Skip to main content

Management Report: Improvements Needed in IRS's Internal Controls

GAO-07-689R Published: May 11, 2007. Publicly Released: May 11, 2007.
Jump To:
Skip to Highlights

Highlights

In November 2006, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2006, and 2005, and on the effectiveness of its internal controls as of September 30, 2006. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996. A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one, will be issued shortly. The purpose of this report is to discuss issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending September 30, 2006, regarding internal controls that could be improved for which we do not currently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2006 audit report, they all warrant management's consideration. This report contains 21 recommendations that we are proposing IRS implement to improve its internal controls. We conducted our audit in accordance with U.S. generally accepted government auditing standards.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Internal Revenue Service IRS should enforce the existing policy requiring that all lockbox banks encrypt backup media containing federal taxpayer information.
Closed – Implemented
IRS revised its Lockbox Processing Guidelines to require lockbox banks to encrypt backup media containing taxpayer information. IRS included this issue as one of the areas tested during its annual reviews of information technology security at its lockbox banks. During GAO's audit of IRS's fiscal year 2008 financial statements, it did not identify any instances where lockbox banks were not encrypting backup media containing federal taxpayer information.
Internal Revenue Service IRS should ensure that lockbox banks store backup media containing federal taxpayer information at an off-site location as required by the 2006 Lockbox Security Guidelines.
Closed – Implemented
IRS revised its Lockbox Processing Guidelines to require lockbox banks to store backup media containing taxpayer information at an off-site location. IRS has included this issue as one of the areas tested during its annual information technology security reviews at lockbox banks.
Internal Revenue Service IRS should revise instructions for its annual reviews of lockbox banks to encompass routine monitoring of backup media containing personally identifiable information to ensure that this information is (1) encrypted prior to transmission and (2) stored in an appropriate off-site location.
Closed – Implemented
IRS revised its Information Technology Data Collection Instrument to test whether lockbox banks are (1) encrypting personally identifiable information prior to transmission and (2) storing backup media containing personally identifiable information at an appropriate off-site location.
Internal Revenue Service IRS should develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the SCC's perimeter, such as adding or repositioning existing CCTV cameras or removing obstruction.
Closed – Implemented
IRS required that each service center campus perform and validate completion of an assessment of its CCTV system to ascertain if it provided an unobstructed view of the exterior of the campus perimeter. IRS also instituted periodic monitoring controls to assess related CCTV camera coverage weaknesses.
Internal Revenue Service IRS should revise instructions for quarterly physical security reviews to require analysts to (1) document any issues identified as well as planned implementation dates of corrective actions to be taken and (2) track the status of corrective actions identified during the quarterly assessments to ensure they are promptly implemented.
Closed – Implemented
IRS reported implementing procedures requiring Physical Security analysts to document issues/problems during quarterly reviews, establish corrective action due dates, and track progress to ensure implementation of all corrective actions. The new procedures and reporting formats were implemented in June 2007. Compliance with the procedures is monitored during Physical Security Area Director operational reviews and random sampling by the Program, Planning, and Policy Office. GAO verified that IRS revised its procedures and reporting formats to require its Physical Security Analysts to (1) document concerns identified during quarterly physical security reviews, (2) establish corrective action implementation dates, and (3) track those actions to ensure and monitor implementation.
Internal Revenue Service IRS should revise procedures contained in the Manual Refund Desk Reference to reflect the Internal Revenue Manual (IRM) requirements for manual refund initiators to (1) monitor the manual refund accounts in order to prevent duplicate refunds, and (2) document their monitoring actions.
Closed – Implemented
IRS satisfied the intent of this recommendation by issuing instructions for its employees to follow the official authoritative guidelines when processing manual refunds.
Internal Revenue Service IRS should provide to all the IRS units responsible for processing manual refunds the same and most current version of the Manual Refund Desk Reference.
Closed – Implemented
GAO verified that IRS satisfied the intent of this recommendation by instructing its employees to follow the official authoritative guidelines when processing manual refunds.
Internal Revenue Service IRS should require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds.
Closed – Implemented
In March 2013, IRS developed a training analysis process to identify employees who have not completed the required training and to perform follow-up on delinquent employees to ensure that all employees who initiate, approve, or monitor manual refunds complete appropriate annual training. Based on our review of a selection of IRS's training analysis performed in fiscal year 2014, we concluded that IRS's training analysis process properly ensures that employees responsible for monitoring manual refunds and documenting their monitoring actions are provided and have taken the required training. IRS's actions sufficiently address our recommendation.
Internal Revenue Service IRS should enhance its computer program to check for outstanding tax liabilities associated with both the primary and secondary social security numbers shown on a joint tax return and apply credits to those balances before issuing any refund.
Closed – Implemented
GAO verified that IRS implemented the programming change to check for outstanding liabilities associated with both the primary and secondary Social Security numbers on a joint tax return for offsetting to any outstanding Trust Fund Recovery Penalty (TFRP) liability before issuance of a refund. GAO reviewed the accounts of a number of taxpayers who (1) were assessed a TFRP, (2) filed a joint personal income tax return with a spouse, (3) listed her or his Social Security number as the second one on the tax return, and (4) had credits on the personal income tax account. In each of these cases, GAO verified that IRS's computer program identified the outstanding TFRP and applied the credits to the TFRP balance before sending any refund to the taxpayer.
Internal Revenue Service IRS should instruct revenue officers making the Trust Fund Recovery Program assessments to research whether the responsible officers are filing jointly with their spouses and to place a refund freeze on the joint account until the computer programming change can be completed.
Closed – Implemented
Based on its review of the IRS interim guidance issued on July 23, 2007, GAO verified that IRS instructed Revenue Officers making TFRP assessments to research whether responsible officers are filing jointly with their spouses and to place a refund freeze on the joint account.
Internal Revenue Service IRS should correct the penalty calculation programs in its master file so that penalties are calculated in accordance with the applicable Internal Revenue Code and implementing IRM guidance.
Closed – Implemented
GAO verified that IRS corrected the Failure to Pay (FTP) penalty calculation performed within its computer systems. GAO reviewed the accounts of a number of taxpayers for whom: (1) IRS increased the FTP penalty rate assessed against the taxpayer for failing to pay taxes owed from 0.5 percent to 1 percent when the taxpayer failed to pay following repeated notification of the taxes due, (2) the taxpayer subsequently paid off the balance for the specific tax period, and (3) following its system change, IRS assessed the taxpayer additional taxes owed for the same tax period and a related FTP penalty. In each of these cases, GAO verified that the FTP penalties were calculated in accordance with the applicable guidance contained in IRS's Internal Revenue Manual.
Internal Revenue Service IRS should research each of the taxpayer accounts that may have been affected by the programming errors to determine whether they contain overassessed penalties and correct the accounts as needed.
Closed – Implemented
GAO verified that a change IRS made to its computer system resulted in Failure to Pay (FTP) penalties being calculated in accordance with the applicable Internal Revenue Manual (IRM) guidance on open taxpayer accounts. GAO reviewed the accounts of a number of taxpayers from IRS's unpaid assessment inventory for whom: (1) IRS had increased the FTP penalty rate assessed against the taxpayer for failing to pay taxes owed from 0.5 percent to 1 percent when the taxpayer failed to pay following repeated notification of the taxes due, (2) the taxpayer subsequently paid off the balance for the specific tax period, and (3) IRS assessed the taxpayer additional taxes owed for the same tax period, with related FTP penalties. In each of these cases, GAO verified that the total recorded FTP penalty assessments on the account were in accordance with the applicable IRM guidance.
Internal Revenue Service IRS should establish procedures and specify in the IRM that at the time of receipt, employees recording taxpayer payments should (1) determine if the payment is more than sufficient to cover the tax liability of the tax period specified on the payment or earliest outstanding tax period, (2) perform additional research to resolve any outstanding issues on the account, (3) determine whether the taxpayer has outstanding balances in other tax periods, and (4) apply available credits to satisfy the outstanding balances in other tax periods.
Closed – Implemented
IRS revised its Internal Revenue Manual (IRM) in September 2008 to include instructions specifically addressing this recommendation. The IRM now instructs IRS employees to (1) determine if the payment is sufficient to cover the tax liability of the tax period specified by the payment, (2) perform additional research and resolve any outstanding issues on the account, including determining if there are any freeze codes that will delay credit posting, (3) determine whether the other taxpayer has outstanding balances in other tax periods, and (4) apply available credits to satisfy the outstanding balances in other tax periods.
Internal Revenue Service IRS should establish procedures and specify in the IRM that employees review taxpayer accounts with freeze codes that contain credits weekly to (1) research and resolve any outstanding issues on the account, (2) determine whether the taxpayer has outstanding balances in other tax periods, and (3) apply available credits to satisfy the outstanding balances in other tax periods.
Closed – Implemented
IRS revised its Internal Revenue Manual (IRM) in September 2008 to include instructions specifically addressing this recommendation. The IRM now instructs IRS employees to (1) determine if the payment is sufficient to cover the tax liability of the tax period specified on the payment, (2) perform additional research and resolve any outstanding issues on the account, including determining if there are any freeze codes that will delay credit posting, (3) determine whether the taxpayer has outstanding balances in other tax periods, and (4) apply available credits to satisfy the outstanding balances in other tax periods.
Internal Revenue Service IRS should issue a memorandum to employees in the Centralized Insolvency Office reiterating the IRM requirement to timely record bankruptcy discharge information onto taxpayer accounts in the master file or to manually release the liens in the Automated Lien System.
Closed – Implemented
IRS issued a memorandum providing additional guidance for monitoring cases involving bankruptcy discharge to help ensure the timely release of federal tax liens. IRS's actions will help it to more promptly reflect in its systems when a taxpayer has been discharged of his/her tax liabilities by the bankruptcy court which will, in turn, improve the timeliness of IRS's lien release. However, in its own fiscal year 2009 lien release testing, IRS identified one case involving bankruptcy, where it did not release the lien within 30 days. GAO will continue to monitor IRS's implementation of policies and procedures in this area during its audit of IRS's fiscal year 2010 financial statements.
Internal Revenue Service IRS should issue a memorandum to employees in the Centralized Lien Processing Unit reiterating the IRM requirement to date stamp and maintain the billing support voucher as evidence of timely processing by IRS.
Closed – Implemented
Based on GAO's review of IRS's fiscal year 2007 OMB circular A-123 lien testing results, it verified that IRS obtained date stamped billing vouchers.
Internal Revenue Service IRS should monitor installment agreement (IA) user fee activity on a regular basis.
Closed – Implemented
IRS runs edit checks to test the validity of recorded installment agreements, including the user fees, which results in the identification of potential errors that are then listed on the IAAL. GAO verified that IRS improved its IAAL report process by grouping items that appear on the IAAL into tiers based on priority and establishing time frames by tier for investigating and resolving these potential errors. In addition, GAO confirmed that IRS now performs managerial reviews on IAAL cases processed by its collection operations. IRS also increased the frequency of its computer sweep recovery process, which is intended to identify unrecorded user fees, from a few times a year to once a week, thus increasing the timeliness and accuracy of recorded individual taxpayer user fees.
Internal Revenue Service IRS should adjust errors in recorded IA user fees as necessary to correctly reflect the user fees IRS earned and collected from taxpayers.
Closed – Implemented
IRS's Wage and Investment Division's Compliance Unit weekly sweep process is designed to identify and correct for unrecorded user fees collected with the initial installment agreement payment. GAO verified that IRS's improvements to its installment agreement user fees monitoring process will help ensure that errors in recorded installment agreement user fees are identified and corrected in a more timely manner. Additionally, GAO did not identify any instances of errors in recorded installment agreement user fees during its audit of IRS's fiscal year 2008 financial statements.
Internal Revenue Service IRS should establish sufficient review procedures to help ensure that adjustments to IA user fees collected from taxpayers are accurately and timely recorded.
Closed – Implemented
GAO verified that IRS conducts managerial and operational reviews on its Wage and Investment Division's Compliance Service Collection Operations, the organizational unit responsible for making the appropriate adjustments for errors in recorded installment agreement user fees. Additionally, GAO did not identify any errors in recorded installment agreement user fees tested during its audit of IRS's fiscal year 2008 financial statements.
Internal Revenue Service IRS should establish and maintain sufficient secured storage space to properly secure and safeguard its property and equipment inventory, including in-stock inventories, assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out.
Closed – Implemented
IRS established procedures to ensure that sufficient secured space was available for all property and equipment not currently in use. During our fiscal year 2011 audit, we observed that IRS implemented these procedures. Specifically, we observed that there was adequate storage space and the storage areas were restricted. In addition, we observed the use of control logs to track incoming and outgoing assets.
Internal Revenue Service IRS should develop and implement procedures to require that separate individuals place orders with vendors and perform receipt and acceptance functions when the orders are delivered.
Closed – Implemented
IRS issued an annual policy update, which contains revisions to Policy and Procedure Memorandum 46.5, "Receipt, Quality Assurance and Acceptance." A previous revision limits situations in which contracting officers may perform receipt and acceptance. In addition to the Policy and Procedure Memorandum 46.5, the IRS Acquisition Procedure Subpart 1003.90, "Separation of Duties and Management Controls", specifically requires separation of duties for requisition approval, certification of funds, contract award, and receipt and acceptance. IRS's Procurement function also runs Web Request Tracking System reports to review the instances where contracting officers performed receipt and acceptance to ensure that the receipt and acceptance falls within exceptions/procedures outlined in the Policy and Procedures Memorandum 46.5. GAO's audit of IRS's fiscal year 2009 financial statements, found that IRS personnel were complying with IRS's policy and procedures memorandum and its recent guidance on separation of duties, and did not identify any issues regarding separation of duties.

Full Report

Office of Public Affairs

Topics

Accounting errorsAccounting proceduresFacility securityFinancial statement auditsFinancial statementsInformation managementInternal controlsPersonal income taxesTax administration systemsTax creditTax refundsTax return auditsUser fees