Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.

  • Browse Open Recommendations

    Explore priority recommendations by subject terms or browse by federal agency

    Search Open Recommendations

    Search for a specific priority recommendation by word or phrase



  • Governing on the go?

    Our Priorities for Policy Makers app makes it easier for leaders to search our recommendations on the go.

    See the November 10th Press Release


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • « Back to Results List Sort by   

    Results:

    Subject Term: "Tax information confidentiality"

    15 publications with a total of 51 open recommendations including 3 priority recommendations
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    10 open recommendations
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement the audit plans for the 12 systems and applications that we reviewed in the production computing environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that system administrators and security operations analysts are alerted in the event of audit processing failures.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should update information contingency plan test procedures to include updating contingency plans to reflect changes to the current operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that approved risk-based decisions pertaining to database configurations are based on suitable justification.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop, document, and implement the use of detailed procedures to facilitate the periodic review and analysis of audit records for its financial systems.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop an enterprise-wide system owner procedural document to control critical mainframe operating system commands.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should regularly update configuration standards and guidelines for network devices to incorporate recommendations from industry leaders, security agencies, and key practices from IRS partners to address known vulnerabilities applicable to IRS's environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that all known significant audit findings and recommendations related to financial reporting, which includes those in GAO's public and limited official use only reports, that directly relate to the objective of A-123 internal control tests are reviewed and monitored.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should identify and review service organizations' listing of user controls that are deemed relevant and test those controls to appropriately draw conclusions about the operating effectiveness of controls.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Jessica Lucas-Judy
    Phone: (202) 512-9110

    5 open recommendations
    Recommendation: To help ensure that IRS leverages lessons learned from the NRP examinations and effectively completes operational employment tax examinations, the Commissioner of Internal Revenue should develop and document plans to analyze the results in 2017 of the NRP employment tax study to identify the major issues of noncompliance.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In response to this recommendation, IRS said in July 2017 that it will develop and document plans to comprehensively analyze the National Research Program study results and identify major issues of noncompliance. IRS also said it will complete data perfection activities and deliver the updated data to its data warehouse system. IRS plans to complete these tasks by January 2018.
    Recommendation: To help ensure that IRS leverages lessons learned from the NRP examinations and effectively completes operational employment tax examinations, the Commissioner of Internal Revenue should develop and document plans for addressing the noncompliance identified in IRS's analysis of the NRP employment tax results.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In response to this recommendation, IRS said in July 2017 that it plans to research how the National Research Program (NRP) study results can be used to enhance workload selection programs and will develop and initiate an action plans based on studying the NRP results. IRS plans to complete this work by January 2019.
    Recommendation: To help ensure that IRS leverages lessons learned from the NRP examinations and effectively completes operational employment tax examinations, the Commissioner of Internal Revenue should develop and document plans for assessing the results of the NRP employment tax study to estimate the current state of the employment tax gap.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In response to this recommendation, in July 2017 IRS said it will update its tax gap estimates, which will include updating the employment tax gap estimates. IRS plans to complete this effort by January 2020.
    Recommendation: To help ensure that IRS leverages lessons learned from the NRP examinations and effectively completes operational employment tax examinations, the Commissioner of Internal Revenue should determine whether and when to provide the Information Return Analysis System upfront for Small Business/Self-Employed division operational examinations based on criteria such as whether it would help identify more noncompliance, reduce taxpayer burden, and improve audit efficiency by reducing overall IRS costs (examiner versus campus costs).

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In response to this recommendation, in July 2017 IRS said it will gather additional data and insights on the opportunities and challenges of incorporating Information Return Analysis System (IRAS) data into the classification process. IRS plans to complete these tasks by October 2018.
    Recommendation: To help ensure that IRS leverages lessons learned from the NRP examinations and effectively completes operational employment tax examinations, the Commissioner of Internal Revenue should regularly remind employment tax examiners how they can access and request the CP2100 and cash transaction data for operational employment tax examinations.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In response to this recommendation, in July 2017 IRS said it will provide reminders to examiners regarding the cash transaction data and the CP2100, hold training sessions, and include information on both tools on its internal website for examiners. IRS planned to complete these tasks by October 2018.
    Director: Jessica Lucas-Judy
    Phone: (202) 512-9110

    3 open recommendations
    Recommendation: The Commissioner of Internal Revenue should develop and maintain an online dashboard to display customer service standards and performance information such that it is easily accessible and improves the transparency of its taxpayer service.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In April 2017, IRS reported that it is evaluating the data that it can make available online. IRS also indicated that it will include the service standards that taxpayers should expect when interacting with IRS. IRS expects to make this information available online by February 2018.
    Recommendation: The Commissioner of Internal Revenue should review its document retrieval and scanning processes to identify potential training or guidance needs or other potential efficiencies.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In April 2017, IRS reported that it issued guidance to employees in February 2017 reminding them to follow IRS procedures that require thorough research of information contained in IRS systems before requesting a hard copy of documents from file storage or archives. However, IRS has not completed a review of its document retrieval and scanning processes to identify potential efficiencies. Without this review, IRS is missing potential opportunities to retrieve and scan the documents that employees require in a timely manner.
    Recommendation: The Commissioner of Internal Revenue should revise IRS's notices to IDT refund fraud victims to include information such as (1) whether any dependents were claimed on the fraudulent return, (2) to the extent possible, if those dependents match any of those the taxpayer claimed the same tax year, and (3) how to request a redacted copy of the fraudulent return.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In April 2017, IRS reported that it will revise its notices to victims of identity theft to include information that will advise them to protect the personally identifiable information of their dependents. The notice will also direct them to revised information and guidance on irs.gov. IRS expects to complete the revisions by July 2018.
    Director: James R. McTigue, Jr.
    Phone: (202) 512-9110

    4 open recommendations
    Recommendation: To further deter noncompliance in the Taxpayer Protection Program, the Commissioner of Internal Revenue should, in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) e-authentication guidance, conduct an updated risk assessment to identify new or ongoing risks for TPP's online and phone authentication options, including documentation of time frames for conducting the assessment

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of August 2017, IRS was taking steps to assess the risks of TPP authentication options, as GAO recommended in its May 2016 report. According to IRS, the agency assessed the e-authentication risk for the TPP web application based on OMB and NIST guidance. Based on the results of these assessments, the agency stated that officials are working to improve the level of assurance for the web application. In the interim, IRS reported that taxpayers will authenticate their identities by phone or in-person until the TPP web application has been sufficiently updated. According to officials, in February 2017, IRS implemented a new authentication process for TPP's phone authentication. Officials also told GAO they plan to finalize their review and risk assessment of TPP's phone, mail, and in-person authentication by October 2017. Once this assessment is finalized, GAO will review the assessment and determine the extent to which IRS has implemented the recommendation. Conducting an updated risk assessment for TPP in accordance with e-authentication and risk management standards will enable IRS to identify appropriate opportunities to strengthen TPP authentication and prevent IDT fraudsters from passing and potentially receiving millions of dollars in refunds. In addition, strengthening TPP could improve IRS's return on investment for its fraud detection efforts.
    Recommendation: To further deter noncompliance in the Taxpayer Protection Program, the Commissioner of Internal Revenue should, in accordance with OMB and NIST e-authentication guidance, implement appropriate actions to mitigate risks identified in the assessment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of August 2017, IRS was taking steps to assess the risks of TPP authentication options, as GAO recommended in its May 2016 report. According to IRS, the agency assessed the e-authentication risk for the TPP web application based on OMB and NIST guidance. Based on the results of these assessments, the agency stated that officials are working to improve the level of assurance for the web application. In the interim, IRS reported that taxpayers will authenticate their identities by phone or in-person until the TPP web application has been sufficiently updated. According to officials, in February 2017, IRS implemented a new authentication process for TPP's phone authentication. Officials also told GAO they plan to finalize their review and risk assessment of TPP's phone, mail, and in-person authentication by October 2017. Once this assessment is finalized, GAO will review the assessment and determine the extent to which IRS has implemented the recommendation. Conducting an updated risk assessment for TPP in accordance with e-authentication and risk management standards will enable IRS to identify appropriate opportunities to strengthen TPP authentication and prevent IDT fraudsters from passing and potentially receiving millions of dollars in refunds. In addition, strengthening TPP could improve IRS's return on investment for its fraud detection efforts.
    Recommendation: To improve the quality of the Taxonomy's IDT refund fraud estimates, the Commissioner of Internal Revenue should remove refund thresholds from criteria used to develop IRS's refunds-paid estimates.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of October 2017, IRS has taken steps to update its methodology for calculating and reporting its Taxonomy estimates. IRS provided GAO with updated Taxonomy estimates for 2015; GAO is reviewing these estimates to determine the extent to which IRS has implemented GAO's recommendation.
    Recommendation: To improve the quality of the Taxonomy's IDT refund fraud estimates, the Commissioner of Internal Revenue should utilize return-level data--where available--to reduce overcounting and improve the quality and accuracy of the refunds-prevented estimates.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In August 2016, IRS reported that the agency did not agree with GAO's recommendation and noted that the agency does not think that adopting a different methodology for Taxonomy estimates is an effective use of agency resources. According to IRS, the agency established the Global Identity Theft Report (Global Report) as a standardized report that uses return-level data for most of the identity theft protected categories and summary data elsewhere. Further, IRS reported that the agency will continue to improve the Global Report, which will flow into the Taxonomy. However, as we reported in May 2016, by using the Global Report to calculate Taxonomy estimates for refunds prevented, IRS may have overestimated the refunds protected or recovered. For example, electronically filed returns that are rejected are overcounted because the same return can be rejected multiple times. Additionally, IRS already has a count of known and potential identity theft returns in its modeling dataset that the agency could use to help calculate the refunds protected estimates. As of October 2017, GAO is analyzing IRS's 2015 Taxonomy estimates to determine the extent to which GAO's recommendation has been implemented.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update system and application audit plans based on the current version of referenced policies and guidelines and when significant changes are made to a system or application.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The IRS concurred with the recommendation and stated that it plans to implement it. Subsequent to IRS informing us that it has taken action on this recommendation, we plan to evaluate their implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update the security plan for systems that provide network infrastructure services to IRS personnel and information systems to reflect changes to the operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: On March 28, 2017, IRS officials informed us of the actions they were taking to address this recommendation. Upon receiving information from IRS, we plan to evaluate IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Director: Jessica Lucas-Judy
    Phone: (202) 512-9110

    7 open recommendations
    including 1 priority recommendation
    Recommendation: The Commissioner of Internal Revenue should establish, document, and implement an organizational structure identifying responsibility for defining objectives with an appropriate line of reporting for measuring costs and results for information referrals.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of January 2017, IRS has taken some action to implement this recommendation. IRS told us it established a cross-functional team in February 2016 to conduct a comprehensive review of IRS's referral programs, including the information referral process. IRS completed its review and plan for the organizational structure in December 2016. The Wage and Investment division will retain the intake and screening responsibilities. The Small Business and Self-Employed division will be responsible for defining objectives and monitoring results for information referrals. We continue to monitor IRS implementation of the planned cost and results measurement and reporting.
    Recommendation: The Commissioner of Internal Revenue should ensure that the IRM has internal controls for processing information referrals by establishing, documenting, and implementing supervisory review and segregation of duties for inventory management reporting procedures.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of January 2017, IRS has taken some action on this recommendation. IRS told us it established a cross-functional team in February 2016 to conduct a comprehensive review of IRS's referral programs, including the information referral process. IRS completed its review and plan for the organizational structure in December 2016. Once IRS approves the organizational structure, IRS will document new and updated screening and routing procedures in the Internal Revenue Manual as well as guidance for the Image Control Team and other IRS units receiving information referrals. IRS plans to implement this recommendation by September 2017.
    Recommendation: The Commissioner of Internal Revenue should ensure that the IRM has internal controls for processing information referrals by establishing, documenting, and implementing ongoing monitoring of information referrals retained for destruction, including a mechanism for tracking the reasons referrals were retained prior to destruction.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of January 2017, IRS has taken some action to implement this recommendation. IRS told us it established a cross-functional team in February 2016 to conduct a comprehensive review of IRS's referral programs, including the information referral process. IRS completed its review and plan for the organizational structure in December 2016. Once IRS approves the organizational structure, IRS will establish and document Internal Revenue Manual procedures, including criteria for retaining information referrals for destruction. IRS plans to implement this recommendation by September 2017.
    Recommendation: The Commissioner of Internal Revenue should ensure that the IRM has internal controls for processing information referrals by establishing, documenting, and implementing procedures for each IRS operating unit receiving information referrals to provide feedback on the number and types of referrals misrouted and on their disposition, and a mechanism to analyze patterns of misroute errors.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of January 2017, IRS has taken some action to implement this recommendation. IRS told us it established a cross-functional team in February 2016 to conduct a comprehensive review of IRS's referral programs, including the information referral process. IRS completed its review and plan for the organizational structure in December 2016. Once IRS approves the organizational structure, IRS will establish and document Internal Revenue Manual procedures, including guidelines for IRS units receiving information referrals. IRS plans to implement this recommendation by September 2017.
    Recommendation: The Commissioner of Internal Revenue should establish a coordination mechanism to facilitate communication and information sharing across IRS referral programs on crosscutting tax issues and ways to improve efficiency in the mechanisms for public reporting of possible tax violations.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of March 2017, IRS had taken some action to establish a coordination mechanism to help IRS referral programs communicate and share information, as GAO recommended in its February 2016 report. IRS established a cross-functional team in February 2016 to comprehensively review IRS's referral programs. Among other things, this team is to explore aligning all IRS referral programs within an organizational structure to more efficiently coordinate, communicate, and share information across the referral programs by December 2017. As of March 2017, the Deputy Commissioner of Services and Enforcement directed the largest recipient of referrals to facilitate quarterly meetings in order to improve communication and information sharing across multiple IRS referral programs. The meetings are scheduled to begin by summer 2017.
    Recommendation: The Commissioner of Internal Revenue should direct the referral programs to establish a mechanism to coordinate on a plan and timeline for developing a consolidated, online referral submission in order to better position IRS to leverage specialized expertise while exploring options to further consolidate the initial screening operations.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: As of March 2017, IRS had taken some action to establish a mechanism to coordinate on a plan and timeline for developing a consolidated, online referral submission, as GAO recommended in its February 2016 report. IRS established a cross-functional team in February 2016 to comprehensively review IRS's referral programs. Among other things, the team has explored options to consolidate the initial screening operations and determine the scope and complexity for moving the referral process to an online format. According to IRS, an electronic submission process is expected to provide better access to the program and reduce the burden associated with making a written report or referral. In November 2016, the cross-functional team requested information technology resources for fiscal year 2019 to develop an online system which could potentially replace four separate referral forms, filter out incomplete referrals, and electronically route referrals for further IRS action. IRS assessed options for consolidating all forms for the various referral programs and determined that consolidating them to a single form was not feasible due to the technical nature and complexity of the various referral types. As of March 2017, the cross-functional team has worked with IRS On Line Services to develop an online application prototype and is also considering the cost-effectiveness of a commercial off-the-shelf product. According to the IRS, the online application will make it easier for the public to report possible tax violations. Also, the online system will improve efficiency in coordination and provide reports that will be incorporated into the quarterly coordination meetings, to achieve a broader collaborative mechanism across the multiple referral programs. IRS has said it will consider further consolidating the referral programs once the online application is in place.
    Recommendation: The Commissioner of Internal Revenue should ensure that the Internal Revenue Manual (IRM) has internal controls for processing information referrals by establishing, documenting, and implementing procedures for maintaining and communicating the information referral screening and routing guidelines to the Image Control Team (ICT) and IRS units receiving information referrals as well as procedures for ICT screening and routing operations.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of January 2017, IRS has taken some action on this recommendation. IRS told us it established a cross-functional team in February 2016 to conduct a comprehensive review of IRS's referral programs, including the information referral process. IRS completed its review and plan for the organizational structure in December 2016. Once IRS approves the organizational structure, IRS will document new and updated screening and routing procedures in the Internal Revenue Manual as well as guidance for the Image Control Team and other IRS units receiving information referrals. IRS plans to implement this recommendation by September 2017.
    Director: James R. McTigue, Jr.
    Phone: (202) 512-9110

    2 open recommendations
    Recommendation: To further encourage whistleblowers to provide information to IRS about serious tax noncompliance and to protect whistleblowers, Congress should consider legislation that would provide protections for tax whistleblowers against retaliation from their employers.

    Agency: Congress
    Status: Open

    Comments: On March 29, 2017, the Senate Finance Committee introduced the IRS Whistleblower Improvements Act of 2017, which would provide anti-retaliation protections for whistleblowers who bring information on tax noncompliance to IRS. The act would provide protections for employees from discharge, demotion, suspension, threats, harassment, or any other discrimination in reprisal for lawful actions to provide information to the IRS or to participate in a judicial action taken by the IRS relating to an alleged underpayment of tax or violation of tax laws. On April 20, 2016, the Senate Finance Committee approved provisions to improve the IRS's whistleblower program and protect tax whistleblowers from retaliation from their employers. The provision extends anti-retaliation provisions to IRS whistleblowers that are presently afforded to whistleblowers under the False Claims Act and Sarbanes-Oxley. However, no action passed on this Senate bill in the 114th congress. We will continue to monitor legislative action in this area.
    Recommendation: The Commissioner of Internal Revenue should direct the Whistleblower Office Director to establish a process to ensure whistleblower addresses are being properly updated in E-TRAK to ensure the WO does not send whistleblower mail to outdated or incorrect addresses. This process could include developing a change of address form specific to whistleblowers and including a blank copy of it in every correspondence with whistleblowers or referencing the importance of updating the WO with any address change in every correspondence with whistleblowers.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In a January 29, 2016 letter, the IRS Deputy Commissioner for Services and Enforcement said that the Whistleblower Office will emphasize in education materials, fact sheets, and other communications with whistleblowers the importance of whistleblowers providing updates to the IRS of any address changes, along with reminders of how to submit address changes to the Whistleblower Office. In August and September of 2016, IRS revised templates for standard letters sent to whistleblowers reminding them of the importance of updating their addresses with the Whistleblower Office and providing direction for how to do so. IRS also published a fact sheet for whistleblowers, which is available on www.irs.gov, that also provides information on how whistleblowers should notify the Whistleblower Office of any address change. As of February 2017, IRS had not taken action to establish a process to ensure that address changes are being properly updated in E-TRAK and that mail is being sent only to the correct address. We will continue to follow-up with IRS on this recommendation.
    Director: James R. McTigue, Jr.,
    Phone: (202) 512-9110

    3 open recommendations
    Recommendation: To strengthen oversight of the individual shared responsibility and premium tax credit provisions, the Commissioner of Internal Revenue should assess whether or not the data received from the health insurance marketplaces are sufficiently complete and accurate to enable effective correction of tax returns at-filing based on matching with the marketplace data and, if the assessment determines that such corrections would be effective, seek legislative authority to correct tax returns at-filing based on the marketplace data.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The Internal Revenue Service (IRS) agreed with GAO's recommendation. IRS reports that the quality of data submitted by health insurance marketplaces has improved since the 2015 return filing season, and it continues to use its correspondence process for resolving discrepancies between marketplace data and that reported by the taxpayer after the return has been filed. IRS has not considered requesting legislative authority to correct tax returns at the time of filing based specifically on discrepancies between the data submitted by the health insurance marketplace and reported by the taxpayer. Agency officials believe that would be premature at this time. They noted that a broader legislative initiative has already been proposed that would grant IRS with correctable error authority in cases where the information provided by the taxpayer does not match the information contained in government databases. Should this broad authority be granted in the future, IRS will then consider how to approach correction of tax returns at the time of filing based on discrepancies with health insurance marketplace data. Such authority was also included in the Administration's 2018 budget.
    Recommendation: To strengthen oversight of the individual shared responsibility and premium tax credit provisions, the Commissioner of Internal Revenue should work with CMS to get the total amount of advance PTC paid for the 2014 tax year and establish, as a baseline, the aggregate amount of the gap between advance PTC paid and advance PTC reported for the 2014 tax year, and track this aggregate gap for future tax years to help in evaluating the effectiveness of IRS's PTC education and compliance efforts.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The Internal Revenue Service (IRS) agreed with GAO's recommendation in part. As one of the ongoing efforts by the IRS to evaluate the effectiveness of its implementation of the premium tax credit (PTC) provision for tax year 2014, IRS plans to perform as analysis of reporting of advance payments of the PTC by the Marketplaces. The results of this analysis and other efforts will help inform the IRS of potential areas for improvement in education, tax filing and compliance activities. IRS has been tracking the amount of advance PTC paid based on summary data provided by the Centers for Medicare & Medicaid Services (CMS) for 2014 and 2015 as well as the gap between the amounts paid compared to the amount reported by taxpayers. However, IRS has not yet resolved all issues with CMS related to properly allocating all payments to 2014 and 2015. Complete data for 2016 are not yet available.
    Recommendation: To strengthen oversight of the individual shared responsibility and premium tax credit provisions, the Commissioner of Internal Revenue should evaluate IRS efforts to collaborate and communicate with key external stakeholders to inform efforts related to implementation of the new 2015 PPACA requirements.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The Internal Revenue Service (IRS) agreed with GAO's recommendation but has not yet initiated an evaluation of collaboration and communication efforts with external stakeholders. IRS currently utilizes informal feedback processes to share information and identify opportunities for improvement with external stakeholders in implementing the shared responsibility payment and premium tax credit provisions. We continue to encourage IRS to evaluate its collaboration and communication efforts.
    Director: Kingsbury, Nancy R
    Phone: (202) 512-2700

    3 open recommendations
    including 2 priority recommendations
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure contractors receive security awareness training within 5 business days of being granted access to an IRS information system.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During the audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure that control testing methodology and results fully meet the intent of the control objectives being tested.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed these actions. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the remedial action verification process to ensure actions are fully implemented.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed actions to implement the recommendation. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Director: James R. White
    Phone: (202) 512-9110

    3 open recommendations
    Recommendation: Congress should consider providing the Secretary of the Treasury with the regulatory authority to lower the threshold for electronic filing of W-2s from 250 returns annually to between 5 to 10 returns, as appropriate.

    Agency: Congress
    Status: Open

    Comments: As of September 2017, no legislation has been enacted. Lowering the threshold would help the Internal Revenue Service prevent identity theft refund fraud by enhancing its ability to verify the employment information reported on tax returns before issuing refunds. Additionally, lowering the threshold would reduce the Social Security Administration's administrative costs of processing W-2 information.
    Recommendation: To provide timely, accurate, and actionable feedback to all relevant lead-generating third parties, the Commissioner of Internal Revenue should provide aggregated information on (1) the success of external party leads in identifying suspicious returns and (2) emerging trends (pursuant to section 6103 restrictions).

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of March 2017, the Internal Revenue Service (IRS) had taken steps to address GAO's August 2014 recommendation -- including developing timeliness metrics for managing leads and holding six feedback sessions with financial institutions participating in the External Leads Program -- but had not provided documentation that the agency is providing meaningful feedback to external parties. In November 2015, IRS reported that it had developed a database to track leads submitted by financial institutions and the results of those leads. IRS also stated that it had held six sessions with financial institutions to provide feedback on external leads provided to IRS. These quarterly feedback sessions contained various types of information, including overall statistics for the External Leads Program, individual statistics tailored to a specific external party, and solicitations for how to improve the program. In December 2015, IRS officials stated that the agency sent a customer satisfaction survey asking financial institutions for feedback on the external leads process and was considering other ways to provide feedback to financial institutions. In August 2016, an industry group representing financial institutions reported that IRS had not begun providing meaningful feedback to financial institutions that are providing leads to IRS. In March 2017, IRS officials told us they were holding more frequent, monthly, feedback sessions with financial institutions. GAO will follow up with financial institutions to understand the extent to which IRS's feedback has been timely and is actionable. Without accurate, timely, and actionable feedback, the more than 600 external parties participating in the External Leads Program do not know if the leads they provide to IRS are useful and they may not be able to assess their success in identifying identity theft refund fraud or improve their detection tools.
    Recommendation: To provide timely, accurate, and actionable feedback to all relevant lead-generating third parties, the Commissioner of Internal Revenue should develop a set of metrics to track external leads by the submitting third party.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As of March 2017, the Internal Revenue Service (IRS) had taken steps to address GAO's August 2014 recommendation --including developing timeliness metrics for managing leads and holding six feedback sessions with financial institutions participating in the External Leads Program -- but had not provided documentation that the agency is providing meaningful feedback to external parties. In November 2015, IRS reported that it had developed a database to track leads submitted by financial institutions and the results of those leads. IRS also stated that it had held six sessions with financial institutions to provide feedback on external leads provided to IRS. These quarterly feedback sessions contained various types of information, including overall statistics for the External Leads Program, individual statistics tailored to a specific external party, and solicitations for how to improve the program. In December 2015, IRS officials stated that the agency sent a customer satisfaction survey asking financial institutions for feedback on the external leads process and was considering other ways to provide feedback to financial institutions. In August 2016, an industry group representing financial institutions reported that IRS had not begun providing meaningful feedback to financial institutions that are providing leads to IRS. In March 2017, IRS officials told us they were holding more frequent, monthly, feedback sessions with financial institutions. GAO will follow up with financial institutions to understand the extent to which IRS's feedback has been timely and is actionable. Without accurate, timely, and actionable feedback, the more than 600 external parties participating in the External Leads Program do not know if the leads they provide to IRS are useful and they may not be able to assess their success in identifying identity theft refund fraud or improve their detection tools.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    1 open recommendations
    Recommendation: To effectively implement key components of the IRS information security program, the Commissioner of Internal Revenue should update access request policies and procedures to ensure that they contain sufficiently detailed information of access requests and access assignments to facilitate effective review and verification of appropriate access privileges.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: At the beginning of GAO's audit of IRS' FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Director: Clark, Cheryl E
    Phone: (202)512-9377

    3 open recommendations
    Recommendation: The Acting Commissioner of Internal Revenue should direct the appropriate IRS officials to perform a risk assessment to determine the appropriate level of Integrated Data Retrieval System (IDRS) access that should be granted to employee groups that handle hard-copy taxpayer receipts and related sensitive taxpayer information as part of their job responsibilities.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: According to IRS, a risk assessment was performed to determine the appropriate level of IDRS access that should be granted to employee groups that handle hard-copy taxpayer receipts and related sensitive taxpayer information as part of their job responsibilities. However, during our fiscal year 2016 audit, we identified a group of employees at an SCC who handle hard-copy taxpayer receipts and related sensitive taxpayer information and can make adjustments to taxpayer accounts. Based on the information obtained, it is unclear whether the risks associated with these employees were considered in a risk assessment. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Acting Commissioner of Internal Revenue should direct the appropriate IRS officials to, based on the results of the risk assessment, update the Internal Revenue Manual (IRM) accordingly to specify the appropriate level of IDRS access that should be allowed for (1) remittance perfection technicians and (2) all other employee groups with IDRS access that handle hard-copy taxpayer receipts and related sensitive information as part of their job responsibilities.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As a result of its risk assessment efforts thus far, IRS updated the IRM to restrict the use of certain IDRS command codes for remittance perfection technicians. In addition, in May 2016, IRS reassessed the risks at its TACs, including the specific risks and mitigating factors associated with allowing TAC employees to process taxpayer remittances and to adjust taxpayer accounts. However, IRS did not update the IRM to reflect the conclusions from the risk assessment related to TAC employees. Further, during our fiscal year 2016 audit, we identified a group of employees at an SCC who handle hard-copy taxpayer receipts and related sensitive taxpayer information and can make adjustments to taxpayer accounts. Based on the information obtained, it is unclear whether the risks associated with these employees were considered in a risk assessment. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Acting Commissioner of Internal Revenue should direct the appropriate IRS officials to establish procedures to implement the updated IRM, including required steps to follow to prevent (1) remittance perfection technicians and (2) all other employee groups that handle hard-copy taxpayer receipts and related sensitive information as part of their job responsibilities from gaining access to command codes not required as part of their designated job duties.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: As a result of its risk assessment efforts thus far, IRS updated the IRM to include procedures to restrict the use of certain IDRS command codes for remittance perfection technicians. However, the IRM has not been updated based on the results of the risk assessment related to TAC employees and, if applicable, other employees who have access to sensitive command codes and handle hard-copy taxpayer receipts and related sensitive information as part of their job duties. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Director: Clark, Cheryl E
    Phone: (202)512-9521

    3 open recommendations
    Recommendation: Based on a review of all existing contracts under $100,000 without an appointed COTR that should require contract employees to obtain favorable background investigation results, the Commissioner of the IRS should direct the appropriate IRS officials to amend those contracts to require that favorable background investigations be obtained for all relevant contract employees before routine, unescorted, unsupervised physical access to taxpayer information is granted.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: According to IRS, it has completed its contract review and made appropriate modifications as of July 2016. However, the modifications to the contracts were not made available for our review during the fiscal year 2016 audit. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of the IRS should direct the appropriate IRS officials to establish a policy requiring collaborative oversight between IRS's key offices in determining whether potential service contracts involve routine, unescorted, unsupervised physical access to taxpayer information, thus requiring background investigations, regardless of contract award amount. This policy should include a process for the requiring business unit to communicate to the Office of Procurement and the Human Capital Office the services to be provided under the contract and any potential exposure of taxpayer information to contract employees providing the services, and for all three units to (1) evaluate the risk of exposure of taxpayer information prior to finalizing and awarding the contract and (2) ensure that the final contract requires favorable background investigations as applicable, commensurate with the assessed risk.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that during fiscal year 2017, several internal organizations will partner to identify the remaining actions needed to address this recommendation. According to IRS, these actions include developing policies and procedures to reasonably assure that (1) oversight between IRS's key offices is conducted to determine whether potential service awards IRS enters into involve routine, unescorted, unsupervised physical access to taxpayer information by contractors, thus requiring background investigations, and (2) the resulting processes make clear who is responsible for completing the various steps, as well as who must maintain documentation of the approved access determination prior to the contractor being allowed to provide the services. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Recommendation: The Commissioner of the IRS should direct the appropriate IRS officials to revise the post orders for the service center campuses (SCC) and lockbox bank security guards to include specific procedures for timely reporting exterior lighting outages to SCC or lockbox bank facilities management. These procedures should specify (1) whom to contact to report lighting outages and (2) how to document and track lighting outages until resolved.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. IRS stated that during fiscal year 2017, it would update campus post orders to help ensure timely reporting, monitoring and repair of exterior lighting outages. In addition, AWSS engaged in discussions with personnel from FPS and GSA to coordinate responsibilities and suggested changes for post orders when security services are contracted by those entities. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 audit.
    Director: Clark, Cheryl E
    Phone: (202)512-9521

    1 open recommendations
    Recommendation: The IRS should direct the appropriate IRS officials to establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station and (2) the emergency contact list for each location is current and includes only appropriate contacts.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS's efforts to address this recommendation are ongoing. In August 2016, IRS updated the IRM to require that (1) corrective actions are planned for all incidents reported by the central monitoring station and (2) the emergency contact list for each location is current and includes only appropriate contacts. IRS stated that in fiscal year 2017 it will update procedures and provide training to employees to help ensure that the updates to the guidance are communicated to affected employees. We will continue to evaluate IRS's corrective actions during our fiscal year 2017 audit.
    Director: Clark, Cheryl E
    Phone: (202) 512-3000

    1 open recommendations
    Recommendation: To address other issues that may exist in IRS's master files that affect penalty calculations, the Commissioner of Internal Revenue should direct appropriate IRS officials to, in instances where programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: According to IRS, it had substantially completed its corrective actions to address 19 penalty programming issues it had identified from its internal assessment of penalty computation programs. However, as of September 30, 2016, IRS had not provided us with supporting documentation to validate that it completed the corrective actions. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2017 financial statement audit.