This is the accessible text file for GAO report number GAO-10-597 
entitled 'Internal Revenue Service: Status of GAO Financial Audit and 
Related Financial Management Report Recommendations' which was 
released on June 30, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Commissioner of Internal Revenue: 

United States Government Accountability Office:
GAO: 

June 2010: 

Internal Revenue Service: 

Status of GAO Financial Audit and Related Financial Management Report 
Recommendations: 

GAO-10-597: 

GAO Highlights: 

Highlights of GAO-10-597, a report to the Commissioner of Internal 
Revenue. 

Why GAO Did This Study: 

In its role as the nationís tax collector, the Internal Revenue 
Service (IRS) has a demanding responsibility to annually collect 
trillions of dollars in taxes, process hundreds of millions of tax and 
information returns, and enforce the nationís tax laws. Since its 
first audit of IRSís financial statements in fiscal year 1992, GAO has 
identified a number of weaknesses in IRSís financial management 
operations. In related reports, GAO has recommended corrective actions 
to address those weaknesses. 

Each year, as part of the annual audit of IRSís financial statements, 
GAO makes recommendations to address any new weaknesses identified and 
follows up on the status of IRSís efforts to address the weaknesses 
GAO identified in previous yearsí audits. The purpose of this report 
is to (1) provide an overview of the financial management challenges 
still facing IRS, (2) provide the status of financial audit and 
financial managementĖrelated recommendations and the actions needed to 
address them, and (3) highlight the relationship between GAOís 
recommendations and internal control activities central to IRSís 
mission and goals. 

What GAO Found: 

IRS has made progress in improving its internal controls and financial 
management since its first financial statement audit in 1992, as 
evidenced by 10 consecutive years of clean audit opinions on its 
financial statements, the resolution of several material internal 
control weaknesses, and actions resulting in the closure of over 250 
financial management recommendations. This progress has been the 
result of hard work throughout IRS and sustained commitment at the top 
levels of the agency. However, IRS still faces significant financial 
management challenges in (1) resolving its remaining material 
weaknesses in internal control, (2) developing outcome-oriented 
performance metrics, and (3) correcting numerous other internal 
control issues, especially those relating to safeguarding tax receipts 
and taxpayer information. At the beginning of GAOís audit of IRSís 
fiscal year 2009 financial statements, 62 financial managementĖrelated 
recommendations from prior audits remained open because IRS had not 
fully addressed the issues that gave rise to them. During the fiscal 
year 2009 financial audit, IRS took actions that GAO considered 
sufficient to close 18 recommendations. At the same time, GAO 
identified additional internal control issues resulting in 41 new 
recommendations. In total, 85 recommendations remain open. 

To assist IRS in evaluating and improving internal controls, GAO 
categorized the 85 open recommendations by various internal control 
activities, which, in turn, were grouped into three broad control 
categories. 

Table: Summary of Open Recommendations by Control Category: 

Safeguarding of assets and security activities: 
Open at the beginning of 2009: 20; 
Closed during 2009 audit: 5; 
New from 2009 audit: 4; 
Total remaining open: 19. 

Proper recording and documenting of transactions: 
Open at the beginning of 2009: 24; 
Closed during 2009 audit: 8; 
New from 2009 audit: 23; 
Total remaining open: 39. 

Effective management review and oversight: 
Open at the beginning of 2009: 18; 
Closed during 2009 audit: 5; 
New from 2009 audit: 14; 
Total remaining open: 27. 

Total: 
Open at the beginning of 2009: 62; 
Closed during 2009 audit: 18; 
New from 2009 audit: 41; 
Total remaining open: 85. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

The continued existence of internal control weaknesses that gave rise 
to these recommendations represents a serious obstacle that IRS needs 
to overcome. Effective implementation of GAOís recommendations can 
greatly assist IRS in improving its internal controls and achieving 
sound financial management and can help enable it to more effectively 
carry out its tax administration responsibilities. Most can be 
addressed in the short term (the next 2 years). However, a few 
recommendations, particularly those concerning the functionality of IRSí
s automated systems, are complex and will require several more years 
to effectively address. 

What GAO Recommends: 

GAO is not making any recommendations in this report. In commenting on 
a draft report, IRS stated that it is committed to implementing 
appropriate improvements to maintain sound financial management 
practices. 

View [hyperlink, http://www.gao.gov/products/GAO-10-597] or key 
components. For more information, contact Steven J. Sebastian at (202) 
512-3406 or sebastians@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Scope and Methodology: 

IRS Faces Significant Financial Management Challenges: 

Status of Recommendations Based on the Fiscal Year 2009 Financial 
Statement Audit: 

Open Recommendations Grouped by Internal Control Activity: 

Concluding Observations: 

Agency Comments and Our Evaluation: 

Appendix I: Status of GAO Recommendations from Internal Revenue 
Service Financial Audits and Related Management Reports: 

Appendix II: Open Recommendations Arranged by Material Weakness, 
Compliance, or Other Control Issue: 

Appendix III: Comments from the Internal Revenue Service: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Summary of Open Recommendations: 

Table 2: Recommendations to Improve IRS's Physical Controls over 
Vulnerable Assets: 

Table 3: Recommendations to Improve IRS's Segregation of Duties: 

Table 4: Recommendations to Improve IRS's Access Restrictions to and 
Accountability for Resources and Records: 

Table 5: Recommendations to Improve IRS's Documentation of 
Transactions and Internal Control: 

Table 6: Recommendations to Improve IRS's Accurate and Timely 
Recording of Transactions and Events: 

Table 7: Recommendations to Improve IRS's Execution of Transactions 
and Events: 

Table 8: Recommendations to Improve IRS's Reviews by Management at the 
Functional or Activity Level: 

Table 9: Recommendations to Improve IRS's Establishment and Review of 
Performance Measures and Indicators: 

Table 10: Recommendations to Improve IRS's Management of Human Capital: 

Table 11: Recommendations to Improve Top-Level Reviews of Actual 
Performance: 

Table 12: Recommendations Not Previously Reported as Closed: 

Table 13: Material Weakness: Controls over Unpaid Assessments: 

Table 14: Compliance with Laws and Regulations: Timely Release of 
Liens: 

Table 15: Other Control Issues Not Associated with a Material Weakness 
or Significant Deficiency: 

Abbreviations: 

ATFR: Automated Trust Fund Recovery: 

CCTV: Closed Circuit Television: 

CDDB: Custodial Detail Data Base: 

CFO: Chief Financial Office: 

CIMIS: Criminal Investigation Management Information System: 

FASAB: Financial Accounting Standards Advisory Board: 

FFMIA: Federal Financial Management Improvement Act of 1996: 

FFMSR: Federal Financial Management System Requirements: 

FISMA: Federal Information Security Management Act of 2002: 

FMFIA: Federal Managers' Financial Integrity Act of 1982: 

IFS: Integrated Financial System: 

IRACS: Interim Revenue and Accounting Control System: 

IRM: Internal Revenue Manual: 

IRS: Internal Revenue Service: 

ITAMS: Information Technology Asset Management System: 

LMSB: Large and Mid-sized Business: 

NFC: National Finance Center: 

OMB: Office of Management and Budget: 

P&E: Property and Equipment: 

RRACS: Redesign Revenue Accounting Control System: 

SB/SE: Small Business/Self Employed: 

SCC: Service Center Campus: 

SGL: Standard General Ledger: 

SP: Submission Processing: 

TAC: Taxpayer Assistance Center: 

TE/GE: Tax Exempt and Government Entities: 

TFRP: Trust Fund Recovery Penalty: 

Treasury: Department of the Treasury: 

W&I: Wage and Investment: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

June 30, 2010: 

The Honorable Douglas H. Shulman: 
Commissioner of Internal Revenue: 

Dear Mr. Shulman: 

In its role as the nation's tax collector, the Internal Revenue 
Service (IRS) has a demanding responsibility to collect taxes, process 
tax returns, and enforce the nation's tax laws. In fiscal year 2009, 
IRS collected about $2.3 trillion in tax payments, processed hundreds 
of millions of tax and information returns, and paid about $438 
billion in refunds to taxpayers. Because of its role and overall 
mission, IRS's activities affect virtually all of the nation's 
citizens. It is therefore critical that the agency strive to maintain 
sound internal control and financial management practices. 

IRS has made much progress in improving its financial management since 
it was first required to prepare a set of financial statements nearly 
two decades ago. This progress is reflected in IRS's 10-year record of 
obtaining a clean audit opinion on its financial statements and 
correcting several material internal control weaknesses[Footnote 1] 
and significant deficiencies[Footnote 2] in internal controls over the 
years. At the same time, IRS continues to face significant financial 
management challenges in achieving the overarching goals of federal 
financial management--accountability and useful management 
information. To enable more effective financial and operational 
management, IRS needs to (1) address its remaining long-standing 
material internal control weaknesses, (2) develop data and performance 
metrics that will enhance its ability to manage for outcomes, and (3) 
implement corrective actions to address other identified internal 
control issues. 

An agency's internal control serves as the first line of defense in 
safeguarding its assets and in preventing and detecting errors and 
fraud, as well as in helping to effectively manage its stewardship 
over public resources.[Footnote 3] For many years, IRS has had 
weaknesses in internal controls over fundamental elements of its 
operations that leave it vulnerable to a greater risk of fraud, waste, 
abuse, and mismanagement. Specifically, during our audit of IRS's 
fiscal year 2009 financial statements,[Footnote 4] we found that IRS 
continued to be challenged with two long-standing material weaknesses 
in internal control that are at the heart of its operations--
weaknesses in internal controls over unpaid tax assessments[Footnote 
5] and over information systems security. We also found that IRS faces 
a significant management challenge in enhancing and using its 
financial management capabilities to develop outcome-oriented 
performance metrics[Footnote 6] critical to providing the foundation 
upon which an agency can manage its operations for outcomes. Finally, 
we found that IRS has other internal control issues that need 
management attention, especially those that relate to safeguarding tax 
receipts and taxpayer information. 

To assist IRS in strengthening its internal controls and improving its 
operations, we have made numerous recommendations as part of our prior 
annual financial statement audits and other financial management- 
related work at IRS. This report (1) provides an overview of financial 
management challenges still facing IRS; (2) describes the status of 
financial audit and financial management-related recommendations and 
the actions needed to address them, as presented in appendix I; and 
(3) discusses how the unresolved recommendations relate to control 
activities central to IRS's mission and goals. To assist IRS in 
addressing those control activities, appendix II provides summary 
information regarding the primary internal control issue to which each 
open recommendation is related. This report does not include our 
recommendations related to information systems security even though 
they also are the result of our annual financial audits and are 
financial management-related; those recommendations are reported 
separately because of the sensitive nature of many of the issues that 
give rise to the recommendations.[Footnote 7] We are not making any 
new recommendations in this report. 

Our work was performed from December 2009 through May 2010 in 
accordance with generally accepted government auditing standards. For 
further details regarding our approach to this audit, see the Scope 
and Methodology section. 

Background: 

Internal control is not one event, but a series of activities that 
occur throughout an entity's operations and on an ongoing basis. 
Internal control should be an integral part of each system that 
management uses to regulate and guide its operations rather than as a 
separate system within an agency. In this sense, internal control is 
management control that is built into the entity as a part of its 
infrastructure to help managers run the entity and achieve their goals 
on an ongoing basis. 

Section 3512 (c), (d) of Title 31, U.S. Code, commonly known as the 
Federal Managers' Financial Integrity Act of 1982 (FMFIA), requires 
agencies to establish and maintain effective internal control. The 
agency head must annually evaluate and report on the control and 
financial systems that protect the integrity of its federal programs. 
The requirements of FMFIA serve as an umbrella under which other 
reviews, evaluations, and audits should be coordinated and considered 
to support management's assertion about the effectiveness of internal 
control over operations, financial reporting, and compliance with laws 
and regulations. 

Office of Management and Budget (OMB) Circular No. A-123, Management's 
Responsibility for Internal Control, provides the implementing 
guidance for FMFIA, and prescribes the specific requirements for 
assessing and reporting on internal controls consistent with the 
Standards for Internal Control in the Federal Government (internal 
control standards) issued by the Comptroller General of the United 
States.[Footnote 8] The circular defines management's responsibilities 
related to internal control and the process for assessing internal 
control effectiveness, and provides specific requirements for 
conducting management's assessment of the effectiveness of internal 
control over financial reporting. Specifically, the circular requires 
management to annually provide assurances on internal control in its 
performance and accountability report, and, for each of the 24 Chief 
Financial Officers (CFO) Act[Footnote 9] agencies, to include a 
separate assurance on internal control over financial reporting, along 
with a report on identified material weaknesses and corrective 
actions.[Footnote 10] The circular also emphasizes the need for 
integrated and coordinated internal control assessments that 
synchronize all internal control-related activities. 

FMFIA requires GAO to issue standards for internal control in the 
federal government. The internal control standards provide the overall 
framework for establishing and maintaining effective internal control 
and for identifying and addressing major performance and management 
challenges and areas at greatest risk of fraud, waste, abuse, and 
mismanagement. 

As summarized in the internal control standards, internal control in 
the government is defined by the following five elements, which also 
provide the basis against which internal controls are to be evaluated: 

* Control environment: Management and employees should establish and 
maintain an environment throughout the organization that sets a 
positive and supportive attitude toward internal control and 
conscientious management. 

* Risk assessment: Internal control should provide for an assessment 
of the risks the agency faces from both external and internal sources. 

* Control activities: Internal control activities help ensure that 
management's directives are carried out. The control activities should 
be effective and efficient in accomplishing the agency's control 
objectives. 

* Information and communication: Information should be recorded and 
communicated to management and others within the entity who need it 
and in a form and within a time frame that enables them to carry out 
their internal control and other responsibilities. 

* Monitoring: Internal control monitoring should assess the quality of 
performance over time and ensure that the findings of audits and other 
reviews are promptly resolved. 

A key objective in our annual audits of IRS's financial statements is 
to obtain reasonable assurance that IRS maintained effective internal 
control with respect to financial reporting. While we use all five 
elements of internal control as a basis for evaluating the 
effectiveness of IRS's internal controls, our ongoing evaluations and 
tests have focused heavily on control activities, where we have 
identified numerous internal control weaknesses and have provided 
recommendations for corrective action. Control activities are the 
policies, procedures, techniques, and mechanisms that enforce 
management's directives. In other words, they are the activities 
conducted in the everyday course of business that are intended to 
accomplish a control objective, such as ensuring IRS employees 
successfully complete background checks prior to being granted access 
to taxpayer information and receipts. As such, control activities are 
an integral part of an entity's planning, implementing, reviewing, and 
accountability for stewardship of government resources and achievement 
of effective results. 

Scope and Methodology: 

To accomplish our objectives, we evaluated the effectiveness of 
corrective actions IRS implemented during fiscal year 2009 in response 
to open recommendations as part of our fiscal years 2009 and 2008 
financial audits. To determine the current status of the 
recommendations, we (1) obtained IRS's reported status of each 
recommendation and corrective action taken or planned as of April 
2010, (2) compared IRS's reported status to our fiscal year 2009 audit 
findings to identify any differences between IRS's and our conclusions 
regarding the status of each recommendation, and (3) performed 
additional follow-up work to assess IRS's actions taken to address the 
open recommendations. For our recommendations to IRS regarding 
information security, this report includes only summary data on the 
number of those recommendations and their general nature. We have 
reported the objectives and results of our information security work 
separately to IRS because of the sensitive nature of many of the 
issues identified for which we have made recommendations for 
corrective action.[Footnote 11] 

In order to determine how IRS's open recommendations, including the 
latest ones in our June 2010 management report,[Footnote 12] fit 
within the agency's management and internal control structure, we 
compared the open recommendations and the issues that gave rise to 
them to the (1) control activities listed in the internal control 
standards, (2) list of major factors and examples outlined in our 
Internal Control Management and Evaluation Tool,[Footnote 13] and (3) 
criteria and objectives for federal financial management as discussed 
in the CFO Act of 1990 and the Federal Accounting Standards Advisory 
Board's (FASAB) Statement of Federal Financial Accounting Concepts No. 
1, Objectives of Federal Financial Reporting.[Footnote 14] We also 
considered whether IRS had addressed, in whole or in part, the 
underlying control issues that gave rise to the recommendations; and 
other legal requirements and implementing guidance, such as OMB 
Circular No. A-123 and FMFIA. 

Our work was performed from December 2009 through May 2010 in 
accordance with generally accepted government auditing standards. 

IRS Faces Significant Financial Management Challenges: 

IRS continues to make progress in resolving its internal control 
weaknesses and addressing outstanding recommendations, but it still 
faces significant financial management challenges. Since we first 
began auditing IRS's financial statements in fiscal year 1992, IRS has 
taken a significant number of actions that enabled us to eliminate 
several material weaknesses and significant deficiencies and to close 
over 250 of our previously reported financial management-related 
recommendations. This includes 18 recommendations we are closing with 
this report based on actions IRS took through April 2010. 
Nevertheless, IRS continues to face significant challenges in 
improving the effectiveness of its financial and operational 
management. Specifically, IRS continues to face management challenges 
in (1) resolving its two remaining material weaknesses in internal 
control, (2) developing performance measures and managing for 
outcomes, and (3) addressing its remaining internal control issues, 
particularly those dealing with safeguarding of taxpayer receipts and 
information. Further, as in previous years' audits, our fiscal year 
2009 audit continued to identify additional internal control issues, 
resulting in 41 new recommendations for corrective action we discussed 
in detail in our June 2010 management report to IRS.[Footnote 15] In 
addition, as noted earlier, we also identified several issues related 
to information security during our fiscal year 2009 audit that we 
reported separately because of the sensitive nature of many of those 
issues.[Footnote 16] 

Challenges in Resolving Two Long-standing Material Internal Control 
Weaknesses: 

As we reported in our audit of IRS's fiscal year 2009 financial 
statements,[Footnote 17] IRS's efforts to address its internal control 
weaknesses resulted in our closure of a material weakness in internal 
control over financial reporting and a significant deficiency in 
internal control over tax revenue and refunds. However, as we also 
reported in that audit, IRS continues to face significant challenges 
in resolving its two remaining material weaknesses in internal control 
concerning (1) unpaid tax assessments[Footnote 18] and (2) information 
security. 

IRS's continuing challenge in addressing its material weakness in 
internal control over unpaid tax assessments results from its (1) 
inability to use its core general ledger system for tax administration-
related transactions to support its reported balances for taxes 
receivable and other unpaid assessments, (2) lack of a subsidiary 
ledger for unpaid tax assessments that would allow it to produce 
reliable, useful, and timely information with which to manage and 
report externally on these key transactions, and (3) errors and delays 
in recording taxpayer information, payments, and other activities. 
These control deficiencies impede IRS's ability to properly manage and 
routinely report certain information on unpaid tax assessments and 
lead to increased taxpayer burden. 

IRS's continuing challenge in addressing its material weakness in 
internal control over information security is primarily due to IRS not 
having fully implemented its information security program. As we 
reported in our audit of IRS's fiscal year 2009 financial statements, 
IRS has not (1) restricted users' ability to bypass application 
controls, (2) removed separated employees' system access in a timely 
manner, (3) followed required procedures to timely review employee 
access to sensitive areas at data centers, (4) restricted system 
access to only those who needed it, (5) instituted adequate separation 
of duties for its procurement system, and (6) developed adequate 
encryption controls over user login. IRS's deficiencies in internal 
control over information security result in IRS's inability to rely on 
the controls embedded in its automated financial management systems to 
provide reasonable assurance that its (1) financial statements are 
fairly stated in accordance with U.S. generally accepted accounting 
principles, (2) financial information that management relies on to 
support day-to-day decision making is current, complete, and accurate, 
and (3) proprietary information processed by these automated systems 
is appropriately safeguarded. These deficiencies also increase the 
risk that unauthorized individuals could access, alter, or abuse 
proprietary IRS programs and electronic data and taxpayer information 
without detection. 

We have made numerous recommendations to IRS over the years--including 
new recommendations resulting from our fiscal year 2009 financial 
audit--to address the issues constituting these two material internal 
control weaknesses. Successfully implementing these recommendations 
would assist IRS in fully resolving these weaknesses. To its credit, 
IRS continues to work to address the issues underlying these two 
material weaknesses. 

Challenges in Developing and Implementing Performance Metrics to 
Assist in Managing for Outcomes: 

As we reported in our audit of IRS's fiscal year 2009 financial 
statements,[Footnote 19] IRS continues to face significant challenges 
in developing and instutionalizing the use of financial management 
information to assist it in making operational decisions and in 
measuring the effectiveness of its programs. IRS's management has not 
developed the data or outcome-oriented performance measures that would 
enhance its ability to manage for outcomes.[Footnote 20] For example, 
it has not integrated the use of cost-based (and when appropriate, 
revenue-based) performance metrics into its routine management and 
decision-making processes or externally reported performance 
metrics.[Footnote 21] Although IRS has developed projected return on 
investment estimates for new enforcement (tax collection) initiatives 
in its annual budget submissions, it has not developed similar outcome-
oriented performance metrics to determine whether funded initiatives 
achieve their estimated goals. IRS has also not developed outcome- 
oriented performance metrics for its existing enforcement programs. 
These limitations inhibit IRS's ability to more fully assess and 
monitor the relative merits of its existing programs, to evaluate new 
initiatives, or to consider alternatives and adjust its strategies as 
needed. Outcome-oriented performance metrics based on specific 
enforcement programs' costs and revenues should improve IRS's ability 
to (1) establish measurable outcome goals, (2) evaluate the relative 
merits of various program options, and (3) highlight opportunities for 
optimizing the allocation of resources. They can also help IRS more 
credibly demonstrate to Congress and the public that it is spending 
its appropriations wisely. 

IRS's existing metrics focus on process-oriented workload measures of 
program outputs[Footnote 22] rather than on measuring program 
outcomes. For example, for its enforcement programs, IRS focuses on 
measuring discrete activities within its overall tax collection 
efforts, such as the percentage of various types of tax returns 
examined, criminal investigations completed, and the number of tax 
returns examined and closed. While such output measures can be useful 
elements in assessing performance, they are not designed to measure 
the contribution each of these activities makes to the collection of 
unpaid taxes, nor do they compare the cost of collection activities to 
the tax revenue generated. IRS's enforcement metrics do not include 
revenue collected--a measure of outcome--compared to the cost of 
collection that could show the net monetary benefits of the 
enforcement programs. In addition, IRS's publicly available 
performance metrics do not measure the cost of IRS's programs either 
in the aggregate or per service or activity performed.[Footnote 23] 

As we report in the "Status per IRS" section of appendix I in this 
report, IRS has reported that it considers our recommendation to 
develop outcome-oriented performance measures and related performance 
goals for IRS's enforcement programs and activities to be closed. 
[Footnote 24] We do not agree. Part of IRS's justification for closing 
the recommendation is that IRS uses cost-benefit return on investment 
analysis to evaluate future scenarios and to support funding requests 
for new initiatives in its annual budget submissions. Such prospective 
return on investment information is useful for budgetary decision 
making, but our recommendation is for IRS to develop outcome data on 
the actual results of its programs and activities. We have also 
previously recommended that IRS (1) extend the use of return on 
investment in future budget proposals to include major enforcement 
programs and (2) develop return on investment data for its enforcement 
programs using actual revenue and full cost data and compare actual 
results to the projected return on investment data included in its 
budget request.[Footnote 25] Our recommendations regarding development 
of outcome-oriented performance metrics remain open because, as noted 
above, IRS does not develop such data for either funded initiatives or 
for ongoing enforcement programs and activities and it has not 
deployed outcome-oriented performance measures. 

IRS also reported that return on investment information is but one 
tool that can be utilized to improve resource-allocation decision 
making, and it is not prudent to rely exclusively on return on 
investment as the sole determinant of resource allocation. As we have 
reported previously,[Footnote 26] we acknowledge that IRS must 
consider other factors besides maximizing revenue collection and least-
cost operations. The fairness of IRS's implementation of the tax code 
and treatment of all taxpayers are important, and we are cognizant of 
the many factors, such as coverage, that are important considerations 
when making resource-allocation decisions. These factors, and the 
decisions IRS makes about how to respond to them, have a significant 
effect on taxpayers, as well as on tax collections. However, using 
full cost and collection outcome-oriented performance metrics are also 
important to make optimum use of its available resources and to be 
able to credibly demonstrate it is doing so to Congress and the public. 

For several years, IRS has been developing full cost data on its 
programs and activities in response to a recommendation we made in 
1999.[Footnote 27] However, as we have reported in the past,[Footnote 
28] IRS's efforts have been slowed because IRS cannot produce full 
cost information[Footnote 29] down to the program and activity levels 
[Footnote 30] directly from its cost accounting system, the Integrated 
Financial System (IFS).[Footnote 31] IRS has partially overcome this 
difficulty by developing the ability to manually combine cost data 
from IFS with personnel time-charge data from IRS's various workload 
management systems and revenue data for enforcement programs to 
develop full cost (and revenue) information for selected programs. 

IRS's lack of outcome-oriented performance metrics is inconsistent 
with federal financial management concepts as embodied in FASAB's 
Statement of Federal Financial Accounting Concepts No. 1, Objectives 
of Federal Financial Reporting.[Footnote 32] In its discussion of 
financial reporting concepts, FASAB notes that federal financial data 
should provide accountability and decision-useful information on the 
costs of programs and the outputs and outcomes achieved, and it should 
provide data for evaluating service efforts, costs, and 
accomplishments.[Footnote 33] 

The absence of outcome metrics is also inconsistent with the 
objectives of the CFO Act of 1990. A key objective of the act was for 
agencies to routinely develop and use appropriate financial management 
information to evaluate program effectiveness, make fully informed 
operational decisions, and ensure accountability. While obtaining a 
clean audit opinion on its financial statements is important in 
itself, it is not the end goal reflected in the act. The end goal is 
modern financial management systems that provide reliable, timely, and 
useful financial information to support day-to-day decision making and 
oversight. Such systems and practices should also provide for the 
systematic measurement of both outputs and outcomes. 

