This is the accessible text file for GAO report number GAO-08-693 
entitled 'Internal Revenue Service: Status of GAO Financial Audit and 
Related Financial Management Report Recommendations' which was released 
on July 2, 2008. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Commissioner of Internal Revenue: 

United States Government Accountability Office: 

GAO: 

July 2008: 

Internal Revenue Service: 

Status of GAO Financial Audit and Related Financial Management Report 
Recommendations: 

Status of Recommendations: 

GAO-08-693: 

GAO Highlights: 

Highlights of GAO-08-693, a report to the Commissioner of Internal 
Revenue. 

Why GAO Did This Study: 

In its role as the nationís tax collector, the Internal Revenue Service 
(IRS) has a demanding responsibility in annually collecting trillions 
of dollars in taxes, processing hundreds of millions of tax and 
information returns, and enforcing the nationís tax laws. Since its 
first audit of IRSís financial statements in fiscal year 1992, GAO has 
identified a number of weaknesses in IRSís financial management 
operations. In related reports, GAO has recommended corrective action 
to address those weaknesses. Each year, as part of the annual audit of 
IRSís financial statements, GAO not only makes recommendations to 
address any new weaknesses identified but also follows up on the status 
of weaknesses GAO identified in previous yearsí audits. The purpose of 
this report is to (1) assist IRS management in tracking the status of 
audit recommendations and actions needed to fully address them and (2) 
demonstrate how the recommendations relate to control activities 
central to IRSís mission and goals. 

What GAO Found: 

IRS has made significant progress in improving its internal controls 
and financial management since its first financial statement audit in 
1992, as evidenced by 8 consecutive years of clean audit opinions on 
its financial statements, the resolution of several material internal 
control weaknesses, and actions resulting in the closure of over 200 
financial management recommendations. This progress has been the result 
of hard work throughout the agency and sustained commitment at the top 
levels of the agency. However, IRS still faces financial management 
challenges. At the beginning of GAOís audit of IRSís fiscal year 2007 
financial statements, 75 financial management-related recommendations 
from prior audits remained open because IRS had not fully addressed the 
issues that gave rise to them. During the fiscal year 2007 financial 
audit, IRS took actions that enabled GAO to close 18 of those 
recommendations. At the same time, GAO identified additional internal 
control issues resulting in 24 new recommendations. In total, 81 
recommendations remain open at the end of fiscal 2007. To assist IRS in 
evaluating and improving internal controls, GAO categorized the 81 open 
recommendations by various internal control activities, which, in turn, 
were grouped into three broad control categories. 

Table: Summary of Open Recommendations by Control Category: 

Safeguarding of assets and security activities; 
Open at the beginning of 2007: 19; 
Closed during 2007 audit: 4; 
New from 2007 audit: 6; 
Total open for 2008: 21. 

Proper recording and documenting of transactions; 
Open at the beginning of 2007: 33; 
Closed during 2007 audit: 9; 
New from 2007 audit: 9; 
Total open for 2008: 33. 

Effective management review and oversight; 
Open at the beginning of 2007: 23; 
Closed during 2007 audit: 5; 
New from 2007 audit: 9; 
Total open for 2008: 27. 

Total; 
Open at the beginning of 2007: 75; 
Closed during 2007 audit: 18; 
New from 2007 audit: 24; 
Total open for 2008: 81. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

The continued existence of internal control weaknesses that gave rise 
to these recommendations represents a serious obstacle that IRS needs 
to overcome. Effective implementation of GAOís recommendations can 
greatly assist IRS in improving its internal controls and achieving 
sound financial management and can help enable it to more effectively 
carry out its tax administration responsibilities. Most can be 
addressed in the short term (the next 2 years). However, a few 
recommendations, particularly those concerning IRS's automated systems, 
are complex and will require several more years to fully and 
effectively address. 

What GAO Recommends: 

GAO is making no new recommendations in this report. In commenting on 
this draft report, IRS stated that it is committed to implementing 
appropriate improvements to maintain sound financial management 
practices. 

To view the full product, including the scope and methodology, click on 
[http://www.gao.gov/cgi-bin/getrpt?GAO-08-693]. For more information, 
contact Steven J. Sebastian at (202)512-3406 or sebastians@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Scope and Methodology: 

IRS's Progress on Financial Management Recommendations: 

Open Recommendations Grouped by Control Activity: 

Open Recommendations Arranged by Related Material Weakness, Significant 
Deficiency, Compliance Issue, or Other Control Issue: 

Concluding Observations: 

Agency Comments and Our Evaluation: 

Appendix I: Status of GAO Recommendations from IRS Financial Audits and 
Related Management Reports: 

Appendix II: Open Recommendations Arranged by Control or Compliance 
Issue: 

Financial Reporting: 

Unpaid Tax Assessments: 

Tax Revenue and Refunds: 

Information Security: 

Hard-Copy Tax Receipts and Taxpayer Information: 

Release of Federal Tax Liens: 

Other Control Issues: 

Appendix III: Comments from the Internal Revenue Service: 

Appendix IV: Staff Acknowledgments: 

Tables: 

Table 1: Summary of Open Recommendations: 

Table 2: Recommendations to Improve IRS's Physical Controls over 
Vulnerable Assets: 

Table 3: Recommendations to Improve IRS's Segregation of Duties: 

Table 4: Recommendation to Improve IRS's Controls over Information 
Processing: 

Table 5: Recommendations to Improve IRS's Access Restrictions to and 
Accountability for Resources and Records: 

Table 6: Recommendations to Improve IRS's Documentation of Transactions 
and Internal Control: 

Table 7: Recommendations to Improve IRS's Accurate and Timely Recording 
of Transactions and Events: 

Table 8: Recommendations to Improve IRS's Execution of Transaction and 
Events: 

Table 9: Recommendations to Improve IRS's Reviews by Management at the 
Functional or Activity Level: 

Table 10: Recommendations to Improve IRS's Establishment and Review of 
Performance Measures and Indicators: 

Table 11: Recommendations to Improve IRS's Management of Human Capital: 

Table 12: Material Weakness: Controls over Financial Reporting: 

Table 13: Material Weakness: Controls over Unpaid Assessments: 

Table 14: Material Weakness: Controls over Revenues and Issuing 
Refunds: 

Table 15: Significant Deficiency: Controls over Hard-Copy Receipts and 
Taxpayer Information: 

Table 16: Compliance with Laws and Regulations: Timely Release of 
Liens: 

Table 17: Other Control Issues Not Associated with a Material Weakness 
or Significant Deficiency: 

Abbreviations: 

ALS: Automated Lien System: 

ATFR: Automated Trust Fund Recovery: 

AUR: Automated Underreporter: 

AWSS: Agency-Wide Shared Services: 

BPMS: Business Performance Management System: 

CCTV: closed-circuit television: 

CDDB: Custodial Detail Data Base: 

FA: Field Assistance: 

FMFIA: Federal Managers' Financial Integrity Act of 1982: 

FMS: Financial Management Service: 

IDRS: Integrated Data Retrieval System: 

IFS: Integrated Financial System: 

IRACS: Interim Revenue and Accounting Control System: 

IRM: Internal Revenue Manual: 

IRS: Internal Revenue Service: 

LEM: Security Law Enforcement Manual: 

LMSB: Large and Mid- sized Business: 

LPG: Lockbox Processing Guidelines: 

LSG: Lockbox Security Guidelines: 

NFC: National Finance Center: 

OMB: Office of Management and Budget: 

P&E: property and equipment: 

SB/SE: Small Business/Self-Employed: 

SCC: service center campus: 

SETS: Security Entry and Tracking System: 

SP: Submission Processing: 

TAC: taxpayer assistance center: 

TE/GE: Tax Exempt and Government Entities: 

TFRP: Trust Fund Recovery Penalty: 

W&I: Wage and Investment: 

United States Government Accountability Office: 

Washington, DC 20548: 

July 2, 2008: 

The Honorable Douglas H. Shulman: 
Commissioner of Internal Revenue: 

Dear Mr. Shulman: 

In its role as the nation's tax collector, the Internal Revenue Service 
(IRS) has a demanding responsibility to collect taxes, process tax 
returns, and enforce the nation's tax laws. In fiscal year 2007, IRS 
collected about $2.7 trillion in tax payments, processed hundreds of 
millions of tax and information returns, and paid about $292 billion in 
refunds to taxpayers. Because of its role and overall mission, IRS's 
activities touch on virtually all of the nation's citizens. It is 
therefore critical that the agency strive to maintain sound financial 
management practices. 

IRS has made much progress in improving its financial management since 
it was first required to prepare and have audited a set of financial 
statements in fiscal year 1992. This progress was reflected in its 
ability to obtain and maintain a clean audit opinion on its financial 
statements each year beginning in fiscal year 2000, and to correct 
several material internal control weaknesses over the years and make 
many other improvements in internal control. At the same time, more 
remains to be done to address long-standing internal control issues 
that continue to exist at the agency. IRS continues to have weak or 
ineffective internal controls over fundamental elements of its 
operations that leave it vulnerable to a greater risk of fraud, waste, 
abuse, and mismanagement. This, in turn, has the potential to affect 
the lives of the nation's taxpayers, as our audits over the years have 
demonstrated. 

An agency's internal control environment serves as the first line of 
defense in safeguarding its assets and in preventing and detecting 
errors and fraud, as well as in helping to effectively manage its 
stewardship over public resources.[Footnote 1] Unfortunately, IRS 
continues to be challenged with several long-standing material 
weaknesses in internal control that are at the heart of IRS's 
operations.[Footnote 2] During our audit of IRS's fiscal year 2007 
financial statements, we continued to find material weaknesses in 
controls over: 

* financial reporting, 

* unpaid tax assessments, 

* identifying and collecting tax revenues due and issuing tax refunds, 
and: 

* information systems security. 

In addition to the material weaknesses, we continued to identify a 
significant deficiency involving controls over hard-copy tax receipts 
and taxpayer data, which increase the government's and taxpayer's risk 
of loss or inappropriate disclosure or use of taxpayer data. 

To assist IRS in strengthening its internal controls and improving its 
operations, we have made numerous recommendations as part of our annual 
financial statement audits and other financial management-related work 
at IRS. This report is being provided to you to (1) assist IRS 
management in tracking the status of financial audit and financial 
management-related recommendations and the actions needed to address 
them and (2) demonstrate how the recommendations relate to control 
activities central to IRS's mission and goals. We are making no new 
recommendations in this report. 

Our work was performed from December 2007 through May 2008 in 
accordance with generally accepted government auditing standards. 

Results in Brief: 

IRS management continues to make progress in addressing many of the 
internal control issues that challenge the agency. IRS's actions have 
enabled us to close over 200 financial management-related 
recommendations over the years since our first audit of its financial 
statements in 1992. At the beginning of our fiscal year 2007 IRS 
financial statement audit, 75 financial management-related 
recommendations from our prior audits remained open. During the fiscal 
year 2007 financial statement audit, IRS took actions to effectively 
address issues that gave rise to numerous recommendations, enabling us 
to close 18 of those recommendations. Thus, 57 recommendations from 
prior years' audits remained open at the end of fiscal year 2007. In 
addition, during our fiscal year 2007 financial audit, we identified a 
number of additional internal control issues and, in a separate report, 
made 24 new recommendations to address these newly identified 
issues.[Footnote 3] As a result, a total of 81 recommendations to 
address IRS's internal control issues remained open at the end of 
fiscal year 2007. Additionally, 76 recommendations as a result of our 
assessment of IRS's information security controls over key financial 
systems, data, and interconnected networks at IRS's critical data 
processing facilities remained open at the end of fiscal year 2007. 
Recommendations resulting from the information security portion of our 
annual audits of IRS's financial statements are reported separately and 
are not included in this report primarily because of the sensitive 
nature of some of these issues. 

In analyzing the nature of the 81 financial management recommendations 
open at the end of fiscal year 2007, we determined that 21 
recommendations (26 percent) relate to issues associated with IRS's 
lack of effective controls over safeguarding assets and security 
activities. Another 33 recommendations (41 percent) relate to issues 
associated with IRS's inability to properly record and document 
transactions. The remaining 27 recommendations (33 percent) relate to 
issues associated with lack of effective management review and 
oversight. Effectively and fully addressing these open recommendations 
would greatly assist IRS in improving its internal controls and 
achieving sound financial management. While most of our open 
recommendations can be addressed in the short term (within the next 2 
years), a few recommendations, particularly those concerning IRS's 
automated systems, are complex and will require several more years to 
fully and effectively address. 

Finally, we analyzed the nature of the open recommendations to relate 
them to the material weakness, significant deficiency, compliance 
issue, and other control issues not associated with a material weakness 
or significant deficiency identified as part of our annual financial 
statement audits. Appendix II provides a listing of our 81 open 
recommendations grouped according to their related material weakness, 
significant deficiency, compliance issue, or other control issue as 
described in our opinion report on IRS's financial statement[Footnote 
4]s. 

In commenting on a draft of this report, IRS expressed its appreciation 
for our acknowledgment of the agency's progress in addressing its 
financial management challenges as evidenced by our closure of 18 open 
financial management recommendations from GAO's prior year report. We 
have reprinted IRS's written comments in appendix III. 

Background: 

Internal control is not one event, but a series of actions and 
activities that occur throughout an entity's operations and on an 
ongoing basis. Internal control should be recognized as an integral 
part of each system that management uses to regulate and guide its 
operations rather than as a separate system within an agency. In this 
sense, internal control is management control that is built into the 
entity as a part of its infrastructure to help managers run the entity 
and achieve their goals on an ongoing basis. 

Section 3512 (c), (d) of Title 31, U.S. Code, commonly known as the 
Federal Managers' Financial Integrity Act of 1982 (FMFIA), requires 
agencies to establish and maintain internal control. The agency head 
must annually evaluate and report on the control and financial systems 
that protect the integrity of federal programs. The requirements of 
FMFIA serve as an umbrella under which other reviews, evaluations, and 
audits should be coordinated and considered to support management's 
assertion about the effectiveness of internal control over operations, 
financial reporting, and compliance with laws and regulations. 

Office of Management and Budget (OMB) Circular No. A-123, Management's 
Responsibility for Internal Control, provides the implementing guidance 
for FMFIA, and sets out the specific requirements for assessing and 
reporting on internal controls consistent with the internal control 
standards issued by the Comptroller General of the United 
States.[Footnote 5] The circular defines management's responsibilities 
related to internal control and the process for assessing internal 
control effectiveness, and provides specific requirements for 
conducting management's assessment of the effectiveness of internal 
control over financial reporting. The circular requires management to 
annually provide assurances on internal control in its performance and 
accountability report, and for each of the 24 Chief Financial Officers 
Act agencies to include a separate assurance on internal control over 
financial reporting, along with a report on identified material 
weaknesses and corrective actions.[Footnote 6] The circular also 
emphasizes the need for integrated and coordinated internal control 
assessments that synchronize all internal control-related activities. 

FMFIA requires GAO to issue standards for internal control in the 
federal government. The Standards for Internal Control in the Federal 
Government (i.e., internal control standards) provides the overall 
framework for establishing and maintaining effective internal control 
and for identifying and addressing major performance and management 
challenges and areas at greatest risk of fraud, waste, abuse, and 
mismanagement. 

As summarized in the internal control standards, the minimum level of 
quality acceptable for internal control in the government is defined by 
the following five standards, which also provide the basis against 
which internal controls are to be evaluated: 

* Control environment: Management and employees should establish and 
maintain an environment throughout the organization that sets a 
positive and supportive attitude toward internal control and 
conscientious management. 

* Risk assessment: Internal control should provide for an assessment of 
the risks the agency faces from both external and internal sources. 

* Control activities: Internal control activities help ensure that 
management's directives are carried out. The control activities should 
be effective and efficient in accomplishing the agency's control 
objectives. 

* Information and communications: Information should be recorded and 
communicated to management and others within the entity who need it and 
in a form and within a time frame that enables them to carry out their 
internal control and other responsibilities. 

* Monitoring: Internal control monitoring should assess the quality of 
performance over time and ensure that the findings of audits and other 
reviews are promptly resolved. 

The third control standard--control activities--helps ensure that 
management's directives are carried out. Control activities are the 
policies, procedures, techniques, and mechanisms that enforce 
management's directives. In other words, they are the activities 
conducted in the everyday course of business that are intended to 
accomplish a control objective, such as ensuring IRS employees 
successfully complete background checks prior to being granted access 
to taxpayer information and receipts. As such, control activities are 
an integral part of an entity's planning, implementing, reviewing, and 
accountability for stewardship of government resources and achievement 
of effective results. 

A key objective in our annual audits of IRS's financial statements is 
to obtain reasonable assurance about whether IRS maintained effective 
internal controls with respect to financial reporting, including 
safeguarding of assets, and compliance with laws and regulations. While 
we use all five internal control standards as a basis for evaluating 
the effectiveness of IRS's internal controls, we place a heavy emphasis 
on testing control activities. Our evaluations and tests have resulted 
in the identification of issues in certain internal controls over the 
years and recommendations for corrective action. 

Scope and Methodology: 

To accomplish our objectives, we evaluated the effectiveness of IRS's 
corrective actions implemented in response to open recommendations 
during fiscal year 2007 as part of our fiscal years 2007 and 2006 
financial audits. To determine the current status of the 
recommendations, we (1) obtained IRS's reported status of each 
recommendation and corrective action taken or planned as of April 2008, 
and (2) compared IRS's reported status to our fiscal year 2007 audit 
findings to identify any differences between IRS's and our conclusions 
regarding the status of each recommendation. 

In order to determine how these recommendations fit within IRS's 
management and internal control structure, we compared the open 
recommendations, and the issues that gave rise to them, to the control 
activities listed in the internal control standards and to the list of 
major factors and examples outlined in our Internal Control Management 
and Evaluation Tool.[Footnote 7] We also considered how the 
recommendations and the underlying issues were categorized in our prior 
reports; whether IRS had addressed, in whole or in part, the underlying 
control issues that gave rise to the recommendations; and other legal 
requirements and implementing guidance, such as OMB Circular No. A-123; 
FMFIA; and the Federal Information System Controls Audit Manual 
(FISCAM).[Footnote 8] 

Our work was performed from December 2007 through May 2008 in 
accordance with generally accepted government auditing standards. We 
requested comments on a draft of this report from the Commissioner of 
Internal Revenue or his designee on June 9, 2008. We received comments 
from the Commissioner on June 24, 2008. 

IRS's Progress on Financial Management Recommendations: 

IRS continues to make progress addressing its significant financial 
management challenges. Over the years since we first began auditing 
IRS's financial statements in fiscal year 1992, IRS has taken actions 
enabling us to close over 200 of our financial management-related 
recommendations. This includes 18 recommendations we are closing based 
on actions IRS took during the period covered by our fiscal year 2007 
financial audit. At the same time, however, our audits continue to 
identify additional internal control issues, resulting in our making 
further recommendations for corrective action, including 24 new 
financial management-related recommendations resulting from our fiscal 
year 2007 financial audit. These internal control issues, and the 
resulting recommendations, can be directly traced to the control 
activities in the internal control standards. As such, it is essential 
that they be fully addressed and resolved to strengthen IRS's overall 
financial management and to assist it in efficiently and effectively 
achieving its goals and mission. 

Status of Recommendations Based on the Year 2007 Financial Statement 
Audit: 

In June 2007, we issued a report on the status of IRS's efforts to 
implement corrective actions to address financial management 
recommendations stemming from our fiscal year 2006 and prior year 
financial audits and other financial management-related work.[Footnote 
9] In that report, we identified 75 audit recommendations that at that 
time remained open and thus required corrective action by IRS. A 
significant number of these recommendations had been open for several 
years, either because IRS had not taken corrective action or because 
the actions taken had not yet fully and effectively resolved the issues 
that gave rise to the recommendations. 

IRS continued to work to address many of the internal control issues to 
which these open recommendations relate. In the course of performing 
our fiscal year 2007 financial audit, we identified numerous actions 
IRS took to address many of its internal control issues. On the basis 
of IRS's actions, which we were able to substantiate through our audit, 
we are able to close 18 of these prior years' recommendations. IRS 
considers another 23 of the prior years' recommendations to be 
effectively addressed. However, we still consider them to be open 
either because we had not yet been able to verify the effectiveness of 
IRS's actions--they occurred subsequent to completion of our audit 
testing and thus have not been verified, which is a prerequisite to our 
closing a recommendation--or because the actions taken did not fully 
address the issue that gave rise to the recommendation. 

However, continued efforts are needed by IRS to address its internal 
control issues. While we are able to close 18 financial management 
recommendations made in prior years, 57 recommendations from prior 
years remain open, a significant number of which have been outstanding 
for several years. In some cases, IRS may have effectively addressed 
the issues that gave rise to the recommendations subsequent to our 
fiscal year 2007 audit testing. However, in many cases, we determined 
based on the work performed for our fiscal year 2007 audit that IRS's 
actions taken to date had not yet fully and effectively addressed the 
underlying internal control issues. Additionally, during our audit of 
IRS's fiscal year 2007 financial statements, we identified additional 
issues that require corrective action by IRS. In a recent management 
report to IRS,[Footnote 10] we discussed these issues, and made 24 new 
recommendations to IRS to address them. Consequently, a total of 81 
financial management-related recommendations were open at the end of 
fiscal year 2007 and need to be addressed by IRS. While most of our 
open recommendations can be addressed in the short term,[Footnote 11] a 
few recommendations, particularly those concerning IRS's automated 
systems, are complex and will require several more years to fully and 
effectively address. We consider 71 recommendations to be short-term 
and 10 to be long-term. 

In addition to the 81 open recommendations from our financial audits 
and other financial management-related work, we have 76 open 
recommendations as a result of our assessment of IRS's information 
security controls over key financial systems, data, and interconnected 
networks at IRS's critical data processing facilities. One of those 
open recommendations relates to IRS's need to implement an agencywide 
information security program, the lack of which was a key reason for 
the material weakness in IRS's information systems security controls 
over its financial and tax processing systems. Unresolved, previously 
reported recommendations and newly identified ones related to 
information security increase the risk of unauthorized disclosure, 
modification, or destruction of financial and sensitive taxpayer data. 
Recommendations resulting from of the information security portion our 
annual audits of IRS's financial statements are reported separately and 
are not included in this report primarily because of the sensitive 
nature of some of these issues. 

Appendix I presents a list of (1) the 81 recommendations we have made 
based on our financial statement audits and other financial management- 
related work that we had not previously reported as closed prior to our 
fiscal year 2007 audit, (2) the status of each of those recommendations 
and corrective actions taken or planned as of April 2008 as reported to 
us by IRS, and (3) our analysis of whether the issues that gave rise to 
the recommendations have been effectively and fully addressed based on 
the work performed during our fiscal year 2007 financial statement 
audit. Appendix I also lists new recommendations we have made based on 
our fiscal year 2007 financial statement audit. The appendix lists the 
recommendations by the date on which the recommendation was made and by 
report number. Appendix II presents the open recommendations arranged 
by related material weakness, significant deficiency, compliance issue, 
or other control issue as described in our opinion report on IRS's 
financial statements. 

Open Recommendations Grouped by Control Activity: 

Linking the open recommendations from our financial audits and other 
financial management-related work, and the issues that gave rise to 
them, to internal control activities that are central to IRS's tax 
administration responsibilities provides insight regarding their 
significance. 

The internal control standards define 11 control activities. These 
control activities can be further grouped into three broad categories: 

* Safeguarding of assets and security activities: 

- physical control over vulnerable assets, 

- segregation of duties, 

- controls over information processing, and: 

- access restrictions to and accountability for resources and records. 

* Proper recording and documenting of transactions: 

- appropriate documentation of transactions and internal control, 

- accurate and timely reporting of transactions and events, and: 

- proper execution of transactions and events. 

* Effective management review and oversight: 

- reviews by management at the functional or activity level, 

- establishment and review of performance measures and indicators, 

- management of human capital, and: 

- top-level reviews of actual performance. 

Each of the open recommendations from our financial audits and 
financial management-related work, and the underlying issues that gave 
rise to them, can be traced back to 1 of the 11 control activities 
(grouped into three broad categories). Table 1 presents a summary of 
the open recommendations, each of which is categorized by the control 
activity to which it best relates. 

Table 1: Summary of Open Recommendations: 

Control category/control activity: Safeguarding of assets and security 
activities: Physical control over vulnerable assets; 
Open at start of fiscal year 2007 audit: 12; 
Closed during fiscal year 2007 audit: 3; 
Control category/control activity: New from fiscal year 2007 audit: 0; 
Total open as of the end of fiscal year 2007: 9; 
Percentage: 11. 

Control category/control activity: Safeguarding of assets and security 
activities: Segregation of duties; 
Open at start of fiscal year 2007 audit: 4; 
Closed during fiscal year 2007 audit: 1; 
New from fiscal year 2007 audit: 0; 
Total open as of the end of fiscal year 2007: 3; 
Percentage: 4. 

Control category/control activity: Safeguarding of assets and security 
activities: Controls over information processing[A]; 
Open at start of fiscal year 2007 audit: 1; 
Closed during fiscal year 2007 audit: 0; 
New from fiscal year 2007 audit: 0; 
Total open as of the end of fiscal year 2007: 1; 
Percentage: 1. 

Control category/control activity: Access restrictions to and 
accountability for resources and records; 
Open at start of fiscal year 2007 audit: 2; 
Closed during fiscal year 2007 audit: 0; 
New from fiscal year 2007 audit: 6; 
Total open as of the end of fiscal year 2007: 8; 
Percentage: 10. 

Control category/control activity: Subtotal; 
Open at start of fiscal year 2007 audit: 19; 
Closed during fiscal year 2007 audit: 4; 
New from fiscal year 2007 audit: 6; 
Total open as of the end of fiscal year 2007: 21; 
Percentage: 26. 

Control category/control activity: Proper recording and documenting of 
transactions: Appropriate documentation of transactions and internal 
controls; 
Open at start of fiscal year 2007 audit: 13; 
Closed during fiscal year 2007 audit: 6; 
New from fiscal year 2007 audit: 5; 
Total open as of the end of fiscal year 2007: 12; 
Percentage: 15. 

Control category/control activity: Proper recording and documenting of 
transactions: Accurate and timely recording of transactions and events; 
Open at start of fiscal year 2007 audit: 19; 
Closed during fiscal year 2007 audit: 3; 
New from fiscal year 2007 audit: 2; 
Total open as of the end of fiscal year 2007: 18; 
Percentage: 22. 

Control category/control activity: Proper recording and documenting of 
transactions: Proper execution of transactions and events; 
Open at start of fiscal year 2007 audit: 1; 
Closed during fiscal year 2007 audit: 0; 
New from fiscal year 2007 audit: 2; 
Total open as of the end of fiscal year 2007: 3; 
Percentage: 4. 

Control category/control activity: Proper recording and documenting of 
transactions: Subtotal; 
Open at start of fiscal year 2007 audit: 33; 
Closed during fiscal year 2007 audit: 9; 
New from fiscal year 2007 audit: 9; 
Total open as of the end of fiscal year 2007: 33; 
Percentage: 41. 

Control category/control activity: Effective management review and 
oversight: Reviews by management at the functional or activity level; 
Open at start of fiscal year 2007 audit: 17; 
Closed during fiscal year 2007 audit: 5; 
New from fiscal year 2007 audit: 7; 
Total open as of the end of fiscal year 2007: 19. 
Percentage: 23. 

Control category/control activity: Effective management review and 
oversight: Establishment and review of performance measures and 
indicators; 
Open at start of fiscal year 2007 audit: 3; 
Closed during fiscal year 2007 audit: 0; 
New from fiscal year 2007 audit: 0; 
Total open as of the end of fiscal year 2007: 3; 
Percentage: 4. 

Control category/control activity: Effective management review and 
oversight: Management of human capital; 
Open at start of fiscal year 2007 audit: 3; 
Closed during fiscal year 2007 audit: 0; 
New from fiscal year 2007 audit: 2; 
Total open as of the end of fiscal year 2007: 5; 
Percentage: 6. 

Control category/control activity: Effective management review and 
oversight: Subtotal; 
Open at start of fiscal year 2007 audit: 23; 
Closed during fiscal year 2007 audit: 5; 
New from fiscal year 2007 audit: 9; 
Total open as of the end of fiscal year 2007: 27; 
Percentage: 33. 

Total; 
Open at start of fiscal year 2007 audit: 75; 
Closed during fiscal year 2007 audit: 18. 
New from fiscal year 2007 audit: 24; 
Total open as of the end of fiscal year 2007:81; 
Percentage: 100. 

Source: GAO analysis of the status of financial management 
recommendations made to IRS. 

[A] Does not include an additional 76 information systems security 
recommendations, which are reported separately because of the sensitive 
nature of some of the issues that gave rise to these recommendations. 

[End of table] 

As table 1 indicates, 21 recommendations (26 percent) relate to issues 
associated with IRS's lack of effective controls over safeguarding of 
assets and security activities. Another 33 recommendations (41 percent) 
relate to issues associated with IRS's inability to properly record and 
document transactions. The remaining 27 open recommendations (33 
percent) relate to issues associated with the lack of effective 
management review and oversight. 

On the following pages, we group the 81 open recommendations under the 
control activity to which the condition that gave rise to them most 
appropriately fits. We first define each control activity as presented 
in the internal control standards and briefly identify some of the key 
IRS operations that fall under that control activity. Although not 
comprehensive, the descriptions are intended to help explain why 
actions to strengthen these control activities are important for IRS to 
efficiently and effectively carry out its overall mission. For each 
recommendation, we also indicate whether it is a short-term or long- 
term recommendation. 

Safeguarding of Assets and Security Activities: 

Given IRS's mission, the sensitivity of the data it maintains, and its 
processing of trillions of dollars of tax receipts each year, one of 
the most important control activities at IRS is the safeguarding of 
assets. Internal control in this important area should be designed to 
provide reasonable assurance regarding prevention or prompt detection 
of unauthorized acquisition, use, or disposition of an agency's assets. 
We have grouped together the four control activities in the internal 
control standards that relate to safeguarding of assets (including tax 
receipts) and security activities (such as limiting access to only 
authorized personnel): (1) physical control over vulnerable assets, (2) 
segregation of duties, (3) controls over information processing, and 
(4) access restrictions to and accountability for resources and 
records. 

Physical Control over Vulnerable Assets: 

Internal control standard: an agency must establish physical control to 
secure and safeguard vulnerable assets. Examples include security for 
and limited access to assets such as cash, securities, inventories, and 
equipment which might be vulnerable to risk of loss or unauthorized 
use. Such assets should be periodically counted and compared to control 
records. 

IRS is charged with collecting trillions of dollars in taxes each year, 
a significant amount of which is collected in the form of checks and 
cash accompanied by tax returns and related information. IRS collects 
taxes both at its own facilities as well as at lockbox banks that 
operate under contract with the Department of the Treasury's Financial 
Management Service (FMS) to provide processing services for certain 
taxpayer receipts for IRS. IRS acts as custodian for (1) the tax 
payments it receives until they are deposited in the General Fund of 
the U.S. Treasury and (2) the tax returns and related information it 
receives until they are either sent to the Federal Records Center or 
destroyed. IRS is also charged with controlling many other assets, such 
as computers and other equipment, but IRS's legal responsibility to 
safeguard tax returns and the confidential information taxpayers 
provide on tax returns makes the effectiveness of its internal controls 
with respect to physical security essential. 

IRS receives cash and checks mailed to its service centers or lockbox 
banks with accompanying tax returns and information or payment vouchers 
and payments made in person at its offices. While effective physical 
safeguards over receipts should exist throughout the year, it is 
especially important during the peak tax filing season. Each year 
during the weeks preceding and shortly after April 15, an IRS service 
center campus (SCC) or lockbox bank may receive and process daily over 
100,000 pieces of mail containing returns, receipts, or both. The 
dollar value of receipts each service center and lockbox bank processes 
increases to hundreds of millions of dollars a day during the April 15 
time frame. 

Of our 81 open recommendations, the following 9 open recommendations 
are designed to improve IRS's physical controls over vulnerable assets. 
All are short-term in nature. (See table 2.) 

Table 2: Recommendations to Improve IRS's Physical Controls over 
Vulnerable Assets: 

ID no.: 04-08; 
Recommendations: Enforce policies and procedures to ensure that service 
center campus security guards respond to alarms. (short-term). 

ID no.: 06-05; 
Recommendations: Equip all Taxpayer Assistance Centers (TACs) with 
adequate physical security controls to deter and prevent unauthorized 
access to restricted areas or office space occupied by other IRS units, 
including those TACs that are not scheduled to be reconfigured to the 
"new TAC" model in the near future. This includes appropriately 
separating customer service waiting areas from restricted areas in the 
near future by physical barriers such as locked doors marked with signs 
barring entrance by unescorted customers. (short- term). 

ID no.: 06-08; 
Recommendations: Enforce the requirement that all security or other 
responsible personnel at SCCs and lockbox banks record all instances 
involving the activation of intrusion alarms regardless of the 
circumstances that may have caused the activation. (short-term). 

ID no.: 06-15; 
Recommendations: Revise the physical security procedures in the 
Internal Revenue Manual (IRM) to require that all SCCs and any 
respective annex facilities processing taxpayer receipts and/or 
information perform and document monthly tests of the facilities' 
intrusion detection alarms. At a minimum, these procedures should (1) 
outline the type of test to be conducted, (2) include criteria for 
assessing whether the controls used to respond to the alarm were 
effective, and (3) require that a logbook be maintained to document the 
test dates, results, and response information. (short-term). 

ID no.: 07-01; 
Recommendations: Enforce the existing policy requiring that all lockbox 
banks encrypt backup media containing federal taxpayer information. 
(short-term). 

ID no.: 07-02; 
Recommendations: Ensure that lockbox banks store backup media 
containing federal taxpayer information at an off-site location as 
required by the 2006 Lockbox Security Guidelines. (short-term). 

ID no.: 07-03; 
Recommendations: Revise instructions for the annual reviews of lockbox 
banks to encompass routine monitoring of backup media containing 
personally identifiable information to ensure that this information is 
(1) encrypted prior to transmission and (2) stored in an appropriate 
off-site location. (short-term). 

ID no.: 07-04; 
Recommendations: Develop and implement appropriate corrective actions 
for any gaps in closed circuit TV (CCTV) camera coverage that do not 
provide an unobstructed view of the entire exterior of the SCC's 
perimeter, such as adding or repositioning existing CCTV cameras or 
removing obstructions. (short-term). 

ID no.: 07-20; 
Recommendations: Establish and maintain sufficient secured storage 
space to properly secure and safeguard its property and equipment 
inventory, including in-stock inventories assets from incoming 
shipments, and assets that are in the process of being excessed and/or 
shipped out. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Segregation of Duties: 

Internal control standard: Key duties and responsibilities need to be 
divided or segregated among different people to reduce the risk of 
error or fraud. This should include separating the responsibilities for 
authorizing transactions, processing and recording them, reviewing the 
transactions, and handling any related assets. No one individual should 
control all key aspects of a transaction or event. 

IRS employees are responsible for processing trillions of dollars of 
tax receipts each year, of which hundreds of billions are received in 
the form of cash or checks,[Footnote 12] and for processing hundreds of 
billions of dollars in refunds to taxpayers. Consequently, it is 
critical that IRS maintain appropriate separation of duties to allow 
for adequate oversight of staff and protection of these vulnerable 
resources so that no single individual would be in a position of 
causing an error or irregularity, potentially converting the asset to 
personal use, and then concealing it. For example, when an IRS field 
office or lockbox bank receives taxpayer receipts and returns, it is 
responsible for depositing the cash and checks in a depository 
institution and forwarding the related information received to an SCC 
for further processing. In order to adequately safeguard receipts from 
theft, the person responsible for recording the information from the 
taxpayer receipts on a voucher should be different from the individual 
who prepares those receipts for transmittal to the SCC for further 
processing. Also, for procurement of goods and services, the person who 
places an order for goods and services should be different from the 
person who receives the goods and services. Such separation of duties 
will help to prevent the occurrence of fraud, theft of IRS assets, or 
both. 

The following three open recommendations would help IRS improve its 
separation of duties, which will in turn strengthen its controls over 
tax receipts and refunds and procurement activities. All are short-term 
in nature. (See table 3.) 

Table 3: Recommendations to Improve IRS's Segregation of Duties: 

ID no.: 02-16; 
Recommendations: Ensure that field office management complies with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments. (short-
term). 

ID no.: 05-32; 
Recommendations: Establish policies and procedures to require 
appropriate segregation of duties in small business/self- employed 
units of field offices with respect to preparation of Payment Posting 
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term). 

ID no.: 07-21; 
Recommendations: Develop and implement procedures to require that 
separate individuals place orders with vendors and perform receipt and 
acceptance functions when the orders are delivered. (short- term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Controls over Information Processing: 

Internal control standard: A variety of control activities are used in 
information processing. Examples include edit checks of data entered, 
accounting for transactions in numerical sequences, and comparing file 
totals with control totals. There are two broad groupings of 
information systems control--general control (for hardware such as 
mainframe, network, end-user environments) and application control 
(processing of data within the application software). General controls 
include entitywide security program planning, management, and backup 
recovery procedures and contingency and disaster planning. Application 
controls are designed to help ensure completeness, accuracy, 
authorization, and validity of all transactions during application 
processing. 

IRS relies extensively on computerized systems to support its financial 
and mission-related operations. To efficiently fulfill its tax 
processing responsibilities, IRS relies extensively on interconnected 
networks of computer systems to perform various functions, such as 
collecting and storing taxpayer data, processing tax returns, 
calculating interest and penalties, generating refunds, and providing 
customer service. 

As part of our annual audits of IRS's financial statements, we assess 
the effectiveness of IRS's information security controls[Footnote 13] 
over key financial systems, data, and interconnected networks at IRS's 
critical data processing facilities that support the processing, 
storage, and transmission of sensitive financial and taxpayer data. 
From that effort over the years, we have identified information 
security control weaknesses that impair IRS's ability to ensure the 
confidentiality, integrity, and availability of its sensitive financial 
and taxpayer data. As of January 2008, there were 76 open 
recommendations from our information security work designed to improve 
IRS's information security controls.[Footnote 14] As discussed 
previously, recommendations resulting from our information security 
work are reported separately and are not included in this report 
primarily because of the sensitive nature of these issues. 

However, the following open short-term recommendation is related to 
systems limitations and IRS's need to enhance its computer programs. 
(See table 4.) 

Table 4: Recommendation to Improve IRS's Controls over Information 
Processing: 

ID no.: 02-18; 
Recommendations: Work with the National Finance Center (NFC) to resolve 
the technical limitations that exist within the Security Entry and 
Tracking System (SETS) database and continue to periodically review 
SETS data to detect and correct errors. (short- term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Access Restrictions to and Accountability for Resources and Records: 

Internal control standard: Access to resources and records should be 
limited to authorized individuals, and accountability for their custody 
and use should be assigned and maintained. Periodic comparison of 
resources with the recorded accountability should be made to help 
reduce the risk of errors, fraud, misuse, or unauthorized alteration. 

Because IRS deals with a large volume of cash and checks, it is 
imperative that it maintain strong controls to appropriately restrict 
access to those assets, the records that track those assets, and 
sensitive taxpayer information. Although IRS has a number of both 
physical and information system controls in place, some of the issues 
we have identified in our financial audits over the years pertain to 
ensuring that those individuals who have direct access to these cash 
and checks are appropriately vetted before being granted access to 
taxpayer receipts and information and to ensuring that IRS maintains 
effective access security control. 

The following eight open short-term recommendations would help IRS 
improve its access restrictions to assets and records. (See table 5.) 

Table 5: Recommendations to Improve IRS's Access Restrictions to and 
Accountability for Resources and Records: 

ID no.: 05-11; 
Recommendations: Enforce adherence to existing instructions on 
safeguarding taxpayer receipts and information, such as securing access 
and candling procedures, at service center campuses selected for 
significant reductions in their submission processing functions. (short-
term). 

ID no.: 05-13; 
Recommendations: Enforce its existing requirement that appropriate 
background investigations be completed for contractors before they are 
granted staff-like access to service centers. (short- term). 

ID no.: 08-09; 
Recommendations: Establish a mechanism to monitor compliance with 
existing requirement that TAC employees responsible for accepting 
taxpayer payments in cash have their computer system access 
appropriately restricted to limit their ability to adjust taxpayer 
accounts. (short-term). 

ID no.: 08-12; 
Recommendations: Establish procedures to require documentation 
demonstrating that favorable background checks have been completed for 
all contractors prior to allowing them access to TAC and other field 
offices. (short-term). 

ID no.: 08-13; 
Recommendations: Require including, in all shredding service contracts, 
provisions requiring (1) completed background investigations for 
contractor employees before they are granted access to sensitive IRS 
information and (2) periodic, unannounced inspections at off-site 
shredding facilities by IRS to verify ongoing compliance with IRS 
safeguards and security requirements. (short-term). 

ID no.: 08-15; 
Recommendations: Establish procedures to require obtaining and 
reviewing documentation of completed background investigations for all 
shredding contractors before granting them access to taxpayer or other 
sensitive IRS information. (short-term). 

ID no.: 08-16; 
Recommendations: Reinforce existing policies requiring the use of the 
revised Form 13094 when hiring juveniles. (short-term). 

ID no.: 08-17; 
Recommendations: Reinforce existing policies requiring verification of 
the information on Form 13094 by contacting the reference directly and 
documenting the details of this contact. (short- term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Proper Recording and Documenting of Transactions: 

One of the largest obstacles continuing to face IRS management is the 
agency's lack of an integrated financial management system capable of 
producing the accurate, useful, and timely information IRS managers 
need to assist in making well-informed day-to-day decisions. While IRS 
is making progress in modernizing its financial management 
capabilities, it nonetheless continues to face many pervasive internal 
control weaknesses related to its long-standing systems deficiencies 
that we have reported each year since we began auditing its financial 
statements in fiscal year 1992. These deficiencies can only be 
addressed as part of a longer-term effort to overhaul and integrate 
IRS's financial management system structure. Because of the long- 
standing, pervasive nature of these deficiencies, their resolution is 
likely to require more than 2 additional years. 

Nevertheless, IRS also has a number of internal control issues that 
relate to recording transactions, documenting events, and tracking the 
processing of taxpayer receipts or information, which do not depend 
upon longer-term efforts to overhaul and integrate its information 
systems. 

We have grouped three control activities together that relate to proper 
recording and documenting of transactions: (1) appropriate 
documentation of transactions and internal controls, (2) accurate and 
timely recording of transactions and events, and (3) proper execution 
of transactions and events. 

Appropriate Documentation of Transactions and Internal Control: 

Internal control standard: Internal control and all transactions and 
other significant events need to be clearly documented, and the 
documentation should be readily available for examination. The 
documentation should appear in management directives, administrative 
policies, or operating manuals and may be in paper or electronic form. 
All documentation and records should be properly managed and 
maintained. 

IRS collects and processes trillions of dollars in taxpayer receipts 
annually both at its own facilities and at lockbox banks under contract 
to process taxpayer receipts for the federal government. Therefore, it 
is important that IRS maintain effective controls to ensure that all 
documents and records are properly and timely recorded, managed, and 
maintained both at its facilities and at the lockbox banks. IRS must 
adequately document and disseminate its procedures to ensure that they 
are available for IRS employees. IRS must also document its management 
reviews of those controls, such as those regarding refunds and returned 
checks, credit card purchases, and reviews of TACs. Finally, to ensure 
future availability of adequate documentation, IRS must ensure that its 
systems, particularly those now being developed and implemented, have 
appropriate capability to trace transactions. 

The following 12 open recommendations would assist IRS in improving its 
documentation of transactions and internal control procedures. Eleven 
of these recommendations are short-term, and one is long-term. (See 
table 6.) 

Table 6: Recommendations to Improve IRS's Documentation of Transactions 
and Internal Control: 

ID no.: 05-14; 
Recommendations: Require that background investigation results for 
contractors (or evidence thereof) be on file where necessary, including 
at contractor worksites and security offices responsible for 
controlling access to sites containing taxpayer receipts and 
information. (short-term). 

ID no.: 05-39; 
Recommendations: Enforce requirements for documenting monitoring 
actions and supervisory review for manual refunds. (short- term). 

ID no.: 06-01; 
Recommendations: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing. (short-term). 

ID no.: 06-02; 
Recommendations: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including SCCs, TACs, and units within Large and 
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities 
(TE/GE), establish a system to track acknowledged copies of document 
transmittals. (short-term). 

ID no.: 06-04; 
Recommendations: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines. (short-term). 

ID no.: 06-07; 
Recommendations: Document supervisory visits by offsite managers to 
TACs not having a manager permanently on-site. This documentation 
should be signed by the manager and should (1) record the time and date 
of the visit, (2) identify the manager performing the visit, (3) 
indicate the tasks performed during the visit, (4) note any problems 
identified, and (5) describe corrective actions planned. (short-term). 

ID no.: 07-15; 
Recommendations: Issue a memorandum to employees in the Centralized 
Insolvency Office reiterating the IRM requirement to timely record 
bankruptcy discharge information onto taxpayer accounts in the master 
file or to manually release the liens in the Automated Lien System 
(ALS). (short-term). 

ID no.: 08-01; 
Recommendations: As IRS proceeds with its implementation of Custodial 
Detail Data Base (CDDB), it should verify that when it becomes fully 
operational, CDDB, when used in conjunction with the Interim Revenue 
and Accounting Control System (IRACS), will provide IRS with the direct 
transaction traceability for all of its tax-related transactions as 
required by the U.S. Standard General Ledger (SGL), Federal Financial 
Management System Requirements (FFMSR), and thus Federal Financial 
Management Improvement Act of 1996 (FFMIA). (long- term). 

ID no.: 08-02; 
Recommendations: Document and implement the specific procedures to be 
performed by the IRS statistician in each step of the unpaid assessment 
estimation process. (short-term). 

ID no.: 08-07; 
Recommendations: Develop and provide comprehensive guidance to assist 
TAC managers to use in conducting reviews of outlying TACS and 
documenting the results. This guidance should include a description of 
the key controls that should be in place at outlying TACs, specify how 
often these key controls should be reviewed, and specify how the 
results of each review should be documented, including follow-up on 
issues identified in previous TAC reviews. (short-term). 

ID no.: 08-21; 
Recommendations: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase card approving 
officials update and maintain appropriate supporting documentation. 
(short-term). 

ID no.: 08-22; 
Recommendations: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase card holders and 
purchase card approving officials retain copies of all supporting 
documents for a reasonable period of time, such as 3 years. (short-
term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Accurate and Timely Recording of Transactions and Events: 

Internal control standard: Transactions should be promptly recorded to 
maintain their relevance and value to management in controlling 
operations and making decisions. This applies to the entire process or 
life cycle of a transaction or event from the initiation and 
authorization through its final classification in summary records. In 
addition, control activities help to ensure that all transactions are 
completely and accurately recorded. 

IRS is responsible for maintaining taxpayer records for tens of 
millions of taxpayers in addition to maintaining its own financial 
records. To carry out this responsibility, IRS often has to rely on 
outdated computer systems or manual work-arounds. Unfortunately, some 
of IRS's recordkeeping difficulties we have reported on over the years 
will not be addressed until it can replace its aging systems, which is 
a long-term effort and depends on future funding. 

The following 18 open recommendations would strengthen IRS's 
recordkeeping abilities. (See table 7.) Twelve of these recommendations 
are short-term, and 6 are long-term. They include specific 
recommendations regarding requirements for new systems for maintaining 
taxpayer records. Several of the recommendations listed affect 
financial reporting processes, such as subsidiary records and 
appropriate allocation of costs. Some of the issues that gave rise to 
several of our recommendations directly affect taxpayers, such as those 
involving duplicate assessments, errors in calculating and reporting 
manual interest, errors in calculating penalties, and recovery of trust 
fund penalty assessments. About 38 percent of these recommendations are 
5 years or older and 1 is over 10 years old, reflecting the complex 
nature of the underlying system issues that must be resolved to fully 
address of some of these issues. 

Table 7: Recommendations to Improve IRS's Accurate and Timely Recording 
of Transactions and Events: 

ID no.: 94-02; 
Recommendations: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts and 
test the effectiveness of these actions. (short- term). 

ID no.: 99-01; 
Recommendations: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure that all accounts 
related to a single assessment are appropriately credited for payments 
received. (short-term). 

ID no.: 99-03; 
Recommendations: Ensure that IRS's modernization blueprint includes 
developing a subsidiary ledger to accurately and promptly identify, 
classify, track, and report all IRS unpaid assessments by amount and 
taxpayer. This subsidiary ledger must also have the capability to 
distinguish unpaid assessments by category in order to identify those 
assessments that represent taxes receivable versus compliance 
assessments and write-offs. In cases involving trust fund recovery 
penalties, the subsidiary ledger should ensure that (1) the trust fund 
recovery penalty assessment is appropriately tracked for all taxpayers 
liable but counted only once for reporting purposes and (2) all 
payments made are properly credited to the accounts of all individuals 
assessed for the liability. (short-term). 

ID no.: 99-20; 
Recommendations: Analyze and determine the factors causing delays in 
processing and posting Trust Fund Recovery Penalty (TFRP) assessments. 
Once these factors have been determined, IRS should develop procedures 
to reduce the impact of these factors and to ensure timely posting to 
all applicable accounts and proper offsetting of refunds against unpaid 
assessments before issuance. (long-term). 

ID no.: 99-36; 
Recommendations: Make enhancements to IRS financial systems to include 
recording plant and equipment (P&E) and capital leases as assets when 
purchased and to generate detailed records for P&E that reconcile to 
the financial records. (long-term). 

ID no.: 01-17; 
Recommendations: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur. (long-term). 

ID no.: 01-39; 
Recommendations: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities. (long-term). 

ID no.: 02-08; 
Recommendations: Implement policies and procedures to require that all 
employees itemize on their time cards the time spent on specific 
projects. (long-term). 

ID no.: 02-09; 
Recommendations: Implement policies and procedures to allocate 
nonpersonnel costs to programs and activities on a routine basis 
throughout the year. (long-term). 

ID no.: 06-22; 
Recommendations: Direct Facilities Management Branch managers to 
research and resolve the aging reports (short-term). 

ID no.: 07-09; 
Recommendations: Enhance its computer program to check for outstanding 
tax liabilities associated with both the primary and secondary Social 
Security numbers shown on a joint tax return and apply credits to those 
balances before issuing any refund. (short-term). 

ID no.: 07-11; 
Recommendations: Correct the penalty calculation programs in the master 
file so that penalties are calculated in accordance with the applicable 
Internal Revenue Code and implementing IRM guidance. (short-term). 

ID no.: 07-12; 
Recommendations: Research each of the taxpayer accounts that may have 
been affected by the penalty programming errors to determine whether 
they contain overassessed penalties and correct the accounts as needed. 
(short-term). 

ID no.: 07-13; 
Recommendations: Establish procedures and specify in the IRM that at 
the time of receipt, employees recording taxpayer payments should (1) 
determine if the payment is more than sufficient to cover the tax 
liability of the tax period specified on the payment or earliest 
outstanding tax period, (2) perform additional research to resolve any 
outstanding issues on the account, (3) determine whether the taxpayer 
has outstanding balances in other tax periods, and (4) apply available 
credits to satisfy the outstanding balances in other tax periods. 
(short-term). 

ID no.: 07-14; 
Recommendations: Establish procedures and specify in the IRM that 
employees review taxpayer accounts with freeze codes that contain 
credits weekly to (1) research and resolve any outstanding issues on 
the account, (2) determine whether the taxpayer has outstanding 
balances in other tax periods, and (3) apply available credits to 
satisfy the outstanding balances in other tax periods. (short-term). 

ID no.: 07-18; 
Recommendations: Adjust errors in recorded installment agreement user 
fees as necessary to correctly reflect the user fees IRS earned and 
collected from taxpayers. (short-term). 

ID no.: 08-06; 
Recommendations: In instances where computer programs are not 
functioning in accordance with the intent of the IRM, take appropriate 
action to correct the programs so that they function in accordance with 
the IRM. (short-term). 

ID no.: 08-23; 
Recommendations: Issue a memorandum addressed to all personnel 
responsible for updating inventory records that reiterates IRS's 
existing policy requiring that new assets be inputted into the 
inventory system within 10 days of receipt. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Proper Execution of Transactions and Events: 

Internal control standard: Transactions and other significant events 
should be authorized and executed only by persons acting within the 
scope of their authority. This is the principal means of ensuring that 
only valid transactions to exchange, transfer, use, or commit resources 
and other events are initiated or entered into. Authorizations should 
be clearly communicated to managers and employees. 

IRS employs tens of thousands of people in its 10 SCCs, three computing 
centers, and numerous field offices throughout the United States. In 
addition, the number of staff increases significantly during the peak 
of the tax filing season. Because of the significant number of 
personnel involved, IRS must maintain effective control over which 
employees are authorized to either view or change sensitive taxpayer 
data. IRS's ability to establish access rights and permissions for 
information systems is a critical control. 

Each year, IRS pays out hundreds of billions of dollars in tax refunds, 
some of which are distributed to taxpayers manually.[Footnote 15] IRS 
requires that all manual refunds be approved by designated officials. 
However, weaknesses in the authorization of such approving officials 
expose the federal government to losses because of the issuance of 
improper refunds. Likewise, the failure to ensure that employees obtain 
appropriate authorizations to use purchase cards or initiate travel 
similarly leave the government open to fraud, waste, or abuse. The 
following three open short-term recommendations would improve IRS's 
controls over its manual refund, purchase card, and travel 
transactions. (See table 8.) 

Table 8: Recommendations to Improve IRS's Execution of Transaction and 
Events: 

ID no.: 05-37; 
Recommendation: Enforce documentation requirements relating to 
authorizing officials charged with approving manual refunds. (short-
term). 

ID no.: 08-20; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase cardholders obtain 
funding approval or verify that funds are available for the intended 
purpose prior to making a purchase. (short-term). 

ID no.: 08-24; 
Recommendation: Issue a memorandum to employees that reiterates the 
policy requiring all employees to obtain appropriate approvals of 
travel authorizations prior to the initiation of travel. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Effective Management Review and Oversight: 

All personnel within IRS have an important role in establishing and 
maintaining effective internal controls, but IRS's managers have 
additional review and oversight responsibilities. Management must set 
the objectives, put control activities in place, and monitor and 
evaluate controls to ensure that they are followed. Without effective 
monitoring by managers, internal control activities may not be carried 
out consistently and on time. 

We have grouped three control activities together related to effective 
management review and oversight: (1) reviews by management at the 
functional or activity level, (2) establishment and review of 
performance measures and indicators, and (3) management of human 
capital. Although we also include the control activity "top-level 
reviews of actual performance" in this grouping, we do not have any 
open recommendations to IRS related to this internal control activity. 

Reviews by Management at the Functional or Activity Level: 

Internal control standard: Managers need to compare actual performance 
to planned or expected results throughout the organization and analyze 
significant differences. 

IRS has over 71,000 full-time employees and hires over 23,000 seasonal 
personnel to assist during the tax filing season. In addition, as 
discussed earlier, Treasury's Financial Management Service contracts 
with banks to process tens of thousands of individual receipts, 
totaling hundreds of billions of dollars. At any organization, 
management oversight of operations is important, but with an 
organization as vast in scope as IRS, management oversight is 
imperative. 

The following 18 short-term and one long-term open recommendations 
would improve IRS's management oversight of lockbox banks, courier 
services, user fees, penalty calculations, issuance of manual refunds, 
and the timely release of liens. (See table 9.) Many of these 
recommendations were made to correct instances where an internal 
control activity either does not exist or where an established control 
is not being adequately or consistently applied. However, a number of 
these recommendations are aimed at enhancing IRS's own assessment of 
its internal controls over financial reporting in accordance with the 
requirements of the revised OMB Circular No. A-123. 

Table 9: Recommendations to Improve IRS's Reviews by Management at the 
Functional or Activity Level: 

ID no.: 99-22; 
Recommendations: Expand IRS's current review of campus deterrent 
controls to include similar analyses of controls at IRS field offices 
in areas such as courier security, safeguarding of receipts in locked 
containers, requirements for fingerprinting employees, and requirements 
for promptly overstamping checks made out to "IRS" with "Internal 
Revenue Service" or "United States Treasury." Based on the results, IRS 
should make appropriate changes to strengthen its physical security 
controls. (short-term). 

ID no.: 01-06; 
Recommendations: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues. (short-term). 

ID no.: 05-33; 
Recommendations: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information. (short-term). 

ID no.: 05-38; 
Recommendations: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts for manual refunds. (short-term). 

ID no.: 07-17; 
Recommendations: Monitor installment agreement user fee activity on a 
regular basis. (short-term). 

ID no.: 07-19; 
Recommendations: Establish sufficient review procedures to help ensure 
that adjustments to installment agreement user fees collected from 
taxpayers are accurately and timely recorded. (short- term). 

ID no.: 07-22; 
Recommendations: Document the results of internal control tests 
conducted in a manner sufficiently clear and complete to explain how 
control procedures were tested, what results were achieved, and how 
conclusions were derived from those results, without reliance on 
supplementary oral explanation. (short-term). 

ID no.: 07-23; 
Recommendations: Clearly document how it considered existing reviews 
and audits in determining the nature, scope, and timing of procedures 
it planned to conduct under its OMB Circular No. A-123 process. (short-
term). 

ID no.: 07-24; 
Recommendations: To the extent that it intends to use the information 
security work conducted under the Federal Information Security 
Management Act of 2002 (FISMA) to meet related A-123 requirements, 
identify the areas where the work conducted under FISMA does not meet 
the requirements of OMB Circular No. A-123 and, considering the 
findings and recommendations of our work on IRS's information security, 
expand FISMA procedures or perform additional procedures as part of the 
A-123 reviews to augment FISMA work. (short- term). 

ID no.: 07-25; 
Recommendations: Revise A-123 test plans to include appropriate 
consideration of the design of internal controls in addition to 
implementation of controls over individual transactions. (short-term). 

ID no.: 07-26; 
Recommendations: Work with Treasury to identify laws and regulations 
that are significant to financial reporting, test controls over 
compliance with those laws and regulations, and evaluate and report on 
the results of such control reviews. (short-term). 

ID no.: 07-27; 
Recommendations: Begin devising appropriate A-123 follow-up procedures 
for the last 3 months of the fiscal year to be implemented once the 
material weaknesses identified through the annual financial statement 
audits have been resolved. (short-term). 

ID no.: 08-04; 
Recommendations: To address the inconsistency in assigning the 
effective date of an accuracy penalty, modify the Business Master File 
computer program so that the date of the deficiency assessment is used 
as the effective date of any related accuracy penalty. (long-term). 

ID no.: 08-05; 
Recommendations: Complete and document the review of existing programs 
in the master files that affect penalty calculations to identify any 
instances in which programs are not functioning in accordance with the 
intent of the IRM. (short-term). 

ID no.: 08-08; 
Recommendations: Establish a process to periodically update and 
communicate the specific required reviews for all off-site TAC 
managers. (short-term). 

ID no.: 08-11; 
Recommendations: Modify the IRM to specify qualifications and 
geographical proximity requirements for individuals designated as first 
responders to duress alarms at IRS facilities, and to require that the 
responsibilities and qualifications of all designated first responders 
be periodically reviewed to verify that over time, they continue to be 
qualified and appropriately located, and to make any necessary 
adjustments. (short-term). 

ID no.: 08-14; 
Recommendations: Revise the IRM to include a requirement that IRS 
conduct periodic, unannounced inspections at off-site contractor 
facilities entrusted with sensitive IRS information; document the 
results, including identification of any security issues; and verify 
that the contractor has taken appropriate corrective actions on any 
security issues observed. (short-term). 

ID no.: 08-18; 
Recommendations: Issue a memorandum to Receipt Control Operations Unit 
staff reiterating existing requirements for (1) supervisory reviews of 
the processing of TE/GE user fee deposits and (2) key documentation to 
be signed and dated by the supervisor as evidence of that review. 
(short-term). 

ID no.: 08-19; 
Recommendations: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase card approving 
officials and purchase cardholders sign and date monthly account 
statements attesting to their review and completion of the required 
reconciliation process. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Establishment and Review of Performance Measures and Indicators: 

Internal control standard: Activities need to be established to monitor 
performance measures and indicators. These controls could call for 
comparisons and assessments relating different sets of data to one 
another so that analyses of the relationships can be made and 
appropriate actions taken. Controls should also be aimed at validating 
the propriety and integrity of both organizational and individual 
performance measures and indicators. 

IRS's operations include a vast array of activities encompassing 
educating taxpayers, processing of taxpayer receipts and data, 
disbursing hundreds of billions of dollars in refunds to millions of 
taxpayers, maintaining extensive information on tens of millions of 
taxpayers, and seeking collection from individuals and businesses that 
fail to comply with the nation's tax laws. Within its compliance 
function, IRS has numerous activities, including identifying businesses 
and individuals that underreport income, collecting from taxpayers that 
do not pay taxes, and collecting from those receiving refunds for which 
they are not eligible. Although IRS has at its peak over 94,000 
employees, it still faces resource constraints in attempting to fulfill 
its duties. Because of this, it is vitally important for IRS to have 
sound performance measures to assist it in assessing its performance 
and targeting its resources to maximize the government's return on 
investment. 

However, in past audits we have reported that IRS did not capture costs 
at the program or activity level to assist in developing cost-based 
performance measures for its various programs and activities. As a 
result, IRS is unable to measure the costs and benefits of its various 
collection and enforcement efforts to best target its available 
resources. 

The following three long-term open recommendations are designed to 
assist IRS in evaluating its operations, determining which activities 
are the most beneficial, and establishing a good system for oversight. 
(See table 10.) These recommendations call for IRS to measure, track, 
and evaluate the costs, benefits, or outcomes of its operations-- 
particularly with regard to identifying its most effective tax 
collection activities. 

Table 10: Recommendations to Improve IRS's Establishment and Review of 
Performance Measures and Indicators: 

ID no.: 99-29; 
Recommendations: Develop the data to support meaningful cost 
information categories and cost-based performance measures. (long- 
term). 

ID no.: 01-04; 
Recommendations: As an alternative to prematurely suspending active 
collection efforts, and using the best available information, develop 
reliable cost-benefit data relating to collection efforts for cases 
with some collection potential. These cost-benefit data would include 
the full cost associated with the increased collection activity (i.e., 
salaries, benefits, administrative support), as well as the expected 
additional tax collections generated. (long-term). 

ID no.: 01-12; 
Recommendations: For (1) IRS's Automated Underreporter (AUR) and 
Combined Annual Wage Reporting (CAWR) programs, (2) screening and 
examination of Earned Income Tax Credit claims, and (3) identifying and 
collecting previously disbursed improper refunds, use the best 
available information to develop reliable cost-benefit data to estimate 
the tax revenue collected by, and the amount of improper refunds 
returned to, IRS for each dollar spent pursuing these outstanding 
amounts. These data would include (1) an estimate of the full cost 
incurred by IRS in performing each of these efforts, including the 
salaries and benefits of all staff involved, as well as any related 
nonpersonnel costs, such as supplies and utilities and (2) the actual 
amount (a) collected on tax amounts assessed and (b) recovered on 
improper refunds disbursed. (long-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Management of Human Capital: 

Internal control standard: Effective management of an organization's 
workforce--its human capital--is essential to achieving results and an 
important part of internal control. Management should view human 
capital as an asset rather than a cost. Only when the right personnel 
for the job are on board and are provided the right training, tools, 
structure, incentives, and responsibilities is operational success 
possible. Management should ensure that skill needs are continually 
assessed and that the organization is able to obtain a workforce that 
has the required skills that match those necessary to achieve 
organizational goals. Training should be aimed at developing and 
retaining employee skill levels to meet changing organizational needs. 
Qualified and continuous supervision should be provided to ensure that 
internal control objectives are achieved. Performance evaluation and 
feedback, supplemented by an effective reward system, should be 
designed to help employees understand the connection between their 
performance and the organization's success. As a part of its human 
capital planning, management should also consider how best to retain 
valuable employees, plan for their eventual succession, and ensure 
continuity of needed skills and abilities. 

IRS's operations cover a wide range of technical competencies with 
specific expertise needed in tax-related matters; financial management; 
and systems design, development, and maintenance. Because IRS has tens 
of thousands of employees spread throughout the country, it is 
imperative that management keeps its guidance up-to-date and its staff 
properly trained. 

The following five open short-term recommendations would assist IRS in 
its management of human capital. (See table 11.) 

Table 11: Recommendations to Improve IRS's Management of Human Capital: 

ID no.: 99-25; 
Recommendations: Ensure that additional staff are employed or existing 
staff appropriately cross-trained to be able to perform the master file 
extractions and other ad hoc procedures needed for IRS to continually 
develop reliable balances for financial reporting purposes. (short-
term). 

ID no.: 07-08; 
Recommendations: Require that managers or supervisors provide the 
manual refund initiators in their units with training on the most 
current requirements to help ensure that they fulfill their 
responsibilities to monitor manual refunds and document their 
monitoring actions to prevent the issuance of duplicate refunds. (short-
term). 

ID no.: 07-28; 
Recommendations: Provide A-123 review staff appropriate training, such 
as that available for financial auditors, to enhance their skills in 
workpaper documentation, identification and testing of internal 
controls, and evaluation and documentation of results. (short- term). 

ID no.: 08-03; 
Recommendations: Document and implement specific detailed procedures 
for reviewers to follow in their review of unpaid assessments 
statistical estimates. Specifically, IRS should require that a detailed 
supervisory review be performed to ensure: (1) the statistical validity 
of the sampling plans, (2) data entered into the sample selection 
programs agree with the sampling plans, (3) data entered into the 
statistical projection programs agree with IRS's sample review results, 
(4) data on the spreadsheets used to compile the interim projections 
and roll-forward results trace back to supporting statistical 
projection results, and (5) the calculations on these spreadsheets are 
mathematically correct. (short-term). 

ID no.: 08-10; 
Recommendations: Establish procedures requiring periodic verification 
that all individuals designated as first responders to TAC duress 
alarms are appropriately qualified and geographically located to 
respond to the potentially dangerous situations in an effective and 
timely manner. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Open Recommendations Arranged by Related Material Weakness, Significant 
Deficiency, Compliance Issue, or Other Control Issue: 

For several years, we have reported material weaknesses, a significant 
deficiency, noncompliance with laws and regulations, and other control 
issues in our annual financial statement audits and related management 
reports.[Footnote 16] To assist IRS in addressing those control issues, 
Appendix II provides summary information regarding the primary issue to 
which each open recommendation is related. To compile this summary, we 
analyzed the nature of the open recommendations to relate them to the 
material weaknesses, significant deficiency, compliance issues, and 
other control issues not associated with a material weakness or 
significant deficiency identified as part of our financial statement 
audit. 

Concluding Observations: 

Increased budgetary pressures and an increased public awareness of the 
importance of internal control require IRS to carry out its mission 
more efficiently and more effectively while protecting taxpayers' 
information. 

Sound financial management and effective internal controls are 
essential if IRS is to efficiently and effectively achieve its goals. 
IRS has made substantial progress in improving its financial management 
since its first financial audit, as evidenced by consecutive clean 
audit opinions on its financial statements for the past 8 years, 
resolution of several material internal control weaknesses, and actions 
taken resulting in the closure of hundreds of financial management 
recommendations. This progress has been the result of hard work by many 
individuals throughout IRS and sustained commitment of IRS leadership. 
Nonetheless, more needs to be done to fully address the agency's 
continuing financial management challenges. Further efforts are needed 
to address the internal control deficiencies that continue to exist. 
Effective implementation of the recommendations we have made and 
continue to make through our financial audits and related work could 
greatly assist IRS in improving its internal controls and achieving 
sound financial management. While we recognize that some actions-- 
primarily those related to modernizing automated systems--will take a 
number of years to resolve, most of our outstanding recommendations can 
be addressed in the short-term. 

Agency Comments and Our Evaluation: 

In commenting on a draft of this report, IRS expressed its appreciation 
for our acknowledgment of the agency's progress in addressing its 
financial management challenges as evidenced by our closure of 18 open 
financial management recommendations from GAO's prior year report. IRS 
also commented that it is committed to implementing appropriate 
improvements to ensure that the IRS maintains sound financial 
management practices. We will review the effectiveness of further 
corrective actions IRS has taken or will take and the status of IRS's 
progress in addressing all open recommendations as part of our audit of 
IRS's fiscal year 2008 financial statements. 

We are sending copies of this report to the Chairmen and Ranking 
Members of the Senate Committee on Appropriations; Senate Committee on 
Finance; Senate Committee on Homeland Security and Governmental 
Affairs; and Subcommittee on Taxation, IRS Oversight and Long-Term 
Growth, Senate Committee on Finance. We are also sending copies to the 
Chairmen and Ranking Members of the House Committee on Appropriations; 
House Committee on Ways and Means; the Chairman and Vice Chairman of 
the Joint Committee on Taxation; the Secretary of the Treasury; the 
Director of OMB; the Chairman of the IRS Oversight Board; and other 
interested parties. Copies will be made available to others upon 
request. In addition, the report will be available at no charge on 
GAO's Web site at [hyperlink, http://www.gao.gov]. 

If you have any questions concerning this report, please contact me at 
(202) 512-3406 or sebastians@gao.gov. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. GAO staff who made major contributions to this 
report are listed in appendix IV. 

Sincerely yours, 

Signed by: 

Steven J. Sebastian: 

Director Financial Management and Assurance: 

[End of section] 

Appendix I: Status of GAO Recommendations from IRS Financial Audits and 
Related Management Reports: 

ID no.: 94-02; 
Recommendation: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts, and 
test the effectiveness of these actions. (short- term); 
Financial Management: Important IRS Revenue Information Is Unavailable 
or Unreliable (GAO/AIMD-94-22; , Dec. 21, 1993); 
Status per IRS: Open. The Internal Revenue Service's (IRS) Exam Policy 
has expanded its action plan to include short-term actions for fiscal 
year 2008. By June 30, 2008, it plans to issue a memorandum to 
emphasize the importance of training employees who calculate interest 
and outline available training modules. By September 30, 2008, it plans 
to offer assistance reviews as requested to verify adherence to 
procedures, and to improve the process for employees to elevate issues 
to the program office for resolution. By January 1, 2009, Exam Policy 
will coordinate additional interest- related training to target field 
exam and collection personnel; 
Status per GAO: Open. In testing a statistical sample of 45 manual 
interest transactions recorded during fiscal year 2006, we found eight 
errors relating to the calculation and recording of manually calculated 
interest. Based on this, we estimated that 18 percent of IRS's manual 
interest population contains errors and concluded that IRS's controls 
over this area remain ineffective. The ineffectiveness of these 
controls contributes to errors in taxpayer records, which is a major 
component of the material weakness in IRS's unpaid assessments. During 
fiscal year 2007, IRS did not make any significant improvements to 
controls related to manual interest calculations. We will continue to 
evaluate IRS's corrective actions in future audits. 

ID no.: 99-01; 
Recommendation: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure that all accounts 
related to a single assessment are appropriately credited for payments 
received. (short-term)Internal Revenue Service: Immediate and Long-Term 
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 
30, 1998); 
Status per IRS: Open. IRS's Small Business/Self-Employed (SB/SE) 
Division began a Trust Fund Recovery Penalty (TFRP) Database Cleanup 
Initiative in September 2006 that involved a combined systemic clean-up 
and systemically-assisted, manual cleanup. SB/SE completed the clean-up 
initiative in January 2008. According to IRS, one of the 
accomplishments of the clean-up initiative was to reduce cross-
reference errors by 32.4 percent. IRS will continue to identify and 
submit work requests to address current programming shortfalls, 
corrections and enhancements to the Automated Trust Fund Recovery 
(ATFR) program and database. The Work Request Tracking System will 
improve the Area Office, Control Point Monitoring, and Campus 
Compliance components of the database. These enhancements and 
improvements include but are not limited to minimizing accounts 
requiring manual intervention, providing increased managerial oversight 
through the creation of various reports and improvements to the current 
inventory delivery system; 
Status per GAO: Open. IRS has taken several actions to strengthen 
controls and correct programming or procedural deficiencies in the 
cross-referencing of payments. To ensure quality, timeliness, and 
accuracy of the TFRP process, IRS recently completed a quality review 
process that improved the accuracy rate of cross- references recorded 
in its master files. Additionally, IRS continues to monitor the 
accuracy and effectiveness of the TFRP process and all corrective 
actions already in place. However, IRS's actions have not been 
completely successful in addressing this issue. As part of our fiscal 
year 2007 financial audit, we reviewed a statistical sample of 76 TFRP 
payments, made on accounts created since August 2001. We found nine 
instances in which IRS did not properly record the payments to all 
related taxpayer accounts. We estimate that 11.8 percent of these 
payments may not be properly recorded. Thus, we conclude that IRS's 
controls over this area remain ineffective. The ineffectiveness of 
these controls contributes to errors in taxpayer records, which is a 
major component of our reported material weakness in IRS's unpaid 
assessments. We will continue to review IRS's corrective actions to 
address this issue during our fiscal year 2008 audit. 

ID no.: 99-03; 
Recommendation: Ensure that IRS's modernization blueprint includes 
developing a subsidiary ledger to accurately and promptly identify, 
classify, track, and report all IRS unpaid assessments by amount and 
taxpayer. This subsidiary ledger must also have the capability to 
distinguish unpaid assessments by category in order to identify those 
assessments that represent taxes receivable versus compliance 
assessments and write-offs. In cases involving trust fund recovery 
penalties, the subsidiary ledger should ensure that (1) the trust fund 
recovery penalty assessment is appropriately tracked for all taxpayers 
liable but counted only once for reporting purposes and (2) all 
payments made are properly credited to the accounts of all individuals 
assessed for the liability. (short-term); 
Source report: Internal Revenue Service: Immediate and Long-Term 
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 
30, 1998); 
Status per IRS: Open. IRS is developing the Custodial Detailed Data 
Base (CDDB), which it believes will ultimately address many of the 
outstanding financial management recommendations. IRS implemented the 
first phase of the CDDB during fiscal year 2006. In fiscal year 2007, 
IRS enhanced the CDDB to process a larger percentage of accounts 
associated with unpaid payroll taxes and began journalizing unpaid 
assessment information from CDDB to the Interim Revenue and Accounting 
Control System (IRACS) weekly; the first step in establishing CDDB to 
serve as the subsidiary ledger for unpaid assessments. For fiscal year 
2008, IRS is continuing to enhance the CDDB in order to process an even 
larger percentage of accounts associated with unpaid payroll taxes; 
Status per GAO: Open. IRS's development and use of CDDB has improved 
its ability to analyze and classify related taxpayer accounts 
associated with unpaid payroll taxes. However, CDDB is currently not 
able to analyze and classify 100 percent of such cases. In fiscal year 
2007, IRS implemented CDDB programs to begin journalizing tax debt 
information from its master files to its general ledger weekly, a first 
step in establishing CDDB's capability to serve as a subsidiary ledger 
for unpaid tax debt. However, IRS is presently unable to use CDDB as 
its subsidiary ledger for posting tax debt information to its general 
ledger in a manner that ensures reliable external reporting. 
Specifically, to report balances for taxes receivables and other unpaid 
tax assessments in its financial statements and required supplemental 
information, IRS must continue to apply statistical sampling and 
estimation techniques to master file data processed through CDDB at 
year-end. Even though CDDB is capable of analyzing master file data 
weekly to produce tax debt information classified into the various 
financial reporting categories (taxes receivables, compliance 
assessments, and write-offs), this information contains material 
inaccuracies. For example, over $20 billion in adjustments to the year-
end gross taxes receivable balance produced by CDDB were needed to 
correct for errors. Full operational capability of CDDB is several 
years away and depends in part on the successful implementation of 
future system releases through 2009. The lack of a fully functioning 
subsidiary ledger capable of producing accurate, useful, and timely 
information with which to manage and report externally is a major 
component of our reported material weakness in IRS's unpaid 
assessments. We will continue to monitor IRS's development of CDDB 
during our fiscal year 2008 and future audits. 

ID no.: 99-19; 
Recommendation: Ensure that walk-in payment receipts are recorded in a 
control log prior to depositing the receipts in the locked container 
and ensure that the control log information is reconciled to receipts 
prior to submission of the receipts to another unit for payment 
processing. To ensure proper segregation of duties, an employee not 
responsible for logging receipts in the control log should perform the 
reconciliation. (short-term); 
Status report: Internal Revenue Service: Physical Security Over 
Taxpayer Receipts and Data Needs Improvement (GAO/AIMD-99-15, Nov. 30, 
1998); 
Status per IRS: Closed. Recommendation is no longer directly applicable 
to IRS's current business operations. The Wage and Investment (W&I) 
Division is no longer organized by districts, and no longer has teller 
functions. The operations aspect of the recommendation has been 
addressed with procedures and processes in recommendation 99-22. 
Managerial aspects of the control logs and reviews are addressed in 
recommendations 02-16 and 05-33, where IRS addresses its monitoring 
activities and efforts to improve its current state of compliance; 
Status per GAO: Closed. The original report issued in November 1998 
directs the intent of this recommendation to the Customer Service Units 
at district offices that collected walk-in payments. Since that time 
IRS reorganized its operations into four operating divisions with 
particular responsibility for the collection of individual and 
corporate taxes, examination of returns, and taxpayer assistance. 
Specifically, the W&I Division's Taxpayer Assistance Centers (TACs) now 
handle the collection of walk-in payment receipts. Therefore, we agree 
that recommendations 99-22, 02-16 and 05-33 address the substance of 
the weaknesses reported in the November 1998 report. We will continue 
to monitor those recommendations to assess IRS's corrective actions. 

ID no.: 99-20; 
Recommendation: Analyze and determine the factors causing delays in 
processing and posting Trust Fund Recovery Penalty (TFRP) assessments. 
Once these factors have been determined, IRS should develop procedures 
to reduce the impact of these factors and to ensure timely posting to 
all applicable accounts and proper offsetting of refunds against unpaid 
assessments before issuance. (long-term); 
Source report: Internal Revenue Service: Custodial Financial Management 
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); 
Status per IRS: Open. IRS implemented the Area Office (AO) ATFR Web 
application. This implementation included the Web version of the 
Control Point Monitoring (CPM) portion of the application. The CPM acts 
as the conduit from the AO to the Campus for assessment. IRS drafted 
new Internal Revenue Manual (IRM) procedures to complement the CPM AO 
Web processing, and is currently testing these procedures. IRS plans to 
assess the results of the test and implement the IRM procedures as 
appropriate. IRS continues to identify and submit Work Requests and 
Information Technology Assets Management System tickets to enhance the 
assessment process and provide for efficiencies in the CPM process. 
These include but are not limited to the systemic generation of the 
Form 5942, redefining the current inventory assignment system and 
creating inventory and management reports; 
Status per GAO: Open. To ensure quality, timeliness, and accuracy of 
the TFRP process, the IRS initiated a quality review process that 
focused on two primary areas, the first being consolidation of all TFRP 
work to one campus. Consolidation of all SB/SE ATFR work to the Ogden 
Campus was completed in September 2005. All W&I business unit TFRP work 
was transferred to SB/SE Campuses as of January 2006. The second area 
IRS undertook was the task of rewriting the ATFR area office user 
component to provide system flexibility that better replicates the 
realities of the current trust fund investigation/proposal process. IRS 
continues to monitor the accuracy and effectiveness of the TFRP process 
and all corrective actions already in place. According to IRS, it 
completed consolidation of ATFR work at its Ogden Campus by September 
2005. However, during our fiscal year 2007 audit, we continued to find 
long delays in IRS's processing and posting of TFRP assessments. In one 
case, we noted that IRS did not record the assessment against the 
responsible officer until 4 years after it made the determination that 
the officer was responsible for the TFRP. In another case, IRS did not 
record the TFRP assessment against the officer until almost 3 years 
after it made the determination that the officer was responsible for 
the TFRP. Such delays in recording taxpayer information contribute to 
errors in taxpayer records, which is a major component of our reported 
material weakness in IRS's unpaid assessments. We will continue to 
review IRS's corrective actions related to this issue as part of our 
fiscal year 2008 audit. 

ID no.: 99-22; 
Recommendation: Expand IRS's current review of campus deterrent 
controls to include similar analyses of controls at IRS field offices 
in areas such as courier security, safeguarding of receipts in locked 
containers, requirements for fingerprinting employees, and requirements 
for promptly overstamping checks made out to "IRS" with "Internal 
Revenue Service" or "United States Treasury." Based on the results, IRS 
should make appropriate changes to strengthen its physical security 
controls. (short-term); 
Source report: Internal Revenue Service: Custodial Financial Management 
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); 
Status per IRS: Closed. All IRS field offices continue to provide 
training and to perform reviews to strengthen controls over 
remittances. The Large and Mid-sized Business (LMSB) requires each 
field executive to certify that each group either had in its possession 
or was able to obtain the stamp. LMSB obtained certifications from the 
LMSB Industry Headquarter Offices that field groups are maintaining and 
using the US Treasury stamps, and that they are covering these 
procedures periodically in group meetings or through issuance of 
memorandums. LMSB implemented a training module on July 28, 2006 on the 
responsibilities and procedures for payment processing and check 
handling. SB/SE collection group managers have been instructed to 
periodically review remittance packages transmitted by revenue officers 
and designated clerical employees using a random selection process. In 
addition, territory managers review the group manager's control of 
those reviews. SB/SE Headquarters will be addressing this in interviews 
with territory managers as part of their operational reviews. Tax 
Exempt and Government Entities (TE/GE) continues to perform reviews to 
ensure adherence to the IRM procedures and to require managers to 
confirm that each group either had in its possession or was able to 
obtain the stamp; 
Status per GAO: Open. The objective of this recommendation was to 
create a mechanism for IRS to monitor the status of pervasive 
weaknesses in controls over taxpayer receipts and information that we 
have found at IRS's field offices over the years. The purpose of this 
monitoring is to facilitate the timely detection and effective 
resolution of issues and to verify the effectiveness of new and 
existing policies and procedures on an ongoing basis. During our fiscal 
year 2007 audit, we identified one instance at an SB/SE unit where 
employees did not have access to stamps needed to overstamp improper 
payee lines. Also, at five SB/SE field offices we found that there was 
no system in place or evidence maintained to track acknowledged 
document transmittals. Had IRS periodically reviewed the effectiveness 
of these controls in field offices as we recommended, these issues 
might have been detected and corrected. In addition, during our review 
of IRS's response to this recommendation, we asked IRS to provide a 
list and blank copies of the reviews that are performed within the 
LMSB, SBSE, and TEGE business units that address key controls over (1) 
physical security, (2) procedural safeguards, and (3) the transfer of 
taxpayer receipts and information. While IRS provided extensive 
explanations of the various procedures and reviews that are performed, 
IRS did not provide copies of the reviews covering all three business 
units for our evaluation to assess the adequacy and frequency of these 
reviews. We will continue to assess IRS's actions during our fiscal 
year 2008 audit. 

ID no.: 99-25; 
Recommendation: Ensure that additional staff are employed or existing 
staff appropriately cross-trained to be able to perform the master file 
extractions and other ad hoc procedures needed for IRS to continually 
develop reliable balances for financial reporting purposes. (short-
term); 
Source report: Internal Revenue Service: Custodial Financial Management 
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); 
Status per IRS: Open. The IRS is continuing to develop CDDB. Each 
release is providing more detail for unpaid assessments, and new 
functionality will be added for revenue and refunds in fiscal year 2008 
to reduce the reliance on master file extracts and ad hoc procedures. 
The Chief Financial Officers (CFO) office has hired three additional 
staff and is cross-training existing staff to perform more of the ad 
hoc procedures to reduce the work on Modernization & Information 
Technology Services for financial reporting purposes. IRS continues to 
have contractor support to ensure that master file extracts and other 
ad hoc procedures are in place to continually develop reliable balances 
for financial reporting purposes while it finalizes CDDB and develops 
the IRACS redesign to be a compliant general ledger; 
Status per GAO: Open. We will continue to assess IRS's actions during 
our fiscal year 2008 audit. 

ID no.: 99-29; 
Recommendation: Develop the data to support meaningful cost information 
categories and cost-based performance measures. (long- term); 
Source report: Internal Revenue Service: Serious Weaknesses Impact 
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 
1999); 
Status per IRS: Open. IRS now has 3 complete years of fully allocated 
cost data in the Integrated Financial System (IFS). The Statement of 
Net Costs is now produced from the cost accounting module of IFS. IRS 
also initiated a project in fiscal year 2007 to identify the issues 
associated with developing a methodology for determining the costs of 
performance measures within IRS; 
Status per GAO: Open. We confirmed that IRS continued to improve its 
cost accounting capability in fiscal year 2007. However, while the cost 
accounting module of IFS successfully produced the Statement of Net 
Costs, it still does not provide IRS with the ability to produce full 
cost information for its performance measures. IRS states that it 
initiated a strategy to develop cost data for performance measures. We 
will continue to review and assess IRS's initiatives during our fiscal 
year 2008 audit. 

ID no.: 99-36; 
Recommendation: Make enhancements to IRS financial systems to include 
recording plant and equipment (P&E) and capital leases as assets when 
purchased and to generate detailed records for P&E that reconcile to 
the financial records. (long-term); 
Source report: Internal Revenue Service: Serious Weaknesses Impact 
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 
1999); 
Status per IRS: Closed. IRS continues to strengthen internal controls 
and procedures to enhance its ability to account for P&E in IFS. P&E, 
including capital leases, are recorded as assets when purchased. During 
fiscal year 2007, IRS revised the dollar threshold for review of P&E 
accounting transactions and conducted intensive reviews of the large-
dollar transactions, increasing the accuracy of P&E reporting. IRS also 
improved its capability to capitalize assets or expense other items and 
to properly account for Business System Modernization costs in internal 
use software; 
Status per GAO: Open. Our fiscal year 2007 P&E valuation testing 
revealed problems with the linking of the purchase of assets recorded 
in the general ledger system to the P&E inventory system, which 
indicates that IRS's detailed P&E records do not yet fully reconcile to 
the financial records. We will continue to monitor IRS's strategy in 
addressing these financial management system issues. 

ID no.: 01-04; 
Recommendation: As an alternative to prematurely suspending active 
collection efforts, and using the best available information, develop 
reliable cost-benefit data relating to collection efforts for cases 
with some collection potential. These cost-benefit data would include 
the full cost associated with the increased collection activity (i.e., 
salaries, benefits, administrative support), as well as the expected 
additional tax collections generated. (short-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status 
per IRS: Open. IRS has developed a workload delivery model that 
integrates the work plans of each source of assessment to evaluate the 
overall impact on downstream collection operations. IRS is continuing 
to look at case delivery practices from an overall perspective and make 
recommendations for changes to case routing and assignment priorities. 
IRS is also monitoring the nonfiler strategy and work plans to improve 
the identification of and selection of nonfiler cases to balance the 
working of nonfiler inventory with balance-due inventory. Additionally, 
IRS is also continuing the project to enhance its decision analytical 
models used for selecting cases based on their predicted collection 
potential to apply decision analytics to both delinquent accounts and 
unfiled returns; apply decision analytics to all categories of taxpayer 
not just small business, self-employed; expand the use of internal and 
external data sources to increase the portion of cases predicted by the 
models; ultimately develop alternative treatment strategies based on 
the least costly treatment indicated by the models; and update 
definitions for complex cases to improve routing to field collection; 
Status per GAO: Open. According to IRS, SB/SE has initiated several 
projects to build additional decision analytical models to increase its 
ability to route cases to the appropriate resource. These projects 
utilize more sophisticated computer modeling and risk assessment 
techniques to improve the targeting of cases to pursue. The Collection 
Governance Council was established to ensure the inventory is balanced 
and resources are expended appropriately. IRS has estimated several 
billion dollars in additional tax collections have been realized 
through the use of the collection approach developed from the projects. 
Although these efforts have helped IRS target cases for collection, its 
ability to assess the relative merits of these efforts continues to be 
hindered by its inability to reliably measure how much it collects as a 
result of these efforts, relative to their associated costs. In 
addition, these efforts are primarily focused on SB/SE, thus they do 
not represent an integrated agencywide systemic approach to managing 
the collection of unpaid taxes across the scope of IRS's activities. 
IRS has made some improvements in prioritizing its inventory of 
collection cases; but more needs to be done by IRS to address the full 
range of cost-benefit considerations. We will continue to review IRS's 
initiatives to manage resource allocation levels for its collection 
efforts. 

ID no.: 01-06; 
Recommendation: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues. (short-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status 
per IRS: Open. IRS continues to address and correct issues that cause 
late lien releases through a Lien Release Action Plan, and conducting 
reviews as a part of A-123. In April 2007 IRS's review of lien releases 
found it had improved the timely release of liens to 88 percent, a 19 
percentage point increase from the 69 percent timeliness rate in fiscal 
year 2006. IRS added new action items and corrective actions to address 
new and repeat issues. IRS's goal is to reduce overall lien release 
error rates to below 5 percent by September 30, 2009; 
Status per GAO: Open. IRS has taken a number of actions over the past 
several years to address this issue. IRS developed an action plan to 
incorporate the requirements of the revised OMB Circular No. A-123. The 
overall action addresses untimely lien releases, including 
identification of causes and where they occur organizationally. For 
example, IRS centralized all lien processing at its Cincinnati Service 
Center Campus in 2005. Additionally, in July 2006, IRS enhanced various 
lien-processing exception reports to include a cumulative listing of 
unresolved lien releases, allowing it to more readily track the release 
status and take corrective action. However, during our fiscal year 2007 
audit, we continued to find delays in the release of liens. In its OMB 
No. A-123 testing of lien releases, IRS found 7 instances out of 59 
cases tested in which it did not release the applicable federal tax 
lien within the statutory period. The time between the satisfaction of 
the liability and release of the lien ranged from 35 days to 135 days. 
Based on its sample, IRS estimated that for about 12 percent of unpaid 
tax assessment cases in which it had filed a tax lien that were 
resolved in fiscal year 2007, it did not release the lien within 30 
days. IRS is 95 percent confident that the percentage of cases in which 
the lien was not released within 30 days does not exceed 21 percent. 
IRS's ineffective controls over this area results in its non-compliance 
with Internal Revenue Code section 6325 which requires IRS to release 
its tax liens within 30 days of the date the related tax liability was 
fully satisfied, had become legally unenforceable, or the Secretary of 
the Treasury has accepted a bond for the assessed tax. We will continue 
to assess the affect of IRS's actions and continue to review IRS's 
testing of tax lien releases as part of our fiscal year 2008 audit. 

ID no.: 01-12; 
Recommendation: For (1) IRS's Automated Underreporter (AUR) and 
Combined Annual Wage Reporting (CAWR) programs, (2) screening and 
examination of Earned Income Tax Credit claims, and (3) identifying and 
collecting previously disbursed improper refunds, use the best 
available information to develop reliable cost-benefit data to estimate 
the tax revenue collected by, and the amount of improper refunds 
returned to, IRS for each dollar spent pursuing these outstanding 
amounts. These data would include (1) an estimate of the full cost 
incurred by IRS in performing each of these efforts, including the 
salaries and benefits of all staff involved, as well as any related 
nonpersonnel costs, such as supplies and utilities and (2) the actual 
amount (a) collected on tax amounts assessed and (b) recovered on 
improper refunds disbursed. (long-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status 
per IRS: Open. IRS has taken steps to screen and examine Earned Income 
Tax Credit (EITC) claims and to address the collection of AUR and CAWR 
as part of the workload delivery model. For EITC IRS is pursuing 
estimating the full cost of these programs, and in the interim IRS is 
using information such as annual error rate estimates and high-level 
return on investment (ROI) computations for EITC base compliance 
activities and initiatives to make sound decisions about resource 
investments. IRS employs a ROI estimate for compliance activities that 
uses labor costs associated with protecting revenue for both pre-refund 
and post-refund activities. Since labor represents approximately 73 
percent of the total IRS budget (2007) and 91 percent of the EITC 
budget, ROI calculations using labor costs provide valid cost/benefit 
data which are used, along with other data and program considerations, 
to make sound program decisions. The IRS released two reports that 
include ROI discussions and it is in the process of finalizing a 
summary report on the 3-year test to assess investments in a 
certification requirement versus other potential compliance 
investments. SB/SE is monitoring the nonfiler strategy and work plans 
to improve the identification of and selection of non-filer cases to 
balance the working of nonfiler inventory with balance-due inventory. 
SB/SE continues to review this model to ultimately develop alternative 
treatment strategies based on the least costly treatment indicated by 
the models. The CFO also initiated a cost pilot during fiscal year 2007 
to determine the costs of several performance measures within AUR, and 
will share this information at the conclusion of the cost pilot; 
Status per GAO: Open. In fiscal year 2008, we will continue to follow 
up on IRS's progress on the various initiatives taken as well as IRS's 
progress in estimating the full cost of these programs. 

ID no.: 01-17; 
Recommendation: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur; 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status 
per IRS: Closed. IRS continues to strengthen internal controls and 
procedures to enhance its ability to account for P&E in IFS. P&E, 
including capital leases, are recorded as assets when purchased. During 
fiscal year 2007, IRS revised the dollar threshold for review of P&E 
accounting transactions and conducted intensive reviews of the large-
dollar transactions, increasing the accuracy of P&E reporting. IRS also 
improved its capability to capitalize assets or expense other items and 
to properly account for Business System Modernization costs in internal 
use software. Currently, IRS does not have a subsidiary ledger for 
leasehold improvements. A subsidiary ledger requires an enhancement to 
IFS. Funding for enhancements was denied for fiscal years 2007, 2008 
and 2009. Depending on the amount of any future funding and 
prioritization of enhancements, it is not known when or if IRS can 
accomplish what was originally agreed to. Considering the age of this 
report and the long-term unknowns, IRS considers this action closed 
until further follow-up is required; 
Status per GAO: Open. IRS implemented the first release of IFS on 
November 10, 2004, which allowed recording leasehold improvements as 
assets when purchased. A subsidiary ledger for leasehold improvements 
has not been developed. According to IRS, it lacks the funding to make 
the enhancements to IFS that are needed to develop a subsidiary ledger 
for leasehold improvements. Until it determines the amount of its 
future funding and prioritization of IFS enhancements, IRS will remain 
unsure of any additional actions it will take to accomplish this 
recommendation. We will continue to evaluate IRS's efforts to enhance 
its ability to account for P&E assets, including leasehold 
improvements. 

ID no.: 01-39; 
Recommendation: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities. (long-term); 
Source report: Management Letter: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-01-880R, July 30, 
2001); 
Status per IRS: Closed. The CFO implemented IFS on November 10, 2004 
which included a cost module. The cost module currently has 3 years of 
data which provide managers with basic cost data for decision making in 
relation to their activities. IRS continues to improve the allocation 
methodology so that it can determine the detail behind the allocated 
costs; 
Status per GAO: Open. We confirmed that IRS has procedures for costing 
reimbursable agreements that provide the basic framework for the 
accumulation of both direct and indirect costs at the necessary level 
of detail. IRS has improved its methodology for allocating its costs of 
operations to its business units. However, further actions are needed 
for it to accumulate and report actual costs associated with specific 
reimbursable projects. We will continue to monitor IRS's efforts to 
fully implement its cost accounting system and, once it has been fully 
implemented, evaluate the effectiveness of IRS's procedures for 
developing cost information for its reimbursable agreements. 

ID no.: 02-08; 
Recommendation: Implement policies and procedures to require that all 
employees itemize on their time cards the time spent on specific 
projects. (long-term); 
Source report: Internal Revenue Service: Progress Made, but Further 
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 
2001); 
Status per IRS: Open. IRS is exploring other system-based ways of 
capturing both time and costs associated with its projects and 
activities and does not anticipate implementing the requirement for 
employees to itemize their time in the near future; 
Status per GAO: Open. IRS states that it is exploring other system-
based ways of capturing both time and costs associated with its 
projects and activities and does not anticipate implementing the 
requirement for employees to itemize their time in the near future. We 
will continue to monitor IRS's efforts to fully implement its cost 
accounting system. Once it has been fully implemented, we will evaluate 
the effectiveness of IRS's procedures for developing cost information 
to use in resource allocation decisions, which is the underlying basis 
for our making this recommendation. 

ID no.: 02-09; 
Recommendation: Implement policies and procedures to allocate 
nonpersonnel costs to programs and activities on a routine basis 
throughout the year. (long-term); 
Source report: Internal Revenue Service: Progress Made, but Further 
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 
2001); 
Status per IRS: Closed. IRS now allocates all costs, both personnel and 
nonpersonnel, to the major program areas described in the Statement of 
Net Costs on a monthly basis; 
Status per GAO: Open. We confirmed that IRS has improved its cost 
accounting capabilities by developing and implementing procedures for 
allocating its costs of operations to its business units and to the 
cost categories in its Statement of Net Cost on a monthly basis. 
However, the cost categories on the Statement of Net Cost are at a 
higher level than specific programs and activities. Therefore, further 
actions are still needed to enable IRS to allocate nonpersonnel costs 
to the detailed level of specific programs and activities. We will 
continue to monitor IRS's efforts to fully implement its cost 
accounting system and, once it has been fully implemented, evaluate the 
effectiveness of IRS procedures for developing cost information for 
specific programs and activities to use in resource allocation 
decisions. 

ID no.: 02-16; 
Recommendation: Ensure that field office management complies with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 
2002); 
Status per IRS: Open. During fiscal year 2007, IRS conducted 
Operational Reviews of its W&I Field Assistance area groups. These 
reviews included compliance with this recommendation. While groups were 
generally in compliance, IRS recognized the need for additional 
training. Field Assistance is conducting Filing Season Readiness 
training for Managers in fiscal year 2008 that includes remittance and 
security training. The fiscal year 2008 performance commitments address 
remittance security and shared responsibility for operational reviews. 
Operational reviews at all levels will be conducted during fiscal year 
2008 to ensure consistency; 
Status per GAO: Open. During our fiscal year 2007 audit, we visited 10 
TACs and identified weaknesses over the payment processing and TAC 
managerial reviews that would address this recommendation at all 10 
locations. We will review IRS's additional planned corrective actions 
during our fiscal year 2008 audit. 

ID no.: 02-18; 
Recommendation: Work with the National Finance Center (NFC) to resolve 
the technical limitations that exist within the Security Entry and 
Tracking System (SETS) database and continue to periodically review 
SETS data to detect and correct errors. (short- term); 
Source report: Management Report: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 
2002); 
Status per IRS: Closed. SETS data are reviewed on a bi-weekly basis to 
detect and correct errors. Monitoring SETS falls across a broad group 
of Chief Human Capital and Agency-Wide Shared Services (AWSS) staff. 
IRS provided guidance in November 2007 to all involved staff reminding 
them to monitor SETS systemic issues and immediately elevate those 
issues for NFC correction. Until a SETS replacement is developed, 
continuous monitoring will occur; 
Status per GAO: Open. During our fiscal year 2007 audit, we continued 
to identify technical limitations and weaknesses with the SETS 
database. Specifically, during our analysis of the SETS data, we found 
multiple instances where (1) employees entered on duty either prior to 
the Office of Personnel Management completing their fingerprint check, 
IRS receiving their fingerprint check results, or both and (2) 
employees entered on duty with expired fingerprint check results (over 
180 days old). The guidance provided to staff in November 2007 was 
subsequent to the completion of our fiscal year 2007 audit. We will 
evaluate IRS's additional corrective actions during our fiscal year 
2008 audit. 

ID no.: 04-03; 
Recommendation: Develop procedures to require lockbox managers to 
provide satisfactory evidence that managerial reviews are performed in 
accordance with established guidelines. At a minimum, reviewers should 
sign and date the reviewed documents and provide any comments that may 
be appropriate in the event that their reviews identified problems or 
raised questions. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, April 26, 2004); 
Status per IRS: Closed. IRS continues to conduct on-site reviews 
looking at logs for desk and work area, date stamp, cash, candling, 
shred, and mail. IRS uses the data collection instrument (DCI) entitled 
"Processing-Internal Controls" and uses the results of these reviews to 
roll them into a calculation to determine each bank's score in the new 
bank performance measurement process. In addition, lockbox personnel 
are required to perform similar reviews monthly and report results to 
the lockbox field coordinators. The report must contain the date of 
review, shifts reviewed, results of the review (even when no items are 
found) and include a reviewer and site manager's initials; a signature 
as required by the Lockbox Processing Guidelines (LPG); or both. 
Additional reviews are performed on the monthly F9535/Discovered 
Remittance, candling log, disk checks/ audits, and shred reports 
received from the lockbox site by the lockbox field coordinators; 
Status per GAO: Closed. We verified that IRS established and 
implemented a Processing Internal Controls and Physical Security DCIs. 
These DCIs are used to assess the required managerial reviews that are 
performed at each lockbox bank. 

ID no.: 04-08; 
Recommendation: Enforce policies and procedures to ensure that service 
center campus security guards respond to alarms.; 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, April 26, 2004); 
Status per IRS: Closed. IRS continues to perform monthly unannounced 
testing of guard response to alarms, and documentation from these 
reviews is maintained at each service center campus. Roll-up 
documentation from Physical Security Area managers is provided to the 
Program, Planning, and Policy Office (PPPO) for reports to higher-level 
management. PPPO also conducts random unannounced spot checks when on-
site at campuses and computing centers; 
Status per GAO: Open. During our fiscal year 2007 audit, we identified 
instances at two of five SCCs we visited in which security guards did 
not respond properly to alarms. We will evaluate IRS's corrective 
actions during our fiscal year 2008 audit. 

ID no.: 05-11; 
Recommendation: Enforce adherence to existing instructions on 
safeguarding taxpayer receipts and information, such as securing access 
and candling procedures, at service center campuses selected for 
significant reductions in their submission processing functions. (short-
term); 
Source report: Management Report: Review of Controls over Safeguarding 
Taxpayer Receipts and Information at the Brookhaven Service Center 
Campus (GAO-05-319R, Mar 10, 2005); 
Status per IRS: Closed. Accounts Management is enforcing adherence to 
existing instructions for securing access to restricted areas through 
trained security monitors at consolidated sites. These clerks receive 
training annually, as well as periodic briefings, on the issuance and 
inventory of badges and the security of taxpayer information and 
receipts. Candling procedures are reinforced through training and team 
meetings. Local management ensures that correct procedures are followed 
when reviewing equipment and candling logs; 
Status per GAO: Open. During our fiscal year 2007 audit, we identified 
instances at one SCC we visited with reduced submission processing 
functions where (1) neither the door monitor nor the payment processing 
supervisor in the receipt and control area inspected visitors' 
belongings when they exited the restricted area and (2) the inside 
envelope of the 3210 transmittal package did not contain a statement 
indicating that the information inside is for limited official use. We 
will continue to assess IRS's actions during our fiscal year 2008 
audit. 

ID no.: 05-12; 
Recommendation: Document a methodology for estimating anticipated rapid 
changes in mail volume at future SCCs selected for significant 
reductions in their submission processing functions, taking into 
consideration factors such as the prior rampdown experience at 
Brookhaven. (short-term); 
Source report: Management Report: Review of Controls over Safeguarding 
Taxpayer Receipts and Information at the Brookhaven Service Center 
Campus (GAO-05-319R, Mar 10, 2005); 
Status per IRS: Closed. IRS has developed and implemented a methodology 
for estimating mail volumes and resource requirements for use in future 
submission processing consolidations. IRS used the prior campus 
consolidation experiences from both Brookhaven and Memphis in its 
projections for the Philadelphia Campus Support Department; 
Status per GAO: Closed. During our fiscal year 2007 audit, IRS W&I 
staff provided us with a methodology and estimation for anticipated 
rapid changes in mail volume at future SCCs selected for significant 
reductions in their submission processing functions. 

ID no.: 05-13; 
Recommendation: Enforce its existing requirement that appropriate 
background investigations be completed for contractors before they are 
granted staff-like access to service centers. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Closed. PPPO issued notification in February 2007 
reminding Physical Security area directors that required documentation 
from contracting officers' technical representatives is needed to 
support the issuance of identification media before granting staff-like 
access to contractors, and that all forms must remain on file. The 
Audit Management Checklist is also used to ensure that proper 
documentation is received and filed. All IRMs have been updated and 
renumbered. IRM 10.2.5 Identification Card specifies that Form 5519, 
13716-A or similar identification request form (13760), and the interim 
or final background investigation letter must be retained and filed in 
the identification media file on each contractor for the life of the 
identification card; 
Status per GAO: Open. During our fiscal year 2007 audit, we identified 
four contractors at one of five SCCs we visited who were granted staff-
like access before background investigations had been completed. Also, 
we obtained and reviewed SCC contractor background investigation data 
from all 10 SCCs and found that 3 SCCs permitted five contractors staff-
like access before their background investigations had been completed. 
In addition, IRM series 10.2 mentioned in IRS's response to this 
recommendation is currently in draft, under review, and waiting to be 
finalized. We will evaluate IRS's corrective actions during our fiscal 
year 2008 audit. 

ID no.: 05-14; 
Recommendation: Require that background investigation results for 
contractors (or evidence thereof) be on file where necessary, including 
at contractor worksites and security offices responsible for 
controlling access to sites containing taxpayer receipts and 
information. (short-term)]; 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 05-247R, Apr 27, 2005); 
Status per IRS: Closed. PPPO issued notification in February 2007 
reminding Physical Security area directors that documentation from the 
contracting officer's technical representative is needed to support the 
issuance of identification media before granting staff-like access to 
contractors, and that all forms remain on file. The Audit Management 
Checklist is also used to ensure that proper documentation is received 
and filed. All IRMs have been updated and renumbered. IRM 10.2.5 
Identification Card specifies that Form 5519, 13716-A or similar 
identification request form (13760), and the interim or final 
background investigation letter must be retained and filed in the 
identification media file on each contractor for the life of the 
identification card; 
Status per GAO: Open. As of the time of our audit, the IRM 10.2 series 
was in draft, under review, and waiting to be finalized. We will 
monitor its final implementation and continue to evaluate IRS's 
policies and procedures related to background investigations for 
contractors during our fiscal year 2008 audit. 

ID no.: 05-22; 
Recommendation: Provide a written reminder to courier contractors of 
the need to adhere to all courier service procedures. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Closed. Submission Processing issued an annual reminder 
memorandum to the courier contractors on February 27, 2007. 
Additionally, the lockbox banks security team verified that all lockbox 
bank sites issued an annual reminder memorandum to courier contractors 
reminding them to adhere to all courier service procedures in the 
Lockbox Security Guidelines (LSG); 
Status per GAO: Closed. We verified that reminder memorandums were 
issued to the SCC and lockbox bank couriers. 

ID no.: 05-23; 
Recommendation: Periodically verify that contractors entrusted with 
taxpayer receipts and information off site adhere to IRS procedures. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 05-247R, Apr 27, 2005); 
Status per IRS: Closed. Submission Processing revised the LSG 2.5 
during 2007 to provide for periodic verification that couriers adhere 
to IRS policy while transporting taxpayer receipts and information. In 
IRS's campuses, IRS ensures couriers sign, date, and note the time of 
pickup on Form 10160, Receipt for Transport of IRS Deposit. When the 
couriers drop off the deposit, IRS ensures Form 10160 is date and time 
stamped. Each campus reviews the form and notes any time discrepancies. 
Couriers are questioned if discrepancies are found and the information 
is noted in the Courier Incident Log. If inconsistencies are noted, the 
centers use their discretion to determine whether it is necessary to 
trail the couriers; 
Status per GAO: Closed. We verified that IRS revised its LSG to include 
provisions for periodic verification that couriers adhere to IRS 
procedures for transporting taxpayer receipts and information. We also 
noted that procedures were established at the campuses involving the 
review of the returned Form 10160. 

ID no.: 05-32; 
Recommendation: Establish policies and procedures to require 
appropriate segregation of duties in small business/self- employed 
units of field offices with respect to preparation of Payment Posting 
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Open. SB/SE revised IRM 5.1.2, 1.4.50, 4.20.3, and 
4.20.4 to address this recommendation. The Director, Examination sent a 
memorandum to all Examination area directors on October 17, 2006 
reminding them of the payment processes outlined in IRM 5.1.2, and 
requiring periodic reviews of payment processing procedures during 
their group operational reviews; Although SB/SE believes its current 
field payment processing procedures sufficiently addresses segregation 
of duties, it is currently conducting a risk assessment to identify 
potential weaknesses; 
Status per GAO: Open. The status information provided by IRS did not 
clearly address segregation of duties within the SB/SE business units. 
When we issued this recommendation, we noted that (1) individuals 
responsible for preparing payment posting vouchers were the same 
individuals who recorded the information from those vouchers on the 
document transmittal and mailed those forms to the IRS service center 
and (2) there was no independent review or reconciliation of documents 
or payments before they were mailed by their preparer. During our 
recent visits to selected SB/SE units in March 2008, we found that this 
condition continued to exist. Duties involving the preparation of 
payment posting vouchers, document transmittal forms, and transmittal 
packages were not segregated. Employees informed us that there was no 
related requirement in the IRM. 

ID no.: 05-33; 
Recommendation: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 05-247R, Apr 27, 2005); 
Status per IRS: Open. W&I Field Assistance has taken a number of 
actions to emphasize the requirement for including a document 
transmittal form listing the Daily Report of Collection Activity forms 
in transmittal packages, and ensuring that they are reconciled and 
reviewed by the secretary, initial assistant representative, or manager 
in offices where these positions are located. Territory managers review 
and discuss the monthly Trends and Patterns reports with the group 
manager. Results of the reviews are forwarded to the area director. 
Operational reviews at all levels will be conducted annually to ensure 
that field offices comply with the requirement to prepare Form 3210, 
which lists all Forms 795 being shipped to the Submission Processing 
Center; Beginning in March 2008 Collection began annual reviews of a 
sample of groups in each area to ensure the reviews described in IRM 
1.4.50 are taking place. The results of the headquarters review will be 
documented in the area operational review. SB/SE is currently reviewing 
the language in IRM 1.4.50, Collection Group Manager, Territory Manager 
and Area Director Operational Aid to determine if clarification is 
needed; 
Status per GAO: Open. During our visits to several SB/SE business 
units, we found that a document transmittal form was not being used to 
transmit multiple Daily Report of Collection Activity forms to the 
respective service center campus. We will continue to assess IRS's 
actions during our fiscal year 2008 audit. 

ID no.: 05-36; 
Recommendation: Assess options to prevent the generation or 
disbursement of refunds associated with accounts with unresolved 
Automated Under Reporter (AUR) discrepancies, including placement of a 
freeze or hold on all such accounts, until the AUR review has been 
completed. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Closed. The procedures to prevent the generation or 
disbursement of refunds associated with AUR accounts are in place and 
included in IRM 3.8.45. Employees are required to conduct Integrated 
Data Retrieval System (IDRS) research after receiving an unidentified 
remittance to determine if there is an open account that allows for 
posting of the remittance. Submission Processing issued a Hot Topic on 
January 25, 2007, which added procedures to IRM 3.17.10 to check for 
cases that can be identified as an AUR payment and research IDRS for 
CP2000 Indicators: TC 922, "F" Freeze Code, and campus under reporter 
programs; 
Status per GAO: Closed. We confirmed that IRS updated IRM 3.8.45 and 
IRM 3.17.10 to include the requirement that employees conduct IDRS 
research after receiving unidentified remittances. 

ID no.: 05-37; 
Recommendation: Enforce documentation requirements relating to 
authorizing officials charged with approving manual refunds. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Closed. IRS issued its annual memorandum in August 2007 
and received the annual list of authorized signatures by October 31, 
2007, per IRM 3.17.79.3.5(4)(d). Submission Processing completed a 
sample review as part of the Monthly Security Review Checklist per 
3.17.79.3.5(3), and completed a 100 percent review of the new annual 
list in November 2007; 
Status per GAO: Open. During our fiscal year 2007 audit, we continued 
to find that the documentation requirements on memorandums, which are 
submitted to the manual refund units listing officials authorized to 
approve manual refunds, were incomplete. The annual memorandums issued, 
the annual list of authorized signatures, and the reviews performed 
noted in IRS's response to this recommendation were subsequent to our 
fieldwork. We will follow up on IRS's efforts to improve the 
documentation requirements during our fiscal year 2008 audit. 

ID no.: 05-38; 
Recommendation: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts for manual refunds. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 05-247R, Apr 27, 2005); 
Status per IRS: Closed. IRS issued guidance on enforcing requirements 
for monitoring accounts and reviewing monitoring of accounts via Hot 
Topics on April 30, 2007 and again on July 13, 2007. Department 
managers provided subordinate managers and the employees refresher 
training using IRM 21.4.4 and 3.17.79 as reference materials to 
reinforce the monitoring requirements. Accounts Management completed 
refresher training at all campuses from January through May 2007. SB/SE 
Campus Compliance Services (CCS) continues to stress the importance of 
following all IRM procedures for the manual refunds. To ensure that the 
campuses continue to comply with all IRM provisions for manual refunds, 
the CCS directors are covering this topic in both filing & payment 
compliance and campus reporting compliance operations during their 
fiscal year 2008 campus reviews. The Taxpayer Advocate Service (TAS) 
has specific IRM requirements and controls for all employees and 
managers to monitor the posting of manual refunds to prevent duplicate 
refunds, and to document in the Taxpayer Advocate Management 
Information System (TAMIS) that all actions were completed. TAS also 
updated its manual refund training on March 12, 2007, re-emphasizing 
the requirement to monitor manual refunds to prevent duplicate refunds; 
Status per GAO: Open. We verified that IRS issued the Hot Topics, which 
included providing managers and the employees training to reinforce 
monitoring requirements. However, during our fiscal year 2007 audit, we 
continued to find instances where the manual refund initiators, leads, 
or both did not monitor accounts to prevent duplicate refunds. We also 
found that some of the supervisors did not review the initiators' or 
leads' work to ensure that the monitoring of accounts was performed. We 
will continue to review IRS's monitoring and review efforts during our 
fiscal year 2008 audit. 

ID no.: 05-39; 
Recommendation: Enforce requirements for documenting monitoring actions 
and supervisory review for manual refunds. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Closed. Submission Processing (SP) issued guidance on 
enforcing requirements for monitoring accounts and reviewing monitoring 
of accounts via Hot Topics on April 30, 2007 and again on July 13, 
2007. Department managers provided subordinate managers and the 
employees refresher training using IRM 21.4.4 and 3.17.79 as reference 
materials to reinforce the monitoring requirements. Accounts Management 
completed refresher training at all campuses from January through May 
2007. IRS continues to use the Manual Refund Check Sheet and monthly 
security reviews to ensure compliance with IRM requirements, and these 
reviews are forwarded monthly to SP headquarters for consolidation and 
review by headquarters analysts and management. The SB/SE Campus 
Compliance Services continues to stress the importance of following all 
IRM procedures for the manual refunds. To ensure that the campuses 
continue to comply with all IRM provisions for manual refunds, the CCS 
directors are covering this topic in both filing & payment compliance 
and campus reporting compliance operations during their fiscal year 
2008 campus reviews. The TAS has specific IRM requirements and controls 
for all employees and managers to monitor the posting of manual refunds 
until posted to prevent duplicate refunds, and to document in TAMIS 
that all actions were completed. TAS also updated its manual refund 
training on March 12, 2007, re-emphasizing the requirement to monitor 
manual refunds to prevent duplicate refunds; 
Status per GAO: Open. We verified that IRS issued the Hot Topics, which 
included providing managers and employees training to reinforce the 
monitoring requirements. However, during our fiscal year 2007 audit, we 
continued to find instances where the requirement for documenting 
monitoring actions and documenting supervisory review were not 
enforced. We will continue to review IRS's monitoring and review 
efforts during our fiscal year 2008 audit. 

ID no.: 05-40; 
Recommendation: Enforce the requirement that command code profiles be 
reviewed at least once annually. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 05-247R, Apr 27, 2005); 
Status per IRS: Closed. IRS issued a Hot Topic on January 10, 2007 and 
again on March 30, 2007 as a reminder to ensure adherence to the 
existing process of enforcing the requirement that command code 
profiles be reviewed at least once annually. The Manual Refund Unit has 
included a signed and dated copy of the Command Code: RSTRK input 
(action performed through the use of IDRS in the file with the 
authorization memorandums to verify compliance with IRM 3.17.79.1.7. 
The Monthly Security Review Checklist was updated to add this review; 
Status per IRS: Closed. During our fiscal year 2007 audit, we found 
that the requirements that command code profiles be reviewed at least 
once annually were enforced. 

ID no.: 05-41; 
Recommendation: Specify in the IRM that staff members are not to review 
their own command code profiles. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Closed. IRS updated IRM 10.8.34 IDRS Security Handbook 
replacing the IDRS Security Law Enforcement Manual (LEM) 25.10.3. 
Section 10.8.34.5.3.1 (3) - (6) prohibits managers from being in the 
same IDRS unit as the employees they review. Section 10.8.34.8.2.2.5 
(2) (f) requires managers to review reports monthly to ensure profiles 
have appropriate restrictions. Section 10.8.34.8.2.2.5 (2) (m) 
prohibits employees from reviewing their own profile or any other 
report data pertaining to themselves. IRS also updated the IDRS section 
of the annual FMFIA Self-Assessment Tool for Managers with item 4.50 
requiring the quarterly review of IDRS user profiles in accordance with 
the IRM, and item 4.52 requiring managers to indicate that they 
completed a review of IDRS security reports and appropriate action has 
been taken to correct weaknesses; 
Status per GAO: Closed. During our fiscal year 2007 audit, we found no 
instances of staff members reviewing their own command codes. We 
verified that IRS has updated IRM 10.8.34 IDRS Security Handbook, which 
has replaced IDRS Security LEM 25.10.3. We also verified that section 
10.8.34.5.3.1 (3) - (6) prohibits managers from being in the same IDRS 
unit as the employees they oversee; section 10.8.34.8.2.2.5 (2) (f) 
requires managers to review reports monthly to ensure that profiles 
have appropriate restrictions; and section 10.8.34.8.2.2.5 (2) (m) 
prohibits employees from reviewing their own profile or any other 
report data pertaining to themselves. 

ID no.: 06-01; 
Status per IRS: Recommendation: Require that Refund Inquiry Unit 
managers or supervisors document their review of all forms used to 
record and transmit returned refund checks prior to sending them for 
final processing. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. W&I's Accounts Management will confirm during the 
site operational reviews that managers are performing a follow-up and 
documentation acknowledgement of receipt of Form 3210. This item will 
be monitored during the fiscal year 2008 quarterly reviews. During 
fiscal year 2007, IRS completed conference calls prior to each 
directorates filing season readiness (FSR) certification, and will 
continue to provide directions during the fiscal year 2008 FSR 
conference calls to enforce management controls to complete, review, 
approve, and follow up on receipt of Forms 3210 in Accounts Management; 
Status per GAO: Open. We will continue to evaluate IRS's corrective 
actions during our fiscal year 2008 audit. 

ID no.: 06-02; 
Recommendation: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including SCCs, TACs, and units within Large and 
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities 
(TE/GE), establish a system to track acknowledged copies of document 
transmittals. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. LMSB has issued procedures to the field on the 
responsibilities for using receipt transmittals. LMSB employees are 
reminded annually through executive memorandum of Form 3210 procedures 
and responsibilities. LMSB has also issued memos to the field to remind 
and reinforce the use of Form 3210 and establishment of a follow-up 
system for unacknowledged 3210s. A Closing Checklist for LMSB Cases 
which includes Form 3210 requirement reminders was created to assist 
LMSB employees when transmitting cases. LMSB Technical training has 
certified that Form 3210 procedures and responsibilities are included 
in revenue agent training materials. LMSB Human Capital Office has 
included the requirement that Industry Territory Managers review Form 
3210 utilization and follow-up procedures during operational reviews in 
a memorandum dated December 13, 2006; IRMs 21.3.4.7 and 1.4.11.19.1 
were revised during 2007 to provide procedures for requiring TACs to 
follow-up with SP centers when acknowledgments are not received within 
10 days. Similarly, W&I Accounts Management revised IRMs 21.5.4.2 and 
1.4.16 for this requirement. W&I Field Assistance will conduct 
operational reviews during and after filing season to monitor 
compliance, and is currently enhancing the existing TAC Security and 
Remittance Review Database to provide more comprehensive and 
quantitative data for analysis. Reviews conducted during 2007 showed 
that offices transmitting receipts have a system to track acknowledged 
copies of document transmittals. Planned reviews will enforce existing 
requirements for both organizations; 
Status per GAO: Open. During our fiscal year 2007 audit, we identified 
instances at one SCC and four TACs where there was no system in place 
or evidence maintained to track acknowledged document transmittals. We 
will continue to evaluate IRS's corrective actions during our fiscal 
year 2008 audit. 

ID no.: 06-03; 
Recommendation: Provide instructions to document the follow-up 
procedures performed in those cases where transmittals have not been 
timely acknowledged. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 06-543R, May 12, 2006); 
Status per IRS: Closed. LMSB has issued procedures to the field on the 
responsibilities for using receipt transmittals. LMSB employees are 
reminded annually through executive memorandum of Form 3210 procedures 
and responsibilities. LMSB has also issued memos to the field to remind 
and reinforce the use of Form 3210 and establishment of a follow-up 
system for unacknowledged 3210s. A closing checklist for LMSB cases was 
created to assist LMSB employees when transmitting cases. LMSB 
technical training has certified that Form 3210 procedures and 
responsibilities are included in revenue agent training materials. LMSB 
Human Capital Office has included the requirement that Industry 
Territory Managers review Form 3210 utilization and follow-up 
procedures during operational reviews in a memorandum dated December 
13, 2006. IRMs 21.3.4.7 and 1.4.11.19.1 were revised to provide 
procedures for requiring TACs to follow-up with SP centers when 
acknowledgments are not received within 10 days. IRM 1.4.11.19.1 
Maintaining Form 795/795A Centralized Files provides instruction to 
document follow-up of unacknowledged document transmittals. To help 
reinforce the importance of the follow-up managers are required to 
attend classroom training. New and acting managers attended ďManaging a 
TACĒ training in 2007, and all managers attend a filing season 
readiness workshop. W&I Accounts Management revised IRMs 21.5.4.2 and 
1.4.16 for this requirement. Planned reviews will enforce existing 
requirements; 
Status per GAO: Closed. During our fiscal year 2007 audit, we verified 
that the IRM includes procedures for LMSB and TE/GE units to follow up 
with the destination sites if remittance transmittals are not returned 
within 10 days or if all remittances were not marked with a distinctive 
checkmark. Also, we verified that the IRM contains Field Assistance 
(TAC) procedures for monitoring document transmittal acknowledgments. 

ID no.: 06-04; 
Recommendation: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. LMSB has issued procedures to the field on the 
responsibilities for using receipt transmittals. LMSB employees are 
reminded annually through executive memorandum of Form 3210 procedures 
and responsibilities. LMSB has also issued memos to the field to remind 
and reinforce the use of Form 3210 and establishment of a follow-up 
system for unacknowledged 3210s. A closing checklist for LMSB cases was 
created to assist LMSB employees when transmitting cases. LMSB 
technical training has certified that Form 3210 procedures and 
responsibilities are included in revenue agent training materials. LMSB 
Human Capital Office has included the requirement that Industry 
Territory Managers review Form 3210 utilization and follow-up 
procedures during operational reviews in a memorandum dated December 
13, 2006. IRM 1.4.11.19.5 Field Assistance Manager Review outlines 
instructions for managers to perform a minimum of two reviews per 
quarter per employee for payment processing and reconciliation 
procedures that include 3210 and 795 segregation of duties. A 
certification template has been created and placed in the IRM 1.4.11-10 
for managers to confirm the review being conducted. To help reinforce 
the importance of the follow-up managers are required to attend 
classroom training. New and acting managers attended ďManaging a TACĒ 
training in 2007 and all managers will attend a Filing Season Readiness 
Workshop. During the training the requirement to conduct reviews and 
document results will be emphasized. W&I Accounts Management revised 
IRMs 21.5.4.2 and 1.4.16 for this requirement; 
Status per GAO: Open. During our fiscal year 2007 audit, we identified 
instances at seven TACs where there was no evidence of managerial 
review of document transmittals and one instance at one of five SCCs we 
visited in which one Refund Inquiry Unit manager did not document his 
review of the document transmittals. We will continue to evaluate IRS's 
corrective actions during our fiscal year 2008 audit. 

ID no.: 06-05; 
Recommendation: Equip all Taxpayer Assistance Centers (TACs) with 
adequate physical security controls to deter and prevent unauthorized 
access to restricted areas or office space occupied by other IRS units, 
including those TACs that are not scheduled to be reconfigured to the 
"new TAC" model in the near future. This includes appropriately 
separating customer service waiting areas from restricted areas in the 
near future by physical barriers such as locked doors marked with signs 
barring entrance by unescorted customers. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. W&I Field Assistance (FA) and AWSS are currently 
implementing plans to correct security and control access issues in 
TACs. Field Assistance identified 120 locations and AWSS completed a 
detailed analysis on each one. Most locations were identified as space 
and design issues that require implementation of the TAC Model Design. 
For locations that were not space and design issues, AWSS provided the 
funding and implemented corrective actions. Most of the security and 
control access issues affect small TACs. FA and AWSS have developed a 
strategic TAC Model implementation plan and the new "Mini TAC Model 
Design" to correct security and control access issues in the remaining 
offices; 
Status per GAO: Open. During our fiscal year 2007 audit, we identified 
instances at two TACs where the controlled area was not equipped with 
physical security controls adequate to deter and prevent unauthorized 
access to restricted areas or office space occupied by other IRS units. 
We will continue to evaluate IRS's corrective actions during our fiscal 
year 2008 audit. 

ID no.: 06-07; 
Recommendation: Document supervisory visits by offsite managers to TACS 
not having a manager permanently on-site. This documentation should be 
signed by the manager and should (1) record the time and date of the 
visit, (2) identify the manager performing the visit, (3) indicate the 
tasks performed during the visit, (4) note any problems identified, and 
(5) describe corrective actions planned. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. Effective November 27, 2007, FA managers are no 
longer required to document visits to outlying TACs by using a 
checklist. Instead, new processes were implemented that will better 
gauge managers' adherence to remittance and physical security internal 
controls. The new process includes the following: (1) A performance 
commitment for each level of FA management (director, area director, 
territory manager (TM), and TAC manager). The commitment requires 
managers to conduct and document reviews to ensure protection of data 
and equipment and ensure compliance with remittance and security 
procedures. (2) Implementation of a tiered operational review approach. 
This will allow FA to determine if TAC managers are performing required 
reviews, conducting periodic visits, and focusing on actions that 
mitigate control weaknesses. Headquarters (HQ) reviews focus on the 
Area Offices, Area Office operational reviews focus on TMs, and TM 
reviews focus on each TAC manager. (3) TAC managers and TMs using DCIs 
to conduct physical security and remittance reviews. (4) TAC managers 
inputting review results into the TAC Security and Remittance Review 
Database. Database information will be analyzed at the headquarters 
level to identify top issues needing attention and to develop 
corrective actions; 
Status per GAO: Open. IRS no longer requires TAC managers to document 
their visits to outlying TACs by using a checklist but has implemented 
new procedures involving FA managers at all levels to ensure that 
periodic reviews are performed and centrally documented. However, these 
changes occurred subsequent to our fiscal year 2007 audit. We will 
assess, during our fiscal year 2008 audit, whether the new procedures 
will effectively mitigate the risks that the previous recommendation of 
documenting supervisory visits was originally designed to address. 

ID no.: 06-08; 
Recommendation: Enforce the requirement that all security or other 
responsible personnel at service center campuses (SCC) and lockbox 
banks record all instances involving the activation of intrusion alarms 
regardless of the circumstances that may have caused the activation. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. In January 2006, the lockbox bank LSG 2.2.3.1.5 
(6) was revised to add the requirement that banks maintain a logbook of 
incident reports and any applicable supporting documentation, and note 
corrective follow-up actions taken on each incident. IRS reinforced the 
requirement to maintain a logbook in sequential date order in the 2007 
LSG. For SCCs, the requirement for all activations of alarms to be 
logged in security console logs has been on the Audit Management 
Checklist since June 2006. Interim IRM 1.16.12A Security Guard Service 
and Explosive Detection Dogs, issued in November 2006, states the 
requirement for the guard console blotter/event log to be annotated to 
record and document the guard force response to each alarm activation 
exercise. Draft IRM 10.2.14 Methods of Providing Protection (awaiting 
finalization) states, "A record of all instances involving the 
activation of any alarm regardless of the circumstances that may have 
caused the activation, must be documented in a Daily Activity Report/ 
Event Log, or other log book and maintained for two-years." The IRM 
1.16 series is being changed to 10.2; 
Status per GAO: Open. As of the time of our audit, the IRM changes were 
in draft, under review, and waiting to be finalized. During our fiscal 
year 2007 audit, we identified three instances at one of four lockbox 
banks we visited in which the activation of intrusion alarms were not 
recorded by security guards. We will continue to evaluate IRS's 
corrective actions during our fiscal year 2008 audit. 

ID no.: 06-09; 
Recommendation: Reemphasize the need for the security guards at all 
TACs to ensure that key posts of duty, such as entrances to facilities, 
are not left unattended. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. W&I issued a memorandum on April 5, 2007, to 
address this issue. Additionally, a letter was issued to the Director, 
Security and Law Enforcement of Homeland Security, to ensure that 
security officers are aware of their duties and responsibilities at key 
post of duty; 
Status per GAO: Closed. We did not identify any instances where key 
posts of duty were left unattended by security guards during our fiscal 
year 2007 audit. 

ID no.: 06-11; 
Recommendation: Refine the scope and nature of its periodic reviews of 
candling processes at SCCs to ensure they (1) encompass tests of 
whether envelopes are properly candled through observation of candling 
in process and inquiry of employees who perform initial and final 
candling and (2) document the nature and scope of the test and 
observation results. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. IRS continues to use the Security Review Check 
List to document the effectiveness of the initial and final candling 
process, and to talk to employees who perform initial and final 
candling as part of the monthly campus and national office security 
reviews; 
Status per GAO: Closed. We verified that IRS revised its Security 
Review Checklist to document, through observation, the effectiveness of 
the initial and final candling process. During our fiscal year 2007 
audit, we non-statistically selected and reviewed several campus 
security review reports and found no instances where the reports did 
not document the number of employees who were questioned about their 
knowledge of candling procedures and the responses received from the 
employees. 

ID no.: 06-14; 
Recommendation: Refine the scope and nature of its periodic security 
reviews to encompass (1) testing the effectiveness of controls intended 
to ensure that only individuals with proper credentials are permitted 
access to SCCs and lockbox banks, and (2) reviewing the integrity of 
perimeter security at SCCs. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. As of January 1, 2007, IRS revised LSG section 
2.2.3.1(6) k to restrict access of all delivery personnel. The IRS 
Lockbox Security Review Team observed the lockbox site's process of 
delivery personnel while on-site to ensure compliance with the LSG 
requirement. In addition, section 2.2.2.13.1 (CCTV Cameras) (2)g of the 
LSG was revised to add that cameras must capture images of all persons 
entering and exiting perimeter doors and other critical ingress/egress 
points, including but not limited to the computer room and closets 
containing main utility feeds. AWSS continues to complete compliance 
reviews, risk assessments, and quarterly audit management checklist 
reviews. Since April 2006, the service center campuses have been 
providing quarterly verification that all guards have been reminded to 
inspect and scrutinize all badges of personnel accessing IRS 
facilities. During the past year, IRS has accessed closed-circuit 
television (CCTV) capabilities and is currently taking corrective 
actions to allow the unobstructed surveillance of campus fence lines 
and the facility perimeters; 
Status per GAO: Closed. We verified that IRS refined the scope and 
nature of its periodic security reviews by (1) performing periodic 
tests of whether lockbox personnel are only allowing authorized 
individuals to access the facility and verifying that CCTVs are 
capturing key areas and (2) conducting quarterly assessments of the 
integrity of perimeter access controls. 

ID no.: 06-15; 
Recommendation: Revise the physical security procedures in the Internal 
Revenue Manual (IRM) to require that all SCCs and any respective annex 
facilities processing taxpayer receipts and/or information perform and 
document monthly tests of the facility's intrusion detection alarms. At 
a minimum, these procedures should (1) outline the type of test to be 
conducted, (2) include criteria for assessing whether the controls used 
to respond to the alarm were effective, and (3) require that a logbook 
be maintained to document the test dates, results, and response 
information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. IRM 1.16.12 was revised and documents the 
requirements to test, document, report and follow-up on service center 
campus intrusion detection alarms. Physical Security area directors 
began implementing the new procedures in January 2007. Test results are 
rolled-up to PPPO for quarterly reports for upper management; 
Status per IRS: Open. IRS officials informed us that the IRM section is 
in draft and currently in the review stage. We will follow up on the 
finalization of this IRM and continue to assess IRS's actions during 
our fiscal year 2008 audit. 

ID no.: 06-21; 
Recommendation: Generate aging reports when an asset remains in pending 
disposal status for longer than a specified period of time. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. This recommendation remains closed, as IRS 
reported in fiscal year 2006. AWSS reports that the re-engineered 
process is working as intended. Aging record reports are monitored 
monthly, and AWSS staff follows up on disposal actions to identify 
issues or problems; 
Status per GAO: Closed. During fiscal year 2006, IRS re-engineered the 
P&E asset retirement and disposal process. The new process generates 
exception reports that enable management to monitor the aging of 
transactions during the disposal process. Our fiscal year 2007 review 
of P&E internal controls showed that anomaly reports are now being 
generated when an asset remains in a disposal code for an extended 
period of time. 

ID no.: 06-22; 
Recommendation: Direct Facilities Management Branch managers to 
research and resolve the aging reports (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. This recommendation remains closed as IRS 
reported in fiscal year 2006. AWSS reports that the reengineered 
process is working as intended. Aging record reports are monitored 
monthly and AWSS staff follows up on disposal actions to identify 
issues or problems; 
Status per GAO: Open. During fiscal year 2006, IRS re-engineered the 
P&E asset retirement and disposal process. The new process generates 
exception reports that enable management to monitor the aging of 
transactions during the disposal process. While our fiscal year 2007 
review of P&E internal controls showed that anomaly reports are now 
being generated when an asset remains in a disposal code for an 
extended period of time, our audit testing revealed that disposals are 
still not being recorded in a timely manner. Our inquiries of IRS 
management revealed that management is not always reviewing the anomaly 
reports as required by the reengineered process. We will continue to 
evaluate IRS's corrective actions during our fiscal year 2008 audit. 

ID no.: 07-01; 
Recommendation: Enforce the existing policy requiring that all lockbox 
banks encrypt backup media containing federal taxpayer information. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Open. IRS is currently evaluating this recommendation 
to determine the best means to safeguard (e.g. encryption) and/or 
retain taxpayer data. To assist in the evaluation process, IRS plans to 
complete a cost-benefit analysis to determine the best solution. The 
tentative date for completion of the cost-benefit analysis and any 
resulting solution is September 30, 2008. In the interim, to mitigate 
the risk of losing personally identifiable information (PII), IRS plans 
to incorporate specific guidelines in the calendar year 2008 LSG to 
clearly require that all lockbox sites store backup media containing 
PII in locked containers. The calendar year 2008 LSG was issued on 
December 19, 2007; 
Status per GAO: Open. During our fiscal year 2007 audit, we identified 
instances at all four lockbox banks we visited where backup data tapes 
containing federal taxpayer information were not encrypted. We will 
evaluate IRS's planned corrective actions during our fiscal year 2008 
audit. 

ID no.: 07-02; 
Recommendation: Ensure that lockbox banks store backup media containing 
federal taxpayer information at an off-site location as required by the 
2006 Lockbox Security Guidelines (LSG). (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 07-689R, May 11, 2007); 
Status per IRS: Open. IRS is currently evaluating this recommendation 
to determine the best means to safeguard (e.g. encryption) and/or 
retain taxpayer data. To assist in the evaluation process, IRS plans to 
complete a cost-benefit analysis to determine the best solution. The 
tentative date for completion of the cost-benefit analysis and any 
resulting solution is September 30, 2008. In the interim, to mitigate 
the risk of losing PII, IRS plans to incorporate specific guidelines in 
the calendar year 2008 LSG to clearly require that all lockbox sites 
store backup media containing PII in locked containers. The calendar 
year 2008 LSG was issued in December 19, 2007; 
Status per GAO: Open. During our fiscal year 2007 audit, we identified 
instances at all four lockbox banks we visited where backup media 
containing federal taxpayer information was not stored at an off-site 
location. We will evaluate IRS's planned corrective actions during our 
fiscal year 2008 audit. 

ID no.: 07-03; 
Status per IRS: Recommendation: Revise instructions for the annual 
reviews of lockbox banks to encompass routine monitoring of backup 
media containing personally identifiable information to ensure that 
this information is (1) encrypted prior to transmission and (2) stored 
in an appropriate off-site location. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Open. IRS is currently evaluating this recommendation 
to determine the best means to safeguard (e.g. encryption) and/or 
retain taxpayer data. To assist in the evaluation process, IRS plans to 
complete a cost-benefit analysis to determine the best solution. The 
tentative date for completion of the cost-benefit analysis and any 
resulting solution is September 30, 2008. In the interim, to mitigate 
the risk of losing PII, IRS plans to incorporate specific guidelines in 
the calendar year 2008 LSG to clearly require all lockbox sites store 
backup media containing PII in locked containers. The calendar year 
2008 LSG was issued in December 19, 2007. For the Lockbox Electronic 
Network (LEN), it electronically transmits all transactional data, 
including federal taxpayer information, from the lockbox banks to IRS 
via the Martinsburg Computing Center, which is currently going to the 
Tennessee Computing Center. The electronic transmission securely 
transmits the data through the use of Virtual Private Network devices 
like the devices used at the computing centers which will encrypt the 
data as it is being transmitted. Effective March 2008, the LEN is being 
used to transmit the data to the SP centers. Cartridges will only be 
used in the event of an emergency or contingency situation where the 
LEN transmission fails; 
Status per GAO: Open. We will continue to evaluate IRS's corrective 
actions during our fiscal year 2008 audit. 

ID no.: 07-04; 
Recommendation: Develop and implement appropriate corrective actions 
for any gaps in closed circuit TV (CCTV) camera coverage that do not 
provide an unobstructed view of the entire exterior of the SCC's 
perimeter, such as adding or repositioning existing CCTV cameras or 
removing obstructions. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 07-689R, May 11, 2007); 
Status per IRS: Open. All SCCs conducted an assessment of the CCTV 
systems concerning unobstructed views of fence lines and perimeter, and 
identified problems that were documented in an action plan developed in 
May 2007 and completed by February 2008; 
Status per GAO: Open. During our fiscal year 2007 audit, we identified 
instances at three of five SCCs we visited where security cameras did 
not provide an unobstructed view of the entire perimeter of the 
facility. We will evaluate IRS's corrective actions during our fiscal 
year 2008 audit. 

ID no.: 07-05; 
Recommendation: Revise instructions for quarterly physical security 
reviews to require analysts to (1) document any issues identified as 
well as planned implementation dates of corrective actions to be taken 
and (2) track the status of corrective actions identified during the 
quarterly assessments to ensure they are promptly implemented. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. Procedures were implemented requiring Physical 
Security analysts to document issues/problems during quarterly reviews, 
establish corrective action due dates, and track progress to ensure 
implementation of all corrective actions. The new procedures and 
reporting formats were implemented in June 2007. Compliance with the 
procedures is monitored during Physical Security area director 
operational reviews and random sampling by PPPO; 
Status per GAO: Closed. We verified that IRS revised its procedures and 
reporting formats to require its Physical Security analysts to (1) 
document concerns identified during quarterly physical security 
reviews, (2) establish corrective action implementation dates, and (3) 
track those actions to ensure and monitor implementation. 

ID no.: 07-06; 
Recommendation: Revise procedures contained in the Manual Refund Desk 
Reference to reflect the IRM requirements for manual refund initiators 
to (1) monitor the manual refund accounts in order to prevent duplicate 
refunds, and (2) document their monitoring actions. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. Employees have been instructed to recognize 
only IRM 3.17.79 and IRM 21 as the official authoritative guidance for 
processing manual refunds. Submission Processing (SP) conducted a 
conference call with designated campus planning and analysis staff, SP 
Headquarters staff and the IRM owner for 21.4.4, and issued a Hot Topic 
on April 30, 2007. SP also provided sites with this information and 
contacted authors of IRM 21.4.4 and IRM 4.4.19. Accounts Management and 
SB/SE Compliance will review the IRM to ensure that instructions are 
correct and that related training course modules are correct; 
Status per GAO: Closed. IRS's action satisfies the intent of this 
recommendation. 

ID no.: 07-07; 
Recommendation: Provide to all IRS units responsible for processing 
manual refunds the same most current version of the Manual Refund Desk 
Reference. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. W&I reinforced IRM 3.17.79.0 and 21.4.4 as the 
official authoritative guidance for processing manual refunds. SP 
provided sites with this information and also contacted authors of IRM 
21.4.4 and IRM 4.4.19. The Account Management analyst and the SB/SE 
Compliance analyst will review the IRM to ensure that instructions are 
correct and that related training course modules are accurate; 
Status per IRS: Closed. IRS's action satisfies the intent of this 
recommendation. 

ID no.: 07-08; 
Recommendation: Require that managers or supervisors provide the manual 
refund initiators in their units with training on the most current 
requirements to help ensure that they fulfill their responsibilities to 
monitor manual refunds and document their monitoring actions to prevent 
the issuance of duplicate refunds. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 07-689R, May 11, 2007); 
Status per IRS: Open. All W&I business functions conducted training by 
July 2007, except for Compliance, which is planned to be completed by 
April 2008. SP management reviews history sheets annotated with 
taxpayer identification numbers, tax period, transaction code, date, 
and initials of initiator. SP conducted team refresher training by July 
30, 2007. This refresher training will also be included in fiscal year 
2008 continuing professional education. A manual refunds refresher 
course was distributed by the Accounts Management Program 
Management/Process Assurance and training was completed by June 2007. 
The course emphasized the required monitoring of manual refunds and the 
documentation of monitoring actions. Accounts Management will conduct 
additional training by July 15, 2008, for employees who initiate manual 
refunds; 
Status per GAO: Open. We will review IRS's records of training during 
our fiscal year 2008 audit. 

ID no.: 07-09; 
Recommendation: Enhance its computer program to check for outstanding 
tax liabilities associated with both the primary and secondary Social 
Security Numbers shown on a joint tax return and apply credits to those 
balances before issuing any refund. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. IRS submitted a work request on June 26, 2007, 
to update its computer programs to check for outstanding liabilities 
associated with both the primary and secondary Social Security numbers 
on a joint tax return and offsetting to any outstanding TFRP liability 
before issuance of a refund. The programming change was implemented on 
January 20, 2008; 
Status per GAO: Open. The programming change was initiated after our 
fiscal year 2007 audit was complete. We will evaluate the effectiveness 
of IRS's corrective action during our fiscal year 2008 audit. 

ID no.: 07-10; 
Recommendation: Instruct Revenue Officers making the TFRP assessments 
to research whether the responsible officers are filing jointly with 
their spouses and to place a refund freeze on the joint account until 
the computer programming change can be completed. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. IRS counsel said that it was acceptable for the 
revenue officer to also freeze the refund of any spouse at the time of 
approval of recommendation for a TFRP assessment or at the time the 
TFRP assessment is made, Therefore, IRS's SB/SE issued interim guidance 
on July 23, 2007, for input of transaction code 130 to freeze potential 
individual master file refunds for all individuals determined 
responsible for the TFRP; 
Status per GAO: Closed. Based on our review of the IRS interim guidance 
issued on July 23, 2007, we verified that IRS instructed revenue 
officers making TFRP assessments to research whether responsible 
officers are filing jointly with their spouses and to place refund 
freezes on the joint accounts. 

ID no.: 07-11; 
Recommendation: Correct the penalty calculation programs in the master 
file so that penalties are calculated in accordance with the applicable 
Internal Revenue Code and implementing IRM guidance. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. IRS implemented a system change in January 2007 
to correct the penalty calculation program; 
Status per GAO: Open. We will evaluate the effectiveness of IRS's 
corrective action during our fiscal year 2008 audit. 

ID no.: 07-12; 
Recommendation: Research each of the taxpayer accounts that may have 
been affected by the penalty programming errors to determine whether 
they contain overassessed penalties and correct the accounts as needed. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. IRS implemented a system change in January 2007 
that corrected debit balance taxpayer accounts affected by the 
programming error; 
Status per GAO: Open. We will evaluate the effectiveness of IRS's 
corrective action during our fiscal year 2008 audit. 

ID no.: 07-13; 
Recommendation: Establish procedures and specify in the IRM that at the 
time of receipt, employees recording taxpayer payments should (1) 
determine if the payment is more than sufficient to cover the tax 
liability of the tax period specified on the payment or earliest 
outstanding tax period, (2) perform additional research to resolve any 
outstanding issues on the account, (3) determine whether the taxpayer 
has outstanding balances in other tax periods, and (4) apply available 
credits to satisfy the outstanding balances in other tax periods. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Open. The Deputy Commissioner for Services and 
Enforcement issued a memorandum to all functions titled "Service wide 
Action to Prevent Late Lien Releases," in January 2007. The memorandum 
directed manual lien releases when systemic processes do not release 
liens. Based on the memorandum, IRS revised several IRM sections. In 
addition, IRS plans to revise IRM 5.1.2 by May 2008 to include all four 
elements contained in this recommendation; 
Status per GAO: Open. During our fiscal year 2007 audit, we identified 
issues that resulted in the untimely release of a tax lien. We will 
continue to review IRS's corrective actions to address this issue 
during our fiscal year 2008 audit[Empty]. 

ID no.: 07-14; 
Recommendation: Establish procedures and specify in the IRM that 
employees review taxpayer accounts with freeze codes that contain 
credits weekly to (1) research and resolve any outstanding issues on 
the account, (2) determine whether the taxpayer has outstanding 
balances in other tax periods, and (3) apply available credits to 
satisfy the outstanding balances in other tax periods. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Open. IRS completed programming changes in January 2007 
that allow lien releases regardless of freeze codes. In addition, the 
Deputy Commissioner for Services and Enforcement issued a memorandum to 
all functions titled "Service wide Action to Prevent Late Lien 
Releases," in January 2007. The memorandum directed manual lien 
releases when systemic processes do not release liens. Based on the 
memorandum IRS revised several IRM sections. Finally, IRS plans to 
revise IRM 5.1.2 by May 2008 to include all of the elements contained 
in this recommendation; 
Status per GAO: Open. During our fiscal year 2007 audit, we identified 
issues that resulted in the untimely release of a tax lien. We will 
continue to review IRS's corrective actions to address this issue 
during our fiscal year 2008 audit. 

ID no.: 07-15; 
Recommendation: Issue a memorandum to employees in the Centralized 
Insolvency Office reiterating the IRM requirement to timely record 
bankruptcy discharge information onto taxpayer accounts in the master 
file or to manually release the liens in the Automated Lien System 
(ALS). (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Open. In order to facilitate timely lien releases, IRS 
put a new "My Eureka" report in place for the Centralized Insolvency 
Office. IRS generates and resolves issues on this report weekly. IRS 
revised IRM 5.9.17.11.6 in March 2007 to reference the report and 
request manual lien releases. Campus Compliance analysts conduct 
reviews quarterly to ensure appropriate actions are taken. However, 
IRS's fiscal year 2007 OMB Circular No. A-123 review of its lien 
release process identified two lien release errors associated with 
bankruptcy discharges. Therefore, IRS has added new action items to the 
Lien Release Action Plan, to establish new controls and oversight by 
management in CIO and Field Insolvency to ensure that IRM guidelines 
are followed and new procedures for Field Insolvency. In addition, IRS 
identified an instance where Field Insolvency failed to release a lien 
after an Exempt/Abandoned Asset review. Therefore, Collection Policy 
will review Field Insolvency by June 30, 2008, and consider the 
addition of new corrective actions to reduce lien errors based on this 
issue; 
Status per GAO: Open. During our fiscal year 2007 audit, we identified 
issues that resulted in the untimely release of a tax lien. We will 
continue to review IRS's corrective actions to address this issue 
during our fiscal year 2008 audit. 

ID no.: 07-16; 
Recommendation: Issue a memorandum to employees in the Centralized Lien 
Processing Unit reiterating the IRM requirement to date stamp and 
maintain the billing support voucher as evidence of timely processing 
by IRS. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. The IRM for the Centralized Lien Unit (CLU) 
provides specific direction to date stamp and maintain billing support 
vouchers (BSVs) as evidence of timely releases of federal tax liens. In 
November 2006 CLU began a new process of scanning BSVs, and associating 
BSVs with Specific Lien Identification (SLID) numbers in order to 
ensure that BSVs are retrievable and show that liens were timely 
released. IRS trained employees on this process as it was rolled out. 
In May 2007 IRS completed the 2007 OMB Circular No. A-123 review on the 
timeliness of lien releases. The review found that BSVs were stamped 
appropriately in all cases reviewed; 
Status per GAO: Closed. In our review of IRS's fiscal year 2007 OMB 
circular No. A-123 lien testing results, we verified that IRS was able 
obtain the date stamped billing vouchers for all of its sample items. 

ID no.: 07-17; 
Recommendation: Monitor installment agreement user fee activity on a 
regular basis. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 07-689R, May 11, 2007); 
Status per IRS: Closed. The collection activity reports (CAR) capture 
data each month on installment agreement activity. The number of 
installment agreements, number of user fees paid and user fee dollar 
amounts are extracted from the installment agreement reports. These 
reports are utilized by Headquarters to conduct month-to-month and year-
to-year comparisons for trend analysis. Headquarters will monitor 
collections on the CAR and balance those collections against what is 
projected and what is in the financial system, and use historical 
trends to identify issues; 
Status per IRS: Open. IRS's actions to monitor and analyze installment 
agreement user fee collections at headquarters were initiated after our 
fiscal year 2007 audit was completed. We will review and evaluate IRS's 
efforts to monitor installment agreement user fee activity during our 
fiscal year 2008 audit. 

ID no.: 07-18; 
Recommendation: Adjust errors in recorded installment agreement user 
fees as necessary to correctly reflect the user fees IRS earned and 
collected from taxpayers. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Open. A sweep process that collects paid fees and 
records them in the user fee account has been established. Effective 
January 2008, the sweep is run weekly to ensure accurate and more 
timely accounting of fee dollars; 
Status per GAO: Open. The action described in IRS's response does not 
fully ensure that recorded installment agreement user fees correctly 
reflect user fees earned and collected from taxpayers because it is not 
designed for that purpose. IRS's sweep (recovery) process is designed 
to identify and correct for unrecorded user fees collected with the 
initial installment agreement payment but incorrectly posted against 
the taxpayer's debt (tax module). We will continue to review and 
evaluate IRS's efforts to address issues related to installment 
agreement user fees during our fiscal year 2008 audit. 

ID no.: 07-19; 
Recommendation: Establish sufficient review procedures to help ensure 
that adjustments to installment agreement user fees collected from 
taxpayers are accurately and timely recorded. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. Steps to ensure appropriate assessment and 
collection of user fees are already in place. The user fee category on 
the Installment Agreement Accounts Listing (IAAL) compares unpaid and 
overpaid user fee money and makes adjustments accordingly. The IAAL for 
W&I is consolidated at one site. For both W&I and SBSE, the IAAL is 
subjected to Planning and Analysis Support, Managerial, Operations and 
Headquarters review; 
Status per GAO: Open. IRS was in the process of updating its operating 
procedures to account for and record new installment agreement user fee 
amounts when we completed our fiscal year 2007 audit. We will review 
and evaluate IRS's use of the IAAL and Managerial, Operations, and 
Headquarters review processes during our fiscal year 2008 audit. 

ID no.: 07-20; 
Recommendation: Establish and maintain sufficient secured storage space 
to properly secure and safeguard its property and equipment inventory, 
including in-stock inventories assets from incoming shipments, and 
assets that are in the process of being excessed and/or shipped out. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Open. IRS is identifying locations that need additional 
secured storage space and will obtain the necessary space as 
appropriate. Scheduled completion date is October 1, 2009. Processes 
and procedures are in place for business units to request space, either 
secured or non-secured. AWSS negotiated processes and procedures with 
the business units that are now part of AWSS's Senior Commissioner 
Representative Handbook. Business units needing secured space must 
follow established guidance. Also, processes have been set for business 
units to approve and fund their space requests; 
Status per GAO: Open. IRS has implemented a plan to obtain additional 
secured storage space as deemed necessary, with a scheduled completion 
date of October 1, 2009. We will monitor IRS's corrective actions 
during our fiscal years 2008 and 2009 audits. 

ID no.: 07-21; 
Recommendation: Develop and implement procedures to require that 
separate individuals place orders with vendors and perform receipt and 
acceptance functions when the orders are delivered. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 07-689R, May 11, 2007); 
Status per IRS: Closed. IRS updated the IRM in September 2007 and sent 
a reminder to those with acquisition authority about the IRS 
acquisition procedures developed in December 2002. The update included 
reference to Policy and Procedures Memorandum No. 46.5, "Receipt, 
Quality Assurance and Acceptance," reiterating requirements for 
separation of duties; 
Status per GAO: Open. Our fiscal year 2007 review of internal controls 
over property and equipment revealed that at least one IRS employee was 
permitted to place orders with vendors and perform receipt and 
acceptance functions when the orders were delivered. We will continue 
to evaluate IRS's corrective actions during our fiscal year 2008 audit. 

ID no.: 07-22; 
Recommendation: Document the results of internal control tests 
conducted in a manner sufficiently clear and complete to explain how 
control procedures were tested, what results were achieved, and how 
conclusions were derived from those results, without reliance on 
supplementary oral explanation. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Open. In the fiscal year 2007 A-123 cycle, IRS expanded 
its A-123 guidance, improved review procedures, and improved training. 
As IRS prepares for the fiscal year 2008 A-123 cycle, it plans to 
continue to further enhance its in-house training and has instituted 
procedures to address the clarity and completeness of its explanations; 
Status per GAO: Open. We will follow up during future audits to assess 
IRS's progress in implementing its OMB Circular No. A-123 review 
procedures. 

ID no.: 07-23; 
Recommendation: Clearly document how it considered existing reviews and 
audits in determining the nature, scope, and timing of procedures it 
planned to conduct under its A-123 process.; 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Open. In fiscal year 2007, IRS made progress on this 
recommendation by adding a requirement to test plan templates to 
document audits reviewed. During the fiscal year 2008 planning phase, 
IRS plans to fully document the existing reviews and audits; 
Status per GAO: Open. We will follow up during future audits to assess 
IRS's progress in implementing its OMB Circular No. A-123 review 
procedures. 

ID no.: 07-24; 
Recommendation: To the extent that it intends to use the information 
security work conducted under the Federal Information Security 
Management Act of 2002 (FISMA) to meet related A-123 requirements, 
identify the areas where the work conducted under FISMA does not meet 
the requirements of OMB Circular No. A-123 and, considering the 
findings and recommendations of our work on IRS's information security, 
expand FISMA procedures or perform additional procedures as part of the 
A-123 reviews to augment FISMA work. (short- term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Open. IRS plans to continue to work with the Department 
of the Treasury and GAO to fully implement OMB Circular No. A-123 
requirements for evaluating controls over information technology 
relating to financial statement reporting; 
Status per IRS: Open. We will follow up during future audits to assess 
IRS's progress in implementing its OMB Circular No. A-123 review 
procedures. 

ID no.: 07-25; 
Recommendation: Revise A-123 test plans to include appropriate 
consideration of the design of internal controls in addition to 
implementation of controls over individual transactions. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Open. IRS is piloting a limited set of fiscal year 2008 
test plans, which include an analysis of the design for each 
transaction control set tested, with full implementation expected in 
the fiscal year 2009 A-123 cycle; 
Status per GAO: Open. We will follow up during future audits to assess 
IRS's progress in implementing its OMB Circular No. A-123 review 
procedures. 

ID no.: 07-26; 
Recommendation: Work with Treasury to identify laws and regulations 
that are significant to financial reporting, test controls over 
compliance with those laws and regulations, and evaluate and report on 
the results of such control reviews. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Open. In fiscal year 2007, IRS established an internal 
crosswalk between A-123 tests and laws and regulations significant to 
financial reporting. IRS plans to further refine this linkage for the 
fiscal year 2008 A-123 process; 
Status per GAO: Open. We will follow up during future audits to assess 
IRS's progress in implementing its OMB Circular No. A-123 review 
procedures. 

ID no.: 07-27; 
Recommendation: Begin devising appropriate A-123 follow- up procedures 
for the last 3 months of the fiscal year to be implemented once the 
material weaknesses identified through the annual financial statement 
audits have been resolved. (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Open. Although implementation of such procedures is not 
necessary until elimination of the outstanding material weaknesses, IRS 
plans to develop follow-up procedures that provide assurance for the 
last 3 months of the fiscal year; 
Status per GAO: Open. We will follow up during future audits to assess 
IRS's progress in implementing its OMB Circular No. A-123 review 
procedures. 

ID no.: 07-28; 
Recommendation: Provide A-123 review staff appropriate training, such 
as that available for financial auditors, to enhance their skills in 
workpaper documentation, identification and testing of internal 
controls, and evaluation and documentation of results. (short- term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Open. IRS has enhanced training at the beginning of 
each A-123 cycle to include an external course designed for financial 
auditors on preparing workpapers. IRS evaluated results from fiscal 
year 2007 and has incorporated improvements to the fiscal year 2008 
training to ensure its curriculum addresses issues in testing approach, 
testing methodology, workpaper reviews, and lessons learned; 
Status per GAO: Open. We will follow up during future audits to assess 
IRS's progress in implementing its OMB Circular No. A-123 review 
procedures. 

ID no.: 08-01; 
Recommendation: As IRS proceeds with its implementation of CDDB, it 
should verify that when it becomes fully operational, CDDB, when used 
in conjunction with IRACS, will provide IRS with the direct transaction 
traceability for all of its tax-related transactions as required by the 
U.S. Standard General Ledger (SGL), Federal Financial Management System 
Requirements (FFMSR), and thus Federal Financial Management Improvement 
Act of 1996 (FFMIA). (long-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-02; 
Recommendation: Document and implement the specific procedures to be 
performed by the IRS statistician in each step of the unpaid assessment 
estimation process. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-03; 
Recommendation: Document and implement specific detailed procedures for 
reviewers to follow in their review of unpaid assessments statistical 
estimates. Specifically, IRS should require that a detailed supervisory 
review be performed to ensure: (1) the statistical validity of the 
sampling plans, (2) data entered into the sample selection programs 
agree with the sampling plans, (3) data entered into the statistical 
projection programs agree with IRS's sample review results, (4) data on 
the spreadsheets used to compile the interim projections and roll-
forward results trace back to supporting statistical projection 
results, and (5) the calculations on these spreadsheets are 
mathematically correct. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-04; 
Recommendation: To address the inconsistency in assigning the effective 
date of an accuracy penalty, modify the Business Master File computer 
program so that the date of the deficiency assessment is used as the 
effective date of any related accuracy penalty. (long-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-05; 
Recommendation: Complete and document the review of existing programs 
in the master files that affect penalty calculations to identify any 
instances in which programs are not functioning in accordance with the 
intent of the IRM. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-06; 
Recommendation: In instances where computer programs are not 
functioning in accordance with the intent of the IRM, take appropriate 
action to correct the programs so that they function in accordance with 
the IRM. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-07; 
Recommendation: Develop and provide comprehensive guidance to assist 
TAC managers to use in conducting reviews of outlying TACS and 
documenting the results. This guidance should include a description of 
the key controls that should be in place at outlying TACs, specify how 
often these key controls should be reviewed, and specify how the 
results of each review should be documented, including follow-up on 
issues identified in previous TAC reviews. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-08; 
Recommendation: Establish a process to periodically update and 
communicate the specific required reviews for all off-site TAC 
managers. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-09; 
Recommendation: Establish a mechanism to monitor compliance with 
existing requirement that TAC employees responsible for accepting 
taxpayer payments in cash have their computer system access 
appropriately restricted to limit their ability to adjust taxpayer 
accounts. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-10; 
Recommendation: Establish procedures requiring periodic verification 
that all individuals designated as first responders to TAC duress 
alarms are appropriately qualified and geographically located to 
respond to the potentially dangerous situations in an effective and 
timely manner. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-11; 
Recommendation: Modify the IRM to specify qualifications and 
geographical proximity requirements for individuals designated as first 
responders to duress alarms at IRS facilities, and to require that the 
responsibilities and qualifications of all designated first responders 
be periodically reviewed to verify that over time, they continue to be 
qualified and appropriately located, and to make any necessary 
adjustments. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-12; 
Recommendation: Establish procedures to require documentation 
demonstrating that favorable background checks have been completed for 
all contractors prior to allowing them access to TAC and other field 
offices. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-13; 
Recommendation: Require including, in all shredding service contracts, 
provisions requiring (1) completed background investigations for 
contractor employees before they are granted access to sensitive IRS 
information and (2) periodic, unannounced inspections at off-site 
shredding facilities by IRS to verify ongoing compliance with IRS 
safeguards and security requirements. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-14; 
Recommendation: Revise the IRM to include a requirement that IRS 
conduct periodic, unannounced inspections at off-site contractor 
facilities entrusted with sensitive IRS information; document the 
results, including identification of any security issues; and verify 
that the contractor has taken appropriate corrective actions on any 
security issues observed. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-15; 
Recommendation: Establish procedures to require obtaining and reviewing 
documentation of completed background investigations for all shredding 
contractors before granting them access to taxpayer or other sensitive 
IRS information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-16; 
Recommendation: Reinforce existing policies requiring the use of the 
revised Form 13094 when hiring juveniles. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-17; 
Recommendation: Reinforce existing policies requiring verification of 
the information on Form 13094 by contacting the reference directly and 
documenting the details of this contact. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-18; 
Recommendation: Issue a memorandum to Receipt Control Operations Unit 
staff reiterating existing requirements for (1) supervisory reviews of 
the processing of TE/GE user fee deposits and (2) key documentation to 
be signed and dated by the supervisor as evidence of that review. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-19; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase card approving 
officials and purchase cardholders sign and date monthly account 
statements attesting to their review and completion of the required 
reconciliation process. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-20; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase cardholders obtain 
funding approval or verify that funds are available for the intended 
purpose prior to making a purchase. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-21; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase card approving 
officials update and maintain appropriate supporting documentation. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-22; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase cardholders and 
purchase card approving officials retain copies of all supporting 
documents for a reasonable period of time, such as 3 years. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-23; 
Recommendation: Issue a memorandum addressed to all personnel 
responsible for updating inventory records that reiterates IRS's 
existing policy requiring that new assets be inputted into the 
inventory system within 10 days after receipt. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open. This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

ID no.: 08-24; 
Recommendation: Issue a memorandum to employees that reiterates IRS 
policy requiring all employees to obtain appropriate approvals of 
travel authorizations prior to the initiation of their travel. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will review 
IRS's corrective actions during future audits. 

Source: IRS updates detailing its actions to address GAO's 
recommendations and GAO's analysis of IRS's actions. 

[End of table] 

[End of section] 

Appendix II: Open Recommendations Arranged by Control or Compliance 
Issue: 

Financial Reporting: 

IRS does not have financial management systems adequate to enable it to 
accurately generate and report, in a timely manner, the information 
needed to both prepare financial statements and manage operations on an 
ongoing basis. To overcome these systemic deficiencies with respect to 
preparation of its annual financial statements, IRS was compelled to 
employ extensive compensating procedures. Specifically, IRS (1) did not 
have an adequate general ledger system for tax-related transactions, 
and (2) was unable to readily determine the costs of its activities and 
programs and did not have cost-based performance information to assist 
in making or justifying resource allocation decisions. As a result, IRS 
does not have real-time data needed to assist in managing operations on 
a day-to-day basis and to provide an informed basis for making or 
justifying resource allocation decisions. 

Table 12: Material Weakness: Controls over Financial Reporting: 

ID no.: 99-25; 
Recommendation: Ensure that additional staff are employed or existing 
staff appropriately cross-trained to be able to perform the master file 
extractions and other ad hoc procedures needed for IRS to continually 
develop reliable balances for financial reporting purposes. (short-
term); 
Control Activity: Management of human capital. 

ID no.: 99-29; 
Recommendation: Develop the data to support meaningful cost information 
categories and cost-based performance measures. (long- term); 
Control Activity: Establishment and review of performance measures and 
indicators. 

ID no.: 01-39; 
Recommendation: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities. (long-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 02-08; 
Recommendation: Implement policies and procedures to require that all 
employees itemize on their time cards the time spent on specific 
projects. (long-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 02-09; 
Recommendation: Implement policies and procedures to allocate 
nonpersonnel costs to programs and activities on a routine basis 
throughout the year. (long-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 08-01; 
Recommendation: As IRS proceeds with its implementation of CDDB, it 
should verify that when it becomes fully operational, CDDB, when used 
in conjunction with IRACS, will provide IRS with the direct transaction 
traceability for all of its tax-related transactions as required by the 
U.S. Standard General Ledger (SGL), Federal Financial Management System 
Requirements (FFMSR), and thus Federal Financial Management Improvement 
Act of 1996 (FFMIA). (long-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Unpaid Tax Assessments: 

IRS has serious internal control issues that affected its management of 
unpaid tax assessments. Specifically, (1) IRS lacked a subsidiary 
ledger for unpaid tax assessments that would allow it to produce 
accurate, useful, and timely information with which to manage and 
report externally, and (2) IRS experienced errors and delays in 
recording taxpayer information, payments, and other activities. 

Table 13: Material Weakness: Controls over Unpaid Assessments: 

ID. No.: 94-02; 
Recommendation: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts, and 
test the effectiveness of these actions. (short- term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID. No.: 99-01; 
Recommendation: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure that all accounts 
related to a single assessment are appropriately credited for payments 
received. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID. No.: 99-03; 
Recommendation: Ensure that IRS's modernization blueprint includes 
developing a subsidiary ledger to accurately and promptly identify, 
classify, track, and report all IRS unpaid assessments by amount and 
taxpayer. This subsidiary ledger must also have the capability to 
distinguish unpaid assessments by category in order to identify those 
assessments that represent taxes receivable versus compliance 
assessments and write-offs. In cases involving TFRP, the subsidiary 
ledger should ensure that (1) the TFRP assessment is appropriately 
tracked for all taxpayers liable but counted only once for reporting 
purposes and (2) all payments made are properly credited to the 
accounts of all individuals assessed for the liability. (short- term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID. No.: 99-20; 
Recommendation: Analyze and determine the factors causing delays in 
processing and posting Trust Fund Recovery Penalty (TFRP) assessments. 
Once these factors have been determined, IRS should develop procedures 
to reduce the impact of these factors and to ensure timely posting to 
all applicable accounts and proper offsetting of refunds against unpaid 
assessments before issuance. (long-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID. No.: 07-11; 
Recommendation: Correct the penalty calculation programs in the master 
file so that penalties are calculated in accordance with the applicable 
Internal Revenue Code and implementing IRM guidance. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID. No.: 07-12; 
Recommendation: Research each of the taxpayer accounts that may have 
been affected by the penalty programming errors to determine whether 
they contain overassessed penalties and correct the accounts as needed. 
(short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Tax Revenue and Refunds: 

IRS does not, at present, have agencywide cost-benefit information, 
related cost-based performance measures, or a systematic process for 
ensuring it is using its resources to maximize its ability to collect 
what is owed and minimize the disbursements of improper tax refunds in 
the context of its overall mission and responsibilities. These 
deficiencies inhibit IRS's ability to appropriately assess and 
routinely monitor the relative merits of its various initiatives and 
adjust its strategies as needed. This, in turn, can significantly 
affect both the level of tax revenue collected and the magnitude of 
improper refunds paid. 

Table 14: Material Weakness: Controls over Revenues and Issuing 
Refunds: 

ID no.: 01-04; 
Recommendation: As an alternative to prematurely suspending active 
collection efforts, and using the best available information, develop 
reliable cost-benefit data relating to collection efforts for cases 
with some collection potential. These cost-benefit data would include 
the full cost associated with the increased collection activity (i.e., 
salaries, benefits, administrative support), as well as the expected 
additional tax collections generated. (short-term); 
Control Activity: Establishment and review of performance measures and 
indicators. 

ID no.: 01-12; 
Recommendation: For (1) IRS's Automated Underreporter (AUR) and 
Combined Annual Wage Reporting (CAWR) programs, (2) screening and 
examination of Earned Income Tax Credit claims, and (3) identifying and 
collecting previously disbursed improper refunds, use the best 
available information to develop reliable cost-benefit data to estimate 
the tax revenue collected by, and the amount of improper refunds 
returned to, IRS for each dollar spent pursuing these outstanding 
amounts. These data would include (1) an estimate of the full cost 
incurred by IRS in performing each of these efforts, including the 
salaries and benefits of all staff involved, as well as any related 
nonpersonnel costs, such as supplies and utilities and (2) the actual 
amount (a) collected on tax amounts assessed and (b) recovered on 
improper refunds disbursed. (long-term); 
Control Activity: Establishment and review of performance measures and 
indicators. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Information Security: 

Significant weaknesses in information security controls continue to 
threaten the confidentiality, integrity, and availability of IRS's 
financial processing systems and information. IRS has weaknesses in 
controls for protecting access to systems and information, as well as 
other information security controls that affect key financial systems-
-particularly IFS and IRACS. For example, sensitive information, 
including user identification, passwords, and software code for mission-
critical applications, was accessible on an internal Web site to anyone 
who could connect to IRS's internal network--without having to log in 
to the network. The information gained through this access could be 
used to alter data flowing to and from IFS. In addition, configuration 
flaws in the mainframe allowed users unrestricted access to all 
programs and data on the mainframe, including IRACS. Because this 
access was not controlled by the security system, no security violation 
logs would be created, reducing IRS's ability to detect unauthorized 
access. Weaknesses also existed in other areas, such as protecting 
against unauthorized physical access to sensitive computer resources 
and patching servers to protect against known vulnerabilities. 

Material Weakness: Controls over Information Systems Security: 

Although IRS has made some progress in addressing previous weaknesses 
we identified in its information systems security controls and physical 
security controls, these and new weaknesses in information systems 
security continue to impair IRS's ability to ensure the 
confidentiality, integrity, and availability of financial and tax- 
processing systems. As of January 2008, there were 76 open 
recommendations from our information systems security work designed to 
help IRS improve its information systems security controls. Our 
recommendations resulting from our information systems security work 
are reported separately and are not included in this report primarily 
because of the sensitive nature of some of those issues. 

Hard-Copy Tax Receipts and Taxpayer Information: 

IRS manually processes hundreds of billions of dollars of hard-copy 
taxpayer receipts and related taxpayer information at its service 
center campuses, field office taxpayer assistance centers, other field 
office units, and commercial lockbox banks. However, we have identified 
weaknesses in IRS's controls designed to safeguard these taxpayer 
receipts and information which increase the risk that receipts in the 
form of checks, cash, and the like could be misappropriated or that the 
information could be compromised. 

Table 15: Significant Deficiency: Controls over Hard-Copy Receipts and 
Taxpayer Information: 

ID no.: 99-22; 
Recommendation: Expand IRS's current review of campus deterrent 
controls to include similar analyses of controls at IRS field offices 
in areas such as courier security, safeguarding of receipts in locked 
containers, requirements for fingerprinting employees, and requirements 
for promptly overstamping checks made out to "IRS" with "Internal 
Revenue Service" or "United States Treasury." Based on the results, IRS 
should make appropriate changes to strengthen its physical security 
controls. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 02-16; 
Recommendation: Ensure that field office management complies with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments. (short-
term); 
Control Activity: Segregation of duties. 

ID no.: 04-08; 
Recommendation: Enforce policies and procedures to ensure that service 
center campus security guards respond to alarms. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 05-11; 
Recommendation: Enforce adherence to existing instructions on 
safeguarding taxpayer receipts and information, such as securing access 
and candling procedures, at service center campuses selected for 
significant reductions in their submission processing functions. (short-
term); 
Control Activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 05-13; 
Recommendation: Enforce its existing requirement that appropriate 
background investigations be completed for contractors before they are 
granted staff-like access to service centers. (short- term); 
Control Activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 05-14; 
Recommendation: Require that background investigation results for 
contractors (or evidence thereof) be on file where necessary, including 
at contractor worksites and security offices responsible for 
controlling access to sites containing taxpayer receipts and 
information. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 05-32; 
Recommendation: Establish policies and procedures to require 
appropriate segregation of duties in small business/self- employed 
units of field offices with respect to preparation of payment posting 
vouchers, document transmittal forms, and transmittal packages. (short-
term); 
Control Activity: Segregation of duties. 

ID no.: 05-33; 
Recommendation: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 06-01; 
Recommendation: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-02; 
Recommendation: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including SCCs, TACs, and units within Large and 
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities 
(TE/GE), establish a system to track acknowledged copies of document 
transmittals. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-04; 
Recommendation: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-05; 
Recommendation: Equip all Taxpayer Assistance Centers (TACs) with 
adequate physical security controls to deter and prevent unauthorized 
access to restricted areas or office space occupied by other IRS units, 
including those TACs that are not scheduled to be reconfigured to the 
"new TAC" model in the near future. This includes appropriately 
separating customer service waiting areas from restricted areas in the 
near future by physical barriers such as locked doors marked with signs 
barring entrance by unescorted customers. (short- term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 06-07; 
Recommendation: Document supervisory visits by offsite managers to TACS 
not having a manager permanently on-site. This documentation should be 
signed by the manager and should (1) record the time and date of the 
visit, (2) identify the manager performing the visit, (3) indicate the 
tasks performed during the visit, (4) note any problems identified, and 
(5) describe corrective actions planned. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-08; 
Recommendation: Enforce the requirement that all security or other 
responsible personnel at service center campuses (SCC) and lockbox 
banks record all instances involving the activation of intrusion alarms 
regardless of the circumstances that may have caused the activation. 
(short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 06-15; 
Recommendation: Revise the physical security procedures in the Internal 
Revenue Manual (IRM) to require that all SCCs and any respective annex 
facilities processing taxpayer receipts and/or information perform and 
document monthly tests of the facility's intrusion detection alarms. At 
a minimum, these procedures should (1) outline the type of test to be 
conducted, (2) include criteria for assessing whether the controls used 
to respond to the alarm were effective, and (3) require that a logbook 
be maintained to document the test dates, results, and response 
information. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 07-01; 
Recommendation: Enforce the existing policy requiring that all lockbox 
banks encrypt backup media containing federal taxpayer information. 
(short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 07-02; 
Recommendation: Ensure that lockbox banks store backup media containing 
federal taxpayer information at an off-site location as required by the 
2006 Lockbox Security Guidelines. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 07-03; 
Recommendation: Revise instructions for the annual reviews of lockbox 
banks to encompass routine monitoring of backup media containing 
personally identifiable information to ensure that this information is 
(1) encrypted prior to transmission and (2) stored in an appropriate 
off-site location. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 07-04; 
Recommendation: Develop and implement appropriate corrective actions 
for any gaps in closed circuit TV (CCTV) camera coverage that do not 
provide an unobstructed view of the entire exterior of the SCC's 
perimeter, such as adding or repositioning existing CCTV cameras or 
removing obstructions. (short-term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 08-07; 
Recommendation: Develop and provide comprehensive guidance to assist 
TAC managers to use in conducting reviews of outlying TACS and 
documenting the results. This guidance should include a description of 
the key controls that should be in place at outlying TACs, specify how 
often these key controls should be reviewed, and specify how the 
results of each review should be documented, including follow-up on 
issues identified in previous TAC reviews. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-08; 
Recommendation: Establish a process to periodically update and 
communicate the specific required reviews for all off-site TAC 
managers. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-09; 
Recommendation: Establish a mechanism to monitor compliance with 
existing requirement that TAC employees responsible for accepting 
taxpayer payments in cash have their computer system access 
appropriately restricted to limit their ability to adjust taxpayer 
accounts. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-10; 
Recommendation: Establish procedures requiring periodic verification 
that all individuals designated as first responders to TAC duress 
alarms are appropriately qualified and geographically located to 
respond to the potentially dangerous situations in an effective and 
timely manner. (short-term); 
Control Activity: Management of human capital. 

ID no.: 08-11; 
Recommendation: Modify the IRM to specify qualifications and 
geographical proximity requirements for individuals designated as first 
responders to duress alarms at IRS facilities, and to require that the 
responsibilities and qualifications of all designated first responders 
be periodically reviewed to verify that over time, they continue to be 
qualified and appropriately located, and to make any necessary 
adjustments. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 08-12; 
Recommendation: Establish procedures to require documentation 
demonstrating that favorable background checks have been completed for 
all contractors prior to allowing them access to TAC and other field 
offices. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 08-13; 
Recommendation: Require including, in all shredding service contracts, 
provisions requiring (1) completed background investigations for 
contractor employees before they are granted access to sensitive IRS 
information, and (2) periodic, unannounced inspections at off-site 
shredding facilities by IRS to verify ongoing compliance with IRS 
safeguards and security requirements. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-14; 
Recommendation: Revise the IRM to include a requirement that IRS 
conduct periodic, unannounced inspections at off-site contractor 
facilities entrusted with sensitive IRS information, document the 
results, including identification of any security issues, and verify 
that the contractor has taken appropriate corrective actions on any 
security issues observed. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-15; 
Recommendation: Establish procedures to require obtaining and reviewing 
documentation of completed background investigations for all shredding 
contractors before granting them access to taxpayer or other sensitive 
IRS information. (short-term); 
Control Activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 08-16; 
Recommendation: Reinforce existing policies requiring the use of the 
revised Form 13094 when hiring juveniles. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-17; 
Recommendation: Reinforce existing policies requiring verification of 
the information on Form 13094 by contacting the reference directly and 
documenting the details of this contact. (short- term); 
Control Activity: Management of human capital. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Release of Federal Tax Liens: 

IRS did not always release the applicable federal tax lien within 30 
days of the tax liability being either paid off or abated, as required 
by the Internal Revenue Code. The Internal Revenue Code grants IRS the 
power to file a lien against the property of any taxpayer who neglects 
or refuses to pay all assessed federal taxes. The lien serves to 
protect the interest of the federal government and as a public notice 
to current and potential creditors of the government's interest in the 
taxpayer's property. Under section 6325 of the Internal Revenue Code, 
IRS is required to release federal tax liens within 30 days after the 
date the tax liability is satisfied or has become legally unenforceable 
or the Secretary of the Treasury has accepted a bond for the assessed 
tax. 

Table 16: Compliance with Laws and Regulations: Timely Release of 
Liens: 

ID no.: 01-06; 
Recommendation: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-13; 
Recommendation: Establish procedures and specify in the IRM that at the 
time of receipt, employees recording taxpayer payments should (1) 
determine if the payment is more than sufficient to cover the tax 
liability of the tax period specified on the payment or earliest 
outstanding tax period, (2) perform additional research to resolve any 
outstanding issues on the account, (3) determine whether the taxpayer 
has outstanding balances in other tax periods, and (4) apply available 
credits to satisfy the outstanding balances in other tax periods. 
(short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 07-14; 
Recommendation: Establish procedures and specify in the IRM that 
employees review taxpayer accounts with freeze codes that contain 
credits weekly to (1) research and resolve any outstanding issues on 
the account, (2) determine whether the taxpayer has outstanding 
balances in other tax periods, and (3) apply available credits to 
satisfy the outstanding balances in other tax periods. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 07-15; 
Recommendation: Issue a memorandum to employees in the Centralized 
Insolvency Office reiterating the IRM requirement to timely record 
bankruptcy discharge information onto taxpayer accounts in the master 
file or to manually release the liens in the Automated Lien System 
(ALS). (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Other Control Issues: 

The recommendations listed below do not rise to the level of a 
significant deficiency or a material weakness. However, these issues do 
represent weaknesses in various aspects of IRS's control environment 
that should be addressed. 

Table 17: Other Control Issues Not Associated with a Material Weakness 
or Significant Deficiency: 

ID no.: 99-36; 
Recommendation: Make enhancements to IRS financial systems to include 
recording plant and equipment (P&E) and capital leases as assets when 
purchased and to generate detailed records for P&E that reconcile to 
the financial records. (long-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 01-17; 
Recommendation: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur. (long-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 02-18; 
Recommendation: Work with the National Finance Center (NFC) to resolve 
the technical limitations that exist within the Security Entry and 
Tracking System (SETS) database and continue to periodically review 
SETS data to detect and correct errors. (short- term); 
Control Activity: Controls over Information processing. 

ID no.: 05-37; 
Recommendation: Enforce documentation requirements relating to 
authorizing officials charged with approving manual refunds. (short-
term); 
Control Activity: Proper execution of transactions and events. 

ID no.: 05-38; 
Recommendation: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts for manual refunds. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 05-39; 
Recommendation: Enforce requirements for documenting monitoring actions 
and supervisory review for manual refunds. (short- term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-22; 
Recommendation: Direct Facilities Management Branch managers to 
research and resolve the aging reports (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 07-08; 
Recommendation: Require that managers or supervisors provide the manual 
refund initiators in their units with training on the most current 
requirements to help ensure that they fulfill their responsibilities to 
monitor manual refunds and document their monitoring actions to prevent 
the issuance of duplicate refunds. (short-term); 
Control Activity: Management of human capital. 

ID no.: 07-09; 
Recommendation: Enhance its computer program to check for outstanding 
tax liabilities associated with both the primary and secondary Social 
Security numbers shown on a joint tax return and apply credits to those 
balances before issuing any refund. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 07-17; 
Recommendation: Monitor installment agreement user fee activity on a 
regular basis. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-18; 
Recommendation: Adjust errors in recorded installment agreement user 
fees as necessary to correctly reflect the user fees IRS earned and 
collected from taxpayers. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 07-19; 
Recommendation: Establish sufficient review procedures to help ensure 
that adjustments to installment agreement user fees collected from 
taxpayers are accurately and timely recorded. (short- term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-20; 
Recommendation: Establish and maintain sufficient secured storage space 
to properly secure and safeguard its property and equipment inventory, 
including in-stock inventory assets from incoming shipments, and assets 
that are in the process of being excessed and/or shipped out. (short-
term); 
Control Activity: Physical control over vulnerable assets. 

ID no.: 07-21; 
Recommendation: Develop and implement procedures to require that 
separate individuals place orders with vendors and perform receipt and 
acceptance functions when the orders are delivered. (short- term); 
Control Activity: Segregation of duties. 

ID no.: 07-22; 
Recommendation: Document the results of internal control tests 
conducted in a manner sufficiently clear and complete to explain how 
control procedures were tested, what results were achieved, and how 
conclusions were derived from those results, without reliance on 
supplementary oral explanation. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-23; 
Recommendation: Clearly document how it considered existing reviews and 
audits in determining the nature, scope, and timing of procedures it 
planned to conduct under its A-123 process. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-24; 
Recommendation: To the extent that it intends to use the information 
security work conducted under the Federal Information Security 
Management Act of 2002 (FISMA) to meet related A-123 requirements, 
identify the areas where the work conducted under FISMA does not meet 
the requirements of OMB Circular No. A-123 and, considering the 
findings and recommendations of our work on IRS's information security, 
expand FISMA procedures or perform additional procedures as part of the 
A-123 reviews to augment FISMA work. (short- term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-25; 
Recommendation: Revise A-123 test plans to include appropriate 
consideration of the design of internal controls in addition to 
implementation of controls over individual transactions. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-26; 
Recommendation: Work with Treasury to identify laws and regulations 
that are significant to financial reporting, test controls over 
compliance with those laws and regulations, and evaluate and report on 
the results of such control reviews. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-27; 
Recommendation: Begin devising appropriate A-123 follow- up procedures 
for the last three months of the fiscal year to be implemented once the 
material weaknesses identified through the annual financial statement 
audits have been resolved. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-28; 
Recommendation: Provide A-123 review staff appropriate training, such 
as that available for financial auditors, to enhance their skills in 
workpaper documentation, identification and testing of internal 
controls, and evaluation and documentation of results. (short- term); 
Control Activity: Management of human capital. 

ID no.: 08-02; 
Recommendation: Document and implement the specific procedures to be 
performed by the IRS statistician in each step of the unpaid assessment 
estimation process. (short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-03; 
Recommendation: Document and implement specific detailed procedures for 
reviewers to follow in their review of unpaid assessments statistical 
estimates. Specifically, IRS should require that a detailed supervisory 
review be performed to ensure: (1) the statistical validity of the 
sampling plans, (2) data entered into the sample selection programs 
agree with the sampling plans, (3) data entered into the statistical 
projection programs agree with IRS's sample review results, (4) data on 
the spreadsheets used to compile the interim projections and roll-
forward results trace back to supporting statistical projection 
results, and (5) the calculations on these spreadsheets are 
mathematically correct. (short-term); 
Control Activity: Management of human capital. 

ID no.: 08-04; 
Recommendation: To address the inconsistency in assigning the effective 
date of an accuracy penalty, modify the Business Master File computer 
program so that the date of the deficiency assessment is used as the 
effective date of any related accuracy penalty. (long-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 08-05; 
Recommendation: Complete and document the review of existing programs 
in the master files that affect penalty calculations to identify any 
instances in which programs are not functioning in accordance with the 
intent of the IRM. (long-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 08-06; 
Recommendation: In instances where computer programs are not 
functioning in accordance with the intent of the IRM, take appropriate 
action to correct the programs so that they function in accordance with 
the IRM. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 08-18; 
Recommendation: Issue a memorandum to Receipt Control Operations Unit 
staff reiterating existing requirements for (1) supervisory reviews of 
the processing of TE/GE user fee deposits, and (2) key documentation to 
be signed and dated by the supervisor as evidence of that review. 
(short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 08-19; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase card approving 
officials and purchase cardholders sign and date monthly account 
statements attesting to their review and completion of the required 
reconciliation process. (short-term); 
Control Activity: Reviews by management at the functional or activity 
level. 

ID no.: 08-20; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase cardholders obtain 
funding approval or verify that funds are available for the intended 
purpose prior to making a purchase. (short-term); 
Control Activity: Proper execution of transactions and events. 

ID no.: 08-21; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase card approving 
officials update and maintain appropriate supporting documentation. 
(short-term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-22; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase cardholders and 
purchase card approving officials retain copies of all supporting 
documents for a reasonable period of time, such as three years. (short-
term); 
Control Activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-23; 
Recommendation: Issue a memorandum addressed to all personnel 
responsible for updating inventory records that reiterates IRS's 
existing policy requiring that new assets be inputted into the 
inventory system within 10 days after receipt. (short-term); 
Control Activity: Accurate and timely recording of transactions and 
events. 

ID no.: 08-24; 
Recommendation: Issue a memorandum to employees that reiterates IRS 
policy requiring all employees to obtain appropriate approvals of 
travel authorizations prior to the initiation of their travel. (short-
term); 
Control Activity: Proper execution of transactions and events. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

[End of section] 

Appendix III: Comments from the Internal Revenue Service: 

Department Of The Treasury: 
Internal Revenue Service: 
Washington, D.C. 20224: 

June 24, 2008: 

Mr. Steven J. Sebastian: 
Director: 
Financial Management and Assurance: 
U.S. Government Accountability Office: 
441 G Street, N.W.: 
Washington, D.C. 20548: 

Dear Mr. Sebastian: 

I am writing in response to the Government Accountability Office (GAO) 
draft report titled, IRS: Status of GAO Financial Audit and Related 
Financial Management Report Recommendations (GAO-08-693). 

As GAO noted in the report, IRS continues to make significant progress 
in improving our internal controls and financial management as 
evidenced by eight consecutive years of clean audit opinions on our 
financial statements. We are pleased that you acknowledged our progress 
in addressing our financial management challenges and agreed to close 
18 prior year financial management recommendations. 

We are committed to implementing appropriate improvements to ensure 
that the IRS maintains sound financial management practices. If you 
have any questions, please contact Alison Doone, Chief Financial 
Officer, at (202) 622-6400. 

Sincerely,

Signed by: 

Douglas H. Shulman

[End of section] 

Appendix IV Staff Acknowledgments: 

GAO Contact: 

Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov: 

Acknowledgments: 

In addition to the contact named above, the following individuals made 
major contributions to this report: William J. Cordrey, Assistant 
Director; Gloria Cano; Stephanie Chen; Nina Crocker; John Davis; 
Charles Ego; Charles Fox; Valerie Freeman; Ted Hu; Delores Lee; John 
Sawyer; Angel Sharma; Peggy Smith; Cynthia Teddleton; and Gary Wiggins. 

[End of section] 

Footnotes: 

[1] Management is responsible for establishing and maintaining internal 
control to achieve the objectives of effective and efficient 
operations, reliable financial reporting, and compliance with 
applicable laws and regulations. Part of the actions required by 
agencies and individual federal managers includes taking proactive 
measures to develop and implement appropriate, cost-effective internal 
control for results-oriented management; to assess the adequacy of 
internal control in federal programs and operations; to identify needed 
improvements; and to take corresponding corrective actions. 

[2] A material weakness is a significant deficiency, or combination of 
significant deficiencies, that results in more than a remote likelihood 
that a material misstatement of the financial statements will not be 
prevented or detected. A significant deficiency is a control 
deficiency, or combination of deficiencies, that adversely affects the 
entity's ability to initiate, authorize, record, process, or report 
financial data reliably in accordance with generally accepted 
accounting principles such that there is more than a remote likelihood 
that a misstatement of the entity's financial statements that is more 
than inconsequential will not be prevented or detected. A control 
deficiency exists when the design or operation of a control does not 
allow management or employees, in the course of performing their 
assigned functions, to prevent or detect misstatements on a timely 
basis. 

[3] GAO, Management Report: Improvements Needed in IRS's Internal 
Controls, GAO-08-368R (Washington, D.C.: June 4, 2008). 

[4] GAO, Financial Audit: IRS's Fiscal Years 2007 and 2006 Financial 
Statements, GAO-08-166 (Washington, D.C.: Nov. 9, 2007). 

[5] GAO, Standards for Internal Control in the Federal Government, GAO/ 
AIMD-00-21.3.1 (Nov. 1999). 

[6] The circular requires agencies and individual federal managers to 
take systematic and proactive measures to (1) develop and implement 
appropriate, cost-effective internal control for results-oriented 
management; (2) assess the adequacy of internal control in federal 
programs and operations; (3) separately assess and document internal 
control over financial reporting consistent with the process defined in 
Appendix A of the circular; (4) identify needed improvements; (5) take 
corresponding corrective action; and (6) report annually on internal 
control through management assurance statements. 

[7] GAO, Internal Control Standards: Internal Control Management and 
Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001). 

[8] GAO/AIMD-12.19.6 (Washington, D.C.: January 1999). FISCAM contains 
guidance for reviewing information system controls that affect the 
security of computerized data (revised June 2001). 

[9] GAO, Internal Revenue Service: Status of Financial Audit and 
Related Financial Management Report Recommendations, GAO-07-629 
(Washington, D.C.: June 7, 2007). 

[10] GAO-08-368R. 

[11] We define short-term recommendations as those that we believe 
could be addressed within 2 years at the time we made the 
recommendation. We define long-term recommendations as those we 
expected to require 2 years or more to implement at the time we made 
the recommendation. 

[12] The vast majority of federal tax payments are made for both 
businesses and individuals via the Electronic Federal Tax Payment 
System. 

[13] Information security controls include electronic access controls, 
software change controls, physical security, segregation of duties, and 
service continuity. These controls are designed to ensure that access 
to data is appropriately restricted, only authorized changes to 
computer programs are made, physical access to sensitive computing 
resources and facilities is protected, computer security duties are 
segregated, and backup and recovery plans are adequate to ensure the 
continuity of essential operations. 

[14] GAO, Information Security: IRS Needs to Address Pervasive 
Weaknesses, GAO-08-211 (Washington, D.C.: Jan. 8, 2008). 

[15] Most refunds are generated automatically. However, under certain 
circumstances, IRS processes refunds manually to expedite payment. Such 
refunds include those over $10 million, those requested by taxpayers 
for immediate payment due to hardship or emergency, those to 
beneficiaries of deceased taxpayers, and those that need to be 
expedited because IRS is in jeopardy of paying interest for exceeding 
the 45-day limit for processing a return. 

[16] GAO -08-166. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:  

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548:  

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061:  

To Report Fraud, Waste, and Abuse in Federal Programs:  

Contact:  

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470:  

Congressional Relations:  

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: