Management Report: Improvements Needed in IRS's Internal Controls

Highlights

In November 2005, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2005 and 2004, and on the effectiveness of its internal controls as of September 30, 2005. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996. A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one, will be issued shortly. The purpose of this report is to discuss issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending September 30, 2005, regarding internal controls that could be improved for which we do not currently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2005 audit report, they all warrant management's consideration.

During our fiscal year 2005 audit, we identified a number of internal control issues that adversely affected safeguarding of tax receipts and information, and the reliability of expense, and property & equipment (P&E) records. These issues concern (1) taxpayer receipts and data transmittal documents, (2) physical security controls at taxpayer assistance centers, (3) the roles and responsibilities of security guards, (4) candling procedures, (5) timely processing of large remittances at lockbox banks, (6) access to tax return processing facilities, (7) juvenile hiring policy, (8) classification of procurement transactions as P&E or expense, and (9) recording P&E disposals.

Recommendations

Recommendations for Executive Action

Agency Affected	Recommendation	Status
Internal Revenue Service	IRS should require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing.	Closed – Implemented We verified that IRS included requirements that Refund Inquiry Unit managers document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing.
Internal Revenue Service	IRS should enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including service center campuses (SCCs), Taxpayer Assistance Centers (TACs), and units within Large and Mid-Size Business and Tax-Exempt and Government Entities, establish a system to track acknowledged copies of document transmittals.	Closed – Implemented IRS has taken several corrective actions across its business operating units to address this recommendation. Specifically, IRS updated (1) guidance on the use of the TAC follow-up review logs for tracking unacknowledged document transmittal forms and (2) its agency-wide requirements for shipping taxpayer information and receipts, including requirements for senders to track document transmittals and perform follow-up actions when needed. During our fiscal year 2013 audit, we visited two service center campuses, eight TACs, three LB&I offices, and two TEGE offices, all of which had systems for tracking acknowledged copies of document transmittals.
Internal Revenue Service	IRS should provide instructions to document the follow-up procedures performed in those cases where transmittals have not been timely acknowledged.	Closed – Implemented IRS issued procedures and reminder memos to the field on the responsibilities for using receipt transmittals including the establishment of a follow-up system for unacknowledged 3210s, and annually reminding LMSB employees through executive memorandum of Form 3210 procedures and responsibilities. IRS also created a closing checklist to assist employees when transmitting cases. Further, IRS reports Form 3210 procedures and responsibilities are included in revenue agent training materials. Also, as of December 2006, the LMSB Human Capital Office requires that Industry Territory Managers review Form 3210 utilization and follow-up procedures during operational reviews. Furthermore, IRS revised its Internal Revenue Manual to provide procedures for requiring Taxpayer Assistance Centers (TAC) to follow-up with Submission Processing Centers when acknowledgments are not received within 10 days.
Internal Revenue Service	IRS should require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines.	Closed – Implemented IRS revised its IRM policy IRM 1.4.11 to require that TAC managers use a Follow-up Review Log to document their review of document transmittals.
Internal Revenue Service	IRS should quip all TACs with adequate physical security controls to deter and prevent unauthorized access to controlled areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from controlled areas by physical barriers such as locked doors marked with signs barring entrance by unescorted customers.	Closed – Implemented As of September 30, 2016, IRS had 375 TACs in operation and stated that 65 have not been built to the "new TAC" model. However, IRS has mitigating controls at these 65 TAC locations to deter and prevent unauthorized access to restricted areas. IRS's actions sufficiently address our recommendation.
Internal Revenue Service	IRS should connect duress alarms to a central monitoring station or local police department or institute appropriate compensating controls when these alarm systems are not operable or in place.	Closed – Implemented In response to our recommendation, IRS revised its policy to include guidelines for employees at TACS to follow when working with duress alarms, particularly at those TACs with non-operable duress alarms, such as to contact 911 when alarms are not operable or in place. By instituting these compensating controls, IRS has reduced the risk of theft and/or misuse of taxpayer receipts and information.
Internal Revenue Service	IRS should document supervisory visits by offsite managers to TACS not having a manager permanently onsite. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned.	Closed – Implemented In response to our recommendation, IRS implemented the TAC Security and Remittance Review Database (TSRRD) in fiscal year 2008 to document supervisory reviews of all TACs, including those performed by offsite managers. The TSRRD documents (1) the time and date of the review; (2) the name of the manager performing the review; (3) the task performed during the review; (4) any problems or questions identified; and (5) planned corrective actions. However, during our fiscal years 2009 and 2010 audits, we found that TAC managers were not properly completing the TSRRD. We communicated these issues to IRS management. As a result, during fiscal year 2011, IRS revised its training curriculum for TAC managers to include greater emphasis on the proper completion of the TSRRD. By establishing the TSRRD for the documentation of supervisory reviews and providing training to all TAC managers on the proper completion of the TSRRD, IRS improved its ability to provide unauthorized access to taxpayer receipts and other sensitive data at TACs without a permanent onsite manager.
Internal Revenue Service	IRS should enforce the requirement that all security or other responsible personnel at SCCs and lockbox banks record all instances involving the activation of intrusion alarms regardless of the circumstances that may have caused the activation.	Closed – Implemented In September 2009, IRS revised the Internal Revenue Manual (IRM) to require campuses to record all instances involving the activation of any alarm, regardless of what may have caused the activation, and to require that all instances be recorded in a Daily Activity Report/Event Log or other log book and maintained for a period of two years. In January 2008, IRS revised its Lockbox Security Guidelines (LSG) to require that all instances involving the activation of intrusion alarms, regardless of the circumstances that may have caused the activation, be recorded and maintained in the Daily Activity Report (DAR) or other incident logbook. On April 27, 2009, representatives from IRS's Business Support Management met with lockbox bank guard staff to address these requirements and emphasized the requirement for the full completion of the Daily Activity Report as detailed in the LSG, Standard Operating Procedures (SOP), and Post Orders. In addition, the Business Support Management team will monitor the full completion of the DAR, on a daily basis, and provide feedback to the guards, as necessary. During GAO's audit of IRS's fiscal year 2009 financial statements, it verified that IRS revised the IRM and LSG to require all instances involving the activation of intrusion alarms be recorded at SCCs and lockbox banks and that Business Support Management staff met with guards to address requirements and instituted controls to monitor full completion of the Daily Activity Reports at lockbox banks. GAO did not identify any instances where the activation of intrusion alarms were not recorded during its audit of IRS's fiscal year 2009 financial statements.
Internal Revenue Service	IRS should reemphasize the need for the security guards at all TACs to ensure that key posts of duty, such as entrances to facilities, are not left unattended.	Closed – Implemented IRS issued reminders in fiscal year 2007 to key security personnel to reemphasize this need. During our fiscal year 2007 audit, we did not identify any instances where key posts of duty were left unattended by security guards. By taking these actions, IRS reduced the risk that unauthorized individuals may access IRS offices and compromise taxpayer records and data or disrupt operations.
Internal Revenue Service	IRS shouldrevise its lockbox bank's security review checklist to ensure that it encompasses reviewing security incident reports to validate whether security personnel are providing corrective actions related to the incidents cited.	Closed – Implemented IRS reported a Security Review Checklist was updated June 5, 2006 and all follow-up actions have been completed by the Lockbox Security Team. Submission Processing worked with IRS Mission Assurance and Financial Management Service to ensure the physical security review checklist was updated to include reviews of the security incident reports and to validate that the security personnel are providing corrective actions related to the incidents that were cited. GAO verified that the lockbox bank physical security Data Collection Instrument had been updated to include a review to ensure that security incidents are documented.
Internal Revenue Service	IRS should refine the scope and nature of its periodic reviews of candling processes at SCCs to ensure they (1) encompass tests of whether envelopes are properly candled through observation of candling in process and inquiry of employees who perform initial and final candling, and (2) document the nature and scope of the test and observation results.	Closed – Implemented IRS reports using the Security Review Check List to document the effectiveness of the initial and final candling process, and to talk to employees who perform initial and final candling as part of the Monthly Campus and National Office Security Reviews. GAO verified that IRS revised its Security Review Checklist to document, through observation, the effectiveness of the initial and final candling process. During GAO's audit of IRS's fiscal year 2007 financial statements, we found no instances where IRS's reports did not document the number of employees who were questioned about their knowledge of candling procedures and the responses received from the employees.
Internal Revenue Service	IRS should enforce its existing policies and procedures at lockbox banks to ensure that all remittances of $50,000 or more are processed immediately and deposited at the first available opportunity.	Closed – Implemented On April 13, 2006, IRS reported distributing the Lockbox Electronic Bulletin (LEB) 200613 (Remittances of $50,000 or more) throughout the Lockbox Network. The LEB updated Lockbox Processing Guidelines (LPG) to state the following: "If 50,000 or more is discovered in any type of work, it should be expedited and deposited on the first available deposit." In addition, the bulletin noted that lockbox management must ensure remittances of $50,000 or more are not left unattended, including disruptive times such as shift changes, breaks, and meetings. These remittances must be collected and then batched for expedited processing. Additionally, IRS noted that management will continue to provide training reminders and actively monitor the work in process for compliance with high-dollar procedures. GAO verified that the LPG requires remittances $50,000 or greater are not to be left unattended, including disruptive times such as shift changes, breaks, meetings, and are to be expedited and deposited on the first available deposit. Also, GAO verified that a review checkpoint was added to the Processing Internal Controls DCI for lockbox banks to ensure that remittances of $50,000 or greater are processed expeditiously and not left unattended, including disruptive times such as shift changes, breaks, and meetings. During GAO's audit of IRS's fiscal year 2006 financial statements, we found no instances of remittances of $50,000 or more that were not processed immediately or deposited at the first available opportunity.
Internal Revenue Service	IRS shouldrefine the scope and nature of its periodic reviews of lockbox banks to include high dollar remittances to better monitor adherence to the requirement that they are processed immediately and deposited at the first available opportunity.	Closed – Implemented IRS added a review checkpoint to the Processing Internal Controls Data Collection Instrument (DCI) which was implemented during the April 2006 on-site review performed by the Lockbox Field Coordinators (LFC). The review requires the LFC to ensure that there is an internal control in place to expedite remittances of $50,000 and over; and that lockbox management is ensuring these remittances are collected from all areas at the end of each shift and prior to breaks, then batched and sent for processing. GAO verified that a review checkpoint was added to the Processing Internal Controls DCI for lockbox banks to ensure that remittances of $50,000 or greater are processed expeditiously and not to be left unattended, including disruptive times such as shift changes, breaks, and meetings. During GAO's audit of IRS's fiscal year 2006 financial statements, we found no instances of remittances of $50,000 or more that were not processed immediately or deposited at the first available opportunity.
Internal Revenue Service	IRS should refine the scope and nature of its periodic security reviews to encompass (1) testing the effectiveness of controls intended to ensure that only individuals with proper credentials are permitted access to SCCs and lockbox banks, and (2) reviewing the integrity of perimeter security at SCCs.	Closed – Implemented As of January 1, 2007, IRS revised Lockbox Security Guidelines (LSG) section 2.2.3.1(6) k to restrict access of all delivery personnel. The IRS Lockbox Security Review Team observed the Lockbox Site's process of delivery personnel while on site to ensure compliance with the LSG requirement. In addition, section 2.2.2.13.1 (closed-circuit television (CCTV) Cameras) (2)g of the LSG was revised to add that cameras must capture images of all persons entering and exiting perimeter doors and other critical ingress/egress points to include but not be limited to the computer room and closets containing main utility feeds. Agency Wide Shared Services (AWSS) continues to complete compliance reviews, risk assessments, and quarterly Audit Management checklist reviews. Since April 2006, the service center campuses have been providing quarterly verification that all guards have been reminded to inspect and scrutinize all badges of personnel accessing IRS facilities. During the past year, IRS has accessed CCTV capabilities and is currently taking corrective actions to allow the unobstructed surveillance of campus fence lines and the facility perimeters. GAO verified that IRS refined the scope and nature of its periodic security reviews by (1) performing periodic tests of whether lockbox personnel are only allowing authorized individuals to access the facility and verifying that CCTVs are capturing key areas and (2) conducting quarterly assessments of the integrity of perimeter access controls.
Internal Revenue Service	IRS shouldrevise the physical security procedures contained in the IRM to require that all SCCs and any respective annex facilities processing taxpayer receipts and/or information perform and document monthly tests of the facility's intrusion detection alarms. At a minimum, these procedures should (1) outline the type of test to be conducted, (2) include criteria for assessing whether the controls used to respond to the alarm were effective, and (3) require that a logbook be maintained to document the test dates, results, and response information.	Closed – Implemented GAO verified that IRS revised its Internal Revenue Manual to include requirements to perform and document monthly tests of intrusion detection alarms, including guard responses to alarms. Also, IRS's Audit Management Checklist contains review steps for physical security analysts to determine whether SCCs and respective annex facilities that process taxpayer receipts and/or information perform and document monthly tests of intrusion alarms.
Internal Revenue Service	IRS should amend its policy to require that a completed form 13094 with a positive recommendation be provided for every juvenile hired to any position that will allow access to taxpayer receipts and/or taxpayer information.	Closed – Implemented IRS amended its policy to require that all juveniles being considered for employment with the IRS complete Form 13094 (Recommendation for Juvenile Employment with the IRS) with a positive recommendation. This requirement is mandatory for employment with the IRS. During GAO's audit of IRS's fiscal year 2006 financial statements, we verified that IRS amended its juvenile hiring policy to ensure that only those juveniles receiving positive recommendations will be permitted access to taxpayer receipt and information.
Internal Revenue Service	IRS shouldrequire IRS personnel to verify the information on the form 13094 by contacting the reference directly.	Closed – Implemented IRS amended its policy to establish procedures that require IRS personnel to verify all completed forms with a positive recommendation by contacting the reference directly. During GAO's audit of IRS's fiscal year 2006 financial statements, we verified that IRS amended its juvenile hiring policy to ensure that IRS personnel verify the information provided on Form 13094 via direct contact with the reference.
Internal Revenue Service	IRS shouldrevise the form 13094 to require the reference to describe his/her relationship with the juvenile, including extent of first-hand contact, to allow IRS to review the forms and assess whether the referencer has sufficient basis to recommend that juvenile to a position of trust.	Closed – Implemented IRS modified Form 13094 to include two additional boxes for the reference to include their relationship to the juvenile and the number of years they have known the juvenile. The revised Form 13094 is available on the IRS' publication website. During GAO's audit of IRS's fiscal year 2006 financial statements, we verified that IRS amended its juvenile hiring policy to require that the references indicate how well they know the potential juvenile hire.
Internal Revenue Service	IRS shouldestablish procedures for hiring juveniles who do not have a current teacher, principal, counselor, employer or former employer, and clarify that IRS's current policies and procedures should not be interpreted to mean that such juveniles should be allowed access to taxpayer receipts and information without a form 13094 or its equivalent. These procedures could include a list of acceptable alternatives that may serve as references for juveniles who do not have a current teacher, principal, or guidance counselor.	Closed – Implemented IRS modified Form 13094 with the following sentence added, "Form should be completed by a person who has personal knowledge of the applicant's character and trustworthiness. If the applicant is attending school or has graduated, this form must be completed and signed by the current or former school official (i.e., principal, guidance counselor, or teacher). If the applicant is not in school and is currently employed or unemployed, the form must be completed and signed by either a current or former employer." The revised Form 13094 is available on the IRS' publication website. During GAO's audit of IRS's fiscal year 2006 financial statements, we verified that IRS amended its juvenile hiring policy to provide accepted alternative references if the juvenile does not have a current teacher, principal, or guidance counselor.
Internal Revenue Service	To assure proper accounting treatment of expense and P&E transactions and reliable financial reporting, IRS should enforce its property and equipment capitalization policy to ensure that it is properly implemented to fully achieve management's objectives, including recognizing assets when its capitalization criteria is met and recognizing expenses when it is not.	Closed – Implemented According to IRS, IRS implemented a dollar threshold for the ongoing monthly review of P&E transactions beginning in March 2006. In addition, the CFO and Chief, Agency-Wide Shared Services, jointly issued a memorandum to all executives entitled, "Internal Transaction Control and Accuracy Improvement," emphasizing responsibility for accurate transaction coding, in April 2006. Also, the CFO and procurement offices jointly completed a review of material code descriptions and implemented appropriate changes in the requisition tracking system and IFS; implemented a process to review the material group assigned to transactions at the point of requisition to drive the transaction coding as either P&E or expense; and initiated a feedback process regarding material group coding errors found after receipt and acceptance. On the basis of our fiscal year 2006 testing of P&E and nonpayroll expenses, we confirm that IRS has improved the accuracy and reliability of its P&E records by enhancing accounting code definitions in its new financial management system to make it easier for users to select the proper accounting codes for recording transactions, improving coordination among units involved in processing P&E activity, and streamlining its analysis of P&E transactions most susceptible to misclassification.
Internal Revenue Service	IRS should generate aging reports when an asset remains in pending disposal status for longer than a specified period of time.	Closed – Implemented During fiscal year 2006, IRS re-engineered the P&E disposal process. The new process, which includes performing the necessary research to resolve aging transactions during the disposal process, generates exception reports that enable management to monitor the aging of transactions during the disposal process. GAO's fiscal year 2007 review of P&E internal controls showed that anomaly (exception) reports were being generated when an asset remains in a disposal code for an extended period of time. IRS's actions have helped to reduce the risk of loss, or theft of its property and equipment.
Internal Revenue Service	IRS should direct Facilities Management Branch managers to research and resolve the aging reports.	Closed – Implemented IRS reported implementing procedures requiring Facilities Branch Managers to regularly research and follow-up on disposal actions by routinely reviewing system generated aging reports. These procedures help ensure that property and equipment disposals are recorded timely in its inventory records. In fiscal year 2008, IRS implemented a new wizard tool that caused a system glitch which prevented IRS from updating all disposals within 10 work days as required. During fiscal year 2009, IRS corrected the system glitch. GAO verified during the fiscal year 2009 audit that IRS staff routinely researched and resolved the aging reports, thereby promptly recording disposals of property and equipment in its inventory records. In addition, GAO's testing of property disposals as part of its audit of IRS's fiscal year 2009 financial statements did not identify any situations where IRS did not timely update disposal transactions.

See All 22 Recommendations

Full Report

Full Report (35 pages)

Accessible Text

GAO Contacts

Cheryl E. Clark

Director

clarkce@gao.gov

(202) 512-9377

Office of Public Affairs

Chuck Young

Managing Director

youngc1@gao.gov

(202) 512-4800

Topics

Tax Policy and Administration

Data destructionData transmissionFacility securityFinancial managementFinancial statement auditsFinancial statementsHiring policiesInternal controlsPhysical securityPolicy evaluationProperty disposalReporting requirementsTax administrationRemittances