Developing the data and performance metrics necessary for a more 
outcome-oriented approach to managing operations requires active and 
sustained senior management leadership. We acknowledge that without 
the benefit of integrated financial management systems, IRS faces 
significant challenges in developing outcome-oriented performance 
metrics, including the data needed for such metrics. However, 
undertaking such an effort agencywide will enhance IRS's ability to 
effectively measure and compare the benefits of its programs to make 
better informed resource-allocation decisions and to better support 
its budget requests. 

We have made several recommendations to IRS over the years to address 
its financial management challenges in developing full cost data for 
its programs and activities and for outcome-oriented performance 
measures. Successfully addressing the remaining open recommendations 
would enhance IRS's ability to effectively manage for outcomes. 

Challenges in Resolving Other Internal Control Issues: 

As discussed earlier, IRS has taken significant actions over the years 
to resolve internal control weaknesses and this has enabled us to 
close over 250 internal control-related recommendations. The closure 
of such a high number of recommendations indicates that IRS has a 
strong commitment to improving its internal control. However, IRS also 
continues to face a challenge in addressing numerous other unresolved 
internal control issues in several aspects of its operations that, 
while neither individually nor collectively representing a material 
weakness, nonetheless merit management attention to ensure they are 
fully and effectively addressed. IRS now has a total of 70 open audit 
recommendations resulting from internal control issues that we report 
as "other control issues" in appendix II of this report. While most 
were identified during our recent financial audits, some were 
identified in our audits as far back as 1999 and 2001. 

Over half of those 70 open recommendations address issues related to 
the physical safeguarding of tax receipts and taxpayer information, a 
critical aspect of IRS's responsibilities. IRS processes billions of 
dollars annually in checks and currency and other valuable assets, and 
it must physically safeguard and account for them to prevent theft, 
fraud, and misuse. To do so, IRS has established physical security, 
accountability, and accounting policies, processes, and procedures to 
manage its activities involving the transportation and accounting for 
tax receipts and for handling and storing taxpayer information. 
Although IRS has made substantial improvements in safeguarding 
taxpayer receipts and information since our financial audits first 
began surfacing serious internal control issues in this area, the task 
of ensuring ongoing control over such critical responsibilities for 
IRS is a difficult one. Each year, we continue to identify control 
issues related to IRS's safeguarding of taxpayer receipts and 
information. For example, based on our fiscal year 2009 audit, we 
identified new internal control issues and made 19 additional 
recommendations that related either directly or indirectly to the 
physical safeguarding of taxpayer receipts and information. The 
internal control issues encompassed in our recommendations cover 
critical physical security functions, such as: 

* transporting taxpayer receipts and sensitive taxpayer information 
among IRS facilities and lockbox banks[Footnote 34] and maintaining 
physical security at IRS facilities to prevent loss, theft, or the 
potential for fraud regarding tax receipts and taxpayer information; 

* conducting inspections and audits of the design and operation of 
IRS's physical security processes and controls designed to safeguard 
tax receipts and taxpayer information; 

* conducting appropriate background investigations and screening of 
personnel, including contractors, with access to IRS facilities and 
lockbox bank operations; and: 

* ensuring the proper destruction of documents to prevent the 
inappropriate release of sensitive taxpayer information. 

Due to the volume of taxpayer receipts and sensitive taxpayer files 
that IRS is responsible for safeguarding, and the implications for 
IRS's mission if they are lost, stolen, or the subject of fraud or 
misuse, it is critical that IRS successfully resolve the internal 
control issues we have identified and work toward continually 
improving its internal controls to prevent new issues from arising. 

Status of Recommendations Based on the Fiscal Year 2009 Financial 
Statement Audit: 

In June 2009, we issued a report on the status of IRS's efforts to 
implement corrective actions to address financial management 
recommendations stemming from our fiscal year 2008 and prior year 
financial audits and other financial management-related work.[Footnote 
35] In that report, we identified 62 audit recommendations that 
remained open and thus required corrective action by IRS. A 
significant number of these recommendations had been open for several 
years, either because IRS had not taken corrective action or because 
the actions taken had not yet effectively resolved the issues that 
gave rise to the recommendations. 

IRS continued to work to address many of the internal control issues 
to which these open recommendations relate. In the course of 
performing our fiscal year 2009 financial audit, we identified 
numerous actions IRS took to address many of its internal control 
issues. On the basis of IRS's actions, which we were able to 
substantiate through our audit, we have closed 18 of these prior 
years' recommendations. However, a total of 44 recommendations from 
prior years remain open, a significant number of which have been 
outstanding for several years. IRS considers another 21 of the prior 
years' recommendations to be effectively addressed and therefore 
closed. However, we consider them to remain open. For 14 of the 21, in 
our view, IRS's actions did not fully address the issue that gave rise 
to the recommendations. For the remaining seven, we have not yet been 
able to verify the effectiveness of IRS's actions. (See app. I, 
"Status per GAO," for our assessment of IRS's actions on each 
recommendation). 

During our audit of IRS's fiscal year 2009 financial statements, we 
identified additional issues that require corrective action. In our 
June 2010 management report to IRS,[Footnote 36] we discussed these 
issues, and made 41 new recommendations to address them. Consequently, 
a total of 85 financial management-related recommendations need to be 
addressed--44 from prior years and 41 new ones from our fiscal year 
2009 audit. We consider all of the new recommendations to be short- 
term.[Footnote 37] We also consider the majority of the 
recommendations outstanding from prior years to be short-term; 
however, a few, particularly those concerning the functionality of 
IRS's automated systems, are complex and will require several more 
years to fully and effectively address. 

In addition to the 85 open recommendations from our financial audits 
and other financial management-related work, there are 88 additional 
open recommendations stemming from our assessment of IRS's information 
security controls over key financial systems, information, and 
interconnected networks conducted as an integral part of our annual 
financial audits. The issues that led to our previously reported and 
our newly identified recommendations related to information security 
increase the risk of unauthorized disclosure, modification, or 
destruction of financial and sensitive taxpayer data. Collectively, 
they constitute IRS's material weakness in internal control over 
information security for its financial and tax processing systems. As 
discussed earlier in this report, recommendations resulting from the 
information security issues identified in our annual audits of IRS's 
financial statements are reported separately because of the sensitive 
nature of many of these issues.[Footnote 38] 

Appendix I presents a combined listing of (1) the 62 non-information- 
systems security-related recommendations based on our financial 
statement audits and other financial management-related work that we 
had not previously reported as closed and the 41 new recommendations 
based on our fiscal year 2009 financial audit, (2) IRS-reported 
corrective actions taken or planned as of April 2010, and (3) our 
analysis of whether the issues that gave rise to the recommendations 
have been effectively addressed, based primarily on the work performed 
during our fiscal year 2009 financial statement audit. The appendix 
lists the recommendations by the date on which the recommendation was 
made and by report number. Appendix II presents the open 
recommendations arranged by related material weakness and compliance 
issue as described in our opinion report on IRS's financial 
statements,[Footnote 39] as well as other control issues we have 
identified and discussed in our annual management reports to IRS. 
[Footnote 40] 

Open Recommendations Grouped by Internal Control Activity: 

Linking the open recommendations from our financial audits and other 
financial management-related work, and the issues that gave rise to 
them, to internal control activities that are central to IRS's tax 
administration responsibilities provides insight regarding their 
significance. 

Internal control standards consist of five elements--control 
environment, risk assessment, control activities, information and 
communication, and monitoring.[Footnote 41] For the control activities 
element, the internal control standards explain that an agency's 
system of internal control should provide for an assessment of the 
risks the agency faces from both external and internal sources and 
that internal control activities help ensure that management's 
directives are carried out. The control activities should be effective 
and efficient in accomplishing the agency's control objectives. The 
control activities element defines 11 specific control activities, 
which we have grouped into three categories, as shown in table 1. Each 
of the unresolved recommendations from our financial audits and 
financial management-related work, and the underlying issues that gave 
rise to them, can be traced to 1 of the 11 specific control activities 
as shown in table 1. 

Table 1: Summary of Open Recommendations: 

Safeguarding of assets and security activities: 

Control activity: Physical control over vulnerable assets; 
Open at the beginning of 2009: 11; 
Closed during 2009 audit: 2; 
New from 2009 audit: 2; 
Total remaining open: 11; 
Percentage: 13. 

Control activity: Segregation of duties; 
Open at the beginning of 2009: 3; 
Closed during 2009 audit: 1; 
New from 2009 audit: 1; 
Total remaining open: 3; 
Percentage: 3. 

Control activity: Controls over information processing; 
Open at the beginning of 2009: 1; 
Closed during 2009 audit: 1; 
New from 2009 audit: 0; 
Total remaining open: 0; 
Percentage: 0. 

Control activity: Access restrictions to and accountability for 
resources and records; 
Open at the beginning of 2009: 5; 
Closed during 2009 audit: 1; 
New from 2009 audit: 1; 
Total remaining open: 5; 
Percentage: 6. 

Safeguarding of assets and security activities: Subtotal; 
Open at the beginning of 2009: 20; 
Closed during 2009 audit: 5; 
New from 2009 audit: 4; 
Total remaining open: 19; 
Percentage: 22. 

Proper recording and documenting of transactions: 

Control activity: Appropriate documentation of transactions and 
internal controls; 
Open at the beginning of 2009: 9; 
Closed during 2009 audit: 1; 
New from 2009 audit: 10; 
Total remaining open: 18; 
Percentage: 21. 

Control activity: Accurate and timely recording of transactions and 
events; 
Open at the beginning of 2009: 12; 
Closed during 2009 audit: 5; 
New from 2009 audit: 13; 
Total remaining open: 20; 
Percentage: 24. 

Control activity: Proper execution of transactions and events; 
Open at the beginning of 2009: 3; 
Closed during 2009 audit: 2; 
New from 2009 audit: 0; 
Total remaining open: 1; 
Percentage: 1. 

Proper recording and documenting of transactions: Subtotal; 
Open at the beginning of 2009: 24; 
Closed during 2009 audit: 8; 
New from 2009 audit: 23; 
Total remaining open: 39; 
Percentage: 46. 

Effective management review and oversight: 

Control activity: Reviews by management at the functional or activity 
level; 
Open at the beginning of 2009: 13; 
Closed during 2009 audit: 5; 
New from 2009 audit: 7; 
Total remaining open: 15; 
Percentage: 18. 

Control activity: Establishment and review of performance measures and 
indicators; 
Open at the beginning of 2009: 3; 
Closed during 2009 audit: 0; 
New from 2009 audit: 0; 
Total remaining open: 3; 
Percentage: 4. 

Control activity: Management of human capital; 
Open at the beginning of 2009: 2; 
Closed during 2009 audit: 0; 
New from 2009 audit: 6; 
Total remaining open: 8; 
Percentage: 9. 

Control activity: Top-level reviews of actual performance; 
Open at the beginning of 2009: 0; 
Closed during 2009 audit: 0; 
New from 2009 audit: 1; 
Total remaining open: 1; 
Percentage: 1. 

Effective management review and oversight: Subtotal; 
Open at the beginning of 2009: 18; 
Closed during 2009 audit: 5; 
New from 2009 audit: 14; 
Total remaining open: 27; 
Percentage: 32. 

Control activity: Total; 
Open at the beginning of 2009: 62; 
Closed during 2009 audit: 18; 
New from 2009 audit: 41; 
Total remaining open: 85; 
Percentage: 100. 

Source: GAO analysis of the status of financial management 
recommendations made to IRS. 

[End of table] 

As table 1 indicates, 19 (22 percent) of the unresolved 
recommendations relate to IRS's controls over safeguarding of assets 
and security activities, 39 (46 percent) relate to issues associated 
with IRS's ability to properly record and document transactions, and 
27 (32 percent) relate to issues associated with IRS's management 
review and oversight.[Footnote 42] 

On the following pages, we group the 85 open recommendations under the 
specific control activity to which the condition that gave rise to 
them most appropriately fits. We define each control activity as 
presented in the internal control standards and briefly identify some 
of the key IRS operations that fall under that control activity. 
Although not comprehensive, the descriptions are intended to help 
explain why actions to strengthen these control activities are 
important for IRS to efficiently and effectively carry out its overall 
mission. Each control activity description includes a table of the 
related open recommendations. The tables list the recommendations by 
the year in which we made them (ID no.). For each recommendation, we 
also indicate whether it is a short-term or long-term recommendation. 
We characterized a recommendation as short-term when we believe that 
IRS had the capability to implement solutions within 2 years of the 
year in which we first reported them. 

Safeguarding of Assets and Security Activities: 

Given IRS's mission, the sensitivity of the data it maintains, and its 
processing of trillions of dollars of tax receipts each year, one of 
the most important control activities at IRS is the safeguarding of 
assets. Internal control in this important area should be designed to 
provide reasonable assurance regarding prevention or prompt detection 
of unauthorized acquisition, use, or disposition of an agency's 
assets. IRS has outstanding recommendations in the following three 
control activities in the internal control standards that relate to 
safeguarding of assets (including buildings and equipment as well as 
tax receipts) and security activities (such as limiting access to only 
authorized personnel): (1) physical control over vulnerable assets; 
(2) segregation of duties; and (3) access restrictions to, and 
accountability for, resources and records. 

Physical Control over Vulnerable Assets: 

Internal control standard: An agency must establish physical control 
to secure and safeguard vulnerable assets. Examples include security 
for and limited access to assets such as cash, securities, 
inventories, and equipment which might be vulnerable to risk of loss 
or unauthorized use. Such assets should be periodically counted and 
compared to control records. 

Of the trillions of dollars in taxes that IRS collects each year, 
hundreds of billions is collected in the form of checks and cash 
accompanied by tax returns and related information.[Footnote 43] IRS 
collects taxes both at its own facilities as well as at lockbox 
banks.[Footnote 44] IRS acts as custodian for (1) the tax payments it 
receives until they are deposited in the General Fund of the U.S. 
Treasury and (2) the tax returns and related information it receives 
until they are either sent to the Federal Records Center or destroyed. 
IRS is also charged with controlling many other assets, such as 
computers and other equipment, but it is IRS's legal responsibility to 
safeguard tax returns and the confidential information taxpayers 
provided on those returns that makes the effectiveness of IRS's 
internal controls over physical security essential. 

While effective physical safeguards over receipts should exist 
throughout the year, such safeguards are especially important during 
the peak tax filing season. Each year during the weeks preceding and 
shortly after April 15, an IRS service center[Footnote 45] or lockbox 
bank may receive and process daily over 100,000 pieces of mail 
containing returns, receipts, or both. The dollar value of receipts 
each service center and lockbox bank processes increases to hundreds 
of millions of dollars a day during the April 15 time frame. 

The following 11 open recommendations in table 2 are designed to 
improve IRS's physical controls over vulnerable assets. They include 
recommendations for IRS to improve controls over (1) physical security 
at its Taxpayer Assistance Centers (TAC),[Footnote 46] (2) courier 
activities, and (3) lockbox banks' handling of unprocessable 
items.[Footnote 47] We consider all of these recommendations to be 
correctable on a short-term basis. 

Table 2: Recommendations to Improve IRS's Physical Controls over 
Vulnerable Assets: 

ID no.: 06-05; 
Recommendation: Equip all Taxpayer Assistance Centers with adequate 
physical security controls to deter and prevent unauthorized access to 
restricted areas or office space occupied by other IRS units, 
including those TACs that are not scheduled to be reconfigured to the 
"new TAC" model in the near future. This includes appropriately 
separating customer service waiting areas from restricted areas in the 
near future by physical barriers, such as locked doors marked with 
signs barring entrance by unescorted customers. (short-term). 

ID no.: 07-04; 
Recommendation: Develop and implement appropriate corrective actions 
for any gaps in closed circuit television (CCTV) camera coverage that 
do not provide an unobstructed view of the entire exterior of the 
SCC's perimeter, such as adding or repositioning existing CCTV cameras 
or removing obstructions. (short-term). 

ID no.: 07-20; 
Recommendation: Establish and maintain sufficient secured storage 
space to properly secure and safeguard property and equipment 
inventory, including in-stock inventories, assets from incoming 
shipments, and assets that are in the process of being excessed and/or 
shipped out. (short-term). 

ID no.: 09-03; 
Recommendation: Document in the IRM minimum requirements for 
establishing criteria for time discrepancies or other inconsistencies, 
which if noted as part of the required monitoring of Form 10160, 
Receipt for Transport of IRS Deposit, would require off-site 
surveillance of couriers. (short-term). 

ID no.: 09-04; 
Recommendation: Document in the IRM minimum requirements for 
conducting off-site surveillance of couriers entrusted with taxpayer 
receipts and information. (short-term). 

ID no.: 09-06; 
Recommendation: Establish procedures to ensure that an inventory of 
all duress alarms is documented for each location and is readily 
available to individuals conducting duress alarm tests before each 
test is conducted. (short-term). 

ID no.: 09-07; 
Recommendation: Establish procedures to periodically update the 
inventory of duress alarms at each TAC location to ensure that the 
inventory is current and complete as of the testing date. (short-term). 

ID no.: 09-08; 
Recommendation: Provide instructions for conducting quarterly duress 
alarm tests to ensure that IRS officials conducting the test (1) 
document the test results for each duress alarm listed in the 
inventory, including date, findings, and planned corrective action and 
(2) track the findings until they are properly resolved. (short-term). 

ID no.: 09-09; 
Recommendation: Establish procedures requiring that each physical 
security analyst conduct a periodic documented review of the Emergency 
Signal History Report and emergency contact list for its respective 
location to ensure that (1) appropriate corrective actions have been 
planned for all incidents reported by the central monitoring station, 
and (2) the emergency contact list for each location is current and 
includes only appropriate contacts. (short-term). 

ID no.: 10-19; 
Recommendation: Establish procedures to track service center campus 
acknowledgments of unprocessable items with receipts. (short-term). 

ID no.: 10-20; 
Recommendation: Establish procedures to monitor the process used by 
service center campuses and lockbox banks to acknowledge and track 
transmittals of unprocessable items with receipts. These procedures 
should include monitoring discrepancies and instituting appropriate 
corrective actions as needed. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Segregation of Duties: 

Internal control standard: Key duties and responsibilities need to be 
divided or segregated among different people to reduce the risk of 
error or fraud. This should include separating the responsibilities 
for authorizing transactions, processing and recording them, reviewing 
the transactions, and handling any related assets. No one individual 
should control all key aspects of a transaction or event. 

As noted in the previous section, IRS employees process hundreds of 
billions of dollars in tax receipts in the form of cash and checks. 
Consequently, it is critical that IRS maintain appropriate separation 
of duties to allow for adequate oversight of staff and protection of 
these vulnerable resources so that no single individual would be in a 
position of causing an error or irregularity, or potentially 
converting the asset to personal use, and then concealing it. For 
example, when an IRS field office receives taxpayer receipts and 
returns, it is responsible for depositing the cash and checks in a 
depository institution and forwarding the related taxpayer information 
received, such as tax returns, to an IRS service center for further 
processing. In order to adequately safeguard receipts from theft, the 
person responsible for recording the information from the taxpayer 
receipts on a voucher should be different from the individual who 
prepares those receipts for transmittal to the service center for 
further processing. Also, IRS employees must properly account for the 
billions of dollars IRS spends each year on its operations. 

Implementing the following three recommendations in table 3 would help 
IRS improve its separation of duties, which will in turn strengthen 
its controls over tax receipts, procurement activities, and financial 
accounting processes. All are short-term in nature. 

Table 3: Recommendations to Improve IRS's Segregation of Duties: 

ID no.: 02-16; 
Recommendation: Ensure that field office management complies with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments. 
(short-term). 

ID no.: 05-32; 
Recommendation: Establish policies and procedures to require 
appropriate segregation of duties in small business/self-employed 
units of field offices with respect to preparation of Payment Posting 
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term). 

ID no.: 10-12; 
Recommendation: Revise the IRM and cost allocation desk guide to 
require appropriate segregation of duties within the cost allocation 
process. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Access Restrictions to and Accountability for Resources and Records: 

Internal control standard: Access to resources and records should be 
limited to authorized individuals, and accountability for their 
custody and use should be assigned and maintained. Periodic comparison 
of resources with the recorded accountability should be made to help 
reduce the risk of errors, fraud, misuse, or unauthorized alteration. 

Because IRS handles, and is responsible for maintaining accountability 
over, a large volume of cash and checks, it is imperative that it 
maintain strong controls to appropriately restrict access to those 
assets, the records relied on to track those assets, and sensitive 
taxpayer information. Although IRS has a number of both physical and 
information systems controls in place, some of the issues we have 
identified in our financial audits over the years pertain to ensuring 
that (1) those individuals who have direct access to cash and checks 
are appropriately vetted, such as through appropriate background 
investigations, before being granted access to taxpayer receipts and 
information and (2) IRS maintains effective access security control. 
The following five short-term recommendations in table 4 were intended 
to help IRS improve its access restrictions to assets and records. 

Table 4: Recommendations to Improve IRS's Access Restrictions to and 
Accountability for Resources and Records: 

ID no.: 08-12; 
Recommendation: Establish procedures to require documentation 
demonstrating that favorable background checks have been completed for 
all contractors prior to allowing them access to TAC and other field 
offices. (short-term). 

ID no.: 08-13; 
Recommendation: Require including in all shredding service contracts, 
provisions requiring (1) completed background investigations for 
contractor employees before they are granted access to sensitive IRS 
information, and (2) periodic, unannounced inspections at off-site 
shredding facilities by IRS to verify ongoing compliance with IRS 
safeguards and security requirements. (short-term). 

ID no.: 08-15; 
Recommendation: Establish procedures to require obtaining and 
reviewing documentation of completed background investigations for all 
shredding contractors before granting them access to taxpayer or other 
sensitive IRS information. (short-term). 

ID no.: 08-17; 
Recommendation: Reinforce existing policies requiring verification of 
the information on Form 13094 by contacting the reference directly and 
documenting the details of this contact. (short-term). 

ID no.: 10-29; 
Recommendation: Analyze the various contractor access arrangements and 
establish a policy that requires security awareness training for all 
IRS contractors who are provided unescorted physical access to its 
facilities or taxpayer receipts and information. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Proper Recording and Documenting of Transactions: 

IRS has a number of internal control issues that relate to recording 
transactions, documenting events, and tracking the processing of 
taxpayer receipts or information. IRS has outstanding recommendations 
in the following three control activities that relate to proper 
recording and documenting of transactions: (1) appropriate 
documentation of transactions and internal controls, (2) accurate and 
timely recording of transactions and events, and (3) proper execution 
of transactions and events. 

Appropriate Documentation of Transactions and Internal Control: 

Internal control standard: Internal control and all transactions and 
other significant events need to be clearly documented, and the 
documentation should be readily available for examination. The 
documentation should appear in management directives, administrative 
policies, or operating manuals and may be in paper or electronic form. 
All documentation and records should be properly managed and 
maintained. 

IRS collects and processes trillions of dollars in taxpayer receipts 
annually both at its own facilities and at lockbox banks under 
contract to process taxpayer receipts for the federal government. 
Therefore, it is important that IRS maintain effective controls to 
ensure that all documents and records are properly and timely 
recorded, managed, and maintained both at its facilities and at the 
lockbox banks. In this regard, it is critical that IRS adequately 
document and disseminate its procedures to ensure that they are 
available for IRS employees. IRS must also document its management 
reviews of controls, such as those regarding refunds and returned 
checks, credit card purchases, and reviews of TAC operations. To 
ensure future availability of adequate documentation, IRS must ensure 
that (1) its systems, particularly those now being developed and 
implemented, have appropriate capability to identify and trace 
individual transactions and (2) all critical steps in its accounting 
processes are adequately documented and controlled. Resolving the 
following 18 recommendations in table 5 would assist IRS in improving 
its documentation of transactions and related internal control 
procedures. Seventeen of these recommendations are short-term, and one 
is long-term. 

Table 5: Recommendations to Improve IRS's Documentation of 
Transactions and Internal Control: 

ID no.: 05-39; 
Recommendation: Enforce requirements for documenting monitoring 
actions and supervisory review for manual refunds. (short-term). 

ID no.: 06-01; 
Recommendation: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing. (short-term). 

ID no.: 06-02; 
Recommendation: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including SCCs, TACs, and units within Large and 
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities 
(TE/GE), and establish a system to track acknowledged copies of 
document transmittals. (short-term). 

ID no.: 06-04; 
Recommendation: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines. (short-term). 

ID no.: 06-07; 
Recommendation: Document supervisory visits by off-site managers to 
TACs not having a manager permanently on-site. This documentation 
should be signed by the manager and should (1) record the time and 
date of the visit, (2) identify the manager performing the visit, (3) 
indicate the tasks performed during the visit, (4) note any problems 
identified, and (5) describe corrective actions planned. (short-term). 

ID no.: 08-01; 
Recommendation: As IRS proceeds with its implementation of the 
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it 
becomes fully operational and is used in conjunction with the Interim 
Revenue and Accounting Control System (IRACS), will provide IRS with 
the direct transaction traceability for all of its tax-related 
transactions as required by the U.S. Standard General Ledger (SGL), 
Federal Financial Management System Requirements (FFMSR), and the 
Federal Financial Management Improvement Act of 1996 (FFMIA). (long- 
term). 

ID no.: 08-02; 
Recommendation: Document and implement the specific procedures to be 
performed by the IRS statistician in each step of the unpaid 
assessment estimation process. (short-term). 

ID no.: 08-07; 
Recommendation: Develop and provide comprehensive guidance to assist 
TAC managers in conducting reviews of outlying TACs and documenting 
the results. This guidance should include a description of the key 
controls that should be in place at outlying TACs, specify how often 
these key controls should be reviewed, and specify how the results of 
each review should be documented, including follow-up on issues 
identified in previous TAC reviews. (short-term). 

ID no.: 10-05; 
Recommendation: Revise the IRM to provide specific requirements for 
supervisors to review the accuracy of credit transactions related to 
TFRP payments processed through the ATFR system. This guidance should 
provide specific areas to review and list the ATFR system reports that 
can facilitate supervisory reviews. (short-term). 

ID no.: 10-09; 
Recommendation: Revise the existing methodology for extracting the 
preposted revenue component of the comparison to ensure that nontax 
revenues and tax revenue transactions already posted to the master 
files are properly excluded. (short-term). 

ID no.: 10-10; 
Recommendation: Update the desk procedures governing the comparison of 
general ledger tax revenue receipts to the master file to ensure that 
the procedures reflect the current process and controls. (short-term). 

ID no.: 10-11; 
Recommendation: Revise the cost allocation desk guide to better 
document the cost allocation process. This should include ensuring 
that all key processing steps are included and identifying the key 
sources of input data and the controls necessary to help ensure their 
reliability. (short-term). 

ID no.: 10-15; 
Recommendation: Revise the IRM to require CIO to promptly provide 
service center campuses an acknowledgment of receipt for each Form 
3210 transmittal related to a duplicate refund transcript sent to them 
by a service center campus for review. (short-term). 

ID no.: 10-16; 
Recommendation: Revise the IRM to require service center campuses to 
verify that an acknowledgment of receipt has been received from CIO 
for 100 percent of the Form 3210 transmittals related to duplicate 
refund transcripts they have forwarded to CIO for review. (short-term). 

ID no.: 10-17; 
Recommendation: Revise the IRM to require service center campuses to 
resolve any instances in which an acknowledgment of receipt for a Form 
3210 transmittal related to duplicate refund transcripts is not 
received. (short-term). 

ID no.: 10-21; 
Recommendation: Review the audit management checklist for clarity and 
revise the assessment questions as appropriate. (short-term). 

ID no.: 10-26; 
Recommendation: Review the TSRRD for clarity and revise review 
questions as appropriate. (short-term). 

ID no.: 10-35; 
Recommendation: Reiterate IRS's policy for personnel to indicate in 
WebRTS during receipt and acceptance that a payment is a final payment 
to close out a contract or purchase order to help ensure any remaining 
obligated funds are deobligated in a timely manner. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Accurate and Timely Recording of Transactions and Events: 

Internal control standard: Transactions should be promptly recorded to 
maintain their relevance and value to management in controlling 
operations and making decisions. This applies to the entire process or 
life cycle of a transaction or event from the initiation and 
authorization through its final classification in summary records. In 
addition, control activities help to ensure that all transactions are 
completely and accurately recorded. 

IRS maintains records for tens of millions of taxpayers in addition to 
maintaining its own financial records. To carry out this 
responsibility, IRS often has to rely on outdated computer systems or 
manual work-arounds. Unfortunately, some of IRS's recordkeeping 
difficulties we have reported on over the years will not be addressed 
until it can replace its aging systems, an effort that is long-term 
and, in part, dependent on obtaining future funding. 

Implementation of the following 20 recommendations in table 6 would 
strengthen IRS's recordkeeping abilities. Sixteen of these 
recommendations are short-term, and four are long-term regarding 
requirements for new systems for maintaining taxpayer records. Several 
of the recommendations listed deal with financial reporting processes, 
such as maintaining subsidiary records, recording budgetary 
transactions, and tracking program costs. Some of the issues that gave 
rise to several of our recommendations directly affect taxpayers, such 
as those involving duplicate assessments, errors in calculating and 
reporting manual interest, errors in calculating penalties, and 
collection of trust fund recovery penalty assessments. Three of these 
recommendations have remained open for over 10 years, reflecting the 
complex nature of the underlying systems issues that must be resolved 
to fully address some of these control deficiencies. 

Table 6: Recommendations to Improve IRS's Accurate and Timely 
Recording of Transactions and Events: 

ID no.: 94-02; 
Recommendation: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts, and 
test the effectiveness of these actions. (short-term). 

ID no.: 99-01; 
Recommendation: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure that all 
accounts related to a single assessment are appropriately credited for 
payments received. (short-term). 

ID no.: 99-36; 
Recommendation: Make enhancements to IRS financial systems to include 
recording plant and equipment (P&E) and capital leases as assets when 
purchased and to generate detailed records for P&E that reconcile to 
the financial records. (long-term). 

ID no.: 01-17; 
Recommendation: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur. (long-term). 

ID no.: 01-39; 
Recommendation: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities. (long-term). 

ID no.: 08-06; 
Recommendation: In instances where computer programs that control 
penalty assessments are not functioning in accordance with the intent 
of the IRM, take appropriate action to correct the programs so that 
they function in accordance with the IRM. (long-term). 

ID no.: 09-13; 
Recommendation: Perform existing reviews of transactions recorded in 
undelivered orders obligation accounts in a more timely manner in an 
effort to detect and correct errors, such as duplicate receipt and 
acceptance charges, earlier in the process. (short-term). 

ID no.: 10-01; 
Recommendation: Review the results of IRS's unpaid assessments 
compensating statistical estimation process to identify and document 
instances where systemic limitations in CDDB resulted in 
misclassifications of account balances which, in turn resulted in 
material inaccuracies in the amounts of reported unpaid assessments. 
(short-term). 

ID no.: 10-02; 
Recommendation: Research and implement programming changes to allow 
CDDB to more accurately classify such accounts among the three 
categories of unpaid tax assessments. (short-term). 

ID no.: 10-03; 
Recommendation: Research and identify control weaknesses resulting in 
inaccuracies or errors in taxpayer accounts that materially affect the 
financial reporting of unpaid tax assessments. (short-term). 

ID no.: 10-04; 
Recommendation: Once IRS identifies the control weaknesses that result 
in inaccuracies or errors that materially affect the financial 
reporting of unpaid tax assessments, implement control procedures to 
routinely prevent, or to detect and correct, such errors. (short-term). 

ID no.: 10-07; 
Recommendation: Develop procedures to analyze the results of the 
quarterly reviews so that specific factors causing the errors are 
identified. (short-term). 

ID no.: 10-08; 
Recommendation: Develop procedures to address the factors causing 
errors in the processing of TFRP payment transactions identified 
through the analyses of the quarterly review results. (short-term). 

ID no.: 10-14; 
Recommendation: Establish controls over the cycle run spreadsheet to 
help minimize the risk of error or omission. At a minimum, this should 
include assigning a unique, sortable identifier to each row in the 
spreadsheet and implementing controls to promptly and accurately 
record the status of processing steps in a manner that ensures each 
cycle run is performed and is performed in the proper sequence. (short-
term). 

ID no.: 10-18; 
Recommendation: Require service center campuses to acknowledge 
unprocessable items with receipts received from lockbox banks. (short-
term). 

ID no.: 10-34; 
Recommendation: Establish procedures requiring COs/COTRs to obtain and 
retain written documentation from end users confirming receipt and 
acceptability of purchased goods or services prior to entering 
acknowledgment of receipt and acceptance in WebRTS. (short-term). 

ID no.: 10-36; 
Recommendation: Reevaluate and, as necessary, revise the aging 
criteria for the Aging Unliquidated Obligation reviews so that 
obligations are reviewed more frequently in order to detect and 
deobligate excess obligations in a timely manner. (short-term). 

ID no.: 10-38; 
Recommendation: Develop controls to improve the linked obligation 
transaction review process to detect and correct erroneous links 
between unrelated upward and downward adjustments to prior-year 
obligation transactions in a timely manner. (short-term). 

ID no.: 10-39; 
Recommendation: Establish a formal funds control process to set aside 
amounts for tax law enforcement and related support activities, as 
required by annual appropriations acts. (short-term). 

ID no.: 10-41; 
Recommendation: Based on the results of its periodic assessments, take 
action to allocate the required amount of appropriations to tax law 
enforcement and related support activities to comply with the set-
aside requirement. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Proper Execution of Transactions and Events: 

Internal control standard: Transactions and other significant events 
should be authorized and executed only by persons acting within the 
scope of their authority. This is the principal means of ensuring that 
only valid transactions to exchange, transfer, use, or commit 
resources and other events are initiated or entered into. 
Authorizations should be clearly communicated to managers and 
employees. 

Each year, IRS spends approximately $250 million annually to cover the 
cost of its employees' travel. Failure to ensure that employees obtain 
appropriate authorizations for their travel leaves the government open 
to fraud, waste, or abuse. IRS actions to address the following short- 
term recommendation in table 7 would improve IRS's controls over 
travel costs. 

Table 7: Recommendations to Improve IRS's Execution of Transactions 
and Events: 

ID no.: 08-24; 
Recommendation: Issue a memorandum to employees that reiterates IRS 
policy requiring all employees to obtain appropriate approvals of 
travel authorizations prior to the initiation of their travel. (short-
term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Effective Management Review and Oversight: 

All personnel within IRS have an important role in establishing and 
maintaining effective internal controls, but IRS's managers have 
additional review and oversight responsibilities. Management must set 
the objectives, put control activities in place, and monitor and 
evaluate controls to ensure that they are followed. Without adequate 
monitoring by managers, there is a risk that internal control 
activities may not be carried out effectively and in a timely manner. 
IRS has outstanding recommendations in the following four control 
activities related to effective management review and oversight: (1) 
reviews by management at the functional or activity level, (2) 
establishment and review of performance measures and indicators, (3) 
management of human capital, and (4) top-level reviews of actual 
performance. 

Reviews by Management at the Functional or Activity Level: 

Internal control standard: Managers need to compare actual performance 
to planned or expected results throughout the organization and analyze 
significant differences. 

IRS employs over 100,000 full-time and seasonal employees. In 
addition, as discussed earlier, lockbox banks process tens of 
thousands of individual receipts, totaling hundreds of billions of 
dollars for IRS. Management oversight of operations is important at 
any organization, but is imperative at IRS given its mission. 

Implementing the following 14 short-term and 1 long-term 
recommendations in table 8 would improve IRS's management oversight of 
several areas of its operations, including monitoring of contractor 
facilities, release of tax liens, issuance of manual refunds, and use 
of appropriated funds. These recommendations were made because an 
internal control activity either did not exist or the existing control 
was not being adequately or consistently applied. 

Table 8: Recommendations to Improve IRS's Reviews by Management at the 
Functional or Activity Level: 

ID no.: 01-06; 
Recommendation: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues. (short-term). 

ID no.: 05-33; 
Recommendation: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information. (short-term). 

ID no.: 05-38; 
Recommendation: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts for manual refunds. (short-term). 

ID no.: 07-24; 
Recommendation: To the extent that IRS intends to use the information 
security work conducted under the Federal Information Security 
Management Act of 2002 (FISMA) to meet related A-123 requirements, 
identify the areas where the work conducted under FISMA does not meet 
the requirements of OMB Circular No. A-123 and, considering the 
findings and recommendations of our work on IRS's information 
security, expand FISMA procedures or perform additional procedures as 
part of the A-123 reviews to augment FISMA work. (short-term). 

ID no.: 07-25; 
Recommendation: Revise A-123 test plans to include appropriate 
consideration of the design of internal controls in addition to 
implementation of controls over individual transactions. (short-term). 

ID no.: 08-14; 
Recommendation: Revise the IRM to include a requirement that IRS 
conduct periodic, unannounced inspections at off-site contractor 
facilities entrusted with sensitive IRS information; 
document the results, including identification of any security issues; 
and verify that the contractor has taken appropriate corrective 
actions on any security issues observed. (short-term). 

ID no.: 09-05; 
Recommendation: Establish procedures to track and routinely report the 
total dollar amounts and volumes of receipts collected by individual 
TAC location, group, territory, area, and nationwide. (long-term). 

ID no.: 09-11; 
Recommendation: Revise the IRM section related to the limited use of 
expired appropriations to provide additional guidance to help 
employees distinguish between procurement actions that constitute new 
obligations and those that merely adjust or liquidate prior 
obligations that the IRS incurred during an expired appropriation's 
original period of availability. (short-term). 

ID no.: 10-06; 
Recommendation: Formalize and implement the quarterly reviews of TFRP 
payment transactions to monitor compliance with IRM requirements. 
(short-term). 

ID no.: 10-13; 
Recommendation: Revise the IRM and cost allocation desk guide to 
require timely, documented supervisory reviews at key process points 
to help prevent and detect cost allocation processing errors. (short-
term). 

ID no.: 10-22; 
Recommendation: Issue written guidance to accompany the audit 
management checklist that explains the relevance of the questions and 
the methods that should be used to assess and test the related 
controls. (short-term). 

ID no.: 10-24; 
Recommendation: Establish and document the minimum frequency for how 
often the audit management checklist should be completed at each 
service center campus and field office. (short-term). 

ID no.: 10-25; 
Recommendation: Establish policies requiring documented managerial 
reviews of completed audit management checklists. These reviews should 
document (1) the time and date of the review, (2) the name of the 
manager performing the review, (3) the supporting documentation 
reviewed, (4) any problems identified with the responses on the 
checklists, and (5) corrective actions to be taken. (short-term). 

ID no.: 10-28; 
Recommendation: Establish policies that require territory managers or 
a manager at least one level above the group manager to periodically 
review the information entered into the TSRRD for accuracy and 
completeness prior to the results being forwarded to Field Assistance 
Office headquarters management. This review should be signed and 
documented, and include (1) the time and date of the review, (2) the 
name of the manager performing the review, (3) the task performed 
during the review, (4) any problems or questions identified, and (5) 
planned corrective actions. (short-term). 

ID no.: 10-33; 
Recommendation: Establish procedures requiring HCO LEADS or their 
designee to periodically monitor each business unit's progress in 
complying with mandatory briefing requirements. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Establishment and Review of Performance Measures and Indicators: 

Internal control standard: Activities need to be established to 
monitor performance measures and indicators. These controls could call 
for comparisons and assessments relating different sets of data to one 
another so that analyses of the relationships can be made and 
appropriate actions taken. Controls should also be aimed at validating 
the propriety and integrity of both organizational and individual 
performance measures and indicators. 

IRS's operations include a vast array of activities encompassing 
educating taxpayers, processing of taxpayer receipts and data, 
disbursing hundreds of billions of dollars in refunds to millions of 
taxpayers, maintaining extensive information on tens of millions of 
taxpayers, and seeking collection from individuals and businesses that 
fail to comply with the nation's tax laws. Within its compliance 
function, IRS has numerous activities, including identifying 
businesses and individuals that underreport income, collecting from 
taxpayers who do not pay taxes, and collecting from those receiving 
refunds for which they are not entitled. Although IRS has at its peak 
over 100,000 employees, it still faces resource constraints in 
attempting to fulfill its duties. It is vitally important for IRS to 
have sound performance measures to assist it in assessing its 
performance and targeting its resources to maximize the government's 
return on investment. However, in past audits we have reported that 
IRS did not capture costs at the program or activity level to assist 
in developing cost-based performance measures for its various programs 
and activities. As a result, IRS is unable to measure the costs and 
benefits of its various collection and enforcement efforts to best 
target its available resources. 

The following one short-term and two long-term recommendations in 
table 9 are designed to assist IRS in (1) evaluating its operations, 
(2) determining which activities are the most beneficial, and (3) 
establishing a good system for oversight. These recommendations are 
directed at improving IRS's ability to measure, track, and evaluate 
the costs, benefits, or outcomes of its operations--particularly with 
regard to identifying its most cost-effective tax collection 
activities. 

Table 9: Recommendations to Improve IRS's Establishment and Review of 
Performance Measures and Indicators: 

ID no.: 09-14; 
Recommendation: Establish a formal, documented process for identifying 
over time the full range of IRS's programs and underlying activities, 
outputs, and services for which IRS believes full cost information 
would be useful to executives and program managers. Such a process 
should (1) be formally established and documented through policies, 
procedures, guidance, meeting minutes, and other appropriate means; 
(2) define the roles and responsibilities of the CFO and other 
business units in the process; 
and (3) be focused on the goal of determining what cost information 
would be useful and the most appropriate means of developing and 
reporting it for both existing programs and new programs as they are 
initiated. (short-term). 

ID no.: 09-15; 
Recommendation: For each of the IRS programs, activities, outputs, and 
services identified for which full cost information would be useful to 
IRS executives and program managers, complete the development of full 
cost methodologies to routinely accumulate and report on their full 
costs, including down to the activity level where appropriate. Such 
full cost data should be readily accessible to IRS program managers 
whenever they are needed and they should include both personnel costs 
based on time spent on specific activities as well as all associated 
nonpersonnel costs, and be drawn from or reconcilable to IRS's 
financial accounting system. (long-term). 

ID no.: 09-16; 
Recommendation: Develop outcome-oriented performance measures and 
related performance goals for IRS's enforcement programs and 
activities that include measures of the full cost of, and the revenue 
collected from, those programs and activities (return on investment) 
to assist IRS's managers in optimizing resource allocation decisions 
and evaluating the effectiveness of their activities. (long-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Management of Human Capital: 

Internal control standard: Effective management of an organization's 
workforce--its human capital--is essential to achieving results and an 
important part of internal control. Management should view human 
capital as an asset rather than a cost. Only when the right personnel 
for the job are on board and are provided the right training, tools, 
structure, incentives, and responsibilities is operational success 
possible. Management should ensure that skill needs are continually 
assessed and that the organization is able to obtain a workforce that 
has the required skills that match those necessary to achieve 
organizational goals. Training should be aimed at developing and 
retaining employee skill levels to meet changing organizational needs. 
Qualified and continuous supervision should be provided to ensure that 
internal control objectives are achieved. Performance evaluation and 
feedback, supplemented by an effective reward system, should be 
designed to help employees understand the connection between their 
performance and the organization's success. As a part of its human 
capital planning, management should also consider how best to retain 
valuable employees, plan for their eventual succession, and ensure 
continuity of needed skills and abilities. 

IRS's operations cover a wide range of technical activities requiring 
specific expertise needed in tax-related matters; financial 
management; and systems design, development, and maintenance. Because 
IRS has tens of thousands of employees spread throughout the country, 
it is imperative that management keep its guidance up-to-date and its 
staff properly trained. Taking action to implement the following eight 
short-term recommendations in table 10 would assist IRS in its 
management of human capital. 

Table 10: Recommendations to Improve IRS's Management of Human Capital: 

ID no.: 07-08; 
Recommendation: Require that managers or supervisors provide the 
manual refund initiators in their units with training on the most 
current requirements to help ensure that they fulfill their 
responsibilities to monitor manual refunds and document their 
monitoring actions to prevent the issuance of duplicate refunds. 
(short-term). 

ID no.: 08-03; 
Recommendation: Document and implement specific detailed procedures 
for reviewers to follow in their review of unpaid assessments 
statistical estimates. Specifically, IRS should require that a 
detailed supervisory review be performed to ensure (1) the statistical 
validity of the sampling plans, (2) data entered into the sample 
selection programs agree with the sampling plans, (3) data entered 
into the statistical projection programs agree with IRS's sample 
review results, (4) data on the spreadsheets used to compile the 
interim projections and roll-forward results trace back to supporting 
statistical projection results, and (5) the calculations on these 
spreadsheets are mathematically correct. (short-term). 

ID no.: 10-23; 
Recommendation: Provide training to physical security analysts 
responsible for completing the audit management checklist to help 
ensure that checklist questions are answered appropriately and 
accurately. (short-term). 

ID no.: 10-27; 
Recommendation: Provide training to TAC group managers to assist with 
their understanding of the TSRRD review questions and related 
objectives. This training should be provided on an ongoing basis to 
account for changes in TSRRD questions and for newly hired or 
appointed TAC group managers. (short-term). 

ID no.: 10-30; 
Recommendation: Designate management responsibility and establish a 
process for monitoring compliance with and enforcing the IRM 
requirement for all USRs to complete (1) the required initial USR 
training prior to assuming their responsibilities, and (2) annual 
refresher training each year thereafter. (short-term). 

ID no.: 10-31; 
Recommendation: Update USR training manuals to ensure they reflect 
current security policies and procedures. (short-term). 

ID no.: 10-32; 
Recommendation: Establish a process to periodically review and update 
training materials as appropriate. (short-term). 

ID no.: 10-37; 
Recommendation: Provide technicians and supervisors who are 
responsible for recording and reviewing obligation transactions with 
training on the proper use of manually linked obligation transactions 
to reinforce IRS's existing policy requiring that transactions be 
recorded accurately to the upward and downward adjustments to prior 
year obligation accounts. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Top-Level Reviews of Actual Performance: 

Internal control standard: Management should track major agency 
achievements and compare these to the plans, goals, and objectives 
established under the Government Performance and Results Act. 

IRS is responsible for developing and operating a system of internal 
control to ensure that it spends the billions of dollars appropriated 
to it each year for operations in accordance with the directions 
dictated by Congress. Implementing the following short-term 
recommendation in table 11 would improve IRS's management and 
oversight of its performance against legal mandates and requirements. 

Table 11: Recommendations to Improve Top-Level Reviews of Actual 
Performance: 

ID no: 10-40; 
Recommendation: Establish a policy to periodically monitor throughout 
the year the amount of different appropriations accounts attributed to 
the set-aside to asses IRS's progress toward complying with the 
requirement. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Concluding Observations: 

Increased budgetary pressures and an increased public awareness of the 
importance of internal control require IRS to carry out its mission 
more efficiently and more effectively while protecting taxpayers' 
information. 

Sound financial management and effective internal controls are 
essential if IRS is to efficiently and effectively achieve its goals. 
IRS has made substantial progress in improving its financial 
management and internal control since its first financial audit, as 
evidenced by unqualified audit opinions on its financial statements 
for the past 10 years; resolution of several material internal control 
weaknesses, significant deficiencies, and other control issues; and 
actions taken resulting in the closure of hundreds of financial 
management recommendations. This progress has been the result of hard 
work by many individuals throughout IRS and sustained commitment of 
IRS leadership. Nonetheless, more needs to be done to fully address 
the agency's continuing financial management challenges--resolving 
material internal control weaknesses; developing outcome-oriented 
performance metrics that can facilitate managing operations for 
outcomes; and correcting numerous other internal control issues. 
Effective implementation of the recommendations we have made and 
continue to make through our financial audits and related work could 
greatly assist IRS in improving its internal controls and achieving 
sound financial management. While we recognize that some actions--
primarily those related to modernizing automated systems--will take a 
number of years to resolve, most of the open recommendations can be 
addressed in the short term. 

Agency Comments and Our Evaluation: 

In commenting on a draft of this report, IRS expressed it's 
appreciation for our acknowledgment of the agency's progress in 
addressing its financial management challenges as evidenced by our 
closure of 18 open financial management recommendations from prior GAO 
reports. IRS also commented that it is committed to implementing 
appropriate improvement to ensure that it maintains sound financial 
management practices. We will review the effectiveness of further 
corrective actions IRS has taken or will take to address all open 
recommendations as part of our audit of IRS's fiscal year 2010 
financial statements. 

We are sending copies of this report to the Chairmen and Ranking 
Members of the Senate Committee on Appropriations; Senate Committee on 
Finance; Senate Committee on Homeland Security and Governmental 
Affairs; and Subcommittee on Taxation, IRS Oversight and Long-Term 
Growth, Senate Committee on Finance. We are also sending copies to the 
Chairmen and Ranking Members of the House Committee on Appropriations; 
House Committee on Ways and Means; the Chairman and Vice Chairman of 
the Joint Committee on Taxation; the Secretary of the Treasury; the 
Director of OMB; the Chairman of the IRS Oversight Board; and other 
interested parties. The report is also available at no charge on the 
GAO Web site at [hyperlink, http://www.gao.gov]. 

If you or your staffs have any questions concerning this report, 
please contact me at (202) 512-3406 or sebastians@gao.gov. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this report. GAO staff who made major 
contributions to this report are listed in appendix IV. 

Sincerely yours, 

Signed by: 

Steven J. Sebastian: 
Director: 
Financial Management and Assurance: 

[End of section] 

Appendix I: Status of GAO Recommendations from Internal Revenue 
Service Financial Audits and Related Management Reports: 

This appendix presents a list of (1) the 62 recommendations that we 
had not previously reported as closed, (2) Internal Revenue Service 
(IRS) reported corrective actions taken or planned as of April 2010, 
and (3) our analysis of whether the issues that gave rise to the 
recommendations have been effectively addressed. It also includes 41 
recommendations based on our fiscal year 2009 financial statement 
audit. The appendix lists the recommendations by the year and 
recommendation number (ID no.) and also identifies the report in which 
the recommendation was made. 

