Management Report:

Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls and Operating Effectiveness

GAO-12-683R, Jun 25, 2012

Summary

View Report (PDF, 61 pages)

Share This:

Additional Materials:

Accessible Text:
- (HTML text file)

Contact:

Cheryl E. Clark
(202) 512-3406
sebastians@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

During our audit of IRS’s fiscal year 2011 financial statements, we identified new internal control deficiencies in the following areas:

Monitoring Information Systems Material to Financial Reporting. IRS management had not performed sufficient monitoring of internal control over information systems material to financial reporting to determine whether such control was affected by any deficiencies in internal control that either individually or collectively constitute a material weakness that had not previously been reported, in accordance with Office of Management and Budget requirements. This was primarily because (1) IRS had not yet fully implemented key components of its information security program in fiscal year 2011; (2) IRS’s monitoring of its systems focused primarily on Federal Information Security Management Act and related National Institute of Standards and Technology requirements, which were not intended to provide assurance over the integrity of financial reporting; and (3) IRS has a previously identified material weakness in information security that still existed in fiscal year 2011 which rendered it unnecessary for IRS to support an assertion indicating that the related internal controls were effective.

Tax Revenue Comparison. IRS did not always evaluate or resolve unusual variances identified in its comparison of tax revenue recorded in its general ledger to detailed tax revenue transactions recorded in its master files. In addition, although there was managerial review of the comparison as required by IRS’s procedures, the reviewer did not question these variances. These conditions existed primarily because IRS’s procedures did not instruct the preparer or the reviewer to evaluate and resolve significant or unusual variances that could indicate processing or other errors that would render the revenue data unreliable.

Treasury Forfeiture Fund Reimbursable Revenue. IRS improperly recorded anticipated revenue from the Department of the Treasury Forfeiture Fund (TFF) rather than actual revenue earned, contrary to federal accounting standards. IRS is reimbursed from the TFF for its tax enforcement expenditures and consequently should record the reimbursements as reimbursable revenue. However, in fiscal year 2011, IRS improperly recorded reimbursable revenue and the related accounts receivable from the TFF for expenditures it had not yet incurred. According to IRS, this occurred because the unit responsible for tax enforcement erroneously included both actual and estimated future expenditures in the amount it reported to IRS accounting staff that record TFF revenue and the related accounts receivable, and the accounting staff were not aware that all of the expenditures had not been incurred at the time it recorded the revenue and receivable.

Physical Security Reviews. IRS’s service center campus (SCC) and field office physical security personnel did not always properly or timely (1) complete the audit management checklists used to assess the physical security controls in place at these sites and (2) document supervisory reviews of completed checklists. This occurred primarily because IRS lacked procedures requiring centralized monitoring to detect whether analysts were properly completing such checklists and whether managers were timely and properly documenting their reviews of the completed checklists.

Integrated Data Retrieval System Access. Two clerks in the campus support unit at one SCC improperly had the ability to make adjustments to a taxpayer’s account through the Integrated Data Retrieval System while also maintaining physical possession of hard-copy receipts in the course of their payment processing duties. Consequently, they had the potential to misappropriate a payment and alter the taxpayer’s account to conceal the theft. This occurred because IRS procedures did not specifically prohibit access to such system commands for certain campus support employees who were responsible for processing payments, and thus, IRS procedures did not require monitoring these particular employees’ system accesses.

Monthly Rent Bill Allocation. The rent processing administrator was responsible for performing all of the key steps involved in allocating costs from the rent bill without any supervisory review and could edit lease data entered by another staff member without any independent review. This occurred because IRS did not have policies or procedures that required a supervisory review or proper segregation of duties over the rent allocation process.

Graphic Database Interface System Quarterly Reviews. IRS field managers did not always sufficiently document or accurately summarize the results of their quarterly reviews of employee locations recorded in IRS’s Graphic Database Interface system (GDI). This occurred because IRS did not have sufficiently detailed written procedures for documenting the GDI quarterly reviews nor require supervisory review of the reported results.

Leasehold Improvement Disposal Estimate. IRS incorrectly calculated its leasehold improvement disposal estimate, which resulted in understatements to leasehold improvement expenses and accumulated depreciation. In addition, supervisors responsible for reviewing the disposal calculations did not identify these errors. These conditions existed because IRS did not have procedures to assess the completeness and accuracy of the data extracted from GDI used in the calculation and supervisors had competing work demands which hindered them from identifying these errors.

Verification of End-user Receipt of Goods and Services. IRS staff did not always confirm, or obtain documentation of confirmation, with the end user of the satisfactory receipt of a purchased product or service before entering receipt and acceptance of the good/service into the procurement system. This occurred because IRS staff were not always aware of the requirement to obtain and document end-user receipt confirmation and IRS did not perform any monitoring for compliance.

Patient Protection and Affordable Care Act Expenses. IRS did not always identify expenses related to the implementation of the Patient Protection and Affordable Care Act and the Health Care and Education Reconciliation Act (collectively referred to as PPACA) and timely determine whether to charge individual PPACA-identified expenses to the PPACA appropriation established within the Department of Health and Human Services or to one of IRS’s own appropriations. This occurred because employees did not always charge time spent on PPACA to the proper codes, supervisors did not ensure their employees’ time was appropriately coded, and IRS lacked an adequate process to timely review all PPACA-coded expenses to determine which appropriation to charge before fiscal year-end.

Time Card Approvals. Employee time cards were not always approved by a manager before being transmitted to the National Finance Center for processing and payment. This occurred because managers did not follow IRS’s procedures to electronically sign employees’ time cards, IRS did not have procedures requiring payroll staff to centrally review time cards to ensure all time cards were signed before submitting them for payment, and IRS’s payroll system did not have an edit check to prevent unsigned electronic time cards from being submitted for payment.

Employee Within-Grade Pay Increases. IRS did not always (1) make timely decisions on granting or denying within-grade increases (WGIs) in pay to employees with below fully successful ratings as required by IRS policies and procedures, and (2) timely grant WGIs to such employees if warranted. This occurred primarily because IRS did not have a central monitoring process in place to ensure that managers made and timely carried out all WGI-required actions for employees with below fully successful performance ratings and that such employees subsequently entitled to receive a WGI, were granted it.

Recycled Payroll Errors. IRS did not timely research and resolve recycled errors– payroll transactions with data errors that prevented them from automatically posting to IRS’s general ledger— resulting in recycled errors that had accumulated for over 7 years without being resolved. These errors accumulated because IRS did not have procedures requiring timely research and correction of such errors.

These deficiencies increase the risk that IRS may not prevent or promptly detect andcorrect (1) weaknesses in its internal control over its information systems material to financial reporting; (2) errors in dollar amounts recorded in the master files and general ledgers; (3) physical security deficiencies at its SCCs and field offices; (4) loss, theft, or misappropriation of hard-copy taxpayer receipts; (5) errors in the allocation of space-related expenses; (6) premature payments to vendors before goods or services were received and receipt confirmed; (7) misidentified PPACA expenses; (8) payroll errors; and (9) improper or delayed within-grade pay increases. In addition, the control deficiencies identified resulted in overstatements to Treasury Forfeiture Fund reimbursable revenue and accounts receivable, and understatements to leasehold improvement disposal expenses, accumulated depreciation, payroll expenses, and payroll liabilities.

Why GAO Did This Study

In November 2011, we issued our report on the results of our audit of the financial statements of the Internal Revenue Service (IRS) as of, and for the fiscal years ending, September 30, 2011, and 2010, and on the effectiveness of its internal control over financial reporting as of September 30, 2011. We also reported our conclusions on IRS’s compliance with selected provisions of laws and regulations and on whether IRS’s financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act of 1996. In March 2012, we issued a report on information security issues identified during our fiscal year 2011 audit, along with associated recommendations for corrective actions.

The purpose of this report is to present internal control deficiencies identified during our audit of IRS’s fiscal year 2011 financial statements for which we do not already have any recommendations outstanding. Although most of these deficiencies were not discussed in our report on the results of our fiscal year 2011 financial statement audit because they were not considered material weaknesses or significant deficiencies, they nonetheless warrant IRS management’s attention.

What GAO Recommends

This report provides 30 recommendations to address the internal control deficiencies we identified. We will issue a separate report on the status of IRS’s implementation of the recommendations from our prior IRS financial audits and related financial management reports, as well as this one.

Status Legend:

Review Pending
Open
Closed - implemented
Closed - not implemented

Recommendations for Executive Action

Recommendation: The Commissioner of the Internal Revenue Service should direct the appropriate IRS officials to establish mechanisms to monitor the implementation of and compliance with the revised policy established in October 2011 that requires field CAFM program managers to maintain GDI Quarterly Review documentation, including GDI validation walkthrough sheets and GDI Quarterly Review certifications.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Review Pending