This is the accessible text file for GAO report number GAO-06-560 
entitled 'Internal Revenue Service: Status of Recommendations from 
Financial Audits and Related Financial Management Reports' which was 
released on June 6, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Commissioner of Internal Revenue: 

United States Government Accountability Office: 

GAO: 

June 2006: 

Internal Revenue Service: 

Status of Recommendations from Financial Audits and Related Financial 
Management Reports: 

GAO-06-560: 

GAO Highlights: 

Highlights of GAO-06-560, a report to the Commissioner of Internal 
Revenue. 

Why GAO Did This Study: 

In its role as the nationís tax collector, the Internal Revenue Service 
(IRS) has a demanding responsibility in annually collecting over $2 
trillion in taxes, processing hundreds of millions of tax and 
information returns, and enforcing the nationís tax laws. Since its 
first audit of IRSís financial statements in fiscal year 1992, GAO has 
identified a number of weaknesses in IRSís financial management 
operations. In related reports, GAO has recommended corrective action 
to address those weaknesses. 

Each year, as part of the annual audit of IRSís financial statements, 
GAO not only makes recommendations to address any new weaknesses 
identified but also follows up on the status of weaknesses GAO 
identified in previous yearsí audits. The purpose of this report is to 
(1) assist IRS management in tracking the status of audit 
recommendations and actions needed to fully address them and (2) 
demonstrate how the recommendations fit into IRSís overall management 
and internal control structure. 

What GAO Found: 

IRS has made significant progress in improving its internal controls 
and financial management since its first financial audit in 1992, as 
evidenced by 6 consecutive years of clean audit opinions on its 
financial statements, the resolution of several material internal 
control weaknesses, and the closing of over 200 financial management 
recommendations. This progress has been the result of hard work and 
commitment at the top levels of the agency. 

However, IRS still faces financial management challenges. At the 
beginning of GAOís audit of IRSís fiscal year 2005 financial 
statements, 84 financial management-related recommendations from prior 
audits remained open because IRS had not fully addressed the issues 
that gave rise to them. During the fiscal year 2005 financial audit, 
IRS took actions that enabled GAO to close 34 of those recommendations. 
At the same time, GAO identified additional internal control 
deficiencies resulting in 22 new recommendations. In total, 72 
recommendations currently remain open. 

To assist IRS in evaluating its internal controls and in making 
improvements, GAO categorized the 72 open recommendations by various 
internal control activities which, in turn, were grouped into three 
broad control activity groupings. 

Table: Summary of Open Recommendations: 

Control activity group: Safeguarding of assets and security activities: 
Open in 2005: 33: 
Closed during 2005 audit: 13: 
New from 2005 audit: 9: 
Total open for 2006: 29: 

Control activity group: Proper recording and documenting of 
transactions: Open in 2005: 30: 
Closed during 2005 audit: 13: 
New from 2005 audit: 9: 
Total open for 2006: 26: 

Control activity group: Effective management review and oversight: Open 
in 2005: 21: 
Closed during 2005 audit: 8: 
New from 2005 audit: 4: 
Total open for 2006: 17: 

Control activity group: Total: 
Open in 2005: 84: 
Closed during 2005 audit: 34: 
New from 2005 audit: 22: 
Total open for 2006: 72: 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of Table] 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-560]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Steven J. Sebastian at 
(202) 512-3406 or sebastians@gao.gov. 

[End of Section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Objectives, Scope, and Methodology: 

IRS's Progress on Financial Management Recommendations: 

Open Recommendations Grouped by Control Activity: 

Concluding Observations: 

Agency Comments and Our Evaluation: 

Appendix I: Status of GAO Recommendations from IRS Financial Audits and 
Related Management Reports: 

Appendix II: Comments from the Internal Revenue Service: 

Appendix III: Staff Acknowledgments: 

Tables: 

Table 1: Summary of Open Recommendations: 

Table 2: Recommendations to Improve IRS's Physical Controls over 
Vulnerable Assets: 

Table 3: Recommendations to Improve IRS's Segregation of Duties: 

Table 4: Recommendations to Improve IRS's Controls over Information 
Processing: 

Table 5: Recommendations to Improve IRS's Access Restrictions to and 
Accountability for Resources and Records: 

Table 6: Recommendations to Improve IRS's Documentation of Transactions 
and Internal Control: 

Table 7: Recommendations to Improve IRS's Accurate and Timely Recording 
of Transactions and Events: 

Table 8: Recommendation to Improve IRS's Execution of Transactions and 
Events: 

Table 9: Recommendations to Improve IRS's Reviews by Management at the 
Functional or Activity Level: 

Table 10: Recommendations to Improve IRS's Establishment and Review of 
Performance Measures and Indicators: 

Table 11: Recommendation to Improve IRS's Management of Human Capital: 

Abbreviations: 

ALS: Automated Lien System: 

ATFR: Automated Trust Fund Recovery: 

AUR: Automated Under Reporter: 

AWSS: Agency-Wide Shared Services: 

BMF: Business Master File: 

BPMS: Business Performance Management System: 

CAP: Custodial Accounting Project: 

CCP: Centralized Case Processing: 

CCTV: closed-circuit television: 

CDDB: Custodial Detail Data Base: 

CFO: chief financial officer: 

CIO: chief information officer: 

CIQMS: complex interest quality measurement system: 

COTR: contracting officer's technical representative: 

CPE: continuing professional education: 

DCI: data collection instrument: 

FMFIA: Federal Managers' Financial Integrity Act of 1982: 

FMIS: Financial Management Information System: 

FMS: Financial Management Service: 

FRB: Federal Reserve Bank: 

IDRS: Integrated Data Retrieval System: 

IFS: Integrated Financial System: 

IMF: Individual Master File: 

IRM: Internal Revenue Manual: 

IRS: Internal Revenue Service: 

IT: information technology: 

LEM: Security Law Enforcement Manual: 

LMSB: Large and Mid-sized Business: 

LPG: Lockbox Processing Guidelines: 

LSG: Lockbox Security Guide: 

MOU: memorandum of understanding: 

NBIC: National Background Investigation Center: 

NFC: National Finance Center: 

OMB: Office of Management and Budget: 

P&E: property and equipment: 

POD: post of duty: 

PSEP: office of Physical Security and Emergency Preparedness: 

SATMOD: satisfied module: 

SB/SE: Small Business/Self-Employed: 

SCC: service center campus: 

SERP: Service-wide Electronic Research Program: 

SETS: Security Entry and Tracking System: 

SP: Submission Processing: 

SPC: submission processing center: 

TAC: taxpayer assistance center: 

TE/GE: Tax Exempt and Government Entities: 

TFRP: Trust Fund Recovery Penalty: 

TGA: Treasury's General Account: 

W&I: Wage and Investment: 

United States Government Accountability Office: 

Washington, DC 20548: 

June 6, 2006: 

The Honorable Mark W. Everson: 
Commissioner of Internal Revenue: 

Dear Mr. Everson: 

In its role as the nation's tax collector, the Internal Revenue Service 
(IRS) has a demanding responsibility to collect taxes, process tax 
returns, and enforce the nation's tax laws. In fiscal year 2005, IRS 
collected about $2.3 trillion in tax payments, processed hundreds of 
millions of tax and information returns, and paid about $267 billion in 
refunds to taxpayers. Because of its role and overall mission, IRS's 
activities touch on virtually all of the nation's citizens. It is 
therefore critical that the agency strive to maintain sound financial 
management practices. 

IRS has made much progress in improving its financial management since 
it was first required to prepare and have audited a set of financial 
statements in fiscal year 1992. This progress has led to its ability to 
obtain and maintain a clean audit opinion on its financial statements 
each year beginning in fiscal year 2000, and to correct several 
material internal control weaknesses over the years. Despite these 
considerable improvements, however, more remains to be done to address 
long-standing internal control issues that continue to plague the 
agency. IRS continues to have weak or ineffective internal controls 
over fundamental elements of its operations that leave it vulnerable to 
a greater risk of fraud, waste, abuse, and mismanagement. This, in 
turn, has the potential to impact the lives of the nation's taxpayers, 
as our audits over the years have demonstrated. 

An agency's internal control environment serves as the first line of 
defense in safeguarding its assets and in preventing and detecting 
errors and fraud, as well as in helping to effectively manage its 
stewardship over public resources.[Footnote 1] Unfortunately, IRS 
continues to be challenged with several long-standing material 
weaknesses in internal control that are at the heart of IRS's 
operations.[Footnote 2] During our audit of IRS's fiscal year 2005 
financial statements, we continued to find material weaknesses in 
controls over: 

* financial reporting (including safeguarding of assets), 

* unpaid tax assessments, 

* identifying and collecting tax revenues due and issuing tax refunds, 
and: 

* information systems security. 

In addition to the material weaknesses, we continued to identify two 
reportable conditions, including deficiencies in controls over (1) hard-
copy tax receipts and taxpayer data, which increase the government's 
and taxpayer's risk of loss or inappropriate disclosure of taxpayer 
data, and (2) property and equipment (P&E), which preclude IRS from 
readily reconciling its property records to its financial records. 

To assist IRS in strengthening its internal controls and improving its 
operations, we have made numerous recommendations as part of our annual 
financial statement audits and other financial management-related work 
at IRS. This report is being provided to you to (1) assist IRS 
management in tracking the status of financial audit and financial 
management-related recommendations and the actions needed to address 
them and (2) demonstrate how the recommendations fit into IRS's overall 
management and internal control structure. In cases where IRS has taken 
action on open recommendations that did not result in our closing them, 
we explain why this occurred. 

We conducted our review from December 2005 through May 2006 in 
accordance with U.S. generally accepted government auditing standards. 

Results in Brief: 

IRS management continues to make progress in addressing many of the 
internal control deficiencies that plague the agency. At the beginning 
of the fiscal year 2005 IRS financial statement audit, 84 financial 
management-related recommendations from prior audits remained open 
because IRS had not addressed the issues that gave rise to them 
sufficiently to allow us to close them. During the fiscal year 2005 
financial audit, IRS took actions to effectively address issues that 
gave rise to numerous recommendations, enabling us to close 34 of those 
recommendations. However, more efforts are needed by IRS to effectively 
address its financial management challenges. During our fiscal year 
2005 financial audit, we continued to identify recurring internal 
control deficiencies, as well as new deficiencies, and we made 22 new 
recommendations to address these newly identified issues. As a result, 
72 recommendations to address IRS's internal control deficiencies 
remain open. 

In analyzing the nature of these open financial management 
recommendations, we found that 29 recommendations, or 40 percent, 
relate to issues associated with IRS's lack of effective controls over 
safeguarding assets and security activities. Another 26 
recommendations, or more than a third of the open recommendations, 
relate to issues associated with IRS's inability to properly record and 
document transactions. The remaining 17 recommendations, or 
approximately 24 percent, relate to issues associated with lack of 
effective management review and oversight. Effective implementation of 
these open recommendations could greatly assist IRS in improving its 
internal controls and achieving sound financial management. We are 
making no new recommendations in this report. 

In commenting on this report, IRS highlighted its efforts to further 
improve its internal controls over hard-copy tax receipts, and felt our 
grouping of the remaining open recommendations into broad internal 
control categories will facilitate its strategy to address its 
remaining financial management issues. We have reprinted IRS's written 
comments in appendix II. 

Background: 

Internal control is not one event, but a series of actions and 
activities that occur throughout an entity's operations and on an 
ongoing basis. Internal control should be recognized as an integral 
part of each system that management uses to regulate and guide its 
operations rather than as a separate system within an agency. In this 
sense, internal control is management control that is built into the 
entity as a part of its infrastructure to help managers run the entity 
and achieve their goals on an ongoing basis. 

Section 3512 (c), (d) of Title 31, U.S. Code (commonly known as the 
Federal Managers' Financial Integrity Act of 1982 (FMFIA)), requires 
agencies to establish and maintain internal control. The agency head 
must annually evaluate and report on the control and financial systems 
that protect the integrity of federal programs. The requirements of 
FMFIA serve as an umbrella under which other reviews, evaluations, and 
audits should be coordinated and considered to support management's 
assertion about the effectiveness of internal control over operations, 
financial reporting, and compliance with laws and regulations. 

Office of Management and Budget (OMB) Circular No. A-123, Management's 
Responsibility for Internal Control (revised Dec. 21, 2004), provides 
the implementing guidance for FMFIA, and sets out the specific 
requirements for assessing and reporting on internal controls[Footnote 
3] consistent with the internal control standards issued by the 
Comptroller General of the United States.[Footnote 4] The circular, 
which was revised in 2004 with the revisions effective for fiscal year 
2006, defines management's responsibilities related to internal control 
and the process for assessing internal control effectiveness, and 
provides specific requirements for conducting management's assessment 
of the effectiveness of internal control over financial reporting. The 
circular requires management to annually provide assurances on internal 
control in its Performance and Accountability Report, and for the Chief 
Financial Officers (CFO) Act agencies, beginning in fiscal year 2006, 
to include a separate assurance on internal control over financial 
reporting, along with a report on identified material weaknesses and 
corrective actions.[Footnote 5] The circular also emphasizes the need 
for integrated and coordinated internal control assessments that 
synchronize all internal control-related activities. 

FMFIA requires GAO to issue standards for internal control in the 
federal government. GAO's Standards for Internal Control in the Federal 
Government provides the overall framework for establishing and 
maintaining internal control and for identifying and addressing major 
performance and management challenges and areas at greatest risk of 
fraud, waste, abuse, and mismanagement. 

As summarized in GAO's Standards for Internal Control in the Federal 
Government, the minimum level of quality acceptable for internal 
control in the government is defined by the following five standards, 
which also provide the basis against which internal controls are to be 
evaluated: 

* Control environment: Management and employees should establish and 
maintain an environment throughout the organization that sets a 
positive and supportive attitude toward internal control and 
conscientious management. 

* Risk assessment: Internal control should provide for an assessment of 
the risks the agency faces from both external and internal sources. 

* Control activities: Internal control activities help ensure that 
management's directives are carried out. The control activities should 
be effective and efficient in accomplishing the agency's control 
objectives. 

* Information and communications: Information should be recorded and 
communicated to management and others within the entity who need it and 
in a form and within a time frame that enables them to carry out their 
internal control and other responsibilities. 

* Monitoring: Internal control monitoring should assess the quality of 
performance over time and ensure that the findings of audits and other 
reviews are promptly resolved. 

The third control standard--internal control activities--helps ensure 
that management's directives are carried out. Control activities are 
the policies, procedures, techniques, and mechanisms that enforce 
management's directives. In other words, they are the activities 
conducted in the everyday course of business that accomplish a control 
objective, such as ensuring IRS employees successfully complete 
background checks prior to being granted access to taxpayer information 
and receipts. As such, control activities are an integral part of an 
entity's planning, implementing, reviewing, and accountability for 
stewardship of government resources and achievement of effective 
results. 

A key objective in our annual audits of IRS's financial statements is 
to obtain reasonable assurance about whether IRS maintained effective 
internal controls with respect to financial reporting, including 
safeguarding of assets, and compliance with laws and regulations. While 
all five internal control standards are critical and are used by us as 
a basis for evaluating the effectiveness of IRS's internal controls, we 
place a heavy emphasis on testing control activities. This has resulted 
in the identification of significant deficiencies in certain internal 
controls over the years and recommendations for corrective action. 

Objectives, Scope, and Methodology: 

The objectives of this report are to (1) assist IRS management in 
tracking the status of financial audit and financial management-related 
recommendations and the actions needed to address them and (2) 
demonstrate how the recommendations fit into IRS's overall management 
and internal control structure. To accomplish these objectives, we 
evaluated the effectiveness of IRS's corrective actions implemented in 
response to open recommendations during fiscal year 2005 as part of our 
fiscal years 2005 and 2004 financial audits. To report on the current 
status of the recommendations, we obtained the status of each 
recommendation and corrective action taken or planned as of April 2006, 
as reported to us by IRS. We then compared IRS's assessment to our 
fiscal year 2005 audit findings and noted any differences between IRS's 
and our conclusions regarding the status of each recommendation. 

In order to determine how these recommendations fit within IRS's 
management and internal control structure, we compared the open 
recommendations, and the issues that gave rise to them, to the control 
activities listed in GAO's Standards for Internal Control in the 
Federal Government and to the list of major factors and examples 
outlined in our Internal Control Management and Evaluation 
Tool.[Footnote 6] We also considered how the recommendations and the 
underlying issues were categorized in our prior reports, whether IRS 
had addressed in whole or in part the underlying control issues that 
gave rise to the recommendations, and other legal requirements and 
implementing guidance, such as OMB Circular No. A-123; FMFIA; and the 
Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6 
(revised June 2001). 

We conducted our review from December 2005 through May 2006 in 
accordance with U.S. generally accepted government auditing standards. 
We requested comments on a draft of this report from the Commissioner 
of Internal Revenue or his designee. We received written comments from 
the commissioner, which are reprinted in appendix II. 

IRS's Progress on Financial Management Recommendations: 

IRS continues to make progress on addressing its significant financial 
management challenges. Over the years since we first began auditing 
IRS's financial statements in fiscal year 1992, we have closed out over 
200 financial management-related recommendations we made based on 
actions IRS has taken to improve its internal controls and operational 
efficiency. This includes 34 recommendations we are closing in fiscal 
year 2006 based on actions IRS took during the period covered by our 
fiscal year 2005 financial audit. At the same time, however, our audits 
continue to identify significant internal control deficiencies, 
resulting in our making further recommendations for corrective action, 
including 22 new financial management-related recommendations resulting 
from our fiscal year 2005 financial audit. These internal control 
deficiencies, and the resulting recommendations, can directly be traced 
to the control activities in GAO's Standards for Internal Control in 
the Federal Government. As such, it is essential that they be fully 
addressed and resolved to strengthen IRS's overall financial management 
and to assist it in achieving its goals and mission. 

Status of Recommendations Based on the Fiscal Year 2005 Financial 
Statement Audit: 

In April 2005, we issued a report on the status of IRS's efforts to 
implement corrective actions to address financial management 
recommendations stemming from our fiscal year 2004 and prior year 
financial audits and other financial management-related work.[Footnote 
7] In that report, we identified 84 audit recommendations that at that 
time, remained open and thus required corrective action by IRS. A 
significant number of these recommendations had been open for several 
years, either because IRS had not taken corrective action or because 
the actions taken had not been effective in resolving the issues that 
gave rise to the recommendations. 

IRS continued to work to address many of the internal control 
deficiencies to which these open recommendations relate. In the course 
of performing our fiscal year 2005 financial audit, we identified 
numerous actions IRS took to address many of its internal control 
deficiencies. Based on IRS's actions, which we were able to 
substantiate through our audit, we are able to close 34 of these prior 
years' recommendations since we concluded that IRS's actions 
effectively addressed the issues that gave rise to them. IRS considers 
another 23 of the prior years' recommendations to be effectively 
addressed. However, we still consider them to be open either because we 
have not yet had time to verify the effectiveness of IRS's actions-- 
they occurred subsequent to completion of our audit testing and thus 
have not been verified, which is a prerequisite to our closing a 
recommendation--or because the actions taken did not fully address the 
issue that gave rise to the recommendation. 

However, continued efforts are needed by IRS to address its serious 
internal control weaknesses. While we are able to close 34 financial 
management recommendations made in prior years, this still leaves 50 
recommendations from prior years that remain open, a significant number 
of which have been outstanding for several years. In some cases, as 
mentioned, IRS may have effectively addressed the issues that gave rise 
to the recommendations subsequent to our fiscal year 2005 audit 
testing; however, in many cases, our fiscal year 2005 audit determined 
that the actions taken to date had not effectively addressed the 
underlying internal control issues. Additionally, during our fiscal 
year 2005 audit, we identified additional internal control issues that 
will require corrective action by IRS. In a recent management report to 
IRS,[Footnote 8] we discussed these internal control issues, and made 
22 new recommendations to IRS to address these new issues. 
Consequently, a total of 72 financial management-related 
recommendations are currently open and need to be addressed by IRS. Of 
these, we consider 64 to be short term and 8 to be long term.[Footnote 
9] 

Appendix I presents a listing of (1) recommendations we have made based 
on our financial audits and other financial management-related work 
that we have not previously reported as closed, (2) the status of each 
of these recommendations and corrective actions taken or planned as of 
April 2006 as reported to us by IRS, and (3) our analysis of whether 
the issues that gave rise to the recommendations have been effectively 
and fully addressed based on the work performed during our fiscal year 
2005 financial audit. The appendix lists the recommendations by the 
date on which the recommendation was made and by report number. 

Relation of Open Recommendations to IRS's Control Environment: 

An agency's overall internal control environment comprises the plans, 
methods, and procedures that are used to meet its mission, goals, and 
objectives and, in doing so, supports its performance-based management. 
Internal control also serves as the first line of defense in 
safeguarding an agency's assets and in preventing and detecting errors 
and mitigating the potential for fraud. Effective internal control 
assists program managers in achieving desired results through effective 
stewardship of public resources. 

Control activities, one of the five broad standards contained in GAO's 
Standards for Internal Control in the Federal Government, are the 
policies, procedures, techniques, and mechanisms that enforce 
management's directives. As such, they are an integral part of an 
entity's planning, implementing, reviewing, and accountability for 
stewardship of government resources and achievement of results. GAO's 
Standards for Internal Control in the Federal Government defines 11 
control activities. These control activities can be further grouped 
into three broad categories: 

* safeguarding of assets and security activities, including: 

* physical control over vulnerable assets, 

* segregation of duties, 

* controls over information processing, and: 

* access restrictions to and accountability for resources and records; 

* proper recording and documenting of transactions, including: 

* appropriate documentation of transactions and internal control, 

* accurate and timely reporting of transactions and events, and: 

* proper execution of transactions and events; and: 

* effective management review and oversight, including: 

* reviews by management at the functional or activity level, 

* establishment and review of performance measures and indicators, 

* management of human capital, and: 

* top level reviews of actual performance. 