Table 12: Recommendations Not Previously Reported as Closed: 

ID no.: 94-02; 
Recommendation: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts, and 
test the effectiveness of these actions. (short-term); 
Source report: Financial Management: Important IRS Revenue Information 
Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993); 
Status per IRS: Open. Small Business/Self-Employed (SB/SE) provided 
onsite training to functions that compute interest during fiscal year 
2009. SB/SE upgraded the commercial software program used to compute 
manual interest and in March 2009 issued guidance stressing the 
importance of using the Decision Modeling Incorporated/Automated 
Computational Tool software as the primary, authorized, manual 
interest computation tool. SB/SE Research stratified all fiscal year 
2009 manual interest transactions and reached an agreement on 
tentative sampling populations and rates needed to build the 
statistical sampling program. The sampling program is projected to be 
operational by September 2010 and will allow SB/SE to establish 
statistically valid accuracy rates, identify sources of significant 
errors, and develop necessary corrective actions; 
Status per GAO: Open. During our fiscal year 2006 audit, we tested a 
statistical sample of manual interest transactions and estimated that 
18 percent of IRS's manual interest calculations contain errors. We 
concluded that IRS controls over this area were ineffective. The 
ineffectiveness of these controls contributes to errors in taxpayer 
records, which is a major component of the material weakness in IRS's 
management of unpaid assessments. While IRS continues to take actions 
to strengthen controls over this area, such as updating guidance and 
providing training related to manual interest calculations, both we 
and IRS believe that the actions taken thus far would not improve the 
accuracy of the manual interest calculations. Consequently, we did not 
test IRS controls in this area as part of our fiscal year 2007-2009 
audits. We will continue to monitor IRS's actions to address this 
recommendation during future audits. 

ID no.: 99-01; 
Recommendation: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure that all 
accounts related to a single assessment are appropriately credited for 
payments received. (short-term); 
Source report: Internal Revenue Service: Immediate and Long-Term 
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 
30, 1998); 
Status per IRS: Open. SB/SE created a Quality Assurance Internal 
Review process to validate the accuracy of cross-referencing of 
payments and credits on assessed Trust Fund Recovery Penalty (TFRP) 
accounts. SB/SE completed a detailed analysis of the quarterly review 
process performed at the campuses and in October 2009 determined SB/SE 
would perform both a Current Payment Sample review to identify current 
cross-referencing errors and a Whole Case Review looking for all types 
of TFRP errors. SB/SE developed written procedures and specific Data 
Collection Instruments to document these reviews and met with the 
Ogden and Brookhaven Campuses in November 2009 to discuss the new 
review process and to perfect the DCIs and procedures. The Chief 
Financial Officer (CFO) and SB/SE are reviewing an extract of a 
statistically valid selection of TFRP cases for each type of review; 
Status per GAO: Open. IRS has made significant progress in this area 
over the past several years. For example, IRS established procedures 
to more clearly link each penalty assessment against a responsible 
corporate officer to a specific tax period of the business account. 
IRS also reported completing implementation of all phases of the 
Automated Trust Fund Recovery (ATFR) system in 2008. ATFR is intended 
to properly cross-reference payments received and automatically reduce 
the amounts owed on all related accounts when a payment is received 
from one related party. However, the system is currently unable to 
process all payments related to such cases. IRS officials reported 
that as of March 2010, ATFR can only automatically reduce the amounts 
owed on all related accounts for about 54 percent of TFRP payments 
that it receives. The remaining TFRP payments continue to require some 
form of manual processing to record the reduction to the liability in 
related accounts. Thus, the opportunity for errors and omissions 
continues to exist. Our most recent test in fiscal year 2009 indicates 
that IRS's controls in this area are still not effective in ensuring 
that all TFRP payments are accurately and timely credited to all 
related parties when received. We will continue to monitor IRS's 
actions to address this recommendation during our fiscal year 2010 and 
future audits. 

ID no.: 99-03; 
Recommendation: Ensure that IRS's modernization blueprint includes 
developing a subsidiary ledger to accurately and promptly identify, 
classify, track, and report all IRS unpaid assessments by amount and 
taxpayer. This subsidiary ledger must also have the capability to 
distinguish unpaid assessments by category in order to identify those 
assessments that represent taxes receivable versus compliance 
assessments and write-offs. In cases involving trust fund recovery 
penalties, the subsidiary ledger should ensure that (1) the trust fund 
recovery penalty assessment is appropriately tracked for all taxpayers 
liable but counted only once for reporting purposes and (2) all 
payments made are properly credited to the accounts of all individuals 
assessed for the liability. (short-term); 
Source report: Internal Revenue Service: Immediate and Long-Term 
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 
30, 1998); 
Status per IRS: Closed. IRS implemented the Custodial Detailed Data 
Base (CDDB). CDDB records unpaid assessments, including accrued 
penalties and interest to the general ledger by the various financial 
reporting categories (taxes receivable, compliance assessments, and 
write-offs), establishing CDDB as the subsidiary ledger for unpaid 
assessments. CDDB is classifying approximately 85 percent of the TFRP 
inventory where TFRP assessments are appropriately tracked for all 
taxpayers liable and counted only once for reporting purposes. 
Enhancements to CDDB during fiscal year 2009 resulted in more accurate 
classifications of unpaid assessments and continued to reduce the 
amount of the annual audit adjustments. CDDB is fully operational and 
will be used in conjunction with the Redesign Revenue Accounting 
Control System (RRACS) in February 2010 to record the unpaid 
assessment amounts using the United States Standard General Ledger 
format; 
Status per GAO: Closed. IRS has established CDDB to function as a 
transaction-level subsidiary ledger for unpaid tax debt. However, 
while CDDB has the capability to function as a subsidiary ledger for 
unpaid tax debt, systemic limitations and errors in taxpayer accounts 
prevent IRS from using CDDB as its subsidiary ledger to routinely and 
reliably report its balance of unpaid tax assessments. IRS must 
continue to use a labor-intensive, manual compensating process to 
estimate the year-end balances of the various categories of unpaid tax 
assessments to avoid materially misstating its financial statements. 
Specifically, IRS had to make almost $8 billion in adjustments to the 
fiscal year-end 2009 gross taxes receivable balance produced by CDDB 
as part of its manual estimation process. While IRS has made 
significant progress, full operational capability of CDDB depends on 
additional refinements to CDDB programs that classify unpaid 
assessments accounts into the various financial reporting categories, 
as well as IRS's ability to improve controls over the recording of 
information into taxpayer accounts. Additionally, we continue to find 
deficiencies in IRS's processes for accurately and timely crediting 
the accounts of all parties assessed for a TFRP when TFRP payments are 
received by IRS. Nevertheless, in order to provide recommendations 
more closely aligned with the current status of these control 
weaknesses, we have closed this recommendation based on IRS's 
progress. We have reported the remaining issues related to the 
reliability of IRS's subsidiary ledger and trust fund recovery 
penalties, along with new recommendations for corrective actions, in 
our June 2010 management report. See GAO-10-565R and recommendations 
10-03 and 10-04 in this report. 

ID no.: 99-20; 
Recommendation: Analyze and determine the factors causing delays in 
processing and posting Trust Fund Recovery Penalty (TFRP) assessments. 
Once these factors have been determined, IRS should develop procedures 
to reduce the impact of these factors and to ensure timely posting to 
all applicable accounts and proper offsetting of refunds against 
unpaid assessments before issuance. (long-term); 
Source report: Internal Revenue Service: Custodial Financial 
Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); 
Status per IRS: Closed: IRS has completed the following actions to 
close this recommendation. With respect to systemic enhancements, IRS 
has implemented numerous ATFR enhancements to the Area Office 
application and to the Integrated Data Retrieval System. Examples 
include (1) implementation of ATFR programming, which automated the 
calculation of the penalties and assessment process to ensure accuracy 
and timeliness of assessments, (2) implementation of Area Office ATFR 
application, including the Web version of the Control Point Monitoring 
portion of the application, and (3) enhancements to increase system 
usability and features to help ensure timely processing. Through an 
end-to-end analysis of the TFRP process, IRS identified factors that 
caused delays in processing and posting trust fund recovery 
assessments. As a result, IRS established time frames for critical 
milestones in the IRM and include (1) an initial maximum 120-day 
period, starting when balance due accounts are assigned to a revenue 
officer to decide whether to pursue the TFRP, (2) beginning with the 
date the decision was made to pursue the TFRP, an additional maximum 
120-day period for submission of the TFRP recommendation package to 
the group manager, and (3) created an IRM requirement that establishes 
specific processing time frames for processing cases through the CPM. 
With respect to reports diagnostics and training, IRS has created 
numerous management-level reports to monitor cases as they progress 
through the various stages of determination, assessment and processing 
of the TFRP. Additionally, an extensive training and workshop program 
has been established to ensure all levels of management receive 
comprehensive and timely training on the effective use of TFRP reports; 
Status per GAO: Closed. Over the past several years, IRS determined 
several factors causing delays and took a series of actions to improve 
the timeliness of processing and posting TFRP assessments. IRS updated 
the Internal Revenue Manual to establish specific time frames for 
achieving critical milestones in processing TFRP assessments. These 
milestones include a maximum number of days that IRS staffs are given 
to (1) determine whether to pursue TFRP assessments against 
responsible business officers, (2) submit a case file for managerial 
approval of the recommended TFRP assessment, (3) review the case file, 
and (4) post the assessment to the responsible business officer's tax 
account. IRS has also established time frames for segments of the TFRP 
assessment process not currently covered in its IRM, and is working to 
finalize these criteria in the IRM. Additionally, IRS completed the 
nationwide implementation of the Automated Trust Fund Recovery - Area 
Office (ATFR-AO) application. According to IRS, ATFR-AO will 
facilitate the timely and accurate processing of TFRP assessments by 
automating the calculation of trust fund penalties. Furthermore, IRS 
developed several reports to help managers monitor the progress of 
TFRP assessment cases being processed. 

ID no.: 99-22; 
Recommendation: Expand IRS's current review of campus deterrent 
controls to include similar analyses of controls at IRS field offices 
in areas such as courier security, safeguarding of receipts in locked 
containers, requirements for fingerprinting employees, and 
requirements for promptly overstamping checks made out to "IRS" with 
"Internal Revenue Service" or "United States Treasury." Based on the 
results, IRS should make appropriate changes to strengthen its 
physical security controls. (short-term); 
Source report: Internal Revenue Service: Custodial Financial 
Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); 
Status per IRS: Closed. All IRS field offices continue to provide 
training and perform reviews to strengthen controls over remittances. 
On August 15, 2008, SB/SE updated guidance and instructions to 
Collection Field function employees about overstamping checks made out 
to "IRS" or "Internal Revenue Service" with "United States Treasury." 
This includes Submission Processing (SP) sending a teller error advice 
through the Revenue Officer group manager to address remittance 
errors. Tax Exempt/Government Entity (TE/GE) covered remittance 
processing procedures during the new hire workshops and included text 
in the fiscal year 2009 Revenue Agent CPE. On August 20, 2009, Large 
and Mid-sized Business (LMSB) issued their annual executive memorandum 
to all IRS field offices on the use of Form 3210 procedures. On 
November 30, 2009, LMSB incorporated information on Form 3210 
procedures along with the proper procedure for overstamping of checks 
made out to the "IRS" with "United States Treasury" in the "Processing 
Advance Payments and Deposits" job aid module for new hires. TE/GE 
Employee Plans Division will revise two sections of the IRM and add a 
third section by May 31, 2010, to provide clear instructions on check 
handling procedures, including the importance of overstamping checks 
made out to IRS, and locking them in a secured area; 
Status per GAO: Closed. IRS has taken several actions to address this 
recommendation and improve its review of deterrent controls at its 
field offices. During our fiscal year 2009 audit, we did not find any 
instances of physical security control weaknesses over courier 
security, safeguarding of receipts in locked containers, requirements 
for fingerprinting employees, and requirements for promptly 
overstamping checks made out to "IRS" with "Internal Revenue Service" 
or "United States Treasury" at the field offices we visited. 
Therefore, we are closing this recommendation. We will continue to 
monitor IRS's implementation of its field office reviews during future 
audits. 

ID no.: 99-36; 
Recommendation: Make enhancements to IRS financial systems to include 
recording plant and equipment (P&E) and capital leases as assets when 
purchased and to generate detailed records for P&E that reconcile to 
the financial records. (long-term); 
Source report: Internal Revenue Service: Serious Weaknesses Impact 
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 
1999); 
Status per IRS: Open. The IRS continues to strengthen internal 
controls and procedures to enhance its ability to account for Property 
and Equipment (P&E) in the Integrated Financial System (IFS). 
Currently, IRS is reviewing options to develop a new asset tracking 
system that will reconcile physical asset records to the financial 
records. The new system is scheduled to be implemented during the 
second quarter of 2011; 
Status per GAO: Open. During our fiscal year 2009 audit, we continued 
to find that IRS experienced problems with linking asset purchases 
recorded in the general ledger system (IFS) to the P&E inventory 
systems (Information Technology Asset Management System (ITAMS) and 
Criminal Investigation Management Information System (CIMIS)), which 
indicates that IRS's detailed P&E records do not yet fully reconcile 
to the financial records. We will continue to monitor IRS's progress 
in addressing these financial management system issues. 

ID no.: 01-06; 
Recommendation: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues. (short-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Status per IRS: Open. IRS continues to address issues that cause late 
lien releases through an internal Lien Action Plan and by conducting 
reviews as part of its A-123 controls assessment process. Based on the 
fiscal year 2009 A-123 results, SB/SE initiated a semiannual 
independent review to identify areas of recurring errors, revise 
procedural guidance, correct systemic problems with dead cycles, and 
to work closely with stakeholders. SB/SE is reviewing a sample of lien 
releases and will establish target goals and review and adjust the 
Lien Action Plan based on these reviews throughout the year; 
Status per GAO: Open. During our fiscal 2009 audit, we continued to 
find that IRS did not always timely release liens. In IRS's own 
testing of lien releases, it identified 8 instances out of 59 cases 
tested in which it did not release the applicable federal tax lien 
within the statutory 30-day period. The time between the satisfaction 
of the liability and release of the lien ranged from 35 days to more 
than 123 days. Based on these results, IRS estimated that for about 14 
percent of unpaid tax assessment cases that were resolved in fiscal 
year 2009 in which it had filed a tax lien, it did not release the 
lien within 30 days of the resolution of the case. IRS's ineffective 
controls over this area results in its noncompliance with Internal 
Revenue Code Section 6325, which requires IRS to release tax liens 
within 30 days of the date the related tax liability is fully 
satisfied. We will continue to monitor IRS's actions to address this 
recommendation during our fiscal year 2010 and future audits. 

ID no.: 01-17; 
Recommendation: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur. (long-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Status per IRS: Open. IRS implemented a methodology to calculate 
leasehold improvements disposal balances in time for the fiscal year 
2009 financial statements. The IRS continues to assess existing system 
capabilities and data sources to determine alternative approaches for 
leasehold improvements; 
Status per GAO: Open. During our fiscal year 2009 audit, we determined 
that IRS had not established a subsidiary ledger for leasehold 
improvements. However, IRS is pursuing alternative methodologies to 
enhance its ability to account for leasehold improvements. We will 
continue to monitor IRS's development of alternative methodologies to 
enhance its ability to account for leasehold improvements in future 
audits. 

ID no.: 01-39; 
Recommendation: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities. (long-term); 
Source report: Management Letter: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-01-880R, July 30, 
2001); 
Status per IRS: Open. IRS made significant improvements to its 
methodologies for cost estimation and actual cost tracking. The IRS 
published IRM 1.33.3, Reimbursable Operating Guidelines, on October 9, 
2009, which provides guidance for determining the full costs of 
estimated and actual costs for reimbursable agreements. IRS also 
published IRM 1.32.3, Managerial Cost Accounting, on July 13, 2009. 
The Office of Cost Accounting continues to work with the business 
units to provide guidance on proper recording of data and the use of 
the Integrated Financial System for reporting, data matching, and 
analysis; 
Status per GAO: Open. IRS has improved its methodology for allocating 
its costs of operations at the business unit level. However, further 
actions are needed for it to accumulate and report actual costs 
associated with specific reimbursable projects. We confirmed during 
our fiscal year 2009 audit that, for reimbursable projects that do not 
require payments to be made in advance, IRS business units manually 
track the actual costs for each project and bill the customer as costs 
are incurred. However, for projects that require advance payments, IRS 
does not have a process for determining the total actual costs 
incurred at the end of the agreement term, determining the difference 
between actuals and the advance payment amount, and refunding or 
billing for the difference. We also noted that neither the 
Reimbursable Operating Guidelines nor IRS's Managerial Cost Accounting 
Policy describe a mechanism for tracking and reporting actual costs 
associated with reimbursable activities. We will continue to monitor 
IRS's efforts to implement this recommendation during our fiscal year 
2010 audit. 

ID no.: 02-16; 
Recommendation: Ensure that field office management complies with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 
2002); 
Status per IRS: Closed. Wage and Investment (W&I) continues to 
emphasize the requirements of segregation of duties and annually 
performs operational reviews at all levels to ensure field offices 
comply with the requirements of segregation of duties. Follow-up 
reviews preformed by Territory Managers during March 2009 revealed 
that Taxpayer Assistance Centers (TAC) managers are following these 
requirements. W&I holds an annual Filing Season Readiness Workshop to 
address remittance and data security. New managers are trained using 
the "Managing a TAC" course that provides training on payment 
processing, managerial reviews, and segregation of duties between 
employees accepting, recording, and transmitting payments. Field 
Assistance delivered "Managing a TAC" classes in July 2009 and in 
October 2009. Additional "Managing a TAC" training is ongoing. Field 
Assistance Headquarters is conducting reviews on the remittance 
process during the first two quarters of fiscal year 2010 to obtain 
compliance; 
Status per GAO: Open. During our fiscal year 2009 audit, we identified 
instances at five TACs we visited where there was a lack of 
segregation of duties between the employees preparing Forms 795, which 
is used to record taxpayer payments (cash and non-cash), and mailing 
those forms to SCCs without having the forms reconciled by other 
employees or reviewed by managers. In addition, IRS asserts in its 
response that new managers are trained using the "Managing a TAC" 
course and that the course provides training on payment processing, 
managerial reviews, and segregation of duties between employees 
accepting, recording, and transmitting payments. However, from our 
review of the "Managing a TAC" course material, we did not find where 
the course material specifically addresses IRS's segregation of duties 
policy as outlined in IRM 21.3.4.7.3.2, which establishes procedures 
and protocols for segregation of duties but limits that activity only 
to those TACs where staffing levels permit such activity. We will 
continue to assess IRS's actions during our fiscal year 2010 audit. 

ID no.: 02-18; 
Recommendation: Work with the National Finance Center (NFC) to resolve 
the technical limitations that exist within the Security Entry and 
Tracking System (SETS) database and continue to periodically review 
SETS data to detect and correct errors. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 
2002); 
Status per IRS: Closed. The Personnel Security (PS) office 
successfully implemented all three short-term measures to reduce the 
instances of Security Entry and Tracking System (SETS) errors. PS 
continues to issue biweekly emails to all SETS users containing the 
most current reports to be used in identifying and reporting errors to 
the National Finance Center (NFC) and to compile weekly extracts of 
all enter-on-duty dates where there were no fingerprints results or 
where the results were after the enter-on-duty date. SETS users then 
send these reports to each Employment Office for updates and feedback. 
PS addressed the long-term measures to include writing Standard 
Operating Procedures and vetting with the Human Capital Office's 
employment offices, along with forming a working group to develop a 
collaborative report; 
Status per GAO: Closed. During our fiscal year 2009 audit, we found 
that IRS implemented compensating controls to address the weaknesses 
associated with this recommendation. Specifically, IRS implemented 
biweekly reminders and reviews of SETS data and began utilizing the 
comment field in the SETS database to annotate important dates and 
other key information that SETS is unable to track and update due to 
its technical limitations. 

ID no.: 04-08; 
Recommendation: Enforce policies and procedures to ensure that service 
center campus security guards respond to alarms. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 
2004); 
Status per IRS: Closed: IRS enforces monthly unannounced monitoring of 
guard response to alarms. The Physical Security and Emergency 
Preparedness (PSEP) Risk Management (RM) office conducted an Alarm 
Monitoring Workshop on April 28, 2009, that included this topic. RM 
sends a calendar/reminder to alarm program coordinators each Friday 
before the monthly report is due, and continues to oversee and ensure 
compliance of alarm testing and results via internal reporting tools. 
A communication was distributed to PSEP Operational Readiness to 
reiterate policy on guard response to alarms on February 2, 2010; 
Status per GAO: Closed. IRS continually enforces its policies and 
procedures to ensure that SCC security guards respond to alarms. Each 
month, IRS sends reminders to alarm program coordinators to ensure 
that alarms are tested and guards' responses are evaluated in each 
test. Alarm program coordinators are required to summarize the test 
results and report them monthly to PSEP management. 

ID no.: 05-32; 
Recommendation: Establish policies and procedures to require 
appropriate segregation of duties in small business/self-employed 
(SB/SE) units of field offices with respect to preparation of Payment 
Posting Vouchers, Document Transmittal forms, and transmittal 
packages. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Open. SB/SE will revise IRM 5.1.2.4 by June 30, 2010, 
to add additional clarification to the policies and procedures related 
to Collection Field function payment posting vouchers, document 
transmittal forms, and transmittal packages to ensure an appropriate 
level of separation of duties; 
Status per GAO: Open. IRS did not revise its IRM during fiscal year 
2009 to address the additional clarifications for ensuring appropriate 
separation of duties. We will continue to assess IRS's actions during 
our fiscal year 2010 audit. 

ID no.: 05-33; 
Recommendation: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. SB/SE revised IRM 5.1.2.4.4 on August 15, 
2008, to document the field office requirements for preparing Form 
3210, Document Transmittal, when more than one remittance package 
(sealed envelope containing Form 795/795A and remittances) is being 
sent to SP. Also, SB/SE revised IRM 1.4.50.2.1.9(11) on May 12, 2009, 
outlining procedures for group managers to review remittance package 
transmittals to SP. Fiscal year 2009 reviews of area operations 
included addressing group remittance processing controls; 
Status per GAO: Open. IRS's actions to date have not been fully 
effective in addressing the issue that gave rise to our 
recommendation. During our fiscal year 2009 audit, we identified one 
SB/SE unit that was not following the requirement to use a Form 3210 
while transmitting multiple Forms 795 to the SCC for further 
processing. We will continue to evaluate this issue during our fiscal 
year 2010 audit. 

ID no.: 05-37; 
Recommendation: Enforce documentation requirements relating to 
authorizing officials charged with approving manual refunds. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Closed. IRS continues to enforce documentation 
requirements relating to authorizing officials charged with approving 
manual refunds. IRS created a standard authorization Form 14031 in 
September 2008 for all offices to use, and as a result, monthly and 
annual security review reports show considerable decline in memorandum 
defects. IRS continues to issue its annual solicitation memorandum to 
authorizing officials charged with approving manual refunds. The IRS 
finalized the annual list of authorized signatures as required by IRM 
3.17.79.3.5 (4) (d) on October 31, 2009. SP Headquarters completes a 
sample review as part of the Monthly Security Review Checklist per IRM 
3.17.79.3.5 (3), ensuring compliance to documentation requirements-- 
including the signatures of Heads of Office that delegated officials 
the authority to approve manual refunds and the authorizing official's 
campus or field office organization information. Any defects 
identified are shared with management for correction; 
Status per GAO: Closed. IRS has taken significant steps to address 
this recommendation. During our fiscal year 2009 audit, we found that 
the documentation requirements on memorandums providing the list of 
officials authorized to approve manual refunds were completed 
satisfactorily. In August 2009, IRS issued a memorandum entitled 
"Annual Solicitation for Authorized Refunds" which provides the 
information to enforce documentation requirements. GAO verified that 
the memorandum contained the required information. Additionally, GAO 
reviewed a copy of the standardized memorandum listings in Form 14031 
to verify whether those charged with approving manual refunds are 
properly documented. No exceptions were noted. 

ID no.: 05-38; 
Recommendation: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts for manual refunds. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-05-247R, Apr. 27, 2005); 
Status per IRS: Open. IRS increased its oversight to enforce the 
requirements to monitor accounts related to manual refunds. This 
included updating IRM requirements and controls to consolidate and 
simplify the process related to manual refund monitoring, providing 
refresher training for manual refund initiators, and implementing 
internal control and operational reviews to ensure managers and 
employees are adhering to the prescribed IRM procedures. Any defects 
identified through these reviews are shared with management for 
correction. Additionally, the IRS utilizes the Taxpayer Advocate 
Service (TAS) Managers Forum to advise all TAS employees of the 
requirement to have a backup manual refund monitor when the Case 
Advocate is out of the office and to educate managers on the 
requirement to monitor all manual refunds entered by their employees; 
Status per GAO: Open. During our fiscal year 2009 audit, we continued 
to find instances where manual refund initiators did not monitor 
accounts for manual refunds and supervisors did not verify that manual 
refund initiators were following proper procedures for monitoring 
manual refunds. We will continue to evaluate IRS's actions during our 
fiscal year 2010 audit. 

ID no.: 05-39; 
Recommendation: Enforce requirements for documenting monitoring 
actions and supervisory review for manual refunds. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-05-247R, Apr, 27, 2005); 
Status per IRS: Open. IRS increased its oversight to enforce the 
requirements to monitor accounts related to manual refunds. On October 
1, 2009, SB/SE Campus Compliance Services updated IRM 21.7.8.4.5.3 (9) 
(d) to address manual refund monitoring requirements. Accounts 
Management (AM) revised IRM 21.4.4 to require centralized controls for 
monitoring and reviewing manual refunds at the team level. AM and 
Submission Processing (SP) sites completed the manual refund refresher 
training for their manual refund initiators and managers by October 
15, 2009. Manual refund issues continue to be part of the site's 
quarterly internal control review for AM, and as part of the Monthly 
Security Review Checklist for SP. Any defects identified are shared 
with management for correction. IRS also reminds its employees and 
managers of the monitoring requirement during team meetings, annual 
continuing professional education, and annual operational reviews. The 
Manager's Forum instructs managers on the requirement to monitor all 
manual refunds entered by their employees. In March 2009, the 
Executive Director of Case Advocacy (EDCA) sent to all Area offices a 
notice of "verification of action taken" that requires each office to 
verify all IRM requirements are followed concerning the issuance and 
monitoring of manual refunds. In the last year, the EDCA Office 
performed a physical review of TAS cases and evidence that Case 
Advocates and Managers monitored manual refunds in the 30 TAS offices 
reviewed. In TAS, the EDCA office, in addition to physical reviews 
performed, reminds management to discuss the manual refund monitoring 
requirements in all group meetings by referring Case Advocates to the 
IRM reference, 21.4.4.5.1, Monitoring Manual Refunds; 
Status per GAO: Open. Although IRS's response does not directly 
address requirements for documenting monitoring actions, we verified 
that IRS has updated its IRM to include guidance on the requirements 
to document monitoring actions for manual refunds. However, during our 
fiscal year 2009 audit, we continued to find instances where manual 
refund initiators did not document their monitoring actions or the 
unit supervisor did not document his/her review of monitoring actions, 
or both. The additional corrective actions cited by IRS were 
subsequent to our fieldwork. We will evaluate the effectiveness of 
IRS's corrective actions during our fiscal year 2010 audit. 

ID no.: 06-01; 
Recommendation: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. Accounts Management (AM) has procedures in 
place for the periodic supervisory review and documentation of the 
Form 3210 reconciliation process to follow up on unacknowledged forms. 
This process provides a timely account of any discrepancy between the 
documents listed on the Form 3210 and those received. Beginning in 
fiscal year 2009, AM required a quarterly, independent review of each 
Refund Inquiry Unit to ensure compliance with this requirement. AM 
Headquarters conducts this review; 
Status per GAO: Open. IRS's actions to date have not been fully 
effective in addressing the issue that gave rise to our 
recommendation. Since initially issuing this recommendation in May 
2006, we continued to identify instances where Refund Inquiry Unit 
managers or supervisors were not performing or documenting periodic 
reviews of forms used to transmit returned refund checks. In many 
cases, the employees were not aware of the requirement for documenting 
their reviews. In addition, while IRS states that procedures are in 
place requiring the periodic review of these forms, we were unable to 
locate or identify these procedures in the IRM. We will continue to 
evaluate IRS's actions during our fiscal year 2010 audit. 

ID no.: 06-02; 
Recommendation: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including SCCs, TACs, and units within Large and 
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities 
(TE/GE), establish a system to track acknowledged copies of document 
transmittals. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. IRS has procedures in place to ensure compliance 
with tracking acknowledgment of document transmittals. To ensure 
compliance, LMSB issued a memorandum reiterating Form 3210 procedures 
which provided specific IRM guidance related to the preparation, 
tracking, and monitoring of Form 3210s and incorporated such 
procedures in a job aid module for new hires. All TE/GE Exam Managers 
use the Quick Reference Guide for processing checks and Area Managers 
verify tracking measures are in place during operational reviews. 
Additionally, TE/GE's Exempt Organization Exam Division will revise 
specific IRM sections dealing with remittance processing. W&I also has 
a system in place to monitor the use of Form 3210s when mailing 
documents to SP Centers and reiterate this requirement while 
conducting workshops and annual training. Further, W&I monitors 
compliance through operational reviews, which have provided evidence 
that sustained improvement has been achieved in compliance with 
tracking acknowledgment copies of Form 3210 document transmittals; 
Status per GAO: Open. IRS's actions to date have not been fully 
effective in addressing the issues that gave rise to this 
recommendation. During our fiscal year 2009 audit, we identified 
instances at two TACs where there was no system in place to monitor 
acknowledged/unacknowledged transmittals to the SCC. We will continue 
to assess IRS's actions during our fiscal year 2010 audit. 

ID no.: 06-04; 
Recommendation: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. TE/GE added a question to its 2009 Annual 
Assurance Review to ensure managers document their reviews of document 
transmittals verifying that taxpayer remittances mailed between IRS 
locations are tracked according to guidelines. TE/GE will include this 
question in all future Annual Assurance Reviews. Also, TE/GE managers 
are required to review procedures and the Director of Exempt 
Organization (EO) Exam sent an e-mail to all EO Exam Managers 
reiterating Form 3210, Document Transmittal, procedures and to discuss 
Form 3210 procedures with their employees. W&I has a system in place 
to monitor the use of Form 3210 when mailing documents to SP Centers. 
W&I reinforces this requirement while conducting its Filing Season 
Readiness Workshop. Further, W&I monitors compliance during reviews 
conducted by territory managers and operational reviews conducted by 
headquarters personnel. AM operational reviews have provided evidence 
that sustained improvement has been achieved in compliance with 
tracking acknowledgment copies of Form 3210 document transmittals. 
LMSB emphasizes in managerial workshops that document transmittals 
between IRS locations are likely to be reviewed by Territory Managers. 
LMSB also incorporated the review of Form 3210 procedures into their 
Territory Manager's operational review, such as the Communications, 
Technology, and Media Industry operation review discussion check 
sheet. In August 2009, LMSB issued an annual executive memorandum to 
its employees on Form 3210 procedures, including the IRM requirement 
for LMSB managers and employees for the preparation, tracking, and 
monitoring of the form. In November 2009, LMSB incorporated 
information on Form 3210 procedures in the "Processing Advance 
Payments and Deposits" job aid module for new hires."; 
Status per GAO: Open. We reviewed IRS's policies for ensuring that 
hard-copy taxpayer receipts and information mailed between IRS 
locations are tracked according to guidelines. However, we did not 
find specific instructions stating how and where W&I Field Assistance 
managers or supervisors should document their review of the document 
transmittals to ensure that taxpayer receipts and/or taxpayer 
information mailed between IRS locations are tracked according to 
guidelines. During our fiscal year 2009 audit, we identified instances 
at seven TACs where there was no evidence of managerial review of 
document transmittals. We will continue to evaluate IRS's corrective 
actions. 

ID no.: 06-05; 
Recommendation: Equip all Taxpayer Assistance Centers with adequate 
physical security controls to deter and prevent unauthorized access to 
restricted areas or office space occupied by other IRS units, 
including those TACs that are not scheduled to be reconfigured to the 
"new TAC" model in the near future. This includes appropriately 
separating customer service waiting areas from restricted areas in the 
near future by physical barriers, such as locked doors marked with 
signs barring entrance by unescorted customers. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. The IRS continues to identify priority locations 
for TAC Model build outs through proactively evaluating TAC sites and 
from customer feedback. IRS criteria for priority status include sites 
with security, safety, and environmental health concerns. Of the 401 
TAC locations, 224 have the model TAC design and 12 were completed by 
the end of 2009 with another 63 scheduled for completion by the end of 
2010. IRS's Physical Security and Emergency Preparedness (PSEP) 
established quarterly meetings to track the redesign and physical 
security issues of the TACs. Until all remaining sites can be 
upgraded, all sites will follow the strictest security guidelines as 
established by PSEP. IRS continues to focus on security concerns 
through the use of the following solutions: theater rope or other 
barriers, signage, minor alterations, and reconfigurations with 
consultations from PSEP; 
Status per GAO: Open. IRS's efforts to address our recommendation are 
ongoing. We will continue to evaluate IRS's actions during our fiscal 
year 2010 audit. 

ID no.: 06-07; 
Recommendation: Document supervisory visits by off-site managers to 
TACs not having a manager permanently on-site. This documentation 
should be signed by the manager and should (1) record the time and 
date of the visit, (2) identify the manager performing the visit, (3) 
indicate the tasks performed during the visit, (4) note any problems 
identified, and (5) describe corrective actions planned. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. W&I Field Assistance continues to use the TAC 
Security Remittance Review Database to document supervisory reviews. 
Managers are required to conduct and document their reviews to ensure 
the protection of data and compliance with remittance and security 
procedures. W&I Field Assistance is currently testing the Web design 
and initiated a review process to engage headquarters, area, and 
territory managers to identify and correct database entries. W&I Field 
Assistance is validating the effectiveness of the corrective actions 
taken; 
Status per GAO: Open. During our fiscal year 2009 audit, we identified 
instances at four TACs where group managers did not properly use the 
TAC Security Remittance Review Database to document supervisory 
reviews conducted during visits to outlying TACs. We will continue to 
assess IRS's actions during our fiscal year 2010 audit. 

ID no.: 06-08; 
Recommendation: Enforce the requirement that all security or other 
responsible personnel at service center campuses (SCC) and lockbox 
banks record all instances involving the activation of intrusion 
alarms, regardless of the circumstances that may have caused the 
activation. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. On September 23, 2009, IRS revised the IRM 
requiring campuses to record all instances involving the activation of 
any alarm, regardless of what may have caused the activation, and the 
instances must be recorded in a Daily Activity Report/Event Log or 
other log book and maintained for a period of two years. On January 1, 
2008, IRS revised L.S.G.2.3.3.15 Intrusion Detection System (IDS) 
stating, "A record of all instances involving the activation of 
intrusion alarms, regardless of the circumstances that may have caused 
the activation, must be maintained in the Daily Activity Report (DAR) 
or other incident logbook." On April 27, 2009, Business Support 
Management met with the guard staff to address IDS requirements and 
emphasized the requirement for the full completion of the Daily 
Activity Report as detailed in the Lockbox Security Guidelines (LSG), 
Standard Operating Procedures (SOP), and Post Orders. In addition, the 
Business Support team will monitor the full completion of the DAR, on 
a daily basis, and provide feedback to the guards, as necessary. 
Repeated offenses will ultimately result in the dismissal of the guard 
from the Lockbox Project; 
Status per GAO: Closed. During our fiscal year 2009 audit, we verified 
that IRS revised IRM 10.2.14 and LSG 2.3.3.15 to require all instances 
involving the activation of intrusion alarms to be recorded at SCCs 
and lockbox banks. In addition, Business Support staff met with the 
guards to address Intrusion Detection System requirements and 
instituted controls to monitor full completion of the DAR at lockbox 
banks. In addition, we did not identify any instances where the 
activation of intrusion alarms were not recorded. 

ID no.: 06-22; 
Recommendation: Direct Facilities Management Branch managers to 
research and resolve the aging reports. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. During fiscal year 2008, IRS corrected the 
Information Technology Asset Management System-Asset Center, which is 
used to record and manage P&E's disposal wizard, allowing all disposal 
actions to be timely updated in the Web-based aging report to ensure 
timely completion of the disposal process; 
Status per GAO: Closed. During our fiscal year 2009 audit, we verified 
that IRS staff routinely researched and resolved the aging reports, 
thereby promptly recording disposals of property and equipment in its 
inventory records. Additionally, our testing did not identify any 
situations where IRS did not timely update disposal transactions. 

ID no.: 07-04; 
Recommendation: Develop and implement appropriate corrective actions 
for any gaps in closed circuit television (CCTV) camera coverage that 
do not provide an unobstructed view of the entire exterior of the 
SCC's perimeter, such as adding or repositioning existing CCTV cameras 
or removing obstructions. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. IRS continues to utilize the Audit Management 
Checklist as a repeatable process where service center campuses 
quarterly validate their closed circuit television (CCTV) to determine 
if it provides an unobstructed view of the exterior of the campus 
perimeter and to identify problems and planned corrective actions to 
mitigate any identified problems. Physical Security and Emergency 
Preparedness (PSEP) continues to place emphasis on CCTV camera 
coverage, and the PSEP Risk Management office will distribute a 
communication to PSEP, Operational Readiness, to reiterate the policy 
on CCTV camera coverage; 
Status per GAO: Open. On January 10, 2008, IRS completed an assessment 
of its CCTVs in all SCCs to ascertain whether they provided an 
unobstructed view of its campuses' exterior perimeter. We found that 
this assessment did not account for the multiple long-standing CCTV 
weaknesses, which continued to exist at one SCC during our April 2009 
visit. As a result, it is unclear whether additional CCTV weaknesses 
at other SCCs went unreported in this risk assessment. Further, while 
IRS cites the Audit Management Checklist as a tool to (1) assess the 
physical security controls at SCCs and field offices and (2) identify 
associated weaknesses and planned corrective actions, we found that 
the officials responsible for completing the checklist did not always 
answer the questions in the checklist accurately. We will continue to 
assess IRS's actions during our fiscal year 2010 audit. 

ID no.: 07-08; 
Recommendation: Require that managers or supervisors provide the 
manual refund initiators in their units with training on the most 
current requirements to help ensure that they fulfill their 
responsibilities to monitor manual refunds and document their 
monitoring actions to prevent the issuance of duplicate refunds. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. All initiators and their managers completed 
manual refund procedures refresher training by October 15, 2009. In 
addition, Accounts Management revised manual refund monitoring 
procedures in IRM 21.4.4, emphasizing the new requirements for 
centralized monitoring at the team level and documenting the 
monitoring actions; 
Status per GAO: Open. During our fiscal year 2009 audit, we continued 
to find instances where the manual refund initiators did not receive 
training to ensure that they are able to fulfill their 
responsibilities for processing manual refunds which include 
monitoring and documenting actions to prevent the issuance of 
duplicate refunds. The IRS refresher training referred to by IRS was 
subsequent to our field work. We will follow up during our fiscal year 
2010 audit to test its effectiveness. 

ID no.: 07-15; 
Recommendation: Issue a memorandum to employees in the Centralized 
Insolvency Office reiterating the Internal Revenue Manual (IRM) 
requirement to timely record bankruptcy discharge information onto 
taxpayer accounts in the master file or to manually release the liens 
in the Automated Lien System. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. SB/SE issued a memorandum on December 16, 
2009, to its managers providing interim guidance on policies and 
procedures for monitoring the timely determination of release of 
Notices of Federal Tax Lien for cases receiving a discharge through 
bankruptcy. These procedures will be incorporated into IRM 5.9.17 and 
IRM 1.4.51 by August 30, 2010; 
Status per GAO: Closed. IRS issued a memorandum providing additional 
guidance for monitoring cases involving bankruptcy discharge to help 
ensure the timely release of federal tax liens. However, in its own 
fiscal year 2009 lien release testing, IRS identified one case 
involving bankruptcy, where it did not release the lien within 30 
days. We will continue to monitor IRS's implementation of policies and 
procedures in this area during our fiscal year 2010 audit. 

ID no.: 07-20; 
Recommendation: Establish and maintain sufficient secured storage 
space to properly secure and safeguard property and equipment 
inventory, including in-stock inventories, assets from incoming 
shipments, and assets that are in the process of being excessed and/or 
shipped out. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. IRS implemented procedures on March 3, 2009, 
which state, in part, "an Employee Resource Center (ERC) work ticket 
call type has been established to specifically identify when secured 
storage space is needed. Requesters will initiate the ERC ticket 
process by requesting "Property Consultation" services, which 
initiates Real Estate and Facilities Management (REFM) activity to 
work with the requester on obtaining whatever secured storage space is 
needed"; 
Status per GAO: Open. While IRS had established procedures to ensure 
that sufficient secured space was available for all property and 
equipment not currently in use, we found that IRS did not ensure that 
the space was maintained properly. During our fiscal year 2009 
physical inventory testing, IRS was unable to locate a laptop 
computer. According to IRS officials, the laptop computer had been 
stolen. Although the IRS officials informed us that the storage room 
that housed the computer is normally locked, we found during our 
physical inventory testing that the storage room was unlocked. We will 
assess the effectiveness of IRS's procedures to properly secure and 
safeguard property and equipment not in use during our fiscal year 
2010 audit. 

ID no.: 07-21; 
Recommendation: Develop and implement procedures to require that 
separate individuals place orders with vendors and perform receipt and 
acceptance functions when the orders are delivered. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. The Office of Procurement Policy will issue a 
Policy Update reminder to all of its employees regarding the receipt 
and acceptance criteria and limitations on contracting officers 
outlined in policy documents. This immediate notification will serve 
as a reminder and bring attention to this concern. In addition, Agency 
Wide Shared Services (AWSS) will follow up with an audit to ensure 
compliance with policy and procedures; 
Status per GAO: Closed. During our fiscal year 2008 audit, we reviewed 
IRS's revised policy and procedure memorandum pertaining to the 
separation of duties, but during our fiscal year 2008 testing, we 
found that individuals were performing incompatible functions. During 
our fiscal year 2009 audit, we did not identify any issues regarding 
separation of duties. 

ID no.: 07-24; 
Recommendation: To the extent that IRS intends to use the information 
security work conducted under the Federal Information Security 
Management Act of 2002 (FISMA) to meet related A-123 requirements, 
identify the areas where the work conducted under FISMA does not meet 
the requirements of OMB Circular No. A-123 and, considering the 
findings and recommendations of our work on IRS's information 
security, expand FISMA procedures or perform additional procedures as 
part of the A-123 reviews to augment FISMA work. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) 
Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Closed. On June 30, 2009, the IRS implemented a review 
process for evaluating controls over information technology relating 
to financial statement reporting. The review focused on the systems 
that affect recording of financial transactions and included assessing 
the annual Federal Information Security Management Act (FISMA) 
evaluations of the CFO-oriented financial systems. In addition, the 
Associate Chief Financial Officer (ACFO) obtained copies of the Chief 
Information Officer's (CIO) annual FISMA report evaluating the IRS 
servicewide information technology security program and found that it 
met A-123 requirements. The annual Treasury Inspector General for Tax 
Administration (TIGTA) report evaluating the IRS compliance with FISMA 
requirements was also reviewed to identify any A-123 FISMA issues; 
Status per GAO: Open. IRS implemented the review process for 
evaluating controls over information systems related to financial 
reporting subsequent to the conclusion of its a-123 testing for fiscal 
year 2009. We will follow up during our fiscal year 2010 audit to 
assess the effectiveness of this process. 

ID no.: 07-25; 
Recommendation: Revise A-123 test plans to include appropriate 
consideration of the design of internal controls in addition to 
implementation of controls over individual transactions. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) 
Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Closed. On June 30, 2009, IRS implemented a "Fiscal 
Year 2009 Control Design" template that annotates which design 
activity was completed for each transaction. IRS enhanced its testing 
to include procedures for design control activities published in SOPs, 
IRM references, and business process documentation. The A-123 office, 
along with the process owner, evaluates procedures to identify the key 
internal controls and to determine whether the control fully addresses 
multiple risks; 
Status per GAO: Open. During our fiscal year 2009 audit, we continued 
to find that IRS did not include appropriate consideration of design 
of internal controls into their test plans. We reviewed IRS's internal 
control test results and found that for about half of the transactions 
tested, IRS did not consider the design of internal controls in their 
respective test plans. IRS's actions to address this recommendation 
were implemented subsequent to the conclusion of its A-123 testing for 
fiscal year 2009. We will evaluate the effectiveness of these actions 
during our fiscal year 2010 audit. 

ID no.: 07-27; 
Recommendation: Begin devising appropriate A-123 follow-up procedures 
for the last 3 months of the fiscal year to be implemented once the 
material weaknesses identified through the annual financial statement 
audits have been resolved. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) 
Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Closed. In fiscal year 2009, IRS performed tests in 
the 4th quarter to provide sufficient evidence of continued operating 
effectiveness. Testing focused on significant nonroutine transactions, 
accounts, and processes with high subjectivity or judgment, period end 
reporting, and other high-risk transactions, as deemed appropriate. 
The IRS developed its 4th quarter testing by evaluating (1) results of 
controls tested prior to the year end, (2) evidence obtained, (3) 
length of time since initial A-123 test, and (4) possibility of 
significant changes. Testing procedures consisted of one or more of 
the following: (1) inquiries/questionnaires; (2) additional walk 
throughs; (3) scanning reconciliations used in the process; (4) 
selection of more significant controls to independently test; and, (5) 
review of annotated copies of reports and follow up communications. 
Testing was also conducted for some controls over processes that 
normally operate only after the year end closing; 
Status per GAO: Closed. During our fiscal year 2009 audit, we verified 
that IRS devised appropriate procedures for the last 3 months of the 
fiscal year. We obtained and reviewed IRS's testing plans and 
supporting audit documentation and determined the procedures to be 
appropriate. 

ID no.: 08-01; 
Recommendation: As IRS proceeds with its implementation of the 
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it 
becomes fully operational and is used in conjunction with the Interim 
Revenue and Accounting Control System (IRACS), will provide IRS with 
the direct transaction traceability for all of its tax-related 
transactions as required by the U.S. Standard General Ledger (SGL), 
Federal Financial Management System Requirements (FFMSR), and the 
Federal Financial Management Improvement Act of 1996 (FFMIA). (long- 
term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Open. IRS established traceability for 98 percent of 
tax revenue collections using the Trace ID stored in IRACS, CDDB, the 
Integrated Submission and Remittance Processing (ISRP) system, 
Lockbox, and Electronic Federal Tax Payment System (EFTPS) during the 
fiscal year 2009 audit. IRS reviewed and corrected twenty-four IRMs 
pertaining to recording the Trace ID in summary deposits and revenue 
detail transactions. IRS issued a Hot Topic to the campuses, and is 
currently updating IRM 3.17.63 to include a new Trace ID 
reconciliation process to resolve any traceability discrepancies. 
During fiscal year 2009, IRS completed all remaining programs that 
validate the Trace ID in the deposit systems and implemented the 
programs into production in January 2010. During fiscal year 2009, IRS 
completed all remaining RRACS development and testing to implement 
RRACS into production, making RRACS the system of record replacing 
IRACS beginning in February 2010; 
Status per GAO: Open. During our fiscal year 2009 audit, we verified 
that IRS substantially completed the capability to trace its revenue 
and refund transactions from its general ledger to supporting 
documentary detail, thus providing transaction traceability for its 
refund disbursements and more than 98 percent of its recorded tax 
revenue collections. However, as of the end of our fieldwork, IRS had 
not demonstrated transaction traceability for unpaid tax assessments, 
including taxes receivable, which constituted over 80 percent of its 
assets as of September 30, 2009. During our audit of IRS fiscal year 
2010 financial statements, we will follow up to assess IRS progress in 
providing transaction traceability for unpaid tax assessments, 
including taxes receivable. 

ID no.: 08-02; 
Recommendation: Document and implement the specific procedures to be 
performed by the IRS statistician in each step of the unpaid 
assessment estimation process. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Open. Revenue Financial Management added a check sheet 
in May 2009 to ensure the statistician performed each of the steps in 
the estimation process outlined in the June 2008 procedures and is 
adding additional steps to the procedures based on the fiscal year 
2009 review; 
Status per GAO: Open. IRS is still in the process of documenting the 
specific procedures performed by the IRS statistician in each step of 
the unpaid assessment estimation process. During our fiscal year 2009 
audit, we again found an error in IRS's unpaid assessment estimates. 
Until IRS fully documents the specific procedures performed by its 
statistician in each step of the unpaid assessment estimation process, 
IRS faces increased risk that an error or omission could be made. We 
will continue to review IRS's corrective actions to address this 
recommendation during our fiscal year 2010 and future audits. 

ID no.: 08-03; 
Recommendation: Document and implement specific detailed procedures 
for reviewers to follow in their review of unpaid assessments 
statistical estimates. Specifically, IRS should require that a 
detailed supervisory review be performed to ensure (1) the statistical 
validity of the sampling plans, (2) data entered into the sample 
selection programs agree with the sampling plans, (3) data entered 
into the statistical projection programs agree with IRS's sample 
review results, (4) data on the spreadsheets used to compile the 
interim projections and roll-forward results trace back to supporting 
statistical projection results, and (5) the calculations on these 
spreadsheets are mathematically correct. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Open. Revenue Financial Management (RFM) is developing 
procedures for reviewers during review of the unpaid assessments 
estimation process to ensure (1) the statistical validity of the 
sampling plans, (2) data entered into the sample selection programs 
agree with the sampling plans, (3) data entered into the statistical 
projection programs agree with IRS's sample review results, (4) data 
on the spreadsheets used to compile the interim projections and roll-
forward results trace back to supporting statistical projection 
results, and (5) the calculations on these spreadsheets are 
mathematically correct. The procedures will be in place by May 2010; 
Status per GAO: Open. During our fiscal year 2009 audit, we again 
found an error in IRS's unpaid assessment estimates that was not 
detected by IRS's internal reviews. IRS corrected this error after we 
brought it to IRS's attention. However, until IRS fully documents the 
specific detailed procedures for reviewers to follow in its review of 
unpaid assessments statistical estimates, IRS faces increased risk 
that errors in this process will not be prevented or detected and 
corrected. We will continue to review IRS's corrective actions to 
address this recommendation during our fiscal year 2010 audit. 

ID no.: 08-04; 
Recommendation: To address the inconsistency in assigning the 
effective date of an accuracy-related penalty, modify the Business 
Master (BMF) File computer program so that the date of the deficiency 
assessment is used as the effective date of any associated accuracy-
related penalty. (long-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Closed. In January 2009 IRS implemented programming 
changes to its BMF so that accuracy-related penalties assessed 
subsequent to the programming change will carry the same date as the 
related deficiency assessment; 
Status per GAO: Closed. IRS changed the computer program for 
calculating accuracy-related penalties in its BMF to assign the 
effective date of the accuracy penalty to match the date of the 
related deficiency assessment. The change makes the assessment of 
accuracy related penalties in its BMF consistent with how IRS 
calculates accuracy-related penalties in its Individual Master File. 
We reviewed IRS's documentation showing the implementation of the 
programming change as well as the results of its internal tests 
verifying that the programming change functioned as intended. 

ID no.: 08-06; 
Recommendation: In instances where computer programs that control 
penalty assessments are not functioning in accordance with the intent 
of the IRM, take appropriate action to correct the programs so that 
they function in accordance with the IRM. (long-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Closed. The cross-functional working group to address 
penalty and interest programming issues continue to identify and 
assess penalty and interest issues. Solutions to identify systemic 
differences between IRS systems that cannot be fixed under the current 
processing system have been shared and discussed with Modernization & 
Information Technology Services to determine the most effective way to 
implement programming changes and in certain cases an impact analysis 
determined correction is not cost effective at this time; 
Status per GAO: Open. Although IRS completed corrective actions on 
some of the programming issues it identified in 2008, and determined 
that others were not cost effective to correct, it has not yet 
completed the required programming corrections on all of the issues it 
planned to correct. We will continue to review IRS's progress on 
implementing the programming corrections during our fiscal year 2010 
and future audits. 

ID no.: 08-07; 
Recommendation: Develop and provide comprehensive guidance to assist 
TAC managers in conducting reviews of outlying TACs and documenting 
the results. This guidance should include a description of the key 
controls that should be in place at outlying TACs, specify how often 
these key controls should be reviewed, and specify how the results of 
each review should be documented, including follow-up on issues 
identified in previous TAC reviews. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Open. W&I Field Assistance continues to use the TAC 
Security Remittance Review Database (TSRRD) to document supervisory 
reviews. Managers are required to conduct and document their reviews 
to ensure the protection of data and compliance with remittance and 
security procedures. W&I Field Assistance is validating the 
effectiveness of the corrective actions taken by trending subsequent 
findings to the baseline of prior findings; 
Status per GAO: Open. IRS outlined the reviews that TAC managers are 
required to conduct in its IRM. W&I Field Assistance informed us that 
all of the reviews assessing controls over taxpayer receipts and 
information are documented in the TSRRD. However, during our fiscal 
year 2009 audit, we found that the TSRRD was not used throughout the 
entire fiscal year and as a result we were unable to determine whether 
the required TAC manager reviews were performed and documented. Also, 
we identified instances at five TACs where the responses entered into 
the TSRRD by the TAC group manager were not always accurate, and 
instances at four TACs where the group manager was not performing the 
required payment processing reviews. In addition, we found that there 
was no guidance requiring managerial or supervisory reviews of the 
information entered in the TSRRD. The lack of managerial oversight 
increases the risk that the reviews conducted at these outlying TACs 
may not be useful in assessing key controls and identifying potential 
weaknesses. We will continue to evaluate IRS's corrective actions 
during our fiscal year 2010 audit. 

ID no.: 08-08; 
Recommendation: Establish a process to periodically update and 
communicate the specific required reviews for all off-site TAC 
managers. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Closed. The Director of Field Assistance issued 
managers a quarterly reminder to conduct required reviews again during 
fiscal year 2009. W&I reviews and monitors the status of corrective 
actions noted during operational reviews; 
Status per GAO: Closed. IRS established a process to periodically 
update and communicate the specific required reviews for all off-site 
TAC managers through quarterly reminders and reviewing and monitoring 
the status of corrective actions noted during operational reviews. In 
addition, IRS outlined the reviews that TAC managers are required to 
conduct in its IRM. According to our discussions with Field Assistance 
officials, any additional or revised reviews would be communicated 
through the normal IRM update process. 

ID no.: 08-12; 
Recommendation: Establish procedures to require documentation 
demonstrating that favorable background checks have been completed for 
all contractors prior to allowing them access to TAC and other field 
offices. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Open. AWSS continues to work with the General Services 
Administration (GSA) to complete janitorial background investigations. 
GSA has only provided certification that a small number of Level IV 
and Level III background investigations were completed. IRS requests a 
Background Investigation (BI) on all contractors at IRS facilities. 
Although IRS has been working with GSA since March 2008, GSA has not 
delivered on this entire initiative. As an interim measure, IRS has 
asked GSA to convert all IRS leases to daytime janitorial cleaning; 
Status per GAO: Open. To date, background investigations have not been 
completed for all contractors with access to TAC and other field 
offices. Since many of these contracts are administered by GSA, IRS 
has no direct authority over how these contracts should be managed or 
what provisions should be included in these contracts. As a result, 
IRS's AWSS continues to work with GSA to complete the investigations 
for janitorial contractors and has asked GSA in the interim to convert 
all IRS leases to daytime janitorial cleaning. However, during our 
fiscal year 2009 audit, we identified instances at three TACs where 
IRS did not have documentary evidence demonstrating the completion of 
favorable background investigations for contractors performing 
janitorial services during nonoperating hours. We will assess the 
effectiveness of IRS's implementation and oversight of these 
procedures during our fiscal year 2010 audit. 

ID no.: 08-13; 
Recommendation: Require including in all shredding service contracts, 
provisions requiring (1) completed background investigations for 
contractor employees before they are granted access to sensitive IRS 
information, and (2) periodic, unannounced inspections at off-site 
shredding facilities by IRS to verify ongoing compliance with IRS 
safeguards and security requirements. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Open. IRS implemented a National Document Destruction 
Contract with the National Institute for the Severely Handicapped 
(NISH) at 482 of the 668 sites requiring shredding as of October 1, 
2009. The current contract requires a review of contractor performance 
through site visits and to ensure that contractors comply with all 
security requirements for employee clearance prior to performing the 
work. The remaining sites did not migrate to the NISH contract, as 
NISH is not able to service several of these remote areas. However, 
all of the remaining sites' contractors that have local shred 
contracts with the IRS have agreed to operate under the same strict 
guidelines established in the NISH contract and are now operating 
accordingly. As NISH expands its coverage in the future, some of these 
small outlying locations may fall under the NISH contract, but all 
sites are now following the strict guidelines; 
Status per GAO: Open. IRS has taken steps, subsequent to our fiscal 
year 2009 fieldwork, to consolidate its offsite shredding services to 
one provider. However, this effort covers only about 72 percent of its 
sites requiring shredding services. IRS has not provided support to 
show that the provisions in our recommendation are included in the 
remaining shredding contracts. We will continue to evaluate IRS's 
corrective actions during future audits. 

ID no.: 08-14; 
Recommendation: Revise the IRM to include a requirement that IRS 
conduct periodic, unannounced inspections at off-site contractor 
facilities entrusted with sensitive IRS information; 
document the results, including identification of any security issues; 
and verify that the contractor has taken appropriate corrective 
actions on any security issues observed. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Open. IRS implemented a National Document Destruction 
Contract with the National Institute for the Severely Handicapped 
(NISH) at 482 of the 668 sites requiring shredding as of October 1, 
2009. The current contract requires a review of contractor performance 
through site visits and to ensure that contractors comply with all 
security requirements for employee clearance prior to performing the 
work. The remaining sites did not migrate to the NISH contract, as 
NISH is not able to service several of these remote areas. However, 
all of the remaining sites' contractors that have local shred 
contracts with the IRS have agreed to operate under the same strict 
guidelines established in the NISH contract and are now operating 
accordingly. As NISH expands its coverage in the future, some of these 
small outlying locations may fall under the NISH contract, but all 
sites are now following the strict guidelines; 
Status per GAO: Open. IRS identifies its current efforts and progress 
of implementing a National Document Destruction Contract with NISH 
that would include provisions for conducting site visits and asserts 
that all sites are following these guidelines. However, these actions 
occurred subsequent to our fiscal year 2009 fieldwork. In addition, 
IRS has not revised the IRM to require that IRS perform and document 
periodic unannounced inspections of off-site shredding contractor 
facilities to ensure that contractors continue to appropriately 
safeguard sensitive IRS information on an ongoing basis. We will 
continue to evaluate IRS's corrective actions during future audits. 

ID no.: 08-15; 
Recommendation: Establish procedures to require obtaining and 
reviewing documentation of completed background investigations for all 
shredding contractors before granting them access to taxpayer or other 
sensitive IRS information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Open. IRS implemented a National Document Destruction 
Contract with the National Institute for the Severely Handicapped 
(NISH) at 482 of the 668 sites requiring shredding as of October 1, 
2009. The current contract requires a review of contractor performance 
through site visits and to ensure that contractors comply with all 
security requirements for employee clearance prior to performing the 
work. The remaining sites did not migrate to the NISH contract, as 
NISH is not able to service several of these remote areas. However, 
all of the remaining sites' contractors that have local shred 
contracts with the IRS have agreed to operate under the same strict 
guidelines established in the NISH contract and are now operating 
accordingly. As NISH expands its coverage in the future, some of these 
small outlying locations may fall under the NISH contract, but all 
sites are now following the strict guidelines; 
Status per GAO: Open. IRS identifies its current efforts and progress 
in implementing a National Document Destruction Contract with NISH 
that would include provisions for requiring that contractors comply 
with all security requirements for employee clearance prior to 
performing the work. However, these actions occurred subsequent to our 
fiscal year 2009 fieldwork. We will review IRS's procedures for 
evaluating completed background investigation records to ensure that 
only contractor employees who receive favorable background 
investigation results are allowed access to taxpayer receipts or other 
sensitive information during future audits. 

ID no.: 08-16; 
Recommendation: Reinforce existing policies requiring the use of the 
revised Form 13094 when hiring juveniles. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Closed. HCO continues to send monthly reminders to the 
Employment Offices reinforcing Policy No. 15 - Suitability Standards 
for Hiring Juveniles by the IRS. A notice was issued in July 2007 to 
emphasize the policy. Further, the HCO issued Alert 731-2 in September 
2008, to all Employment Offices to clarify the guidance in Policy No. 
15. HCO has taken steps to monitor the Employment Offices via monthly 
employment teleconference meetings to eliminate any further issues; 
Status per GAO: Closed. We verified that IRS continues to send monthly 
reminders to its Employment Offices. Also, we verified the Human 
Capital Office issued an alert to clarify guidance in its suitability 
standards for hiring juveniles, and conducted an oversight review of 
the Juvenile Employment Program in September 2009. We believe that 
these actions met the intent of our recommendation by enforcing the 
requirement to receive and make direct contact with character 
references when hiring juveniles. 

ID no.: 08-17; 
Recommendation: Reinforce existing policies requiring verification of 
the information on Form 13094 (Recommendation for Juvenile Employment) 
by contacting the reference directly and documenting the details of 
this contact. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Closed. The HCO issued Alert 731-2 in September 2008 
to all Employment Offices to clarify the guidance in Policy No. 15. 
The Policy and Programs office conducted an oversight review of the 
Juvenile Employment Program in September 2009 and no exceptions in the 
policy were found regarding contacting the references listed on the 
Form 13094 and documenting the details; 
Status per GAO: Open. IRS's actions to date have not been fully 
effective in addressing the issues that gave rise to our 
recommendation. During our fiscal year 2009 audit, we identified three 
instances in which IRS employment office staff did not obtain and 
verify a valid character reference, as required on Form 13094. We will 
review IRS's corrective actions during our fiscal year 2010 audit. 

ID no.: 08-24; 
Recommendation: Issue a memorandum to employees that reiterates IRS 
policy requiring all employees to obtain appropriate approvals of 
travel authorizations prior to the initiation of their travel. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's 
Internal Controls (GAO-08-368R, June 4, 2008); 
Status per IRS: Closed. IRS implemented GovTrip requiring all 
travelers to use the new system. Travelers are required to create an 
authorization before travel begins, and GovTrip will not allow a 
voucher to be created without a signed/approved authorization. AWSS 
continues to issue communications to all employees reiterating the 
policy requiring all employees to obtain approval of travel 
authorizations before the initiation of travel through periodic 
notices on the IRS intranet. AWSS will continue to monitor compliance 
with this requirement; 
Status per GAO: Open. We confirmed that IRS implemented its GovTrip 
system, and that GovTrip does not allow a voucher to be created 
without an approved authorization entered into the system. However, 
GovTrip allows an authorization to be created after the date of travel 
and thus, cannot ensure that travel is authorized before it begins. 
Also, IRS could not provide an example of AWSS communications that 
mentioned the requirement to obtain approval of a travel authorization 
prior to the initiation of travel. In addition, during our fiscal year 
2009 audit, we found an instance where IRS staff did not obtain 
approval of travel authorizations in advance of travel. We will 
continue to review IRS's progress in implementing this recommendation. 

ID no.: 09-01; 
Recommendation: Correct the Integrated Data Retrieval System (IDRS) 
computer program for identifying individual taxpayers who have entered 
into an installment agreement so that except in situations where the 
taxpayer did not file the tax return timely, failure to pay penalty 
assessments made after the date of the installment agreement are 
calculated using the monthly one-quarter of one percent penalty rate 
on all of the taxpayer's accounts covered by the installment 
agreement. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. IRS implemented additional programming changes 
in January 2009 to ensure that failure to pay penalties are calculated 
at a reduced rate for all eligible taxpayers who have entered into an 
installment agreement. IRS's CFO tested the programming changes 
through August of 2009 to ensure that the programming is operating as 
intended; 
Status per GAO: Closed. We reviewed a nonrepresentative selection of 
accounts of eligible taxpayers that had entered into installment 
agreements with IRS and verified that IRS's master file was 
calculating the failure to pay penalty at the reduced monthly rate of 
one-quarter of one percent on all of the selected accounts. 

ID no.: 09-02; 
Recommendation: Add specific requirements to the IRM to require that 
manual refund units assign back up staff to perform manual refund 
monitoring activities whenever a manual refund initiator is absent for 
an extended period of time. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. (W&I) Accounts Management revised IRM 
21.4.4.5.1 (1) on October 2, 2009, with the following: "It is 
management's responsibility to ensure accounts are monitored each week; 
however, the actual monitoring can be delegated. When an employee who 
performs monitoring actions is out on leave, management must reassign 
the monitoring to a backup"; 
Status per GAO: Closed. During our fiscal year 2009 audit, we verified 
that IRS revised its guidelines by adding a note within the IRM 
stating that it is management's responsibility to ensure accounts are 
monitored each week. 

ID no.: 09-03; 
Recommendation: Document in the IRM minimum requirements for 
establishing criteria for time discrepancies or other inconsistencies, 
which if noted as part of the required monitoring of Form 10160, 
Receipt for Transport of IRS Deposit, would require off-site 
surveillance of couriers. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Open. On May 15, 2009, IRS updated IRM 3.8.45 
clarifying the instructions when there are time discrepancies on 
acknowledged Forms 10160. IRM 3.8.45.1.9.3.1 directs the campuses to 
enact the courier contingency plan if the time stamps on Form 10160 
are outside of the time allowed in the courier contract without a 
reasonable explanation. Each campus has a contingency plan for 
delivering the deposit to the bank if the courier does not meet the 
requirements outlined in IRM 3.8.45.1.9.1. IRM 3.8.45.1.9.5 directs 
the Receipt & Control Operations Manager to enact the courier 
contingency plan and contact headquarters (HQ) if the time stamps on 
Form 10160 are outside of the time allowed in the courier contract 
without a reasonable explanation. IRM 3.8.45.1.9.7 directs HQ to 
contact the courier company management when notified by the Campus 
Receipt and Control Operations Manager of unacceptable time 
discrepancies on Form 10160. HQ management will make the decision to 
continue with the courier contract or adopt the campus courier 
contingency plan; 
Status per GAO: Open. The objective of this recommendation was for IRS 
to develop a mechanism to aid in identifying when courier drivers who 
transport deposits failed to comply with IRS's guidance to transport 
the deposits directly to their destination with no unauthorized stops. 
From our review of the IRM, IRS continues to lack guidance in 
establishing a methodology for developing minimum requirements for 
setting allowable times for courier deposits that, when exceeded, 
would identify potential unauthorized stops during transit. For 
example, during our fiscal year 2009 audit, we continued to find 
instances at one SCC where the deposit courier's average travel time 
was 90 minutes; 
however, the threshold established before anyone would question the 
deposit time or initiate the courier contingency plan was 135 minutes. 
Thus, IRS officials are only required to make inquiries if the courier 
exceeded the delivery time by 45 minutes. This time frame does not 
meet the objective of identifying potential instances when deposit 
couriers have made unauthorized stops during their delivery. We will 
review IRS's corrective actions during our fiscal year 2010 audit. 

ID no.: 09-04; 
Recommendation: Document in the IRM minimum requirements for 
conducting off-site surveillance of couriers entrusted with taxpayer 
receipts and information. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. SP performs courier surveillance during the 
unannounced security reviews completed at each campus. IRM 3.8.45.1.5 
instructs the campus Receipt & Control Operation manager to contact 
headquarters (HQ) if there is a time discrepancy on Form 10160 that 
does not have a reasonable explanation. HQ Management will perform 
courier surveillance if needed and make the decision to continue with 
the courier contract or adopt the campus contingency plan; 
Status per GAO: Open. The objective of this recommendation was to 
include minimum requirements in the IRM for conducting off-site 
surveillance of couriers entrusted with taxpayer receipts and 
information. In March 2010, IRS informed us that a surveillance of all 
couriers at SCCs will be conducted during fiscal year 2010. However, 
the IRM referred to in IRS's response does not include this 
requirement or any other requirements outlining when surveillance of 
couriers are conducted. We will continue to evaluate this issue during 
our fiscal year 2010 audit. 

ID no.: 09-05; 
Recommendation: Establish procedures to track and routinely report the 
total dollar amounts and volumes of receipts collected by individual 
TAC location, group, territory, area, and nationwide. (long-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Open. W&I Field Assistance and Accounts Management 
Services are creating an electronic Form 795 that will automate the 
existing manual remittance reporting process. W&I has reached the 
first milestone in building the "Collection Activity Report." This 
report will have capabilities of tracking cash and noncash remittances 
by geographical regions. The national roll-up report will identify the 
type and total amount of payments received at the territory level. 
Efforts are being made to further develop the report to the TAC level. 
Anticipated completion of the recommendation is October 2012; 
Status per GAO: Open. IRS continues its ongoing efforts to establish a 
mechanism to track and report TAC receipt. According to IRS, full 
implementation is not expected until October 2012. We will evaluate 
IRS's corrective actions during future audits. 

ID no.: 09-06; 
Recommendation: Establish procedures to ensure that an inventory of 
all duress alarms is documented for each location and is readily 
available to individuals conducting duress alarm tests before each 
test is conducted. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. IRS revised IRM 10.2.14.9.1(11), IRM 10.2.14, 
Methods of Providing Protection, on September 23, 2009, requiring that 
the documentation of all duress alarms for each location be readily 
available to individuals conducting duress alarm tests before each 
test is conducted; 
Status per GAO: Open. IRS revised the IRM as noted and established a 
policy requiring a readily available inventory of all duress alarms 
for individuals conducting the alarm tests. However, while IRS has 
provided a broad policy statement, it did not provide detailed 
procedures on how the policy should be implemented. During our fiscal 
year 2009 financial audit, we identified instances at all nine field 
offices we visited where an inventory of all duress alarms was not 
provided to the test conductor prior to conducting the quarterly 
duress alarm tests. We will continue to evaluate this issue during our 
fiscal year 2010 audit. 

ID no.: 09-07; 
Recommendation: Establish procedures to periodically update the 
inventory of duress alarms at each TAC location to ensure that the 
inventory is current and complete as of the testing date. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. IRS revised IRM 10.2.14.9.1(11), IRM 10.2.14, 
Methods of Providing Protection, on September 23, 2009, requiring 
Territory Managers to conduct a quarterly inventory validation of all 
duress alarms; 
Status per GAO: Open. IRS revised the IRM as noted and established a 
policy requiring that the inventory of all duress alarms be 
periodically updated for individuals conducting the alarm tests. 
However, while IRS has provided a broad policy statement, it did not 
provide detailed procedures on how the policy should be implemented. 
During our fiscal year 2009 audit, we identified instances at all nine 
field offices we visited where an updated inventory of all duress 
alarms was not provided to the test conductor prior to conducting the 
quarterly duress alarm tests. We will continue to evaluate this issue 
during our fiscal year 2010 audit. 

ID no.: 09-08; 
Recommendation: Provide instructions for conducting quarterly duress 
alarm tests to ensure that IRS officials conducting the test (1) 
document the test results for each duress alarm listed in the 
inventory, including date, findings, and planned corrective action and 
(2) track the findings until they are properly resolved. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. IRS revised IRM 10.2.14.9.2(2), Methods of 
Providing Protection, on September 23, 2009, requiring IRS officials 
who conduct the test to (1) document the test results for each duress 
alarm listed in the inventory including date, findings, and planned 
corrective action and (2) track the findings until they are properly 
resolved; 
Status per GAO: Open. During our fiscal year 2009 audit, we verified 
that IRS revised duress alarm testing policies in the IRM to require 
that officials (1) document the test results for each duress alarm 
listed in the inventory, including date, findings, and planned 
corrective actions and (2) track the findings until they are properly 
resolved. However, we determined that IRS has not developed specific 
instructions outlining the necessary steps for properly completing 
duress alarm tests at its facilities. For example, a waiting period 
may be necessary between activations of duress alarms at some IRS 
locations to ensure that the central monitoring station receives each 
signal. We will continue to evaluate this issue during our fiscal year 
2010 audit. 

ID no.: 09-09; 
Recommendation: Establish procedures requiring that each physical 
security analyst conduct a periodic documented review of the Emergency 
Signal History Report and emergency contact list for its respective 
location to ensure that (1) appropriate corrective actions have been 
planned for all incidents reported by the central monitoring station, 
and (2) the emergency contact list for each location is current and 
includes only appropriate contacts. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. IRS revised IRM 10.2.14.9.2(8), Methods of 
Providing Protection, on September 23, 2009, requiring a quarterly 
validation of the central monitoring station's Emergency Signal 
History Report at each IRS facility under the PSEP Territory Office 
jurisdiction where alarms are present. The prospective PSEP 
representative ensures that appropriate corrective actions are planned 
for all deficiencies or incidents requiring actions reported by the 
central monitoring station per IRM 10.2.14.9.1(11). The IRM requires a 
monthly validation of the "Emergency/Alarm Contact List" for each IRS 
facility under PSEP Territory Office jurisdiction where alarms are 
present, ensuring contact information is current, accurate, and 
includes appropriate contacts; 
Status per GAO: Open. IRS revised the IRM as noted and established 
policies requiring periodic documented review of the Emergency Signal 
History Report and emergency contact list. However, while IRS has 
provided broad policy statements, it did not provide detailed 
procedures on how the policies should be implemented. During our 
fiscal year 2009 financial audit, we identified instances at all nine 
field offices we visited where there was no routine documented review 
of the Emergency Signal History Report or emergency contact list 
provided to the central monitoring station and an instance at one TAC 
in which an appropriately qualified individual was not listed as the 
designated first responder on the duress alarm contact list. We will 
continue to evaluate this issue during our fiscal year 2010 audit. 

ID no.: 09-10; 
Recommendation: Develop, document, and implement procedures to 
regularly monitor the timeliness of purchase card approvals. This 
should include establishing procedures and responsibility for 
identifying and following up on instances of noncompliance with 
required approval time frames. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. AWSS modified the Purchase Card Handbook (IRM 
1.32.6) to meet this requirement, which is expected to be published at 
the end of January 2010. AWSS Credit Card Services Branch continues to 
monitor compliance with purchase card requirements through monthly 
reviews; 
Status per GAO: Closed. We confirmed that IRS developed, documented, 
and implemented procedures to regularly monitor the timeliness of 
purchase card approvals. Also, we verified that IRS's AWSS Credit Card 
Services Branch conducts monthly reviews of both Web-based and manual 
purchase card transactions to identify and follow up on instances of 
noncompliance with required approval time frames. 

ID no.: 09-11; 
Recommendation: Revise the IRM section related to the limited use of 
expired appropriations to provide additional guidance to help 
employees distinguish between procurement actions that constitute new 
obligations and those that merely adjust or liquidate prior 
obligations that the IRS incurred during an expired appropriation's 
original period of availability. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Open. The CFO published IRM 1.35.15, Annual Close 
Guidelines, establishing year end procedures for expired and closing 
appropriations. Corporate Budget will revise IRM 1.33.4, Financial 
Operating Guidelines, clarifying existing procedures regarding the use 
of expired appropriations, and the Agency-Wide Shared Services will 
update IRM 1.32.6, Purchase Card Handbook, by March 2010, providing 
guidance and procedures to preclude the use of expired appropriations 
when using a purchase card; 
Status per GAO: Open. We reviewed IRM 1.35.15, which was issued 
September 8, 2009, and noted that it provides policies and procedures 
for expired appropriations, including situations when it is 
appropriate to use expired appropriations, procedures for closing 
transactions with canceled appropriations, and policies for paying 
invoices after a fiscal year appropriation is canceled. We also 
reviewed the revised version of IRM 1.33.4, which was updated on April 
16, 2010. It clarified procedures regarding the use of expired 
appropriations and used examples to further illustrate the policies 
and procedures. However, as IRS acknowledged in its response, one 
additional IRM section must be revised and updated to satisfy the 
intent of the recommendation. IRS expects this action to be completed 
in fiscal year 2010. We will continue to evaluate IRS's actions during 
our fiscal year 2010 audit. 

ID no.: 09-12; 
Recommendation: Reiterate IRS's existing policy requiring that 
transactions be recorded accurately to the undelivered orders 
obligation accounts. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. The CFO issued the Annual Close and Fiscal 
Year 2009 Year end Memorandum on June 4, 2009. The memorandum states, 
"The need for timely review of open commitments and obligation 
continues to be essential Guidelines for the Review of Aging 
Unliquidated Commitments (AUC) and the Aging Unliquidated Obligations 
(AUO) Reports." The document provides supporting guidance for 
reviewing and ensuring the validity of AUO, liquidating unneeded 
balances for commitments and obligations, and defining 
responsibilities. In addition, the CFO published IRM 1.35.15, Annual 
Close Guidelines on September 8, 2009. During the AUC/AUO review 
process, the CFO also reiterates the importance of maintaining 
accurate obligation and commitment balances to Procurement and the 
business units; 
Status per GAO: Closed. We obtained the June 4, 2009 memo, noting that 
IRS emphasized the importance of reviewing AUCs and AUOs. Furthermore, 
IRM 1.35.15.11.2 was issued September 8, 2009, and reemphasizes the 
importance of monitoring and modifying obligations so that they are 
accurate. However, we noted during the fiscal year 2009 financial 
statement audit that the AUO reviews did not always identify and 
deobligate obligations that were no longer valid. We found that some 
unneeded obligations were not reviewed and deobligated in a timely 
manner because they did not meet the age criteria to be reviewed under 
the AUO program. In these cases, the age criteria for review would 
allow obligations with up to 300 days of inactivity to be exempt from 
review. This situation could lead to the inaccurate reporting of 
obligations at the fiscal year end. Thus, while we are closing this 
recommendation given that IRS's actions were responsive to it, we have 
reported the related issues noted above, along with related 
recommendations for corrective action, in our June 2010 management 
report (GAO-10-565R) and recommendations 10-35 and 10-36 in this 
report. 

ID no.: 09-13; 
Recommendation: Perform existing reviews of transactions recorded in 
undelivered orders obligation accounts in a more timely manner in an 
effort to detect and correct errors, such as duplicate receipt and 
acceptance charges, earlier in the process. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. The CFO initiated weekly reviews of receipt 
and acceptance transactions to more timely identify and correct errors; 
Status per GAO: Open. We obtained information about the Aging 
Unliquidated Accruals (AUA) process which is designed to review IRS 
receipt and acceptance transactions in order to more timely identify 
and correct errors. We confirmed that IRS was conducting the AUA 
reviews; 
however, during our fiscal year 2009 audit work we continued to find 
errors in Receipt and Acceptance transactions that had been identified 
through the AUA process but had not been corrected in a timely manner. 
These transactions had been identified by the AUA process from 2 
months to over 3 years before they were corrected. We will review 
IRS's corrective actions during our fiscal year 2010 audit. 

ID no.: 09-14; 
Recommendation: Establish a formal, documented process for identifying 
over time the full range of IRS's programs and underlying activities, 
outputs, and services for which IRS believes full cost information 
would be useful to executives and program managers. Such a process 
should (1) be formally established and documented through policies, 
procedures, guidance, meeting minutes, and other appropriate means; 
(2) define the roles and responsibilities of the CFO and other 
business units in the process; 
and (3) be focused on the goal of determining what cost information 
would be useful and the most appropriate means of developing and 
reporting it for both existing programs and new programs as they are 
initiated. (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. IRS established a Cost Users Group and 
developed a regular meeting schedule. The purpose of the group is to 
identify programs, underlying activities, and outputs and services for 
which cost information would be beneficial. The group formalized the 
cost accounting process for each business unit, defines the roles and 
responsibilities of the CFO and business units, and determines what 
cost information would be useful and the means of developing and 
reporting this information for existing programs and new programs as 
they are initiated. They share cost accounting information, leverage 
best practices between the business units, and achieve standardization 
and consistency. Work is formalized and documented through agenda 
items and minutes. The ACFO for Internal Financial Management also 
documented and formalized the cost accounting policy and process, 
including the roles and responsibilities of the CFO, business units, 
and Cost Users Group in the new IRM 1.32.3, Managerial Cost Accounting 
which was published on July 13, 2009; 
Status per GAO: Open. As IRS notes, the IRM section that formalized 
IRS's Managerial Cost Accounting Policy established the Cost Users 
Group to share cost accounting information and to identify programs 
for which cost information would be beneficial, and the IRM section 
defined the roles and responsibilities of the CFO and IRS's business 
units in the process. However, IRS has not formally designated in 
writing the membership of the Cost Users Group. The group's meetings, 
as reported in its minutes, have not included discussions of which IRS 
programs and activities would benefit from full cost information. The 
minutes do not indicate that the group has developed a formal process 
whereby the group's determinations are communicated to upper 
management and adopted formally by IRS. We will continue to review 
IRS's progress in addressing this recommendation during our fiscal 
year 2010 audit. 

ID no.: 09-15; 
Recommendation: For each of the IRS programs, activities, outputs, and 
services identified for which full cost information would be useful to 
IRS executives and program managers, complete the development of full 
cost methodologies to routinely accumulate and report on their full 
costs, including down to the activity level where appropriate. Such 
full cost data should be readily accessible to IRS program managers 
whenever they are needed, and they should include both personnel costs 
based on time spent on specific activities as well as all associated 
non-personnel costs and be drawn from or reconcilable to IRS's 
financial accounting system. (long-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. IRS continues to develop cost-benefit analysis 
as requested by the business units to enhance program evaluation and 
decision making; 
Status per GAO: Open. As IRS noted, it continues to develop full cost-
benefit data for its programs and activities. However, the ad hoc 
process of reacting to the request from business units has not 
resulted in full cost and benefit data on a comprehensive set of 
programs and activities for which IRS regularly updates and makes 
readily accessible to program managers. We will continue to review 
IRS's progress in addressing this recommendation during our fiscal 
year 2010 audit. 

ID no.: 09-16; 
Recommendation: Develop outcome-oriented performance measures and 
related performance goals for IRS's enforcement programs and 
activities that include measures of the full cost of, and the revenue 
collected from, those programs and activities (return on investment) 
to assist IRS's managers in optimizing resource allocation decisions 
and evaluating the effectiveness of their activities. (long-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
24, 2009); 
Status per IRS: Closed. The IRS improved the analytical tools it uses 
to inform its resource decisions for major enforcement programs. The 
IRS already uses cost-benefit analysis, return on investment, 
evaluation of possible future scenarios, and enterprise risk 
management techniques for a wide range of resource-allocations 
decisions, such as service and enforcement initiatives included in the 
President's Budget. It is important to understand that return on 
investment is but one tool that can be utilized to improve resource-
allocation decision making. Currently, the IRS uses a broader set of 
tools, such as cost/benefit analysis that incorporates a wide range of 
tangible and intangible costs and benefits (such as equitable coverage 
rates for different groups of taxpayers, enhancing respect for the 
law, and ensuring that disadvantaged populations of taxpayers receive 
adequate levels of service). It is not prudent to rely exclusively on 
return on investment as the sole determinant of resource allocation; 
Status per GAO: Open. Although IRS began using projected cost-benefit 
analyses and projections as part of its support for future enforcement 
initiatives in its annual budget submissions, it has not developed 
outcome-oriented performance measures and related goals to measure the 
effectiveness of its existing programs. We recognize that IRS must 
take into consideration coverage and equitable taxpayer treatment when 
making decisions, and we have not advocated that IRS use cost/benefit 
analysis as the sole measure of effectiveness. However, measuring the 
cost-benefit--return on investment--of IRS's enforcement programs and 
activities is an important element in measuring their effectiveness. 
During fiscal year 2009, IRS developed data for some of its 
enforcement programs that could be, but has not been, used to develop 
performance metrics and related goals. We will continue to review and 
monitor IRS's progress in addressing this recommendation during our 
fiscal year 2010 audit. 

ID no.: 10-01; 
Recommendation: Review the results of IRS's unpaid assessments 
compensating statistical estimation process to identify and document 
instances where systemic limitations in CDDB resulted in 
misclassifications of account balances which, in turn, resulted in 
material inaccuracies in the amounts of reported unpaid assessments. 
(short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-02; 
Recommendation: Research and implement programming changes to allow 
CDDB to more accurately classify such accounts among the three 
categories of unpaid tax assessments. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-03; 
Recommendation: Research and identify control weaknesses resulting in 
inaccuracies or errors in taxpayer accounts that affect the financial 
reporting of unpaid tax assessments. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-04; 
Recommendation: Once IRS identifies the control weaknesses that result 
in inaccuracies or errors that affect the financial reporting of 
unpaid tax assessments, implement control procedures to routinely 
prevent, or to detect and correct, such errors. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-05; 
Recommendation: Revise the IRM to provide specific requirements for 
supervisors to review the accuracy of credit transactions related to 
TFRP payments processed through the ATFR system. This guidance should 
provide specific areas to review and list the ATFR system reports that 
can facilitate supervisory reviews. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-06; 
Recommendation: Formalize and implement the quarterly reviews of TFRP 
payment transactions to monitor compliance with IRM requirements. 
(short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-07; 
Recommendation: Develop procedures to analyze the results of the 
quarterly reviews so that specific factors causing the errors are 
identified. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-08; 
Recommendation: Develop procedures to address the factors causing 
errors in the processing of TFRP payment transactions identified 
through the analyses of the quarterly review results. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-09; 
Recommendation: Revise the existing methodology for extracting the pre-
posted revenue component of the comparison to ensure that nontax 
revenues and tax revenue transactions already posted to the master 
files are properly excluded. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-10; 
Recommendation: Update the desk procedures governing the comparison of 
general ledger tax revenue receipts to the master file to ensure that 
the procedures reflect the current process and controls. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-11; 
Recommendation: Revise the cost allocation desk guide to better 
document the cost allocation process. This should include ensuring 
that all key processing steps are included and identifying the key 
sources of input data and the controls necessary to help ensure their 
reliability. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-12; 
Recommendation: Revise the IRM and cost allocation desk guide to 
require appropriate segregation of duties within the cost allocation 
process. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, July 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-13; 
Recommendation: Revise the IRM and cost allocation desk guide to 
require timely, documented supervisory reviews at key process points 
to help prevent and detect cost allocation processing errors. (short-
term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-14; 
Recommendation: Establish controls over the cycle run spreadsheet to 
help minimize the risk of error or omission. At a minimum, this should 
include assigning a unique, sortable identifier to each row in the 
spreadsheet and implementing controls to promptly and accurately 
record the status of processing steps in a manner that ensures each 
cycle run is performed and is performed in the proper sequence. (short-
term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-15; 
Recommendation: Revise the IRM to require CIO to promptly provide 
service center campuses an acknowledgment of receipt for each Form 
3210 transmittal related to a duplicate refund transcript sent to them 
by a service center campus for review. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-16; 
Recommendation: Revise the IRM to require service center campuses to 
verify that an acknowledgment of receipt has been received from CIO 
for 100 percent of the Form 3210 transmittals related to duplicate 
refund transcripts they have forwarded to CIO for review. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-17; 
Recommendation: Revise the IRM to require service center campuses to 
resolve any instances in which an acknowledgment of receipt for a Form 
3210 transmittal related to duplicate refund transcripts is not 
received. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-18; 
Recommendation: Require service center campuses to acknowledge 
unprocessable items with receipts received from lockbox banks. (short-
term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-19; 
Recommendation: Establish procedures to track service center campus 
acknowledgments of unprocessable items with receipts. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-20; 
Recommendation: Establish procedures to monitor the process used by 
service center campuses and lockbox banks to acknowledge and track 
transmittals of unprocessable items with receipts. These procedures 
should include monitoring discrepancies and instituting appropriate 
corrective actions as needed. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-21; 
Recommendation: Review the audit management checklist for clarity and 
revise the assessment questions as appropriate. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June, 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-22; 
Recommendation: Issue written guidance to accompany the audit 
management checklist that explains the relevance of the questions and 
the methods that should be used to assess and test the related 
controls. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-23; 
Recommendation: Provide training to physical security analysts 
responsible for completing the audit management checklist to help 
ensure that checklist questions are answered appropriately and 
accurately. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-24; 
Recommendation: Establish and document the minimum frequency for how 
often the audit management checklist should be completed at each 
service center campus and field office. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-25; 
Recommendation: Establish policies requiring documented managerial 
reviews of completed audit management checklists. These reviews should 
document (1) the time and date of the review, (2) the name of the 
manager performing the review, (3) the supporting documentation 
reviewed, (4) any problems identified with the responses on the 
checklists, and (5) corrective actions to be taken. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-26; 
Recommendation: Review the TAC Security and Remittance Review Database 
(TSRRD) for clarity and revise review questions as appropriate. (short-
term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-27; 
Recommendation: Provide training to TAC group managers to assist with 
their understanding of the TSRRD review questions and related 
objectives. This training should be provided on an ongoing basis to 
account for changes in TSRRD questions and for newly hired or 
appointed TAC group managers. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-28; 
Recommendation: Establish policies that require territory managers or 
a manager at least one level above the group manager to periodically 
review the information entered into the TSRRD for accuracy and 
completeness prior to the results being forwarded to Field Assistance 
Office headquarters management. This review should be signed and 
documented, and include (1) the time and date of the review, (2) the 
name of the manager performing the review, (3) the task performed 
during the review, (4) any problems or questions identified, and (5) 
planned corrective actions. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-29; 
Recommendation: Analyze the various contractor access arrangements and 
establish a policy that requires security awareness training for all 
IRS contractors who are provided unescorted physical access to its 
facilities or taxpayer receipts and information. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-30; 
Recommendation: Designate management responsibility and establish a 
process for monitoring compliance with and enforcing the IRM 
requirement for all SCC Unit Security Representatives (USR) to 
complete (1) the required initial USR training prior to assuming their 
responsibilities, and (2) annual refresher training each year 
thereafter. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-31; 
Recommendation: Update USR training manuals to ensure they reflect 
current security policies and procedures. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-32; 
Recommendation: Establish a process to periodically review and update 
USR training materials as appropriate. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-33; 
Recommendation: Establish procedures requiring HCO LEADS or their 
designees to periodically monitor each business unit's progress in 
complying with mandatory briefing requirements. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-34; 
Recommendation: Establish procedures requiring COs/COTRs to obtain and 
retain written documentation from end users confirming receipt and 
acceptability of purchased goods or services prior to entering 
acknowledgment of receipt and acceptance in WebRTS. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-35; 
Recommendation: Reiterate IRS's policy for staff to indicate in WebRTS 
during final receipt and acceptance that the payment is a final 
payment to close out a contract or purchase order to help ensure any 
remaining obligated funds are deobligated in a timely manner. (short-
term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-36; 
Recommendation: Reevaluate and, as necessary, revise the aging 
criteria for the Aging Unliquidated Obligation reviews so that 
unliquidated obligations are reviewed sooner in order to detect and 
deobligate excess obligations in a timely manner. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-37; 
Recommendation: Provide technicians and supervisors who are 
responsible for recording and reviewing obligation transactions with 
training on the proper use of manually linked obligation transactions 
to reinforce IRS's existing policy requiring that transactions be 
recorded accurately to the upward and downward adjustments to prior-
year obligation accounts. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-38; 
Recommendation: Develop controls to improve the linked obligation 
transaction review process to detect and correct erroneous links 
between unrelated upward and downward adjustments to prior-year 
obligation transactions in a timely manner. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-39; 
Recommendation: Establish a formal funds control process to set aside 
amounts for tax law enforcement and related support activities, as 
required by annual appropriations acts. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-40; 
Recommendation: Establish a policy to periodically monitor throughout 
the year the amount of different appropriations accounts attributed to 
the set-aside to asses IRS's progress toward complying with the 
requirement. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 10-41; 
Recommendation: Based on the results of its periodic assessments, take 
action to allocate the required amount of appropriations to tax law 
enforcement and related support activities to comply with the set-
aside requirement. (short-term); 
Source report: Management Report: Improvements Are Needed in IRS's 
Internal Controls and Compliance with Laws and Regulations (GAO-10-
565R, June 28, 2010); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

Source: GAO and IRS. 

[End of table] 

[End of section] 

Appendix II: Open Recommendations Arranged by Material Weakness, 
Compliance, or Other Control Issue: 

For several years, we have reported material weaknesses, significant 
deficiencies, noncompliance with laws and regulations, and other 
control issues in our annual financial statement audits and related 
management reports.[Footnote 48] Appendix II provides summary 
information regarding the primary issue to which each open 
recommendation is most closely related. To compile this summary, we 
analyzed the nature of the open recommendations to relate them to the 
material weaknesses, compliance issue, and other control issues not 
associated with a material weakness identified as part of our 
financial statement audit. 

Unpaid Tax Assessments: 

The Internal Revenue Service (IRS) has serious internal control issues 
that affected its management of unpaid tax assessments. Specifically, 
IRS (1) reported balances for taxes receivable and other unpaid 
assessments that were not supported by its core general ledger system 
for tax administration, (2) lacked a subsidiary ledger for unpaid tax 
assessments that would allow it to produce accurate, useful, and 
timely information with which to manage and report externally, and (3) 
experienced errors and delays in recording taxpayer information, 
payments, and other activities. 

Table 13: Material Weakness: Controls over Unpaid Assessments: 

ID no.: 94-02; 
Recommendation: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts, and 
test the effectiveness of these actions. (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 99-01; 
Recommendation: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure that all 
accounts related to a single assessment are appropriately credited for 
payments received. (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 08-01; 
Recommendation: As IRS proceeds with its implementation of the 
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it 
becomes fully operational and is used in conjunction with the Interim 
Revenue and Accounting Control System (IRACS), will provide IRS with 
the direct transaction traceability for all of its tax-related 
transactions as required by the U.S. Standard General Ledger (SGL), 
Federal Financial Management System Requirements (FFMSR), and the 
Federal Financial Management Improvement Act of 1996 (FFMIA). (long- 
term); 
Control activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-02; 
Recommendation: Document and implement the specific procedures to be 
performed by the IRS statistician in each step of the unpaid 
assessment estimation process. (short-term); 
Control activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-03; 
Recommendation: Document and implement specific detailed procedures 
for reviewers to follow in their review of unpaid assessments 
statistical estimates. Specifically, IRS should require that a 
detailed supervisory review be performed to ensure (1) the statistical 
validity of the sampling plans, (2) data entered into the sample 
selection programs agree with the sampling plans, (3) data entered 
into the statistical projection programs agree with IRS's sample 
review results, (4) data on the spreadsheets used to compile the 
interim projections and roll-forward results trace back to supporting 
statistical projection results, and (5) the calculations on these 
spreadsheets are mathematically correct. (short-term); 
Control activity: Management of human capital. 

ID no.: 08-06; 
Recommendation: In instances where computer programs that control 
penalty assessments are not functioning in accordance with the intent 
of the IRM, take appropriate action to correct the programs so that 
they function in accordance with the IRM. (long-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 10-01; 
Recommendation: Review the results of IRS's unpaid assessments 
compensating statistical estimation process to identify and document 
instances where systemic limitations in CDDB resulted in 
misclassifications of account balances which, in turn, resulted in 
material inaccuracies in the amounts of reported unpaid assessments. 
(short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 10-02; 
Recommendation: Research and implement programming changes to allow 
CDDB to more accurately classify such accounts among the three 
categories of unpaid tax assessments. (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 10-03; 
Recommendation: Research and identify control weaknesses resulting in 
inaccuracies or errors in taxpayer accounts that materially affect the 
financial reporting of unpaid tax assessments. (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 10-04; 
Recommendation: Once IRS identifies the control weaknesses that result 
in inaccuracies or errors that materially affect the financial 
reporting of unpaid tax assessments, implement control procedures to 
routinely prevent, or to detect and correct, such errors. (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 10-05; 
Recommendation: Revise the IRM to provide specific requirements for 
supervisors to review the accuracy of credit transactions related to 
TFRP payments processed through the ATFR system. This guidance should 
provide specific areas to review and list the ATFR system reports that 
can facilitate supervisory reviews. (short-term); 
Control activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 10-06; 
Recommendation: Formalize and implement the quarterly reviews of TFRP 
payment transactions to monitor compliance with IRM requirements. 
(short-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 10-07; 
Recommendation: Develop procedures to analyze the results of the 
quarterly reviews so that specific factors causing the errors are 
identified. (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 10-08; 
Recommendation: Develop procedures to address the factors causing 
errors in the processing of TFRP payment transactions identified 
through the analyses of the quarterly review results. (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Information Security: 

Serious weaknesses in IRS's internal control over information security 
continue to jeopardize the confidentiality, availability, and 
integrity of information processed by IRS's key systems, increasing 
the risk of material misstatement for financial reporting. For 
example, IRS has not restricted users' ability to bypass application 
controls, removed separated employees' systems access in a timely 
manner, or restricted system access to only those who needed it. These 
unresolved weaknesses increase the risk that data processed by the 
agency's financial management systems are not reliable. Although IRS 
has made some progress in addressing previous weaknesses we identified 
in its information systems and physical security controls, as of March 
2010, there were 88 open recommendations designed to help IRS improve 
its information systems security controls. Those recommendations are 
reported separately and are not included in this report primarily 
because of the sensitive nature of some of the issues.[Footnote 49] 

Release of Federal Tax Liens: 

IRS continues to be noncompliant with the laws and regulations 
governing the release of federal tax liens.[Footnote 50] IRS did not 
always release applicable federal tax liens within 30 days of tax 
liabilities being either paid off or abated, as required by the 
Internal Revenue Code (section 6325). The Internal Revenue Code grants 
IRS the power to file a lien against the property of any taxpayer who 
neglects or refuses to pay all assessed federal taxes. The lien serves 
to protect the interest of the federal government and as a public 
notice to current and potential creditors of the government's interest 
in the taxpayer's property. 

Table 14: Compliance with Laws and Regulations: Timely Release of 
Liens: 

ID no.: 01-06; 
Recommendation: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Other Control Issues: 

The 70 recommendations listed below pertain to issues that do not rise 
individually or in the aggregate to the level of a material weakness 
or noncompliance with laws and regulations. However, these issues do 
represent weaknesses in various aspects of IRS's control environment 
that should be addressed. 

Table 15: Other Control Issues Not Associated with a Material Weakness 
or Significant Deficiency: 

ID no.: 99-36; 
Recommendation: Make enhancements to IRS financial systems to include 
recording plant and equipment (P&E) and capital leases as assets when 
purchased and to generate detailed records for P&E that reconcile to 
the financial records. (long-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 01-17; 
Recommendation: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur. (long-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 01-39; 
Recommendation: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities. (long-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 02-16; 
Recommendation: Ensure that field office management complies with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments. 
(short-term); 
Control Activity: Segregation of duties. 

ID no.: 05-32; 
Recommendation: Establish policies and procedures to require 
appropriate segregation of duties in small business/self-employed 
units of field offices with respect to preparation of Payment Posting 
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term); 
Control Activity: Segregation of duties. 

ID no.: 05-33; 
Recommendation: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 05-38; 
Recommendation: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts for manual refunds. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 05-39; 
Recommendation: Enforce requirements for documenting monitoring 
actions and supervisory review for manual refunds. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-01; 
Recommendation: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-02; 
Recommendation: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including SCCs, TACs, and units within Large and 
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities 
(TE/GE), establish a system to track acknowledged copies of document 
transmittals. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-04; 
Recommendation: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-05; 
Recommendation: Equip all Taxpayer Assistance Centers with adequate 
physical security controls to deter and prevent unauthorized access to 
restricted areas or office space occupied by other IRS units, 
including those TACs that are not scheduled to be reconfigured to the 
"new TAC" model in the near future. This includes appropriately 
separating customer service waiting areas from restricted areas in the 
near future by physical barriers, such as locked doors marked with 
signs barring entrance by unescorted customers. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 06-07; 
Recommendation: Document supervisory visits by offsite managers to 
TACs not having a manager permanently on-site. This documentation 
should be signed by the manager and should (1) record the time and 
date of the visit, (2) identify the manager performing the visit, (3) 
indicate the tasks performed during the visit, (4) note any problems 
identified, and (5) describe corrective actions planned. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 07-04; 
Recommendation: Develop and implement appropriate corrective actions 
for any gaps in closed circuit television (CCTV) camera coverage that 
do not provide an unobstructed view of the entire exterior of the 
SCC's perimeter, such as adding or repositioning existing CCTV cameras 
or removing obstructions. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 07-08; 
Recommendation: Require that managers or supervisors provide the 
manual refund initiators in their units with training on the most 
current requirements to help ensure that they fulfill their 
responsibilities to monitor manual refunds and document their 
monitoring actions to prevent the issuance of duplicate refunds. 
(short-term); 
Control Activity: Management of human capital. 

ID no.: 07-20; 
Recommendation: Establish and maintain sufficient secured storage 
space to properly secure and safeguard property and equipment 
inventory, including in-stock inventories, assets from incoming 
shipments, and assets that are in the process of being excessed and/or 
shipped out. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 07-24; 
Recommendation: To the extent that IRS intends to use the information 
security work conducted under the Federal Information Security 
Management Act of 2002 (FISMA) to meet related A-123 requirements, 
identify the areas where the work conducted under FISMA does not meet 
the requirements of OMB Circular No. A-123 and, considering the 
findings and recommendations of our work on IRS's information 
security, expand FISMA procedures or perform additional procedures as 
part of the A-123 reviews to augment FISMA work. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-25; 
Recommendation: Revise A-123 test plans to include appropriate 
consideration of the design of internal controls in addition to 
implementation of controls over individual transactions. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 08-07; 
Recommendation: Develop and provide comprehensive guidance to assist 
TAC managers in conducting reviews of outlying TACs and documenting 
the results. This guidance should include a description of the key 
controls that should be in place at outlying TACs, specify how often 
these key controls should be reviewed, and specify how the results of 
each review should be documented, including follow-up on issues 
identified in previous TAC reviews. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-12; 
Recommendation: Establish procedures to require documentation 
demonstrating that favorable background checks have been completed for 
all contractors prior to allowing them access to TAC and other field 
offices. (short-term); 
Control Activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 08-13; 
Recommendation: Require including in all shredding service contracts, 
provisions requiring (1) completed background investigations for 
contractor employees before they are granted access to sensitive IRS 
information, and (2) periodic, unannounced inspections at off-site 
shredding facilities by IRS to verify ongoing compliance with IRS 
safeguards and security requirements. (short-term); 
Control Activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 08-14; 
Recommendation: Revise the IRM to include a requirement that IRS 
conduct periodic, unannounced inspections at off-site contractor 
facilities entrusted with sensitive IRS information; 
document the results, including identification of any security issues; 
and verify that the contractor has taken appropriate corrective 
actions on any security issues observed. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 08-15; 
Recommendation: Establish procedures to require obtaining and 
reviewing documentation of completed background investigations for all 
shredding contractors before granting them access to taxpayer or other 
sensitive IRS information. (short-term); 
Control Activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 08-17; 
Recommendation: Reinforce existing policies requiring verification of 
the information on Form 13094 (Recommendation for Juvenile Employment) 
by contacting the reference directly and documenting the details of 
this contact. (short-term); 
Control Activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 08-24; 
Recommendation: Issue a memorandum to employees that reiterates IRS 
policy requiring all employees to obtain appropriate approvals of 
travel authorizations prior to the initiation of their travel. (short-
term); 
Control Activity: Proper execution of transactions and events. 

ID no.: 09-03; 
Recommendation: Document in the IRM minimum requirements for 
establishing criteria for time discrepancies or other inconsistencies, 
which if noted as part of the required monitoring of Form 10160, 
Receipt for Transport of IRS Deposit, would require off-site 
surveillance of couriers. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 09-04; 
Recommendation: Document in the IRM minimum requirements for 
conducting off-site surveillance of couriers entrusted with taxpayer 
receipts and information. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 09-05; 
Recommendation: Establish procedures to track and routinely report the 
total dollar amounts and volumes of receipts collected by individual 
TAC location, group, territory, area, and nationwide. (long-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 09-06; 
Recommendation: Establish procedures to ensure that an inventory of 
all duress alarms is documented for each location and is readily 
available to individuals conducting duress alarm tests before each 
test is conducted. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 09-07; 
Recommendation: Establish procedures to periodically update the 
inventory of duress alarms at each TAC location to ensure that the 
inventory is current and complete as of the testing date. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 09-08; 
Recommendation: Provide instructions for conducting quarterly duress 
alarm tests to ensure that IRS officials conducting the test (1) 
document the test results for each duress alarm listed in the 
inventory, including date, findings, and planned corrective action and 
(2) track the findings until they are properly resolved. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 09-09; 
Recommendation: Establish procedures requiring that each physical 
security analyst conduct a periodic documented review of the Emergency 
Signal History Report and emergency contact list for its respective 
location to ensure that (1) appropriate corrective actions have been 
planned for all incidents reported by the central monitoring station, 
and (2) the emergency contact list for each location is current and 
includes only appropriate contacts. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 09-11; 
Recommendation: Revise the IRM section related to the limited use of 
expired appropriations to provide additional guidance to help 
employees distinguish between procurement actions that constitute new 
obligations and those that merely adjust or liquidate prior 
obligations that the IRS incurred during an expired appropriation's 
original period of availability. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 09-13; 
Recommendation: Perform existing reviews of transactions recorded in 
undelivered orders obligation accounts in a more timely manner in an 
effort to detect and correct errors, such as duplicate receipt and 
acceptance charges, earlier in the process. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 09-14; 
Recommendation: Establish a formal, documented process for identifying 
over time the full range of IRS's programs and underlying activities, 
outputs, and services for which IRS believes full cost information 
would be useful to executives and program managers. Such a process 
should (1) be formally established and documented through policies, 
procedures, guidance, meeting minutes, and other appropriate means; 
(2) define the roles and responsibilities of the CFO and other 
business units in the process; and (3) be focused on the goal of 
determining what cost information would be useful and the most 
appropriate means of developing and reporting it for both existing 
programs and new programs as they are initiated. (short-term); 
Control Activity: Establishment and review of performance measures and 
indicators. 

ID no.: 09-15; 
Recommendation: For each of the IRS programs, activities, outputs, and 
services identified for which full cost information would be useful to 
IRS executives and program managers, complete the development of full 
cost methodologies to routinely accumulate and report on their full 
costs, including down to the activity level where appropriate. Such 
full cost data should be readily accessible to IRS program managers 
whenever they are needed, and they should include both personnel costs 
based on time spent on specific activities as well as all associated 
nonpersonnel costs and be drawn from or reconcilable to IRS's 
financial accounting system. (long-term); 
Control Activity: Establishment and review of performance measures and 
indicators. 

ID no.: 09-16; 
Recommendation: Develop outcome-oriented performance measures and 
related performance goals for IRS's enforcement programs and 
activities that include measures of the full cost of, and the revenue 
collected from, those programs and activities (return on investment) 
to assist IRS's managers in optimizing resource allocation decisions 
and evaluating the effectiveness of their activities. (long-term); 
Control Activity: Establishment and review of performance measures and 
indicators. 

ID no.: 10-09; 
Recommendation: Revise the existing methodology for extracting the 
preposted revenue component of the comparison to ensure that nontax 
revenues and tax revenue transactions already posted to the master 
files are properly excluded. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 10-10; 
Recommendation: Update the desk procedures governing comparison of the 
general ledger tax revenue receipts to the master files to ensure that 
the procedures reflect the current process and controls. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 10-11; 
Recommendation: Revise the cost allocation desk guide to better 
document the cost allocation process. This should include ensuring 
that all key processing steps are included and identifying the key 
sources of input data and the controls necessary to help ensure their 
reliability. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 10-12; 
Recommendation: Revise the IRM and cost allocation desk guide to 
require appropriate segregation of duties within the cost allocation 
process. (short-term); 
Control Activity: Segregation of duties. 

ID no.: 10-13; 
Recommendation: Revise the IRM and cost allocation desk guide to 
require timely, documented supervisory reviews at key process points 
to help prevent and detect cost allocation processing errors. (short-
term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 10-14; 
Recommendation: Establish controls over the cycle run spreadsheet to 
help minimize the risk of error or omission. At a minimum, this should 
include assigning a unique, sortable identifier to each row in the 
spreadsheet and implementing controls to promptly and accurately 
record the status of processing steps in a manner that ensures each 
cycle run is performed and is performed in the proper sequence. (short-
term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 10-15; 
Recommendation: Revise the IRM to require CIO to promptly provide 
service center campuses an acknowledgment of receipt for each Form 
3210 transmittal related to a duplicate refund transcript sent to them 
by a service center campus for review. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 10-16; 
Recommendation: Revise the IRM to require service center campuses to 
verify that an acknowledgment of receipt has been received from CIO 
for 100 percent of the Form 3210 transmittals related to duplicate 
refund transcripts they have forwarded to CIO for review. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 10-17; 
Recommendation: Revise the IRM to require service center campuses to 
resolve any instances in which an acknowledgment of receipt for a Form 
3210 transmittal related to duplicate refund transcripts is not 
received. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 10-18; 
Recommendation: Require service center campuses to acknowledge 
unprocessable items with receipts received from lockbox banks. (short-
term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 10-19; 
Recommendation: Establish procedures to track service center campus 
acknowledgments of unprocessable items with receipts. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 10-20; 
Recommendation: Establish procedures to monitor the process used by 
service center campuses and lockbox banks to acknowledge and track 
transmittals of unprocessable items with receipts. These procedures 
should include monitoring discrepancies and instituting appropriate 
corrective actions as needed. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 10-21; 
Recommendation: Review the audit management checklist for clarity and 
revise the assessment questions as appropriate. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 10-22; 
Recommendation: Issue written guidance to accompany the audit 
management checklist that explains the relevance of the questions and 
the methods that should be used to assess and test the related 
controls. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 10-23; 
Recommendation: Provide training to physical security analysts 
responsible for completing the audit management checklist to help 
ensure that checklist questions are answered appropriately and 
accurately. (short-term); 
Control Activity: Management of human capital. 

ID no.: 10-24; 
Recommendation: Establish and document the minimum frequency for how 
often the audit management checklist should be completed at each 
service center campus and field office. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 10-25; 
Recommendation: Establish policies requiring documented managerial 
reviews of completed audit management checklists. These reviews should 
document (1) the time and date of the review, (2) the name of the 
manager performing the review, (3) the supporting documentation 
reviewed, (4) any problems identified with the responses on the 
checklists, and (5) corrective actions to be taken. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 10-26; 
Recommendation: Review the TAC Security and Remittance Review Database 
(TSRRD) for clarity and revise review questions as appropriate. (short-
term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 10-27; 
Recommendation: Provide training to TAC group managers to assist with 
their understanding of the TSRRD review questions and related 
objectives. This training should be provided on an ongoing basis to 
account for changes in TSRRD questions and for newly hired or 
appointed TAC group managers. (short-term); 
Control Activity: Management of human capital. 

ID no.: 10-28; 
Recommendation: Establish policies that require territory managers or 
a manager at least one level above the group manager to periodically 
review the information entered into the TSRRD for accuracy and 
completeness prior to the results being forwarded to Field Assistance 
Office headquarters management. This review should be signed and 
documented, and include (1) the time and date of the review, (2) the 
name of the manager performing the review, (3) the task performed 
during the review, (4) any problems or questions identified, and (5) 
planned corrective actions. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 10-29; 
Recommendation: Analyze the various contractor access arrangements and 
establish a policy that requires security awareness training for all 
IRS contractors who are provided unescorted physical access to its 
facilities or taxpayer receipts and information. (short-term); 
Control Activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 10-30; 
Recommendation: Designate management responsibility and establish a 
process for monitoring compliance with and enforcing the IRM 
requirement for all SCC Unit Security Representatives (USR) to 
complete (1) the required initial USR training prior to assuming their 
responsibilities, and (2) annual refresher training each year 
thereafter. (short-term); 
Control Activity: Management of human capital. 

ID no.: 10-31; 
Recommendation: Update USR training manuals to ensure they reflect 
current security policies and procedures. (short-term); 
Control Activity: Management of human capital. 

ID no.: 10-32; 
Recommendation: Establish a process to periodically review and update 
USR training materials as appropriate. (short-term); 
Control Activity: Management of human capital. 

ID no.: 10-33; 
Recommendation: Establish procedures requiring HCO LEADS or their 
designees to periodically monitor each business unit's progress in 
complying with mandatory briefing requirements. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 10-34; 
Recommendation: Establish procedures requiring COs/COTRs to obtain and 
retain written documentation from end users confirming receipt and 
acceptability of purchased goods or services prior to entering 
acknowledgment of receipt and acceptance in WebRTS. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 10-35; 
Recommendation: Reiterate IRS's policy for staff to indicate in WebRTS 
during final receipt and acceptance that the payment is a final 
payment to close out a contract or purchase order to help ensure any 
remaining obligated funds are deobligated in a timely manner. (short-
term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 10-36; 
Recommendation: Reevaluate and, as necessary, revise the aging 
criteria for the Aging Unliquidated Obligation reviews so that 
unliquidated obligations are reviewed sooner in order to detect and 
deobligate excess obligations in a timely manner. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 10-37; 
Recommendation: Provide technicians and supervisors who are 
responsible for recording and reviewing obligation transactions with 
training on the proper use of manually linked obligation transactions 
to reinforce IRS's existing policy requiring that transactions be 
recorded accurately to the upward and downward adjustments to prior 
year obligation accounts. (short-term); 
Control Activity: Management of human capital. 

ID no.: 10-38; 
Recommendation: Develop controls to improve the linked obligation 
transaction review process to detect and correct erroneous links 
between unrelated upward and downward adjustments to prior-year 
obligation transactions in a timely manner. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 10-39; 
Recommendation: Establish a formal funds control process to set aside 
amounts for tax law enforcement and related support activities, as 
required by annual appropriations acts. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 10-40; 
Recommendation: Establish a policy to periodically monitor throughout 
the year the amount of different appropriations accounts attributed to 
the set-aside to asses IRS's progress toward complying with the 
requirement. (short-term); 
Control Activity: Top level reviews of actual performance. 

ID no.: 10-41; 
Recommendation: Based on the results of its periodic assessments, take 
action to allocate the required amount of appropriations to tax law 
enforcement and related support activities to comply with the set-
aside requirement. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

[End of section] 

Appendix III: Comments from the Internal Revenue Service: 

Department Of The Treasury: 
Internal Revenue Service: 
Washington, D.C. 20224: 

June 15, 2010: 

Mr. Steven J. Sebastian: 
Director: 
Financial Management and Assurance: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Sebastian: 

I am writing in response to the Government Accountability Office (GAO) 
draft report titled, IRS: Status of GAO Financial Audit and Related 
Financial Management Report Recommendations (GA0-10-597). 

As GAO noted in the report, IRS has made significant progress in 
improving its internal controls and financial management as evidenced 
by 10 consecutive years of clean audit opinions on its financial 
statements. We are pleased that you acknowledged our progress in 
addressing our financial management challenges and agreed to close 18 
prior year financial management recommendations. 

We are committed to implementing appropriate improvements to ensure 
that the IRS maintains sound financial management practices. If you 
have any questions or would like to discuss our response in further 
detail, please contact me or Alison Doone, Chief Financial Officer, at 
(202) 622-6400. 

Sincerely, 

Signed by: 

Douglas H. Shulman: 

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, the following individuals made 
major contributions to this report: William J. Cordrey, Assistant 
Director; Russell Brown; Ray B. Bush; Nina Crocker; Oliver Culley; 
Doreen Eng; Charles Fox; Valerie Freeman; Jamie Haynes; Ted Hu; 
Richard Larsen; Delores Lee; Julie Phillips; John Sawyer; Christopher 
Spain; Cynthia Teddleton; LaDonna Towler; and Gary Wiggins. 

[End of section] 

Footnotes: 

[1] A material weakness is a deficiency, or a combination of 
deficiencies, in internal control such that there is a reasonable 
possibility that a material misstatement of the entity's financial 
statements will not be prevented, or detected and corrected on a 
timely basis. A control deficiency exists when the design or operation 
of a control does not allow management or employees, in the normal 
course of performing their assigned functions, to prevent, or detect 
and correct misstatements on a timely basis. 

[2] A significant deficiency is a deficiency, or a combination of 
deficiencies, in internal control that is less severe than a material 
weakness, yet important enough to merit attention by those charged 
with governance. 

[3] Management is responsible for establishing and maintaining 
internal control to achieve the objectives of effective and efficient 
operations, reliable financial reporting, and compliance with 
applicable laws and regulations. See 31 U.S.C. ß 3512 (c), (d), 
commonly known as the Federal Managers' Financial Integrity Act of 
1982 (FMFIA); see also, GAO, Standards for Internal Control in the 
Federal Government, [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: 
Nov. 1, 1999), 4-5. The actions required by agencies and individual 
federal managers includes taking proactive measures to develop and 
implement appropriate, cost-effective internal control for results-
oriented management; to assess the adequacy of internal control in 
federal programs and operations; to identify needed improvements; and 
to take corresponding corrective actions. 

[4] GAO, Financial Audit: IRS's Fiscal Years 2009 and 2008 Financial 
Statements, [hyperlink, http://www.gao.gov/products/GAO-10-176] 
(Washington, D.C.: Nov. 10, 2009). 

[5] An unpaid assessment is a legally enforceable claim against a 
taxpayer and consists of taxes, penalties, and interest that have not 
been collected or abated (a reduction in a tax assessment). 

[6] The term "outcome-oriented performance metrics," refers to the 
measurement of the end result of a work activity or series of 
activities, such as the taxes collected as a result of a tax 
assessment and the collection actions taken by IRS employees, such as 
telephone calls to tax debtors. 

[7] GAO, Information Security: IRS Needs to Continue to Address 
Significant Weaknesses, [hyperlink, 
http://www.gao.gov/products/GAO-10-355] (Washington, D.C.: Mar. 19, 
2010). 

[8] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1], 
(Washington, D.C.: Nov. 1, 1999), contains the internal control 
standards to be followed by executive agencies in establishing and 
maintaining systems of internal control as required by 31 U.S.C. ß 
3512 (c), (d). which is commonly known as the Federal Managers' 
Financial Integrity Act of 1982 (FMFIA). 

[9] See the CFO Act of 1990, Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 
15, 1990), codified in relevant part, as amended at 31 U.S.C. ß 3521 
(g). 

[10] The circular requires agencies and individual federal managers to 
take systematic and proactive measures to (1) develop and implement 
appropriate, cost-effective internal control for results-oriented 
management; (2) assess the adequacy of internal control in federal 
programs and operations; (3) separately assess and document internal 
control over financial reporting consistent with the process defined 
in appendix A of the circular; (4) identify needed improvements; (5) 
take corresponding corrective action; and (6) report annually on 
internal control through management assurance statements. 

[11] [hyperlink, http://www.gao.gov/products/GAO-10-355]. 

[12] GAO, Management Report: Improvements Are Needed in IRS's Internal 
Controls and Compliance with Laws and Regulations, [hyperlink, 
http://www.gao.gov/products/GAO-10-565R] (Washington, D.C.: June 28, 
2010). 

[13] GAO, Internal Control Standards: Internal Control Management and 
Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G] 
(Washington, D.C.: Aug. 1, 2001). 

[14] FASAB, Statement of Federal Financial Concepts No. 1: Objectives 
of Federal Financial Reporting, version 8 (Washington, D.C.: June 30, 
2009). 

[15] [hyperlink, http://www.gao.gov/products/GAO-10-565R]. 

[16] [hyperlink, http://www.gao.gov/products/GAO-10-355]. 

[17] [hyperlink, http://www.gao.gov/products/GAO-10-176]. 

[18] Unpaid assessments are unpaid taxes. For reporting purposes, 
federal accounting standards classify unpaid assessments into federal 
taxes receivables, compliance assessments, and write-offs. Federal 
taxes receivable are taxes due from taxpayers for which IRS can 
support the existence of a receivable through taxpayer agreement or a 
favorable court ruling. Compliance assessments are assessments where 
neither the taxpayer nor the court has affirmed that the amounts are 
owed. Write-offs represent unpaid tax assessments for which IRS does 
not expect further collection because of factors such as the 
taxpayer's death, bankruptcy, or insolvency. 

[19] [hyperlink, http://www.gao.gov/products/GAO-10-176]. 

[20] An "outcome" is a measure of the end result of a work activity or 
series of activities, such as the taxes collected, and is a measure of 
the results of providing outputs. 

[21] IRS's performance metrics are reported externally via its 
Management Discussion and Analysis section of its annual financial 
statements. See [hyperlink, http://www.gao.gov/products/GAO-10-176]. 

[22] An "output" measure is a measure of the quantity of services 
provided, such as the number of phone calls made to taxpayers in an 
effort to collect unpaid taxes. 

[23] IRS's measure of conviction efficiency rate is a partial 
exception in that it measures the total cost of its criminal 
investigations divided by the number of convictions. 

[24] See app. I, recommendation 09-16, in this report. 

[25] GAO, Internal Revenue Service: Fiscal Year 2009 Budget Request 
and Interim Performance Results of IRS's 2008 Tax Filing Season, 
[hyperlink, http://www.gao.gov/products/GAO-08-567] (Washington, D.C.: 
Mar. 13, 2008); and GAO, Internal Revenue Service: Review of the 
Fiscal Year 2010 Budget Request, [hyperlink, 
http://www.gao.gov/products/GAO-09-754] (Washington, D.C.: June 13, 
2009). 

[26] GAO, Financial Audit: IRS's Fiscal Years 2007 and 2006 Financial 
Statements, [hyperlink, http://www.gao.gov/products/GAO-08-166] 
(Washington, D.C.: Nov. 9, 2007); GAO, Financial Audit: IRS's Fiscal 
Years 2008 and 2007 Financial Statements, [hyperlink, 
http://www.gao.gov/products/GAO-09-119] (Washington, D.C.: Nov. 10, 
2008); and GAO, Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness, [hyperlink, 
http://www.gao.gov/products/GAO-09-513R] (Washington, D.C.: June 24, 
2009). 

[27] GAO, Internal Revenue Service: Serious Weaknesses Impact Ability 
to Report on and Manage Operations, [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-99-196] (Washington, D.C.: Aug. 
9, 1999). 

[28] See [hyperlink, http://www.gao.gov/products/GAO-08-166], 
[hyperlink, http://www.gao.gov/products/GAO-09-119], and [hyperlink, 
http://www.gao.gov/products/GAO-09-513R]. 

[29] The "full cost" of a program or activities includes all of the 
direct costs, including personnel time charges, and indirect costs, 
such as the allocation of overhead costs, that are applicable to the 
program or activity. 

[30] An "activity" can be defined as a discrete action that IRS 
undertakes, such as when IRS matches a taxpayer's reported dividends 
on its tax return to the dividends reported to IRS by the taxpayer's 
financial institution to identify discrepancies. A "program" can be 
defined as a group of related activities, such as IRS's Automated 
Underreporter program in which IRS matches a taxpayer's various types 
of income--wages, dividends, interest, etc.--to identify discrepancies 
that, collectively, may indicate unpaid taxes. 

[31] IFS is IRS's administrative accounting system, which IRS uses to 
facilitate its core financial management activities, such as general 
ledger, budget formulation, and accounts payable and receivable. IFS 
includes a cost module that IRS uses to facilitate the recording of 
cost information, but the cost module is not fully integrated with 
IRS's workload management systems, which record employees' time spent 
on various programs and activities. In fiscal year 2008, IRS canceled 
plans to add a managerial cost accounting module to IFS that was 
intended to provide the capability to produce such full cost 
information at the program and activity levels. 

[32] FASAB, Statement of Federal Financial Concepts No. 1: Objectives 
of Federal Financial Reporting. 

[33] An "outcome" is a measure of the end result of a work activity or 
series of activities, such as the taxes collected and is a measure of 
the results of providing outputs. An "output" is a measure of the 
quantity of services provided, such as the number of phone calls made 
to taxpayers in an effort to collect unpaid taxes. 

[34] Lockbox banks are financial institutions designated as 
depositories and financial agents of the U.S. government to perform 
certain financial services, including processing tax documents, 
depositing the receipts, and forwarding the documents and data to the 
IRS service center campuses that process tax returns and payments. 

[35] GAO, Internal Revenue Service: Status of Financial Audit and 
Related Financial Management Report Recommendations, [hyperlink, 
http://www.gao.gov/products/GAO-09-514] (Washington, D.C.: June 25, 
2009). 

[36] [hyperlink, http://www.gao.gov/products/GAO-10-565R]. 

[37] We define short-term recommendations as those that we believed 
could be addressed within 2 years at the time we made the 
recommendation. We define long-term recommendations as those we 
expected to require 2 years or more to implement at the time we made 
the recommendation. 

[38] [hyperlink, http://www.gao.gov/products/GAO-10-355]. 

[39] [hyperlink, http://www.gao.gov/products/GAO-10-176]. 

[40] See [hyperlink, http://www.gao.gov/products/GAO-10-565R] and 
[hyperlink, http://www.gao.gov/products/GAO-09-513R] for our 
recommendations resulting from our fiscal years 2009 and 2008 audits. 

[41] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[42] The number of recommendations cited in the earlier report section 
on "challenges in resolving other internal control issues" in which we 
discuss the open recommendations concerning safeguarding taxpayer 
receipts and information does not match the control activity 
information in the table 1 section on "safeguarding of assets and 
security activities." The recommendations concerning safeguarding of 
taxpayer receipts and information included in that table 1 section are 
limited to those that are directly related to such safeguarding, such 
as physical safeguards over the transportation of checks and tax 
returns. Other recommendations that are indirectly related to 
safeguarding taxpayer receipts and information, such as management 
oversight and the adequacy of policies and procedures, are included in 
the other two sections of table 1, "proper recording and documenting 
of transactions" and "effective management review and oversight." The 
70 recommendations reported in the previous report section included 
both those directly and indirectly related to safeguarding taxpayer 
receipts and information. 

[43] The majority of federal tax payments are made for both businesses 
and individuals through the Electronic Federal Tax Payment System. 

[44] Lockbox banks operate under contract with the Department of the 
Treasury's Financial Management Service. The three lockbox banks 
perform processing functions in seven locations throughout the country. 

[45] Six of IRS's 10 service center campuses process tax returns and 
payments submitted by taxpayers. 

[46] IRS's 401 TACs are small field assistance units located in 
various cities and towns in every state, are part of IRS's Wage and 
Investment operating division, and are designated to serve taxpayers 
who choose to seek help from IRS in person. 

[47] IRS defines unprocessable items as any document, correspondence, 
or item that cannot be processed by the lockbox bank, such as 
unacceptable forms of payment--traveler's checks, gold coins, and 
other items of value that are easily negotiable. 

[48] GAO, Financial Audit: IRS's Fiscal Years 2009 and 2008 Financial 
Statements, [hyperlink, http://www.gao.gov/products/GAO-10-176] 
(Washington, D.C.: Nov. 10, 2009); and GAO, Management Report: 
Improvements Are Needed in IRS's Internal Controls and Compliance with 
Laws and Regulations, [hyperlink, 
http://www.gao.gov/products/GAO-10-565R] (Washington, D.C.: June 28, 
2010). 

[49] GAO, Information Security: IRS Needs to Continue to Address 
Significant Weaknesses, [hyperlink, 
http://www.gao.gov/products/GAO-10-355] (Washington, D.C.: Mar. 19, 
2010). 

[50] [hyperlink, http://www.gao.gov/products/GAO-10-176]. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAOís actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAOís Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: