Management Report:

Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting

GAO-15-480R: Published: May 29, 2015. Publicly Released: May 29, 2015.

Contact:

Cheryl E. Clark
(202) 512-9377
clarkce@gao.gov

What GAO Found

During its audit of the Internal Revenue Service's (IRS) fiscal years 2014 and 2013 financial statements, GAO identified new internal control deficiencies in the following areas that contributed to IRS's continuing material weakness in internal control over unpaid tax assessments as of September 30, 2014:

  • Corrective action plan for addressing system deficiencies involving unpaid tax assessments: IRS's corrective action plan was not adequate to reasonably assure that system control deficiencies contributing to a material weakness in unpaid tax assessments would be effectively addressed. This increases the risk that IRS's efforts to address numerous control issues affecting the reporting of unpaid assessment amounts and the resultant material weakness will be hampered.
  • Accuracy of penalty assessments: IRS's controls over penalty assessments were not operating effectively to reasonably assure the accuracy of penalties recorded in taxpayers' accounts. This increases the risk of errors in IRS's financial statements, and may burden taxpayers who are assessed higher amounts in penalties than they actually owe or result in lost revenue to the federal government when taxpayers are assessed lower penalty amounts than they actually owe.

In addition, GAO identified other new deficiencies in the following areas as of September 30, 2014:

  • Transmission of taxpayer receipts and information: IRS's managerial review controls were not effectively designed or implemented to provide reasonable assurance that taxpayer receipts and information sent from taxpayer assistance centers were received by the intended submission processing centers. These deficiencies increase the risk that IRS will not promptly prevent or detect loss of, theft of, or unauthorized access to taxpayer receipts and related sensitive information.
  • Unauthorized access awareness training for contractors: IRS did not consistently enforce its policies and procedures requiring that contractors receive unauthorized access awareness training prior to gaining unescorted access to IRS facilities. This deficiency increases the risk of unauthorized disclosure, loss, or theft of taxpayer receipts and related sensitive information.
  • Candling procedures at receipt processing facilities: IRS did not adequately enforce its candling policies and procedures at certain receipt processing facilities. This increases the risk of inadvertent loss or destruction of taxpayer receipts and information.
  • Capitalization of internal use software costs: IRS did not have sufficient controls in place to reasonably assure that it properly and consistently capitalized certain internal use software costs in accordance with federal accounting standards. This increases the risk of IRS misstating assets and expenses in its financial statements.
  • Recording property and equipment acquisitions: IRS's controls were not effectively designed to reasonably assure that asset purchases were properly recorded in its asset management systems. These deficiencies increase the risk of misstatements to its financial statements and the risk of undetected loss or theft of assets, and jeopardize the integrity of the information IRS management uses for decision making.

GAO found that IRS had completed corrective action on 20 of the 51 recommendations from GAO's prior financial audits and other financial management-related work that remained open at the beginning of the fiscal year 2014 audit. As a result, IRS currently has 42 GAO recommendations to address: the previous 31 open recommendations and the 11 new recommendations GAO is making in this report.

Why GAO Did This Study

The purpose of this report is to present those internal control deficiencies identified during GAO's audit of IRS's fiscal years 2014 and 2013 financial statements for which there are no GAO recommendations outstanding. Although some of these deficiencies were not discussed in GAO's report on the results of its financial statement audit because they were not considered, either individually or collectively, to be material weaknesses or significant deficiencies, they nonetheless warrant IRS management's attention. This report provides new recommendations to address the internal control issues GAO identified during its fiscal year 2014 audit, and presents the status of recommendations that remained open from prior GAO reports.

What GAO Recommends

This report provides 2 new recommendations pertaining to the new control deficiencies that contributed to IRS’s continuing material weakness in internal control over unpaid tax assessments and 9 new recommendations related to the other identified deficiencies, for a total of 11 new recommendations. These recommendations are intended to improve IRS’s internal controls over its financial management and accountability of resources as well as bring IRS into conformance with its own policies, Standards for Internal Control in the Federal Government, and Office of Management and Budget Circular No. A-123, Management’s Responsibility for Internal Control. IRS agreed with all 11 of GAO’s new recommendations and stated it is committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. 

For more information, contact Cheryl E. Clark at (202) 512-9377 or clarkce@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2015, IRS developed a long-term action plan to address the unpaid assessments material weakness. This plan identifies and documents (1) the specific system and control deficiencies that result in errors in taxpayer accounts and inaccurate classification of unpaid assessments amounts, (2) the actions IRS needs to take to address each related deficiency, and (3) the IRS organizational units that need to be involved in the actions.

    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to include all key elements as recommended by the OMB Circular No. A-123 implementation guide in IRS's corrective action plan to adequately address the control deficiencies in its systems that are contributing to the material weakness in unpaid tax assessments.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Open

    Comments: During fiscal year 2015, IRS conducted a trial quality review to evaluate the accuracy of penalty assessments recorded in a sample of taxpayer accounts and took action to address the errors it identified. Based on its trial review, IRS developed procedures for performing this type of review in June 2016 and informed us that it would formalize procedures in the IRM to include routine monitoring and testing of the accuracy of penalty assessments in taxpayer accounts. However, as of September 30, 2016, IRS had not implemented these procedures or documented them in the IRM. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.

    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to develop and implement agency-wide procedures to routinely monitor the accuracy of penalties recorded in taxpayer accounts to timely detect and correct errors.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that it has performed a study of the causes of noncompliance with the IRM requirements and will complete all related corrective actions by May 2017. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.

    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to determine the reason(s) why taxpayer assistance centers (TAC) managers and personnel did not consistently comply with existing Internal Revenue Manual (IRM) requirements that TAC managers and personnel (1) perform and document reviews of the Follow-Up Review Log by the last day of the following month, (2) maintain control copies of transmittal forms, and (3) ship taxpayer receipts and information via traceable overnight mail and, based on this determination, establish a process to better enforce compliance with these requirements.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Open

    Comments: While IRS updated the IRM in April 2016 to require TAC managers to (1) perform a semiannual reconciliation of document transmittal forms to the associated Follow-Up Review Log to monitor employee compliance with IRM requirements and (2) document this reconciliation on Form 14698, Field Assistance Taxpayer Assistance Centers Remittance and Non-Remittance Log Reconciliation, our fiscal year 2016 audit testing identified instances where the use of the form was not fully implemented at the TACs we visited. Further, we continued to identify instances where TAC employees did not always (1) track document transmittals on the Follow-up Review Log and (2) follow up on late acknowledgments timely. In one instance, we found that TAC personnel did not document on the log the actions that were taken for a package that was lost; however, the manager had completed a review of the Follow-up Review Log. We will continue to evaluate the results of IRS's corrective actions during our fiscal year 2017 audit.

    Recommendation: The Commissioner of IRS should update the IRM to require managers to reconcile transmittal forms with the Follow-Up Review Log to reasonably assure that personnel are properly entering transmittal forms into the log and are appropriately documenting follow-up on unacknowledged transmittals of taxpayer receipts and information.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Closed - Implemented

    Comments: During fiscal year 2016, IRS issued interim guidance to update the IRM, which requires that all contractors with unescorted staff-like access, whether directly or indirectly contracted by IRS, complete information protection and security awareness training within 10 business days of approved staff-like access and annually thereafter. IRS's actions sufficiently address our recommendation.

    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to update the IRM to specify that unauthorized access awareness training requirements apply to non-IRS contractors who have unescorted physical access to IRS facilities.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  6. Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that by July 2017, it will partner with FPS and GSA to establish a process to help ensure that all contractors who require unescorted access are first approved for interim or final staff-like access and complete mandatory information protection and security awareness training within 10 business days of approved staff-like access. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.

    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to establish a process to ensure that the requirement for unauthorized access awareness training is explicitly communicated to non-IRS contractors who have unescorted access to IRS facilities.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  7. Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that by July 2017, it will send out a communication to its FMSS field offices that will include SOPs for monitoring training and acquiring unauthorized access awareness training documentation for each non-IRS contract employee. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.

    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to establish procedures to monitor whether non-IRS contractors with unescorted physical access to IRS facilities are receiving unauthorized access awareness training.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  8. Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that by July 2017, it will identify and analyze the risks associated with candling at the SCCs and lockbox banks, along with any mitigating factors, to determine if further actions are warranted. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.

    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to determine why staff did not consistently comply with IRS's existing requirements for the final candling of receipts at service center campuses and lockbox banks, including logging remittances found during final candling on the final candling log at the time of discovery, safeguarding the remittances at the time of discovery, transferring the remittances to the deposit unit promptly, and passing one envelope at a time over the light source, and based on this determination, establish a process to better enforce compliance with these requirements.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  9. Status: Closed - Implemented

    Comments: In fiscal year 2015, IRS developed and implemented written procedures to determine whether internal use software (IUS) costs should be capitalized or expensed in accordance with Statement of Federal Financial Accounting Standards No. 10, Accounting for Internal Use Software. The procedures included steps for obtaining supporting documentation (e.g., communications with project managers, status reports/memos) to determine the project phase to which a cost was attributable, specifically for cases in which the invoice, Statement of Work, and internal work-in-process schedule do not provide sufficient information. In addition, based on our fiscal year 2015 IUS acquisition testing, we noted that IRS had implemented these procedures. IRS's actions sufficiently address our recommendation.

    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to establish and implement detailed written procedures for properly determining whether internal use software costs should be capitalized or expensed. The procedures should include steps for obtaining the complete documentation required to determine the project phase to which a cost was attributable, specifically for cases in which the invoice, Statement of Work, and internal work-in-process schedule do not provide sufficient information.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  10. Status: Closed - Implemented

    Comments: In fiscal year 2015, IRS revised its written procedures to require that assets reclassified during the voucher review process be added to KISAM or CIMIS. However, the procedures were not revised until after we conducted our internal control testing in fiscal year 2015. We tested IRS's implementation of the revised procedures during our fiscal year 2016 audit and did not identify any exceptions. IRS's actions sufficiently address our recommendation.

    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to establish and implement written procedures to reasonably assure that assets that are reclassified during the voucher review process are properly added to Knowledge Incident/Problem Service Asset Management (KISAM) or Criminal Investigation Management Information System for tracking purposes, as applicable.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  11. Status: Closed - Implemented

    Comments: In fiscal year 2015, IRS's IT organization updated its procedures to include quarterly supervisory reviews to reasonably assure that asset acquisitions are properly entered into KISAM. However, our fiscal year 2015 internal control testing included assets that were acquired prior to IRS updating the procedures. We tested IRS's implementation of the revised procedures during our fiscal year 2016 audit and did not identify any exceptions. IRS's actions sufficiently address our recommendation.

    Recommendation: The Commissioner of IRS should direct the appropriate IRS officials to update the Hardware Asset Management Standard Operating Procedure to include a requirement for periodic supervisory review to provide reasonable assurance that certain asset acquisitions are properly entered into KISAM.

    Agency Affected: Department of the Treasury: Internal Revenue Service
