve, most of our outstanding 
recommendations can be addressed in the short-term. 

Agency Comments and Our Evaluation: 

In commenting on a draft of this report, IRS expressed its appreciation 
for our acknowledgment of the agency's progress in addressing its 
financial management challenges as evidenced by our closure of 25 of 
the 72 open financial management recommendations from last year's 
report. IRS also indicated its continued commitment to work with us to 
take corrective actions that appropriately address the issues 
identified in our recommendations. We will review the effectiveness of 
further corrective actions IRS has taken or will take and the status of 
IRS's progress in addressing all open recommendations as part of our 
audit of IRS's fiscal year 2007 financial statements. 

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of the Senate Committee on Appropriations; Senate 
Committee on Finance; Senate Committee on Homeland Security and 
Governmental Affairs; and Subcommittee on Taxation, IRS Oversight and 
Long-Term Growth, Senate Committee on Finance. We are also sending 
copies to the Chairmen and Ranking Minority Members of the House 
Committee on Appropriations; and the House Committee on Ways and Means; 
Chairman and Vice Chairman of the Joint Committee on Taxation; the 
Secretary of the Treasury; the Director of OMB; the Chairman of the IRS 
Oversight Board; and other interested parties. Copies will be made 
available to others upon request. In addition, the report will be 
available at no charge on GAO's Web site at http://www.gao.gov. 

If you have any questions concerning this report, please contact me at 
(202) 512-3406 or sebastians@gao.gov. Contact points for our Offices of 
Congressional Relations and Public Affairs can be found on the last 
page of this report. GAO staff who made major contributions to this 
report are listed in appendix III. 

Sincerely yours, 

Signed by: 

Steven J. Sebastian: 
Director: 
Financial Management and Assurance: 

[End of section] 

Appendix I: Status of GAO Recommendations from IRS Financial Audits and 
Related Management Reports: 

Count: 1; 
ID. No.: 94-02; 
Recommendation: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts, and 
test the effectiveness of these actions. (short-term); 
Source report: Financial Management: Important IRS Revenue Information 
Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993); 
Status per IRS: Open. An internal action plan has been established to 
improve weaknesses identified. Short-term actions include training for 
those who calculate interest, increased program reviews to verify 
adherence to procedures, and establishment of a process to resolve 
elevated issues; 
Status per GAO: Open. In testing a statistical sample of 45 manual 
interest transactions recorded during fiscal year 2006, we found eight 
errors relating to the calculation and recording of manually calculated 
interest. We estimate that 18 percent of IRS's manual interest 
population contains errors and concluded that IRS controls over this 
area remain ineffective. We will continue to monitor IRS's actions to 
address its control weakness in this area and determine whether to test 
the effectiveness of these controls in future audits. 

Count: 2; 
ID. No.: 99-01; 
Recommendation: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure that all accounts 
related to a single assessment are appropriately credited for payments 
received. (short-term); 
Source report: Internal Revenue Service: Immediate and Long-Term 
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 
30, 1998); 
Status per IRS: Open. As of October 2006, the Small Business/Self- 
Employed (SBSE) division completed nationwide implementation of the new 
web based Automated Trust Fund Recovery (ATFR) Area Office application 
and centralized processing of all Trust Fund Recovery Penalty (TFRP) 
assessments (both automated and manual) at the Ogden campus. In 
addition, SB/SE conducted an analysis of the ATFR campus component. 
This analysis resulted in the submission of numerous work requests and 
Information Technology Asset Management System tickets to address 
deficiencies found in the current programming. SB/SE met with both 
Modernization & Information Technology Services (MITS) and the Chief 
Financial Officer (CFO) and secured concurrence on an action plan; 
Status per GAO: Open. We continue to recognize that automation of the 
current TFRP is needed. IRS has taken several actions to strengthen 
controls and correct programming or procedural deficiencies in the 
cross referencing of payments, including consolidating its TFRP 
processing at the Ogden campus. However, IRS's efforts to date have not 
been fully effective. In fiscal year 2006, we reviewed a statistical 
sample of 80 TFRP payments, made on accounts created since August 2001. 
We found nine instances in which IRS did not properly record the 
payment to all related taxpayer accounts. Of these nine payments, four 
were not properly recorded to all related accounts even though the 
accounts contained the required cross-referencing at the time the 
payments were made. We estimate that 11 percent of these payments may 
not be properly recorded. We will continue to review IRS's initiatives 
to improve posting of TFRP cases and test cases for proper postings to 
all related accounts as part of our fiscal year 2007 financial audit. 

Count: 3; 
ID. No.: 99-03; 
Recommendation: Ensure that IRS's modernization blueprint includes 
developing a subsidiary ledger to accurately and promptly identify, 
classify, track, and report all IRS unpaid assessments by amount and 
taxpayer. This subsidiary ledger must also have the capability to 
distinguish unpaid assessments by category in order to identify those 
assessments that represent taxes receivable versus compliance 
assessments and write-offs. In cases involving trust fund recovery 
penalties, the subsidiary ledger should ensure that (1) the trust fund 
recovery penalty assessment is appropriately tracked for all taxpayers 
liable but counted only once for reporting purposes and (2) all 
payments made are properly credited to the accounts of all individuals 
assessed for the liability. (short-term); 
Source report: Internal Revenue Service: Immediate and Long-Term 
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 
30, 1998); 
Status per IRS: Open. IRS implemented Release 1 of the Custodial Detail 
Data Base (CDDB) in February 2006 and successfully used it for the 
fiscal year 2006 audit to classify unpaid assessments by capturing 
cross- reference information on certain TFRP cases to reduce audit 
reclassifications a year ahead of schedule. This created the unpaid 
assessment subsidiary ledger that is to send weekly data to the Interim 
Revenue Accounting and Control System (IRACS) to post duplicate and non-
duplicate TFRP assessments, all financial classifications, and accrued 
penalty and interest during 2007. IRS also implemented Release 2A in 
January 2006 and added Revenue Trace ID numbers to all payments in the 
Electronic Federal Tax Payment System (EFTPS) associating the payments 
to the deposit tickets at the transaction level for 80 percent of all 
payments. IRS completed the database design for Release 2B to create a 
subsidiary ledger for posting revenue receipts to IRACS, and plans to 
put this into production by October 2007. IRS is developing Release 3 
to address the component of the material weakness to create a 
subsidiary ledger for refunds to IRACS, and to add Trace ID numbers to 
all remaining pre-posted revenue receipt transactions (i.e., Federal 
Tax Deposits, Lockbox, and Integrated Submission and Remittance 
Processing (ISRP). Release 3 is planned to be in production by January 
2008. IRS developed requirements and a business case in December 2006 
for redesigning IRACS to become United States Government Standard 
General Ledger (USSGL) and Joint Financial Management Improvement 
Project (JFMIP) compliant, and we are pursuing funding to complete this 
work in fiscal year 2009; 
Status per GAO: Open. Although IRS successfully implemented the first 
release of CDDB during 2006, its capability of functioning as IRS's 
custodial subsidiary ledger is still years away. We will continue to 
monitor IRS's development of CDDB and will continue to test its 
effectiveness in classifying TFRP cases in IRS's unpaid assessment 
inventory as part of our fiscal year 2007 financial audit. 

Count: 4; 
ID. No.: 99-19; 
Recommendation: Ensure that walk-in payment receipts are recorded in a 
control log prior to depositing the receipts in the locked container 
and ensure that the control log information is reconciled to receipts 
prior to submission of the receipts to another unit for payment 
processing. To ensure proper segregation of duties, an employee not 
responsible for logging receipts in the control log should perform the 
reconciliation. (short-term); 
Source report: Internal Revenue Service: Physical Security Over 
Taxpayer Receipts and Data Needs Improvement (GAO/AIMD-99-15, Nov. 30, 
1998); 
Status per IRS: Closed. Internal Revenue Manual (IRM) 21.3.4.7.4 was 
updated on January 20, 2006, to require the review of Form 795 and all 
supporting documents for accuracy (by an employee other than the 
recipient of the funds) before they are transmitted to Submission 
Processing (SP). The review is required in Taxpayer Assistance Centers 
(TAC) where staffing permits the completion of the review. The staffing 
requirement is where the group manager, secretary, or initial account 
representative (IAR) is collocated with other technical employees 
performing this work. Locations where the review is not 
administratively feasible will not be completed. Still, Field 
Assistance (FA) continued its efforts to mitigate circumstances that 
prevent proper segregation of duties in TACs with limited staffing and, 
in July 2006, approved a Service-wide Electronic Research Program 
(SERP) update for IRM 1.4.11.19.5 to require TAC managers to conduct 
quarterly reviews for payment processing and reconciliation procedures. 
Each employee is to be reviewed a minimum of two times each quarter and 
reviews are to be discussed with the employee as an evaluative record 
of performance. The requirement to conduct the reviews will increase 
the presence of TAC managers in all TACs, including outlying sites and 
those with limited staffing. Increased managerial presence and reviews 
will help mitigate the risks associated with not having segregation of 
duties in small TACs; 
Status per GAO: Open. During our fiscal year 2006 audit, we found that 
payment receipts were recorded in a control log. The control log 
information was agreed to the receipts prior to sending the receipts 
and control log to the submission processing center for further 
processing. However, during our subsequent review of IRS's corrective 
actions in this area we found that the reviews required in the July 
2006 IRM update were not always performed as intended. We will continue 
to evaluate IRS's corrective actions to ensure that receipts are 
processed according to standards and properly segregated among 
employees during our fiscal year 2007 audit. 

Count: 5; 
ID. No.: 99-20; 
Recommendation: Analyze and determine the factors causing delays in 
processing and posting TFRP assessments. Once these factors have been 
determined, IRS should develop procedures to reduce the impact of these 
factors and to ensure timely posting to all applicable accounts and 
proper offsetting of refunds against unpaid assessments before 
issuance. (long-term); 
Source report: Internal Revenue Service: Custodial Financial Management 
Weaknesses (GAO/AIMD- 99-193, Aug. 4, 1999); 
Status per IRS: Open. As of October 2006, SBSE completed nationwide 
implementation of the new Web based ATFR Area Office application and 
centralized processing of all TFRP assessments (both automated and 
manual) at the Ogden campus. In addition, SB/SE conducted an analysis 
of the ATFR campus component. This analysis resulted in the submission 
of numerous work requests and Information Technology Asset Management 
System tickets to address deficiencies found in the current 
programming. SB/SE met with both MITS and CFO and secured concurrence 
on an action plan; 
Status per GAO: Open. We continued to find long delays in IRS's 
processing and posting of TFRP assessments during our fiscal year 2006 
financial audit. In one case, we noted that the revenue officer made 
the TFRP determination in March of 2003 but IRS did not record the 
assessment on the officer's account until February 2006. We will 
continue to review IRS's initiatives to improve posting of TFRP 
assessments and monitor TFRP processing timeliness as part of our 
fiscal year 2007 audit. 

Count: 6; 
ID. No.: 99-22; 
Recommendation: Expand IRS's current review of campus deterrent 
controls to include similar analyses of controls at IRS field offices 
in areas such as courier security, safeguarding of receipts in locked 
containers, requirements for fingerprinting employees, and requirements 
for promptly overstamping checks made out to "IRS" with "Internal 
Revenue Service" or "United States Treasury." Based on the results, IRS 
should make appropriate changes to strengthen its physical security 
controls. (short-term); 
Source report: Internal Revenue Service: Custodial Financial Management 
Weaknesses (GAO/AIMD- 99-193, Aug. 4, 1999); 
Status per IRS: Open. To ensure that all TE/GE Examination employees 
were familiar with the overstamping requirement, TE/GE took a number of 
steps to educate employees. In addition, all TE/ GE Examination groups 
were required to order a "United States Treasury" stamp, and the 
directors confirmed that all managers in their areas had ordered the 
stamps. Finally, TE/GE included in the annual performance plan of 
critical executives and other managers who oversee examination 
functions a commitment to implement a 12-point action plan. TE/GE has 
addressed the safeguarding of receipts through the publication of a 
"Quick Reference Guide for Processing Checks in TE/GE Examination" and 
a July 18, 2005 Managers Alert. TE/GE also developed a checklist for 
use in Examination groups to ensure conformance with GAO's concerns and 
this checklist was incorporated in appropriate fiscal year 2006 
performance plans. Large and Mid-sized Business (LMSB) issued two 
memorandums to all field executives on the need for proper endorsement 
of checks by proper use of this stamp. LMSB required that each field 
executive "certify" that each group either had in their possession or 
was able to obtain the stamp. LMSB will be requesting that its Training 
Branch include this topic when the module on remittance training is 
presented. LMSB has procedures in place to safeguard receipts. Small 
Business/Self-Employed (SB/SE) issued a Managers Message regarding 
overstamping and receipt transmittal (Form 3210) controls in April 
2006. SB/SE also updated Collection and Examination IRM procedures 
regarding overstamping, physical security over remittances, and Form 
3210 controls. SB/SE will continue to reinforce these procedures 
through management communications and other area-level reviews; 
Status per GAO: Open. IRS's corrective actions affecting the (1) SB/SE, 
(2) LMSB, and (3) TE/GE tax operating divisions do not entail the 
recommended expansion of IRS's current reviews at the service center 
campuses (SCC) and taxpayer assistance centers. In addition, during our 
fiscal year 2006 audit, we found a lack of controls over safeguarding 
taxpayer receipts and information at one SB/SE unit. We will evaluate 
IRS's corrective actions during our fiscal year 2007 audit. 

Count: 7; 
ID. No.: 99-25; 
Recommendation: Ensure that additional staff are employed or existing 
staff appropriately cross-trained to be able to perform the master file 
extractions and other ad hoc procedures needed for IRS to continually 
develop reliable balances for financial reporting purposes. (short-
term); 
Source report: Internal Revenue Service: Custodial Financial Management 
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); 
Status per IRS: Open. IRS is enhancing the Service's existing Financial 
Management Information System (FMIS) with the new CDDB and by pursuing 
funding to enhance the IRACS to interface with future releases of CDDB 
and the Customer Account Data Engine (CADE). This will reduce the 
material weaknesses by improving financial reporting compliance, and 
making the general ledger system USSGL and JFMIP requirements 
compliant. This will reduce the level of effort each year for the 
audit, and reduce the reliance on master file extracts and ad hoc 
procedures. Contractor support will continue to supplement compensating 
procedures while CDDB is finalized, and until the IRACS redesign is 
funded and in development; 
Status per GAO: Open. The objective of this recommendation was to 
ensure that IRS had appropriate staff resources at key positions to 
perform the master file extraction and other ad hoc procedures to 
support IRS's preparation of the financial statements in the event of 
staff attrition. In fiscal year 2006, IRS continued to augment its own 
resources with contractor support to produce auditable financial 
statements. In addition, during our review of the key master file 
reconciliations used to support preparation of the financial 
statements, we found that these reconciliations were hampered when a 
former IRS staff was no longer available to perform them. We will 
continue to assess IRS's actions during our fiscal year 2007 audit. 

Count: 8; 
ID. No.: 99-29; 
Recommendation: Develop the data to support meaningful cost information 
categories and cost-based performance measures. (long-term); 
Source report: Internal Revenue Service: Serious Weaknesses Impact 
Ability to Report on and Manage Operations (GAO/AIMD- 99-196, Aug. 9, 
1999); 
Status per IRS: Open. The Integrated Financial System (IFS), 
implemented on November 10, 2004, includes a cost module that provides 
basic cost data to managers. IRS cannot rely on the system as a 
significant planning and decision-making tool. It will likely require 
several years and implementation of additional components, such as a 
workload management system, as well as integration with its tax 
administration activities, before the full potential of IRS's cost 
accounting module will be realized. In the interim, IRS is working on 
two cost pilots in which it is determining the full cost for two 
product lines; 
Status per GAO: Open. We will follow up during future audits to assess 
IRS's progress in implementing a cost accounting system and populating 
it with the cost information needed to support meaningful cost-based 
performance measures. We will also review the cost pilots IRS is 
developing in the interim. 

Count: 9; 
ID. No.: 99-36; 
Recommendation: Make enhancements to IRS financial systems to include 
recording plant and equipment (P&E) and capital leases as assets when 
purchased and to generate detailed records for P&E that reconcile to 
the financial records. (long-term); 
Source report: Internal Revenue Service: Serious Weaknesses Impact 
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 
1999); 
Status per IRS: Closed. IFS, implemented on November 10, 2004, property 
and equipment, including capital leases, are recorded as assets when 
purchased. During fiscal year 2006, IRS improved the accuracy and 
reliability of its P&E accounting records by enhancing accounting code 
definitions, improving coordination, and streamlining analysis of P&E 
transactions. On the basis of these actions and elimination of the 
reportable condition on P&E, this recommendation is closed; 
Status per GAO: Open. IRS implemented the first release of IFS on 
November 10, 2004, which allowed recording the majority of P&E activity 
as assets when purchased. However, due to ongoing technological 
advances and budgetary constraints, IRS is no longer committed to 
implementing additional releases of IFS, which were to include an 
integrated property asset module. Rather, IRS is considering all other 
options available to provide these capabilities. We will monitor IRS's 
strategy in addressing these financial management system issues. 

Count: 10; 
ID. No.: 01-04; 
Recommendation: As an alternative to prematurely suspending active 
collection efforts, and using the best available information, develop 
reliable cost-benefit data relating to collection efforts for cases 
with some collection potential. These cost-benefit data would include 
the full cost associated with the increased collection activity (i.e., 
salaries, benefits, administrative support), as well as the expected 
additional tax collections generated. (short-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Status per IRS: Open. IRS's Collection Governance Council (consisting 
of executives in SB/SE, W&I, and LMSB), established in August 2005, 
continues to mature, enhancing coordination across the enterprise for 
collection issues. The following initiatives will drive improvement in 
the agency's collection resource allocation decisions: IRS created a 
workload delivery model that integrates the work plans of each source 
of assessment to evaluate the overall impact on downstream collection 
operations. It also developed a study group, called Corporate Approach 
to Collection Inventory (CACI), to look at case delivery practices from 
an overall perspective and make recommendations for changes to case 
routing and assignment priorities. It also monitors its non-filer 
strategy and work plan to improve the identification of and selection 
of non-filer cases, then balances the working of non-filer inventory 
with balance-due inventory. In addition, IRS has an ongoing project to 
enhance its decision analytical models used for selecting cases based 
on their predicted collection potential to apply decision analytics to 
both delinquent accounts and unfiled returns; apply decision analytics 
to all categories of taxpayer not just small business, self-employed; 
expand the use of internal and external data sources to improve the 
portion of cases predicted by the models; ultimately develop 
alternative treatment strategies based on the least costly treatment 
indicated by the models; and update definitions for complex cases to 
improve routing to field collection; 
Status per GAO: Open. IRS has initiated several projects to build 
additional analytical models to improve its ability to route cases to 
the appropriate collection activity and is developing a corporate 
strategy for working collection cases. We will continue to review IRS's 
initiatives to manage resource allocation levels for its collection 
efforts. 

Count: 11; 
ID. No.: 01-06; 
Recommendation: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues. (short-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Status per IRS: Open. IRS continues to address the root causes of 
untimely lien releases such as untimely posting of payments, untimely 
credit transfers, certificate of release missing from automated lien 
system/ one taxpayer released from lien by bankruptcy discharge, 
billing support vouchers with no date stamp for proof of mailing, and 
untimely adjustments; 
Status per GAO: Open. During our fiscal year 2006 audit, we continued 
to find delays in release of liens. In fiscal year 2006, IRS performed 
its own test of the effectiveness of its lien release process as part 
of implementing the requirements of the revised OMB Circular No.A-123 
and we reviewed and validated its test results. IRS found 26 instances 
out of 84 cases tested in which it did not release the applicable 
federal tax lien within the statutory period. On the basis of these 
results, IRS estimates that for 31 percent of unpaid tax assessment 
cases in which it had filed a tax lien that were resolved in fiscal 
year 2006, IRS did not release the lien within 30 days. The time 
between the satisfaction of the liability and release of the lien 
ranged from 44 days to 638 days. We will assess the impact of IRS's 
latest actions and continue to review IRS's release of tax liens as 
part of our fiscal year 2007 financial audit. 

Count: 12; 
ID. No.: 01-12; 
Recommendation: For (1) IRS's Automated Underreporter and Combined 
Annual Wage Reporting programs, (2) screening and examination of Earned 
Income Tax Credit claims, and (3) identifying and collecting previously 
disbursed improper refunds, use the best available information to 
develop reliable cost-benefit data to estimate the tax revenue 
collected by, and the amount of improper refunds returned to, IRS for 
each dollar spent pursuing these outstanding amounts. These data would 
include (1) an estimate of the full cost incurred by IRS in performing 
each of these efforts, including the salaries and benefits of all staff 
involved, as well as any related nonpersonnel costs, such as supplies 
and utilities and (2) the actual amount (a) collected on tax amounts 
assessed and (b) recovered on improper refunds disbursed. (long-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Status per IRS: Open. IRS's cost allocation methodology was reviewed 
and enhanced for fiscal year 2006 and further refinements will be 
implemented each year. The first year's data will be reviewed in fiscal 
year 2006 and a plan developed for integrating cost data in decision 
making. The use of the data will be tested in fiscal year 2007 with 
baseline data. However, to achieve maximum benefit in decision making, 
several years' data will be needed. As a result, IRS will fully 
implement the use of cost accounting data for resource allocation 
decisions in fiscal year 2008; 
Status per GAO: Open. During our fiscal year 2006 audit, IRS indicated 
that the objective of the first year's cost data review process was to 
make sure the data were accurate, the cost accounting system was 
working properly, and the data could be used to make budgetary 
decisions. IRS has indicated that its plan for integrating cost data in 
the decision-making process will be determined after the baseline data 
are established. IRS plans to conduct several cost pilots in fiscal 
year 2007 and intends to use the test data from the pilots to establish 
the baseline data. IRS has indicated that it is planning to fully 
implement the use of cost accounting data for resource allocation 
decisions in fiscal year 2008 to the extent possible. We will continue 
to follow up on IRS's progress on this issue during our fiscal year 
2007 audit. 

Count: 13; 
ID. No.: 01-17; 
Recommendation: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur. (long-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Status per IRS: Closed. P&E, including capital leases, are recorded as 
assets when purchased. During fiscal year 2006, IRS improved the 
accuracy and reliability of its P&E accounting records by enhancing 
accounting code definitions, improving coordination, and streamlining 
analysis of P&E transactions. Based on these actions and elimination of 
the reportable condition on P&E, this recommendation is closed; 
Status per GAO: Open. IRS implemented the first release of IFS on 
November 10, 2004, which allowed recording leasehold improvements as 
assets when purchased. However, due to ongoing technological advances 
and budgetary constraints, IRS is no longer committed to implementing 
additional releases of IFS, which were to include an integrated 
property asset module. Rather, IRS is considering all other options 
available to provide these capabilities. We will monitor IRS's strategy 
in addressing these financial management system issues. 

Count: 14; 
ID. No.: 01-39; 
Recommendation: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities. (long-term); 
Source report: Management Letter: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-01-880R, July 30, 
2001); 
Status per IRS: Open. IRS has developed guidance for costing 
reimbursable agreements, which includes instructions on tracking labor. 
IFS includes a cost module that provides basic cost data to managers. 
During fiscal year 2006, IRS further improved its methodology for 
allocating its costs of operations to its business units. This 
methodology uses the cost accounting module of IFS, allows IRS to 
accumulate the full costs of operating each business unit, and provides 
more detail on allocated costs. Actions are ongoing in fiscal year 2007 
to begin gathering the actual cost of selected reimbursable projects; 
Status per GAO: Open. We confirmed that IRS has procedures for costing 
reimbursable agreements that provide the basic framework for the 
accumulation of both direct and indirect costs at the necessary level 
of detail. IRS has improved its methodology for allocating its costs of 
operations to its business units. However, as indicated by IRS, further 
actions are needed for it to accumulate and report actual costs 
associated with reimbursable projects. We will continue to monitor 
IRS's efforts to fully implement its cost accounting system and, once 
it has been fully implemented, evaluate the effectiveness of IRS 
procedures for developing cost information for its reimbursable 
agreements. 

Count: 15; 
ID. No.: 02-08; 
Recommendation: Implement policies and procedures to require that all 
employees itemize on their time cards the time spent on specific 
projects. (long-term); 
Source report: Internal Revenue Service: Progress Made, but Further 
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 
2001); 
Status per IRS: Open. IRS agreed with the objective of this 
recommendation, which is to allow it to collect and report the full 
payroll costs associated with its activities. Most IRS employees 
already itemize their time charges in functional tracking systems. IFS 
provides basic cost data to managers. During fiscal year 2006, IRS 
further improved its methodology for allocating its costs of operations 
to its business units. This methodology uses the cost accounting module 
of IFS, allows IRS to accumulate the full costs of operating each 
business unit, and provides more detail on allocated costs; 
Status per GAO: Open. We confirmed that IRS had improved its cost 
accounting capability from prior fiscal years. However, the cost 
accounting module did not provide IRS with the ability to produce full 
cost information for specific activities and programs. IRS is 
developing a strategy and action plan to enhance cost data and 
integrate budget and performance data. We will continue to monitor 
IRS's efforts to fully implement its cost accounting system, and, once 
it has been fully implemented, evaluate the effectiveness of IRS's 
procedures for developing cost information to use in resource 
allocation decisions. 

Count: 16; 
ID. No.: 02-09; 
Recommendation: Implement policies and procedures to allocate 
nonpersonnel costs to programs and activities on a routine basis 
throughout the year. (long-term); 
Source report: Internal Revenue Service: Progress Made, but Further 
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 
2001); 
Status per IRS: Open. IFS provides basic cost data to managers. During 
fiscal year 2006, IRS further improved its methodology for allocating 
its costs of operations to its business units. This methodology uses 
the cost accounting module of IFS, allows IRS to accumulate the full 
costs of operating each business unit, and provides more detail on 
allocated costs; 
Status per GAO: Open. We confirmed that IRS has improved its cost 
accounting capabilities by developing and implementing a methodology 
for allocating its costs of operations to its business units. However, 
further actions are needed to enable IRS to allocate nonpersonnel costs 
associated with specific programs and activities. We will continue to 
monitor IRS's efforts to fully implement its cost accounting system 
and, once it has been fully implemented, evaluate the effectiveness of 
IRS's procedures for developing cost information to use in resource 
allocation decisions. 

Count: 17; 
ID. No.: 02-16; 
Recommendation: Ensure that field office management complies with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 
2002); 
Status per IRS: Closed. IRM 21.3.4.7.4 was updated on January 20, 2006, 
to require the review of Form 795 and all supporting documents for 
accuracy (by an employee other than the recipient of the funds) before 
they are transmitted to SP. The review is required in TACs where 
staffing permits. In exploring procedures in January 2006 for TACs with 
limited staffing where there is no manager, secretary, or IAR, FA 
determined proposed procedures to be burdensome, difficult to 
administer, and not administratively feasible (e.g., copying and faxing 
Form 795 to the manager). Also, based on a September 2005 report by the 
Treasury Inspector General for Tax Administration (TIGTA) on payments 
received at TACs (report No. 2005-40-148), 99 percent of payments 
posted appropriately to taxpayer accounts. This accuracy rate combined 
with compensating controls at the Submission Processing Centers (SPC) 
effectively reduces risks associated with not having reconciliation 
processes in small TACs. Still, FA continued its efforts to mitigate 
circumstances that prevent proper segregation of duties in TACs with 
limited staffing and, in July 2006, approved a SERP update for IRM 
1.4.11.19.5 to require TAC managers to conduct quarterly reviews for 
payment processing and reconciliation procedures. Each employee is to 
be reviewed a minimum of two times each quarter and reviews are to be 
discussed with the employee as an evaluative record of performance. The 
requirement to conduct the reviews will increase the presence of TAC 
managers in all TACs, including outlying sites and those with limited 
staffing. Increased managerial presence and reviews will help mitigate 
the risks associated with not having segregation of duties in small 
TACs; 
Status per GAO: Open. During our fiscal year 2006 audit, we found a 
lack of segregation of duties related to preparation and review of 
receipt transmittals (Form 3210) at two of the nine TACs we visited. At 
these locations, the TAC managers implemented the review process for 
Forms 3210 on the dates of our internal control test. While the TIGTA 
report cited by IRS addresses the accuracy of the payments posted, it 
does not address the risk of payments not being recorded. Segregation 
of duties is a key control used to reduce the risk of unposted payments 
due to error and fraud related to revenue receipt transactions. Also, 
IRS has noted that changes were made to its IRM in July 2006 to require 
quarterly reviews of payment processing and reconciliation procedures. 
However, we found that the required reviews were not always performed 
as intended. We will continue to evaluate IRS's corrective actions 
during our fiscal year 2007 audit. 

Count: 18; 
ID. No.: 02-18; 
Recommendation: Work with the National Finance Center (NFC) to resolve 
the technical limitations that exist within the Security Entry and 
Tracking System (SETS) database and continue to periodically review 
SETS data to detect and correct errors. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 
2002); 
Status per IRS: Closed. In July 2005, NFC demonstrated a Web-version of 
SETS and more IRS requirements are to be accommodated in that system. 
To date, IRS has not received a projected implementation from NFC. 
Monthly reports are being reviewed and analyzed. Problems are reported 
to Agency-Wide Shared Services (AWSS) to address with the Department of 
the Treasury and NFC. AWSS continues to monitor SETS reports for each 
pay period and coordinates with employment offices when corrections are 
needed. IRS and NFC continue to engage in ongoing discussions on 
reconciliations and error adjustments as needed. NFC controls the time-
table for deploying a web version of SETS; however, no time table has 
been set and no meetings are being convened; 
Status per GAO: Open. As of the end of our fiscal year 2006 audit, IRS 
and NFC had not completed their deployment of the Web-based version of 
the SETS database. We will continue to monitor IRS's actions during our 
fiscal year 2007 audit. 

Count: 19; 
ID. No.: 03-15; 
Recommendation: Require lockbox management to ensure that envelopes are 
properly candled and that IRS takes steps to monitor adherence to this 
requirement. (short-term); 
Source report: Lockbox Banks: More Effective Oversight, Stronger 
Controls, and Further Study of Costs and Benefits are Needed (GAO-03-
299, Jan. 15, 2003); 
Status per IRS: Closed. Effective October 2005, candling reviews are 
conducted at all lockbox bank sites to ensure all candling requirements 
are met. These internal control reviews ensure that envelopes opened 
(manually or by OPEX) on three or more sides are candled once and that 
envelopes other than the ones opened on three or more sides are candled 
twice. The results of these reviews are used to calculate each bank's 
performance score. As a result of implementing these measures in the 
first year, an unfavorable score can result in IRS deeming the subject 
bank ineligible to bid for new work or additional volume, loss of 
current work, or placing the bank in a probationary status. 
Additionally, there were no lockbox findings issued for candling during 
the fiscal year 2006 financial statement audit; 
Status per GAO: Closed. We verified that lockbox management conducts 
reviews to ensure that envelopes are properly candled. During our 
fiscal year 2006 audit, we did not find any instances in which 
envelopes were not being properly candled at the four lockbox banks 
that we visited. 

Count: 20; 
ID. No.: 03-29; 
Recommendation: Confirm with FMS that IRS's requirements for background 
and fingerprint checks for courier services are met regardless of 
whether IRS or FMS negotiates the service agreement. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-03-562R, May 30, 2003); 
Status per IRS: Closed. During 2002, FMS issued an amendment to the 
courier Memorandum of Understanding (MOU), which included the 
requirement that all courier employees satisfy the basic investigation, 
including a Federal Bureau of Investigation (FBI) fingerprint and name 
check. All 10 IRS campuses now have a contact responsible for 
submitting paperwork to the National Background Investigations Center 
(NBIC) and ensuring courier employees are granted clearance. During 
2003, IRS required NBIC to provide monthly status reports of the campus 
compliance with this requirement. During fiscal year 2006, all courier 
MOUs and NBIC reports were received monthly, enabling IRS to identify 
problems and issues more quickly; 
Status per GAO: Closed. During our fiscal year 2006 audit, we found no 
instances in which updated courier service contracts did not contain 
the requirements for background and fingerprint checks. 

Count: 21; 
ID. No.: 03-32; 
Recommendation: Prohibit the storage of employees' personal belongings 
with cash payments and receipts at IRS's taxpayer assistance centers. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-03-562R, May 30, 2003); 
Status per IRS: Closed. TAC procedures (IRM 21.3.4.7.3.1(2)) prohibit 
storing of personal items with any taxpayer- related documents. 
Procedures further prohibit storing taxpayer receipts in the same 
storage container with employee personal items. Personal items and 
taxpayer-related documents must not be stored in the same container 
under the same locking device; 
Status per GAO: Closed. We verified that IRS prohibits its employees 
from storing personal belongings with any taxpayer-related documents. 

Count: 22; 
ID. No.: 04-03; 
Recommendation: Develop procedures to require lockbox managers to 
provide satisfactory evidence that managerial reviews are performed in 
accordance with established guidelines. At a minimum, reviewers should 
sign and date the reviewed documents and provide any comments that may 
be appropriate in the event that their reviews identified problems or 
raised questions. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, April 26, 2004); 
Status per IRS: Closed. During fiscal year 2006, IRS established and 
implemented a new Data Collection Instrument (DCI) review, entitled 
"Processing-Internal Controls." During on-site reviews, the following 
logs are required to be reviewed: desk and work area, date stamp, cash, 
candling, shred, and mail. The results of these DCI reviews are rolled 
into a calculation to determine each bank's score in the new bank 
performance measurement process. In addition, lockbox personnel are 
required to perform similar reviews monthly and report results to the 
lockbox field coordinators (FC). The report must contain the following: 
date of review, shifts reviewed, results of the review (even when no 
items are found), and reviewer's and site manager's initials and/or 
signature as required by the Lockbox Processing Guidelines (LPG). To 
further strengthen this internal control, effective June 1, 2006, 
additional review of the monthly reports (F9535/Discovered Remittance, 
candling log, disk checks/audits, and shred) received from the lockbox 
site was performed by the lockbox FC. Specific check points were added 
to the "Monthly Reports" DCI that is a part of the procedural DCI 
performed at the SPC. In addition to confirming the receipt and 
timeliness of the reports, coordinators reviewed the reports to ensure 
they were complete per the LPG requirements and that all required 
management signatures/initials were present to provide satisfactory 
evidence that the managerial reviews are performed; 
Status per GAO: Open. We verified that IRS established and implemented 
a processing internal control DCI and scorecard to measure whether 
managerial reviews are performed at lockbox banks of logs, including 
desk and work area, date stamp, cash, candling, shred, and mail. 
However, during our fiscal year 2006 audit, we identified instances at 
two lockbox banks we visited where lockbox managers or their designees 
had not documented managerial reviews of courier logs. We will continue 
to evaluate IRS's corrective actions during our fiscal year 2007 audit. 

Count: 23; 
ID. No.: 04-07; 
Recommendation: Develop procedures to enhance adherence to existing 
instructions on safeguarding discovered remittances at service center 
campuses. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, April 26, 2004); 
Status per IRS: Closed. IRM 3.8.46, Discovered Remittances, was issued 
during 2003 and 10,000 copies were distributed to all campuses. Form 
4287 (Record of Discovered Remittances) was revised to enhance 
adherence to existing instructions by including a check box for 
managers to indicate the reconciliation was performed. Additionally, SP 
revised the monthly security checklist to include a review of the 
discovered remittance procedures. A Discovered remittances job aid was 
added to IRM 3.8.46. During the monthly security checklist reviews, it 
was observed that noncompliance generally occurred in functions outside 
SP. Therefore, SP is committed to conducting quarterly meetings with 
the noncompliant offices to reinforce discovered remittances 
procedures; 
Status per GAO: Closed. We verified that the IRM contains a discovered 
remittances job aid to be used for recording discovered remittances. 

Count: 24; 
ID. No.: 04-08; 
Recommendation: Enforce policies and procedures to ensure that service 
center campus security guards respond to alarms. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04- 553R, April 26, 2004); 
Status per IRS: Closed. IRM 1.16.12 has been revised and implemented to 
reflect the testing of alarms and guard response requirements. The 
Physical Security and Emergency Preparedness Office (PSEP) has 
developed self-assessment procedures to conduct random testing of guard 
response to alarms at all campuses and computing centers. Report forms 
have also been developed to capture test results. The unannounced tests 
are performed quarterly and guard responses as well as any malfunction 
of equipment will be documented and followed up for corrective action. 
The testing ensures that guards respond to alarms expeditiously and 
that malfunctioning equipment is identified and corrective actions are 
identified and followed through until the correction is completed; 
Status per GAO: Open. We verified that IRS has taken steps to ensure 
that SCC security guards respond to alarms, which include revising the 
IRM to reflect the testing of alarms and guard response requirements 
and conducting unannounced alarm tests. However, during our fiscal year 
2006 audit, we found instances at two of four SCCs we visited where 
guards did not respond to our tests of door alarms. We will evaluate 
IRS's corrective actions during our fiscal year 2007 audit. 

Count: 25; 
ID. No.: 04-09; 
Recommendation: Establish compensating controls in the event that 
automated security systems malfunction, such as notifying guards and 
managers of the malfunction, and immediately deploying guards to better 
protect the processing center's perimeter. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, April 26, 2004); 
Status per IRS: Closed. Mission Assurance (MA) developed alarm testing 
procedures which are used to supplement the requirements in IRM 
1.16.12. The IRM and supplemental procedures require the notification 
of local management whenever there is a malfunction of alarms. The 
procedures also require that guards are deployed or doors are secured, 
as necessary, either during tests or when otherwise identified. The 
contract guard force project manager is required to sign off on all 
unannounced alarm test reports. Test results are maintained by the PSEP 
office; 
Status per GAO: Closed. We verified that IRS revised language in the 
IRM that addresses specific compensating actions to be taken in the 
event of sporadic malfunctioning alarms or an overall system failure. 

Count: 26; 
ID. No.: 04-15; 
Recommendation: Until the Business Performance Management System (BPMS) 
is fully operational, implement procedures to ensure that all 
performance data reported in the MSP report are subject to effective, 
documented reviews to provide reasonable assurance that the data are 
current at interim periods. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, April 26, 2004); 
Status per IRS: Closed. IRS has taken steps to ensure that the 
performance measures data reported in the monthly report are properly 
reviewed before being published. All divisions now submit most of their 
performance measures data directly to BPMS. The divisions are required 
to verify/certify the accuracy of the data before uploading to BPMS. 
Corporate Performance Budgeting staff implemented additional manual 
quality control procedures that include reviewing all tables, charts, 
and line graphs and visually inspecting the numbers and comparing the 
information to the previous month's report for consistency. In 
addition, IRS is working with Treasury to streamline its current set of 
performance measures. Its purpose is to increase the value of the 
information provided to stakeholders, focus priorities, and reduce 
administrative burden; 
Status per GAO: Closed. During our fiscal year 2006 financial audit of 
IRS, we reviewed IRS's process for compiling its performance measures, 
including its BPMS, and reviewed supporting documentation and 
calculations of two interim performance measures. We did not identify 
any exceptions in our test of IRS's performance measures at the interim 
testing period. 

Count: 27; 
ID. No.: 05-03; 
Recommendation: Research and resolve the current backlog of unresolved 
unmatched exception reports. (short- term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Status per IRS: Closed. All backlogs were resolved the week ending May 
12, 2006, and an extract was run to verify that all entries had been 
resolved; 
Status per GAO: Closed. IRS's Centralized Case Process/Lien Processing 
Unit at the Cincinnati campus researched and resolved its backlog of 
unresolved unmatched exception reports. In February 2007, we observed 
that there was no backlog of unresolved, unmatched exception reports. 

Count: 28; 
ID. No.: 05-04; 
Recommendation: Research and resolve unmatched exception reports 
weekly. (short-term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Status per IRS: Closed. Lien Unit managers ensure that the unmatched 
exception report is pulled and resolved weekly within 5 business days. 
As an additional control, a subsequent extract report is produced to 
identify any potentially unresolved modules in order to ensure all 
accounts are worked. With the implementation of the September 2006 
Automated Lien System (ALS) 8.3 release, the extract will no longer be 
necessary as the weekly report will be cumulative. Existing inventory 
is captured weekly on local monitoring reports; 
Status per GAO: Closed. IRS's Centralized Case Process/Lien Processing 
Unit is currently researching and resolving unmatched exception reports 
weekly within 5 business days. In February 2007, we observed that IRS 
was researching and resolving unmatched exception reports weekly. 

Count: 29; 
ID. No.: 05-06; 
Recommendation: Research and resolve the current backlog of unresolved 
manual interest or penalties reports. (short-term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Status per IRS: Closed. This recommendation is closed based on the 
completion of the backlog as verified by an extract report showing no 
inventory for restricted interest; 
Status per GAO: Closed. IRS's Centralized Case Process/Lien Processing 
Unit completed researching and resolving its backlog of unresolved 
manual interest or penalties reports. In February 2007, we verified 
that there was no backlog of unresolved manual interest or penalties 
reports. 

Count: 30; 
ID. No.: 05-07; 
Recommendation: Research and resolve exception reports containing liens 
with manually calculated interest or penalties weekly, as called for in 
the Internal Revenue Manual and the ALS User Guide. (short-term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Status per IRS: Closed. ALS receives a master file data extract listing 
modules where liabilities have been fully paid. The data extract that 
is matched against information in the ALS system automatically releases 
liens when there is a match, including restricted interest and penalty 
modules. After a review of 300 satisfied modules, IRS identified five 
cases with additional restricted interest or penalty. The remaining 
amounts due after computation were for very small amounts, less than 
$10. On the basis of those reviews, IRS determined these cases should 
receive systemic releases; 
Status per GAO: Closed. IRS reprogrammed its ALS to automatically 
release liens once the taxpayer's account was fully paid, even if it 
contains a manual interest indicator. Previously, IRS's IRM required it 
to review accounts containing a manual interest or penalty indicator, 
to determine whether the manually recorded interest and penalty amounts 
were correct and whether it should assess the taxpayer any additional 
interest or penalty before releasing the lien. IRS has decided not to 
hold up the lien release on such accounts for a review and has changed 
its computer programming to automatically release the lien once the 
account balance reaches zero. We obtained and reviewed a computer 
extract from February 2007 showing that accounts containing manual 
interest or penalty are no longer held up from automated lien release. 

Count: 31; 
ID. No.: 05-09; 
Recommendation: Improve the current unmatched exception report by 
including a cumulative list of all unmatched taxpayer accounts that 
have not been resolved to date. (short-term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Status per IRS: Closed. Effective July 21, 2006, the Satisfied Module 
Rejected Report became a cumulative report. Rejected releases are 
listed and remain on the report until resolved; 
Status per GAO: Closed. We verified that IRS improved the current 
unmatched exception report by changing it to a cumulative list of all 
unmatched taxpayer accounts that have not been resolved to date. 

Count: 32; 
ID. No.: 05-11; 
Recommendation: Enforce adherence to existing instructions on 
safeguarding taxpayer receipts and information, such as securing access 
and candling procedures, at service center campuses selected for 
significant reductions in their submission processing functions. (short-
term); 
Source report: Management Report: Review of Controls over Safeguarding 
Taxpayer Receipts and Information at the Brookhaven Service Center 
Campus (GAO- 05-319R, Mar. 10, 2005); 
Status per IRS: Closed. IRS has enforced adherence to existing 
instructions on safeguarding taxpayer receipts and information by 
including this requirement in the monthly Campus Security Reviews which 
are also reviewed annually by the National Office Security Review Team 
at selected sites. Local management continually reinforces these 
requirements through employee counseling and individual and group 
meetings with security clerks to ensure procedures for issuance of 
badges, inventory of badges, and security of taxpayer receipts and 
information. Meetings have also been held to discuss candling 
procedures. Local management conducts weekly and monthly reviews to 
ensure adherence to these procedures. Additional refresher training, 
alerts, and managerial review were implemented to reinforce compliance 
with IRM 1.4.16.5.9 requirements for managerial and clerical reviews; 
Status per GAO: Open. We verified that IRS has implemented monthly 
Campus Security Reviews, local management reviews, and alerts to 
enforce adherence to existing instructions on safeguarding taxpayer 
receipts and information by SCCs selected for significant reductions in 
their submission processing functions. However, during our fiscal year 
2006 audit, we found instances at one SCC selected for significant 
reductions in its submission processing functions where mail 
potentially containing taxpayer receipts was not secured overnight. We 
will evaluate IRS's corrective actions during our fiscal year 2007 
audit. 

Count: 33; 
ID. No.: 05-12; 
Recommendation: Document a methodology for estimating anticipated rapid 
changes in mail volume at future SCCs selected for significant 
reductions in their submission processing functions, taking into 
consideration factors such as the prior rampdown experience at 
Brookhaven. (short-term); 
Source report: Management Report: Review of Controls over Safeguarding 
Taxpayer Receipts and Information at the Brookhaven Service Center 
Campus (GAO-05-319R, Mar. 10, 2005); 
Status per IRS: Open. IRS has drafted a methodology using historical 
data obtained from the Brookhaven and Memphis campus ramp- down. 
Pending approval by the Director of Accounts Management for Wage and 
Investment (W&I), this methodology will be used in future 
consolidations to ensure that IRS has reliable data to effectively 
manage resources during and after the consolidation period; 
Status per GAO: Open. We will evaluate IRS's efforts to develop and 
document an approved methodology for estimating mail volume for future 
sites selected for ramp-down during our fiscal year 2007 audit. 

Count: 34; 
ID. No.: 05-13; 
Recommendation: Enforce its existing requirement that appropriate 
background investigations be completed for contractors before they are 
granted staff-like access to service centers. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. MA & Security Service (SS) physical security 
analysts issue identification (ID) media to contractors upon receipt of 
the following from the Contracting Officer's Technical Representative 
(COTR): (1) Non-IRS Identification Card Request, (2) Request for ID 
Media/Access Card for Contract Employee or similar request form, (3) 
NBIC clearance letter, and (4) Personal Identity Verification for 
Federal Employees and Contractors form. These documents are maintained 
on-site by the MA & SS Physical Security Office where ID media is 
issued; 
Status per GAO: Open. We verified that IRS issued guidance to enforce 
its existing background investigation requirement. However, a recent 
TIGTA report on IRS's background investigation process indicates that 
IRS continues to allow contractors to access its facilities and 
computer systems before favorable background investigations are 
completed. We will continue to evaluate IRS's enforcement, oversight, 
and implementation of its contractor background investigation policies 
during our fiscal year 2007 audit. 

Count: 35; 
ID. No.: 05-14; 
Recommendation: Require that background investigation results for 
contractors (or evidence thereof) be on file where necessary, including 
at contractor worksites and security offices responsible for 
controlling access to sites containing taxpayer receipts and 
information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. MA & SS physical security analysts issue ID 
media to contractors upon receipt of the following from the COTR: (1) 
Non-IRS Identification Card Request, (2) Request for ID Media/Access 
Card for Contract Employee or similar request form, (3) NBIC clearance 
letter, and (4) Personal Identity Verification for Federal Employees 
and Contractors form. These documents are maintained onsite by the MA & 
SS Physical Security Office where ID media is issued; 
Status per GAO: Open. We were not able to verify that IRS requires the 
results of background investigation for contractors be maintained at 
the contractor's work site. In addition, according to a recent TIGTA 
report on IRS's background investigation process, TIGTA was unable to 
complete its analysis on whether contractor employees were granted 
access to IRS's systems before favorable background checks were 
completed because IRS could not provide the proper documentation 
verifying that all prescreening tests had been completed. We will 
continue to evaluate IRS's corrective actions and implementation of its 
contractor background investigation policies in our fiscal year 2007 
audit. 

Count: 36; 
ID. No.: 05-22; 
Recommendation: Provide a written reminder to courier contractors of 
the need to adhere to all courier service procedures. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. Effective January 1, 2006, the lockbox banks 
must provide an annual memorandum to the courier contractor reminding 
them that they must adhere to all of the courier service procedures in 
the Lockbox Security Guidelines (LSG). For the campuses, Service Center 
Accounting held a conference on January 31, 2006, with Treasury's 
Financial Management Service (FMS), the Federal Reserve Banks, and the 
servicing Treasury's General Account (TGA) banks and reinforced all 
policies and procedures governing the courier process as outlined in 
IRM 3.8.45. We will continue to reinforce policies and procedures 
governing the courier. For lockbox banks, the Security Team verified 
that all lockbox bank sites issued an annual memorandum to courier 
contractors reminding them to adhere to all courier service procedures 
in the LSG; 
Status per GAO: Open. IRS's response does not address written reminders 
provided to SCC couriers. Also, during our fiscal year 2006 audit we 
did not observe that notifications to SCC couriers had been made by the 
end of our fieldwork. We will continue to evaluate IRS's corrective 
actions in our fiscal year 2007 audit. 

Count: 37; 
ID. No.: 05-23; 
Recommendation: Periodically verify that contractors entrusted with 
taxpayer receipts and information off site adhere to IRS procedures. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. Lockbox banks' LSG 2.12 requires that while 
transporting the data from the lockbox facility, the courier vehicle 
used to transport taxpayer data/remittances must be locked and secured, 
driven directly to the destination, and must always be under the 
supervision of the courier. All couriers are required to complete the 
same National Agency Check and Inquiry with Credit Investigation 
(NACIC) as bank management officials. For specific transport 
activities, deposit ticket and deposit transport time frames are 
reviewed as part of Lockbox Performance Measures. For lockbox banks, a 
new requirement will become effective in early 2007 that ensures that 
the lockbox bank sites are receiving dedicated transport service that 
complies with the requirement of the LSG. Lockbox management shall 
follow the courier service vehicle while the courier is carrying IRS 
lockbox deposits. This review shall be conducted unannounced at least 
once per quarter. This procedure has been included in LSG under 2.15 
"Lockbox Bank Courier Service review, Transport of Deposit." Also, 
effective January 1, 2007, the Courier's DCI requires the Security Team 
to observe a courier run at each lockbox site to ensure dedicated 
courier service is being provided. For campuses, couriers sign, date, 
and notate the time of pick up on Form 10160. When the couriers drop 
off the deposit, Form 10160 is date and time stamped. Each campus 
reviews the form and notes any time discrepancies. Couriers are 
questioned if discrepancies are found and the information is notated in 
the Courier Incident Log. If something out of the ordinary is noted, 
the centers use their discretion to make a determination whether or not 
it is necessary to trail the couriers; 
Status per GAO: Open. We verified that IRS revised its LSG to provide 
for periodic verification that couriers adhere to IRS policy while in 
transit. However, IRS's corrective actions occurred subsequent to our 
fieldwork. We will evaluate IRS's corrective actions during our fiscal 
year 2007 audit. 

Count: 38; 
ID. No.: 05-25; 
Recommendation: Formulate a policy to require that critical utility or 
security controls not be located in areas requiring frequent access. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 05-247R, Apr. 27, 2005); 
Status per IRS: Closed. MA & SS worked with the Business Operating 
Divisions (BOD) and Procurement to formulate policy guidelines. The 
Lockbox Policy Guidelines, dated January 10, 2006, have been revised. 
LSG 2.2.1 Main Utility Feeds, includes physical protection of all 
utilities against accidental or intentional disruption of services. 
Exterior utilities will be physically protected with bollards, fencing, 
or similar obstruction to prevent destruction. Where critical controls 
relative to utility feeds and security systems are located in rooms or 
areas frequented by contract employees, there must be continuous closed-
circuit television (CCTV) coverage as well as tamper-proof devices on 
those controls such as fencing, locks, or other protections. LSG 
2.2.2.12 page 18(5) has been revised to state that to prevent 
unauthorized access to control panels or critical systems, keys must be 
secured and controlled; 
Status per GAO: Closed. We verified that the LSG requires physical 
protection of all main utility feeds against accidental or intentional 
disruption of service. While the LSG does not require that critical 
utility or security controls not be located in areas requiring frequent 
access, the LSG does require that frequently accessed areas where 
utility feeds are present must be continuously monitored with CCTV 
coverage as well as tamper-proof devices installed on those controls 
such as fencing, locks, or other protections. Therefore, we believe 
that IRS's corrective actions meet the objective of our recommendation. 

Count: 39; 
ID. No.: 05-26; 
Recommendation: Require lockbox bank management to position closed-
circuit television cameras to enable monitoring of secured areas 
containing sensitive systems or controls. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. Mission Assurance has developed and 
incorporated a CCTV evaluation matrix into the security review process 
ensuring that critical areas and assets are monitored. The January 1, 
2007, LSG was revised under (CCTV Cameras) LSG 2.2.2.13.1 (6) and it 
states that Pan, Tilt, Zoom (PTZ) cameras shall be installed in mail 
sorting, mail delivery, mail extraction, exceptions processing ,and 
certified mail processing areas to ensure sites have the capability to 
observe, monitor, and record mail extraction activity and to assist in 
monitoring. Also, the LSG requires that IRS security controls, 
equipment, and utilities must be locked to prevent tampering and that 
keys will be controlled and limited to authorized bank employees. 
Mission Assurance also included key and combination controls and 
management as part of its review process at the banks; 
Status per GAO: Closed. We verified that the LSG requires physical 
protection of all main utility feeds against accidental or intentional 
disruption of service. While the LSG does not require that critical 
utility or security controls not be located in areas requiring frequent 
access, the LSG does require that frequently accessed areas where 
utility feeds are present must be continuously monitored with CCTV 
coverage as well as tamper proof devices installed on those controls 
such as fencing, locks, or other protections. Therefore, we believe 
that IRS's corrective actions meet the objective of our recommendation. 

Count: 40; 
ID. No.: 05-32; 
Recommendation: Establish policies and procedures to require 
appropriate segregation of duties in small business/self-employed units 
of field offices with respect to preparation of Payment Posting 
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. The procedures have been established, updated, 
and approved for IRM 5.1.2. Hard copies were shipped to all applicable 
employees on September 15, 2006; 
Status per GAO: Open. IRS has taken corrective actions to address this 
recommendation. However, the corrective actions do not address 
segregation of duties in SB/SE business units. We will continue to 
evaluate IRS's corrective action in our fiscal year 2007 audit. 

Count: 41; 
ID. No.: 05-33; 
Recommendation: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. Since 2005, W&I Field Assistance has taken a 
number of actions to emphasize the requirement for including a document 
transmittal form listing the Daily Report of Collection Activity forms 
in transmittal packages. These actions include (1) providing remittance 
training to all TAC managers in 2005 that covered procedures for 
remittance processing, (2) conducting operational reviews in fiscal 
year 2006 to ensure TAC adherence to required IRM procedures, (3) 
identifying best practice ideas, and (4) assessing conformance to 
current policies and procedures. A review of error reports for fiscal 
year 2005 and fiscal year 2006 shows a 38 percent decrease in the 
number of "Other 795/3210" errors. IRS attributes the decrease in 
errors (from 2,753 to 1,696) to the actions described above and others 
designed to improve remittance procedures. The SB/SE procedures have 
been established, updated, and approved in IRM 5.1.2. Hard copies were 
shipped to all applicable employees on September 15, 2006; 
Status per GAO: Open. During our fiscal year 2006 audit, we identified 
that a document transmittal was not always included when multiple Daily 
Report of Collection Activity forms were sent to the aligned service 
center campus. We will continue to evaluate IRS's corrective actions 
during our fiscal year 2007 fieldwork. 

Count: 42; 
ID. No.: 05-34; 
Recommendation: Establish a procedure for SB/SE field office units to 
track Document Transmittal forms and acknowledgements of receipt of 
Document Transmittal forms. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. The procedures have been established, updated, 
and approved for IRM 5.1.2. Hard copies were shipped to all applicable 
employees on September 15, 2006; 
Status per GAO: Closed. We verified that IRS has established procedures 
that require SB/SE employees to track document transmittal forms and 
the acknowledgement of receipt for these forms. 

Count: 43; 
ID. No.: 05-35; 
Recommendation: Require evidence of managerial review of recording, 
transmittal, and receipt of acknowledgments of taxpayer receipts and 
information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. The procedures have been established and 
incorporated into the latest revision of IRM 1.4.50; 
Status per GAO: Closed. We verified that IRS has established 
procedures, which require SB/SE to review the recording, transmittal, 
and receipt of acknowledgements of the document transmittal forms. 

Count: 44; 
ID. No.: 05-36; 
Recommendation: Assess options to prevent the generation or 
disbursement of refunds associated with accounts with unresolved AUR 
discrepancies, including placement of a freeze or hold on all such 
accounts, until the AUR review has been completed. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. The procedures in IRM 3.8.45 were revised on 
February 1, 2007. A Hot Topic was also issued on January 25, 2007, 
which will add procedures to IRM 3.17.10 to check for cases that can be 
identified as an Automated Under Reporter (AUR) payment and research 
IDRS for CP2000 Indicators: TC 922, "F" Freeze Code, and campus 
underreporter programs; 
Status per GAO: Open. We verified that the IRM 3.8.45 was revised on 
February 1, 2007 and the Hot Topic was issued on January 25, 2007. 
However, the IRM revision and the Hot Topic issuance were subsequent to 
our field work. We will continue to follow up on IRS's progress on this 
issue during our fiscal year 2007 audit. 

Count: 45; 
ID. No.: 05-37; 
Recommendation: Enforce documentation requirements relating to 
authorizing officials charged with approving manual refunds. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. Hot Topics were issued on July 26, 2006, and 
August 28, 2006, reinforcing the requirements for the authorization 
memorandum. This is also being reviewed as part of the Monthly Security 
Review Checklist; 
Status per GAO: Open. During our fiscal year 2006 audit, we continued 
to find that the documentation requirements on memorandums, which are 
submitted to the manual refund units' listing officials authorized to 
approve manual refunds, were incomplete. We verified that IRS (1) 
issued the Hot Topics, and (2) included the documentation requirements 
for the authorization memorandum in their Checklist. However, the Hot 
Topics and Checklist were issued subsequent to our fieldwork. We will 
continue to follow up on IRS's efforts to improve the documentation 
requirements during our fiscal year 2007 financial audit. 

Count: 46; 
ID. No.: 05-38; 
Recommendation: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. An alert (#07021) was issued on October 24, 
2006 to enforce the manual refund guideline procedures to monitor 
accounts to prevent duplicate refunds. IRM requirements to make certain 
refunds are controlled and monitored will be emphasized during yearly 
training (and quarterly meetings with IRS organizations that initiate 
manual refunds); 
Status per GAO: Open. During our fiscal year 2006 audit, we continued 
to find instances where the manual refund initiators did not monitor 
accounts to prevent duplicate refunds. We also found that the 
supervisors did not review the initiator's work to ensure that the 
monitoring of accounts was performed. We verified that IRS issued Alert 
No.07021; however, it was issued subsequent to our field work. We will 
continue to review IRS's monitoring and review efforts during our 
fiscal year 2007 financial audit. 

Count: 47; 
ID. No.: 05-39; 
Recommendation: Enforce requirements for documenting monitoring actions 
and supervisory review. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. An alert (#07021) was issued on October 24, 
2006, to enforce the documentation requirements. IRM requirements to 
make certain refunds are controlled and monitored will be emphasized 
during yearly training. Likewise, IRS continues to leverage tools such 
as the Manual Refund Check Sheet and Monthly Security Reviews to ensure 
compliance with IRM requirements; 
Status per GAO: Open. During our fiscal year 2006 audit, we continued 
to find instances where the requirements for documenting monitoring 
actions and documenting supervisory review were not always enforced. We 
verified that IRS issued Alert No. 07021; however, it was issued 
subsequent to our field work. We will continue to monitor IRS's efforts 
in documenting monitoring actions and supervisory review during our 
fiscal year 2007 financial audit. 

Count: 48; 
ID. No.: 05-40; 
Recommendation: Enforce the requirement that command code profiles be 
reviewed at least once annually. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. Submission Processing issued a Hot Topic 
January 10, 2007. To verify accounting is in compliance with IRM 
3.17.79.1.7, the Manual Refund Unit will include a signed and dated 
copy of the Command Code: RSTRK input (action performed through the use 
of the Integrated Data Retrieval System (IDRS)) in the file with the 
authorization memorandums. This documentation will be included in the 
fiscal year 2007 File. A conference call was held with all of the 
Accounting Operations on January 25, 2007 to answer any questions 
related to the Hot Topic. In addition, an item has been added to the 
Monthly Security Review Checklist that includes a review of this 
requirement; 
Status per GAO: Open. During our fiscal year 2006 audit, we found one 
case where a Certifying Officer's command code profile had not been 
reviewed in over 12 months. We verified that IRS issued the Hot Topic 
in January 2007, and modified the Monthly Security Review Checklist 
reminding centers of the requirement. However, the Hot Topic and 
modifications were issued subsequent to our fieldwork. We will continue 
to follow up on IRS's efforts to improve the review requirements during 
our fiscal year 2007 financial audit. 

Count: 49; 
ID. No.: 05-41; 
Recommendation: Specify in the IRM that staff members are not to review 
their own command code profiles. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed June 30, 2006. The IDRS Security Law Enforcement 
Manual (LEM) and IRM have been updated and implemented to reflect 
employees are not to review their own command code profiles. MA & SS 
Chief also signed a memorandum advising business units of the 
requirement to not have reviewing employees in the same IDRS unit as 
the employees they review. In addition, MA & SS worked with business 
units to set up separate IDRS units so that unit security 
representatives and managers can ensure separation of reviewer from 
reviewed. This latter activity is being tracked to ensure the required 
separation is put into effect; 
Status per GAO: Open. During our fiscal year 2006 audit, we found that 
the IRM wording to specify that staff members do not review their own 
command code profiles had not been updated. We will continue to monitor 
IRS's efforts in preventing staff members from reviewing their own 
command code profiles during our fiscal year 2007 audit. 

Count: 50; 
ID. No.: 05-42; 
Recommendation: Specify in the IRM how to properly verify interest and 
penalties for accounts with liens with manually calculated interest or 
penalties. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 05-247R, Apr. 27, 2005); 
Status per IRS: Closed. ALS receives a master file data extract listing 
modules where liabilities have been fully paid. The data extract that 
is matched against information in the ALS system automatically releases 
liens when there is a match, including restricted interest and penalty 
modules. After a review of 300 satisfied modules, IRS identified five 
cases with additional restricted interest or penalty. The remaining 
amounts due after computation were for very small amounts, less than 
$10. On the basis of those reviews, IRS determined these cases should 
receive systemic releases; 
Status per GAO: Closed. IRS reprogrammed its ALS to automatically 
release liens once the taxpayer's account was fully paid, even if it 
contains a manual interest indicator. Previously, IRS's IRM required it 
to review accounts containing a manual interest or penalty indicator, 
to determine whether the manually recorded interest and penalty amounts 
were correct and whether it should assess the taxpayer any additional 
interest or penalty before releasing the lien. IRS has decided not to 
hold up the lien release on such accounts for a review and has changed 
its computer programming to automatically release the lien once the 
account balance reaches zero. We obtained and reviewed a computer 
extract from February 2007 showing that accounts containing manual 
interest or penalty are no longer held up from automated lien release. 

Count: 51; 
ID. No.: 06-01; 
Recommendation: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing. (short-term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. Form 3210 is the only form used by W&I accounts 
management (AM). IRM 21.4.3 Returned Refunds/Releases contains 
procedures for transmitting returned refund checks to the Regional 
Finance Center utilizing Form 3210. Although the procedures do not 
require the manager to initial the Form 3210, procedures are in place 
in the Manager's IRM to do periodic reviews. AM will explore an 
effective plan to address this control during fiscal year 2007. It has 
been determined that adding reminders to the AM Program Letter will not 
produce the desired result. Procedures for consistent review of Forms 
3210 have been drafted for addition to IRM 1.4.16. This will enhance 
guidelines on periodic reviews. The draft procedures are pending 
approval through the IRM clearance process; 
Status per GAO: Open. During our fiscal year 2006 audit, we identified 
instances at two of four SCCs we visited in which Refund Inquiry Unit 
managers or supervisors did not document their review of all forms used 
to transmit returned refund checks prior to sending them for final 
processing. We will continue to evaluate IRS's corrective actions 
during our fiscal year 2007 audit. 

Count: 52; 
ID. No.: 06-02; 
Recommendation: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including SCCs, TACs, and units within LMSB and 
TE/GE, establish a system to track acknowledged copies of document 
transmittals. (short-term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. W&I Accounts Management has drafted procedures 
for the consistent review of receipt transmittals (Form 3210) for 
inclusion in IRM 1.4.16. Reviews will enforce existing requirements. 
Newly drafted procedures have been written to provide additional time 
frames and documentation requirements for Accounts Management employees 
sending transmittal forms. The draft procedures are pending approval. 
W&I Field Assistance approved SERP updates on July 14, 2006, to 
establish a process to monitor acknowledgements of transmittal forms 
received from the service centers. IRMs 21.3.4.7 and 1.4.11.19.1 were 
revised to provide procedures for requiring TACs to follow-up with 
Submission Processing Centers (SPC) when acknowledgements are not 
received within 10 days. The acknowledgement copies of transmittals 
received from SPCs must be documented with the date received in the 
TAC. When missing acknowledgement copies are identified, the TAC 
employee must document follow-up actions to resolve the missing 
acknowledgements. The documentation must either be recorded on or 
attached to the group copy of the transmittals. IRM 1.4.11.19.5 was 
revised to require TAC group managers to prepare weekly payment 
processing and reconciliation reviews and to provide documentation 
feedback to employees. LMSB has issued procedures to the field on the 
responsibilities for using receipt transmittals. TE/GE addressed this 
issue during the fiscal year 2006 Annual Assurance Review by responding 
to question 6.2, "Checks received from taxpayers are sent to the 
Service Center within one business day via Form 3210 (Document 
Transmittal), and the Service Center is contacted if the 
acknowledgement copy of Form 3210 is not received from the Service 
Center within 10 days." All managers responded "yes."; 
Status per GAO: Open. During our fiscal year 2006 audit, we identified 
multiple instances at two TACs (and at one SCC we visited) where IRS 
employees did not follow existing requirements when transmitting 
taxpayer receipts and information. In addition, during our subsequent 
review of TAC corrective actions in this area, we found that the 
reviews required by the TAC managers were not always performed as 
intended. We will continue to evaluate IRS's corrective actions during 
our fiscal year 2007audit. 

Count: 53; 
ID. No.: 06-03; 
Recommendation: Provide instructions to document the follow-up 
procedures performed in those cases where transmittals have not been 
timely acknowledged. (short-term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. W&I Accounts Management has drafted procedures 
for the consistent review of receipt transmittals (Form 3210) for 
inclusion in IRM 1.4.16. Reviews will enforce existing requirements. 
Newly drafted procedures have been written to provide additional time 
frames and documentation requirements for Accounts Management employees 
sending transmittal forms. The draft procedures are pending approval. 
W&I Field Assistance approved SERP updates on July 14, 2006, to 
establish a process to monitor acknowledgements of transmittal forms 
received from the service centers. IRMs 21.3.4.7 and 1.4.11.19.1 were 
revised to provide procedures for requiring TACs to follow-up SPCs when 
acknowledgements are not received within 10 days. The acknowledgement 
copies of transmittals received from SPCs must be documented with the 
date received in the TAC. When missing acknowledgement copies are 
identified, the TAC employee must document follow-up actions to resolve 
the missing acknowledgements. The documentation must either be recorded 
on or attached to the group copy of the transmittals. IRM 1.4.11.19.5 
was revised to require TAC group managers to prepare weekly payment 
processing and reconciliation reviews and to provide documentation 
feedback to employees. LMSB has issued procedures to the field on the 
responsibilities for using receipt transmittals. TE/GE addressed this 
issue during the fiscal year 2006 Annual Assurance Review by responding 
to question 6.2, "Checks received from taxpayers are sent to the 
Service Center within one business day via Form 3210 (Document 
Transmittal), and the Service Center is contacted if the 
acknowledgement copy of Form 3210 is not received from the Service 
Center within 10 days." All managers responded "yes."; 
Status per GAO: Open. This recommendation affects TAC, LMSB, and TE/GE 
business units. We were only able to verify that for TACs, IRS has 
issued guidance for employees to document the follow-up procedures in 
those cases where transmittals have not been timely acknowledged. 
However, during our subsequent review of TAC corrective actions in this 
area, we found that the reviews required in the July 2006 IRM update 
were not always performed as intended. We will continue to evaluate 
IRS's corrective actions in our fiscal year 2007 audit. 

Count: 54; 
ID. No.: 06-04; 
Recommendation: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines. (short-term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. W&I Accounts Management has drafted procedures 
for the consistent review of receipt transmittals (Form 3210) for 
inclusion in IRM 1.4.16. Reviews will enforce existing requirements. 
Newly drafted procedures have been written to provide additional time 
frames and documentation requirements for Accounts Management employees 
sending transmittal forms. The draft procedures are pending approval. 
W&I Field Assistance approved SERP updates on July 14, 2006, to 
establish a process to monitor acknowledgement of transmittal forms 
received from the service centers. IRMs 21.3.4.7 and 1.4.11.19.1 were 
revised to provide procedures for requiring TACs to follow-up with SPCs 
when acknowledgements are not received within 10 days. The 
acknowledgement copies of transmittals received from SPCs must be 
documented with the date received in the TAC. When missing 
acknowledgement copies are identified, the TAC employee must document 
follow-up actions to resolve the missing acknowledgements. The 
documentation must either be recorded on or attached to the group copy 
of the transmittals. IRM 1.4.11.19.5 was revised to require TAC group 
managers to prepare weekly payment processing and reconciliation 
reviews and to provide documentation feedback to employees. LMSB has 
issued procedures to the field on the responsibilities for using 
receipt transmittals. TE/GE addressed this issue during the fiscal year 
2006 Annual Assurance Review by responding to question 6.2, "Checks 
received from taxpayers are sent to the Service Center within one 
business day via Form 3210 (Document Transmittal), and the Service 
Center is contacted if the acknowledgement copy of Form 3210 is not 
received from the Service Center within 10 days." All managers 
responded "yes."; 
Status per GAO: Open. This recommendation affects SCC, TAC, LMSB, and 
TE/GE business units. During our fiscal year 2006 audit, we continued 
to find instances where managers/designees did not document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations were tracked 
according to guidelines. In addition, during our subsequent review of 
TAC corrective actions, we found that the reviews required in the July 
2006 IRM update were not always performed as intended. We will continue 
to evaluate IRS's corrective actions during our fiscal year 2007audit. 

Count: 55; 
ID. No.: 06-05; 
Recommendation: Equip all TACs with adequate physical security controls 
to deter and prevent unauthorized access to restricted areas or office 
space occupied by other IRS units, including those TACs that are not 
scheduled to be reconfigured to the "new TAC" model in the near future. 
This includes appropriately separating customer service waiting areas 
from restricted areas in the near future by physical barriers such as 
locked doors marked with signs barring entrance by unescorted 
customers. (short-term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO- 06-543R, May 12, 2006); 
Status per IRS: Open. FA surveyed each area office and provided this 
information to AWSS and MA & SS; 
Status per GAO: Open. During our fiscal year 2006 audit, IRS continued 
to develop guidelines to address unauthorized access to restricted 
areas. These corrective actions were not complete at the conclusion of 
our fiscal year 2006 audit. We will continue to evaluate IRS's 
corrective actions during our fiscal year 2007 audit. 

Count: 56; 
ID. No.: 06-06; 
Recommendation: Connect duress alarms to a central monitoring station 
or local police department or institute appropriate compensating 
controls when these alarm systems are not operable or in place. (short-
term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. MA & SS has coordinated with AWSS/Real Estate 
and Facilities Management (REFM) and W&I to ensure duress alarms for 
387 (97 percent) of the 400 TAC offices are currently connected to a 
central monitoring station and will work in partnership to address 
reported deficiencies. MA & SS and FA have determined that testing of 
duress alarms will be not less than once each calendar quarter (3 
months) and results will be reviewed and documented. Plans to connect 
the remaining 13 offices are in progress and are being tracked until 
complete (status report provided as supporting documentation). Each of 
these 13 offices are currently equipped with duress alarms that 
annunciate locally and compensating control procedures are in place to 
ensure 911 is contacted for emergency assistance. IRM 1.16.12 has been 
revised to set forth alarm testing procedures and to ensure TAC 
personnel are aware to contact 911 when alarms are not operable or in 
place; 
Status per GAO: Closed. During fiscal year 2006, we verified that IRS 
revised its policy, which outlines duress alarm testing requirements at 
TACs as well as guidelines for employees to follow when working with 
duress alarms, particularly at TACs with nonoperable duress alarms. 

Count: 57; 
ID. No.: 06-07; 
Recommendation: Document supervisory visits by offsite managers to TACS 
not having a manager permanently on-site. This documentation should be 
signed by the manager and should (1) record the time and date of the 
visit, (2) identify the manager performing the visit, (3) indicate the 
tasks performed during the visit, (4) note any problems identified, and 
(5) describe corrective actions planned. (short-term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. The checklist for managers to use to document 
visits to outlying TACs was included as an exhibit in the April 27, 
2006 update of IRM 1.4.11.6.2; 
Status per GAO: Open. We verified during our fiscal year 2006 audit 
that the IRM had been updated to include a method for managers to 
document their visits to remote TACs. However, during our subsequent 
review of the reports prepared by TAC managers, we were unable to 
determine the scope and content of what was observed or accomplished 
during the visit. We will continue to evaluate IRS's implementation of 
its corrective actions during our fiscal year 2007audit. 

Count: 58; 
ID. No.: 06-08; 
Recommendation: Enforce the requirement that all security or other 
responsible personnel at SCCs and lockbox banks record all instances 
involving the activation of intrusion alarms regardless of the 
circumstances that may have caused the activation. (short-term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. In January 2006, LSG 2.2.3.1.5 (6) was revised 
to add the requirement that the banks maintain a logbook of incident 
reports and any applicable supporting documentation, noting corrective 
follow-up actions taken on each incident. The logbook must be 
maintained in sequential date order. This was reinforced in the 2007 
LSG. It states "The bank must maintain a logbook of incident reports 
and any applicable supporting documentation." Corrective follow-up 
actions must be documented and included with the original incident 
report. The logbook must be maintained in sequential date order. A 
review of the incident reports and associated logbooks has shown that 
although not specifically directed at intrusion alarms, the logbook of 
incident reports is also used to record all alarm events. LSG section 
2.2.2.14 Intrusion Detection System (IDS), paragraph (7) will be 
revised to add "A record of all instances involving the activation of 
intrusion alarms, regardless of the circumstances that may have caused 
the activation, must be maintained in the Daily Activity Report/Log or 
other incident logbook."' At the SCCs, field security analysts have 
been advised to reiterate to the campus guard force that all activation 
of intrusion alarms whether during tests (by staff or oversight 
auditors), inadvertently, or by actual security breach violations must 
be recorded/documented. Existing unannounced alarm testing procedures 
and the associated Alarm Test Report form have been modified to 
incorporate a review of the guard console timeline log to test guard 
adherence to this requirement. Recording of all alarm activations has 
been added to the Physical Security Audit Management Checklist, 
reviewed by field management; 
Status per GAO: Open. During our fiscal year 2006 audit, we identified 
instances at two of four lockbox banks we visited in which the 
activation of intrusion alarms were not recorded by security guards. We 
will evaluate IRS's planned corrective actions during our fiscal year 
2007 audit. 

Count: 59; 
ID. No.: 06-09; 
Recommendation: Reemphasize the need for the security guards at all 
TACs to ensure that key posts of duty, such as entrances to facilities, 
are not left unattended. (short-term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. W&I has issued a memorandum to MA & SS to address 
this issue; 
Status per GAO: Open. IRS's actions to address this issue are currently 
in process. We will evaluate IRS's corrective actions in our fiscal 
year 2007 audit. 

Count: 60; 
ID. No.: 06-10; 
Recommendation: Revise its lockbox bank's security review checklist to 
ensure that it encompasses reviewing security incident reports to 
validate whether security personnel are providing corrective actions 
related to the incidents cited. (short- term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. The Security Review Checklist was updated June 
5, 2006, and all follow- up actions have been completed by the Lockbox 
Security Team. SP worked with IRS Mission Assurance and FMS to ensure 
the physical security review checklist was updated to include reviews 
of the security incident reports and to validate that security 
personnel are providing corrective actions related to the incidents 
that were cited; 
Status per GAO: Closed. We verified that the lockbox bank physical 
security DCI had been updated to include a review to ensure that 
security incidents are documented. 

Count: 61; 
ID. No.: 06-11; 
Recommendation: Refine the scope and nature of its periodic reviews of 
candling processes at SCCs to ensure they (1) encompass tests of 
whether envelopes are properly candled through observation of candling 
in process and inquiry of employees who perform initial and final 
candling and (2) document the nature and scope of the test and 
observation results. (short-term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. The Security Review Checklist has been revised 
to document, through observation, the effectiveness of the initial and 
final candling process. Employee inquiry continues to be a part of the 
Monthly Campus and National Office Security Reviews; 
Status per GAO: Open. We verified that IRS revised its Security Review 
Checklist to document, through observation, the effectiveness of the 
initial and final candling process. IRS states that employee inquiry 
continues to be part of the monthly campus and national office security 
reviews. However, IRS did not provide documentation demonstrating (1) 
that inquiries were made of employees who perform initial and final 
candling, (e.g., evaluate employees awareness of candling procedures) 
and (2) the nature and scope of the tests conducted (e.g., number of 
employees and a brief description of the extent of the candling 
observation). We will continue to monitor IRS's corrective actions 
during our fiscal year 2007 audit. 

Count: 62; 
ID. No.: 06-12; 
Recommendation: Enforce its existing policies and procedures at lockbox 
banks to ensure that all remittances of $50,000 or more are processed 
immediately and deposited at the first available opportunity. (short-
term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. On April 13, 2006, Lockbox Electronic Bulletin 
(LEB) 200613 (Remittances of $50,000 or more) was distributed 
throughout the Lockbox Network. The LEB updated LPG 3.2(4) and LPG 
3.2.7.1(1) to state the following: "If 50,000 or more is discovered in 
any type of work, it should be expedited and deposited on the first 
available deposit." In addition, lockbox management must ensure that 
remittances of $50,000 or more are not left unattended, including at 
disruptive times such as shift changes, breaks, meetings, etc. These 
remittances must be collected and then batched for expedited 
processing. Additionally, management will continue to provide training 
reminders and actively monitor the work in process for compliance with 
high-dollar procedures; 
Status per GAO: Closed. We verified that the LPG requires remittances 
of $50,000 or greater are not to be left unattended, including at 
disruptive times such as shift changes, breaks, meetings, and are to be 
expedited and deposited on the first available deposit. Also, we 
verified that a review checkpoint was added to the Processing Internal 
Controls DCI for lockbox banks to ensure that remittances of $50,000 or 
greater are processed expeditiously and are not to be left unattended, 
including at disruptive times such as shift changes, breaks, and 
meetings. During our fiscal year 2006 audit, we found no instances of 
remittances of $50,000 or more that were not processed immediately or 
deposited at the first available opportunity. 

Count: 63; 
ID. No.: 06-13; 
Recommendation: Refine the scope and nature of its periodic reviews of 
lockbox banks to include high dollar remittances to better monitor 
adherence to the requirement that they are processed immediately and 
deposited at the first available opportunity. (short-term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. A review checkpoint was added to the Processing 
Internal Controls DCI, which was implemented during the April 2006 on-
site review performed by the lockbox field coordinators (LFC). The 
review requires the LFC to ensure that there is an internal control in 
place to expedite remittances of $50,000 and over; and that lockbox 
management is ensuring these remittances are collected from all areas 
at the end of each shift and prior to breaks, then batched and sent for 
processing; 
Status per GAO: Closed. We verified that a review checkpoint was added 
to the Processing Internal Controls DCI for lockbox banks to ensure 
that remittances of $50,000 or greater are processed expeditiously and 
are not to be left unattended, including at disruptive times such as 
shift changes, breaks, and meetings. During our fiscal year 2006 audit, 
we found no instances of remittances of $50,000 or more that were not 
processed immediately or deposited at the first available opportunity. 

Count: 64; 
ID. No.: 06-14; 
Recommendation: Refine the scope and nature of its periodic security 
reviews to encompass (1) testing the effectiveness of controls intended 
to ensure that only individuals with proper credentials are permitted 
access to SCCs and lockbox banks, and (2) reviewing the integrity of 
perimeter security at SCCs. (short- term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed: The physical security of submission processing 
centers is a key priority for IRS. IRS has many physical security 
controls protecting the perimeter of facilities and access to 
buildings. Protections include fencing, CCTV, perimeter entrances 
protected with electronic gates, and security guards. Building access 
is protected with electronic access controls (key cards), portals, and 
security guards. We continually monitor the physical security of our 
submission processing facilities and conduct various reviews to 
continually assess our security posture. Our continuous monitoring 
includes (1) comprehensive risk assessments conducted every 2 years, 
(2) physical security compliance reviews conducted every 2 years, and 
(3) an Audit Management Checklist process that is conducted quarterly. 
The quarterly Audit Management Checklist process includes specific 
evaluations of the effectiveness of controls intended to ensure that 
only individuals with proper credentials are permitted access to 
submission processing centers and the review of the integrity of 
perimeter security. Additionally, for lockbox banks, on January 1, 
2007, IRS revised LSG, Section 2.2.3.1(6)k, to restrict access of all 
delivery personnel. The IRS Lockbox Security Review Team observed the 
Lockbox Site's process of delivery personnel while on site to ensure 
compliance with the LSG requirement. In addition, section 2.2.2.13.1 
(CCTV Cameras) (2)g of the LSG was revised to add that cameras must 
capture images of all persons entering and exiting perimeter doors and 
other critical ingress/egress points to include but not limited to the 
computer room and closets containing main utility feeds; 
Status per GAO: Open. We verified that (1) the Audit Management 
Checklist verifies that guards check photo identification of all 
visitors before permitting access to SCCs and ensures that CCTV 
surveillance systems at SCCs provide complete and unobstructed exterior 
coverage of the entire fenceline and perimeter of the facility and (2) 
the LSG was revised to restrict access of all delivery personnel at 
lockbox banks. However, during our fiscal year 2006 audit, we continued 
to find weaknesses in controls over access to the facility and/or 
surrounding perimeter at three SCCs and one lockbox bank we visited. We 
found instances of gaps in security fences at two SCCs, overgrown 
shrubbery that obstructed the view of security personnel at one SCC, 
courier company personnel delivering the lockbox accounting package 
that were not always listed on the hard copy access list at the entry 
gate at one SCC, and a courier face and/or badge that was not 
recognizable through a camera prior to granting courier access to the 
loading dock area at one lockbox bank. The corrective actions cited by 
IRS were subsequent to our fiscal year 2006 audit. We will evaluate the 
effectiveness of these actions during our fiscal year 2007 audit. 

Count: 65; 
ID. No.: 06-15; 
Recommendation: Revise the physical security procedures in the Internal 
Revenue Manual (IRM) to require that all SCCs and any respective annex 
facilities processing taxpayer receipts and/or information perform and 
document monthly tests of the facility's intrusion detection alarms. At 
a minimum, these procedures should (1) outline the type of test to be 
conducted, (2) include criteria for assessing whether the controls used 
to respond to the alarm were effective, and (3) require that a logbook 
be maintained to document the test dates, results, and response 
information. (short-term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. MA & SS and Agency-Wide Shared Services (AWSS) 
will update the IRMs and LPG related to the SCCs alarm testing 
procedures to include a description of the types of tests to be 
conducted, criteria for assessing controls, and the logging 
requirements by August 2007; 
Status per GAO: Open. We will continue to evaluate IRS's corrective 
actions during our fiscal year 2007 audit. 

Count: 66; 
ID. No.: 06-16; 
Recommendation: Amend its policy to require that a completed form 13094 
with a positive recommendation be provided for every juvenile hired to 
any position that will allow access to taxpayer receipts and/or 
taxpayer information. (short-term); 
Source report: Management Report: Improvements needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. Policy was amended to require that all 
juveniles being considered for employment with IRS complete Form 13094 
(Recommendation for Juvenile Employment with IRS) with a positive 
recommendation. This requirement is mandatory for employment with IRS; 
Status per GAO: Closed. During our fiscal year 2006 audit, we verified 
that IRS amended its juvenile hiring policy to ensure that only those 
juveniles receiving positive recommendations will be permitted access 
to taxpayer receipt and information. 

Count: 67; 
ID. No.: 06-17; 
Recommendation: Require IRS personnel to verify the information on the 
form 13094 by contacting the reference directly. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. Policy was amended to establish procedures that 
require IRS personnel to verify all completed forms with a positive 
recommendation by contacting the reference directly; 
Status per GAO: Closed. During our fiscal year 2006 audit, we verified 
that IRS amended its juvenile hiring policy to ensure that IRS 
personnel verify the information provided on Form 13094 via direct 
contact with the reference. 

Count: 68; 
ID. No.: 06-18; 
Recommendation: Revise the form 13094 to require the reference to 
describe his/her relationship with the juvenile including extent of 
first-hand contact, to allow IRS to review the forms and assess whether 
the referencer has sufficient basis to recommend that juvenile to a 
position of trust. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. Form 13094 was modified to include two 
additional boxes for the reference to include their relationship to the 
juvenile and the number of years they have known the juvenile. Form 
13094 has a revision date of August 20, 2006 and is available on the 
IRS' publication Web site; 
Status per GAO: Closed. During our fiscal year 2006 audit, we verified 
that IRS amended its juvenile hiring policy to require that the 
references indicate how well they know the potential juvenile hire. In 
addition, Form 13094 was also revised to request the references provide 
this information via a check-box system. 

Count: 69; 
ID. No.: 06-19; 
Recommendation: Establish procedures for hiring juveniles who do not 
have a current teacher, principal, counselor, employer or former 
employer, and clarify that IRS's current policies and procedures should 
not be interpreted to mean that such juveniles should be allowed access 
to taxpayer receipts and information without a form 13094 or its 
equivalent. These procedures could include a list of acceptable 
alternatives that may serve as references for juveniles who do not have 
a current teacher, principal or guidance counselor. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. Form 13094 was modified with the following 
sentences added, "Form should be completed by a person who has personal 
knowledge of the applicant's character and trustworthiness. If the 
applicant is attending school or has graduated, this form must be 
completed and signed by the current or former school official (i.e., 
principal, guidance counselor, or teacher). If the applicant is not in 
school and is currently employed or unemployed, the form must be 
completed and signed by either a current or former employer." Form 
13094 has a revision date of August 20, 2006 and is available on the 
IRS' publication Web site; 
Status per GAO: Closed. During our fiscal year 2006 audit, we verified 
that IRS amended its juvenile hiring policy to provide accepted 
alternative references if the juvenile does not have a current teacher, 
principal, or guidance counselor. The revised Form 13094 has also been 
revised to include this information. 

Count: 70; 
ID. No.: 06-20; 
Recommendation: To assure proper accounting treatment of expense and 
P&E transactions and reliable financial reporting, enforce existing 
property and equipment capitalization policy to ensure that it is 
properly implemented to fully achieve management's objectives, 
including recognizing assets when its capitalization criteria is met 
and recognizing expenses when it is not. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. IRS implemented a dollar threshold for the 
ongoing monthly review of P&E transactions beginning in March 2006. In 
addition, the CFO and Chief, Agency-Wide Shared Services, jointly 
issued a memorandum to all executives entitled, "Internal Transaction 
Control and Accuracy Improvement," emphasizing responsibility for 
accurate transaction coding, in April 2006. Also, the CFO and 
procurement offices jointly completed a review of material code 
descriptions and implemented appropriate changes in the requisition 
tracking system and IFS; implemented a process to review the material 
group assigned to transactions at the point of requisition to drive the 
transaction coding as either P&E or expense; and initiated a feedback 
process regarding material group coding errors found after receipt and 
acceptance; 
Status per GAO: Closed. On the basis of our fiscal year 2006 testing of 
P&E and nonpayroll expenses, we confirm that IRS has improved the 
accuracy and reliability of its P&E records by enhancing accounting 
code definitions in its new financial management system to make it 
easier for users to select the proper accounting codes for recording 
transactions, improving coordination among units involved in processing 
P&E activity, and streamlining its analysis of P&E transactions most 
susceptible to misclassification. 

Count: 71; 
ID. No.: 06-21; 
Recommendation: Generate aging reports when an asset remains in pending 
disposal status for longer than a specified period of time. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. IRS has initiated a reengineering effort 
focused on the entire asset retirement and disposal process. As such, 
reports are currently available to monitor aging transactions during 
the disposal life cycle. Additionally, procedures are in place that 
require reviews of aging reports for the timely recording of disposal 
transactions. Substantial software modifications were designed to 
improve the recording of information by replacing manual data entry 
methods by using electronic forms, signatures, and processes. In August 
2006, these modifications and review procedures were implemented to 
streamline the recording of asset disposal activity as required by IRS 
policy; 
Status per GAO: Open. During fiscal year 2006, IRS reengineered the P&E 
asset retirement and disposal process. The new process was intended to 
generate exception reports that would enable management to monitor the 
aging of transactions during the disposal process. Since this 
reengineering was still in process during our fiscal year 2006 P&E 
testing, we will test the new process during our fiscal year 2007audit. 

Count: 72; 
ID. No.: 06-22; 
Recommendation: Direct Facilities Management Branch managers to 
research and resolve the aging reports. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. AWSS and the Chief Information Officer property 
managers reengineered the entire asset retirement and disposal process 
to mitigate issues raised in GAO's fiscal year 2005 Financial Statement 
Audit. As such, reports are regularly available on a weekly basis for 
management to monitor the status of aging transaction dates until the 
disposal process is complete. Also, review procedures were streamlined 
to ensure the timely recording of disposal transactions. In August 
2006, reengineered process modifications and review procedures were 
implemented and guidance for conducting reviews was issued; 
Status per GAO: Open. During fiscal year 2006, IRS reengineered the P&E 
asset retirement and disposal process. The new process was intended to 
generate exception reports that would enable management to monitor the 
aging of transactions during the disposal process. Since this re- 
engineering was still in process during our fiscal year 2006 P&E 
testing, we will test the new process during our fiscal year 2007 
audit. 

Count: 73; 
ID. No.: 07-01; 
Recommendation: Enforce the existing policy requiring that all lockbox 
banks encrypt backup media containing federal taxpayer information. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 74; 
ID. No.: 07-02; 
Recommendation: Ensure that lockbox banks store backup media containing 
federal taxpayer information at an off- site location as required by 
the 2006 LSG. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 75; 
ID. No.: 07-03; 
Recommendation: Revise instructions for the annual reviews of lockbox 
banks to encompass routine monitoring of backup media containing 
personally identifiable information to ensure that this information is 
(1) encrypted prior to transmission and (2) stored in an appropriate 
off-site location. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 76; 
ID. No.: 07-04; 
Recommendation: Develop and implement appropriate corrective actions 
for any gaps in closed circuit TV (CCTV) camera coverage that do not 
provide an unobstructed view of the entire exterior of the SCC's 
perimeter, such as adding or repositioning existing CCTV cameras or 
removing obstructions. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 77; 
ID. No.: 07-05; 
Recommendation: Revise instructions for quarterly physical security 
reviews to require analysts to (1) document any issues identified as 
well as planned implementation dates of corrective actions to be taken 
and (2) track the status of corrective actions identified during the 
quarterly assessments to ensure they are promptly implemented. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 78; 
ID. No.: 07-06; 
Recommendation: Revise procedures contained in the Manual Refund Desk 
Reference to reflect the IRM requirements for manual refund initiators 
to (1) monitor the manual refund accounts in order to prevent duplicate 
refunds, and (2) document their monitoring actions. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 79; 
ID. No.: 07-07; 
Recommendation: Provide to all IRS units responsible for processing 
manual refunds the same and most current version of the Manual Refund 
Desk Reference. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 80; 
ID. No.: 07-08; 
Recommendation: Require that managers or supervisors provide the manual 
refund initiators in their units with training on the most current 
requirements to help ensure that they fulfill their responsibilities to 
monitor manual refunds and document their monitoring actions to prevent 
the issuance of duplicate refunds. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 81; 
ID. No.: 07-09; 
Recommendation: Enhance its computer program to check for outstanding 
tax liabilities associated with both the primary and secondary Social 
Security Numbers shown on a joint tax return and apply credits to those 
balances before issuing any refund. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 82; 
ID. No.: 07-10; 
Recommendation: Instruct Revenue Officers making the TFRP assessments 
to research whether the responsible officers are filing jointly with 
their spouses and to place a refund freeze on the joint account until 
the computer programming change can be completed. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 83; 
ID. No.: 07-11; 
Recommendation: Correct the penalty calculation programs in the master 
file so that penalties are calculated in accordance with the applicable 
IRC and implementing IRM guidance. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 84; 
ID. No.: 07-12; 
Recommendation: Research each of the taxpayer accounts that may have 
been affected by the programming errors to determine whether they 
contain overassessed penalties and correct the accounts as needed. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 85; 
ID. No.: 07-13; 
Recommendation: Establish procedures and specify in the IRM that at the 
time of receipt, employees recording taxpayer payments should (1) 
determine if the payment is more than sufficient to cover the tax 
liability of the tax period specified on the payment or earliest 
outstanding tax period, (2) perform additional research to resolve any 
outstanding issues on the account, (3) determine whether the taxpayer 
has outstanding balances in other tax periods, and (4) apply available 
credits to satisfy the outstanding balances in other tax periods. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 86; 
ID. No.: 07-14; 
Recommendation: Establish procedures and specify in the IRM that 
employees review taxpayer accounts with freeze codes that contain 
credits weekly to (1) research and resolve any outstanding issues on 
the account, (2) determine whether the taxpayer has outstanding 
balances in other tax periods, and (3) apply available credits to 
satisfy the outstanding balances in other tax periods. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 87; 
ID. No.: 07-15; 
Recommendation: Issue a memorandum to employees in the Centralized 
Insolvency Office reiterating the IRM requirement to timely record 
bankruptcy discharge information onto taxpayer accounts in the master 
file or to manually release the liens in ALS. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 88; 
ID. No.: 07-16; 
Recommendation: Issue a memorandum to employees in the Centralized Lien 
Processing Unit reiterating the IRM requirement to date stamp and 
maintain the billing support voucher as evidence of timely processing 
by IRS. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 89; 
ID. No.: 07-17; 
Recommendation: Monitor installment agreement user fee activity on a 
regular basis. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 90; 
ID. No.: 07-18; 
Recommendation: Adjust errors in recorded installment agreement user 
fees as necessary to correctly reflect the user fees IRS earned and 
collected from taxpayers. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 91; 
ID. No.: 07-19; 
Recommendation: Establish sufficient review procedures to help ensure 
that adjustments to installment agreement user fees collected from 
taxpayers are accurately and timely recorded. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 92; 
ID. No.: 07-20; 
Recommendation: Establish and maintain sufficient secured storage space 
to properly secure and safeguard its property and equipment inventory, 
including in-stock inventories assets from incoming shipments, and 
assets that are in the process of being excessed and/or shipped out. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 93; 
ID. No.: 07-21; 
Recommendation: Develop and implement procedures to require that 
separate individuals place orders with vendors and perform receipt and 
acceptance functions when the orders are delivered.(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 94; 
ID. No.: 07-22; 
Recommendation: Document the results of internal control tests 
conducted in a manner sufficiently clear and complete to explain how 
control procedures were tested, what results were achieved, and how 
conclusions were derived from those results, without reliance on 
supplementary oral explanation. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 95; 
ID. No.: 07-23; 
Recommendation: Clearly document how it considered existing reviews and 
audits in determining the nature, scope, and timing of procedures it 
planned to conduct under its A-123 process. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 96; 
ID. No.: 07-24; 
Recommendation: To the extent that it intends to use the information 
security work conducted under Federal Information Security Management 
Act of 2002 (FISMA) to meet related A- 123 requirements, identify the 
areas where the work conducted under FISMA does not meet the 
requirements of OMB Circular No. A-123 and, considering the findings 
and recommendations of our work on IRS's information security, expand 
FISMA procedures or perform additional procedures as part of the A-123 
reviews to augment FISMA work. (short- term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 97; 
ID. No.: 07-25; 
Recommendation: Revise test plans to include appropriate consideration 
of the design of internal controls in addition to implementation of 
controls over individual transactions. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 98; 
ID. No.: 07-26; 
Recommendation: Work with Treasury to identify laws and regulations 
that are significant to financial reporting, test controls over 
compliance with those laws and regulations, and evaluate and report on 
the results of such control reviews. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 99; 
ID. No.: 07-27; 
Recommendation: Begin devising appropriate A-123 follow-up procedures 
for the last three months of the fiscal year to be implemented once the 
material weaknesses identified through the annual financial statement 
audits have been resolved. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Count: 100; 
ID. No.: 07-28; 
Recommendation: Provide A-123 review staff appropriate training, such 
as that available for financial auditors, to enhance their skills in 
workpaper documentation, identification and testing of internal 
controls, and evaluation and documentation of results. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Source: IRS updates detailing its actions to address GAO's 
recommendations and GAO's analysis of IRS's actions. 

[End of table] 

[End of section] 

Appendix II: Comments from the Internal Revenue Service: 

Department Of The Treasury: 
Internal Revenue Service: 
Washington, D.C. 20224: 
Deputy Commissioner: 

May 18, 2007: 

Mr. Steven J. Sebastian, Director: 
Financial Management and Assurance: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, D.C. 20548: 

Dear Mr. Sebastian: 

I am writing in response to the draft Government Accountability Office 
(GAO) report titled "Internal Revenue Service: Status of GAO Financial 
Audit and Related Financial Management Report Recommendations" (GAO-07- 
629). 

We are pleased that you acknowledged our progress in addressing our 
financial management challenges and agreed to close 25 of the 72 open 
financial management recommendations from last year's report. You added 
28 new recommendations bringing the total to 75 recommendations 
currently open. 

I appreciate your continued support and commitment to work with the IRS 
to ensure that our corrective actions appropriately address the issues 
identified in your recommendations. If you have any questions, please 
contact Mary E. Davis, Associate Chief Financial Officer for Corporate 
Planning and Internal Control, at (202) 622-2955. 

Sincerely, 

Signed by: 

Linda E. Stiff: 
Deputy Commissioner for Operations Support: 

[End of section] 

Appendix III: Staff Acknowledgments: 

Acknowledgments: 

The following individuals made major contributions to this report: 
Gloria Cano, Stephanie Chen, William J. Cordrey, Nina Crocker, John 
Davis, Charles Ego, Charles Fox, John Gates, Ted Hu, Jerrod O'Nelio, 
John Sawyer, Angel Sharma, Peggy Smith, Cynthia Teddleton, LaDonna 
Towler, Truc Tuck, and Gary Wiggins. 

FOOTNOTES 

[1] Management is responsible for establishing and maintaining internal 
control to achieve the objectives of effective and efficient 
operations, reliable financial reporting, and compliance with 
applicable laws and regulations. Part of the actions required by 
agencies and individual federal managers includes taking proactive 
measures to develop and implement appropriate, cost-effective internal 
control for results-oriented management; to assess the adequacy of 
internal control in federal programs and operations; to identify needed 
improvements; and to take corresponding corrective actions. 

[2] Prior to December 15, 2006, a material weakness was defined as a 
reportable condition that precludes the entity's internal controls from 
providing reasonable assurance that material misstatements in the 
financial statements would be prevented or detected on a timely basis. 
Reportable conditions represent significant deficiencies in the design 
or operation of internal controls that could adversely affect an 
entity's ability to initiate, authorize, record, process, or report 
financial data reliably. In May 2006, the American Institute of 
Certified Public Accountants (AICPA) issued the Statement on Auditing 
Standard (SAS) 112, which became effective for audits of financial 
statements for periods ending on or after December 15, 2006. SAS 112 
established standards and provides guidance on the auditor's 
responsibilities for identifying, evaluating, and communicating matters 
related to an entity's internal control over financial reporting 
identified in an audit of financial statements. Under the new SAS, the 
auditor is required to communicate control deficiencies that are 
significant deficiencies or material weaknesses in internal controls. A 
control deficiency, which is a new term under SAS 112, exists when the 
design or operation of a control does not allow management or 
employees, in the course of performing their assigned functions, to 
prevent or detect misstatements on a timely basis. A material weakness 
is a significant deficiency, or combination of significant 
deficiencies, that results in more than a remote likelihood that a 
material misstatement of the financial statements will not be prevented 
or detected. A significant deficiency is a control deficiency, or 
combination of deficiencies, that adversely affects the entity's 
ability to initiate, authorize, record, process, or report financial 
data reliably in accordance with generally accepted accounting 
principles such that there is more than a remote likelihood that a 
misstatement of the entity's financial statements that is more than 
inconsequential will not be prevented or detected. As a result of SAS 
112, the term reportable condition is no longer used. 

[3] The circular was revised in December 2004. The circular states that 
the revision followed a reexamination of the existing internal control 
requirements for federal agencies that was initiated in light of the 
new internal control requirements for publicly traded companies 
contained in the Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 
Stat. 745 (July 30, 2002). 

[4] GAO, Standards for Internal Control in the Federal Government, GAO/ 
AIMD-00-21.3.1 (November 1999). 

[5] The circular requires agencies and individual federal managers to 
take systematic and proactive measures to (1) develop and implement 
appropriate, cost-effective internal control for results-oriented 
management; (2) assess the adequacy of internal control in federal 
programs and operations; (3) separately assess and document internal 
control over financial reporting consistent with the process defined in 
Appendix A of the circular; (4) identify needed improvements; (5) take 
corresponding corrective action; and (6) report annually on internal 
control through management assurance statements. 

[6] GAO, Internal Control Standards: Internal Control Management and 
Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001). 

[7] GAO, Internal Revenue Service: Status of Recommendations from 
Financial Audits and Related Financial Management Reports, GAO-06-560 
(Washington, D.C.: June 6, 2006). 

[8] GAO, Management Report: Improvements Needed in IRS's Internal 
Controls, GAO-07-689R (Washington, D.C.: May 11, 2007), and Management 
Report: IRS's First Year Implementation of the Requirements of the 
Office of Management and Budget's (OMB) Revised Circular No. A-123, GAO-
07-692R (Washington, D.C.: May 18, 2007). 

[9] We define short-term recommendations as those that could be 
addressed within 2 years at the time we made the recommendation. We 
define long-term recommendations as those expected to require 2 years 
or more to implement at the time we made the recommendation. 

[10] The vast majority of federal tax payments are made for both 
businesses and individuals via the Electronic Federal Tax Payment 
System (EFTPS). 

[11] Information security controls include electronic access controls, 
software change controls, physical security, segregation of duties, and 
service continuity. These controls are designed to ensure that access 
to data is appropriately restricted, that only authorized changes to 
computer programs are made, that physical access to sensitive computing 
resources and facilities is protected, that computer security duties 
are segregated, and that backup and recovery plans are adequate to 
ensure the continuity of essential operations. 

[12] GAO, Information Security: Further Efforts Needed to Address 
Significant Weaknesses at the Internal Revenue Service, GAO-07-364 
(Washington, D.C.: Mar. 30, 2007). 

[13] Most refunds are generated automatically. However, under certain 
circumstances, IRS processes refunds manually to expedite payment. Such 
refunds include those over $10 million, those requested by taxpayers 
for immediate payment due to hardship or emergency, those to 
beneficiaries of deceased taxpayers, and those that need to be 
expedited because IRS is in jeopardy of paying interest for exceeding 
the 45-day limit for processing a return. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts 
newly released reports, testimony, and correspondence on its Web site. 
To have GAO e-mail you a list of newly posted products every afternoon, 
go to www.gao.gov and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 441 G Street NW, Room LM 
Washington, D.C. 20548: 

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 
512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S. 
Government Accountability Office, 441 G Street NW, Room 7125 
Washington, D.C. 20548: 

Public Affairs: 

Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 
U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, D.C. 20548: