Management Report:

Improvements Needed in IRS's Internal Controls and Accounting Procedures

GAO-04-553R: Published: Apr 26, 2004. Publicly Released: Apr 26, 2004.

Additional Materials:

Contact:

Steven J. Sebastian
(202) 512-9521
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In November 2003, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of and for the fiscal years ending September 30, 2003 and 2002, and on the effectiveness of its internal controls as of September 30, 2003. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996. A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports including this one will be issued shortly. The purpose of this report is to discuss issues identified during our fiscal year 2003 audit regarding internal controls and accounting procedures that could be improved for which we do not presently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2003 audit report, they all warrant management's consideration.

During fiscal year 2003, we identified a number of internal control issues that adversely affected safeguarding of tax receipts, budgeting, operating costs, and financial reporting. These issues concern (1) enforcement of lockbox bank contractor policies, (2) courier service requirements, (3) lockbox bank management reviews, (4) candling, (5) safeguarding of taxpayer receipts and information at IRS field offices and service center campuses, (6) physical security, (7) deobligation of funds, (8) overpayments to employees' Thrift Savings Plan (TSP) accounts, (9) financial statement disclosures, and (10) interim performance measures.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: IRS reported that to provide more emphasis on security, the Lockbox Security Guidelines (LSG) 2.5 now requires appropriate documentation for couriers and guards before they are granted access to taxpayer receipts. To ensure compliance with the LSG, IRS and Financial Management Service security has included this as a review item during their security reviews. GAO verified that the LSG does include a requirement that lockbox managers maintain documentation on-site demonstrating that satisfactory fingerprint results have been received before contractors are granted access to taxpayer receipts and data. During its fiscal year 2005 audit, GAO did not identify any instances in which contractors were granted access to taxpayer receipts and data without having satisfactory fingerprint results on file at the lockbox banks that we visited.

    Recommendation: IRS should require lockbox bank managers to maintain appropriate documentation on-site demonstrating that satisfactory fingerprint results have been received before contractors are granted access to taxpayer receipts and data.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: IRS reported that on February 14, 2005, the 2005 Lockbox Processing Guidelines (LPG) were updated and current courier requirements were reinforced with an addendum entitled "Courier's Additional Disclosure Statement." Each courier is required to complete and sign the disclosure, affirming that he or she is not to travel with an immediate family member. In addition, each courier is required to list the name and relationship of each family member residing in the same domicile that also performs courier duties for the IRS. The disclosure statement is updated annually and maintained in the personnel file. Starting in July 2005, during the onsite reviews the IRS and Financial Management Service security team began reviewing the disclosure statements to ensure adherence to this requirement. GAO confirmed that IRS updated its policy on two-person courier teams for lockbox banks as reflected in the revised LPG. Additionally, GAO identified no instances in which two-person courier teams consisted of closely related individuals during our fiscal year 2005 testing at the four lockbox banks and four service center campuses that we visited.

    Recommendation: IRS should revise its policy on two-person courier teams to prohibit the use of courier teams consisting of closely related individuals to further minimize the risk of collusion in the theft of taxpayer receipts and data.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Closed - Implemented

    Comments: IRS now conducts on-site reviews of (1) logs for desk and work areas, (2) date stamps, (3) procedures for handling cash, (4) candling procedures, (5) shredding procedures, and (6) mail procedures using the Data Collection Instrument (DCI) entitled "Procedures-Internal Controls". IRS rolls the results of these reviews into a calculation to determine each bank's score as part of a new bank performance measurement process. In addition, IRS requires lockbox personnel to perform similar reviews monthly and to report the results to the Lockbox Field Coordinators. To comply with the Lockbox Processing Guidelines, these reports must contain: (1) date of review, (2) shifts reviewed, (3) results of the review (even when no items are found), and (4) a reviewer and site manager's initials and/or a signature. Furthermore, IRS stated that additional reviews are performed on the monthly Discovered Remittance candling log, the disk checks/audits, and the shred reports received from the lockbox site by the Lockbox Field Coordinators. GAO verified that IRS established and implemented a Processing Internal Controls and Physical Security DCI, and that these DCIs are used to assess the required managerial reviews that are performed at each lockbox bank.

    Recommendation: IRS should develop procedures to require lockbox managers to provide satisfactory evidence that managerial reviews are performed in accordance with established guidelines. At a minimum, reviewers should sign and date the reviewed documents and provide any comments that may be appropriate in the event that their reviews identified problems or raised questions.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Closed - Implemented

    Comments: IRS reported that Lockbox Policy and Procedures staff assessed the candling procedures and determined that current technologies are not exempt from the candling requirement and added to the 2005 Lockbox Processing Guidelines (LPG) section 3.2.8(1) that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled once on the candling tables. Thus, the requirement to keep tests and logs is not necessary. All other envelopes must be candled twice on the candling tables. During its fiscal year 2005 audit, GAO verified that the LPG requires that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled one additional time on the candling table. This change and IRS's assessment that current technologies are not exempt from the two candling requirement satisfies the objective of GAO's recommendation.

    Recommendation: IRS should revise its candling procedures at lockbox banks to require testing of automated candling machines at appropriate intervals, taking into account such factors as use time, volume processed, machine requirements, and shift cycles.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Closed - Implemented

    Comments: IRS reported that Lockbox Policy and Procedures staff assessed the candling procedures and determined that current technologies are not exempt from the candling requirement and added to the 2005 Lockbox Processing Guidelines (LPG) section 3.2.8(1) that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled once on the candling tables. Thus, the requirement to keep tests and logs is not necessary. All other envelopes must be candled twice on the candling tables. During its fiscal year 2005 audit, GAO verified that the LPG requires that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled one additional time on the candling table. This change and IRS's assessment that current technologies are not exempt from the two candling requirement satisfies the objective of GAO's recommendation.

    Recommendation: IRS should require lockbox managers to maintain logs of these tests and to periodically review their logs.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  6. Status: Closed - Implemented

    Comments: IRS reported that written procedures have been provided to TAC employees for safeguarding taxpayer receipts when received. IRM 21.3.4.7(6), issued in June 2003, provides guidance stating that payments received from taxpayers will be immediately placed in a locked container. The receipts are also stored away from employees' personal belongings. IRS will continue to conduct operational reviews at TAC offices to ensure IRM procedures are being followed. The TAC location that was noted for securing payments from taxpayers outside the secure area of the TAC was contacted and the location of the desk has been moved inside the secured area of the TAC. The TAC manager was informed to ensure all TAC operations are conducted inside the secured area of the TAC. IRS monitored adherence to IRM procedures related to receiving and storing taxpayer data in secured areas during operational reviews conducted in fiscal year 2004. No discrepancies were noted. GAO verified that IRS included monitoring of its policy and procedures regarding receiving and storing taxpayer data in secured areas during operational reviews conducted in fiscal year 2004. In addition, GAO did not find any instances during its fiscal year 2004 audit visits to IRS field offices in which taxpayer receipts and data stored outside the TAC secured areas were not stored in a secured locked container.

    Recommendation: IRS should discontinue its practice of storing taxpayer receipts and data outside TAC secured areas without storing the receipts in a secured locked container.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  7. Status: Closed - Implemented

    Comments: IRS issued revised procedures covering discovered remittances which were distributed to all Service Center campuses. Additionally, IRS revised its Form 4287, (Record of Discovered Remittances), to enhance adherence to existing instructions by including a check box for managers to indicate the reconciliation was performed. Additionally, IRS's Submission Processing (SP) revised the monthly security checklist to include a review of the discovered remittance procedures. IRS also added a "Discovered Remittances Job Aid" to its written procedures. SP is committed to conducting quarterly meetings with noncompliant offices to reinforce Discovered Remittances procedures. GAO verified IRS's actions and concluded that these actions effectively addressed the issues that gave rise to the recommendation.

    Recommendation: IRS should develop procedures to enhance adherence to existing instructions on safeguarding discovered remittances at service center campuses.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  8. Status: Closed - Implemented

    Comments: According to IRS, it enforces monthly unannounced monitoring of guard response to alarms. Its Physical Security and Emergency Preparedness (PSEP) Risk Management (RM) office conducted an Alarm Monitoring Workshop on April 28, 2009, that included this topic. RM sends a calendar/reminder to alarm program coordinators each Friday before the monthly report is due, and continues to oversee and ensure compliance of alarm testing and results via internal reporting tools. A communication was distributed to PSEP Operational Readiness to reiterate policy on guard response to alarms on February 2, 2010. GAO confirmed that IRS continually enforces its policies and procedures to ensure that Service Center Campus security guards respond to alarms, that it sends monthly reminders to alarm program coordinators to ensure that alarms are tested and guards' responses are evaluated in each test. GAO also confirmed that alarm program coordinators are required to summarize the test results and report them monthly to PSEP management.

    Recommendation: IRS should enforce its policies and procedures to ensure that service center campus security guards respond to alarms.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  9. Status: Closed - Implemented

    Comments: IRS's Mission Assurance (MA) unit developed alarm testing procedures which are used to supplement the requirements in the agency's Internal Revenue Manual (IRM). The IRM and supplemental procedures require the notification of local management whenever there is a malfunction of alarms. The procedures also require that guards are deployed or doors are secured, as necessary, either during tests or when otherwise identified. The contract guard force project manager is required to sign off on all unannounced alarm test reports. Test results are maintained by the Physical Security and Emergency Preparedness office. GAO verified that IRS revised language in the IRM that addresses specific compensating actions to be taken in the event of sporadic malfunctioning alarms or an overall system failure.

    Recommendation: IRS should establish compensating controls in the event that automated security systems malfunction, such as notifying guards and managers of the malfunction and immediately deploying guards to better protect the processing center's perimeter.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  10. Status: Closed - Implemented

    Comments: IRS reported that it modified the Aged Unliquidated Obligations (AUO) report to capture the last activity date for each obligation line amount. During GAO's fiscal year 2004 audit it verified that the IRS modified the AUO report accordingly.

    Recommendation: IRS should modify outstanding unliquidated obligations reports to ensure that they report the last activity date for each outstanding obligation line amount.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  11. Status: Closed - Implemented

    Comments: During GAO's fiscal year 2004 audit, it verified that IRS implemented new guidelines for the quarterly review and certification of all outstanding obligations. As part of the review process, the procurement office staff reviews the AUO reports and determines whether obligations that they are responsible for reviewing are valid or need to be deobligated. The financial plan managers review procurement office staff responses prior to completing their quarterly certification. In addition, during the fiscal year 2004 testing, GAO found that obligations were being properly deobligated.

    Recommendation: IRS should require procurement office staff to review and sign off on whether obligations are valid or require deobligation before business units complete their quarterly certifications.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  12. Status: Closed - Implemented

    Comments: IRS implemented this recommendation in fiscal year 2004 when its operations division expanded its current random sample payroll review and validation process to include the recalculation of agency TSP contributions. GAO verified the effectiveness of IRS's actions during its fiscal year 2004 audit.

    Recommendation: IRS should enhance its compensating internal controls by including tests or recalculations of payroll computations performed by the National Finance Center for the IRS employees selected for review each pay period.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  13. Status: Closed - Implemented

    Comments: IRS agreed with this recommendation and established a standard process for conducting audits of salary and benefit computations prepared by the National Finance Center. IRS also established a standard process for timely investigating and resolving any errors that are identified. GAO verified that IRS satisfactorily implemented these procedures during its fiscal year 2004 financial statement audit.

    Recommendation: IRS should timely investigate and resolve any identified errors.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  14. Status: Closed - Implemented

    Comments: IRS agreed with this recommendation and added a second level of review to its financial statements in fiscal year 2004 to ensure changes are identified and reported before final printing. GAO found no issues during its fiscal year 2004 audit.

    Recommendation: IRS should establish review procedures for amounts being reported in Supplemental Information to the financial statements for Other Claims for Refund.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  15. Status: Closed - Implemented

    Comments: IRS agreed with this recommendation and stated that it has taken steps to ensure that interim performance measurement data are properly reviewed before being published and provided a summary of its specific steps. During GAO's audit of IRS's fiscal year 2007 financial statements, it did not find any exceptions in IRS's performance information or its related review.

    Recommendation: Until BPMS is fully operational, IRS should implement procedures to ensure that all performance data reported in MPS reports are subject to effective, documented reviews to provide reasonable assurance that the data are current at interim periods.

    Agency Affected: Department of the Treasury: Internal Revenue Service

 

Explore the full database of GAO's Open Recommendations »

Sep 22, 2014

Jul 9, 2014

Jun 19, 2014

May 30, 2014

May 15, 2014

May 13, 2014

May 12, 2014

May 2, 2014

Mar 27, 2014

Looking for more? Browse all our products here