Each of the open recommendations from our financial audits and 
financial management-related work, and the underlying issues that gave 
rise to them, can be traced back to the 11 control activities and their 
three broad categories. Table 1 presents a summary of the open 
recommendations, each tied back to the control activity to which it 
relates. 

Table 1: Summary Of Open Recommendations 

Control activity: Safeguarding of assets and security activities; 
Open at start of fiscal year 2005 audit: [Empty]; 
Closed during fiscal year 2005 audit: [Empty]; 
New from fiscal year 2005 audit: [Empty]; 
Total open recommendations: [Empty]; 
Percentage: 40. 

Control activity: Physical control over vulnerable assets; 
Open at start of fiscal year 2005 audit: 17; 
Closed during fiscal year 2005 audit: 9; 
New from fiscal year 2005 audit: 5; 
Total open recommendations: 13; 
Percentage: 18. 

Control activity: Segregation of duties; 
Open at start of fiscal year 2005 audit: 4; 
Closed during fiscal year 2005 audit: 1; 
New from fiscal year 2005 audit: 0; 
Total open recommendations: 3; 
Percentage: 4. 

Control activity: Controls over information processing; 
Open at start of fiscal year 2005 audit: 8; 
Closed during fiscal year 2005 audit: 2; 
New from fiscal year 2005 audit: 0; 
Total open recommendations: 6; 
Percentage: 8. 

Control activity: Access restrictions to and accountability for 
resources and records; 
Open at start of fiscal year 2005 audit: 4; 
Closed during fiscal year 2005 audit: 1; 
New from fiscal year 2005 audit: 4; 
Total open recommendations: 7; 
Percentage: 10. 

Control activity: Proper recording and documenting of transactions; 
Open at start of fiscal year 2005 audit: [Empty]; 
Closed during fiscal year 2005 audit: [Empty]; 
New from fiscal year 2005 audit: [Empty]; 
Total open recommendations: [Empty]; 
Percentage: 36. 

Control activity: Appropriate documentation of transactions and 
internal controls; 
Open at start of fiscal year 2005 audit: 16; 
Closed during fiscal year 2005 audit: 10; 
New from fiscal year 2005 audit: 5; 
Total open recommendations: 11; 
Percentage: 15. 

Control activity: Accurate and timely recording of transactions and 
events; 
Open at start of fiscal year 2005 audit: 13; 
Closed during fiscal year 2005 audit: 3; 
New from fiscal year 2005 audit: 4; 
Total open recommendations: 14; 
Percentage: 20. 

Control activity: Proper execution of transactions and events; 
Open at start of fiscal year 2005 audit: 1; 
Closed during fiscal year 2005 audit: 0; 
New from fiscal year 2005 audit: 0; 
Total open recommendations: 1; 
Percentage: 1. 

Control activity: Effective management review and oversight; 
Open at start of fiscal year 2005 audit: [Empty]; 
Closed during fiscal year 2005 audit: [Empty]; 
New from fiscal year 2005 audit: [Empty]; 
Total open recommendations: [Empty]; 
Percentage: 24. 

Control activity: Reviews by management at the functional or activity 
level; 
Open at start of fiscal year 2005 audit: 14; 
Closed during fiscal year 2005 audit: 6; 
New from fiscal year 2005 audit: 4; 
Total open recommendations: 12; 
Percentage: 17. 

Control activity: Establishment and review of performance measures and 
indicators; 
Open at start of fiscal year 2005 audit: 4; 
Closed during fiscal year 2005 audit: 0; 
New from fiscal year 2005 audit: 0; 
Total open recommendations: 4; 
Percentage: 6. 

Control activity: Management of human capital; 
Open at start of fiscal year 2005 audit: 3; 
Closed during fiscal year 2005 audit: 2; 
New from fiscal year 2005 audit: 0; 
Total open recommendations: 1; 
Percentage: 1. 

Control activity: Total; 
Open at start of fiscal year 2005 audit: 84; 
Closed during fiscal year 2005 audit: 34; 
New from fiscal year 2005 audit: 22; 
Total open recommendations: 72; 
Percentage: [Empty]. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

As table 1 indicates, many of IRS's open recommendations are tied to 
safeguarding and security issues. Specifically, 29 of the open 
recommendations, or 40 percent, relate to issues associated with IRS's 
lack of effective controls over safeguarding of assets and security 
activities. Another 26 recommendations, or 36 percent, relate to issues 
associated with IRS's inability to properly record and document 
transactions. The remaining 17 recommendations, or 24 percent, relate 
to issues associated with the lack of effective management review and 
oversight. 

Open Recommendations Grouped by Control Activity: 

Linking the open recommendations from our financial audits and other 
financial management-related work, and the issues that gave rise to 
them, to the internal control activities identified in GAO's Standards 
for Internal Control in the Federal Government provides insight 
regarding their significance to IRS's ability to effectively achieve 
the objectives associated with the control activities and, thus, to its 
overall mission and goals. 

On the following pages, we group the 72 open recommendations under the 
control activity to which the condition that gave rise to them most 
appropriately fits. We first define each control activity as presented 
in GAO's Standards for Internal Control in the Federal Government and 
briefly identify some of the key IRS operations that fall under that 
control activity. Although not comprehensive, the descriptions are 
intended to help explain why the control activity is important for IRS 
and thus why implementing the recommendations would strengthen 
management and controls that support those operations. For each 
recommendation, we also indicate whether it is a short-term or long- 
term recommendation. 

Safeguarding of Assets and Security Activities: 

Given IRS's mission, the sensitivity of the data it maintains, and its 
processing of trillions of dollars of tax receipts each year, one of 
the most important control activities at IRS is the safeguarding of 
assets. Internal control should be designed to provide reasonable 
assurance regarding prevention or prompt detection of unauthorized 
acquisition, use, or disposition of an agency's assets. We have grouped 
together the four control activities in GAO's Standards for Internal 
Control in the Federal Government that relate to safeguarding of assets 
(including tax receipts) and security activities (such as limiting 
access to only authorized personnel): (1) physical control over 
vulnerable assets, (2) segregation of duties, (3) controls over 
information processing, and (4) access restrictions to and 
accountability for resources and records. 

Physical Control over Vulnerable Assets: 

An agency must establish physical control to secure and safeguard 
vulnerable assets. Examples include security for and limited access to 
assets such as cash, securities, inventories, and equipment which might 
be vulnerable to risk of loss or unauthorized use. Such assets should 
be periodically counted and compared to control records. 

IRS is charged with collecting over $2 trillion in taxes each year, a 
significant amount of which is collected in the form of checks and cash 
accompanied by tax returns and related information. IRS collects taxes 
both at its own facilities as well as at lockbox banks that operate 
under contract with the Treasury Department's Financial Management 
Service (FMS) to provide processing services for certain taxpayer 
receipts for IRS. IRS acts as custodian for (1) the tax payments it 
receives until they are deposited in the General Fund of the U.S. 
Treasury and (2) the tax returns and related information it receives 
until they are either sent to the Federal Records Center or destroyed. 
IRS is also charged with controlling many other assets, such as 
computers and other equipment, but IRS's legal responsibility to 
safeguard tax returns and the confidential information taxpayers 
provide in tax returns makes the effectiveness of its internal controls 
with respect to physical security essential. 

IRS receives cash and checks mailed to its service centers or lockbox 
banks with accompanying tax returns and information or payment vouchers 
and payments made in person at one of its offices. While adequate 
physical safeguards over receipts should exist throughout the year, it 
is especially important during the peak tax filing season. Each year 
during the weeks preceding and shortly after April 15, an IRS service 
center campus (SCC) may receive and process daily over 100,000 pieces 
of mail containing returns, receipts, or both. The dollar value of 
receipts each service center processes increases to hundreds of 
millions of dollars a day during the April 15 time frame. 

Of our 72 open recommendations, the following 13 open recommendations 
are designed to improve IRS's physical controls over vulnerable assets. 
(See table 2.) 

Table 2: Recommendations To Improve Irs's Physical Controls Over 
Vulnerable Assets: 

ID. No.: 99-19; 
Recommendations: Ensure that walk-in payment receipts are recorded in a 
control log prior to depositing the receipts in the locked container 
and ensure that the control log information is reconciled to receipts 
prior to submission of the receipts to another unit for payment 
processing. To ensure proper segregation of duties, an employee not 
responsible for logging receipts in the control log should perform the 
reconciliation. (short-term). 

ID. No.: 03-32; 
Recommendations: Prohibit the storage of employees' personal belongings 
with cash payments and receipts at IRS's taxpayer assistance centers. 
(short-term). 

ID. No.: 04-07; 
Recommendations: Develop procedures to enhance adherence to existing 
instructions on safeguarding discovered remittances at SCCs. (short-
term). 

ID. No.: 04-08; 
Recommendations: Enforce its policies and procedures to ensure that SCC 
security guards respond to alarms. (short-term). 

ID. No.: 04-09; 
Recommendations: Establish compensating controls in the event that 
automated security systems malfunction, such as notifying guards and 
managers of the malfunction, and immediately deploying guards to better 
protect the processing center's perimeter. (short- term). 

ID. No.: 05-25; 
Recommendations: Formulate a policy to require that critical utility or 
security controls not be located in areas requiring frequent access. 
(short-term). 

ID. No.: 05-26; 
Recommendations: Require lockbox bank management to position closed-
circuit television cameras to enable monitoring of secured areas 
containing sensitive systems or controls. (short-term). 

ID. No.: 05-34; 
Recommendations: Establish a procedure for Small Business/Self-Employed 
(SB/SE) field office units to track Document Transmittal forms and 
acknowledgments of receipt of Document Transmittal forms. (short-term). 

ID. No.: 06-05; 
Recommendations: Equip all taxpayer assistance centers (TACs) with 
adequate physical security controls to deter and prevent unauthorized 
access to restricted areas or office space occupied by other IRS units, 
including those TACs that are not scheduled to be reconfigured to the 
"new TAC" model in the near future. This includes appropriately 
separating customer service waiting areas from restricted areas by 
physical barriers such as locked doors marked with signs barring 
entrance by unescorted customers. (short-term). 

ID. No.: 06-06; 
Recommendations: Connect duress alarms to a central monitoring station 
or local police department or institute appropriate compensating 
controls when these alarm systems are not operable or in place. (short-
term). 

ID. No.: 06-08; 
Recommendations: Enforce the requirement that all security or other 
responsible personnel at SCCs and lockbox banks record all instances 
involving the activation of intrusion alarms regardless of the 
circumstances that may have caused the activation. (short-term). 

ID. No.: 06-09; 
Recommendations: Reemphasize the need for the security guards at all 
TACs to ensure that key posts of duty, such as entrances to facilities, 
are not left unattended. (short-term). 

ID. No.: 06-15; 
Recommendations: Revise the physical security procedures contained in 
the IRM (Internal Revenue Manual) to require that all SCCs and any 
respective annex facilities processing taxpayer receipts and/or 
information perform and document monthly tests of the facility's 
intrusion detection alarms. At a minimum, these procedures should (1) 
outline the type of test to be conducted, (2) include criteria for 
assessing whether the controls used to respond to the alarm were 
effective, and (3) require that a logbook be maintained to document the 
test dates, results, and response information. (short- term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Segregation of Duties: 

Key duties and responsibilities need to be divided or segregated among 
different people to reduce the risk of error or fraud. This should 
include separating the responsibilities for authorizing transactions, 
processing and recording them, reviewing the transactions, and handling 
any related assets. No one individual should control all key aspects of 
a transaction or event. 

IRS employees are responsible for processing trillions of dollars of 
tax receipts each year, of which hundreds of billions are received in 
the form of cash or checks,[Footnote 10] and for processing hundreds of 
billions of dollars in refunds to taxpayers. Consequently, it is 
critical that IRS maintain appropriate separation of duties to allow 
for adequate oversight of staff and protection of these vulnerable 
resources so that no single individual would be in a position of both 
causing an error or irregularity and then concealing it. For example, 
when an IRS field office or lockbox bank receives taxpayer receipts and 
returns, it is responsible for depositing the cash and checks in a 
depository institution and forwarding the related information received 
to an SCC for further processing. In order to adequately safeguard 
receipts from theft, the person responsible for recording the 
information from the taxpayer receipts on a voucher should be different 
from the individual who prepares those receipts for transmittal to the 
SCC for further processing. 

The following three open recommendations would help IRS improve its 
separation of duties, which will in turn strengthen its controls over 
both tax receipts and refunds. (See table 3.) 

Table 3: Recommendations To Improve Irs's Segregation Of Duties: 

ID. No.: 02-16; 
Recommendations: Ensure that field office management comply with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments. (short-
term). 

ID. No.: 05-32; 
Recommendations: Establish policies and procedures to require 
appropriate segregation of duties in SB/SE units of field offices with 
respect to preparation of Payment Posting Vouchers, Document 
Transmittal forms, and transmittal packages. (short-term). 

ID. No.: 05-41; 
Recommendations: Specify in the IRM that staff members are not to 
review their own command code profiles. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Controls over Information Processing: 

A variety of control activities are used in information processing. 
Examples include edit checks of data entered, accounting for 
transactions in numerical sequences, and comparing file totals with 
control totals. There are two broad groupings of information systems 
control--general control (for hardware such as mainframe, network, end- 
user environments) and application control (processing of data within 
the application software). General controls include entitywide security 
program planning, management, and backup recovery procedures, and 
contingency and disaster planning. Application controls are designed to 
help ensure completeness, accuracy, authorization, and validity of all 
transactions during application processing. 

IRS relies extensively on computerized systems to support its financial 
and mission-related operations. To efficiently fulfill its tax 
processing responsibilities, IRS relies extensively on interconnected 
networks of computer systems to perform various functions, such as 
collecting and storing taxpayer data, processing tax returns, 
calculating interest and penalties, generating refunds, and providing 
customer service. 

As part of our annual audits of IRS's financial statements, we assess 
the effectiveness of IRS's information security controls[Footnote 11] 
over key financial systems, data, and interconnected networks at IRS's 
critical data processing facilities that support the processing, 
storage, and transmission of sensitive financial and taxpayer data. 
From that effort, we have identified over the years information 
security control weaknesses that impair IRS's ability to ensure the 
confidentiality, integrity, and availability of its sensitive financial 
and taxpayer data. As of March 2006, there were 45 open recommendations 
from our information security work designed to improve IRS's 
information security controls.[Footnote 12] Recommendations resulting 
from our information security work are reported separately and are not 
included in this report primarily because of the sensitive nature of 
some of these issues. 

However, the following six open recommendations are related to systems 
limitations and IRS's need to review and resolve various exception 
reports that its systems generate. (See table 4.) We included reviews 
of exception reports in this control activity since they help ensure 
the integrity of IRS's automated data.[Footnote 13] 

Table 4: Recommendations To Improve Irs's Controls Over Information 
Processing: 

ID. No.: 02-18; 
Recommendations: Work with the National Finance Center (NFC) to resolve 
the technical limitations that exist within the Secure Entry and 
Tracking System (SETS) database and continue to periodically review 
SETS data to detect and correct errors. (short-term). 

ID. No.: 05-03; 
Recommendations: Research and resolve the current backlog of unresolved 
unmatched exception reports. (short-term). 

ID. No.: 05-04; 
Recommendations: Research and resolve unmatched exception reports 
weekly. (short-term). 

ID. No.: 05-06; 
Recommendations: Research and resolve the current backlog of unresolved 
manual interest or penalties reports. (short- term). 

ID. No.: 05-07; 
Recommendations: Research and resolve exception reports containing 
liens with manually calculated interest or penalties weekly, as called 
for in the IRM and the ALS[A] User Guide. (short-term). 

ID. No.: 05-09; 
Recommendations: Improve the current unmatched exception report by 
including a cumulative list of all unmatched taxpayer accounts that 
have not been resolved to date. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[A] ALS stands for Automated Lien System. 

[End of table] 

Access Restrictions to and Accountability for Resources and Records: 

Access to resources and records should be limited to authorized 
individuals, and accountability for their custody and use should be 
assigned and maintained. Periodic comparison of resources with the 
recorded accountability should be made to help reduce the risk of 
errors, fraud, misuse, or unauthorized alteration. 

Because IRS deals with a large volume of cash and checks, it is 
imperative that it maintain strong controls over who has access to 
those assets, the records that track those assets, and sensitive 
taxpayer information. Although IRS has a number of both physical and 
information system controls in place, some of the issues we have 
identified in our financial audits over the years pertain to ensuring 
that those with direct access to these cash and checks are 
appropriately vetted before being granted access to taxpayer receipts 
and information and to ensuring that IRS maintains effective access 
security control. 

The following seven open recommendations would help IRS improve its 
access restrictions to assets and records. (See table 5.) 

Table 5: Recommendations To Improve Irs's Access Restrictions To And 
Accountability For Resources And Records: 

ID. No.: 03-29; 
Recommendations: Confirm with FMS that IRS's requirements for 
background and fingerprint checks for courier services are met 
regardless of whether IRS or FMS negotiates the service agreement. 
(short-term). 

ID. No.: 05-11; 
Recommendations: Enforce adherence to existing instructions on 
safeguarding taxpayer receipts and information, such as securing access 
and candling procedures, at SCCs selected for significant reductions in 
their submission processing functions. (short-term). 

ID. No.: 05-13; 
Recommendations: Enforce its existing requirement that appropriate 
background investigations be completed for contractors before they are 
granted staff-like access to service centers. (short- term). 

ID. No.: 06-16; 
Recommendations: Amend its policy to require that a completed form 
13094 with a positive recommendation be provided for every juvenile 
hired to any position that will allow access to taxpayer receipts 
and/or taxpayer information. (short-term). 

ID. No.: 06-17; 
Recommendations: Require IRS personnel to verify the information on the 
form 13094 by contacting the reference directly. (short-term). 

ID. No.: 06-18; 
Recommendations: Revise the form 13094 to require the reference to 
describe his/her relationship with the juvenile, including extent of 
firsthand contact, to allow IRS to review the forms and assess whether 
the referencer has sufficient basis to recommend that juvenile to a 
position of trust. (short-term). 

ID. No.: 06-19; 
Recommendations: Establish procedures for hiring juveniles who do not 
have a current teacher, principal, counselor, employer or former 
employer, and clarify that IRS's current policies and procedures should 
not be interpreted to mean that such juveniles should be allowed access 
to taxpayer receipts and information without a form 13094 or its 
equivalent. These procedures could include a list of acceptable 
alternatives that may serve as references for juveniles who do not have 
a current teacher, principal or guidance counselor. (short- term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Proper Recording and Documenting of Transactions: 

One of the largest obstacles continuing to face IRS management is the 
agency's lack of an integrated financial management system capable of 
producing the accurate, useful, and timely information IRS managers 
need to assist in making day-to-day decisions. While progress is being 
made to modernize its financial management capabilities, IRS 
nonetheless continues to face many of the pervasive internal control 
weaknesses that we have reported each year since we began auditing its 
financial statements in fiscal year 1992, many of which are related to 
its long-standing systems deficiencies. 

However, IRS also has a number of internal control issues that relate 
to recording transactions, documenting events, and tracking the 
processing of taxpayer receipts or information, which do not depend 
upon improvements in information systems. 

We have grouped three control activities together that relate to proper 
recording and documenting of transactions: (1) appropriate 
documentation of transactions and internal controls, (2) accurate and 
timely recording of transactions and events, and (3) proper execution 
of transactions and events. 

Appropriate Documentation of Transactions and Internal Control: 

Internal control and all transactions and other significant events need 
to be clearly documented, and the documentation should be readily 
available for examination. The documentation should appear in 
management directives, administrative policies, or operating manuals 
and may be in paper or electronic form. All documentation and records 
should be properly managed and maintained. 

IRS collects and processes trillions of dollars in taxpayer receipts 
annually both at its own facilities and at lockbox banks under contract 
to process taxpayer receipts for the federal government. Therefore, it 
is important that IRS maintain appropriate assurance that all documents 
and records are properly managed and maintained both at its facilities 
and at the lockbox banks. 

The following 11 open recommendations would assist IRS in improving its 
documentation of transactions and internal control procedures. (See 
table 6.) 

Table 6: [RECOMMENDATIONS TO IMPROVE IRS'S DOCUMENTATION OF 
TRANSACTIONS AND INTERNAL CONTROL] 

ID. No.: 04-03; 
Recommendations: Develop procedures to require lockbox managers to 
provide satisfactory evidence that managerial reviews are performed in 
accordance with established guidelines. At a minimum, reviewers should 
sign and date the reviewed documents and provide any comments that may 
be appropriate in the event their reviews identified problems or raised 
questions. (short-term). 

ID. No.: 05-12; 
Recommendations: Document a methodology for estimating anticipated 
rapid changes in mail volume at future SCCs selected for significant 
reductions in their submission processing functions, taking into 
consideration factors such as the prior rampdown experience at 
Brookhaven. (short-term). 

ID. No.: 05-14; 
Recommendations: Require that background investigation results for 
contractors (or evidence thereof) be on file where necessary, including 
at contractor work sites and security offices responsible for 
controlling access to sites containing taxpayer receipts and 
information. (short-term). 

ID. No.: 05-35; 
Recommendations: Require evidence of managerial review of recording, 
transmittal, and receipt of acknowledgments of taxpayer receipts and 
information. (short-term). 

ID. No.: 05-39; 
Recommendations: Enforce requirements for documenting monitoring 
actions and supervisory review. (short-term). 

ID. No.: 05-42; 
Recommendations: Specify in the IRM how to properly verify interest and 
penalties for accounts with liens with manually calculated interest or 
penalties. (short-term). 

ID. No.: 06-01; 
Recommendations: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing. (short-term). 

ID. No.: 06-02; 
Recommendations: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including SCCs, TACs, and units within IRS's Large 
and Mid-sized Business (LMSB) and Tax Exempt and Government Entity 
(TE/GE), establish a system to track acknowledged copies of document 
transmittals. (short-term). 

ID. No.: 06-03; 
Recommendations: Provide instructions to document the follow-up 
procedures performed in those cases where transmittals have not been 
timely acknowledged. (short-term). 

ID. No.: 06-04; 
Recommendations: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines. (short-term). 

ID. No.: 06-07; 
Recommendations: Document supervisory visits by offsite managers to 
TACS not having a manager permanently onsite. This documentation should 
be signed by the manager and should (1) record the time and date of the 
visit, (2) identify the manager performing the visit, (3) indicate the 
tasks performed during the visit, (4) note any problems identified, and 
(5) describe corrective actions planned. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Accurate and Timely Recording of Transactions and Events: 

Transactions should be promptly recorded to maintain their relevance 
and value to management in controlling operations and making decisions. 
This applies to the entire process or life cycle of a transaction or 
event from the initiation and authorization through its final 
classification in summary records. In addition, control activities help 
to ensure that all transactions are completely and accurately recorded. 

IRS is responsible for maintaining taxpayer records for tens of 
millions of taxpayers in addition to maintaining its own financial 
records. To carry out this responsibility, IRS often has to rely on 
outdated computer systems or manual work-arounds. Unfortunately, some 
of IRS's recordkeeping difficulties we have reported on over the years 
will not be addressed until it can replace its aging systems, which is 
a long-term effort and is dependent on future funding. 

The following 14 open recommendations would strengthen IRS's 
recordkeeping abilities. (See table 7.) They include some specific 
recommendations regarding requirements for new systems for maintaining 
taxpayer records. Several of the recommendations listed affect 
financial reporting processes, such as subsidiary records and 
appropriate allocation of costs. Some of the issues that gave rise to 
certain of our recommendations directly affect taxpayers, such as those 
involving duplicate assessments, errors in calculating and reporting 
manual interest, and recovery of trust fund penalty assessments. Half 
of these recommendations are almost over 5 years old and 1 is over 10 
years old, reflecting the long-term nature of the resolution of some of 
these issues. 

Table 7: Recommendations To Improve Irs's Accurate And Timely Recording 
Of Transactions And Events: 

ID. No.: 94-2; 
Recommendations: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts, and 
test the effectiveness of these actions. (short- term). 

ID. No.: 99-1; 
Recommendations: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure all accounts 
related to a single assessment are appropriately credited for payments 
received. (short-term). 

ID. No.: 99-3; 
Recommendations: Ensure that IRS's modernization blueprint includes 
developing a subsidiary ledger to accurately and promptly identify, 
classify, track, and report all IRS unpaid assessments by amount and 
taxpayer. This subsidiary ledger must also have the capability to 
distinguish unpaid assessments by category in order to identify those 
assessments that represent taxes receivable versus compliance 
assessments and write-offs. In cases involving trust fund recovery 
penalties, the subsidiary ledger should ensure that (1) the trust fund 
recovery penalty assessment is appropriately tracked for all taxpayers 
liable but counted only once for reporting purposes and (2) all 
payments made are properly credited to the accounts of all individuals 
assessed for the liability. (short-term). 

ID. No.: 99-20; 
Recommendations: Analyze and determine the factors causing delays in 
processing and posting trust fund recovery penalty assessments. Once 
these factors have been determined, IRS should develop procedures to 
reduce the impact of these factors and to ensure timely posting to all 
applicable accounts and proper offsetting of refunds against unpaid 
assessments before issuance. (short-term). 

ID. No.: 99-36; 
Recommendations: Make enhancements to IRS financial systems to include 
recording P&E and capital leases as assets when purchased and to 
generate detailed records for P&E that reconcile to the financial 
records. (long-term). 

ID. No.: 01-17; 
Recommendations: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur. (long-term). 

ID. No.: 01-39; 
Recommendations: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities. (long- term). 

ID. No.: 02-08; 
Recommendations: Implement policies and procedures to require that all 
employees itemize on their time cards the time spent on specific 
projects. (long-term). 

ID. No.: 02-09; 
Recommendations: Implement policies and procedures to allocate 
nonpersonnel costs to programs and activities on a routine basis 
throughout the year. (long-term). 

ID. No.: 05-36; 
Recommendations: Assess options to prevent the generation or 
disbursement of refunds associated with accounts with unresolved 
Automated Under Reporter (AUR) discrepancies, including placement of a 
freeze or hold on all such accounts, until the AUR review has been 
completed. (short-term). 

ID. No.: 06-12; 
Recommendations: Enforce its existing policies and procedures at 
lockbox banks to ensure that all remittances of $50,000 or more are 
processed immediately and deposited at the first available opportunity. 
(short-term). 

ID. No.: 06-20; 
Recommendations: To assure proper accounting treatment of expense and 
P&E transactions and reliable financial reporting, we recommend that 
IRS enforce its property and equipment capitalization policy to ensure 
that it is properly implemented to fully achieve management's 
objectives, including recognizing assets when its capitalization 
criteria is met and recognizing expenses when it is not. (short-term). 

ID. No.: 06-21; 
Recommendations: Generate aging reports when an asset remains in 
pending disposal status for longer than a specified period of time. 
(short-term). 

ID. No.: 06-22; 
Recommendations: Direct Facilities Management Branch managers to 
research and resolve the aging reports. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Proper Execution of Transactions and Events: 

Transactions and other significant events should be authorized and 
executed only by persons acting within the scope of their authority. 
This is the principal means of assuring that only valid transactions to 
exchange, transfer, use, or commit resources and other events are 
initiated or entered into. Authorizations should be clearly 
communicated to managers and employees. 

IRS employs tens of thousands of people in its 10 SCCs, three computing 
centers, and numerous field offices throughout the United States. In 
addition, the number of staff increases significantly during the peak 
of the tax filing season. Because of the tremendous number of personnel 
involved, IRS must maintain effective control over which employees are 
authorized to either view or change sensitive taxpayer data. IRS's 
ability to establish access rights and permissions for information 
systems is a critical control. 

Each year, IRS pays out hundreds of billions of dollars in tax refunds, 
some of which are distributed to taxpayers manually.[Footnote 14] IRS 
requires that all manual refunds be approved by officials who are 
designated by managers. However, weaknesses in the authorization of 
such approving officials expose the federal government to losses 
because of the issuance of improper refunds. The following open 
recommendation would improve IRS's controls over its manual refund 
transactions. (See table 8.) 

Table 8: Recommendation To Improve Irs's Execution Of Transactions And 
Events: 

ID. No.: 05-37; 
Recommendation: Enforce documentation requirements relating to 
authorizing officials charged with approving manual refunds. (short-
term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Effective Management Review and Oversight: 

All personnel within IRS have an important role in making internal 
controls work, but the responsibility for good internal control rests 
with IRS's managers. Management sets the objectives, puts the control 
mechanisms and activities in place, and monitors and evaluates the 
controls. Without effective monitoring by managers, internal control 
activities may not be conducted on a consistent and timely basis. 

We have grouped three control activities together related to effective 
management review and oversight: (1) reviews by management at the 
functional or activity level, (2) establishment and review of 
performance measures and indicators, and (3) management of human 
capital. Although we also include the control activity "top level 
reviews of actual performance" in this grouping, we do not have any 
open recommendations to IRS related to this internal control activity. 

Reviews by Management at the Functional or Activity Level: 

Managers need to compare actual performance to planned or expected 
results throughout the organization and analyze significant 
differences. 

IRS has over 80,000 full-time employees and hires over 10,000 seasonal 
personnel to assist during the tax filing season. In addition, as 
discussed earlier, IRS contracts with banks to process tens of 
thousands of individual receipts, totaling hundreds of billions of 
dollars. At any organization, management oversight of operations is 
important, but with an organization as vast in scope as the IRS, 
management oversight is imperative. 

The following 12 open recommendations would improve IRS's management 
oversight. (See table 9.) In general, these recommendations were made 
to correct instances where an internal control activity either does not 
exist or where an established control is not being adequately or 
consistently applied. The majority of these recommendations emphasize 
improvements needed to IRS's oversight of lockbox banks and contracted 
courier programs in order to ensure appropriate physical control over 
vulnerable assets, such as taxpayer receipts. 

Table 9: Recommendations To Improve Irs's Reviews By Management At The 
Functional Or Activity Level: 

ID. No.: 99-22; 
Recommendations: Expand IRS's current review of service center 
deterrent controls to include similar analyses of controls at IRS field 
offices in areas such as courier security, safeguarding of receipts in 
locked containers, requirements for fingerprinting employees, and 
requirements for promptly over-stamping checks made out to the "IRS" 
with "Internal Revenue Service" or "United States Treasury." Based on 
the results, IRS should make appropriate changes to strengthen its 
physical security controls. (short-term). 

ID. No.: 01-06; 
Recommendations: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues. (short-term). 

ID. No.: 03-15; 
Recommendations: Require lockbox management to ensure that envelopes 
are properly candled and that IRS takes steps to monitor adherence to 
this requirement. (short-term). 

ID. No.: 05-22; 
Recommendations: Provide a written reminder to courier contractors of 
the need to adhere to all courier service procedures. (short-term). 

ID. No.: 05-23; 
Recommendations: Periodically verify that contractors entrusted with 
taxpayer receipts and information off-site adhere to IRS procedures. 
(short-term). 

ID. No.: 05-33; 
Recommendations: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information. (short-term). 

ID. No.: 05-38; 
Recommendations: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts. (short-term). 

ID. No.: 05-40; 
Recommendations: Enforce the requirement that command code profiles be 
reviewed at least once annually. (short-term). 

ID. No.: 06-10; 
Recommendations: Revise the lockbox bank's security review checklist to 
ensure that it encompasses reviewing security incident reports to 
validate whether security personnel are providing corrective actions 
related to the incidents cited. (short-term). 

ID. No.: 06-11; 
Recommendations: Refine the scope and nature of IRS's periodic reviews 
of candling processes at SCCs to ensure they (1) encompass tests of 
whether envelopes are properly candled through observation of candling 
in process and inquiry of employees who perform initial and final 
candling and (2) document the nature and scope of the test and 
observation results. (short-term). 

ID. No.: 06-13; 
Recommendations: Refine the scope and nature of IRS's periodic reviews 
of lockbox banks to include high-dollar remittances to better monitor 
adherence to the requirement that they are processed immediately and 
deposited at the first available opportunity. (short- term). 

ID. No.: 06-14; 
Recommendations: Refine the scope and nature of IRS's periodic security 
reviews to encompass (1) testing the effectiveness of controls intended 
to ensure that only individuals with proper credentials are permitted 
access to SCCs and lockbox banks and (2) reviewing the integrity of 
perimeter security at SCCs. (short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Establishment and Review of Performance Measures and Indicators: 

Activities need to be established to monitor performance measures and 
indicators. These controls could call for comparisons and assessments 
relating different sets of data to one another so that analyses of the 
relationships can be made and appropriate actions taken. Controls 
should also be aimed at validating the propriety and integrity of both 
organizational and individual performance measures and indicators. 

IRS's operations include a vast array of activities encompassing 
taxpayer education, processing of taxpayer receipts and data, 
disbursing hundreds of billions of dollars in refunds to millions of 
taxpayers, maintaining extensive information on tens of millions of 
taxpayers, and seeking collection from individuals and businesses that 
fail to comply with the nation's tax laws. Within its compliance 
function, IRS has numerous activities, including identifying businesses 
and individuals that underreport income, collecting from taxpayers that 
do not pay, and collecting from those receiving refunds for which they 
are not eligible. Although IRS has at its peak over 90,000 employees, 
it still faces resource constraints in attempting to fulfill its 
duties. Because of this, it is vitally important for IRS to have sound 
performance measures to assist it in assessing its performance and 
targeting its resources in a manner that maximizes the government's 
return on investment. 

However, in past audits we have reported that IRS did not capture cost 
at the program or activity level to assist in developing cost-based 
performance measures for its various programs and activities. As a 
result, IRS is unable to measure the costs and benefits of its various 
collection and enforcement efforts to best target its available 
resources. Additionally, we have reported that IRS's controls over its 
reporting of interim performance measurement data were not effective 
throughout the year because the data reported at interim periods for 
certain performance measures were either not accurate or were outdated. 

The following four open recommendations are designed to assist IRS in 
evaluating its operations, determining which activities are the most 
beneficial, and establishing a good system for oversight. (See table 
10.) These recommendations call for IRS to measure, track, and evaluate 
the cost, benefits, or outcomes of its operations--particularly with 
regard to identifying its most effective tax collection activities. 

Table 10: Recommendations To Improve Irs's Establishment And Review Of 
Performance Measures And Indicators: 

ID. No.: 99-29; 
Recommendations: Develop the data to support meaningful cost 
information categories and cost-based performance measures. (long- 
term). 

ID. No.: 01-04; 
Recommendations: As an alternative to prematurely suspending active 
collection efforts, and using the best available information, develop 
reliable cost-benefit data relating to collection efforts for cases 
with some collection potential. These cost-benefit data would include 
the full cost associated with the increased collection activity (i.e., 
salaries, benefits, and administrative support) as well as the expected 
additional tax collections generated. (long-term). 

ID. No.: 01-12; 
Recommendations: For (1) IRS's AUR and Combined Annual Wage Reporting 
programs, (2) screening and examination of Earned Income Tax Credit 
(EITC) claims, and (3) identifying and collecting previously disbursed 
improper refunds, use the best available information to develop 
reliable cost-benefit data to estimate the tax revenue collected by, 
and the amount of improper refunds returned to, IRS for each dollar 
spent pursuing these outstanding amounts. These data would include (1) 
an estimate of the full cost incurred by IRS in performing each of 
these efforts, including the salaries and benefits of all staff 
involved, as well as any related nonpersonnel costs, such as supplies 
and utilities, and (2) the actual amount (a) collected on tax amounts 
assessed and (b) recovered on improper refunds disbursed. (long-term). 

ID. No.: 04-15; 
Recommendations: Until the Business Performance Management System 
(BPMS) is fully operational, implement procedures to ensure that all 
performance data reported in the Monthly Summary of Performance (MSP) 
report are subject to effective, documented reviews to provide 
reasonable assurance that the data are current at interim periods. 
(short-term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Management of Human Capital: 

Effective management of an organization's workforce--its human capital-
-is essential to achieving results and an important part of internal 
control. Management should view human capital as an asset rather than a 
cost. Only when the right personnel for the job are on board and are 
provided the right training, tools, structure, incentives, and 
responsibilities is operational success possible. Management should 
ensure that skill needs are continually assessed and that the 
organization is able to obtain a workforce that has the required skills 
that match those necessary to achieve organizational goals. Training 
should be aimed at developing and retaining employee skill levels to 
meet changing organizational needs. Qualified and continuous 
supervision should be provided to ensure that internal control 
objectives are achieved. Performance evaluation and feedback, 
supplemented by an effective reward system, should be designed to help 
employees understand the connection between their performance and the 
organization's success. As a part of its human capital planning, 
management should also consider how best to retain valuable employees, 
plan for their eventual succession, and ensure continuity of needed 
skills and abilities. 

IRS's operations cover a wide range of technical competencies with 
specific expertise needed in tax-related matters; financial management; 
and systems design, development, and maintenance. Because IRS has tens 
of thousands of employees spread throughout the country, management's 
responsibility to keep its guidance up-to-date and its staff properly 
trained is imperative. 

The following open recommendation would assist IRS in its management of 
human capital in its financial operations. (See table 11.) The 
recommendation is over 5 years old and may be resolved through IRS's 
business systems modernization efforts. 

Table 11: Recommendation To Improve Irs's Management Of Human Capital: 

ID. No.: 99-25; 
Recommendation: Ensure that additional staff are employed or existing 
staff appropriately cross-trained to be able to perform the master file 
extractions and other ad hoc procedures needed for IRS to continually 
develop reliable balances for financial reporting purposes. (short-
term). 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Concluding Observations: 

Increased budgetary pressures and an increased public awareness of the 
importance of internal control require IRS to operate more efficiently 
and more effectively in its mission while protecting taxpayers and 
their information. 

Sound financial management and effective internal controls can assist 
IRS in achieving its goals. IRS has made substantial progress in 
improving its financial management since its first financial audit, as 
evidenced by consecutive clean audit opinions on its financial 
statements for the past 6 years, resolution of several material 
internal control weaknesses, and the closing of hundreds of financial 
management recommendations. This progress has been the result of hard 
work and commitment at the top. Nonetheless, more needs to be done to 
fully address the financial management challenges the agency faces. 
Efforts must continue to address the internal control deficiencies that 
continue to exist. Effective implementation of the recommendations we 
have made and continue to make through our financial audits and related 
work could greatly assist IRS in improving its internal controls and 
achieving sound financial management. 

Agency Comments and Our Evaluation: 

In commenting on a draft of this report, IRS expressed its appreciation 
that we acknowledged the progress the agency has made in addressing its 
financial management challenges, and noted that our mapping of its 
remaining recommendations to specific internal control activities and 
grouping them into three broad categories will facilitate its strategy 
to address the remaining financial management issues. IRS also 
highlighted its efforts to further improve its internal controls over 
hard-copy tax receipts, noting that its plan to address these issues 
now includes comprehensive actions to address our remaining 
recommendations covering lockbox banks, submission processing campuses, 
taxpayer assistance centers, and field offices. We will review the 
effectiveness of these corrective actions and the status of IRS's 
progress in addressing all open recommendations as part of our fiscal 
year 2006 IRS financial statement audit. 

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of the Senate Committee on Appropriations; Senate 
Committee on Finance; Senate Committee on Homeland Security and 
Governmental Affairs; and Subcommittee on Taxation and IRS Oversight, 
Senate Committee on Finance. We are also sending copies to the Chairmen 
and Ranking Minority Members of the House Committee on Appropriations; 
House Committee on Ways and Means; Chairman and Vice Chairman of the 
Joint Committee on Taxation, the Secretary of the Treasury, the 
Director of the Office of Management and Budget, the Chairman of the 
IRS Oversight Board, and other interested parties. Copies will be made 
available to others upon request. In addition, the report will be 
available at no charge on GAO's Web site at http://www.gao.gov. 

If you have any questions concerning this report, please contact me at 
(202) 512-3406 or sebastians@gao.gov. Contact points for our Offices of 
Congressional Relations and Public Affairs can be found on the last 
page of this report. GAO staff who made major contributions to this 
report are listed in appendix III. 

Sincerely yours, 

Signed by: 

Steven J. Sebastian: 
Director Financial Management and Assurance: 

[End of section] 

Appendix I Status of GAO Recommendations from IRS Financial Audits and 
Related Management Reports: 

Count: 1; 
ID. No.: 94-2; 
Recommendation: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts, and 
test the effectiveness of these actions. (short-term); 
Source report: Financial Management: Important IRS Revenue Information 
Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993); 
Per IRS: Open. The five errors identified in the FY05 Financial 
Statement Audit were resolved. The Complex Interest Quality Measurement 
System (CIQMS) staff assisted GAO with their sample review for the FY06 
Audit. Once GAO completes their audit, CIQMS will continue to provide 
assistance as subject matter experts; 
Per GAO: Open. In testing a statistical sample of 45 manual interest 
transactions recorded during fiscal year 2005, we found five errors 
relating to the calculation and recording of manually calculated 
interest. We estimate that 11 percent of IRS's manual interest 
population contains errors and concluded that IRS controls over this 
area remain ineffective. We will continue to test the accuracy of IRS's 
manual interest calculations during our fiscal year 2006 financial 
audit. 

Count: 2; 
ID. No.: 99-1; 
Recommendation: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure all accounts 
related to a single assessment are appropriately credited for payments 
received. (short-term); 
Source report: Internal Revenue Service: Immediate and Long-Term 
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 
30, 1998); 
Per IRS: Open. IRS has taken several actions to strengthen controls and 
correct programming or procedural deficiencies in the cross referencing 
of payments. To ensure quality, timeliness, and accuracy of the Trust 
Fund Recovery Penalty (TFRP) process, the IRS initiated a quality 
review process that focused in two primary areas. The first being 
consolidation of all TFRP work to one campus. Consolidation of all 
SB/SE Automated Trust Fund Recovery (ATFR) work to the Ogden campus was 
completed in September 2005. All Wage & Investment (W&I) business unit 
TFRP work was transferred to SB/SE Campuses as of January 2006. The 
second area IRS undertook was the task of rewriting the ATFR area 
office user component to provide system flexibility that better 
replicates the realities of the current trust fund investigation/ 
proposal process. The enhanced rewrite has been delivered and is in 
production testing. Training is scheduled to begin in June 2006 with a 
complete nationwide deployment by the end of fiscal year 2006. IRS 
continues to monitor the accuracy and effectiveness of the TFRP process 
and all corrective actions already in place; 
Per GAO: Open. We recognize automation of the current TFRP program is 
much needed. However, IRS's efforts to date have not been effective. In 
fiscal year 2005, we reviewed a statistical sample of 80 TFRP payments 
made on accounts established since August 2001. We found six instances 
in which IRS did not properly record the payment to all related 
taxpayer accounts. We estimate that 7.5 percent of these payments may 
not be properly recorded. We will continue to review IRS's initiatives 
to improve posting of TFRP cases and test TFRP cases for proper 
postings to all related accounts as part of our fiscal year 2006 
financial audit. 

Count: 3; 
ID. No.: 99-3; 
Recommendation: Ensure that IRS's modernization blueprint includes 
developing a subsidiary ledger to accurately and promptly identify, 
classify, track, and report all IRS unpaid assessments by amount and 
taxpayer. This subsidiary ledger must also have the capability to 
distinguish unpaid assessments by category in order to identify those 
assessments that represent taxes receivable versus compliance 
assessments and write-offs. In cases involving trust fund recovery 
penalties, the subsidiary ledger should ensure that (1) the trust fund 
recovery penalty assessment is appropriately tracked for all taxpayers 
liable but counted only once for reporting purposes and (2) all 
payments made are properly credited to the accounts of all individuals 
assessed for the liability. (short-term); 
Source report: Internal Revenue Service: Immediate and Long-Term 
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 
30, 1998); 
Per IRS: Open. The Custodial Accounting Project (CAP) has been canceled 
due to budget constraints. The IRS chief financial officer (CFO) has 
developed a TFRP database that can establish the links and identify 
problems to more accurately report a single balance due for these 
assessments and determine areas for improvement in the TFRP program. 
The TFRP database is the first Release of the Financial Management 
Information System's (FMIS) enhancement to the Custodial Detail Data 
Base (CDDB) that has been proposed to enable the IRS CFO to address 
many of the outstanding financial management recommendations. FMIS/CDDB 
Release 1, TFRP database will be tested and fully implemented in 2006. 
Further releases of FMIS/CDDB functionality are contingent on future 
funding levels; 
Per GAO: Open. We will continue to monitor IRS's development of an 
alternative strategy for CAP, as well as its implementation of the new 
FMIS/CDDB. If IRS implements CDDB Release 1 for fiscal year 2006, we 
will perform tests of these data as part of our fiscal year 2006 audit. 

Count: 4; 
ID. No.: 99-17; 
Recommendation: Ensure that all returned refund checks are stamped 
"nonnegotiable" as soon as they are extracted. (short-term); 
Source report: Internal Revenue Service: Physical Security Over 
Taxpayer Receipts and Data Needs Improvement (GAO/AIMD-99-15, Nov. 30, 
1998); 
Per IRS: Closed. A memorandum is issued to Submission Processing (SP) 
Field Directors prior to filing season reinforcing the importance of 
ensuring SP procedures and policies regarding overstamping of returned 
refund checks are followed. In addition, this requirement is part of 
the Campus Monthly Security Reviews. All findings are shared with SP 
Field Directors. Local management continues to remind employees of the 
importance of overstamping returned refund checks on a regular basis 
through individual and group meetings to ensure compliance with the 
Internal Revenue Manual (IRM) and security requirements; 
Per GAO: Closed. During our fiscal year 2005 audit, we found no 
instances where returned refund checks were not stamped "nonnegotiable" 
upon extraction at the four SCCs we visited. 

Count: 5; 
ID. No.: 99-19; 
Recommendation: Ensure that walk-in payment receipts are recorded in a 
control log prior to depositing the receipts in the locked container 
and ensure that the control log information is reconciled to receipts 
prior to submission of the receipts to another unit for payment 
processing. To ensure proper segregation of duties, an employee not 
responsible for logging receipts in the control log should perform the 
reconciliation. (short-term); 
Source report: Internal Revenue Service: Physical Security Over 
Taxpayer Receipts and Data Needs Improvement (GAO/AIMD-99-15, Nov. 30, 
1998); 
Per IRS: Open. IRM 21.3.4.7 was updated in October 2005 to require 
employees to record payments on Form 795, Daily Report of Collection 
Activities, and to immediately place the payment in a locked container. 
Field Assistance has implemented in taxpayer assistance centers (TACs) 
where staffing permits the review of Form 795 and all supporting 
documents for accuracy (by an employee other than the recipient of the 
funds) before they are transmitted to the Submission Processing Centers 
(SPC). The review process for these TACs was included in the IRM on 
January 20, 2006. Additional procedures were explored to determine a 
feasible process for mitigating the circumstances that prevent proper 
segregation of duties in TACs with limited staffing. In exploring 
procedures in January 2006 for TACs with limited staffing where there 
is no manager, secretary, or Initial Account Representative, Field 
Assistance determined proposed procedures to be burdensome, difficult 
to administer, and not administratively feasible (e.g., copying and 
faxing Form 795 to the manager). In addition, based on a September 2005 
Treasury Inspector General for Tax Administration (TIGTA) report on 
payments received at TACs, 99 percent of payments posted appropriately 
to taxpayer accounts. This accuracy rate combined with compensating 
controls at the SPCs effectively reduces risks associated with not 
having reconciliation processes in small TACs. Additional emphasis was 
placed on development of internal controls and the oversight and 
accountability of both employees and managers within Field Assistance. 
Specifically,; 
Per GAO: Open. During our fiscal year 2005 audit, we found a lack of 
segregation of duties related to the preparation, review, and/or 
reconciliation of Form 795 at six of the eight TACs we visited. At 
three of these TACs, at times only one employee was present to carry 
out the functions of the office. At another TAC, there was no evidence 
that the Form 795 was reconciled by an employee other than the employee 
who received the payment from the taxpayer and recorded it on the Form 
795. At this same TAC, we observed two instances where employees did 
not log information onto the Form 795 upon receipt. At the fifth TAC, 
the employee responsible for receiving and recording payments on the 
control log did not receive an independent reconciliation of the 
payments before they were mailed to the SCC for further processing. At 
the sixth TAC, one employee retrieved all the checks from the locked 
container and logged all the checks received onto a Form 795 and sent 
them to the SCC without a supervisor or designee review. The corrective 
actions cited by IRS were subsequent to our fieldwork at those 
locations. We will evaluate IRS's corrective actions during our fiscal 
year 2006 audit. 

Per IRS: Count6: Field Assistance headquarters began conducting 
operational reviews on February 28, 2006. The operational reviews 
include assessing their ability to engage employees in process and 
program improvement, identifying best practice ideas, ensuring elements 
of accountability and responsibility are clearly communicated at each 
level, and assessing conformance to the current policies and 
procedures; 
Per GAO: Count6: [Empty]. 

Count: 6; 
ID. No.: 99-20; 
Recommendation: Analyze and determine the factors causing delays in 
processing and posting TFRP assessments. Once these factors have been 
determined, IRS should develop procedures to reduce the impact of these 
factors and to ensure timely posting to all applicable accounts and 
proper offsetting of refunds against unpaid assessments before 
issuance. (short-term); 
Source report: Internal Revenue Service: Custodial Financial Management 
Weaknesses (GAO/AIMD- 99-193, Aug. 4, 1999); 
Per IRS: Open. To ensure quality, timeliness, and accuracy of the TFRP 
process, the IRS initiated a quality review process that focused in two 
primary areas. The first being consolidation of all TFRP work to one 
campus. Consolidation of all SB/SE ATFR work to the Ogden campus was 
completed in September 2005. All W&I business unit TFRP work was 
transferred to SB/SE Campuses as of January 2006. The second area IRS 
undertook was the task of rewriting the ATFR area office user component 
to provide system flexibility that better replicates the realities of 
the current trust fund investigation/proposal process. The enhanced 
rewrite has been delivered and is in production testing. Training is 
scheduled to begin in June 2006 with a complete nationwide deployment 
by the end of fiscal year 2006. IRS continues to monitor the accuracy 
and effectiveness of the TFRP process and all corrective actions 
already in place; 
Per GAO: Open. We will continue to review IRS's initiatives to improve 
posting of TFRP cases and monitor trust fund recovery penalty 
processing timeliness as part of our fiscal year 2006 audit. 

Count: 7; 
ID. No.: 99-22; 
Recommendation: Expand IRS's current review of service center deterrent 
controls to include similar analyses of controls at IRS field offices 
in areas such as courier security, safeguarding of receipts in locked 
containers, requirements for fingerprinting employees, and requirements 
for promptly over-stamping checks made out to the "IRS" with "Internal 
Revenue Service" or "United States Treasury." Based on the results, IRS 
should make appropriate changes to strengthen its physical security 
controls. (short-term); 
Source report: Internal Revenue Service: Custodial Financial Management 
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); 
Per IRS: Closed. The guidelines in the Fiscal Year 2003 Operating 
Procedures for TACs for safeguarding receipts in locked containers and 
over-stamping checks made payable to IRS were incorporated into the IRM 
in June 2003. The requirement for over-stamping checks made payable to 
the IRS has been emphasized. Operational reviews by Field Assistance 
Headquarters are planned to ensure adherence to safeguarding of 
receipts and over- stamping requirements. Employees have been 
instructed to keep all containers locked that contain taxpayer data. 
Each employee will be provided individual performance feedback 
regarding any security violations. More frequent security reviews will 
be conducted that include this and other areas relating to protection 
of taxpayer data. Additional emphasis will be placed on development of 
internal controls and the oversight and accountability of both 
employees and managers within Field Assistance; 
Per GAO: Open. While IRS has taken steps to address this 
recommendation, the current response does not entail expansion of IRS's 
service center security reviews and TAC operational reviews to the non-
W&I business units. During our fiscal year 2005 audit, we found several 
instances where controls over safeguarding taxpayer receipts and 
information at the SB/SE, the Large and Mid-Size Business (LMSB), and 
Tax Exempt and Government Entities (TE/GE) field office units were not 
effective. We will evaluate IRS's corrective actions during our fiscal 
year 2006 audit. 

Count: 8; 
ID. No.: 99-25; 
Recommendation: Ensure that additional staff are employed or existing 
staff appropriately cross-trained to be able to perform the master file 
extractions and other ad hoc procedures needed for IRS to continually 
develop reliable balances for financial reporting purposes. (short-
term); 
Source report: Internal Revenue Service: Custodial Financial Management 
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); 
Per IRS: Open. The CAP has been stopped due to budget cuts. The IRS has 
decided to address this recommendation by enhancing the Service's 
existing FMIS with a new database, the CDDB and the Interim Revenue 
Accounting Control System (IRACS) used to support the financial audit. 
The CFO has developed a business case and will pursue opportunities to 
identify resources within the IRS's Information Technology budget to 
fund this effort. The need to build an appropriate depth of experience 
is still an immediate and ongoing issue. The IRS continues to examine 
its resources to see if work can be realigned, and if existing 
employees can be retrained. Contractor support is used to provide the 
support and backup necessary for preparation of the compensating 
procedures, pending implementation of the CDDB and the Customer Account 
Data Engine (CADE). IRS is committed to supporting the funding of 
contractor resources that are used for the financial statement audit. 
This corrective action will be continually monitored; 
Per GAO: Open. In fiscal year 2005, IRS continued to augment its own 
resources with contractor support to produce auditable financial 
statements. We will continue to assess IRS's actions during our fiscal 
year 2006 audit. 

Count: 9; 
ID. No.: 99-29; 
Recommendation: Develop the data to support meaningful cost information 
categories and cost-based performance measures. (long-term); 
Source report: Internal Revenue Service: Serious Weaknesses Impact 
Ability to Report on and Manage Operations (GAO/AIMD- 99-196, Aug. 9, 
1999); 
Per IRS: Open. Integrated Financial System (IFS) Release 1, which was 
implemented on November 10, 2004, includes a cost module that will 
interface with program area management information systems. Both direct 
and indirect resource cost data will be linked to the budget process 
and the strategic planning goals of all business units. This will help 
move IRS forward in transitioning to a performance-based organization. 
Full cost accounting will not be realized until future releases, such 
as Work Management, are implemented. An integrated Work Management 
module would routinely provide a greater level of detail for costing 
purposes. However, at present, all future releases are being 
reevaluated based on funding availability and no future implementation 
date has been established; 
Per GAO: Open. We will follow up during future audits to assess IRS's 
progress in implementing a cost-accounting system and populating it 
with the cost information needed to support meaningful cost-based 
performance measures. 

Count: 10; 
ID. No.: 99-36; 
Recommendation: Make enhancements to IRS financial systems to include 
recording plant and equipment (P&E) and capital leases as assets when 
purchased and to generate detailed records for P&E that reconcile to 
the financial records. (long-term); 
Source report: Internal Revenue Service: Serious Weaknesses Impact 
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 
1999); 
Per IRS: Open. In IFS Release 1, implemented on November 10, 2004, P&E 
are being recorded as an asset when purchased. The ability to tie to 
the detailed physical asset information and a fully integrated system 
with subsidiary records will not be available until the IFS Asset 
Management module is implemented. At present, all future releases are 
being reevaluated based on funding availability and no future 
implementation date has been established; 
Per GAO: Open. IRS implemented the first release of the new IFS on 
November 10, 2004, which allowed recording P&E as assets when 
purchased. However, implementation of a property asset module that is 
intended to generate detailed records for P&E that will reconcile to 
the financial records is being deferred indefinitely due to funding 
constraints. We will continue to monitor IRS's progress in implementing 
subsequent IFS releases and the property asset module. 

Count: 11; 
ID. No.: 01-04; 
Recommendation: As an alternative to prematurely suspending active 
collection efforts, and using the best available information, develop 
reliable cost-benefit data relating to collection efforts for cases 
with some collection potential. These cost-benefit data would include 
the full cost associated with the increased collection activity (i.e., 
salaries, benefits, and administrative support) as well as the expected 
additional tax collections generated. (short-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Per IRS: Open. Based on initial success with modeling technology, SB/SE 
has initiated several other projects to build additional decision 
analytical models to increase our ability to route cases to the 
appropriate resource. These projects include the addition of external 
credit scores and other internal data to build more robust models with 
increased predictive power. These efforts will continue to help IRS 
ensure that the right resources are devoted to the appropriate cases. 
IRS has developed a corporate strategy for working collections cases. 
The Collection Governance Board (consisting of executives from SB/SE 
and W&I) was established in August 2005 to ensure inventory is balanced 
and resources are expended appropriately; 
Per GAO: Open. We will continue to review IRS's initiatives to manage 
resource allocation levels for its collection efforts. 

Count: 12; 
ID. No.: 01-06; 
Recommendation: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues. (short-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Per IRS: Open. IRS has redeveloped the prior action plan to incorporate 
the requirements of the revised OMB Circular No. A-123. The overall 
action addresses untimely lien releases, including identification of 
root causes and where they occur organizationally. ; 
Per GAO: Open. During our fiscal year 2005 audit, we continued to find 
delays in release of liens. We found 13 instances out of 59 cases 
tested in which IRS did not release the applicable federal tax lien 
within the 30-day statutory period. The time between the satisfaction 
of the liability and release of the lien ranged from 36 days to 233 
days. We will assess the impact of IRS's actions and continue to review 
IRS's release of tax liens as part of our fiscal year 2006 audit. 

Count: 13; 
ID. No.: 01-12; 
Recommendation: For (1) IRS's AUR and Combined Annual Wage Reporting 
programs, (2) screening and examination of Earned Income Tax Credit 
claims, and (3) identifying and collecting previously disbursed 
improper refunds, use the best available information to develop 
reliable cost-benefit data to estimate the tax revenue collected by, 
and the amount of improper refunds returned to, IRS for each dollar 
spent pursuing these outstanding amounts. These data would include (1) 
an estimate of the full cost incurred by IRS in performing each of 
these efforts, including the salaries and benefits of all staff 
involved, as well as any related nonpersonnel costs, such as supplies 
and utilities and (2) the actual amount (a) collected on tax amounts 
assessed and (b) recovered on improper refunds disbursed. (long-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Per IRS: Open. Allocation methodology was reviewed and enhanced for 
fiscal year 2006 and further refinements will be implemented each year. 
The first year's data will be reviewed in fiscal year 2006 and a plan 
developed for integrating cost data in decision making. The use of the 
data will be tested in fiscal year 2007 with baseline data. However, to 
achieve maximum benefit in decision making, several years' data will be 
needed. As a result, the IRS will fully implement the use of cost 
accounting data for resource allocation decisions in fiscal year 2008; 
Per GAO: Open. During our fiscal year 2005 audit, IRS provided 
information on the AUR program, including program results. Based on our 
review of the information and discussions with IRS officials, we 
determined IRS does not use the data to make decisions on the AUR 
workload. In addition, IRS implemented a cost accounting module during 
fiscal year 2005. However, management has not yet determined what the 
full range of its cost information needs are or how best to tailor the 
capabilities of this module to serve those needs. Also, IRS has not yet 
implemented a related workload management system intended to provide 
the cost module with detailed personnel cost information. In addition, 
as noted by IRS, because it generally takes several years of historical 
cost information to support meaningful estimates and projections, IRS 
cannot yet rely on this system as a significant planning tool. We will 
continue to followup on IRS's progress on this issue during our fiscal 
year 2006 audit. 

Count: 14; 
ID. No.: 01-17; 
Recommendation: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur. (long-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Per IRS: Open. In IFS Release 1, implemented on November 10, 2004, P&E 
and leasehold improvements are recorded as assets when purchased. 
However, amortization will remain a manual process. The ability to tie 
the detailed physical asset information and a fully integrated system 
with subsidiary records will not be available until the Asset 
Management module is implemented. At present, all future releases are 
being reevaluated based on funding availability and no future 
implementation date has been established; 
Per GAO: Open. IRS implemented the first release of the new IFS on 
November 10, 2004, which allowed recording leasehold improvements as 
assets when purchased. However, implementation of a property asset 
module that is intended to generate detailed records for P&E that will 
reconcile to the financial records is being deferred indefinitely due 
to funding constraints. We will continue to monitor IRS's progress in 
implementing subsequent IFS releases and the property asset module. 

Count: 15; 
ID. No.: 01-18; 
Recommendation: Implement procedures and controls to ensure that 
expenditures for P&E are charged to the correct accounting codes to 
provide reliable records for expenditures as a basis of extracting the 
costs for major systems and leasehold improvements. (short-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO- 01-42, Nov. 17, 2000); 
Per IRS: Closed. In IFS Release 1, implemented on November 10, 2004, 
P&E and leasehold improvements are posted to the correct accounting 
code at the time of purchase. IRS has improved the definitions of P&E 
and has provided guidance on appropriate coding classifications to end 
users. Routine control reviews have been established to ensure the 
accuracy and appropriate coding of classifications; 
Per GAO: Closed. IRS implemented the first release of IFS on November 
10, 2004, which incorporated procedures to allow IRS to record the 
majority of P&E additions in the appropriate general ledger accounts as 
they occur. During our fiscal year 2005 audit, we found that IRS was 
generally recording P&E transactions as they occurred, although we did 
identify some new issues. See recommendation ID. No. 06-20. 

Count: 16; 
ID. No.: 01-39; 
Recommendation: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities. (long-term); 
Source report: Management Letter: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-01-880R, July 30, 
2001); 
Per IRS: Open. IRS has developed guidance for costing reimbursable 
agreements, which includes instructions on tracking labor. IFS Release 
1, implemented on November 10, 2004, includes a cost module that will 
interface with program area management information systems. Full cost 
accounting will not be realized until future releases, such as Work 
Management, are implemented. Actions will be initiated in fiscal year 
2006 or fiscal year 2007 to begin gathering the real cost of certain 
reimbursable projects. At present, future releases are being evaluated 
based on funding availability and no future implementation date has 
been established; 
Per GAO: Open. We confirmed that IRS has procedures for costing 
reimbursable agreements that provide the basic framework for the 
accumulation of both direct and indirect costs at the necessary level 
of detail. IRS plans to implement these procedures over several years 
as it phases in various program area management information systems 
that will provide critical information to its new cost accounting 
system. However, as indicated by IRS, these systems have not yet been 
scheduled for implementation. We will continue to monitor IRS's efforts 
to fully implement its cost accounting system and, once it has been 
fully implemented, evaluate the effectiveness of IRS procedures for 
developing cost information for its reimbursable agreements. 

Count: 17; 
ID. No.: 02-01; 
Recommendation: Implement policies and procedures to record 
capitalizable acquisition costs for P&E, capital leases, leasehold 
improvements, and major systems in the appropriate P&E general ledger 
accounts as transactions occur. (long-term); 
Source report: Internal Revenue Service: Progress Made, but Further 
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 
2001); 
Per IRS: Closed. In IFS Release 1, implemented on November 10, 2004, 
property and equipment are recorded as assets when purchased; 
Per GAO: Closed. IRS implemented the first release of IFS on November 
10, 2004, which incorporated procedures to allow IRS to record the 
majority of P&E additions in the appropriate general ledger accounts as 
they occur. During our fiscal year 2005 audit, we found that IRS was 
generally recording P&E transactions as they occurred, although we did 
identify some new issues. See recommendation ID. No. 06-20. 

Count: 18; 
ID. No.: 02-08; 
Recommendation: Implement policies and procedures to require that all 
employees itemize on their time cards the time spent on specific 
projects. (long-term); 
Source report: Internal Revenue Service: Progress Made, but Further 
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 
2001); 
Per IRS: Open. IRS agreed with the objective of this recommendation, 
which is to allow it to collect and report the full payroll costs 
associated with its activities. While IRS indicated that most of its 
employees already itemize their time charges in functional tracking 
systems, it has acknowledged that full implementation of the IFS cost 
accounting module is required to close this recommendation. IFS Release 
1, implemented on November 10, 2004, includes requirements for a cost 
module that will be interfaced with program area management information 
systems. Both direct and indirect resource cost data can be linked to 
the budget process and the strategic planning goals of all business 
units. This will help move IRS forward in transitioning to a 
performance-based organization. Full cost accounting will not be 
realized until future releases, such as Work Management, are 
implemented. At present, all future releases are being reevaluated 
based on funding availability and no future implementation date has 
been established; 
Per GAO: Open. We confirmed that IRS employees continue to use 
functional tracking (workload management) systems to itemize and track 
their time charges. However, this recommendation remains open because 
its objective is to allow IRS to collect and report the full payroll 
costs associated with its activities. During our fiscal year 2005 
audit, we continued to find that the functional tracking systems are 
insufficient for this purpose because they do not interface with each 
other or the general ledger to allow management to use them to readily 
accumulate the time charged to specific projects. 

Count: 19; 
ID. No.: 02-09; 
Recommendation: Implement policies and procedures to allocate 
nonpersonnel costs to programs and activities on a routine basis 
throughout the year. (long-term); 
Source report: Internal Revenue Service: Progress Made, but Further 
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 
2001); 
Per IRS: Open. The IFS, Release 1, implemented on November 10, 2004, 
includes a cost module that is interfaced with program area management 
information systems. Both direct and indirect resource cost data can be 
linked to the budget process and the strategic planning goals of all 
business units. This helps move IRS forward in transitioning to a 
performance- based organization. Full cost accounting will not be 
realized until future IFS releases, including Work Management, are 
implemented; 
Per GAO: Open. We confirmed that the IRS plans include requirements 
that meet the objectives of this recommendation; 
however, IRS has indefinitely delayed the implementation of these 
requirements. IRS's plans to implement these requirements are expected 
to be executed over several years as IRS phases in various program area 
management information systems that will provide critical information 
to the cost accounting system. We will continue to monitor the progress 
of IRS's efforts to address this issue. 

Count: 20; 
ID. No.: 02-14; 
Recommendation: Develop policies and procedures to require that IRS and 
lockbox employees performing final candling record receipts in a 
control log at the time of discovery, recording at a minimum the total 
number of payments found, the amount of each payment, and the taxpayer 
who submitted the payment. (short- term); 
Source report: Management Report: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 
2002); 
Per IRS: Closed. The 2005 Lockbox Processing Guidelines (LPG), 
Documentation of Items Found in Candling (Form 9535), directs the 
responsible manager to initial Form 9535 every day for each shift. An 
entry must be made each shift, whether or not items have been found. A 
manager will initial Form 9535 to validate all of the following: (1) 
all available information is correctly entered; 
(2) items found have been reconciled with Form 9535 entries; 
(3) items have been correctly categorized as processable or 
unprocessable; 
(4) all processable work has been cleared after each shift, i.e., the 
work has been put back into the stream of work; 
and (5) the received date has been entered correctly. Only Form 9535 
will be used for documenting items found during candling. IRM 
3.10.72.6.2 provides the following guidance for the campuses: 
Management shall maintain Form 13592 Candling Log - Receipt and Control 
(R&C) Discovered Remittances to record remittances found in final 
candling. An employee designated by management will immediately record 
these items into the final candling log. In addition, management shall 
initial the log to validate that all available information is correctly 
entered and ensure that all remittances listed on the log are brought 
to the deposit function on a daily basis. The National Office 
redesigned the Form 13592 candling log that records, at a minimum, the 
total number of payments found, the amount of each payment, and the 
taxpayer who submitted the payment; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
IRS updated its candling procedures in the LPG and IRM to include the 
recording of receipts in the control log at the time of discovery. 

Count: 21; 
ID. No.: 02-16; 
Recommendation: Ensure that field office management complies with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 
2002); 
Per IRS: Open. Field Assistance has implemented in TACs, where staffing 
permits, the review of Form 795 and all supporting documents for 
accuracy by someone other than the recipient of the funds before they 
are transmitted to the SPCs. Additional procedures are being explored 
to determine a process for mitigating the circumstances that prevent 
proper segregation of duties in those TACs with limited staffing. 
Additional emphasis will be placed on development of internal controls 
and the oversight and accountability of both employees and managers 
within Field Assistance; 
Per GAO: Open. During our fiscal year 2005 audit, we found a lack of 
segregation of duties related to the preparation, review, and/or 
reconciliation of Form 795 at six of the eight TACs we visited. At 
three of these TACs, at times only one employee is present to carry out 
the functions of the office. At another TAC, there was no evidence that 
the Form 795 was reconciled by an employee other than the employee who 
received the payment from the taxpayer and recorded it on the Form 795. 
At this same TAC, we observed two instances where employees did not log 
information onto the Form 795 upon receipt. At the fifth TAC, the 
employee responsible for receiving and recording payments on the 
control log did not receive an independent reconciliation of the 
payments before they were mailed to the SCC for further processing. At 
the sixth TAC, one employee retrieved all the checks from the locked 
container and logged all the checks received onto a Form 795 and sent 
them to the SCC without a supervisor or designee review. We will 
evaluate IRS's corrective actions during our fiscal year 2006 audit. 

Count: 22; 
ID. No.: 02-18; 
Recommendation: Work with the National Finance Center (NFC) to resolve 
the technical limitations that exist within the Secure Entry and 
Tracking System (SETS) database and continue to periodically review 
SETS data to detect and correct errors. (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 
2002); 
Per IRS: Closed. In July 2005, NFC demonstrated (first time) a Web 
version of SETS and more IRS requirements are to be accommodated in 
that system; 
a meeting is slated for early 2006 between IRS and NFC. Also, IRS/NFC 
dialogue continues to ensure that data flows are timely and accurate, 
reconciliations and error adjustments regularly occur, and monthly NFC 
reports are reviewed and analyzed by IRS. Agency-Wide Shared Services 
(AWSS) continues to monitor SETS reports for each pay period and 
coordinates with employment offices when corrections are needed. IRS 
and NFC continue to engage on-going discussions on reconciliations and 
error adjustments as needed. NFC controls the time table for deploying 
a Web version of SETS; 
however, no time table has been set and no meetings are being convened; 
Per GAO: Open. During our fiscal year 2005 audit, we continued to find 
technical limitations in IRS's SETS database. The corrective actions 
cited by IRS were subsequent to our fieldwork for the fiscal year 2005 
audit. We will evaluate the effectiveness of these actions during our 
fiscal year 2006 audit. 

Count: 23; 
ID. No.: 03-02; 
Recommendation: Establish and document guidelines and procedures in IRS 
policy and procedure manuals for implementing the new penalty provision 
for lockbox banks to reimburse the government for direct costs incurred 
in correcting errors made by lockbox banks. (short-term); 
Source report: Lockbox Banks: More Effective Oversight, Stronger 
Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-
299, Jan. 15, 2003); 
Per IRS: Closed. IRS and the Financial Management Service (FMS) 
prepared a reimbursement process. The procedures include the use of a 
special Lockbox Program code to delineate IRS rework costs as a result 
of errors made by the lockbox sites. The Lockbox Policy Reimbursement 
procedures are included in the 2005 LPG under LPG 2.1.9 and 2005 
Lockbox Processing Procedures under IRM 3.0.230.9.3; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
IRS had incorporated reimbursement procedures in the 2005 LPG. 

Count: 24; 
ID. No.: 03-07; 
Recommendation: Revise the guidance used for compliance reviews so it 
requires reviewers to (1) determine whether lockbox contractors, such 
as couriers, have completed and obtained favorable results on IRS 
fingerprint checks and (2) obtain and review all relevant logs for cash 
payments and candled items to ensure that all payments are accounted 
for. (short-term); 
Source report: Lockbox Banks: More Effective Oversight, Stronger 
Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-
299, Jan. 15, 2003); 
Per IRS: Closed. IRS updated the security check sheet in January 2004 
to instruct reviewers to determine whether contractors have completed 
and obtained favorable fingerprint results and to review all relevant 
logs for cash payments and candling logs. In order to ensure compliance 
to the LPG requirements, an IRS and FMS task group developed a 
performance measures process to include a category for security 
(Courier, Physical, Remittance) that was implemented in October 2005. 
This process which was piloted in 2005 and implemented in January 2006 
uses a data collection instrument (DCI) check sheet that lists by line 
item the requirements as outlined in the LPG. It is used as a tool to 
identify varying levels of performance and provide incentives and 
disincentives based on those levels of performance. This helps the 
IRS/FMS Security staff ensure compliance with the LPG requirements. 
Additionally, an internal control review is included in the reviews 
performed quarterly by the Lockbox coordinators; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified the 
lockbox coordinator's on-site review check sheet included the 
requirement to ensure that the cash and candling logs are being kept 
and updated daily and that contractors have completed and obtained 
favorable results on IRS fingerprint checks. 

Count: 25; 
ID. No.: 03-08; 
Recommendation: Assign individuals, other than the lockbox 
coordinators, responsibility for completing on-site performance 
reviews. (short-term); 
Source report: Lockbox Banks: More Effective Oversight, Stronger 
Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-
299, Jan. 15, 2003); 
Per IRS: Closed. IRS Lockbox Field Section, IRS Policy & Procedures 
Section, and FMS are responsible for conducting their own on-site 
performance reviews during peak season at each Lockbox site. DCIs are 
used by the IRS Field Coordinators to review Lockbox processing 
requirements and processing internal controls. DCIs are also used by 
IRS Policy & Procedures Section in conjunction with IRS Mission 
Assurance and FMS Security to review courier, physical, and personnel 
security. FMS and IRS Policy and Procedures Section also use a check 
sheet to review various processing/security requirements during peak 
processing. DCI processing reviews are also completed daily at each IRS 
SPC by SPC staff after the work is received from the lockbox. The on-
site DCI processing and security reviews and the SPC reviews are 
incorporated into the Bank Performance Standards scorecards. The 
scorecards are signed by both IRS and FMS management prior to being 
issued to each Lockbox site under an FMS cover letter. In addition, 
peak trip reports are completed jointly by the IRS and FMS personnel on 
site. These trip reports assess the banks performance by categories 
such as deliverables, FMS cash management cash flow, mail, processing, 
remittance security, and staffing. This report is used to capture any 
observations that may or may not have been covered on the various DCIs. 
The combination of these reviews serves as the checks and balances of 
the program. While the Field Coordinators remain responsible for the on-
site processing review, these reviews constitute only a portion of the 
overall assessment of each lockbox site; 
Per GAO: Closed. We issued this recommendation in January 2003 when the 
lockbox coordinators were the only individuals responsible for 
conducting the performance reviews and at that time these reviews were 
not being performed because of competing demands. Over the years, IRS 
and FMS have increased their oversight of the lockbox bank program with 
various performance and compliance reviews. These reviews include peak 
season trip reports and annual security reviews conducted jointly by 
IRS and FMS staff. In addition, IRS has implemented a scorecard system 
performed, reviewed, and signed by both IRS and FMS that incorporates 
the results of the reviews. These procedures collectively satisfy the 
objective of this recommendation. 

Count: 26; 
ID. No.: 03-10; 
Recommendation: Require lockbox management to ensure that guards are 
responsive to alarms and that IRS take steps to monitor adherence to 
this requirement. (short-term); 
Source report: Lockbox Banks: More Effective Oversight, Stronger 
Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-
299, Jan. 15, 2003); 
Per IRS: Closed. To provide more emphasis on security, the Lockbox 
Security Guidelines (LSG) is no longer included in the LPG. Beginning 
in 2006 LSG is a separate document. LSG 2.2.2.4(7) requires that "Bank 
management is ultimately responsible for access control and procedures 
for ensuring only authorized personnel are granted access to the 
processing floor. Bank management must be involved in the day to day 
access control process. This responsibility cannot be delegated (e.g., 
to temporary agency personnel, security guards, third parties)." LSG 
2.2.3.1 (7) provides the requirements for guards to respond to alarms. 
The Security Team performs alarm testing and evaluates guards' 
responses to alarms during their on-site security reviews. Security 
Performance Measures (effective January 2006) were developed to measure 
and rate each site's overall adherence to security guidelines and 
provides incentives/disincentives accordingly. Mission Assurance and 
FMS Security staff supports the Lockbox Policy and Procedures Program 
Office in conducting security reviews. Reviews rate each site's 
compliance to physical, personnel, courier, and information technology 
(IT) security; 
Per GAO: Closed. We verified that the LSG requires lockbox bank 
management to ensure that guards are responsive to alarms. 
Additionally, we verified that Security Performance Measures are in 
place to measure and rate each lockbox bank's overall adherence to 
security guidelines. 

Count: 27; 
ID. No.: 03-15; 
Recommendation: Require lockbox management to ensure that envelopes are 
properly candled and that IRS take steps to monitor adherence to this 
requirement. (short-term); 
Source report: Lockbox Banks: More Effective Oversight, Stronger 
Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-
299, Jan. 15, 2003); 
Per IRS: Closed. Effective October 2005, candling reviews are conducted 
at all Lockbox sites to ensure that all candling requirements are being 
met. These internal control reviews ensure that envelopes opened 
(manually or by OPEX) on three or more sides are candled once and that 
envelopes other than the ones opened on three or more sides are candled 
twice. The results of these reviews are used to calculate each bank's 
score in the new bank performance measurement process. The Processing- 
Internal Controls (PIC) DCI that included the new candling review was 
first performed by Lockbox Field Coordinators at Individual Master File 
(IMF) lockbox sites during on-site reviews in October 2005 and at 
Business Master File (BMF) sites in November 2005. This element is now 
part of the Lockbox Performance Scorecard Measures; 
Per GAO: Open. During our fiscal year 2005 audit, we found instances at 
one lockbox bank where employees did not properly candle envelopes. 
However, the candling reviews planned by IRS were implemented 
subsequent to the completion of our fiscal year 2005 fieldwork. We will 
evaluate the effectiveness of these reviews during our fiscal year 2006 
audit. 

Count: 28; 
ID. No.: 03-17; 
Recommendation: Require lockbox management to ensure that returned 
refund checks are restrictively endorsed immediately upon extraction 
and that IRS take steps to monitor adherence to this requirement. 
(short-term); 
Source report: Lockbox Banks: More Effective Oversight, Stronger 
Controls, and Further Study of Costs and Benefits Are Needed (GAO-03-
299, Jan. 15, 2003); 
Per IRS: Closed. The requirement to ensure that returned refund checks 
are restrictively endorsed immediately upon extraction was previously 
listed in Section 3.2.1 of the 2002 LPG issued January 1, 2002, as well 
as the 2003 (revised April 8, 2003) and 2004 LPG, issued December 1, 
2003. During the on-site security reviews, IRS and FMS security teams 
reviewed adherence to this requirement. Additionally, adherence to this 
requirement is evaluated during the daily SPC quality reviews; 
Per GAO: Closed. During our fiscal year 2005 audit, we did not identify 
any instances where returned refund checks at the lockbox banks were 
not restrictively endorsed upon extraction. 

Count: 29; 
ID. No.: 03-29; 
Recommendation: Confirm with FMS that IRS's requirements for background 
and fingerprint checks for courier services are met regardless of 
whether IRS or FMS negotiates the service agreement. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-03-562R, May 20, 2003); 
Per IRS: Closed. On October 7, 2002, FMS issued an amendment to the 
Courier Memorandum of Understanding (MOU), which included the 
requirement that all courier employees satisfy the basic investigation, 
including a Federal Bureau of Investigation fingerprint and name check. 
All 10 IRS campuses now have a contact responsible for submitting 
paperwork to the National Background Investigations Center (NBIC) and 
ensuring courier employees are granted clearance. On April 10, 2003, 
IRS requested that NBIC provide a monthly status report of the campus 
compliance to the W&I. The 2004 LPG (issued December 1, 2003) includes 
guidelines for background investigations under Personnel Security in 
Section 4.2; 
all parties are adhering to these requirements. Compliance to the new 
requirement will be reviewed during campus security reviews and/or 
lockbox security reviews, and couriers are now required to have mid-
level investigations completed by NBIC prior to working for IRS and/or 
a lockbox. A teleconference was held in September 2005 with FMS, the 
Federal Reserve Banks (FRB), Treasury's General Account (TGA) Banks, 
and Campuses. Continuing professional education (CPE) was conducted 
with the Campus Deposit Managers, January 31 through February 1, 2006 
to strengthen relationships with FMS and servicing depositories at 
national and local levels; 
also to foster understanding of IRS courier requirements and provide 
guidance to the deposit managers. An IRS/FMS teleconference was held 
with FRB officials and local; 
Per GAO: Open. IRS's IRM and lockbox bank policies require that all 
courier employees satisfy requirements for background and fingerprint 
checks regardless of who negotiated the courier service agreement. 
However, when we updated our review of courier contracts in March 2006, 
we again found that one FMS-negotiated contract did not contain IRS's 
requirements for background and fingerprint checks for courier 
services. We will continue to evaluate the compliance of the 2006 
courier agreements during our fiscal year 2006 audit. 

Per IRS: Count30: depositories. Courier policies and procedures were 
reinforced in IRM 3.8.45 with FRB and TGA bank offices and campus 
deposit managers. The NBIC program manager participated in this 
session; 
Per GAO: Count30: [Empty]. 

Count: 30; 
ID. No.: 03-32; 
Recommendation: Prohibit the storage of employees' personal belongings 
with cash payments and receipts at IRS's taxpayer assistance centers. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-03-562R, May 20, 2003); 
Per IRS: Closed. In 2005, remittance training covering the procedures 
for remittance processing was conducted for all TAC managers. The 
requirement prohibiting storing personal belongings with taxpayer data 
was reiterated. Operational reviews are planned by Field Assistance 
Headquarters to ensure TACs adhere to required IRM procedures. 
Additional emphasis will be placed on development of internal controls 
and the oversight and accountability of both employees and managers 
within Field Assistance; 
Per GAO: Open. During our fiscal year 2005 audit, we identified an 
instance at one TAC where an employee's personal belongings were stored 
with taxpayer receipts. In addition, IRS's response does not 
specifically address the prohibition of taxpayer payments (cash and non-
cash) with employees' personal belongings as stated in our 
recommendation. We will continue to evaluate IRS's corrective actions 
during our fiscal year 2006 audit. 

Count: 31; 
ID. No.: 03-33; 
Recommendation: Revise its candling procedures to specify the precise 
candling methods to be used based on the dimensions of the mail 
processed and the extraction method used for both the first and the 
final candling. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 03-562R, May 20, 2003); 
Per IRS: Closed. Additional guidance was issued to Submission 
Processing field employees on February 28, 2005, reinforcing the 
importance of ensuring Submission Processing candling procedures and 
policies are followed. IRM 3.10.72 has been revised to specify precise 
candling methods, as well as specific illumination measures of light. 
In addition, new requirements were implemented to turn large envelopes 
that cannot be easily opened on all three sides, inside out. This 
requirement is part of the campus monthly security reviews. All 
findings are shared with SP field directors. Local management continues 
to remind employees of the importance of candling of envelopes on a 
regular basis through individual and group meetings to ensure 
compliance with this requirement; 
Per GAO: Closed. We verified that the IRM has been updated to provide 
specific instructions regarding the candling processes for different 
types of mail processed by service center campuses. 

Count: 32; 
ID. No.: 03-34; 
Recommendation: Establish and implement procedures prohibiting a single 
employee from performing the final candling in a remote location. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-03-562R, May 20, 2003); 
Per IRS: Closed. IRM 3.10.72 has procedures prohibiting a single 
employee from performing the final candling in a remote location. This 
requirement is part of the campus monthly security reviews. All 
findings are shared with SP field directors. Local management continues 
to remind employees of candling requirements through individual and 
group meetings to ensure compliance with this requirement; 
Per GAO: Closed. We verified that IRS had established and implemented 
procedures prohibiting a single employee from performing final candling 
in a remote location. In addition, we did not identify any instances in 
which final candling were performed by only one individual. 

Count: 33; 
ID. No.: 03-40; 
Recommendation: Communicate in writing any potential changes in IRS's 
certification process to other Treasury entities that use the 
certification information, and obtain concurrence from these entities 
prior to implementing such changes. (short-term); 
Source report: Management Report: Improvements Needed in Controls over 
IRS's Excise Tax Certification Process (GAO-03-687R, July 23, 2003); 
Per IRS: Closed. An MOU was signed December 15, 2004, by the Chairman, 
Excise Tax Trust Fund Working Group. The IRS Treasury Excise Tax Trust 
Fund Working Group MOU established a process of recording minutes of 
the Working Group meetings in order to document issues related to trust 
fund certification procedures/ processes and proposed or passed 
legislative changes impacting trust fund investments. Recording of 
minutes will be taken by a representative of Treasury member offices or 
bureaus on a rotating basis. Draft minutes will be shared with all 
participants for concurrence prior to final approval and distribution. 
IRS will discuss and make a presentation to advise the members of any 
changes to the trust fund certification process; 
Per GAO: Closed. We verified that the Treasury Excise Tax Trust Fund 
Working Group signed a resolution to establish a process for 
documenting issues related to IRS's trust fund certifications. Our 
review shows the Treasury Excise Tax Working Group has established a 
process of recording and distributing minutes of the Working Group 
meetings in order to document issues related to trust fund 
certification procedures/ processes including procedural or legislative 
changes impacting trust fund investments. 

Count: 34; 
ID. No.: 04-01; 
Recommendation: Require lockbox bank managers to maintain appropriate 
documentation on-site demonstrating that satisfactory fingerprint 
results have been received before contractors are granted access to 
taxpayer receipts and data. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); 
Per IRS: Closed. To provide more emphasis on security, LSG (2.5) 
requires appropriate documentation for couriers and guards before they 
are granted access to taxpayer receipts. To ensure compliance with the 
LSG, IRS/FMS Security has included this as a review item during their 
security reviews; 
Per GAO: Closed. We verified that the LSG does include a requirement 
that lockbox managers maintain documentation on- site demonstrating 
that satisfactory fingerprint results have been received before 
contractors are granted access to taxpayer receipts and data. During 
our fiscal year 2005 audit, we did not identify any instances in which 
contractors were granted access to taxpayer receipts and data without 
having satisfactory fingerprint results on file at the lockbox banks 
that we visited. 

Count: 35; 
ID. No.: 04-02; 
Recommendation: Revise its policy on two- person courier teams to 
prohibit the use of courier teams consisting of closely related 
individuals to further minimize the risk of collusion in the theft of 
taxpayer receipts and data. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); 
Per IRS: Closed. On February 14, 2005, the 2005 LPG was updated and 
reinforced current courier requirements with an addendum entitled 
"Courier's Additional Disclosure Statement." Each courier is required 
to complete and sign the disclosure, affirming that they are not to 
travel with an immediate family member. In addition, each courier is 
required to list the name and relationship of each family member 
residing in the same domicile that also performs courier duties for the 
IRS. The disclosure statement is updated annually and maintained in the 
personnel file. Starting in July 2005, during the onsite reviews, the 
IRS/FMS Security Team began reviewing the disclosure statements to 
ensure adherence to this requirement; 
Per GAO: Closed. We confirmed that IRS updated its policy on two-person 
courier teams for lockbox banks as reflected in the revised LPG. 
Additionally, we identified no instances in which two-person courier 
teams consisted of closely related individuals during our fiscal year 
2005 testing at the four lockbox banks and four service center campuses 
that we visited. 

Count: 36; 
ID. No.: 04-03; 
Recommendation: Develop procedures to require lockbox managers to 
provide satisfactory evidence that managerial reviews are performed in 
accordance with established guidelines. At a minimum, reviewers should 
sign and date the reviewed documents and provide any comments that may 
be appropriate in the event their reviews identified problems or raised 
questions. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); 
Per IRS: Closed. Effective October 1, 2005, IRS established a new DCI 
review entitled "Processing-Internal Controls." During on-site reviews, 
the following logs are required to be reviewed: desk and work area, 
date stamp, cash, candling, shred, and mail. The results of these DCI 
reviews are rolled into a calculation to determine each bank's score in 
the new bank performance measurement process. In addition, lockbox 
personnel are required to perform reviews of the desk and work area, 
cash, candling, and shred logs. A monthly report for each review must 
be sent to the Lockbox Field Coordinator on the fifth business day of 
the month following the review. The report must contain the following: 
date of review, shifts reviewed, results of the review (even when no 
items are found), and reviewer's and site manager's initials and/or 
signature as required by the LPG. To further strengthen this internal 
control, effective June 1, 2006, additional review of the monthly 
reports (F9535/Discovered Remittance, candling log, disk checks/audits, 
and shred) received from the lockbox site will be performed by the 
Lockbox Field Coordinators. Specific check points will be added to the 
"Monthly Reports" DCI that is a part of the Procedural DCI performed at 
the SPC. In addition to confirming the receipt and timeliness of the 
reports, coordinators will review the reports to ensure they are 
completed per the LPG requirements and that all required management 
signatures/initials are present to provide satisfactory evidence that 
the managerial reviews are performed; 
Per GAO: Open. During our fiscal year 2005 audit, we verified that the 
LPG and LSG instruct the lockbox bank managers to perform numerous 
managerial reviews and to provide evidence that the reviews were 
performed. However, at two of the four lockbox banks we visited, we 
found that satisfactory evidence was not always provided to validate 
that these reviews were performed in accordance with established 
guidelines. In addition, IRS's corrective actions addressing 
documentation of required reviews occurred subsequent to our fiscal 
year 2005 fieldwork. We will evaluate IRS's corrective actions during 
our fiscal year 2006 audit. 

Count: 37; 
ID. No.: 04-04; 
Recommendation: Revise candling procedures at lockbox banks to require 
testing of automated candling machines at appropriate intervals, taking 
into account factors such as use time, volume processed, machine 
requirements and shift cycles. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); 
Per IRS: Closed. Lockbox Policy and Procedures staff assessed the 
candling procedures and determined that current technologies are not 
exempt from the candling requirement and added to the 2005 LPG section 
3.2.8(1) that envelopes opened (either manually or by OPEX equipment) 
on three or more sides must be candled once on the candling tables. 
Thus, the requirement to keep tests and logs is not necessary. All 
other envelopes must be candled twice on the candling tables; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
the LPG requires that envelopes opened (either manually or by OPEX 
equipment) on three or more sides must be candled one additional time 
on the candling table. This change and IRS's assessment that current 
technologies are not exempt from the two candling requirement satisfies 
the objective of our recommendation. 

Count: 38; 
ID. No.: 04-05; 
Recommendation: Require lockbox managers to maintain a log of these 
tests and to periodically review their logs. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); 
Per IRS: Closed. Lockbox Policy and Procedures staff assessed the 
candling procedures and determined that current technologies are not 
exempt from the candling requirement and added to the 2005 LPG section 
3.2.8(1) that envelopes opened (either manually or by OPEX equipment) 
on three or more sides must be candled once on the candling tables. 
Thus, the requirement to keep tests and logs is not necessary. All 
other envelopes must be candled twice on the candling tables; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
the LPG requires that envelopes opened (either manually or by OPEX 
equipment) on three or more sides must be candled one additional time 
on the candling table. This change and IRS's assessment that current 
technologies are not exempt from the two candling requirement satisfies 
the objective of our recommendation. 

Count: 39; 
ID. No.: 04-07; 
Recommendation: Develop procedures to enhance adherence to existing 
instructions on safeguarding discovered remittances at SCCs. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); 
Per IRS: Closed. In 2003, IRM 3.8.46, Discovered Remittances, was 
issued and 10,000 copies were distributed to all campuses. Form 4287 
(Record of Discovered Remittances) was revised to enhance adherence to 
existing instructions by including a check box for managers to indicate 
the reconciliation was performed. Additionally, Submission Processing 
revised the monthly security checklist to include a review of the 
discovered remittance procedures. A Discovered Remittances Job Aid was 
added to IRM 3.8.46 on January 26, 2005 via the SP Web site. The job 
aid and a PowerPoint presentation were added to the SP Web site again 
in August 2005; 
Per GAO: Open. We verified that the IRM contains a discovered 
remittances job aid to be used for recording discovered remittances. 
However, during our fiscal year 2005 audit we found that two of the 
four SCCs we visited did not adhere to the IRM procedures for securing 
discovered remittances. We will evaluate IRS's corrective actions 
during our fiscal year 2006 audit. 

Count: 40; 
ID. No.: 04-08; 
Recommendation: Enforce its policies and procedures to ensure that SCC 
security guards respond to alarms. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); 
Per IRS: Open. Mission Assurance revised policies and procedures in IRM 
1.16.12, to require the following: (1) self- assessments which test 
response capabilities of guards to alarms. Mission Assurance 
implemented a self-assessment tool in October 2004 which is used to 
test response capabilities relating to alarm activation; 
(2) monthly, unannounced alarm tests at all campuses and computing 
centers; 
(3) mandatory reporting of the monthly alarm test results to the office 
of Physical Security and Emergency Preparedness (PSEP); 
(4) review of the monthly test results by the PSEP office, ensuring 
that the results are in compliance with IRM requirements, and if not, 
providing feedback for improvements; 
and (5) annual security exercises at each facility to test alarm 
responses; 
Per GAO: Open. During our fiscal year 2005 audit, we continued to find 
weaknesses in IRS's enforcement of policies and procedures to ensure 
that SCC security guards respond to alarms. We identified instances at 
two of four SCCs visited during our fiscal year 2005 audit in which 
guards either did not respond or did not respond timely to our tests of 
door alarms. IRS's implementation of new procedures to address guard 
response issues occurred subsequent to the end of our fiscal year 2005 
audit fieldwork. We will evaluate IRS's corrective actions during our 
fiscal year 2006 audit. 

Count: 41; 
ID. No.: 04-09; 
Recommendation: Establish compensating controls in the event that 
automated security systems malfunction, such as notifying guards and 
managers of the malfunction, and immediately deploying guards to better 
protect the processing center's perimeter. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); 
Per IRS: Closed. Mission Assurance developed alarm testing procedures 
which are used to supplement the requirements in IRM 1.16.12. The IRM 
and supplemental procedures require the notification of local 
management whenever there is a malfunction of alarms. The procedures 
also require that guards are deployed or doors are secured, as 
necessary, either during tests or when otherwise identified. The 
contract guard force project manager is required to sign off on all 
unannounced alarm test reports. Test results are maintained by the PSEP 
office; 
Per GAO: Open. IRS indicates in its response that compensating controls 
have been developed and implemented in the event that automated 
security systems malfunction. However, from our review of the IRM and 
the compensating controls used in conjunction with the IRM, we did not 
identify any procedures outlining specific controls to be employed 
should automated security systems malfunction or be taken out of 
service for any period of time. We will evaluate IRS's corrective 
actions during our fiscal year 2006 audit. 

Count: 42; 
ID. No.: 04-15; 
Recommendation: Until the Business Performance Management System (BPMS) 
is fully operational, implement procedures to ensure that all 
performance data reported in the MSP report are subject to effective, 
documented reviews to provide reasonable assurance that the data are 
current at interim periods. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, Apr. 26, 2004); 
Per IRS: Closed. IRS has taken steps to ensure that the performance 
measures data reported in the monthly report are properly reviewed 
before being published. All divisions now submit most of their 
performance measures data directly to BPMS. The divisions are required 
to verify/certify the accuracy of the data before uploading to BPMS. 
Corporate Performance Budgeting staff implemented additional manual 
quality control procedures that include reviewing all tables, charts, 
and line graphs and visually inspecting the numbers and comparing the 
information to the previous month's report for consistency. In 
addition, IRS is working with Treasury to streamline its current set of 
performance measures. Its purpose is to increase the value of the 
information provided to stakeholders, focus priorities, and reduce 
administrative burden; 
Per GAO: Open. In fiscal year 2005, we continued to find errors in 
IRS's interim performance measures data at interim periods. GAO will 
continue to monitor IRS's progress in this area during our fiscal year 
2006 financial audit. 

Count: 43; 
ID. No.: 05-01; 
Recommendation: Expedite efforts to resolve the backlog of unpostable 
liens, releasing liens as appropriate. (short-term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Per IRS: Closed. IRS conducted a review of the unpostable accounts 
during the period, October 31, 2005, to November 4, 2005. The remaining 
1,500 accounts were resolved by May 31, 2005. Inventories are current 
and being resolved in a timely manner; 
Per GAO: Closed. We verified that IRS had resolved the backlog of 
unpostable liens. IRS's Centralized Case Processing/ Lien Processing 
Unit at the Cincinnati Campus is researching and resolving unpostable 
liens weekly. We reviewed IRS's report of unpostable liens from 
February and March 2006 and determined there was no current backlog. 

Count: 44; 
ID. No.: 05-02; 
Recommendation: Keep current on all new unpostable liens. (short-term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Per IRS: Closed. IRS has been resolving new unpostables within 5 days 
since June 2004. IRS conducted a review of the unpostable accounts 
during the period, October 31, 2005, to November 4, 2005, which 
verified inventories are current and being resolved in a timely manner; 
Per GAO: Closed. Although IRS has not formally documented procedures in 
the IRM for weekly resolution of unpostable liens, IRS officials of the 
Centralized Case Processing / Lien Processing Unit told us that they 
research and resolve unpostable liens weekly. We reviewed six weekly 
reports of unpostable liens from February through March 2006 and 
determined that IRS was keeping current on new unpostable liens. 

Count: 45; 
ID. No.: 05-03; 
Recommendation: Research and resolve the current backlog of unresolved 
unmatched exception reports. (short- term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Per IRS: Open. Managers and employees have received training on the 
entity portion of the Satisfied Module (SATMOD) Reject Report. 
Resolution of the backlog will be conducted by the centralized site. 
Anticipated time for resolution is being extended to May 2006 in order 
to complete a workshop, compile the extract from the master file, and 
establish a specific group of employees to work on the backlog; 
Per GAO: Open. We will review the status of IRS's corrective actions as 
part of our fiscal year 2006 audit. 

Count: 46; 
ID. No.: 05-04; 
Recommendation: Research and resolve unmatched exception reports 
weekly. (short-term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Per IRS: Open. IRS developed new procedures for working on the 
unmatched exception reports. Accounts on the unmatched exception report 
will be resolved by matching information between the master file and 
the Automated Lien System (ALS). Timely report resolution is an 
integral function of the Centralized Lien Unit, and time frames and 
managerial oversight are built into report resolution processes. 
Managers and employees have received training on the entity portion of 
the reject report. Training will be ongoing as new employees are 
assigned to the unit. IRM provisions require resolution of rejected 
accounts within 5 business days. Managers will monitor timeliness and 
will report weekly on the outstanding inventory. SB/SE has started 
working on the cumulative listings; 
however, additional time is needed to complete the listings. Collection 
Policy will conduct an onsite review in fiscal year 2006; 
Per GAO: Open. According to IRS officials we contacted in March 2006, 
IRS anticipates completing this review in June 2006. We will continue 
to review the results of IRS's quality review as part of our fiscal 
year 2006 audit. 

Count: 47; 
ID. No.: 05-05; 
Recommendation: Provide training to designated staff on how to resolve 
exception reports. (short-term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Per IRS: Closed. Managers and employees have received training on the 
resolution of the restricted interest portion of the SATMOD reject 
report. IRS conducted a review during the period October 31, 2005, to 
November 4, 2005. All current employees have received training. 
Procedural changes are not required; 
Per GAO: Closed. We verified that IRS had provided training to 
designated staff on resolving exception reports. 

Count: 48; 
ID. No.: 05-06; 
Recommendation: Research and resolve the current backlog of unresolved 
manual interest or penalties reports. (short-term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Per IRS: Open. Managers and employees have received training on the 
resolution of the manual computation portion of the reject report. IRM 
provisions require resolution of the rejected accounts within 5 
business days. Managers will monitor timeliness and will report weekly 
on the outstanding inventory. The Collection Policy unit will conduct 
an on-site review. Training will be given to all new employees as they 
are assigned to the group. The revised anticipated completion date is 
May 2006; 
Per GAO: Open. According to IRS officials we contacted in March 2006, 
IRS anticipates completing this action in May 2006. We will continue to 
monitor IRS's efforts to address its backlog of exception reports 
containing liens with manually calculated interest or penalties as part 
of our fiscal year 2006 audit. 

Count: 49; 
ID. No.: 05-07; 
Recommendation: Research and resolve exception reports containing liens 
with manually calculated interest or penalties weekly, as called for in 
the IRM and the ALS User Guide. (short-term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Per IRS: Closed. ALS receives a master file data extract listing 
modules where liabilities have been fully paid. The data extract that 
is matched against information in the ALS automatically releases liens 
when there is a match. In the case of modules with restricted interest 
or penalty, the module is placed on a report for manual processing. In 
our review of 300 satisfied modules, we identified five cases with 
additional restricted interest or penalties. The remaining amounts due 
after computation were for very small amounts, less than $10. Based on 
those reviews, we ascertained that these cases should receive systemic 
release based on the status 12 information provided by master file and 
verified by our review. Copies of the last four weekly extract 
transmittals in March were reviewed to verify that there were no 
restricted interest and penalty entries on the listing--confirming that 
these cases have been systemically released; 
Per GAO: Open. According to IRS, an internal study determined that the 
dollar amounts of additional interest and penalties to be assessed on 
cases with liens requiring manual calculations was not significant. 
Consequently, IRS is in the process of revising the IRM to no longer 
require the additional manual computation and assessment of interest 
and penalties on such cases. In addition, IRS updated its computer 
programs to automatically release liens once the current account 
balance had been satisfied. IRS's actions are based on its 
determination that the additional interest and penalty amounts are not 
significant. We will review the results of IRS's internal analysis 
during our fiscal year 2006 audit. 

Count: 50; 
ID. No.: 05-08; 
Recommendation: Provide training to designated staff on how to resolve 
exception reports containing accounts with manually calculated interest 
or penalties. (short-term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Per IRS: Closed. IRS conducted workshops and provided training to 
employees of the Centralized Case Processing Lien Teams. IRS conducted 
an onsite review during the period, October 31, 2005, to November 4, 
2005. Procedural changes are not required; 
Per GAO: Closed. IRS created a special unit within the Centralized Case 
Processing Lien Processing Unit at the Cincinnati Campus to resolve 
accounts containing restricted interest and penalties. We verified that 
IRS had provided training to staff in this unit for resolving exception 
reports containing accounts with manually calculated interest and 
penalties. Unit staff we interviewed understood these procedures. 

Count: 51; 
ID. No.: 05-09; 
Recommendation: Improve the current unmatched exception report by 
including a cumulative list of all unmatched taxpayer accounts that 
have not been resolved to date. (short-term); 
Source report: Opportunities to Improve Timeliness of IRS Lien Releases 
(GAO-05-26R, Jan. 10, 2005); 
Per IRS: Open. Requests for additional enhancements to cumulate the 
reject report have been initiated. In the interim, area managers are 
required to print and resolve reports based on IRM procedures. 
Anticipated date of completion is January 2007; 
Per GAO: Open. We will review IRS's corrective actions during future 
audits. 

Count: 52; 
ID. No.: 05-10; 
Recommendation: Revise the Accounts Management Mail Unit procedures, 
scheduled to be incorporated into the IRM, to include detailed 
instructions for (1) monitoring transshipped documents and (2) handling 
cash receipts found during extraction. Where adequate guidance exists 
elsewhere, IRS should include these through cross-references. (short-
term); 
Source report: Management Report: Review of Controls over Safeguarding 
Taxpayer Receipts and Information at the Brookhaven Service Center 
Campus (GAO-05-319R, Mar. 10, 2005); 
Per IRS: Closed. IRM 3.10.72.12 and 3.10.203 were updated to include 
detailed procedures for mail operations where Submission Processing no 
longer has a presence. These instructions include monitoring 
transshipped documents, safeguarding taxpayer receipts and information, 
precise candling, and security requirements. The IRM also contains a 
cross-reference to the handling of cash receipts; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
IRS updated the IRM to include detailed procedures and cross-
references, where applicable, for mail operations for SCCs selected for 
significant reductions in their submission processing functions. 

Count: 53; 
ID. No.: 05-11; 
Recommendation: Enforce adherence to existing instructions on 
safeguarding taxpayer receipts and information, such as securing access 
and candling procedures, at SCCs selected for significant reductions in 
their submission processing functions. (short-term); 
Source report: Management Report: Review of Controls over Safeguarding 
Taxpayer Receipts and Information at the Brookhaven Service Center 
Campus (GAO-05-319R, Mar. 10, 2005); 
Per IRS: Closed. IRS has enforced adherence to existing instructions on 
safeguarding taxpayer receipts and information by including this 
requirement in the monthly Campus Security Reviews. It is also reviewed 
annually by the National Office Security Review Team at selected sites. 
Local Management continually reinforces these requirements through 
employee counseling and individual and group meetings with security 
clerks to ensure procedures for issuance of badges, inventory of 
badges, and security of taxpayer receipts and information. Meetings 
have also been held to discuss candling procedures. Local management 
also conducts weekly and monthly reviews to ensure adherence to these 
procedures; 
Per GAO: Open. IRS's corrective actions addressing enforcing adherence 
to instructions on safeguarding receipts and information occurred 
subsequent to our fiscal year 2005 fieldwork and will continue as 
future SCCs are selected for significant reductions in their submission 
processing functions. We will continue to evaluate IRS's corrective 
actions during our fiscal year 2006 audit. 

Count: 54; 
ID. No.: 05-12; 
Recommendation: Document a methodology for estimating anticipated rapid 
changes in mail volume at future SCCs selected for significant 
reductions in their submission processing functions, taking into 
consideration factors such as the prior rampdown experience at 
Brookhaven. (short-term); 
Source report: Management Report: Review of Controls over Safeguarding 
Taxpayer Receipts and Information at the Brookhaven Service Center 
Campus (GAO-05-319R, Mar. 10, 2005); 
Per IRS: Open. IRS will use historical data obtained from the 
Brookhaven Campus rampdown, and any other prior consolidations, to 
develop and document a methodology for estimating future mail volumes. 
This methodology will be used in future consolidations to ensure that 
IRS has reliable data to effectively manage resources during and after 
the consolidation period; 
Per GAO: Open. We will evaluate IRS's efforts to develop and document a 
methodology for estimating mail volume for future sites selected for 
rampdown. 

Count: 55; 
ID. No.: 05-13; 
Recommendation: Enforce its existing requirement that appropriate 
background investigations be completed for contractors before they are 
granted staff-like access to service centers. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. IRS has implemented steps to monitor and enforce the 
requirements issued on September 29, 2003, on the issuance of ID cards 
to contractors. This guidance requires that a letter from the NBIC 
indicating successful completion of at least an interim background 
investigation be received by the issuing office before a contractor can 
be approved for staff-like access to IRS. The guidance further 
stipulates that Physical Security staff would, at least every 6 months, 
ensure that a re-certification had been received from the contracting 
officer's technical representative (COTR) confirming the contractors' 
need for continued staff-like access to the IRS facility. Additionally, 
as part of the required records and accountability process, non-federal 
photo ID cards are audited annually by the issuing office to reconcile 
numerical and alphabetical files and ensure that ID cards have been 
recovered upon separation or termination of the contract; 
Per GAO: Open. IRS indicated that steps were taken in September 2003 to 
monitor and enforce the requirement that appropriate background 
investigations be completed for contractors before they are granted 
staff-like access to service centers. However, our recommendation was 
based on findings from our fiscal year 2004 audit, which occurred 
subsequent to the issuance of IRS's guidance. As such, IRS's actions 
are not sufficient to address the objective of this recommendation. We 
will continue to evaluate IRS's enforcement, oversight, and 
implementation of contractor background investigation policies during 
our fiscal year 2006 audit. 

Count: 56; 
ID. No.: 05-14; 
Recommendation: Require that background investigation results for 
contractors (or evidence thereof) be on file where necessary, including 
at contractor worksites and security offices responsible for 
controlling access to sites containing taxpayer receipts and 
information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. A Mission Assurance policy memorandum dated September 
29, 2003, requires the COTRs to complete and submit a request form for 
every contract employee. Implementation of the standardized form 
assures that all required information is provided in order for the 
contractor to receive its IRS photo ID card. The guidance requires a 
copy of the letter from NBIC indicating successful completion of at 
least an interim background investigation be attached to the request 
form or no ID card will be issued. Both documents are maintained by the 
issuing office; 
Per GAO: Open. IRS's policies and procedures do not require that 
documentation of the results of background checks for contractors be 
maintained onsite at SCCs where contractors are allowed access to sites 
containing taxpayer receipts and information. During our fiscal year 
2005 audit, we found that one SCC did not always maintain this 
information onsite. 

Count: 57; 
ID. No.: 05-15; 
Recommendation: Require that courier contracts call for couriers to 
submit contingency plans to lockbox banks. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. IRS updated LPG 4.2.3.1, Courier Contingency Plan, on 
January 1, 2005, to require that prior to implementation of the 
contract, the courier service must provide the lockbox with a disaster 
contingency plan. The contingency plan must cover labor disputes, 
employee strikes, inclement weather, natural disasters, traffic 
accidents, and unforeseen events; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
IRS updated the LPG to require that courier service contractors must 
provide the lockbox bank with a disaster contingency plan. 

Count: 58; 
ID. No.: 05-16; 
Recommendation: Review lockbox bank courier contingency plans to help 
ensure that they incorporate all contingencies specified in the LPG. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 05-247R, Apr. 27, 2005); 
Per IRS: Closed. Contingency plans were provided by all lockbox sites 
by March 31, 2005, and were part of the Filing Season Readiness (FSR) 
Plan. LPG 4.2.3.1 states "the contingency plan must cover labor 
disputes, employee strikes, inclement weather, natural disasters, 
traffic accidents, and unforeseen events." The lockbox coordinators 
reviewed the contingency plans to ensure that these issues were 
addressed. The lockbox coordinators interpreted the contingency plans 
to be complete; 
for example, the coordinators may have viewed contingencies covering 
natural disasters as sufficient to address inclement weather even 
though the term "inclement weather" was not specifically stated in the 
plan. GAO disagreed, citing continued areas of deficiencies. In 
September 2005, the FMS/IRS Security Team conducted an additional 
review of each site's courier contingency plans to ensure compliance. 
Their review indicated that in order to increase consistency and ensure 
the plans are clearly documented, strengthening of the contingency plan 
requirements was necessary. The 2006 LSG 2.7 (1) and (2) includes 
clarification of the requirements for the courier contingency plans. 
Review of the contingency plans to ensure incorporation of all of the 
requirements is now assigned to the IRS/FMS security team as part of 
the on-site courier contingency review; 
Per GAO: Closed. We verified that IRS and FMS jointly reviewed the 
lockbox bank courier contingency plans and as a result included 
language in the LSG clarifying that before courier contracts are 
implemented, couriers must provide a disaster contingency plan to the 
lockbox bank addressing specific contingencies. 

Count: 59; 
ID. No.: 05-17; 
Recommendation: Revise the LPG to specify that courier contingency 
plans be available at lockbox banks. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. LPG 4.2.3.1(1) was updated June 30, 2005, to state 
that all banks must maintain a signed copy of the courier contingency 
plan on-site; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
IRS revised the LPG to specify that courier contingency plans be 
available at lockbox banks. 

Count: 60; 
ID. No.: 05-18; 
Recommendation: Review lockbox bank courier and shredding contracts to 
ensure that they address all privacy-related criteria and include clear 
reference to privacy-related laws and regulations. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. The LPG 4.2.3(2), was updated on January 1, 2005--
Courier Services--which requires lockbox banks to ensure all bonded 
courier/armored car agreements address all privacy-related criteria and 
include clear reference to privacy-related laws and regulations. 
Effective January 1, 2006, in addition to the above requirement, the 
LSG.2.17.6 (2)(a) added the requirement that all lockbox banks ensure 
shred company contracts contain clear reference to the privacy-related 
laws and regulations. In October 2005 the Lockbox Policy and Procedures 
team reviewed and confirmed that all courier and shred contracts 
contained all privacy related criteria. Banks must submit their 
contracts to the Lockbox Policy and Procedures team for their review by 
October 1 of each year. The courier contract is also reviewed by the 
IRS/FMS security staff during the on-site courier security review; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
the courier and shredding contracts had the required privacy-related 
language and related provisions set forth in the Privacy Act of 1974. 
In addition, we verified that the LSG requires lockbox banks to ensure 
that all bonded courier agreements contain privacy-related language and 
reminds couriers of their responsibility to not disclose taxpayer 
information. 

Count: 61; 
ID. No.: 05-19; 
Recommendation: Revise the LPG to require that (1) lockbox couriers 
promptly return deposit receipts to the lockbox banks following 
delivery of taxpayer remittances to depositories and, (2) lockbox banks 
promptly review the returned deposit receipts. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. IRS Lockbox Policy and Procedures Section updated the 
LPG on January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS 
Lockbox Bank Deposit Form --which requires the lockbox site to receive 
back by the next business day the original completed Receipt for 
Transport of IRS Lockbox Bank Deposit Form with the bank 
representative's name and signature, date and time the deposit was 
received by the depository; 
and each day the lockbox site must reconcile the Receipt for Transport 
of IRS Lockbox Bank Deposit Form(s) to ensure receipt of dedicated 
service (e.g., the time between release to the courier and the release 
to the bank is not in excess). If discrepancies are found, the lockbox 
field coordinator should be notified immediately; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
IRS updated the LPG to require that (1) lockbox couriers return, on the 
next business day, deposit receipts to the lockbox banks following 
delivery of the taxpayer remittances to depositories and (2) lockbox 
banks promptly review, on a daily basis, the returned deposit receipts. 

Count: 62; 
ID. No.: 05-20; 
Recommendation: Revise the LPG to require that deposit receipts for 
taxpayer remittances be time-and date- stamped. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. The LPG was updated on January 1, 2005--LPG 4.2.3.1.8, 
Receipt for Transport of IRS Lockbox Bank Deposit Form--to require the 
courier service employee to return the form to the lockbox site on the 
next business day, ensuring the following information is completed on 
the form: the depository bank employee's name and signature, the date 
the deposit was received by the depository, and the time the deposit 
was received by the depository; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
IRS updated the LPG to require that deposit receipts for taxpayer 
remittances include the time and date of receipt by the depository 
institution. 

Count: 63; 
ID. No.: 05-21; 
Recommendation: Better enforce the LPG requirement that lockbox bank 
couriers annotate the time of delivery on receipts for deposits of 
taxpayer remittances. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox 
Bank Deposit Form, was updated on January 1, 2005, to require lockbox 
bank couriers to annotate the time of delivery of receipts for deposits 
of taxpayer remittances. New Security Performance Measures have been 
developed to measure and rate each site's overall adherence to security 
guidelines and provides incentives/disincentives accordingly. Mission 
Assurance and FMS Security support the Lockbox Policy and Procedures 
Program Office in conducting security reviews. Reviews will rate each 
site's compliance to physical, personnel, courier, and IT security. 
Security Performance Measures is scheduled to be fully implemented by 
January 2006. To further prepare for filing season each year, each bank 
is now required to certify that they are adhering to security 
guidelines; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
IRS updated the LPG to require that couriers annotate the time of 
delivery of receipts for deposits of taxpayer remittances. We did not 
find any instances during our fiscal year 2005 testing in which the 
courier did not annotate the time the courier received the deposit from 
the bank personnel. 

Count: 64; 
ID. No.: 05-22; 
Recommendation: Provide a written reminder to courier contractors of 
the need to adhere to all courier service procedures. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. Effective January 1, 2006, the lockbox banks must 
provide an annual memorandum to the courier contractor reminding them 
that they must adhere to all of the courier service procedures in the 
LSG. For the campuses, Service Center Accounting held a conference 
(Deposit Manager's CPE on January 31, 2006) with FMS, the Federal 
Reserve Banks, and the servicing TGA banks and reinforced all policies 
and procedures governing the courier process as outlined in IRM 3.8.45; 
Per GAO: Open. We verified that IRS's LSG requires lockbox banks to 
issue an annual memorandum to courier contractors reminding them to 
adhere to all courier service procedures in the LSG. However, this 
memorandum had not been issued by the conclusion of our fiscal year 
2005 fieldwork. We will evaluate IRS's corrective actions during our 
fiscal year 2006 audit. 

Count: 65; 
ID. No.: 05-23; 
Recommendation: Periodically verify that contractors entrusted with 
taxpayer receipts and information off site adhere to IRS procedures. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. The Lockbox LSG requires that while transporting the 
data from the lockbox facility, the courier vehicle used to transport 
taxpayer data/remittances must be locked and secured (LSG 2.13), driven 
directly to the destination (LSG 2.12) and the vehicle must always be 
under the supervision of the courier (LSG 2.13). All couriers are 
required to complete the same National Agency Check and Inquiry with 
Credit Investigation (NACIC) as bank management officials. For specific 
transport activities, deposit ticket and deposit transport timeframes 
are reviewed as part of Lockbox Performance Measures; 
Per GAO: Open. IRS's corrective actions do not address the intent of 
this recommendation, which envisioned IRS testing courier compliance 
through observations or similar methods. During our fiscal year 2005 
audit, we found instances where couriers did not follow IRS policies 
and procedures while transporting receipts and information. During our 
observations of couriers en route, we continued to find instances where 
couriers either made unauthorized stops before proceeding to the 
depository institution or left the vehicle unattended while it 
contained taxpayer receipts and information. 

Count: 66; 
ID. No.: 05-24; 
Recommendation: Develop alternative, back-up plans that are consistent 
with IRS courier policies and procedures to address instances in which 
only one courier reports for transport of taxpayer receipts or 
information, such as requiring that a service center or lockbox bank 
employee accompany the courier to the depository. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. The 2005 LPG 4.2.3.1 "Courier Contingency Plan" was 
updated on July 18, 2005 (effective Aug. 29, 2005) to include a plan 
that ensures the security of receipts if courier requirements are not 
met, or the courier contractor is unable to send suitable replacement 
couriers in time to meet the bank's deposit deadline. Submission 
Processing campuses submitted contingency plans in May 2005, which 
outline what deposit managers are to do in the event that couriers are 
unable to transport a deposit in the event of non- compliance with 
contract requirements, vehicle breakdown, or other reasons. In 
addition, the implementation of the Courier Daily Checklist in April 
2005 has continued to work smoothly; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
IRS had updated its LPG for lockbox banks and submitted contingency 
plans for SCCs, which outline what to do in the event that couriers are 
unable to transport a deposit in the event of noncompliance with 
contract requirements. 

Count: 67; 
ID. No.: 05-25; 
Recommendation: Formulate a policy to require that critical utility or 
security controls not be located in areas requiring frequent access. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 05-247R, Apr. 27, 2005); 
Per IRS: Open. Mission Assurance developed policy guidelines to address 
protection of security or critical controls. Mission Assurance will 
request transfer of this corrective action to W&I to coordinate with 
the business operating divisions and Procurement to incorporate any 
revised requirements into updated and future interagency agreements 
with FMS; 
Per GAO: Open. During our fiscal year 2005 audit, we verified that IRS 
continues to develop guidelines to address protection of security of 
critical controls. These corrective actions were not complete at the 
conclusion of our fiscal year 2005 fieldwork. We will continue to 
evaluate IRS's corrective actions during our fiscal year 2006 audit. 

Count: 68; 
ID. No.: 05-26; 
Recommendation: Require lockbox bank management to position closed-
circuit television (CCTV) cameras to enable monitoring of secured areas 
containing sensitive systems or controls. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. Mission Assurance has developed and incorporated a 
CCTV evaluation matrix into the security review process ensuring that 
critical areas and assets are monitored. Every camera is assessed 
during the review. In addition, verbiage for the CCTV requirements is 
being strengthened in W&I's new proposed LSG currently under 
development. The LSG will require at least one camera monitor the main 
utility feeds. Also, the LPG requires that the IRS security controls, 
equipment, and utilities must be locked to prevent tampering and that 
keys will be controlled and limited to authorized bank employees. 
Mission Assurance will also include key and combination controls and 
management as part of its review process at the banks; 
Per GAO: Open. During our fiscal year 2005 audit, we found a sensitive 
area in a lockbox bank that was not monitored by a camera. The 
corrective actions planned by IRS had not been implemented at the 
conclusion of our fieldwork. We will continue to assess IRS's 
corrective actions during our fiscal year 2006 audit. 

Count: 69; 
ID. No.: 05-27; 
Recommendation: Periodically monitor lockbox banks' adherence to the 
LPG requirement that keys be kept in secured containers within the 
secured perimeter. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 05-247R, Apr. 27, 2005); 
Per IRS: Closed. The LSG was revised and published on January 1, 2006. 
The LSG requires strict control of keys, panels, and access to rooms 
and areas that contain facility utilities and controls. Lockbox banks 
are monitored and reviewed to ensure compliance to the policy. The 
Lockbox Physical Security Checklist includes checks to verify 
compliance to the policy. Five lockbox reviews have been conducted 
subsequent to publication of the LSG, and IRS has not observed any 
instances of this finding at any of the sites reviewed; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
IRS periodically monitored adherence to this requirement during its 
lockbox bank security reviews. 

Count: 70; 
ID. No.: 05-28; 
Recommendation: Assess technologies that may be exempt from the visual 
inspection requirement to determine whether they are acceptable methods 
of satisfying candling objectives and, if so, add such technologies to 
the LPG list of accepted candling methods. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. IRS Lockbox Policy and Procedures staff determined 
that current technologies are not exempt from the candling requirement 
and added to the 2005 LPG 3.2.8(1) that envelopes opened (either 
manually or by OPEX) on three or more sides must be candled once on the 
candling tables. All other envelopes must be candled twice on the 
candling tables; 
Per GAO: Closed. IRS's determination that current technologies are not 
exempt from the candling requirement, and the additional LPG guidelines 
added and verified by us during our fiscal year 2005 audit meets the 
objective of this recommendation. 

Count: 71; 
ID. No.: 05-29; 
Recommendation: Conduct an assessment of the costs and benefits of 
relying on only one candling when using certain automated equipment. 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. W&I determined that a cost benefit analysis was not 
necessary because it previously assessed the candling function on the 
automated equipment. To provide additional risk mediation, W&I revised 
the LPG under section 3.2.8 (1) to require that envelopes opened 
(either manually or by OPEX equipment) on three or more sides must be 
candled once on the candling tables. W&I will monitor adherence during 
site reviews; 
Per GAO: Closed. IRS's determination that current technologies are not 
exempt from the candling requirement and the additional LPG guidelines 
added, and verified by us during our fiscal year 2005 audit meet the 
objective of this recommendation. 

Count: 72; 
ID. No.: 05-30; 
Recommendation: Clarify the LPG to eliminate confusion about the number 
of candlings required for different extraction methods. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. IRS updated the 2005 LPG 3.2.8, Candling, to require 
that envelopes opened (either manually or by OPEX) on three or more 
sides must be candled once on the candling tables. All other envelopes 
must be candled twice on the candling tables; 
Per GAO: Closed. We verified that IRS updated the LPG to clarify 
requirements concerning the number of candlings. 

Count: 73; 
ID. No.: 05-31; 
Recommendation: Establish guidelines and a testing requirement to 
ensure satisfactory lighting conditions for effective candling. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. IRM 3.10.72.6.2 (2) (a) requires that all candling 
equipment on both initial and final candling tables shall be adjusted 
as necessary to maintain maximum envelope recognition. Maximum envelope 
recognition is determined by the measurement of foot candles through 
use of a light meter. Minimum reading on the light meter should be 174. 
The testing of the candling equipment should be completed twice 
annually for IMF sites and quarterly for BMF sites. Testing will be 
completed prior to peak time-frames. Management or a designated 
employee will complete the candling equipment review log to verify 
lights are meeting minimum requirements. Light meters are available and 
testing has been completed at all SPCs to ensure requirements are met. 
Sorting table vendors have been contacted and are aware of this 
requirement and are adjusting all new tables that are purchased to 
ensure they are in compliance; 
Per GAO: Closed. During our fiscal year 2005 audit, we verified that 
IRS revised its IRM to include guidelines for testing lighting 
conditions for candling equipment. 

Count: 74; 
ID. No.: 05-32; 
Recommendation: Establish policies and procedures to require 
appropriate segregation of duties in small business/self-employed units 
of field offices with respect to preparation of Payment Posting 
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Open. IRS will establish a procedure(s) for SB/SE field office 
units to track Document Transmittal forms and acknowledgments of 
receipt of Document Transmittal forms. IRS will also strengthen 
guidance to revenue officers and will develop procedures specifically 
for its field clerical staff. IRS's procedures will clarify that 
revenue officers are responsible for submitting an appropriately 
labeled sealed envelope containing the Daily Report of Collection 
Activity form to a designated clerical contact in the post of duty 
(POD). This guidance will apply unless the revenue officers are working 
away from the POD on extended field calls, flexiplace, or are working 
in a single revenue officer POD. Those revenue officers will send the 
envelope directly to Submission Processing; 
Per GAO: Open. IRS's proposed corrective actions to this recommendation 
have not been finalized and published in the IRM. We will continue to 
monitor future developments in this area during our fiscal year 2006 
audit. 

Count: 75; 
ID. No.: 05-33; 
Recommendation: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. In 2005, Remittance Training covering the procedures 
for remittance processing was conducted for all TAC managers. The 
requirement for including a document transmittal form listing the Daily 
Report of Collection Activity forms in the transmittal package was 
emphasized. Field Assistance headquarters began operational reviews on 
February 28, 2006 to, among other things, ensure TAC adherence to 
required IRM procedures. Additional emphasis was placed on development 
of internal controls and the oversight and accountability of both 
employees and managers within Field Assistance. Specifically, Field 
Assurance headquarters began conducting operational reviews on February 
28, 2006. The operational reviews include assessing their ability to 
engage employees in process and program improvement, identifying best 
practice ideas, ensuring elements of accountability and responsibility 
are clearly communicated at each level, and assessing conformance to 
the current policies and procedures; 
Per GAO: Open. During our fiscal year 2005 audit, we found that three 
of eight TACs we visited did not use a document transmittal to transmit 
multiple Daily Report of Collection Activity forms to their respective 
SCC for further processing. We will continue to evaluate IRS's 
implementation of its corrective actions during our fiscal year 2006 
audit. 

Count: 76; 
ID. No.: 05-34; 
Recommendation: Establish a procedure for SB/SE field office units to 
track Document Transmittal forms and acknowledgments of receipt of 
Document Transmittal forms. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Open. IRS will update its procedures to clarify that the 
managers should ensure continuous coverage of the designated clerical 
contact duties so that absence due to illness or leave does not disrupt 
the processing of remittances; 
Per GAO: Open. IRS's corrective actions were not implemented during our 
fiscal year 2005 audit. In addition, our audit continued to find 
numerous instances of SB/SE groups not properly tracking document 
transmittal forms to ensure that taxpayer receipts and information were 
received by the recipient. We will evaluate IRS's corrective actions 
during our fiscal year 2006 audit. 

Count: 77; 
ID. No.: 05-35; 
Recommendation: Require evidence of managerial review of recording, 
transmittal, and receipt of acknowledgments of taxpayer receipts and 
information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Open. IRS will establish a procedure(s) to require evidence of 
managerial review of recording, transmittal, and receipt of 
acknowledgments of taxpayer receipts and information. However, IRS will 
not implement any procedure requiring 100 percent managerial review. 
IRS's new procedures will call for random managerial spot-checking of 
packages prepared for submission to Submission Processing by revenue 
officers working in PODs or by the designated clerical contacts in the 
PODs. The new procedure(s) will not call for any random managerial spot-
checking of packages prepared by revenue officers working away from the 
POD on extended field calls or flexiplace. Instead, on those packages, 
IRS will continue to rely on the remittance reviews conducted by 
remittance processing personnel in Submission Processing. These reviews 
will be documented by the revenue officer group manager and be retained 
for the appropriate period required under record management guidelines; 
Per GAO: Open. IRS's corrective actions were not implemented during our 
fiscal year 2005 audit. In addition, we continued to find numerous 
instances where SB/SE groups did not provide evidence that managers, or 
a designee, reviewed the recording, transmittal, and receipt of 
acknowledgements of taxpayer receipts and information to ensure that 
they were received and acknowledged by the recipient. We will evaluate 
IRS's corrective actions during our fiscal year 2006 audit. 

Count: 78; 
ID. No.: 05-36; 
Recommendation: Assess options to prevent the generation or 
disbursement of refunds associated with accounts with unresolved AUR 
discrepancies, including placement of a freeze or hold on all such 
accounts, until the AUR review has been completed. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. IRS's position is that, if followed, the procedures it 
has in place adequately address preventing the generation or 
disbursement of refunds associated with AUR accounts. IRM 3.8.45 
requires employees receiving an unidentified remittance to conduct 
Integrated Data Retrieval System (IDRS) research to determine if there 
is an open account that allows for posting of the remittance. Also, AUR 
will partner with SP to ensure that employees receiving unidentified 
remittances are aware of the need to conduct IDRS research and how to 
properly post AUR remittances in these instances; 
Per GAO: Open. During our fiscal year 2005 audit, we found a technician 
in the Unidentified Remittance unit unaware of how to properly post 
remittances for AUR cases. We will continue to monitor IRS's efforts in 
preventing the generation or disbursements of refunds associated with 
AUR accounts during our fiscal year 2006 financial audit. 

Count: 79; 
ID. No.: 05-37; 
Recommendation: Enforce documentation requirements relating to 
authorizing officials charged with approving manual refunds. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. A memorandum was issued on August 3, 2005, as a 
reminder to solicit the annual list of authorized signatures 
(individuals formally delegated authority to sign manual refunds). The 
campuses were advised to submit a memorandum to National Office no 
later than October 31, certifying they had completed the request for 
authorized signatures. This information was also conveyed via 
Information Alert: W&I-IA-2002-1149-2005, dated March 17, 2005; 
and will be covered by BMF headquarter staff during their unannounced 
visits; 
Per GAO: Open. During our fiscal year 2005 audit, we continued to find 
issues with the documentation requirements relating to authorizing 
officials charged with approving manual refunds. For example, IRS 
policy requires that IRS submit a memorandum identifying the personnel 
designated to authorize manual refunds. The list must include the name, 
title/position, and signature of the designated person and official 
issuing the memorandum. However, during our July 2005 testing, we found 
memorandums that were either over a year old or lacked the required 
information. The reminder memorandum Submission Processing issued on 
August 3, 2005, was issued subsequent to our July 2005 fieldwork. We 
will continue to follow up on IRS's efforts to improve the 
documentation requirements during our fiscal year 2006 financial audit. 

Count: 80; 
ID. No.: 05-38; 
Recommendation: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. Submission Processing issued an alert on the SP Web 
site on March 17, 2005. A reminder memorandum was issued on August 3, 
2005. IRM check sheets were included, and campuses were required to 
confirm actions taken. IRS determined this item would not be included 
in the management accountability review process. As part of our 
commitment to improve the manual refund process, an attachment covering 
monitoring was included with the annual memorandum soliciting 
authorized manual refund signers. In response to the Service-wide 
Electronic Research Program (SERP) alert issued by Accounts Management, 
we included items that should be considered when Accounting Operations 
reviewed manual refund requests initiated by employees in the SP 
campuses. This will be covered by BMF headquarter staff during their 
unannounced visits; 
Per GAO: Open. During our fiscal year 2005 audit, we continued to find 
instances where the manual refund initiators did not monitor accounts 
to prevent duplicate refunds, and supervisors did not review the 
monitoring of accounts. We reviewed the alerts that IRS issued on April 
1, 2005 (Monitoring Manual Refunds) and May 13, 2005 (Managerial 
Procedures for Manual Refunds). However, we found that some of the 
manual refund initiators, leads, supervisors and managers were unaware 
of the alerts. The reminder memorandum issued on August 3, 2005 was 
issued subsequent to our July 2005 testing. We will continue to review 
IRS's monitoring and review efforts during our fiscal year 2006 
financial audit. 

Count: 81; 
ID. No.: 05-39; 
Recommendation: Enforce requirements for documenting monitoring actions 
and supervisory review. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. Submission Processing issued a reminder memorandum on 
August 3, 2005. IRM check sheets were included, and campuses were 
required to confirm actions taken. IRS determined this item would not 
be included in the management accountability review process. As part of 
our commitment to improve the manual refund process, an attachment 
covering monitoring was included with the annual memorandum soliciting 
authorized manual refund signers. In response to the SERP alert issued 
by Accounts Management, we included items that should be considered 
when Accounting Operations reviewed manual refund requests initiated by 
employees in the SP campuses. This will be covered by BMF headquarter 
staff during their unannounced visits; 
Per GAO: Open. During our fiscal year 2005 audit, we found the 
requirements for documenting monitoring actions and documenting 
supervisory review were not always enforced. The reminder memorandum 
issued on August 3, 2005, was issued subsequent to our July 2005 
testing. We will continue to monitor IRS's efforts in documenting the 
monitoring actions and documenting the supervisory review during our 
fiscal year 2006 financial audit. 

Count: 82; 
ID. No.: 05-40; 
Recommendation: Enforce the requirement that command code profiles be 
reviewed at least once annually. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Closed. SP supports Mission Assurance in enforcing IDRS 
security by ensuring appropriate officials are reminded annually of 
their security obligations. A memorandum, including IDRS security and 
the Automated Command Code Access Control, was issued August 3, 2005. 
IRS determined this item would not be included in the management 
accountability review process. An overview of the Automated Command 
Code Access Control (ACCAC) program was included in our Annual 
Solicitation for Authorized Signatures - Manual Refunds memorandum, 
dated August 3, 2005. This will be covered by BMF headquarter staff 
during their unannounced visits; 
Per GAO: Open. During our fiscal year 2005 audit, we found that the 
requirement for the annual review of command code profiles was not 
always enforced. The reminder memorandum issued on August 3, 2005 was 
issued subsequent to our July 2005 fieldwork. We will continue to 
follow up on IRS's efforts in enforcing the requirement to review 
command code profiles at least once annually during our fiscal year 
2006 financial audit. 

Count: 83; 
ID. No.: 05-41; 
Recommendation: Specify in the IRM that staff members are not to review 
their own command code profiles. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr. 27, 2005); 
Per IRS: Open. The IRM wording will be updated, and recommendations 
will be included in annual reminders (memos, notices, etc.) to 
management officials that the approver's manager is responsible for 
ensuring that approvers' profiles have appropriate restrictions and 
have been reviewed. Mission Assurance updated its project Web page in 
January 2005, advising managers and unit security representatives to 
review IDRS user profiles to ensure that the appropriate restrictions 
have been added to the user's profile. Limited staffing resources have 
impacted the actual updating of the IDRS Security Law Enforcement 
Manual (LEM). The LEM wording will be updated to require managers and 
unit security representatives to review the IDRS security profiles to 
ensure that appropriate restrictions have been placed against the 
user's IDRS account. The LEM is expected to be revised by July 15, 
2006; 
Per GAO: Open. During our fiscal year 2005 audit, we found that the IRM 
wording to specify that staff members to not review their own command 
code profiles had not been updated. We will continue to monitor IRS's 
efforts in preventing staff members to review their own command code 
profiles during our fiscal year 2006 audit. 

Count: 84; 
ID. No.: 05-42; 
Recommendation: Specify in the IRM how to properly verify interest and 
penalties for accounts with liens with manually calculated interest or 
penalties. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 05-247R, Apr. 27, 2005); 
Per IRS: Closed. IRS revised the IRM to instruct employees to check the 
IDRS to determine if restricted interest or penalty is due. The IRM now 
clearly states that there are only two instances where restricted 
interest and penalty should not be computed, offer-in-compromise and 
bankruptcy cases. Also, instructions for computing restricted interest 
and penalty are found in the ALS User Guide as well as in training 
material and desk guides. In addition, tax examiners hired to staff the 
Centralized Case Processing (CCP), Lien Processing Unit were provided 
hands-on training in the computation of restricted interest and 
penalty. Resolution of these cases moved to CCP effective February 
2005. The centralized site has created a special group of employees who 
were trained in the resolution of restricted interest and penalty 
cases. New hires for this group will also receive this training. The 
LEM will be updated to reflect the changes made by the RIS; 
Per GAO: Open. According to IRS, an internal study determined that the 
dollar amounts of additional interest and penalty to be assessed on 
cases with liens requiring manual calculations was not significant. 
Consequently, IRS is in the process of revising the IRM to no longer 
require the additional manual computation and assessment of interest 
and penalty on such cases. In addition, IRS updated its computer 
programs to automatically release liens once the current account 
balance had been satisfied. IRS's actions are based on its 
determination that the additional interest and penalty amounts are not 
significant. We will review the results of IRS's internal analysis 
during our fiscal year 2006 audit. 

Count: 85; 
ID. No.: 06-01; 
Recommendation: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 86; 
ID. No.: 06-02; 
Recommendation: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including SCCs, TACs, and units within LMSB and 
TE/GE, establish a system to track acknowledged copies of document 
transmittals. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 87; 
ID. No.: 06-03; 
Recommendation: Provide instructions to document the follow-up 
procedures performed in those cases where transmittals have not been 
timely acknowledged. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 88; 
ID. No.: 06-04; 
Recommendation: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 89; 
ID. No.: 06-05; 
Recommendation: Equip all TACs with adequate physical security controls 
to deter and prevent unauthorized access to restricted areas or office 
space occupied by other IRS units, including those TACs that are not 
scheduled to be reconfigured to the "new TAC" model in the near future. 
This includes appropriately separating customer service waiting areas 
from restricted areas by physical barriers such as locked doors marked 
with signs barring entrance by unescorted customers. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 90; 
ID. No.: 06-06; 
Recommendation: Connect duress alarms to a central monitoring station 
or local police department or institute appropriate compensating 
controls when these alarm systems are not operable or in place. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 91; 
ID. No.: 06-07; 
Recommendation: Document supervisory visits by offsite managers to TACs 
not having a manager permanently on-site. This documentation should be 
signed by the manager and should (1) record the time and date of the 
visit, (2) identify the manager performing the visit, (3) indicate the 
tasks performed during the visit, (4) note any problems identified, and 
(5) describe corrective actions planned. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 92; 
ID. No.: 06-08; 
Recommendation: Enforce the requirement that all security or other 
responsible personnel at SCCs and lockbox banks record all instances 
involving the activation of intrusion alarms regardless of the 
circumstances that may have caused the activation. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 93; 
ID. No.: 06-09; 
Recommendation: Reemphasize the need for the security guards at all 
TACs to ensure that key PODs, such as entrances to facilities, are not 
left unattended. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 94; 
ID. No.: 06-10; 
Recommendation: Revise lockbox bank's security review checklist to 
ensure that it encompasses reviewing security incident reports to 
validate whether security personnel are providing corrective actions 
related to the incidents cited. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 95; 
ID. No.: 06-11; 
Recommendation: Refine the scope and nature of its periodic reviews of 
candling processes at SCCs to ensure they (1) encompass tests of 
whether envelopes are properly candled through observation of candling 
in process and inquiry of employees who perform initial and final 
candling, and (2) document the nature and scope of the test and 
observation results. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO- 06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 96; 
ID. No.: 06-12; 
Recommendation: Enforce its existing policies and procedures at lockbox 
banks to ensure that all remittances of $50,000 or more are processed 
immediately and deposited at the first available opportunity. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 97; 
ID. No.: 06-13; 
Recommendation: Refine the scope and nature of its periodic reviews of 
lockbox banks to include high dollar remittances to better monitor 
adherence to the requirement that they are processed immediately and 
deposited at the first available opportunity. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 98; 
ID. No.: 06-14; 
Recommendation: Refine the scope and nature of its periodic security 
reviews to encompass (1) testing the effectiveness of controls intended 
to ensure that only individuals with proper credentials are permitted 
access to SCCs and lockbox banks, and (2) reviewing the integrity of 
perimeter security at SCCs. (short- term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 99; 
ID. No.: 06-15; 
Recommendation: Revise the physical security procedures contained in 
the IRM to require that all SCCs and any respective annex facilities 
processing taxpayer receipts and/or information perform and document 
monthly tests of the facility's intrusion detection alarms. At a 
minimum, these procedures should (1) outline the type of test to be 
conducted, (2) include criteria for assessing whether the controls used 
to respond to the alarm were effective, and (3) require that a logbook 
be maintained to document the test dates, results, and response 
information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 100; 
ID. No.: 06-16; 
Recommendation: Amend its policy to require that a completed form 13094 
with a positive recommendation be provided for every juvenile hired to 
any position that will allow access to taxpayer receipts and/or 
taxpayer information. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 101; 
ID. No.: 06-17; 
Recommendation: Require IRS personnel to verify the information on the 
form 13094 by contacting the reference directly. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 102; 
ID. No.: 06-18; 
Recommendation: Revise the form 13094 to require the reference to 
describe his/her relationship with the juvenile, including extent of 
first-hand contact, to allow IRS to review the forms and assess whether 
the referencer has sufficient basis to recommend that juvenile to a 
position of trust. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 103; 
ID. No.: 06-19; 
Recommendation: Establish procedures for hiring juveniles who do not 
have a current teacher, principal, counselor, employer or former 
employer, and clarify that IRS's current policies and procedures should 
not be interpreted to mean that such juveniles should be allowed access 
to taxpayer receipts and information without a form 13094 or its 
equivalent. These procedures could include a list of acceptable 
alternatives that may serve as references for juveniles who do not have 
a current teacher, principal, or guidance counselor. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 104; 
ID. No.: 06-20; 
Recommendation: To assure proper accounting treatment of expense and 
P&E transactions and reliable financial reporting, we recommend that 
IRS enforce its property and equipment capitalization policy to ensure 
that it is properly implemented to fully achieve management's 
objectives, including recognizing assets when its capitalization 
criteria is met and recognizing expenses when it is not. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Because this is a recent recommendation, GAO did not obtain 
information on IRS's status in addressing it; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 105; 
ID. No.: 06-21; 
Recommendation: Generate aging reports when an asset remains in pending 
disposal status for longer than a specified period of time. (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Open. In March 2006 the chief information officer (CIO) 
property program manager informed GAO that issues raised in the FY 2005 
Financial Statement Audit are being addressed via a re-engineering 
effort focused on the entire asset retirement and disposal process. As 
such, reports are currently available to monitor aging transactions 
during the disposal life cycle. Additionally, procedures are being 
developed to require reviews of aging reports for the timely recording 
of disposal transactions. Substantial software modifications are being 
designed to improve the recording of information by replacing manual 
data entry methods by using electronic forms, signatures, and 
processes. In August 2006 these modifications and review procedures 
will be implemented to streamline the recording of asset disposal 
activity as required by IRS policy; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Count: 106; 
ID. No.: 06-22; 
Recommendation: Direct Facilities Management Branch managers to 
research and resolve the aging reports. (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Per IRS: Open. AWSS and CIO property managers have been working on 
reengineering the entire asset retirement and disposal process to 
mitigate issues raised in GAO's FY 2005 Financial Statement Audit. CIO 
staff reported on that initiative to GAO in March 2006. As such, 
reports are currently available for management to monitor the status of 
aging transaction dates until the disposal process is complete. Also, 
review procedures are being developed to streamline the process to 
ensure the timely recording of disposal transactions. In August 2006, 
reengineered process modifications and review procedures will be 
implemented and guidance for conducting reviews will be issued; 
Per GAO: Open. This is a recent recommendation. We will review IRS's 
corrective actions during future audits. 

Sources: IRS updates detailing IRS actions to address GAO's 
recommendations and GAO's analysis of IRS's actions. 

[End of table] 

[End of section] 

Appendix II: Comments from the Internal Revenue Service: 

Department Of The Treasury: 
Internal Revenue Service: 
Washington, D.C. 20224: 

Commissioner: 

May 25, 2006: 

Mr. Steven J. Sebastian: 
Director: 
Financial Management and Assurance: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, D.C. 20548: 

Dear Mr. Sebastian: 

Thank you for the opportunity to review and comment on your draft 
report entitled, "Internal Revenue Service: Status of Recommendations 
from Financial Audits and Related Financial Reports" (GAO-06-560). 

We are pleased that you acknowledged our progress in addressing our 
financial management challenges and agreed to close 34 of the 84 open 
financial management recommendations from last year's report. Although 
22 new recommendations were added, the total number of open 
recommendations continues to decrease. 

We have taken actions to address your recommendations and improve our 
internal controls. For example, we expanded our reportable condition 
plan for controls over hard-copy tax receipts. This plan now includes 
comprehensive actions to address your recommendations for lockboxes, 
submission processing campuses, Taxpayer Assistance Centers, and field 
offices. The Financial and Management Controls Executive Steering 
Committee will monitor the plan until completed. 

We appreciate your mapping the 72 open recommendations to specific 
internal control activities and grouping them into three broad control 
activities, Safeguarding of assets and security activities, Proper 
recording and documenting of transactions, and Effective management 
review and oversight. This approach provides additional information on 
the internal control issues and facilitates our strategy to address the 
financial management issues. 

I appreciate your willingness to work with us throughout the year to 
improve our internal controls. Your staff has met with representatives 
of the business units on many occasions to assist us in developing 
action plans to resolve these issues. 

If you have any questions, please contact Janice Lambert, Chief 
Financial Officer, at (202) 622-6400. 

Sincerely, 

Signed by: 

Mark W. Everson: 

[End of section] 

Appendix III: Staff Acknowledgments: 

The following individuals made major contributions to this report: 
William J. Cordrey, Charles Fox, Paul Foderaro, Nina Crocker, John 
Davis, Charles Ego, David Elder, Ted Hu, Jerrod O'Nelio, John Sawyer, 
Peggy Smith, Lisa Warde, Gary Wiggins, and Mark Yoder. 

(196093) 

Footnotes: 

[1] Management is responsible for establishing and maintaining internal 
control to achieve the objectives of effective and efficient 
operations, reliable financial reporting, and compliance with 
applicable laws and regulations. Part of the actions required by 
agencies and individual federal managers includes taking proactive 
measures to develop and implement appropriate, cost-effective internal 
control for results-oriented management; 
to assess the adequacy of internal control in federal programs and 
operations; 
to identify needed improvements; 
and to take corresponding corrective actions. 

[2] A material weakness is a reportable condition that precludes the 
entity's internal controls from providing reasonable assurance that 
material misstatements in the financial statements would be prevented 
or detected on a timely basis. Reportable conditions represent 
significant deficiencies in the design or operation of internal 
controls that could adversely affect an entity's ability to initiate, 
authorize, record, process, or report financial data reliably. 

[3] The Circular was revised in December 2004. The circular states that 
the revision followed a reexamination of the existing internal control 
requirements for federal agencies that was initiated in light of the 
new internal control requirements for publicly traded companies 
contained in the Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 
stat. 745 (July 30, 2002). However, the revised circular states that it 
is not effective until fiscal year 2006. Therefore, during the period 
covered by our fiscal year 2005 audit of IRS's financial statements, 
IRS had to comply with the requirements contained in the prior circular 
version, OMB Circular No. A-123, Management Accountability and Control 
(June 21, 1995). 

[4] GAO, Standards for Internal Control in the Federal Government, GAO/ 
AIMD-00-21.3.1 (November 1999). 

[5] The circular requires agencies and individual federal managers to 
take systematic and proactive measures to (1) develop and implement 
appropriate, cost-effective internal control for results-oriented 
management; 
(2) assess the adequacy of internal control in federal programs and 
operations; 
(3) separately assess and document internal control over financial 
reporting consistent with the process defined in Appendix A of the 
circular; 
(4) identify needed improvements; 
(5) take corresponding corrective action; 
and (6) report annually on internal control through management 
assurance statements. 

[6] GAO, Internal Control Standards: Internal Control Management and 
Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001). 

[7] GAO, Internal Revenue Service: Status of Recommendations from 
Financial Audits and Related Financial Management Reports, GAO-05-393 
(Washington, D.C.: Apr. 29, 2005). 

[8] GAO, Management Report: Improvements Needed in IRS's Internal 
Controls, GAO-06-543R (Washington, D.C.: May 12, 2006). 

[9] Short-term recommendations are defined as those that could be 
addressed within 2 years at the time we made the recommendation. Long- 
term recommendations are defined as those expected to require 2 years 
or more to implement at the time we made the recommendation. 

[10] The vast majority of federal tax payments are made for both 
businesses and individuals via the Electronic Federal Tax Payment 
System (EFTPS). 

[11] Information security controls include electronic access controls, 
software change controls, physical security, segregation of duties, and 
service continuity. These controls are designed to ensure that access 
to data is appropriately restricted, that only authorized changes to 
computer programs are made, that physical access to sensitive computing 
resources and facilities is protected, that computer security duties 
are segregated, and that backup and recovery plans are adequate to 
ensure the continuity of essential operations. 

[12] GAO, Information Security: Continued Progress Needed to Strengthen 
Controls at the Internal Revenue Service, GAO-06-328 (Washington, D.C.: 
Mar. 23, 2006). 

[13] Exception reports are one of the measures listed in GAO's Internal 
Control Management Evaluation Tool (GAO-01-1008G) as an information 
processing function. 

[14] Most refunds are generated automatically. However, under certain 
circumstances, IRS processes refunds manually to expedite payment. Such 
refunds include those over $10 million, those requested by taxpayers 
for immediate payment due to hardship or emergency, those to 
beneficiaries of deceased taxpayers, and those that need to be 
expedited because IRS is in jeopardy of paying interest for exceeding 
the 45-day limit for processing a return. 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, 

NelliganJ@gao.gov 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149 

Washington, D.C. 20548: