This is the accessible text file for GAO report number GAO-11-536 entitled 'Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations' which was released on June 22, 2011. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to the Commissioner of Internal Revenue: June 2011: Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations: GAO-11-536: GAO Highlights: Highlights of GAO-11-536, a report to the Commissioner of Internal Revenue. Why GAO Did This Study: In its role as the nation’s tax collector, the Internal Revenue Service (IRS) has a demanding responsibility to annually collect trillions of dollars in taxes, process hundreds of millions of tax and information returns, and enforce the nation’s tax laws. Since its first audit of IRS’s financial statements in fiscal year 1992, GAO has identified a number of weaknesses in IRS’s financial management operations. In related reports, GAO has recommended corrective actions to address those weaknesses. Each year, as part of the annual audit of IRS’s financial statements, GAO makes recommendations to address any new weaknesses identified and follows up on the status of IRS’s efforts to address the weaknesses GAO identified in previous years’ audits. The purpose of this report is to (1) provide an overview of the financial management challenges still facing IRS, (2) provide the status of financial audit and financial management–related recommendations and the actions needed to address them, and (3) highlight the relationship between GAO’s recommendations and internal control activities central to IRS’s mission and goals. What GAO Found: IRS has made progress in improving its internal controls and financial management since its first financial statement audit in 1992, as evidenced by 11 consecutive years of clean audit opinions on its financial statements, the resolution of several material internal control weaknesses, and actions resulting in the closure of nearly 300 financial management recommendations. This progress has been the result of hard work throughout IRS and sustained commitment at the top levels of the agency. However, IRS still faces significant financial management challenges in (1) resolving its remaining material weaknesses and significant deficiency in internal control, (2) developing outcome-oriented performance metrics, and (3) correcting numerous other internal control issues, especially those relating to safeguarding tax receipts and taxpayer information. At the beginning of GAO’s audit of IRS’s fiscal year 2010 financial statements, 85 financial management–related recommendations from prior audits remained open because IRS had not fully addressed the underlying issues. During the fiscal year 2010 financial audit, IRS took actions that GAO considered sufficient to close 37 recommendations. At the same time, GAO identified additional internal control issues resulting in 29 new recommendations. In total, 77 recommendations remain open. To assist IRS in evaluating and improving internal controls, GAO categorized the 77 open recommendations by various internal control activities, which, in turn, were grouped into three broad control categories. Table: Summary of Open Recommendations by Control Category: Safeguarding of assets and security activities: Open at the beginning of 2010: 19; Closed during 2010 audit: 4; New from 2010 audit: 14; Total remaining open: 29. Proper recording and documenting of transactions: Open at the beginning of 2010: 39; Closed during 2010 audit: 18; New from 2010 audit: 9; Total remaining open: 30. Effective management review and oversight: Open at the beginning of 2010: 27; Closed during 2010 audit: 15; New from 2010 audit: 6; Total remaining open: 18. Total: Open at the beginning of 2010: 85; Closed during 2010 audit: 37; New from 2010 audit: 29; Total remaining open: 77. Source: GAO. [End of table] The continued existence of internal control weaknesses that gave rise to these recommendations represents a serious obstacle for IRS. Effective implementation of GAO’s recommendations can greatly assist IRS in improving its internal controls and achieving sound financial management, which are integral to effectively carrying out its tax administration responsibilities. Most recommendations can be addressed within the next year or two. However, a few recommendations, particularly those concerning the functionality of IRS’s automated systems, are complex and will require several more years to effectively address. What GAO Recommends: GAO is not making any recommendations in this report. In commenting on a draft of this report, IRS stated that it is committed to implementing appropriate improvements to maintain sound financial management practices. View [hyperlink, http://www.gao.gov/products/GAO-11-536] or key components. For more information, contact Steven J. Sebastian at (202) 512-3406 or sebastians@gao.gov. [End of section] Contents: Letter: Background: Scope and Methodology: IRS Faces Significant Financial Management Challenges: Status of Recommendations Based on the Fiscal Year 2010 Financial Statement Audit: Open Recommendations Grouped by Internal Control Activity: Concluding Observations: Agency Comments and Our Evaluation: Appendix I: Status of GAO Recommendations from Internal Revenue Service Financial Audits and Related Management Reports: Appendix II: Open Recommendations Arranged by Material Weakness, Significant Deficiency, Compliance, or Other Control Issue: Appendix III: Comments from the Internal Revenue Service: Appendix IV: GAO Contact and Staff Acknowledgments: Tables: Table 1: Summary of Recommendations Grouped by Control Activity: Table 2: Open Recommendations to Improve IRS's Physical Controls over Vulnerable Assets: Table 3: Open Recommendation to Improve IRS's Segregation of Duties: Table 4: Open Recommendations to Improve IRS's Access Restrictions to and Accountability for Resources and Records: Table 5: Open Recommendations to Improve IRS's Documentation of Transactions and Internal Control: Table 6: Open Recommendations to Improve IRS's Accurate and Timely Recording of Transactions and Events: Table 7: Open Recommendations to Improve IRS's Execution of Transactions and Events: Table 8: Open Recommendations to Improve IRS's Reviews by Management at the Functional or Activity Level: Table 9: Open Recommendation to Improve IRS's Establishment and Review of Performance Measures and Indicators: Table 10: Open Recommendations to Improve IRS's Management of Human Capital: Table 11: Status of GAO Recommendations from Internal Revenue Service Financial Audits and Related Management Reports: Table 12: Material Weakness: Controls over Unpaid Assessments: Table 13: Significant Deficiency: Tax Refund Disbursements: Table 14: Compliance with Laws and Regulations: Timely Release of Liens: Table 15: Other Control Issues Not Associated with a Material Weakness, Significant Deficiency, or Compliance Issue: Abbreviations: CFO: Chief Financial Officer: FMFIA: Federal Managers' Financial Integrity Act of 1982: IRM: Internal Revenue Manual: IRS: Internal Revenue Service: OMB: Office of Management and Budget: SCC: service center campus: TAC: Taxpayer Assistance Center: TFRP: Trust Fund Recovery Penalty: [End of section] United States Government Accountability Office: Washington, DC 20548: June 22, 2011: The Honorable Douglas H. Shulman: Commissioner of Internal Revenue: Dear Mr. Shulman: In its role as the nation's tax collector, the Internal Revenue Service (IRS) has a demanding responsibility to collect taxes, process tax returns, and enforce the nation's tax laws. In fiscal year 2010, IRS collected about $2.3 trillion in tax payments, processed hundreds of millions of tax and information returns, and paid nearly $470 billion in refunds to taxpayers. Because of its role and overall mission, IRS's activities affect virtually all of the nation's citizens. It is therefore critical that the agency strive to maintain sound internal control and financial management practices. IRS has made much progress in improving its financial management since it was first required to prepare a set of financial statements nearly two decades ago. This progress is reflected in IRS's 11-year record of clean audit opinions on its financial statements and correcting several material weaknesses[Footnote 1] and significant deficiencies [Footnote 2] in internal controls over the years. At the same time, IRS continues to face significant financial management challenges in achieving the overarching goals of effective federal financial management--accountability and useful management information. To enable more effective financial and operational management, IRS needs to (1) address its remaining material weaknesses and its significant deficiency in internal control, (2) develop performance metrics that will enhance its ability to manage for outcomes, and (3) implement corrective actions to address other identified internal control issues. An agency's internal control serves as the first line of defense in safeguarding its assets and in preventing and detecting errors and fraud, as well as in helping to effectively manage its stewardship over public resources.[Footnote 3] For many years, IRS has had weaknesses in internal controls over fundamental elements of its operations that leave it vulnerable to a greater risk of fraud, waste, abuse, and mismanagement. During our audit of IRS's fiscal year 2010 financial statements,[Footnote 4] we found that IRS continued to be challenged with two long-standing material weaknesses in internal control that are at the heart of its operations--weaknesses in internal controls over unpaid tax assessments[Footnote 5] and over information systems security. We also found that IRS had a new significant deficiency in internal control over tax refund disbursements. In addition, as in past years, IRS management faces a challenge in enhancing and using its financial management capabilities to develop and use outcome-oriented performance metrics[Footnote 6] critical to providing the foundation upon which an agency can manage its operations for outcomes. Finally, we identified other internal control issues that need management attention, in particular several that relate to safeguarding tax receipts and taxpayer information. To assist IRS in strengthening its internal controls and improving its operations, over the years we have made numerous recommendations as part of our annual financial statement audits and other financial management-related work at IRS. This report (1) provides an overview of financial management challenges still facing IRS; (2) describes the status of financial audit and financial management-related recommendations and the actions needed to address them, as summarized in appendix I; and (3) discusses how the unresolved recommendations relate to control activities central to IRS's mission and goals. To assist IRS in addressing those control activities, appendix II provides summary information regarding the primary internal control issue to which each open recommendation is related. This report does not include our recommendations related to IRS's information systems security even though they also are the result of our annual financial audits and are financial management-related; those recommendations are reported separately because of the sensitive nature of many of the issues that give rise to the recommendations.[Footnote 7] We are not making any new recommendations in this report. Background: Internal control is not one event, but a series of activities that occur throughout an entity's operations and on an ongoing basis. Internal control should be an integral part of each system that management uses to regulate and guide its operations rather than as a separate system within an agency. In this sense, internal control is management control that is built into the entity as a part of its infrastructure to help managers run the entity and achieve their goals on an ongoing basis. Section 3512 (c), (d) of Title 31, U.S. Code, commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA), requires agencies to establish and maintain effective internal control. The agency head must annually evaluate and report on the control and financial systems that protect the integrity of its federal programs. The requirements of FMFIA serve as an umbrella under which other reviews, evaluations, and audits should be coordinated and considered to support management's assertion about the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations. Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal Control, provides the implementing guidance for FMFIA, and prescribes the specific requirements for assessing and reporting on internal controls consistent with the Standards for Internal Control in the Federal Government (internal control standards) issued by the Comptroller General of the United States.[Footnote 8] The circular defines management's responsibilities related to internal control and the process for assessing internal control effectiveness, and provides specific requirements for conducting management's assessment of the effectiveness of internal control over financial reporting. The circular requires management to annually provide assurances on internal control and emphasizes the need for integrated and coordinated internal control assessments that synchronize all internal control-related activities.[Footnote 9] FMFIA requires GAO to issue standards for internal control in the federal government. The internal control standards provide the overall framework for establishing and maintaining effective internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement. As summarized in the internal control standards, internal control in the government is defined by the following five elements, which also provide the basis against which internal controls are to be evaluated: * Control environment: Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management. * Risk assessment: Internal control should provide for an assessment of the risks the agency faces from both external and internal sources. * Control activities: Internal control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing the agency's control objectives. * Information and communication: Information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities. * Monitoring: Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved. A key objective in our annual audits of IRS's financial statements is to obtain reasonable assurance that IRS maintained effective internal control with respect to financial reporting. While we use all five elements of internal control as a basis for evaluating the effectiveness of IRS's internal controls, our ongoing evaluations and tests have focused heavily on control activities, where we have identified numerous internal control weaknesses and have provided recommendations for corrective action. Control activities are the policies, procedures, techniques, and mechanisms that enforce management's directives. In other words, they are the activities conducted in the everyday course of business that are intended to accomplish a control objective, such as ensuring IRS employees successfully complete background checks prior to being granted access to taxpayer information and receipts. Control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achievement of effective results. Scope and Methodology: To accomplish our objectives, we evaluated the effectiveness of corrective actions IRS implemented during fiscal year 2010 in response to open recommendations as part of our fiscal years 2010 and 2009 financial audits. To determine the current status of the recommendations, we (1) obtained IRS's reported status of each recommendation and corrective action taken or planned as of March 2011, (2) compared IRS's reported status to our fiscal year 2010 audit findings to identify any differences between IRS's and our conclusions regarding the status of each recommendation, and (3) performed additional follow-up work to assess IRS's actions taken to address the open recommendations. For our recommendations to IRS regarding information security, this report includes only summary data on the number of those recommendations and their general makeup. Because of the sensitive nature of many of the issues related to our recommendations regarding information security, we have reported our recommendations for corrective action to IRS separately.[Footnote 10] In order to determine how IRS's open recommendations, including those identified in our June 2011 management report,[Footnote 11] fit within the agency's management and internal control structure, we compared the open recommendations and the issues that gave rise to them to the (1) control activities listed in the internal control standards, (2) list of major factors and examples outlined in our Internal Control Management and Evaluation Tool,[Footnote 12] and (3) criteria and objectives for federal financial management as discussed in the Chief Financial Officers Act of 1990(CFO Act) and the Federal Accounting Standards Advisory Board's (FASAB) Statement of Federal Financial Accounting Concepts No. 1, Objectives of Federal Financial Reporting.[Footnote 13] We also considered whether IRS had addressed, in whole or in part, the underlying control issues that gave rise to the recommendations; and other legal requirements and implementing guidance, such as OMB Circular No. A-123 and FMFIA. Our work was performed from December 2010 through April 2011 in accordance with generally accepted government auditing standards. IRS Faces Significant Financial Management Challenges: IRS continues to make progress in resolving its internal control weaknesses and addressing outstanding recommendations, but it still faces significant financial management challenges. Since we first began auditing IRS's financial statements in fiscal year 1992, IRS has taken a significant number of actions that enabled us to conclude that it had effectively resolved several material weaknesses and significant deficiencies and to close almost 300 of our previously reported financial management-related recommendations. This includes 37 recommendations we are closing with this report based on actions IRS took through March 2011. Nevertheless, IRS continues to face challenges in improving the effectiveness of its financial and operational management. Specifically, IRS continues to face management challenges in (1) resolving its two material weaknesses and one significant deficiency in internal control, (2) developing performance measures and managing for outcomes, and (3) addressing its remaining internal control issues, particularly those dealing with safeguarding of taxpayer receipts and information. Further, as in previous years' audits, our fiscal year 2010 audit continued to identify additional internal control issues, resulting in 29 new recommendations for corrective action. These issues are discussed in detail in our June 2011 management report to IRS.[Footnote 14] In addition, as noted earlier, we also identified numerous issues related to information security during our fiscal year 2010 audit that we reported separately because of the sensitive nature of many of those issues.[Footnote 15] We have made numerous recommendations to IRS over the years--including new recommendations resulting from our fiscal year 2010 financial audit--to address the issues comprising these weaknesses in internal control. Successfully implementing these recommendations would assist IRS in fully resolving these weaknesses. To its credit, IRS continues to work to address the issues underlying these and other internal control weaknesses. Challenges in Resolving Two Long-standing Material Weaknesses and One Significant Deficiency in Internal Control: As we reported in our audit of IRS's fiscal year 2010 financial statements,[Footnote 16] IRS continues to face significant challenges in resolving its two remaining long-standing material weaknesses in internal control concerning (1) unpaid tax assessments[Footnote 17] and (2) information security. IRS's continuing challenge in addressing its material weakness in internal control over unpaid tax assessments results from its (1) inability to use its general ledger and underlying subsidiary records to report federal taxes receivable, compliance assessments, and writeoffs in accordance with federal accounting standards without significant compensating procedures; (2) lack of transaction traceability for the reported balance in taxes receivable that comprises over 80 percent of IRS's total assets as of September 30, 2010, and an effective transaction-based subledger for unpaid tax assessment transactions; and (3) inability to effectively prevent or timely detect and correct errors in taxpayer accounts. These control deficiencies are caused primarily by IRS's continued reliance on software applications that were not designed to provide the accurate, complete, and timely transaction-level financial information that management needs to make well-informed decisions or to accumulate and report financial information in accordance with federal accounting standards. These problems are likely to continue to exist until these software applications are either significantly enhanced or replaced. Successfully addressing these issues is vital and is one of the goals of IRS's ongoing systems-modernization effort. IRS's continuing challenge in addressing its material weakness in internal control over the management of information systems security is primarily due to IRS not having fully implemented key components of its information security program. Although IRS has processes in place intended to monitor and assess its internal controls, these processes were not always effective. For example, (1) IRS's testing did not detect many of the vulnerabilities we identified and did not assess a key application in its current environment, and (2) IRS had not effectively validated corrective actions reported to resolve previously identified weaknesses. As we reported in our audit of IRS's fiscal year 2010 financial statements,[Footnote 18] IRS has made progress in addressing numerous weaknesses in information security internal control. However, many of the weaknesses we reported in previous years remain unresolved and continue to place IRS systems at risk. For example, IRS (1) continued to allow individuals more access to sensitive information contained on its network than needed to perform their assigned duties, (2) had not completed actions to address a vulnerability in its procurement system that allowed users to enter commands that bypassed normal application security controls, and (3) continued to allow visitors unnecessary access to secured areas at one data center. In addition to unresolved issues, we identified additional internal control deficiencies, that, along with the unresolved deficiencies, continued to jeopardize the confidentiality, integrity, and availability of information processed by IRS's key systems, and increased the risk of material misstatement for financial reporting. For example, IRS had not (1) appropriately secured the database associated with the online system IRS used to support and manage its computer access request, approval, and review process; (2) appropriately restricted permissions on the database that supported an application used for cost allocation of rent-related data, allowing database users to run operating system commands; (3) tested the Redesigned Revenue Accounting Control System (RRACS) [Footnote 19] application security in its current production environment, which would have enabled IRS to identify weaknesses compromising IRS's ability to segregate incompatible duties and jeopardize the integrity of the application's data, and (4) used encrypted protocols on a server supporting the Electronic Federal Tax Payment System[Footnote 20] and several internal routers, potentially exposing user IDs and passwords transmitted in clear text across the network to inappropriate disclosure and unauthorized use. Until IRS takes additional steps to implement more comprehensive testing and effective validation processes, its facilities, computing resources, and information will remain vulnerable to inappropriate use, modification, or disclosure, and agency management will have limited assurance of the integrity and reliability of its financial and taxpayer information. In addition to the continuing challenges posed by the two long- standing material weaknesses concerning unpaid tax assessments and information security, our audit of IRS's fiscal year 2010 financial statements[Footnote 21] also identified a significant deficiency in IRS's internal control over tax refund disbursements. This significant deficiency, which is the collective result of (1) a multiyear pattern of our identifying and reporting deficiencies in IRS's internal control over the processing of manual refunds;[Footnote 22] (2) the increasing magnitude of manual refunds disbursed; and (3) new deficiencies associated with the internal controls over the First-Time Home Buyer Credit (FTHBC),[Footnote 23] increases the risk that IRS may pay out duplicate or otherwise erroneous tax refunds to which individuals or businesses are not entitled and for which IRS must use resources attempting to recover. This new significant deficiency is an example of the danger of not effectively addressing control deficiencies as soon as they are identified so that they do not become a more serious problem. We have reported numerous control deficiencies associated with manual refund processing since 1999. Nine of those deficiencies and their associated recommendations remain open, two of which have been open since 2005. Challenges in Developing and Implementing Performance Metrics to Assist in Managing for Outcomes: As we reported in our audit of IRS's fiscal year 2010 financial statements,[Footnote 24] IRS continues to face challenges in developing and instutionalizing the use of financial management information to assist it in making operational decisions and in measuring the effectiveness of its programs. IRS has not developed cost-based (and when appropriate, revenue-based) outcome-oriented performance measures that would enhance its ability to manage for outcomes[Footnote 25] and integrated them into its routine management and decision-making processes or its externally reported performance metrics.[Footnote 26] Although IRS has developed projected direct tax return on investment estimates[Footnote 27] for new enforcement (tax collection) initiatives in its annual budget submissions, it has not developed similar direct tax return on investment outcome-oriented performance metrics to determine whether funded initiatives achieve their originally projected outcomes. Lacking such performance metrics inhibits IRS's ability to more fully assess and monitor the relative merits of its existing programs, to evaluate new initiatives, or to consider alternatives and adjust its strategies as needed. Outcome- oriented performance metrics based on specific enforcement programs' costs and revenues would assist IRS in improving its ability to (1) establish measurable outcome goals, (2) evaluate the relative merits of various program options, and (3) highlight opportunities for optimizing the allocation of resources. They could also assist IRS in more credibly demonstrating to Congress and the public that it is using its appropriations wisely. IRS's existing metrics focus on process-oriented workload measures of program outputs[Footnote 28] rather than on measuring program outcomes. For example, for its enforcement programs, IRS focuses on measuring discrete activities within its overall tax collection efforts, such as the percentage of various types of tax returns examined, criminal investigations completed, and the number of tax returns examined and closed. While such output measures can be useful elements in assessing performance, they are not designed to measure the contribution each of these activities makes to the collection of unpaid taxes, nor do they compare the cost of collection activities to the tax revenue generated. IRS's enforcement metrics do not include revenue collected--a measure of outcome--compared to the cost of collection, which could provide useful information on the benefits of the enforcement programs. In addition, IRS's publicly available performance metrics do not measure the internal cost of IRS's programs either in the aggregate or per service or activity performed.[Footnote 29] As we report in the "Status per IRS" section of appendix I in this report, IRS has reported that it considers our recommendation to develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities to be closed. [Footnote 30] We do not agree. Part of IRS's justification for closing the recommendation is that it uses estimates of the cost-benefit direct tax return on investment analysis to evaluate future scenarios and to support funding requests for new initiatives in its annual budget submissions. Using such estimates of prospective return on investment information is useful for budgetary decision making, but our recommendation is for IRS to develop outcome data on the actual results of its programs and activities. We have also previously recommended that IRS: * extend the use of return on investment in future budget proposals to include major enforcement programs, * develop return on investment data for its enforcement programs using actual revenue and full cost data and compare actual results to the projected return on investment data included in its budget request, and: * provide Congress with information comparing projected savings to actual savings in the year following the budget's implementation. [Footnote 31] The intent of our recommendations is to encourage IRS to develop outcome-oriented performance metrics and to use them, along with other metrics, in resource-allocation decisions. While IRS has not developed or deployed such metrics for either funded initiatives or for ongoing enforcement programs and activities, IRS officials informed us they are considering options to collect direct tax return on investment data for newly funded enforcement initiatives. IRS officials also contended that it is not prudent to rely exclusively on direct tax return on investment as the sole determinant of resource allocation. As we have reported previously,[Footnote 32] we acknowledge that IRS must consider other factors besides maximizing revenue collection and least-cost operations. The fairness of IRS's implementation of the tax code and treatment of all taxpayers are important and we are cognizant of the many factors, such as coverage, that are important considerations when making resource-allocation decisions. These factors, and the decisions IRS makes about how to respond to them, have a significant effect on taxpayers, as well as on tax collections. We also acknowledge that IRS faces challenges in developing outcome-oriented performance metrics, such as return on investment, and integrating them into its resource allocation decision- making process. Furthermore, developing such an approach is important in order for IRS to make optimum use of its available resources and to be able to credibly demonstrate it is doing so to Congress and the public. IRS's lack of outcome-oriented performance metrics is inconsistent with federal financial management concepts as embodied in the Federal Accounting Standards Advisory Board's Statement of Federal Financial Accounting Concepts No. 1, Objectives of Federal Financial Reporting. [Footnote 33] In its discussion of financial reporting concepts, FASAB notes that federal financial data should provide accountability and decision-useful information on the costs of programs and the outputs and outcomes achieved, and it should provide data for evaluating service efforts, costs, and accomplishments. The absence of outcome metrics is also inconsistent with the objectives of the CFO Act of 1990. A key objective of the act was for agencies to routinely develop and use appropriate financial management information to evaluate program effectiveness, make fully informed operational decisions, and ensure accountability. While obtaining a clean audit opinion on its financial statements is important in itself, it is not the CFO Act's end goal. Rather, the act's end goal is modern financial management systems that provide reliable, timely, and useful financial information to support day-to-day decision making and oversight. Such systems and practices should also provide for the systematic measurement of both outputs and outcomes. We have made several recommendations to IRS over the years to address its financial management challenges in developing internal full cost data for its programs and activities and for outcome-oriented performance measures. Successfully addressing the remaining open recommendations would enhance IRS's ability to effectively manage for outcomes. Challenges in Resolving Other Internal Control Issues: IRS's actions over the years to resolve internal control weaknesses enabled us to close nearly 300 internal control-related recommendations. However, IRS also continues to face a challenge in addressing numerous other unresolved internal control issues in several aspects of its operations that, while neither individually nor collectively representing a material weakness or significant deficiency, nonetheless merit management attention to ensure they are fully and effectively addressed. IRS now has a total of 57 open audit recommendations resulting from internal control issues that we report as "other control issues" in appendix II of this report. While most were identified during our recent financial audits, some were identified in our audits from 2005 or earlier. It is incumbent upon IRS to effectively address these open recommendations and to improve its system of internal controls so that IRS can identify and correct potential weaknesses before they can grow into more serious problems. Forty-four--77 percent--of the 57 "other" open recommendations address issues related either directly or indirectly to physically safeguarding of tax receipts and taxpayer information, a critical element of IRS's responsibilities.[Footnote 34] IRS processes billions of dollars annually in checks and currency and other valuable assets, and it must safeguard and account for them to prevent theft, fraud, and misuse. To do so, IRS has established physical security, accountability, and accounting policies, processes, and procedures to manage its activities involving transporting and accounting for tax receipts and for handling and storing taxpayer information. Although IRS has made substantial improvements in safeguarding taxpayer receipts and information since our financial audits first began identifying serious internal control issues in this area, the task of ensuring ongoing control over such critical responsibilities for IRS is a difficult one and requires constant vigilance. Each year, we continue to identify control issues related to IRS's safeguarding of taxpayer receipts and information. For example, our fiscal year 2010 audit identified new internal control issues and made 18 additional recommendations that related either directly or indirectly to physically safeguarding taxpayer receipts and information. The internal control issues encompassed in our open recommendations cover critical physical security functions, such as: * transporting taxpayer receipts and sensitive taxpayer information among IRS facilities and lockbox banks[Footnote 35] and maintaining physical security at IRS facilities to prevent loss, theft, or the potential for fraud regarding tax receipts and taxpayer information; * conducting inspections and audits of the design and operation of IRS's physical security processes and controls designed to safeguard tax receipts and taxpayer information; * conducting appropriate background investigations and screening of personnel, including contractors, with access to taxpayer information; and: * ensuring the proper destruction of documents and equipment to prevent the inappropriate release of sensitive taxpayer information. In light of the volume of taxpayer receipts and sensitive taxpayer files that IRS is responsible for safeguarding, and the implications for IRS's mission if they are lost, stolen, or the subject of fraud or misuse, it is critical that IRS fully and effectively resolve the internal control issues we have identified and work toward continually improving its internal controls to prevent new issues from arising. Status of Recommendations Based on the Fiscal Year 2010 Financial Statement Audit: In June 2010, we issued a report on the status of IRS's efforts to implement corrective actions to address financial management recommendations stemming from our fiscal year 2009 and prior year financial audits and other financial management-related work.[Footnote 36] In that report, we identified 85 audit recommendations that remained open and thus required corrective action by IRS. A significant number of these recommendations have been open for several years, either because IRS had not taken corrective action or because the actions taken had not yet effectively resolved the issues that gave rise to the recommendations. IRS has continued to work to address many of the internal control issues to which these open recommendations relate. In the course of performing our fiscal year 2010 financial audit, we identified numerous actions IRS took to address many of its internal control issues. On the basis of IRS's actions, which we were able to substantiate through our audit, we have closed 37 of our prior years' recommendations. However, a total of 48 recommendations from prior years remain open, a significant number of which have been outstanding for several years. IRS considers another 13 of the prior years' recommendations to be effectively addressed and therefore closed. However, we consider them to remain open. For 9 of the 13, in our view, IRS's actions did not fully address the issue that gave rise to the recommendations. For the remaining 4, we have not yet been able to verify the effectiveness of IRS's actions because IRS's corrective actions are ongoing. (The "Status per IRS" and "Status per GAO" sections of appendix I provide a summary of both IRS's and our assessment of IRS's actions on each recommendation.) During our audit of IRS's fiscal year 2010 financial statements, we identified additional issues that require corrective action. In our June 2011 management report to IRS,[Footnote 37] we discussed these issues, and made 29 new recommendations to address them. Consequently, a total of 77 financial management-related recommendations need to be addressed--48 from prior years and 29 new recommendations resulting from our fiscal year 2010 audit. We consider all of the new recommendations to be short-term.[Footnote 38] We also consider the majority of the recommendations outstanding from prior years to be short-term; however, a few, particularly those concerning the functionality of IRS's automated systems, are complex and will require several more years to fully and effectively address. In addition to the 77 open recommendations from our financial audits and other financial management-related work, there are 105 additional open recommendations stemming from our assessment of IRS's information security controls over key financial systems, information, and interconnected networks conducted as an integral part of our annual financial audits. The issues that led to our previously reported and our newly identified recommendations related to information security increase the risk of unauthorized disclosure, modification, or destruction of financial and sensitive taxpayer data. Collectively, they constitute IRS's material weakness in internal control over information security for its financial and tax processing systems. As discussed earlier in this report, recommendations resulting from the information security issues identified in our annual audits of IRS's financial statements are reported separately because of the sensitive nature of many of these issues.[Footnote 39] Appendix I presents a summary listing of (1) the 85 non-information- systems security-related recommendations based on our financial statement audits and other financial management-related work that we had not previously reported as closed and the 29 new recommendations based on our fiscal year 2010 financial audit, (2) IRS-reported corrective actions taken or planned as of March 2011, and (3) our analysis of whether the issues that gave rise to the recommendations have been effectively addressed, based primarily on the work performed during our fiscal year 2010 financial statement audit. The appendix lists the recommendations by the year in which the recommendation was made and by report number. Appendix II presents the 77 open recommendations that remained as a result of closing the aforementioned 37 recommendations and the addition of 29 new recommendations from our fiscal year 2010 audit. The recommendations have been arranged by related material weakness, significant deficiency, and compliance issue as described in our opinion report on IRS's financial statements,[Footnote 40] as well as other control issues we have identified and discussed in our annual management report to IRS.[Footnote 41] Open Recommendations Grouped by Internal Control Activity: Linking the open recommendations from our financial audits and other financial management-related work, and the issues that gave rise to them, to internal control activities that are central to IRS's tax administration responsibilities provides insight regarding their significance. Internal control standards consist of five elements--control environment, risk assessment, control activities, information and communication, and monitoring.[Footnote 42] For the control activities element, the internal control standards explain that an agency's system of internal control should provide for an assessment of the risks the agency faces from both external and internal sources and that internal control activities should help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing the agency's control objectives. The control activities element defines 11 specific control activities, which we have grouped into three categories, as shown in table 1. Each of the unresolved recommendations from our financial audits and financial management-related work, and the underlying issues that gave rise to them, can be traced to one of the 11 specific control activities as shown in table 1. Table 1: Summary of Recommendations Grouped by Control Activity: Control activity: Safeguarding of assets and security activities: Physical control over vulnerable assets: Open at the beginning of 2010: 11; Closed during 2010 audit: 0; New from 2010 audit: 11; Total remaining open: 22; Percentage: 29%. Segregation of duties: Open at the beginning of 2010: 3; Closed during 2010 audit: 2; New from 2010 audit: 0; Total remaining open: 1; Percentage: 1%. Controls over information processing: Open at the beginning of 2010: 0; Closed during 2010 audit: 0; New from 2010 audit: 0; Total remaining open: 0; Percentage: 0. Access restrictions to and accountability for resources and records: Open at the beginning of 2010: 5; Closed during 2010 audit: 2; New from 2010 audit: 3; Total remaining open: 6; Percentage: 8%. Control activity: Safeguarding of assets and security activities: Subtotal; Open at the beginning of 2010: 19; Closed during 2010 audit: 4; New from 2010 audit: 14; Total remaining open: 29; Percentage: 38%. Control activity: Proper recording and documenting of transactions: Appropriate documentation of transactions and internal controls: Open at the beginning of 2010: 18; Closed during 2010 audit: 8; New from 2010 audit: 3; Total remaining open: 13; Percentage: 17%. Accurate and timely recording of transactions and events: Open at the beginning of 2010: 20; Closed during 2010 audit: 10; New from 2010 audit: 5; Total remaining open: 15; Percentage: 19%. Proper execution of transactions and events: Open at the beginning of 2010: 1; Closed during 2010 audit: 0; New from 2010 audit: 1; Total remaining open: 2; Percentage: 3%. Control activity: Proper recording and documenting of transactions: Subtotal; Open at the beginning of 2010: 39; Closed during 2010 audit: 18; New from 2010 audit: 9; Total remaining open: 30; Percentage: 39%. Control activity: Effective management review and oversight: Reviews by management at the functional or activity level: Open at the beginning of 2010: 15; Closed during 2010 audit: 8; New from 2010 audit: 6; Total remaining open: 13; Percentage: 17%. Establishment and review of performance measures and indicators: Open at the beginning of 2010: 3; Closed during 2010 audit: 2; New from 2010 audit: 0; Total remaining open: 1; Percentage: 1%. Management of human capital: Open at the beginning of 2010: 8; Closed during 2010 audit: 4; New from 2010 audit: 0; Total remaining open: 4; Percentage: 5%. Top-level reviews of actual performance: Open at the beginning of 2010: 1; Closed during 2010 audit: 1; New from 2010 audit: 0; Total remaining open: 0; Percentage: 0. Control activity: Effective management review and oversight: Subtotal; Open at the beginning of 2010: 27; Closed during 2010 audit: 15; New from 2010 audit: 6; Total remaining open: 18; Percentage: 23%. Control activity: Total; Open at the beginning of 2010: 85; Closed during 2010 audit: 37; New from 2010 audit: 29; Total remaining open: 77; Percentage: 100%. Source: GAO. [End of table] As table 1 indicates, 29 (38 percent) of the unresolved recommendations relate to IRS's controls over safeguarding of assets and security activities, 30 (39 percent) relate to issues associated with IRS's ability to properly record and document transactions, and 18 (23 percent) relate to issues associated with IRS's management review and oversight.[Footnote 43] In the following section, we group the 77 open recommendations under the specific control activity to which the condition that gave rise to them most appropriately fits. We define each control activity as presented in the internal control standards and briefly identify some of the key IRS operations that fall under that control activity. Although not comprehensive, the descriptions are intended to help explain why actions to strengthen these control activities are important for IRS to efficiently and effectively carry out its overall mission. Each control activity description includes a table of the related open recommendations. The tables list the recommendations by the year in which we made them (ID noumber). For each recommendation, we also indicate whether it is a short-term or long-term recommendation. We characterized a recommendation as short-term when we believe that IRS had the capability to implement solutions within 2 years of the year in which we first reported the recommendations. Note that for the internal control activity "top-level reviews of actual performance," IRS addressed the outstanding recommendation from prior years that related to this control activity, and we identified no new issues during our fiscal year 2010 financial audit that relate to this control activity. Safeguarding of Assets and Security Activities: Given IRS's mission, the sensitivity of the data it maintains, and its processing of trillions of dollars of tax receipts each year, one of the most important control activities at IRS is the safeguarding of assets. Internal control in this important area should be designed to provide reasonable assurance regarding prevention or prompt detection of unauthorized acquisition, use, or disposition of an agency's assets. IRS has outstanding recommendations in the following three control activities in the internal control standards that relate to safeguarding of assets (including buildings and equipment as well as tax receipts) and security activities (such as limiting access to only authorized personnel): (1) physical control over vulnerable assets, (2) segregation of duties, and (3) access restrictions to, and accountability for, resources and records. Physical Control over Vulnerable Assets: [Text box: Internal control standard: An agency must establish physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment which might be vulnerable to risk of loss or unauthorized use. Such assets should be periodically counted and compared to control records. End of text box] Of the trillions of dollars in taxes that IRS collects each year, hundreds of billions is collected in the form of checks and cash accompanied by tax returns and related information.[Footnote 44] IRS collects taxes both at its own facilities as well as at lockbox banks. [Footnote 45] IRS acts as custodian for (1) the tax payments it receives until they are deposited in the General Fund of the U.S. Treasury and (2) the tax returns and related information it receives until they are either sent to the Federal Records Center or destroyed. IRS is also charged with controlling many other assets, such as computers and other equipment, but it is IRS's legal responsibility to safeguard tax returns and the confidential information taxpayers provide on those returns that makes the effectiveness of IRS's internal controls over physical security essential to accomplishing its mission. While effective physical safeguards over receipts should exist throughout the year, such safeguards are especially important during the peak tax filing season. Each year during the weeks preceding and shortly after April 15, an IRS service center[Footnote 46] or lockbox bank may receive and process daily over 100,000 pieces of mail containing returns, receipts, or both. The dollar value of receipts each service center and lockbox bank processes increases to hundreds of millions of dollars a day during the April 15 time frame. The following 22 open recommendations in table 2 are designed to improve IRS's physical controls over vulnerable assets. They include recommendations for IRS to improve controls over (1) physical security at its Taxpayer Assistance Centers (TAC),[Footnote 47] (2) courier activities, (3) lockbox banks' handling of unprocessable items, [Footnote 48] (4) the handling of hardcopy cash receipts, and (5) property and equipment disposal procedures. We consider all of these recommendations to be correctable on a short-term basis. Table 2: Open Recommendations to Improve IRS's Physical Controls over Vulnerable Assets: ID number: 06-05; Recommendation: Equip all Taxpayer Assistance Centers (TAC) with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers, such as locked doors marked with signs barring entrance by unescorted customers. (short-term). ID number: 07-04; Recommendation: Develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the service center campus' (SCC) perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions. (short- term). ID number: 07-20; Recommendation: Establish and maintain sufficient secured storage space to properly secure and safeguard property and equipment inventory, including in-stock inventories, assets from incoming shipments, and assets that are in the process of being excessed or shipped out, or both. (short-term). ID number: 09-03; Recommendation: Document in the IRM minimum requirements for establishing criteria for time discrepancies or other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off-site surveillance of couriers. (short-term). ID number: 09-04; Recommendation: Document in the IRM minimum requirements for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information. (short-term). ID number: 09-06; Recommendation: Establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted. (short-term). ID number: 09-07; Recommendation: Establish procedures to periodically update the inventory of duress alarms at each Taxpayer Assistance Center (TAC) location to ensure that the inventory is current and complete as of the testing date. (short-term). ID number: 09-08; Recommendation: Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory, including date, findings, and planned corrective action and (2) track the findings until they are properly resolved. (short-term). ID number: 09-09; Recommendation: Establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station and (2) the emergency contact list for each location is current and includes only appropriate contacts. (short-term). ID number: 10-19; Recommendation: Establish procedures to track service center campus acknowledgments of unprocessable items with receipts. (short-term). ID number: 10-20; Recommendation: Establish procedures to monitor the process used by service center campuses (SCC) and lockbox banks to acknowledge and track transmittals of unprocessable items with receipts. These procedures should include monitoring discrepancies and instituting appropriate corrective actions as needed. (short-term). ID number: 11-08; Recommendation: Take steps to effectively implement procedures at the Beckley Finance Center requiring cash receipts to be immediately logged under dual control when first discovered in the mail room. (short-term). ID number: 11-09; Recommendation: Take steps to effectively implement procedures at the Beckley Finance Center requiring mail room staff to maintain custody of the control log at all times. (short-term). ID number: 11-10; Recommendation: Take steps to effectively implement procedures at the Beckley Finance Center requiring the amount of cash receipts initially discovered in the mail room to be independently reconciled to the amount deposited and recorded in the general ledger. (short-term). ID number: 11-14; Recommendation: Establish procedures to provide a consistent methodology for calculating and establishing allowable deposit courier trip time limits to be used by both service center campuses (SCCs) and lockbox banks that would assist in detecting potential unauthorized stops or other contractual violations by deposit couriers. Such procedures should include instructions for documenting and supporting how the trip limits were determined and require justification and approval for all established time limits that exceed the average trip time. (short-term). ID number: 11-15; Recommendation: Establish procedures to require periodic reassessments of and updates to deposit courier allowable trip time limits to account for changes in courier routes or other conditions that may affect trip times. (short-term). ID number: 11-16; Recommendation: Enforce existing contractual requirements for the cargo doors of contract courier vehicles to be locked after picking up taxpayer information. (short-term). ID number: 11-17; Recommendation: Establish procedures to prevent or detect unauthorized access to taxpayer information in contract courier vehicles during transit. These procedures should detail specific activities to be performed by both the business unit sending and receiving the information transported by the contract courier. (short-term). ID number: 11-18; Recommendation: Revise the guidance for conducting the periodic reviews of the contract couriers transporting taxpayer information from one IRS processing facility to another to include procedures for (1) physically verifying that courier vehicle cargo doors are locked after picking up this information and remain locked during transit to the final destination, and (2) documenting the basis for the reviewer's conclusions. (short-term). ID number: 11-27; Recommendation: Finalize procedures requiring that copier hard drives be removed and destroyed or otherwise appropriately cleaned before disposing of copiers. (short-term). ID number: 11-28; Recommendation: Revise the IRM to incorporate the new copier disposal procedures that require that copier hard drives be removed and destroyed or otherwise appropriately cleaned before disposing of copiers. (short-term). ID number: 11-29; Recommendation: Issue a memorandum to all business units reminding them that only designated Real Estate Facilities Management (REFM) staff are authorized to dispose of copiers. (short-term). Source: GAO. [End of table] Segregation of Duties: [Text box: Internal control standard: Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event. End of text box] As noted in the previous section, IRS employees process hundreds of billions of dollars in tax receipts in the form of cash and checks. Consequently, it is critical that IRS maintain appropriate separation of duties to allow for adequate oversight of staff and protection of these vulnerable resources so that no single individual would be in a position of causing an error or irregularity, or potentially converting the asset to personal use, and then concealing it. For example, when an IRS field office receives taxpayer receipts and returns, it is responsible for depositing the cash and checks in a depository institution and forwarding the related taxpayer information received, such as tax returns, to an IRS service center for further processing. In order to adequately safeguard receipts from theft, the person responsible for recording the information from the taxpayer receipts on a voucher should be different from the individual who prepares those receipts for transmittal to the service center for further processing. Implementing the following recommendation in table 3 would help IRS improve its separation of duties, which will in turn strengthen controls over tax receipts. This recommendation is short-term in nature. Table 3: Open Recommendation to Improve IRS's Segregation of Duties: ID number: 05-32; Recommendation: Establish policies and procedures to require appropriate segregation of duties in small business/self-employed units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages. (short- term). Source: GAO. [End of table] Access Restrictions to and Accountability for Resources and Records: [Text box: Internal control standard: Access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained. Periodic comparison of resources with the recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration. End of text box] Because IRS is responsible for maintaining accountability over a large volume of cash and checks, it is imperative that it maintain strong controls to appropriately restrict access to those assets, the records relied on to track those assets, and sensitive taxpayer information. Although IRS has a number of both physical and information systems controls in place, some of the issues we have identified in our financial audits over the years pertain to ensuring that (1) those individuals who have direct access to cash and checks are appropriately vetted, such as through appropriate background investigations, before being granted access to taxpayer receipts and information and (2) IRS maintains effective access security control. The following six short-term recommendations in table 4 are intended to help IRS improve its access restrictions to assets and records. Table 4: Open Recommendations to Improve IRS's Access Restrictions to and Accountability for Resources and Records: ID number: 08-12; Recommendation: Establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to Taxpayer Assistance Centers (TAC) and other field offices. (short-term). ID number: 08-17; Recommendation: Reinforce existing policies requiring verification of the information on Form 13094 (Recommendation for Juvenile Employment) by contacting the reference directly and documenting the details of this contact. (short-term). ID number: 10-29; Recommendation: Analyze the various contractor access arrangements and establish a policy that requires security awareness training for all IRS contractors who are provided unescorted physical access to its facilities or taxpayer receipts and information. (short-term). ID number: 11-11; Recommendation: Perform a review of all existing contracts under $100,000 that (1) do not have an appointed contracting officer's technical representative (COTR) and (2) do not require that contract employees obtain background investigations to assess whether the services performed under each contract warrant a requirement that contract employees obtain background investigations. (short-term). ID number: 11-12; Recommendation: Based on a review of all existing contracts under $100,000 without an appointed contracting officer's technical representative (COTR) that should require contract employees to obtain favorable background investigation results, amend those contracts to require that favorable background investigations be obtained for all relevant contract employees before routine, unescorted, unsupervised physical access to taxpayer information is granted. (short-term). ID number: 11-13; Recommendation: Establish a policy requiring collaborative oversight between IRS's key offices in determining whether potential service contracts involve routine, unescorted, unsupervised physical access to taxpayer information, thus requiring background investigations, regardless of contract award amount. This policy should include a process for the requiring business unit to communicate to the Office of Procurement and the Human Capital Office the services to be provided under the contract and any potential exposure of taxpayer information to contract employees providing the services, and for all three units to (1) evaluate the risk of exposure of taxpayer information prior to finalizing and awarding the contract and (2) ensure that the final contract requires favorable background investigations as applicable, commensurate with the assessed risk. (short-term). Source: GAO. [End of table] Proper Recording and Documenting of Transactions: IRS has a number of internal control issues related to recording transactions, documenting events, and tracking the processing of taxpayer receipts or information. IRS has outstanding recommendations in the following three control activities related to proper recording and documenting of transactions: (1) appropriate documentation of transactions and internal controls, (2) accurate and timely recording of transactions and events, and (3) proper execution of transactions and events. Appropriate Documentation of Transactions and Internal Control: [Text box: Internal control standard: Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form. All documentation and records should be properly managed and maintained. End of text box] IRS collects and processes trillions of dollars in taxpayer receipts annually both at its own facilities and at lockbox banks under contract to process taxpayer receipts for the federal government. Therefore, it is important that IRS maintain effective controls to ensure that all documents and records are properly and timely recorded, managed, and maintained both at its facilities and at the lockbox banks. In this regard, it is critical that IRS adequately document and disseminate its procedures to ensure that they are available for IRS employees. IRS must also document its management reviews of controls, such as those regarding refunds and returned checks, document transmittals, and reviews of TAC operations. To ensure future availability of adequate documentation, IRS must ensure that (1) its systems, particularly those now being developed and implemented, have appropriate capability to identify and trace individual transactions and (2) all critical steps in its accounting processes are adequately documented. Resolving the following 13 recommendations in table 5 would assist IRS in improving its documentation of transactions and related internal control procedures. All of these recommendations have been classified as short-term. Table 5: Open Recommendations to Improve IRS's Documentation of Transactions and Internal Control: ID number: 05-39; Recommendation: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds. (short-term). ID number: 06-01; Recommendation: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. (short-term). ID number: 06-02; Recommendation: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including service center campuses (SCC), Taxpayer Assistance Centers (TAC), and units within the Large and Mid-sized Business (LMSB) and the Tax-Exempt and Government Entities (TE/GE) business operating units, establish a system to track acknowledged copies of document transmittals. (short-term). ID number: 06-04; Recommendation: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. (short-term). ID number: 08-07; Recommendation: Develop and provide comprehensive guidance to assist Taxpayer Assistance Center (TAC) managers in conducting reviews of outlying TACs and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews. (short-term). ID number: 10-05; Recommendation: Revise the IRM to provide specific requirements for supervisors to review the accuracy of credit transactions related to Trust Fund Recovery Penalty (TFRP) payments processed through the Automated Trust Fund Recovery (ATFR) system. This guidance should provide specific areas to review and list the ATFR system reports that can facilitate supervisory reviews. (short-term). ID number: 10-15; Recommendation: Revise the IRM to require IRS's Central Insolvency Operation (CIO) to timely provide service center campuses (SSC) an acknowledgment of receipt for each form 3210 transmittal related to a duplicate refund transcript sent to them by a service center campus for review. (short-term). ID number: 10-16; Recommendation: Revise the IRM to require service center campuses (SCC) to verify that an acknowledgment of receipt has been received from IRS's Central Insolvency Operation (CIO) for 100 percent of the form 3210 transmittals related to duplicate refund transcripts they have forwarded to CIO for review. (short-term). ID number: 10-17; Recommendation: Revise the IRM to require service center campuses (SCC) to resolve any instances in which an acknowledgment of receipt for a form 3210 transmittal related to duplicate refund transcripts is not received. (short-term). ID number: 10-26; Recommendation: Review the Taxpayer Assistance Center Security and Remittance Review Database (TSRRD) for clarity and revise review questions as appropriate. (short-term). ID number: 11-19; Recommendation: Revise the IRM to include a comprehensive process that Small Business Self Employed (SBSE) unit managers should follow when performing reviews of the document transmittal process for determining whether staff are (1) maintaining control copies of document transmittal forms, (2) reconciling all document transmittal forms on a biweekly basis to ensure that all transmittals were received, and (3) following up on transmittals that are not timely acknowledged. (short- term). ID number: 11-20; Recommendation: Revise the IRM to include specifying minimally acceptable steps the Small Business Self Employed (SBSE) unit managers should follow in documenting the results of required reviews of the document transmittal process. (short-term). ID number: 11-24; Recommendation: Revise the post orders for the service center campuses (SCC) and lockbox bank security guards to include specific procedures for timely reporting exterior lighting outages to SCC or lockbox bank facilities management. These procedures should specify (1) whom to contact to report lighting outages and (2) how to document and track lighting outages until resolved. (short-term). Source: GAO. [End of table] Accurate and Timely Recording of Transactions and Events: [Text box: Internal control standard: Transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from the initiation and authorization through its final classification in summary records. In addition, control activities help to ensure that all transactions are completely and accurately recorded. End of text box] IRS maintains sensitive records for tens of millions of taxpayers in addition to maintaining its own financial records. To maintain these records, IRS often has to rely on outdated computer systems or manual work-arounds. Unfortunately, some of IRS's recordkeeping difficulties we have reported on over the years will not be fully addressed until it can replace its aging systems; an effort that is long-term and, in part, dependent on obtaining future funding. Implementation of the following 15 recommendations in table 6 would strengthen IRS's recordkeeping abilities. Thirteen of these recommendations are short-term, and 2 are long-term regarding requirements for new systems for maintaining taxpayer records. Several of the recommendations listed deal with financial reporting processes, such as maintaining subsidiary records, recording budgetary transactions, and tracking program costs. Some of the issues that gave rise to several of our recommendations directly affect taxpayers, such as those involving duplicate assessments, errors in calculating and reporting manual interest, errors in calculating penalties, and collection of trust fund recovery penalty assessments. Two of these recommendations have remained open for 10 years or more, reflecting the complex nature of the underlying systems issues that must be resolved to fully address some of these control deficiencies. Table 6: Open Recommendations to Improve IRS's Accurate and Timely Recording of Transactions and Events: ID number: 99-01; Recommendation: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received. (short-term). ID number: 01-17; Recommendation: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur. (long-term). ID number: 08-06; Recommendation: In instances where computer programs that control penalty assessments are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM. (long-term). ID number: 10-01; Recommendation: Review the results of IRS's unpaid assessments compensating statistical estimation process to identify and document instances where systemic limitations in the Custodial Detail Data Base (CDDB) resulted in misclassifications of account balances that, in turn, resulted in material inaccuracies in the amounts of reported unpaid assessments. (short-term). ID number: 10-02; Recommendation: Research and implement programming changes to allow the Custodial Detail Data Base (CDDB) to more accurately classify such accounts among the three categories of unpaid tax assessments. (short- term). ID number: 10-03; Recommendation: Research and identify control weaknesses resulting in inaccuracies or errors in taxpayer accounts that materially affect the financial reporting of unpaid tax assessments. (short-term). ID number: 10-04; Recommendation: Once IRS identifies the control weaknesses that result in inaccuracies or errors that materially affect the financial reporting of unpaid tax assessments, implement control procedures to routinely prevent, or to detect and correct, such errors. (short-term). ID number: 10-07; Recommendation: Develop procedures to analyze the results of the quarterly reviews of Trust Fund Recovery Penalty (TFRP) payment transactions so that specific factors causing the errors are identified. (short-term). ID number: 10-08; Recommendation: Develop procedures to address the factors causing errors in the processing of Trust Fund Recovery Penalty (TFRP) payment transactions identified through the analyses of the quarterly review results. (short-term). ID number: 10-18; Recommendation: Require service center campuses to acknowledge unprocessable items with receipts received from lockbox banks. (short- term). ID number: 11-04; Recommendation: Establish formal written procedures requiring staff to review purchase contract terms against the goods and services received to date before requesting additional goods or services. (short-term). ID number: 11-05; Recommendation: Establish procedures to centrally review and monitor the timeliness of personnel action requests and approvals to help ensure compliance with the IRM and applicable Office of Personnel Management (OPM) regulations and guidance. (short-term). ID number: 11-06; Recommendation: Adopt the local field office's timekeeping procedures or similar procedures for entering and verifying the accuracy of time and attendance information entered into the Single Entry Time Reporting System (SETR) throughout IRS for use by all units in which employees do not enter their own time charges directly to SETR. (short- term). ID number: 11-07; Recommendation: Further revise the detailed procedures for implementing the requirement to validate the appropriateness of the National Finance Center (NFC) programming changes after such changes are made. These revisions should (1) clarify the criteria for determining which programming changes will be subject to validation, (2) identify officials responsible for making and documenting these determinations, and (3) require post-implementation statistical sampling from a targeted population that consists of employees who are most likely to be affected by the NFC programming changes. (short- term). ID number: 11-26; Recommendation: Take steps to effectively implement the procedures requiring property staff to verify that the asset purchase price shown in the Asset Management Report agrees with the asset purchase price shown in the Integrated Financial System (IFS) and to resolve any variances before entering the information into the Information Technology Asset Management System (ITAMS). (short-term). Source: GAO. [End of table] Proper Execution of Transactions and Events: [Text box: Internal control standard: Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. This is the principal means of ensuring that only valid transactions to exchange, transfer, use, or commit resources and other events are initiated or entered into. Authorizations should be clearly communicated to managers and employees. End of text box] Each year, IRS spends approximately $250 million to cover the cost of its employees' travel in addition to entering into agreements with, and receiving services from, vendors. Failure to ensure that employees obtain appropriate authorizations for their travel or approval for procurements leaves the IRS open to fraud, waste, or abuse. IRS's actions to address the following two short-term recommendations in table 7 would improve IRS's controls over travel costs and approvals for the procurement of goods and services. Table 7: Open Recommendations to Improve IRS's Execution of Transactions and Events: ID number: 08-24; Recommendation: Issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approvals of travel authorizations prior to the initiation of their travel. (short- term). ID number: 11-03; Recommendation: Send out a reminder to all staff to follow policies and procedures for obtaining approval and funding of proposed purchases prior to entering into an agreement with vendors. (short- term). Source: GAO. [End of table] Effective Management Review and Oversight: All personnel within IRS have an important role in establishing and maintaining effective internal controls, but IRS's managers have additional review and oversight responsibilities. Management must set the objectives, put control activities in place, and monitor and evaluate controls to ensure that they are followed. Without adequate monitoring by managers, there is a risk that internal control activities may not be carried out effectively and in a timely manner. IRS has outstanding recommendations in the following four control activities related to effective management review and oversight: (1) reviews by management at the functional or activity level, (2) establishment and review of performance measures and indicators, (3) management of human capital, and (4) top-level reviews of actual performance. Reviews by Management at the Functional or Activity Level: [Text box: Internal control standard: Managers need to compare actual performance to planned or expected results throughout the organization and analyze significant differences. End of text box] IRS employs over 100,000 full-time and seasonal employees. In addition, IRS is also responsible for overseeing lockbox banks processing tens of thousands of individual receipts, totaling hundreds of billions of dollars. Effective management oversight of operations is important at any organization, but is imperative at IRS given its mission. Implementing the following 12 short-term and 1 long-term recommendations in table 8 would improve IRS's management oversight of several areas of its operations, including monitoring of contractor and off-site processing facilities, release of tax liens, and issuance of manual refunds. Table 8: Open Recommendations to Improve IRS's Reviews by Management at the Functional or Activity Level: ID number: 01-06; Recommendation: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues. (short-term). ID number: 05-33; Recommendation: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information. (short-term). ID number: 05-38; Recommendation: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds. (short-term). ID number: 08-14; Recommendation: Revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; document the results, including identification of any security issues; and verify that the contractor has taken appropriate corrective actions on any security issues observed. (short-term). ID number: 09-05; Recommendation: Establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual Taxpayer Assistance Center (TAC) location, group, territory, area, and nationwide. (long-term). ID number: 10-06; Recommendation: Formalize and implement the quarterly reviews of Trust Fund Recovery Penalty (TFRP) payment transactions to monitor compliance with IRM requirements. (short-term). ID number: 10-33; Recommendation: Establish procedures requiring the Director of IRS's Human Capital Office, Leadership, Education and Delivery Services (HCO LEADS) or designee to periodically monitor each business unit's progress in complying with mandatory briefing requirements. (short- term). ID number: 11-01; Recommendation: Put procedures in place to periodically monitor the effectiveness of the new First-Time Home Buyers Credit (FTHBC) validity check for the duration of the filing of FTHBC claims to verify it is working as intended. (short-term). ID number: 11-02; Recommendation: Establish a mechanism to enforce the existing requirement for appropriate managers to immediately notify the manual refund units of any personnel changes affecting the approval or processing of manual refunds. This may be accomplished through mechanisms such as issuing periodic alerts, providing training or having the manual refund unit perform quarterly validations of the list of manual refund approving officials, or a combination of these. (short-term). ID number: 11-21; Recommendation: Define and specify in the IRM which types of IRS facilities constitute a processing facility. (short-term). ID number: 11-22; Recommendation: Perform an assessment of off-site processing facilities to determine the frequency with which compliance reviews should be performed for these locations commensurate with the specific operational activities performed and the assessed level of risk associated with the facility. (short-term). ID number: 11-23; Recommendation: Based on the results of an assessment of off-site processing facilities that process taxpayer receipts and related taxpayer information, revise the IRM to specify the frequency with which compliance reviews should be performed at these facilities. (short-term). ID number: 11-25; Recommendation: Revise the nature and scope of the service center campuses' (SCC) and lockbox banks' physical security reviews to include periodic after dark assessments of physical security controls. (short-term). Source: GAO. [End of table] Establishment and Review of Performance Measures and Indicators: [Text box: Internal control standard: Activities need to be established to monitor performance measures and indicators. These controls could call for comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and appropriate actions taken. Controls should also be aimed at validating the propriety and integrity of both organizational and individual performance measures and indicators. End of text box] IRS's operations include a wide range of activities, including educating taxpayers, processing taxpayer receipts and data, disbursing hundreds of billions of dollars in refunds to millions of taxpayers, maintaining extensive information on tens of millions of taxpayers, and seeking collection from individuals and businesses that fail to comply with the nation's tax laws. Within its compliance function, IRS has numerous activities, including identifying businesses and individuals that underreport income, collecting from taxpayers who do not pay taxes, and collecting from those receiving refunds for which they are not entitled. Although IRS has at its peak over 100,000 employees, it still faces resource constraints in attempting to fulfill its duties. It is vitally important for IRS to have sound performance measures to assist it in assessing its performance and targeting its resources to maximize the government's return on investment. The following long-term recommendation in table 9 is designed to assist IRS in (1) evaluating its operations and (2) determining which activities are the most beneficial. This recommendation is directed at improving IRS's ability to measure and evaluate the internal costs, direct benefits, and outcomes of its operations--particularly with regard to identifying its most cost-effective tax collection activities. Table 9: Open Recommendation to Improve IRS's Establishment and Review of Performance Measures and Indicators: ID number: 09-16; Recommendation: Develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities that include measures of the full cost of, and the revenue collected from, those programs and activities (return on investment) to assist IRS's managers in optimizing resource allocation decisions and evaluating the effectiveness of their activities. (long-term). Source: GAO. [End of table] Management of Human Capital: [Text box: Internal control standard: Effective management of an organization’s workforce—its human capital—is essential to achieving results and an important part of internal control. Management should view human capital as an asset rather than a cost. Only when the right personnel for the job are on board and are provided the right training, tools, structure, incentives, and responsibilities is operational success possible. Management should ensure that skill needs are continually assessed and that the organization is able to obtain a workforce that has the required skills that match those necessary to achieve organizational goals. Training should be aimed at developing and retaining employee skill levels to meet changing organizational needs. Qualified and continuous supervision should be provided to ensure that internal control objectives are achieved. Performance evaluation and feedback, supplemented by an effective reward system, should be designed to help employees understand the connection between their performance and the organization’s success. As a part of its human capital planning, management should also consider how best to retain valuable employees, plan for their eventual succession, and ensure continuity of needed skills and abilities. End of text box] IRS's operations cover a wide range of technical activities requiring specific expertise in tax-related matters; financial management; and systems design, development, and maintenance. Because IRS has tens of thousands of employees spread throughout the country, it is imperative that management establish and maintain up-to-date guidance and provide appropriate training for its staff. Taking action to implement the following four short-term recommendations in table 10 would assist IRS in its management of human capital. Table 10: Open Recommendations to Improve IRS's Management of Human Capital: ID number: 07-08; Recommendation: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. (short-term). ID number: 10-27; Recommendation: Provide training to Taxpayer Assistance Center (TAC) group managers to assist with their understanding of the TAC Security and Remittance Review Database (TSRRD) review questions and related objectives. This training should be provided on an ongoing basis to account for changes in TSRRD questions and for newly hired or appointed TAC group managers. (short-term). ID number: 10-30; Recommendation: Designate management responsibility and establish a process for monitoring compliance with and enforcing the IRM requirement for all service center campus Unit Security Representatives (USR) to complete (1) the required initial USR training prior to assuming their responsibilities, and (2) annual refresher training each year thereafter. (short-term). ID number: 10-32; Recommendation: Establish a process to periodically review and update service center campus Unit Security Representatives (USR) training materials as appropriate. (short-term). Source: GAO. [End of table] Concluding Observations: Increased budgetary pressures and an increased public awareness of the importance of internal control have served to provide additional pressure on IRS to carry out its mission more efficiently and effectively while continuing to protect taxpayers' information. Sound financial management and effective internal controls are essential if IRS is to efficiently and effectively achieve its goals. IRS has made substantial progress in improving its financial management and internal control since its first financial audit, as evidenced by unqualified audit opinions on its financial statements for the past 11 years, resolution of several material internal control weaknesses, significant deficiencies, and other control issues, and actions taken resulting in the closure of hundreds of financial management recommendations. This progress has been the result of hard work by many individuals throughout IRS and sustained commitment of IRS leadership. Nonetheless, more needs to be done to fully address the agency's continuing financial management challenges--resolving material weaknesses and significant deficiencies in internal control; developing outcome-oriented performance metrics that can facilitate managing operations for outcomes; and correcting numerous other internal control issues. Effective implementation of the recommendations we have made through our financial audits and related work could greatly assist IRS in improving its internal controls and achieving sound financial management. Agency Comments and Our Evaluation: In commenting on a draft of this report, IRS expressed its appreciation for our acknowledgment of the agency's progress in addressing its financial management challenges as evidenced by our closure of 37 open financial management recommendations from prior GAO reports. IRS also commented that it is committed to implementing appropriate improvement to ensure that it maintains sound financial management practices. We will review the effectiveness of further corrective actions IRS has taken or will take to address all open recommendations as part of our audit of IRS's fiscal year 2011 financial statements. We are sending copies of this report to the Chairmen and Ranking Members of the Senate Committee on Appropriations; Senate Committee on Finance; Senate Committee on Homeland Security and Governmental Affairs; and Subcommittee on Taxation, IRS Oversight and Long-Term Growth, Senate Committee on Finance. We are also sending copies to the Chairmen and Ranking Members of the House Committee on Appropriations; House Committee on Ways and Means; the Chairman and Vice Chairman of the Joint Committee on Taxation; the Secretary of the Treasury; the Director of OMB; the Chairman of the IRS Oversight Board; and other interested parties. The report is also available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staffs have any questions concerning this report, please contact me at (202) 512-3406 or sebastians@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix IV. Sincerely yours, Signed by: Steven J. Sebastian: Director: Financial Management and Assurance: [End of section] Appendix I: Status of GAO Recommendations from Internal Revenue Service Financial Audits and Related Management Reports: This appendix presents a list of (1) the 85 recommendations that we had not previously reported as closed, (2) Internal Revenue Service (IRS) reported corrective actions taken or planned as of March 2011, and (3) our analysis of whether the issues that gave rise to the recommendations have been effectively addressed. It also includes 29 recommendations based on our fiscal year 2010 financial statement audit. Table 11 lists the recommendations by the year and recommendation number (ID number) and also identifies the report in which the recommendation was made. Table 11: Status of GAO Recommendations from Internal Revenue Service Financial Audits and Related Management Reports: ID number: 94-02; Recommendation: Monitor implementation of actions to reduce the errors in calculating and reporting manual interest on taxpayer accounts, and test the effectiveness of these actions. (short-term); Source report: Financial Management: Important IRS Revenue Information Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993), page 32; Status per IRS: Closed. IRS has implemented and is monitoring actions to reduce errors in calculating and reporting manual interest. IRS tests the effectiveness of these actions and measures accuracy through monthly sampling of manual interest transactions. IRS continues to increase the automation of restricted interest calculations and updated the Decision Modeling Incorporated/Automated Computational Tool Software in 2010. IRS created manual interest training and updated the training in 2010. IRS updated IRM 20.2 formalizing guidance on interest computations. IRS developed a quality review process, the Complex Interest Quality Measurement System (CIQMS) and formalized it by requiring completion of the Complex Interest Job Aid to document the reviews. As part of CIQMS, IRS finished developing the statistical sampling program with assistance from its Small Business/Self Employed business unit's Research and Testing on September 30, 2010. IRS completed selecting and reviewing a sample of closed cases in fiscal year 2010 which provided a statistically valid tool to measure the accuracy of manual interest transactions. In fiscal year 2011 IRS expanded sampling of manual interest transactions by including open modules to identify sources of significant errors or trends, and develop necessary corrective actions; Status per GAO: Closed. IRS has undertaken several actions to strengthen controls over this area, such as updating guidance, implementing standardized software to aid in the computation of manually calculated interest, and providing training related to manual interest calculations. We verified that IRS began testing samples of manual interest transactions in fiscal year 2011, making statistically valid projections of the results, and evaluating the results to gauge the effectiveness of its actions. ID number: 99-01; Recommendation: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received. (short-term); Source report: Internal Revenue Service: Immediate and Long-Term Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 30, 1998), page 14; Status per IRS: Open. The Small Business/Self Employed (SB/SE) business unit's Campus Compliance Services (CCS) continues to refine and expand its Quality Assurance Internal Compliance Review (QAICR) process by modifying the procedures for performing the reviews, associated data collection instruments, and error determination criteria. The results of the QAICR testing are captured by both individual review periods and cumulatively to identify recurring errors and trends. Additionally, CCS instituted a 100 percent review process to identify missing or incorrect cross-references prior to the posting of the related transactions. In coordination with SB/SE, the Chief Financial Officer (CFO) plans to complete a readiness test by reviewing the SB/SE QAICR standard operating procedures (SOP) documentation, and case review results. CFO will verify that case reviews are conducted in accordance with the standard operating procedures (SOPs)2 by September 30, 2011; Status per GAO: Open. During our fiscal year 2009 audit, we tested a statistical sample of payments recorded on Trust Fund Recovery Penalty (TFRP) accounts and estimated that nearly 9 percent of TFRP payment transactions in the first 3 months of fiscal year 2009 that were posted on TFRP accounts could contain errors. While IRS continued its efforts to improve controls over the crediting of TFRP payments to all related parties, we did not test IRS controls in this area as part of our fiscal year 2010 audit as both we and IRS believed that the corrective actions initiated by IRS thus far had not been in place long enough to significantly improve the accuracy of TFRP payment processing. Furthermore, as of February 2011, IRS's Automated Trust Fund Recovery (ATFR) system continued to be unable to process all TFRP related payments. IRS reported that ATFR could automatically reduce the amounts owed on all related accounts for only about 57 percent of TFRP payments processed through the system. The remaining TFRP payments continue to require some form of manual processing to record the reduction of the liability in related accounts. Until IRS successfully implements effective controls over the recording of TFRP payments, opportunities for errors and omissions with TFRP payments continue to exist. We will continue to monitor IRS's actions to address this recommendation during our fiscal year 2011 audit. ID number: 99-36; Recommendation: Make enhancements to IRS financial systems to include recording plant and equipment (P&E) and capital leases as assets when purchased and to generate detailed records for P&E that reconcile to the financial records. (long-term); Source report: Internal Revenue Service: Serious Weaknesses Impact Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 1999), page 37, no. 25; Status per IRS: Closed. Between 1999 and 2010, IRS has continued to make improvements toward addressing this recommendation through the implementation of various IRS systems. In 1999, IRS implemented the Automated Financial System (AFS) whereby all transactions were posted to expense accounts at a detailed level and then reclassified to asset accounts at a summary level. In October 2004, IRS implemented the Integrated Financial System (IFS) in which IRS posts directly to its asset accounts. Additionally, IRS maintains detailed records of asset purchases with current year asset and expense database files; Status per GAO: Closed. IRS has taken actions to address this recommendation. We confirmed that over the years, IRS has improved its financial systems so that IRS records P&E and capital leases when purchased and it maintains detailed P&E records. However, our audits continue to find that these property records do not always reconcile to the financial records. However, in order to provide a recommendation more closely aligned with the current status of the remaining issues to be resolved we are closing this recommendation based on IRS's progress to date and have reported the remaining issue, along with a related recommendation for corrective action in our June 2011 management report. (See recommendation number 11-26 in this report). ID number: 01-06; Recommendation: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues. (short-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000), page 42; Status per IRS: Open. IRS continues to conduct independent semiannual Quality Assurance internal reviews. The latest review identified late releases that were caused by issues previously identified by IRS or the auditors. IRS completed corrective actions for certain cases and is in the process of either solving or defining a specific solution for the remaining cases. IRS continued throughout the year to investigate and address causes of late lien releases and now documents the issue in the Lien Action Plan. IRS has conducted in-depth discussions with Centralized Lien Unit (CLU), Insolvency and Filing, and Payment Compliance analysts to identify potential solutions. Discussions have been conducted with programming analysts and the Ogden Campus staff to examine systemic and procedural problems; Status per GAO: Open. During our fiscal year 2010 audit, we continued to find that IRS did not always timely release liens. In IRS's own OMB A-123 testing of lien releases, it identified 9 instances out of 59 cases tested in which it did not release the applicable federal tax lien within the statutory 30-day period. The time between the satisfaction of the liability and release of the lien ranged from 33 days to more than 97 days. Based on these results, IRS estimated that for about 15 percent of unpaid tax assessment cases that were resolved in fiscal year 2010, in which it had filed a tax lien, it did not release the lien within 30 days of the resolution of the case. Continued weaknesses in IRS's controls over this area results in its noncompliance with Internal Revenue Code Section 6325 which requires IRS to release its tax liens within 30 days of the date the related tax liability is fully satisfied. We will continue to monitor IRS's actions to address this recommendation during our fiscal year 2011 and future audits. ID number: 01-17; Recommendation: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur. (long-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000), page 74; Status per IRS: Closed. Between 2001 and 2010, IRS has continued to make improvements toward addressing this recommendation through the implementation of various IRS systems. In 2001, IRS implemented the Automated Financial System (AFS) in which all transactions were posted to expense accounts at a detailed level and then reclassified to asset accounts including leasehold improvements (LHI) at a summary level. In October 2004, IRS implemented the Integrated Financial System (IFS) through which IRS posts directly to the asset accounts. Additionally, IRS maintains detailed records of asset purchases with current year asset and expense database files; Status per GAO: Open. Although IRS has not established a subsidiary ledger for leasehold improvements, it has made progress toward addressing our recommendations by recording leasehold improvement (LHI) costs as they occur. In addition, in fiscal years 2009 and 2010, IRS developed and used a methodology to write off LHI. However, IRS is still in the process of formally documenting its existing procedures for recording and writing off LHI. We will review and evaluate these procedures during our fiscal year 2011audit. ID number: 01-39; Recommendation: Develop a mechanism to track and report the actual costs associated with reimbursable activities. (long-term); Source report: Management Letter: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-01-880R, July 30, 2001), page 4; Status per IRS: Closed. The IRS revised the Internal Revenue Manual (IRM) to include guidance for tracking and reporting actual costs associated with reimbursable activities. The IRM was also updated to include procedures on how to determine actual costs related to advance payments and how to deal with differences between actual and advance payment amounts, including refunds or billings if necessary; Status per GAO: Closed. We confirmed that IRS revised its IRM to address this recommendation. The IRM now includes guidance for tracking and reporting the actual costs associated with reimbursable activities. It further clarifies the processing steps for agreements requiring advance payments to ensure such payments are properly adjusted to actual costs incurred at the end of the agreement term. ID number: 02-16; Recommendation: Ensure that field office management complies with existing receipt control policies that require a segregation of duties between employees who prepare control logs for walk-in payments and employees who reconcile the control logs to the actual payments. (short-term); Source report: Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 2002), page 6; Status per IRS: Closed. IRS continues to emphasize the requirements of segregation of duties and annually performs operational reviews at all levels to ensure field operations comply with the requirements of segregation of duties. IRS Field Assistance (FA) Headquarters conducted reviews at eight Taxpayer Assistance Centers (TACs) on the remittance process during fiscal year 2010 and concluded that controls are in place to ensure segregation of duties between the employees who prepare Forms 795 and 3210 and the employees who reconcile and transmit payments. FA conducts an annual Filing Season Readiness Workshop to address remittance and data security which reiterates that the originator of Form 795 and the reviewer must be different employees. FA will revise the "Managing a TAC" course by December 31, 2010, to include a discussion on the segregation of duties requirements as outlined in IRM 21.3.4; Status per GAO: Closed. We verified that IRS emphasizes the requirements for segregation of duties in its routine training provided to TAC managers. In addition, during our fiscal year 2010 audit, we did not identify any instances where duties among IRS TAC employees who receive payments, prepare control logs, and reconcile those payments to the control logs were not adequately segregated. ID number: 05-32; Recommendation: Establish policies and procedures to require appropriate segregation of duties in small business/self-employed units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005), page 14; Status per IRS: Open. SB/SE published a revision to the IRM that clarified the segregation of duties between Revenue Officers and clerical personnel related to Collection Field function payment posting vouchers, document transmittal forms, and transmittal packages. IRS is analyzing the results of a process analysis of SB/SE field office remittance processing practices that was completed on February 15, 2011; Status per GAO: Open. We plan to evaluate the effectiveness of IRS's corrective actions during our fiscal year 2011 audit. ID number: 05-33; Recommendation: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005), page 14; Status per IRS: Open. IRS reviewed group managers' compliance with the control review requirements of remittance packages sent to Submission Processing in its fiscal year 2010 Director of Collection Operational Reviews. The IRS review of the Operational Review findings confirmed that management lacked understanding of the control review requirements in the IRM. IRS revised the IRM to clarify the control review requirements. IRS is reviewing group manager compliance with the control review requirements of remittance package transmittals sent to Submission Processing in its fiscal year 2011 Director of Collection Operational Reviews. IRS will review the results of the Operational Review findings for compliance with the IRM which is scheduled to be completed by June 30, 2011; Status per GAO: Open. IRS's efforts to address this recommendation are ongoing. We will continue to evaluate IRS's actions during our fiscal year 2011 audit. ID number: 05-38; Recommendation: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005), page 20; Status per IRS: Open. IRS continues to enforce requirements to monitor accounts related to manual refunds. This includes improving identification of problems with duplicate refunds, updating requirements to enforce monitoring, conducting more frequent reviews to ensure proper monitoring, and providing refresher training reminders to managers and employees initiating and monitoring manual refunds. IRS initiated a manual refund reporting process to identify internal control deficiencies and provide data to help prevent duplicate refunds. IRS continues to monitor manual refunds on a weekly basis and conduct a quarterly review to ensure managers and employees are adhering to the prescribed IRM procedures. In addition, IRS continues to use the Taxpayer Advocate Service (TAS) Managers Forum to reinforce the requirements to monitor accounts after the issuance of a manual refund; Status per GAO: Open. During our fiscal year 2010 audit, we continued to find instances where manual refund initiators or individuals responsible for centralized monitoring did not monitor accounts for duplicate manual refunds and supervisors did not verify that manual refund initiators or those responsible for centralized monitoring were following proper procedures for monitoring manual refunds. We will continue to evaluate the effectiveness of IRS's actions during our fiscal year 2011 audit. ID number: 05-39; Recommendation: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr. 27, 2005), page 20; Status per IRS: Open. IRS continues to strengthen oversight of requirements to monitor manual refunds. In January 2010, IRS revised the IRM to centralize controls for documenting the monitoring process and supervisory reviews. IRS also updated the IRM to simplify the monitoring requirements. Submission Processing (SP) Accounting updated the IRM to reject refund documents that do not contain an open control base used for monitoring. SP also introduced managerial monitoring reviews into the Embedded Quality Review System (EQRS), a tool that will provide managerial accountability to ensure monitoring is complete; Status per GAO: Open. During our fiscal year 2010 audit, we continued to find instances where the manual refund initiators or individuals responsible for centralized monitoring did not document their monitoring of accounts to prevent duplicate refunds. We also found instances where the supervisory review of the monitoring activity was not documented. We will continue to evaluate the effectiveness of IRS's corrective actions during our fiscal year 2011 audit. ID number: 06-01; Recommendation: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006), page 5; Status per IRS: Open. IRS Accounts Management (AM) has procedures requiring that Refund Inquiry (RI) Unit managers document their review of Forms 3210, Document Transmittal, prior to sending return refund checks to the Financial Management Service (FMS) for final processing. The IRM requires managers to conduct random sample reviews of incoming and outgoing Forms 3210 to ensure the accuracy of the outgoing documents and their contents, and that they are properly added to the Returned Refund Check System. On January 1, 2011, Submission Processing revised the IRM for the Payment Perfection Team to use Form 3210 to route returned refund checks to the RI units and include the check number, amount, and symbol. This information will ensure RI can track refund checks throughout the process including forwarding the returned refunds to FMS. Submission Processing issued SERP Alert 101149 to provide specific guidance on securing returned refund checks. Submission Processing updated the IRM regarding Manual Deposit for Field Office Payment Processing to include a requirement for supervisory review of controls over outgoing remittances in the January 1, 2011 edition; Status per GAO: Open. While IRS revised its IRM to require that Refund Inquiry Unit managers conduct periodic, random sample reviews of outgoing Forms 3210, we continued to identify instances during our fiscal year 2010 audit where Refund Inquiry Unit managers were unaware of the review requirements regarding document transmittals. We will continue to assess IRS's actions during our fiscal year 2011 audit. ID number: 06-02; Recommendation: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including service center campuses (SCC), Taxpayer Assistance Centers (TAC), and units within the Large and Mid-sized Business (LMSB) and the Tax-Exempt and Government Entities (TE/GE) business operating units, establish a system to track acknowledged copies of document transmittals. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006), page 6; Status per IRS: Closed. IRS has procedures in place to ensure compliance with tracking acknowledgment of document transmittals. Large Business & International (LB&I) issued an annual memorandum reiterating Form 3210 procedures which provided specific IRM guidance related to the preparation, tracking, and monitoring of Form 3210. All Tax Exempt and Government Entities (TE/GE) Exam managers used the Quick Reference Guide for processing checks and Area Managers verified that tracking measures were in place during operational reviews. TE/GE revised sections of the IRM to include more explicit instructions regarding check information entered into group logbooks, preparation of Forms 3244-A and 3210 and follow-up of unacknowledged Forms 3210 identified in the logbook. Wage & Investment (W&I) also has a system in place to monitor the use of Form 3210 when mailing documents to SP Centers and reiterate this requirement while conducting workshops and annual training. Further, W&I monitors compliance through operational reviews which have provided evidence that sustained improvement has been achieved in compliance with tracking acknowledgment copies of Form 3210 document transmittals; Status per GAO: Open. IRS's actions to date have not been fully effective in addressing the issues that gave rise to this recommendation. During our fiscal year 2010 audit, we identified instances at two TACs where there was no system in place to monitor acknowledged/unacknowledged transmittals to the SCC. We will continue to assess IRS's actions during our fiscal year 2011 audit. ID number: 06-04; Recommendation: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006), page 6; Status per IRS: Open. TE/GE Employee Plans (EP) Exam Director and Area Managers use a check sheet during the operation reviews of all EP Areas and EP Exam Groups to ensure payments and remittances transmitted between IRS locations are tracked according to guidelines. The managers notate recommendations and follow up actions based on the operational reviews. EP Exam discusses check processing with the Group Managers during Area conference calls and instructs the Group Managers to remind employees on proper handling and tracking of checks and to surface any errors identified. In EO Examinations, Area Managers will review whether groups are complying with Form 3210 follow-up procedures in their operational reviews. W&I Field Assistance updated the IRM to include specific procedures on how to complete Forms 795 and 3210 Review Logs. The procedures require managers to sign the Review Log to ensure the acknowledgments were received. FA conducted reviews at eight TACs during fiscal year 2010, which confirmed that the new procedures are being followed. FA sends communications and quarterly reminders to all managers advising of the types of required reviews, including Forms 795 and 3210. Accounts Management Headquarters conducted site reviews to ensure compliance with existing requirements. LB&I issued its annual executive memorandum to remind managers of their responsibility for preparing and tracking the shipment of returns as outlined in the IRM. LB&I emphasized the need for verification that transmittals are tracked through operational reviews and the Annual Assurance Reporting Process. Various industries have incorporated the review of Form 3210 procedures into their Territory Manager operational review check sheets. LB&I also emphasized the Territorial Manager operational review of the Form 3210 process in training material to new front line managers in the "Aspiring Team Manager Workshops."; Status per GAO: Open. During our fiscal year 2010 audit, we identified instances at all eight TACs we visited where managers were not documenting their reviews of document transmittals. IRS's update to the IRM occurred subsequent to our fiscal year 2010 field visits. We will review the implementation of this new requirement during our fiscal year 2011 audit. ID number: 06-05; Recommendation: Equip all Taxpayer Assistance Centers (TAC) with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers, such as locked doors marked with signs barring entrance by unescorted customers. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006), page 8; Status per IRS: Open. IRS's Real Estate and Facilities Management (REFM) continues to oversee, implement and track the TAC Model status while Physical Security and Emergency Preparedness (PSEP) provides guidance, oversight and status updates to W&I on interim solutions to mitigate security vulnerabilities. REFM will build out all TACs in compliance with the established security guidelines proposed by PSEP. Of the 401 TAC locations, 244 have the model TAC with another 18 scheduled for completion prior to the 2011 filing season. Due to the complexity of each build out, and funding and scheduling considerations, IRS cannot give definitive implementation dates for all locations. In the interim, IRS continues to utilize the following solutions to help secure non-model TACs: theater rope or other barriers, signage, and minor alterations; Status per GAO: Open. IRS's efforts to address our recommendation are ongoing. We will continue to evaluate IRS's actions during our fiscal year 2011 audit. ID number: 06-07; Recommendation: Document supervisory visits by offsite managers to Taxpayer Assistance Centers (TAC) not having a manager permanently on- site. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006), page 8; Status per IRS: Closed. W&I Field Assistance continues to use the TAC Security Remittance Review Database (TSRRD) to document supervisory reviews. Managers are required to conduct and document their reviews to ensure the protection of data, and compliance with remittance and security procedures. They are required to submit remittance information semiannually. The TSRRD indicates if the review was conducted on site. The TSRRD also documents (1) the time and date of the review; (2) the name of the manager performing the review; (3) the task performed during the review; (4) any problems or questions identified; and (5) planned corrective actions; Status per GAO: Closed. W&I Field Assistance implemented the TAC Security and Remittance Review Database (TSRRD) to document supervisory reviews of all TACs, including those performed by offsite managers. The TSRRD documents (1) the time and date of the review; (2) the name of the manager performing the review; (3) the task performed during the review; (4) any problems or questions identified; and (5) planned corrective actions. ID number: 07-04; Recommendation: Develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the service center campus' (SCC) perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007), page 7; Status per IRS: Open. PSEP Risk Management will require Territory Managers and Area Directors to validate that their SCC CCTV cameras (1) are compliant with IRM 10.2.14 (Methods of Providing Protection), (2) are not obstructed, (3) have a clear view of the entire exterior perimeter, and that (4) repairs are completed timely. PSEP Systems Resources and Designs will remind Area Directors and Territory Managers of the purpose and importance of completing the Audit Management Checklist accurately. PSEP Risk Management will initiate random "Quality Assurance Reviews" nation-wide in February 2011 to ensure Area Directors and Territory Managers comply with standards and requirements. PSEP RM will make this requirement a Special Interest Item (SII) to review and validate CCTV compliance and unobstructed CCTV Camera observation of the entire perimeter of a Campus or Computing Center; Status per GAO: Open. IRS's efforts to address our recommendation are ongoing. We will continue to evaluate IRS's actions during our fiscal year 2011 audit. ID number: 07-08; Recommendation: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007), page 9; Status per IRS: Open. IRS provided training to manual refund initiators to ensure they monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. Accounts Management has mandated that their managers and employees initiating manual refunds take the manual refund training course which includes a new lesson on monitoring manual refunds. Submission Processing and Compliance have added manual refund monitoring to their CPE training curriculum conducted annually; Status per GAO: Open. During our fiscal year 2010 audit, we found that several manual refund initiators indicated that they either had not received training or could not recall if manual refunds were covered in the training received. During the fiscal year 2011 audit, we will continue to evaluate IRS's progress in meeting this recommendation. ID number: 07-20; Recommendation: Establish and maintain sufficient secured storage space to properly secure and safeguard property and equipment inventory, including in-stock inventories, assets from incoming shipments, and assets that are in the process of being excessed or shipped out, or both. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007), page 20; Status per IRS: Closed. IRS continues to follow procedures implemented on March 3, 2009, which state, in part, "an Employee Resource Center (ERC) work ticket call type has been established to specifically identify when secured storage space is needed. Requesters will initiate the ERC ticket process by requesting 'Property Consultation' services, which initiates Real Estate and Facilities Management (REFM) activity to work with the requester on obtaining whatever secured storage space is needed."; Status per GAO: Open. Although IRS established procedures to ensure that sufficient secured space was available for all property and equipment not currently in use, we found that IRS's secured storage space was not effective in safeguarding its property and equipment. During our fiscal year 2010 physical inventory testing, IRS was unable to locate a desk top computer that was supposed to be maintained in one of its secured storage rooms. According to the IRS officials, the desk top computer had been lost. We will continue to assess the effectiveness of IRS's procedures to properly secure and safeguard property and equipment not in use during our fiscal year 2011 audit. ID number: 07-24; Recommendation: To the extent that IRS intends to use the information security work conducted under the Federal Information Security Management Act of 2002 (FISMA) to meet related Office of Management and Budget (OMB) Circular A-123 requirements, identify the areas where the work conducted under FISMA does not meet the requirements of A-123 and, considering the findings and recommendations of our work on IRS's information security, expand FISMA procedures or perform additional procedures as part of the A-123 reviews to augment FISMA work. (short- term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007), page 10; Status per IRS: Closed. On June 30, 2009, the IRS implemented a review process for evaluating controls over information technology relating to financial statement reporting. The review focused on the systems that affect recording of financial transactions and included assessing the annual FISMA evaluations of CFO oriented financial systems. In addition, the ACFO obtained copies of the Chief Information Officer's annual FISMA report evaluating the IRS servicewide information technology security program and found that it met A-123 requirements. The annual Treasury Inspector General for Tax Administration report evaluating the IRS compliance with FISMA requirements was also reviewed to identify any A-123 FISMA issues. These procedures are still in place for the current fiscal year; Status per GAO: Closed. During fiscal year 2010, we reviewed IRS's A- 123 support for its FISMA work related to the evaluation of internal controls over systems that record financial transactions, and its assessment of the annual FISMA report on IRS's information security program to determine if it met A-123 requirements. We concluded that IRS's A-123 test procedures related to its FISMA reviews were adequate, appropriately conducted, and documented, in all material respects. We also agreed with IRS's conclusion that it met A-123 requirements in the context of a preexisting material weakness in information security. However, once this material weakness has been resolved, the scope of IRS's work to monitor the effectiveness of internal control over information security will need to be significantly expanded in order to put IRS in a position to support a conclusion that internal control over information security at IRS is effective. ID number: 07-25; Recommendation: Revise Office of Management and Budget (OMB) Circular No. A-123 test plans to include appropriate consideration of the design of internal controls in addition to implementation of controls over individual transactions. (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007), page 10; Status per IRS: Closed. On June 30, 2009, IRS implemented a "Fiscal Year 2009 Control Design" template that annotates which design activity was completed for each transaction. IRS enhanced its testing to include procedures for design control activities published in Standard Operating Procedures (SOPs), IRM references, and business process documentation. The IRS's A-123 team along with the process owner evaluates procedures to identify the key internal controls and to determine whether the control fully addresses multiple risks. Test plans are updated accordingly as needed for GAO review. These procedures will continue to be used during the current fiscal year; Status per GAO: Closed. During fiscal year 2010, we concluded that IRS's A-123 test plans included appropriate consideration of the design of controls. Also, we reviewed IRS's A-123 internal control test results and found that for all transactions tested, IRS appropriately considered the design of internal controls in its respective test plans. ID number: 08-01; Recommendation: As IRS proceeds with its implementation of the Custodial Detail Data Base (CDDB), it should verify that CDDB, when it becomes fully operational and is used in conjunction with the Interim Revenue and Accounting Control System (IRACS), will provide IRS with the direct transaction traceability for all of its tax-related transactions as required by the U.S. Standard General Ledger (USSGL), Federal Financial Management System Requirements (FFMSR), and the Federal Financial Management Improvement Act of 1996 (FFMIA). (long- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008), page 5; Status per IRS: Closed. IRS implemented the Redesign Revenue Accounting and Control System (RRACS) in January 2010, a significant enhancement to IRACS, which records revenue, refund, and unpaid tax assessment transactions to the USSGL accounts. During the fiscal year 2010 audit, it was determined that RRACS posted tax revenue and tax refund transactions in conformance with the USSGL. Additional conclusions were reached that IRS recorded unpaid tax assessments, including taxes receivable, in substantial conformance with the USSGL because the adjustments were recorded in accordance with the USSGL, and the reported gross taxes receivable could be traced through the adjustments to the unadjusted taxes receivable (contained in CDDB), and from there to the underlying transaction detail which had been recorded in accordance with the USSGL; Status per GAO: Closed. During our fiscal year 2010 audit, we concluded that IRS's financial management systems substantially complied with the U.S. Standard General Ledger (USSGL) at the transaction level. We also determined that RRACS systems posted revenue and refund transactions in conformance with the USSGL. Also, we found that IRS recorded federal taxes receivable in substantial conformance with the USSGL because although the adjustments to federal taxes receivable were not traceable to underlying transaction detail, the adjustments themselves were recorded in accordance with the USSGL, and the reported gross federal taxes receivable balance could be traced through the adjustments to the unadjusted federal taxes receivable balance, and from there to underlying transaction detail, which had also been recorded in accordance with the USSGL. ID number: 08-02; Recommendation: Document and implement the specific procedures to be performed by the IRS statistician in each step of the unpaid assessment estimation process. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008), page 7; Status per IRS: Closed. IRS documented and implemented the specific procedures that the IRS statistician follows in each step of the unpaid assessments estimation process; Status per GAO: Closed. During fiscal year 2010, IRS finalized documentation detailing the specific procedures to be performed by IRS's statistician in each step of the unpaid assessment estimation process. We confirmed that IRS implemented these detailed steps as part of its formal unpaid assessments estimation process during fiscal year 2010. ID number: 08-03; Recommendation: Document and implement specific detailed procedures for reviewers to follow in their review of unpaid assessments statistical estimates. Specifically, IRS should require that a detailed supervisory review be performed to ensure (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll-forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008), page 7; Status per IRS: Closed. IRS documented and implemented the specific procedures for reviewers to follow in reviewing the unpaid assessments statistical estimates; Status per GAO: Closed. During fiscal year 2010, IRS finalized documentation detailing the specific procedures to be performed by supervisors in reviewing the work of its statistician in preparing IRS's unpaid assessments statistical estimates. The guidance includes specific procedures to ensure: (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll- forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct. We confirmed that IRS implemented these detailed steps as part of its formal unpaid assessments estimation process during fiscal year 2010. ID number: 08-06; Recommendation: In instances where computer programs that control penalty assessments are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM. (long-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008), page 10; Status per IRS: Closed. The cross-functional working group to address penalty and interest programming issues continues to identify and assess penalty and interest issues. Presently IRS has resolved or implemented program changes and tested them for eight of the identified issues. IRS also implemented program changes and is either reviewing test data or requesting data for testing for four work requests; Status per GAO: Open. While IRS completed corrective actions to address some of the programming issues and is continuing work on others identified from its internal review, it has not yet completed all of its planned programming corrections. We will continue to review IRS's corrective actions to address this recommendation during our fiscal year 2011 audit. ID number: 08-07; Recommendation: Develop and provide comprehensive guidance to assist Taxpayer Assistance Center (TAC) managers in conducting reviews of outlying TACs and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008), page 11; Status per IRS: Open. W&I Field Assistance (FA) continues to use the TAC Security Remittance Review Database (TSRRD) to document supervisory reviews. Managers are required to conduct and document their reviews to ensure the protection of data and compliance with remittance and security procedures. FA updated the questions in the TSRRD to document supervisory reviews conducted at the TACs. Additionally, FA will rephrase any database questions for clarification as needed. FA provided continuing professional education (CPE) training in 2010 to managers and staff on how to use the TSRRD and will provide CPE training again for 2011. Territory Managers are required to review the information input to the TSRRD database per the IRM. Field Assistance Headquarters (HQ) will randomly request data to validate responses. HQ completed an analysis of the data and shared it with area offices. HQ conducted five on-site reviews in two area offices and found TACs are following the required procedures; Status per GAO: Open. IRS's efforts to address our recommendation are ongoing. FA informed us that all of the reviews assessing controls over taxpayer receipts and information are documented in the TSRRD. However, during our fiscal year 2010 audit, we found that certain questions in the TSRRD were unclear or ambiguous, contributing to incorrect responses entered by group managers completing the reviews. We will continue to evaluate the effectiveness of IRS's corrective actions during our fiscal year 2011 audit. ID number: 08-12; Recommendation: Establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to Taxpayer Assistance Centers (TAC) and other field offices. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008), page 16; Status per IRS: Open. IRS continues to work with the General Services Administration (GSA) to complete janitorial background investigations. GSA completed background investigations for approximately 96 percent of the Level III and Level IV buildings. IRS requested a Background Investigation (BI) for all IRS facilities; however, GSA agreed to perform background investigations only for some buildings (level III and IV). IRS expects GSA to complete delivery on this entire initiative by June 15, 2011. In the interim, IRS requested that GSA arrange for daytime janitorial cleaning only, in order for IRS employees to observe janitorial staff in buildings where a BI has not been conducted; Status per GAO: Open. IRS's efforts to address our recommendation are ongoing. We will continue to evaluate IRS's actions during our fiscal year 2011 audit. ID number: 08-13; Recommendation: Require including, in all shredding service contracts, provisions requiring (1) completed background investigations for contractor employees before they are granted access to sensitive IRS information, and (2) periodic, unannounced inspections at off-site shredding facilities by IRS to verify ongoing compliance with IRS safeguards and security requirements. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008), page 17; Status per IRS: Closed. The National NISH Contract services 552 (95 percent) of the 584 locations needing shredding service. IRS will add the remainder of the locations as NISH gains capability. All non-NISH shredding contractors follow the same performance work statement as that of the National NISH Contract. As individual local contracts expire, IRS adds this specific requirement to new contracts. In the interim, all contractors under the old contract provisions have agreed to comply with this specific requirement, even though the old contract has not yet expired; Status per GAO: Closed. IRS provided a Performance Work Statement for Secured Document Destruction Services for the remaining sites not covered under the nationwide NISH contract, which states that the (1) contractor shall perform background investigations on all employees involved in IRS document destruction and that these investigations shall be performed using NISH guidelines and (2) provisions of the contract must allow for, at a minimum, the annual IRS inspection of the contractor facility and operations to ensure the safeguarding of IRS information. ID number: 08-14; Recommendation: Revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; document the results, including identification of any security issues; and verify that the contractor has taken appropriate corrective actions on any security issues observed. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008), page 17; Status per IRS: Closed. The IRM specifies that the contract contain provisions for IRS inspection of the contractor facility and operations to ensure the safeguarding of IRS information, including periodic unannounced inspections at off-site contractor facilities. The Performance Work Statement for NISH and non-NISH shredding contractors includes provisions that require contractor reviews and stipulates that the compliance reviews may be conducted unannounced. Further, as the national contract administrator, NISH is required to document results of its reviews and follow up with local contractors to make sure any corrective actions that may be needed are developed; Status per GAO: Open. IRS's update to the IRM specifies that off-site shredding contracts contain provisions for periodic IRS inspections; however, the language does not include specific provisions requiring that IRS personnel (1) conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; (2) document the results, including identification of any security issues; and (3) verify that the contractor has taken appropriate corrective actions on any security issues observed. During our March 2011 internal control testing conducted as part of our ongoing fiscal year 2011 IRS financial audit, we found that while the appropriate language was included in the shredding contracts, site inspections were not being performed by IRS personnel. ID number: 08-15; Recommendation: Establish procedures to require obtaining and reviewing documentation of completed background investigations for all shredding contractors before granting them access to taxpayer or other sensitive IRS information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008), page 18; Status per IRS: Closed. NISH reviewed all background investigations upon visiting contractor facilities to ensure local sub-contractors were in compliance. NISH obtained and reviewed the lists of contractor employees and the dates of their completed background investigations from the Prime Contractor prior to the start date of the contractual duties. NISH and non-NISH vendors are required to report to the IRS on a quarterly basis (within 30 days of the end of each fiscal quarter) the start date for each employee on the Contract as well as the completion date of the NACI-type background investigation. IRS requires a National Association for Information Destruction (NAID) Contractor certification or alternatively, a NAID compliant certification if the vendor is not a member of NAID. This is a higher standard than the typical fingerprint review or criminal record check. IRS annually reviews all contractor records and performs a random check of contractor records to ensure compliance; Status per GAO: Closed. IRS included language in the Performance Work Statement for Secured Document Destruction Services that requires shredding contactor companies to report to IRS on a quarterly basis the start date and background investigation completion date for each contractor involved in the destruction of IRS information. ID number: 08-17; Recommendation: Reinforce existing policies requiring verification of the information on Form 13094 (Recommendation for Juvenile Employment) by contacting the reference directly and documenting the details of this contact. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008), page 19; Status per IRS: Closed. The HCO Employment, Talent, and Security (ETS) Division conducted aggressive training and outreach to Employment Offices on using the current version of Form 13094 (Recommendation for Juvenile Employment), contacting appropriate references and documenting results accordingly. The Director, ETS, implemented an internal tracking system to monitor juvenile hires and validated that references were checked and documented. The system is updated each pay period. Area Directors conduct monthly reviews of the program and report to the Director on a bi-monthly basis at Senior Leaders' Operation Review meetings. The Director monitors the Treasury Integrated Management Information System (TIMIS) focus reports of Juvenile hires every month. ETS developed a centralized quality review of forms for juveniles hired during fiscal year 2011 and completed internal program audits during the first and second quarters of fiscal year 2011; Status per GAO: Open. IRS's actions to date have not been fully effective in addressing the issues that gave rise to our recommendation. During our fiscal year 2010 audit, we found that IRS employment offices did not obtain a correctly completed Form 13094 for 28 of the 38 juveniles hired between October 1, 2009, and April 30, 2010. In these instances, the person that signed as the reference was different than the person listed as the reference on Form 13094. In addition, we identified one instance where the IRS employment office staff did not document the required verification of the information on Form 13094 by contacting the reference directly, which was due to the IRS employment office using the outdated Form 13094. We will continue to review IRS's corrective actions during our fiscal year 2011 audit. ID number: 08-24; Recommendation: Issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approvals of travel authorizations prior to the initiation of their travel. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 4, 2008), page 25; Status per IRS: Closed. Agency-Wide Shared Services (AWSS) Employee Support Services Travel Services implemented in March 2010 a system of contacting employees who are scheduled to travel within three days and whose authorization is unsigned. If the travel is still necessary, the traveler's manager must sign the authorization, reducing the instances of unauthorized travel; Status per GAO: Open. During our fiscal year 2010 audit, we found four instances in which IRS employees conducted official travel prior to obtaining written supervisory approval. One of these trips occurred after IRS (1) issued a memorandum reiterating the policy to prepare an authorization before traveling and (2) implemented its new procedures for contacting employees with unsigned travel authorizations. Because the employee in this case did not submit the travel request until 1 business day before travel, IRS's new system of contacting employees was ineffective in reducing unauthorized travel in this instance. We will continue to monitor the effectiveness of IRS's actions during our fiscal year 2011 audit. ID number: 09-03; Recommendation: Document in the IRM minimum requirements for establishing criteria for time discrepancies or other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off-site surveillance of couriers. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009), page 10; Status per IRS: Open. IRS will develop minimum requirements to use off- site courier surveillance when SP observers note time discrepancies or other inconsistencies as documented on Form 10160, Receipt for Transport of IRS Deposit. SP will update the Statement of Work and the IRM during the third quarter of fiscal year 2011. SP Headquarters Deposit Analysts started surveillance of courier contractors during the unannounced internal security reviews beginning in August 2010 and conducted the final review in December 2010. IRS updated the Lockbox Security Guidelines (LSG) in January 2011 to require that lockbox banks conduct an annual analysis to establish acceptable courier timeframes of inbound and outbound deliveries; Status per GAO: Open. IRS's efforts to address our recommendation are ongoing. We will continue to evaluate IRS's actions during our fiscal year 2011 audit. ID number: 09-04; Recommendation: Document in the IRM minimum requirements for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009), page 10; Status per IRS: Open. IRS will document minimum requirements in the IRM for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information after reviews are completed as discussed in recommendation 09-03. IRS will make these updates to the Courier Contract Statement of Work and the IRM during the third quarter of fiscal year 2011; Status per GAO: Open. IRS's efforts to address our recommendation are ongoing. We will continue to evaluate IRS's actions during our fiscal year 2011 audit. ID number: 09-05; Recommendation: Establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual Taxpayer Assistance Center (TAC) location, group, territory, area, and nationwide. (long-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009), page 11; Status per IRS: Open. W&I Field Assistance (FA) and Accounts Management Services have developed an electronic Form 795 which automates the existing manual remittance reporting process. IRS has reached the first milestone in building the Collection Activity Report, which tracks cash and non-cash remittances by geographical regions, which the territories now use. FA will start mandating use of the revised Form 795A to collect and report the data at the TAC level. Anticipated completion of the recommendation is October 2012; Status per GAO: Open. IRS's efforts to address our recommendation are ongoing. We will continue to evaluate IRS's actions during our fiscal year 2011 audit. ID number: 09-06; Recommendation: Establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009), page 13; Status per IRS: Closed. PSEP Risk Management requested that PSEP Area Directors and Territory Managers validate their new local procedures to address the IRM requirement. This validation includes implementation and compliance with the procedures. PSEP Risk Management confirmed that this action was completed by September 7, 2010; Status per GAO: Open. IRS responded to the recommendation by revising its IRM to require a readily available inventory of all duress alarms for individuals conducting the alarm tests. However, this revision did not include specific instructions or guidance that would ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests. As a result, during our fiscal year 2010 audit, we found that duress alarm testing did not cover all duress alarms at the location for seven of the eight field offices we visited. We will continue to evaluate this issue during our fiscal year 2011 audit. ID number: 09-07; Recommendation: Establish procedures to periodically update the inventory of duress alarms at each Taxpayer Assistance Center (TAC) location to ensure that the inventory is current and complete as of the testing date. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009), page 13; Status per IRS: Closed. PSEP Risk Management requested that PSEP Area Directors and Territory Managers validate their new local procedures to address this IRM requirement. PSEP Risk Management confirmed that this action was completed by September 7, 2010; Status per GAO: Open. While IRS implemented a policy in the IRM requiring a quarterly validation of the duress alarm inventory, specific instructions or guidance outlining how this policy would be met were not implemented. As a result, during our fiscal year 2010 financial audit, we identified instances at all eight field offices we visited where duress alarm testing did not include a documented quarterly validation of the inventory of all duress alarms as required by the IRM. Additionally, we noted several instances where duress alarm points listed on the inventory provided to the test conductor were either no longer in TAC space or had been removed. For example, one noted location of a duress alarm was in a space occupied by a non- IRS agency and the other had been removed due to a space conversion. We will continue to evaluate this issue during our fiscal year 2011 audit. ID number: 09-08; Recommendation: Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory, including date, findings, and planned corrective action and (2) track the findings until they are properly resolved. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009), page 13; Status per IRS: Closed. Physical Security and Emergency Preparedness (PSEP) Risk Management requested that PSEP Area Directors and Territory Managers validate their new local procedures to address this IRM requirement. PSEP Risk Management confirmed that this action was completed by September 7, 2010; Status per GAO: Open. During our fiscal year 2010 financial audit, we identified instances at all eight field offices we visited where local instructions, outlining necessary steps for properly completing the quarterly duress alarm tests, were not provided to the individual(s) performing the duress alarm testing. For example, at three field offices we visited, instructions identifying the location of each duress alarm on site were not provided to the local official performing the test resulting in the omission of several alarms from the test. At four other field offices, we found that the conductor did not receive the test results for all the duress alarm points because the test conductor was not instructed to allow a waiting period before activating the alarms. As a result, the central monitoring station never received the signal. We will continue to evaluate this issue during our fiscal year 2011 audit. ID number: 09-09; Recommendation: Establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station and (2) the emergency contact list for each location is current and includes only appropriate contacts. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009), page 13; Status per IRS: Closed. PSEP Risk Management developed detailed procedures for the Emergency Signal History Reports that were sent to the Area Directors and Territory Managers. The procedures require that security analysts review and document their review of the Emergency Signal History Reports. PSEP RM distributed the procedures on August 3, 2010; Status per GAO: Open. During our fiscal year 2010 financial audit, we identified instances at all eight field offices we visited where there was no routine documented review of the Emergency Signal History Report or emergency contact list provided to the central monitoring station. During our discussions, PSEP analysts and others responsible for conducting the tests were unsure as to how to obtain the "Emergency Signal History Report" and associated zone description and disposition information outlined in the IRM. Furthermore, we identified several instances where the central monitoring station contact list was either outdated or listed unqualified individuals as the first responder. We will continue to evaluate IRS's actions during our fiscal year 2011 audit. ID number: 09-11; Recommendation: Revise the IRM section related to the limited use of expired appropriations to provide additional guidance to help employees distinguish between procurement actions that constitute new obligations and those that merely adjust or liquidate prior obligations that the IRS incurred during an expired appropriation's original period of availability. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009), page 17; Status per IRS: Closed. IRS published one new IRM section and revised two IRM sections to provide additional guidance and establish year-end procedures for expired and closing appropriations. The CFO published IRM 1.35.15. Annual Close Guidelines effective September 8, 2009. Agency-Wide Shared Services revised IRM 1.32.6, Purchase Card Program Handbook effective January 21, 2010, and Corporate Budget revised IRM 1.33.4, Financial Operating Guidelines, effective April 1, 2010; Status per GAO: Closed. We reviewed IRM 1.35.15, which was issued September 8, 2009, and noted that it provides policies and procedures for expired appropriations (including situations when it is appropriate to use expired appropriations), procedures for closing transactions with canceled appropriations, and policies for paying invoices after a fiscal year appropriation is canceled. We also reviewed the revised version of IRM 1.33.4, which clarified procedures regarding the use of expired appropriations and used examples to further illustrate the policies and procedures. We reviewed IRM 1.32.6 which was revised as of January 21, 2010, and determined that the revisions addressed the issue of improperly using expired appropriations to fund purchase card transactions. ID number: 09-13; Recommendation: Perform existing reviews of transactions recorded in undelivered orders obligation accounts in a more timely manner in an effort to detect and correct errors, such as duplicate receipt and acceptance charges, earlier in the process. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009), page 19; Status per IRS: Closed. The CFO initiated weekly reviews of receipt and acceptance transactions to more timely identify and correct errors. The policies and procedures were updated accordingly in December 2008; Status per GAO: Closed. We obtained information about the Aging Unliquidated Accruals (AUA) process, which is designed to review IRS receipt and acceptance transactions in order to more timely identify and correct errors. We confirmed that IRS was conducting the AUA reviews. ID number: 09-14; Recommendation: Establish a formal, documented process for identifying over time the full range of IRS's programs and underlying activities, outputs, and services for which IRS believes full cost information would be useful to executives and program managers. Such a process should (1) be formally established and documented through policies, procedures, guidance, meeting minutes, and other appropriate means; (2) define the roles and responsibilities of the Chief Financial Officer (CFO) and other business units in the process; and (3) be focused on the goal of determining what cost information would be useful and the most appropriate means of developing and reporting it for both existing programs and new programs as they are initiated. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009), page 22; Status per IRS: Closed. The Associate Chief Financial Officer for Internal Financial Management documented and formalized the cost accounting policy and process including the roles and responsibilities of the Chief Financial Officer, business units, and the Cost Users Group in IRM 1.32.3, Managerial Cost Accounting. The IRM was published in July 2009 and revised in June 2010. The Chief Financial Officer continues to determine useful cost information and the ways for developing and reporting this information for existing programs and new programs as they are initiated; Status per GAO: Closed. The revised IRM section assigns the CFO responsibility for "working with each unit to identify the specific costs accumulated for identified products and services or metrics and designing the proper costing and allocation methodologies." IRS established the Cost User's Group as the formal mechanism though which IRS's business units can participate in identifying and developing full cost information for their various programs and activities. The Cost User's Group has established a 2-year history of regular meetings focused on Managerial Cost Accounting and the development of internal cost-benefit information for business units. ID number: 09-15; Recommendation: For each of the IRS programs, activities, outputs, and services identified for which full cost information would be useful to IRS executives and program managers, complete the development of full cost methodologies to routinely accumulate and report on their full costs, including down to the activity level where appropriate. Such full cost data should be readily accessible to IRS program managers whenever they are needed, and they should include both personnel costs based on time spent on specific activities as well as all associated non-personnel costs and be drawn from or reconcilable to IRS's financial accounting system. (long-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009), page 22; Status per IRS: Closed. IRS developed cost performance measures at the request of management for a range of products and services in Enforcement and Operations Support. These measures have been incorporated into a series of regularly updated reports to management for their review and action. The CFO continually updates cost benefit analyses related to Field Collection; Automated Collection System (ACS); Automated Substitute for Return (ASFR); Automated Underreporter (AUR); Field Exam; Correspondence Exam; and Earned Income Tax Credit (EITC)-Exam and EITC-AUR, Notices, CAWR/FUTA, 6020(b) as well as additional analyses requested by the Business Units; Status per GAO: Closed. IRS has continued to conduct annual updates of the internal cost-benefit analyses for several programs, and it has completed additional analyses. Although IRS has not yet completed internal cost-benefit analyses of the full range of its programs and activities, its continuing progress in responding to the requests of the business units for internal cost-benefit information fulfills the intent of our recommendation. ID number: 09-16; Recommendation: Develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities that include measures of the full cost of, and the revenue collected from, those programs and activities (return on investment) to assist IRS's managers in optimizing resource allocation decisions and evaluating the effectiveness of their activities. (long-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 24, 2009), page 25; Status per IRS: Closed. The IRS improved the analytical tools it uses to make informed resource decisions for major enforcement programs. The IRS continued to use cost/benefit analysis, return on investment, evaluation of possible future scenarios, and enterprise risk management techniques for a wide range of resource allocations decisions, such as service and enforcement initiatives included in the President's Budget. The IRS continued to use a broader set of tools to evaluate its enforcement program, such as cost/benefit analysis that incorporates a wide range of tangible and intangible costs and benefits (such as equitable coverage rates for different groups of taxpayers, enhancing respect for the law, and ensuring that disadvantaged populations of taxpayers receive adequate levels of service). It is not prudent to rely exclusively on return on investment as the sole determinant of resource allocation; Status per GAO: Open. Although IRS began using internal cost-benefit analyses and projections as part of its support for future enforcement initiatives in its annual budget submissions, it has not developed outcome-oriented performance measures and related goals to measure the effectiveness of its existing programs. We recognize that IRS must take into consideration coverage and equitable taxpayer treatment when making decisions, and we have not advocated that IRS use cost-benefit analysis as the sole measure of effectiveness. However, measuring the cost-benefit--return on investment--of IRS's enforcement programs and activities is an important element in measuring their effectiveness. IRS continues to update internal cost-benefit data annually for the enforcement programs for which it had previously developed such data, and it developed new internal cost-benefit data for additional programs. Such analyses could be, but have not been, used to develop performance metrics and related goals. We will continue to review and monitor IRS's progress in addressing this recommendation during our fiscal year 2011 audit. ID number: 10-01; Recommendation: Review the results of IRS's unpaid assessments compensating statistical estimation process to identify and document instances where systemic limitations in the Custodial Detail Data Base (CDDB) resulted in misclassifications of account balances that, in turn, resulted in material inaccuracies in the amounts of reported unpaid assessments. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 10; Status per IRS: Open. Each year IRS identifies misclassifications of account balances during the review of the sample cases selected for the unpaid assessment statistical estimation and corrects the errors. In the cases of misclassification of account balances caused by a systemic limitation in CDDB, IRS has identified pending programming changes to improve the business rules used by CDDB to accurately classify unpaid tax assessments. IRS is scheduled to implement these changes in June 2011; Status per GAO: Open. During our fiscal year 2010 audit, we and IRS continued to identify misclassified unpaid assessments accounts resulting from systemic limitations. As part of its unpaid assessments estimation process, IRS identified 33 cases in its taxes receivable sample that were either misclassified in whole or in part due to CDDB systemic limitations and recorded adjustments to these accounts to reflect the correct classification or value at the point in time that IRS sampled the account information. On the basis of a statistical projection of these individual adjustments, IRS made multibillion dollar adjustments to the year-end balances of all three categories of unpaid tax assessments generated by CDDB in order to produce reliable amounts for external reporting. While IRS identified and documented specific account modules that were misclassified as a result of systemic limitations, it has not compiled a listing of these systemic limitations in order to track and monitor the status of programming changes aimed at addressing these limitations. We will continue to monitor IRS's actions to address this recommendation as part of our fiscal year 2011 audit. ID number: 10-02; Recommendation: Research and implement programming changes to allow the Custodial Detail Data Base (CDDB) to more accurately classify such accounts among the three categories of unpaid tax assessments. (short- term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 10; Status per IRS: Open. IRS continues to identify programming changes to improve the accuracy of the classification of the three categories of unpaid tax assessments in CDDB. Five additional programming changes are scheduled to be implemented to improve the classification of installment agreements, to address one-time refund offsets, to allow CDDB to correctly adjust balances in the subsidiary ledger in cases where TFRP payments were not cross-referenced correctly, and to add an allocation methodology in CDDB to classify modules with split financial classifications; Status per GAO: Open. IRS is in the process of implementing numerous programming changes to improve CDDB's accuracy in classifying accounts among the three categories of unpaid assessments. We will continue to monitor IRS's corrective actions to address this recommendation as part of our fiscal year 2011 audit. ID number: 10-03; Recommendation: Research and identify control weaknesses resulting in inaccuracies or errors in taxpayer accounts that materially affect the financial reporting of unpaid tax assessments. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 10; Status per IRS: Open. Each year IRS identifies and corrects misclassifications of account balances during the review of the sample cases selected for the unpaid assessment statistical estimation. In addition, IRS reviews IRM procedures to ensure proper internal controls are in place, makes revisions when necessary, and ensures the internal control processes are followed. IRS compiled a detailed report of errors identified during the financial audit process for fiscal year 2010. On December 8, 2010, CFO distributed this report to the Business Operating Divisions to remediate the errors; Status per GAO: Open. During our fiscal year 2010 audit, we and IRS continued to identify misclassified unpaid assessments accounts resulting from IRS processing errors or delays. As part of its unpaid assessments estimation process, IRS identified 15 cases in its taxes receivable sample that were misclassified in whole or in part due to errors in the taxpayer accounts, and recorded adjustments to these accounts to reflect the correct classification or value at the point in time that IRS sampled the account information. On the basis of a statistical projection of these individual adjustments, IRS made multibillion dollar adjustments to the year-end balances of all three categories of unpaid tax assessments generated by CDDB in order to produce reliable amounts for external reporting. While IRS compiled a report listing the errors identified in its unpaid assessment estimation process and attempted to identify the IRS unit where the error occurred, IRS did not identify the control weaknesses that resulted in the error or delay. IRS cannot implement appropriate corrective actions unless it knows the control weakness or weaknesses that resulted in the error or delay. We will continue to monitor IRS's actions to address this recommendation as part of our fiscal year 2011 and future audits. ID number: 10-04; Recommendation: Once IRS identifies the control weaknesses that result in inaccuracies or errors that materially affect the financial reporting of unpaid tax assessments, implement control procedures to routinely prevent, or to detect and correct, such errors. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page. 10; Status per IRS: Open. IRS will continue to identify and validate corrective actions that were completed. IRS will continue to monitor appropriate procedures, controls and program modifications. IRS compiled a detailed report of errors identified during the financial audit process for fiscal year 2010. On December 8, 2010, CFO distributed this report to the Business Operating Divisions to remediate the errors; Status per GAO: Open. During our fiscal year 2010 audit, we and IRS continued to identify misclassified unpaid assessments accounts resulting from IRS processing errors or delays. As part of its unpaid assessments estimation process, IRS identified 15 cases in its taxes receivable sample that were misclassified in whole or in part due to errors in the taxpayer accounts, and recorded adjustments to these accounts to reflect the correct classification or value at the point in time that IRS sampled the account information. On the basis of a statistical projection of these individual adjustments, IRS made multibillion dollar adjustments to the year-end balances of all three categories of unpaid tax assessments generated by CDDB in order to produce reliable amounts for external reporting. While IRS compiled a report listing the errors identified in its unpaid assessment estimation process and attempted to identify the IRS unit where the error occurred, IRS did not identify the control weaknesses that resulted in the error or delay. IRS cannot implement appropriate corrective actions unless it knows the control weakness or weaknesses that resulted in the error or delay. We will continue to monitor IRS's actions to address this recommendation as part of our fiscal year 2011 audit. ID number: 10-05; Recommendation: Revise the IRM to provide specific requirements for supervisors to review the accuracy of credit transactions related to Trust Fund Recovery Penalty (TFRP) payments processed through the Automated Trust Fund Recovery (ATFR) system. This guidance should provide specific areas to review and list the ATFR system reports that can facilitate supervisory reviews. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 15; Status per IRS: Open. IRS revised the IRM in May 2010 to include supervisory reviews of credit transactions related to TFRP payments processed through ATFR and to identify the areas and ATFR system reports to review. IRS will add an additional IRM requirement to include 100 percent review of payment cross-references prior to account postings. Publication of the revised IRM is expected by the end of fiscal year 2011; Status per GAO: Open. IRS is in the process of adding an additional IRM requirement to specify how supervisors should review processed TFRP transactions for accuracy. In the meantime, IRS revised the IRM to provide guidance on how supervisors should manage a unit's TFRP payment inventory to ensure timely processing. We will continue to monitor IRS's actions to address this recommendation during our fiscal year 2011 audit. ID number: 10-06; Recommendation: Formalize and implement the quarterly reviews of Trust Fund Recovery Penalty (TFRP) payment transactions to monitor compliance with the IRM requirements. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 15; Status per IRS: Open. IRS implemented its formal quarterly reviews of TFRP payment transactions to monitor compliance with IRM requirements and began its official reviews in April 2010. IRS completed reviews in May, August, and September 2010. The reviews will be performed on a quarterly basis. IRS will create formal documentation of this process by the end of calendar year 2011; Status per GAO: Open. While IRS has formally implemented quarterly reviews of TFRP payment transactions, it is still in the process of formalizing standard procedures for the review, the analysis of results, and the corrective actions based on its analysis. We will continue to monitor IRS's actions to address this recommendation during our fiscal year 2011 audit. ID number: 10-07; Recommendation: Develop procedures to analyze the results of the quarterly reviews of Trust Fund Recovery Penalty (TFRP) payment transactions so that specific factors causing the errors are identified. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 15; Status per IRS: Open. IRS implemented its formal quarterly reviews in April 2010 which encompass procedures for both Campus and Headquarters to identify and analyze error trends based on the findings from each quarterly review and the cumulative review results. This process will continue on a quarterly basis. IRS will create formal documentation for this process by the end of calendar year 2011; Status per GAO: Open. While IRS has formally implemented quarterly reviews of TFRP payment transactions, it is still in the process of formalizing standard procedures for the review, the analysis of results, and the corrective actions based on its analysis. We will continue to monitor IRS's actions to address this recommendation during our fiscal year 2011 audit. ID number: 10-08; Recommendation: Develop procedures to address the factors causing errors in the processing of Trust Fund Recovery Penalty (TFRP) payment transactions identified through the analyses of the quarterly review results. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 15; Status per IRS: Open. IRS developed procedures for addressing the root causes of error trends found during the quarterly and cumulative Quality Assurance Internal Compliance Reviews. This process will continue on a quarterly basis. IRS will create formal documentation for this process by the end of calendar year 2011; Status per GAO: Open. While IRS has formally implemented quarterly reviews of TFRP payment transactions, it is still in the process of formalizing standard procedures for the review, the analysis of results, and the corrective actions based on its analysis. We will continue to monitor IRS's actions to address this recommendation during our fiscal year 2011 audit. ID number: 10-09; Recommendation: Revise the existing methodology for extracting the preposted revenue component of the comparison of general ledger tax revenue receipts to the detailed transaction support in the master files to ensure that nontax revenues and tax revenue transactions already posted to the master files are properly excluded. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 17; Status per IRS: Closed. IRS revised and tested the extraction methodology in May 2010 to exclude non-tax and posted revenue transactions from the pre-posted revenue file. IRS provided to GAO the 9-month sample file in July 2010 for the audit with successful results; Status per GAO: Closed. IRS revised its methodology for extracting the preposted revenue component of its general ledger to master files comparison. This revised methodology appropriately ensures that nontax revenues and tax revenue transactions already posted to the master files are properly excluded. ID number: 10-10; Recommendation: Update the desk procedures governing the comparison of general ledger tax revenue receipts to the detailed transaction support in the master files to ensure that the procedures reflect the current process and controls. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 17; Status per IRS: Closed. IRS updated the desk procedures for the general ledger to master file comparison on December 21, 2010; Status per GAO: Closed. IRS updated the desk procedures governing the general ledger to master files comparison to ensure that it reflects the most current process and controls. In addition, we were informed by CFO officials that these procedures would be revisited periodically to ensure they remain current. ID number: 10-11; Recommendation: Revise the cost allocation desk guide to better document the cost allocation process. This should include ensuring that all key processing steps are included and identifying the key sources of input data and the controls necessary to help ensure their reliability. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 19; Status per IRS: Closed. IRS revised the cost allocation desk guide on January 29, 2010, to better document the cost allocation process. The guide includes key processing steps, identification of input data sources, and the controls to ensure their reliability; Status per GAO: Closed. We verified that IRS revised its cost allocation desk guide and created work instructions/job aids that include key processing steps, key sources of input data, and controls to ensure reliability throughout the cost allocation process. ID number: 10-12; Recommendation: Revise the IRM and cost allocation desk guide to require appropriate segregation of duties within the cost allocation process. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 20; Status per IRS: Closed. The CFO updated the IRM relating to Managerial Cost Accounting, on June 8, 2010, and the cost allocation desk guide on January 29, 2010, to require appropriate segregation of duties within the cost allocation process; Status per GAO: Closed. We verified that IRS revised its IRM and cost allocation desk guide to require segregation of duties when creating, executing, and reconciling monthly cost allocation cycles. During our fiscal year 2010 audit, we observed that IRS implemented these new requirements. IRS segregated the duties of cost accountants during its edit check processes (which occur between executing cycle runs) by having a cost accountant other than the one executing the edit check verify that the cycle ran successfully. ID number: 10-13; Recommendation: Revise the IRM and cost allocation desk guide to require timely, documented supervisory reviews at key process points to help prevent and detect cost allocation processing errors. (short- term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 20; Status per IRS: Closed. The CFO updated the IRM relating to Managerial Cost Accounting, on June 8, 2010, and the cost allocation desk guide on January 29, 2010, to require documented supervisory reviews within the cost allocation process; Status per GAO: Closed. We verified that IRS revised its IRM and cost allocation desk guide to require documented supervisory reviews when creating, executing, and reconciling monthly cost allocation cycles. During our fiscal year 2010 audit, we observed that IRS implemented these new requirements. Specifically, the supervisor reviewed and signed off on completed cycle-run steps within the cycle-run spreadsheet before the cost accountants proceeded to the next step. ID number: 10-14; Recommendation: Establish controls over the cycle-run spreadsheet to help minimize the risk of error or omission. At a minimum, this should include assigning a unique, sortable identifier to each row in the spreadsheet and implementing controls to promptly and accurately record the status of processing steps in a manner that ensures each cycle run is performed and is performed in the proper sequence. (short- term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 20; Status per IRS: Closed. IRS established procedures and controls over the master version of the cycle-run spreadsheet to minimize the risk of error or omission on May 6, 2010. Each step in the process contains a unique cycle identifier for the cycle-run order. Reviews and validations are conducted to ensure that each cycle is performed in the proper sequence. The cycle-run spreadsheet is controlled to limit access to only authorized employees; Status per GAO: Closed. We verified that IRS established procedures and implemented controls over the cycle-run spreadsheet, including supervisory review and sign-off of completed cycle-run steps within the cycle-run spreadsheet before the cost accountants proceed to the next step. While IRS chose not to assign a unique, sortable identifier to each row in the spreadsheet, the implementation of supervisory reviews at key processing steps helped to ensure that each cycle run was performed and performed in the proper sequence and thus met the intent of our recommendation. ID number: 10-15; Recommendation: Revise the IRM to require IRS's Central Insolvency Operation (CIO) to timely provide service center campuses (SSC) an acknowledgment of receipt for each Form 3210 transmittal related to a duplicate refund transcript sent to them by a service center campus for review. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 21; Status per IRS: Open. IRS is in the process of revising the IRM specifically relating to Payments in Bankruptcy to include a provision requiring that receipt acknowledgments for Form 3210 be returned timely to the originator. Until the changes in IRM are effective, CIO has issued an e-mail alert with these instructions to the manager of the CIO department that works the duplicate refund transcripts; Status per GAO: Open. During our fiscal year 2010 audit, we continued to find instances where the manual refund units at the service centers tested either did not have procedures for communicating the information taken from the Duplicate Refund (DUPREF) transcripts, or the information was not routed in a timely manner. As IRS has noted, it is in the process of revising the IRM. We will continue to evaluate IRS's corrective actions during our fiscal year 2011 financial audit. Additionally, we will review revisions to the IRM to validate procedural revisions specific to this recommendation as well as e-mail alerts that precede the IRM revisions. ID number: 10-16; Recommendation: Revise the IRM to require service center campuses (SCC) to verify that an acknowledgment of receipt has been received from IRS's Central Insolvency Operation (CIO) for 100 percent of the form 3210 transmittals related to duplicate refund transcripts they have forwarded to CIO for review. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 21; Status per IRS: Open. IRS revised the IRM to include procedures for verifying Form 3210 acknowledgments received from CIO for duplicate refund transcripts at service center campuses. The IRM instructs the Accounting function to review the transcript and stop the duplicate refund prior to cycle cutoff. The intended recipient will then route the acknowledgments to the originator for any subsequent action. IRS will update the fiscal year 2011 revision of the IRM with additional procedures for recipients to route documents to the required function within 24 hours of receipt/review; Status per GAO: Open. We have verified that IRS has revised the IRM to include procedures for verifying acknowledgments received from CIO for duplicate refund transcripts at SCCs. We will continue to evaluate the effectiveness of IRS's ongoing efforts to address this recommendation during our fiscal year 2011 audit. ID number: 10-17; Recommendation: Revise the IRM to require service center campuses (SCC) to resolve any instances in which an acknowledgment of receipt for a Form 3210 transmittal related to duplicate refund transcripts is not received. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 21; Status per IRS: Open. IRS revised the IRM to include procedures for following up and resolving instances where Form 3210 was not received from the Central Insolvency Operation function; Status per GAO: Open. We have verified that IRS has revised the IRM to include procedures for following-up and resolving instances where Form 3210 transmittals were not received from the Central Insolvency Operation (CIO). We will continue to evaluate the effectiveness of IRS's ongoing efforts to address this recommendation during our fiscal year 2011 audit. ID number: 10-18; Recommendation: Require service center campuses to acknowledge unprocessable items with receipts received from lockbox banks. (short- term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 23; Status per IRS: Open. IRS developed the Lockbox Document Transmittal (LDT) forms (for IMF and BMF) and the related instructions for use when transferring unprocessable items with receipts from lockbox banks to service center campuses. The forms include an acknowledgment page that is verified by the Submission Processing Center (SPC) and is faxed back to the lockbox bank site; Status per GAO: Open. We plan to evaluate the effectiveness of IRS's corrective actions during our fiscal year 2011 audit. ID number: 10-19; Recommendation: Establish procedures to track service center campus acknowledgments of unprocessable items with receipts. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 23; Status per IRS: Open. IRS added instructions to the IRM in December 2010, addressing receipt and acknowledgment of the lockbox transmittal form. IRS issued an Alert to add new procedures to the IRM that require acknowledging and retaining copies of the new Lockbox Transmittal. IRS also issued an Alert to add new procedures to acknowledge LDT if a package of unprocessable receipts is sent directly to Batching; Status per GAO: Open. We plan to evaluate the effectiveness of IRS's corrective actions during our fiscal year 2011 audit. ID number: 10-20; Recommendation: Establish procedures to monitor the process used by service center campuses (SCC) and lockbox banks to acknowledge and track transmittals of unprocessable items with receipts. These procedures should include monitoring discrepancies and instituting appropriate corrective actions as needed. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 23; Status per IRS: Open. IRS developed the LDT forms for transferring unprocessable items with receipts from lockbox banks to service center campuses. The instructions include follow-up procedures for unacknowledged LDTs and for handling inconsistencies when the volume does not agree. The 2011 IRM and lockbox processing guidelines (LPG) will include instructions. The forms include an acknowledgment page that the SPC will verify and fax back to the lockbox bank site daily. In December 2010, IRS updated the Processing Internal Control (PIC) data collection instrument (DCI) to include random reviews performed by the Lockbox Field Coordinators of the retained LDTs and faxed acknowledgments. These reviews will take place during peak on-site reviews. Also in December 2010, IRS updated the Receipt and Control Mail Out Package DCI. Each Lockbox Field Coordinator met with their applicable lockbox bank site personnel, as well as their SPC receiving areas, and provided instructions and training on the new LDT process. IRS conducted LDT training in September 2010. The existing Lockbox DCI, specifically the Receipt and Control Mail Out Package DCI and the Unprocessable With-Remit DCI, captured review data through December 31, 2010. SP will provide feedback from the DCI reviews to the SPCs and Lockbox Bank Sites; Status per GAO: Open. We plan to evaluate the effectiveness of IRS's corrective actions during our fiscal year 2011 audit. ID number: 10-21; Recommendation: Review the Physical Security and Emergency Preparedness audit management checklist for clarity and revise the assessment questions as appropriate. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 25; Status per IRS: Closed. AWSS's PSEP reviewed the questions on the audit management checklist and modified them for clarity on November 29, 2010, for use in calendar year 2011; Status per GAO: Closed. IRS reviewed the audit management checklist and revised assessment questions on November 29, 2010, to more clearly identify which questions were relevant to the type of IRS facility being reviewed. ID number: 10-22; Recommendation: Issue written guidance to accompany the Physical Security and Emergency Preparedness audit management checklist that explains the relevance of the questions and the methods that should be used to assess and test the related controls. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 25; Status per IRS: Closed. AWSS's PSEP incorporated instructions for completing the audit management checklist and included them in the November 29, 2010, revision for use during calendar year 2011; Status per GAO: Closed. IRS issued written guidance for completing the audit management checklist on November 29, 2010. ID number: 10-23; Recommendation: Provide training to physical security analysts responsible for completing the Physical Security and Emergency Preparedness audit management checklist to help ensure that checklist questions are answered appropriately and accurately. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 25; Status per IRS: Closed. IRS provided training to physical security analysts on completing the audit management checklist on December 15, 2010; Status per GAO: Closed. IRS PSEP Territory Directors validated to their Area Directors on December 15, 2010, that all security analysts received Audit Management Checklist training. ID number: 10-24; Recommendation: Establish and document the minimum frequency for how often the Physical Security and Emergency Preparedness audit management checklist should be completed at each service center campus (SCC) and field office. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 25; Status per IRS: Closed. AWSS's PSEP documented the frequency for completing the audit management checklist at the service center campuses and field offices in the PSEP Standard Operating Procedure Audit Activity Management Program, dated July 27, 2010; Status per GAO: Closed. On July 27, 2010, IRS established and documented the minimum frequency for how often the audit management checklist should be completed at each SCC and field office. ID number: 10-25; Recommendation: Establish policies requiring documented managerial reviews of completed Physical Security and Emergency Preparedness audit management checklists. These reviews should document (1) the time and date of the review, (2) the name of the manager performing the review, (3) the supporting documentation reviewed, (4) any problems identified with the responses on the checklists, and (5) corrective actions to be taken. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 25; Status per IRS: Closed. AWSS's PSEP modified the PSEP Standard Operating Procedure Audit Activity Management Program, on July 27, 2010, to establish policies requiring documented managerial reviews of completed audit management checklists; Status per GAO: Closed. In July 2010, IRS established policies requiring documented managerial reviews of completed audit management checklists. The newly established policies require that the territory manager's review include a review of supporting documentation to verify the accuracy of the responses on the checklist, problems identified with responses, and corrective actions to be taken; and be digitally signed and dated by the territory manager. ID number: 10-26; Recommendation: Review the Taxpayer Assistance Center Security and Remittance Review Database (TSRRD) for clarity and revise review questions as appropriate. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 28; Status per IRS: Open. IRS included guidance on how to use the TAC Security and Remittance Review Database (TSRRD) in the 2010 and 2011 CPE training via the Filing Season Readiness (FSR) Workshop. IRS provided the 2011 FSR training through December 31, 2010 via the web. TAC managers certified to their Territory Managers on January 14, 2011, that they had completed this training; Status per GAO: Open. We will evaluate the effectiveness of IRS's corrective actions during our fiscal year 2011 audit. ID number: 10-27; Recommendation: Provide training to Taxpayer Assistance Center (TAC) group managers to assist with their understanding of the TAC Security and Remittance Review Database (TSRRD) review questions and related objectives. This training should be provided on an ongoing basis to account for changes in TSRRD questions and for newly hired or appointed TAC group managers. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 28; Status per IRS: Open. IRS included guidance on how to use the TAC TSRRD in the 2010 and 2011 CPE training via the Filing Season Readiness (FSR) Workshop. IRS provided the 2011 FSR training through December 31, 2010 via the web. TAC managers certified to their Territory Managers on January 14, 2011 that they had completed this training; Status per GAO: Open. We will evaluate the effectiveness of IRS's corrective actions during our fiscal year 2011 audit. ID number: 10-28; Recommendation: Establish policies that require territory managers or a manager at least one level above the group manager to periodically review the information entered into the Taxpayer Assistance Center Security and Remittance Review Database (TSRRD) for accuracy and completeness prior to the results being forwarded to Field Assistance Office headquarters management. This review should be signed and documented, and include (1) the time and date of the review, (2) the name of the manager performing the review, (3) the task performed during the review, (4) any problems or questions identified, and (5) planned corrective actions. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 28; Status per IRS: Closed. IRS Territory Managers (TM) are required to review the information input by TAC group managers into the TAC TSRRD prior to sending it to Field Assistance headquarters management per IRM 1.4.11-11. TAC managers use the TSRRD to document supervisory reviews. Managers must establish and maintain appropriate recordkeeping systems which will support the data that is submitted in the TSRRD. Upon completion, managers will print a copy prior to electronic submission, which may be used for the TM's follow-up review. Once the manager submits the information in the TSRRD, the TM will review the information for accuracy and completeness prior to the deadline. The TM will sign, date, and address any problems, questions, or planned corrective actions for each review. The TM may document these actions in the operational review process; Status per GAO: Closed. We verified that IRS established policies in the IRM that require territory managers to review the information input by group managers into the TSRRD prior to sending it to FA headquarters. The newly established policies require that territory managers sign and date the review, as well as address any problems, questions or planned corrective actions. ID number: 10-29; Recommendation: Analyze the various contractor access arrangements and establish a policy that requires security awareness training for all IRS contractors who are provided unescorted physical access to its facilities or taxpayer receipts and information. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 29; Status per IRS: Closed. AWSS's PSEP revised Procurement Policy 39.1(c) on September 7, 2010, to require security awareness training for all IRS contractors with unescorted physical access to taxpayer information. AWSS PSEP changed the policy to require contractors who were previously exempted from Security Awareness Training to take the PSEP briefing within 10 days of reporting to duty and annually thereafter; Status per GAO: Open. IRS's actions to date have not met the intent of our recommendation. IRS's Revised Procurement Policy 39.1(c) states that certain types of contractors, such as janitorial and building maintenance (who can have unescorted, unsupervised physical access to taxpayer information), are not required to receive Security Awareness Training--with the exception of Physical Security Training (also referred to as the PSEP briefing). However, the PSEP briefing does not cover key elements of security awareness, including (1) authorized and unauthorized disclosures of taxpayer information, (2) basic protection policies concerning taxpayer receipts and information, and (3) federal penalties for not protecting this information. We will continue to assess IRS's actions in this area during our fiscal year 2011 audit. ID number: 10-30; Recommendation: Designate management responsibility and establish a process for monitoring compliance with and enforcing the IRM requirement for all service center campus Unit Security Representatives (USR) to complete (1) the required initial USR training prior to assuming their responsibilities, and (2) annual refresher training each year thereafter. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 31; Status per IRS: Open. All USRs and alternate USRs completed the initial USR training class by May 31, 2010. New USRs will complete the initial USR training class prior to assuming their responsibilities. Annual refresher training is mandatory for all USRs thereafter. The IDRS Security Project Management Office will implement a reporting capability to identify USRs who fail to comply with initial and annual refresher training requirements. The reporting process will track USR compliance in the Enterprise Learning Management System (ELMS) Learning History and provide notification to affected USRs, their respective managers, and the USR points of contact for remediation, when necessary; Status per GAO: Open. During our fiscal year 2010 audit, we continued to find that USRs did not complete the required initial USR training or complete the required annual refresher training, or both. We will evaluate the effectiveness of IRS's ongoing efforts to address this recommendation, during our fiscal year 2011 audit. We will also verify that IRS has implemented a reporting capability to identify USRs who have failed to comply with initial and annual refresher training requirements. ID number: 10-31; Recommendation: Update service center campus Unit Security Representatives' (USR) training manuals to ensure they reflect current security policies and procedures. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 31; Status per IRS: Closed. On December 15, 2009, the IDRS Project Management Office launched two new ELMS Interactive online training courses for all IDRS USRs to incorporate current security policies and procedures. In collaboration with MITS E-Learning, these interactive training courses include slide presentations and accompanying voice- recording narratives; Status per GAO: Closed. IRS has documented and we have verified that the USR training manuals were updated in December 2009. We will, however, continue to monitor IRS's updates and improvements to ensure that training manuals reflect current security policies and procedures. ID number: 10-32; Recommendation: Establish a process to periodically review and update service center campus Unit Security Representatives (USR) training materials as appropriate. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 31; Status per IRS: Open. The IDRS Security Project Management Office will ensure annual reviews of the IDRS USR training material occur. Annual reviews were implemented on December 31, 2010. Training material will be updated as appropriate. The IRS completed a review and update of USR training materials in December 2009. In November 2010, the IRS completed another review of USR training material. As a result, the initial and refresher USR courses are being updated; Status per GAO: Open. The steps IRS has taken to address the issues related to this recommendation were implemented after our fiscal year 2010 audit's completion. Therefore, we will review and evaluate IRS's implementation of annual reviews as well as initial and refresher USR courses during our fiscal year 2011 audit. ID number: 10-33; Recommendation: Establish procedures requiring the Director of IRS's Human Capital Office, Leadership, Education and Delivery Services (HCO LEADS) or designee to periodically monitor each business unit's progress in complying with mandatory briefing requirements. (short- term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 33; Status per IRS: Open. Effective July 17, 2010, LEADS provided weekly statistics on each unit's progress in complying with the mandatory briefings requirement broken out by Business Unit. LEADS will distribute quarterly summary reports to the heads of offices; Status per GAO: Open. IRS's efforts to address our recommendation are ongoing. We will evaluate IRS's actions during our fiscal year 2011 audit. ID number: 10-34; Recommendation: Establish procedures requiring contracting officers (COs) or contracting officer's technical representatives (COTRs) to obtain and retain written documentation from end users confirming receipt and acceptability of purchased goods or services prior to entering acknowledgment of receipt and acceptance in the Web Request Tracking System (WebTRS). (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 34; Status per IRS: Closed. IRS updated the Receipt and Acceptance Handbook in March 2010 to include the requirement to obtain and retain documentation to support receipt and acceptance before entering the acknowledgment in WebRTS. In addition, Procurement's Policy and Procedures Memorandum relating to Monitoring Receipt, Acceptance and Quality Assurance through Contract Administration Plans, instructs all Procurement personnel and COTRs to maintain documentation of receipt of supplies or services. IRS has reinforced this requirement through presentations at the 2010 Procurement Partnership Conference in March 2010, and the 2010 CFO Customer Conference in May 2010; Status per GAO: Closed. We confirmed that IRS updated the Receipt and Acceptance Handbook in March 2010 to include the requirement to obtain and retain documentation to support receipt and acceptance before entering the acknowledgment in WebRTS. However during our fiscal year 2010 audit, we found eight instances in which the COTRs did not either obtain or retain written documentation confirming receipt of the service from the end user prior to entering receipt and acceptance. Of these eight instances, three occurred following IRS's update to its guidance. We will continue to monitor the issue in future audits and assess the effectiveness of IRS's actions to determine what additional corrective actions may be needed. ID number: 10-35; Recommendation: Reiterate IRS's policy for staff to indicate in the Web Request Tracking System (WebRTS) during final receipt and acceptance that the payment is a final payment to close out a contract or purchase order to help ensure any remaining obligated funds are timely deobligated. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 37; Status per IRS: Closed. IRS issued a WebRTS broadcast e-mail to all WebRTS users on June 2, 2010, to reinforce the use of the receipt and acceptance final flag to ensure timely closure of obligations; Status per GAO: Closed. We reviewed the WebRTS broadcast e-mail message and noted that it does reinforce the use of the receipt and acceptance final flag to ensure timely closure of obligations. ID number: 10-36; Recommendation: Re-evaluate and, as necessary, revise the aging criteria for the Aging Unliquidated Obligation reviews so that unliquidated obligations are reviewed sooner in order to timely detect and deobligate excess obligations. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 37; Status per IRS: Closed. On January 4, 2010, the IRS revised the aging criteria for the fiscal year 2010 Aging Unliquidated Obligation reviews from 300 days to 240 days to review a broader scope of unliquidated obligations sooner. IRS determined that decreasing the aging criteria further would not only provide a minimal benefit, but increases the Aging Unliquidated Obligation review volume to an unreasonable level; Status per GAO: Closed. During the fiscal year 2010 audit, we confirmed that IRS reevaluated the aging criteria for Aging Unliquidated Obligation reviews and revised the aging criteria for obligations from over 300 days of no activity to over 240 days of no activity. ID number: 10-37; Recommendation: Provide technicians and supervisors who are responsible for recording and reviewing obligation transactions with training on the proper usage of manually linked obligation transactions to reinforce IRS's existing policy requiring that transactions be recorded accurately to the upward and downward adjustments to prior year obligation accounts. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 39; Status per IRS: Closed. IRS revised the internal Beckley Finance Center process, updated the related procedures, and provided additional training to technicians and supervisors responsible for the manual linking of obligations in October 2009. IRS provided GAO with copies of the procedures and a walk-through of the Beckley Finance Center process on March 11, 2010; Status per GAO: Closed. IRS updated the procedures related to manually linked up/down transactions and provided additional training to technicians and supervisors responsible for the manual linking of obligations in October 2009. We did not find any exceptions that were related to this issue in our fiscal year 2010 audit testing. ID number: 10-38; Recommendation: Develop controls to improve the linked obligation transaction review process to timely detect and correct erroneous links between unrelated upward and downward adjustments to prior year obligation transactions. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 39; Status per IRS: Closed. IRS revised internal Beckley Finance Center processes and implemented procedures to add a second level review of all linked obligations at the time of actual linking on March 16, 2010; Status per GAO: Closed. IRS established review procedures of manually linked up/down transactions. We did not find any exceptions that were related to this issue in our fiscal year 2010 audit testing. ID number: 10-39; Recommendation: Establish a formal funds control process to set aside amounts for tax law enforcement and related support activities, as required by annual appropriations acts. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 43; Status per IRS: Closed. The Tax Law Enforcement Appropriations set- aside requirement was not included in the full year continuing appropriations act for fiscal year 2011, as amended. The appropriations act contained language that specifically eliminated it; Status per GAO: Closed. The Tax Law Enforcement Appropriations set- aside requirement is not included in the full year continuing appropriations act for fiscal year 2011, as amended; therefore there is no similar set-aside requirement in fiscal year 2011. Because our recommendation is contingent on a set-aside requirement that is included in the appropriations act; and such a requirement was not included in fiscal year 2011 appropriations act, we are closing this recommendation. However, if such a set-aside requirement should exist in future years, IRS should establish a funds control process to ensure compliance. ID number: 10-40; Recommendation: Establish a policy to periodically monitor throughout the year the amount of different appropriations accounts attributed to the set-aside to assess IRS's progress toward complying with the requirement. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 43; Status per IRS: Closed. The IRS has established a policy to periodically monitor its progress toward achieving the targeted level of activity for tax law enforcement and related support activities; Status per GAO: Closed. During the fiscal year 2010 audit, we confirmed that IRS established a process to periodically monitor its progress toward achieving compliance with the enforcement set-aside requirement. ID number: 10-41; Recommendation: Based on the results of its periodic assessments, take action to allocate the required amount of appropriations to tax law enforcement and related support activities to comply with the set- aside requirement. (short-term); Source report: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GAO-10- 565R, June 28, 2010), page 43; Status per IRS: Closed. The Tax Law Enforcement Appropriations set- aside requirement was not included in the full year continuing appropriations act for fiscal year 2011, as amended. The appropriations act contained language that specifically eliminated it; Status per GAO: Closed. The Tax Law Enforcement Appropriations set- aside requirement is not included in the full year continuing appropriations act for fiscal year 2011, as amended; therefore there is no similar set-aside requirement in fiscal year 2011. Because our recommendation is contingent on a set-aside requirement that is included in the appropriations act, and such a requirement was not included in fiscal year 2011 appropriations act, we are closing this recommendation. ID number: 11-01; Recommendation: Put procedures in place to periodically monitor the effectiveness of the new First-Time Home Buyers Credit (FTHBC) validity checks for the duration of the filing of FTHBC claims to verify that they are working as intended. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 9; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-02; Recommendation: Establish a mechanism to enforce the existing requirement for appropriate managers to immediately notify the manual refund units of any personnel changes affecting the approval or processing of manual refunds. This may be accomplished through mechanisms such as issuing periodic alerts, providing training or having the manual refund unit perform quarterly validations of the list of manual refund approving officials, or a combination of these. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 10; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-03; Recommendation: Send out a reminder to all staff to follow policies and procedures for obtaining approval and funding of proposed purchases prior to entering into an agreement with vendors. (short- term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 13; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-04; Recommendation: Establish formal written procedures requiring staff to review purchase contract terms against the goods and services received to date before requesting additional goods or services. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 13; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-05; Recommendation: Establish procedures to centrally review and monitor the timeliness of personnel action requests and approvals to help ensure compliance with the IRM and applicable Office of Personnel Management (OPM) regulations and guidance. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 15; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-06; Recommendation: Adopt the local field office's timekeeping procedures or similar procedures for entering and verifying the accuracy of time and attendance information entered into the Single Entry Time Reporting System (SETR) throughout IRS for use by all units in which employees do not enter their own time charges directly to SETR. (short- term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 17; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-07; Recommendation: Further revise the detailed procedures for implementing the requirement to validate the appropriateness of the National Finance Center (NFC) programming changes after such changes are made. These revisions should (1) clarify the criteria for determining which programming changes will be subject to validation, (2) identify officials responsible for making and documenting these determinations, and (3) require postimplementation statistical sampling from a targeted population that consists of employees who are most likely to be affected by the NFC programming change. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 20; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-08; Recommendation: Take steps to effectively implement procedures at the Beckley Finance Center requiring cash receipts to be immediately logged under dual control when first discovered in the mail room. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 22; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-09; Recommendation: Take steps to effectively implement procedures at the Beckley Finance Center requiring mail room staff to maintain custody of the control log at all times. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 22; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-10; Recommendation: Take steps to effectively implement procedures at the Beckley Finance Center requiring the amount of cash receipts initially discovered in the mail room to be independently reconciled to the amount deposited and recorded in the general ledger. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 22; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-11; Recommendation: Perform a review of all existing contracts under $100,000 that (1) do not have an appointed contracting officer's technical representative (COTR) and (2) do not require that contract employees obtain background investigations to assess whether the services performed under each contract warrant a requirement that contract employees obtain background investigations. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 24; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-12; Recommendation: Based on a review of all existing contracts under $100,000 without an appointed contracting officer's technical representative (COTR) that should require contract employees to obtain favorable background investigation results, amend those contracts to require that favorable background investigations be obtained for all relevant contract employees before routine, unescorted, unsupervised physical access to taxpayer information is granted. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 24; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-13; Recommendation: Establish a policy requiring collaborative oversight between IRS's key offices in determining whether potential service contracts involve routine, unescorted, unsupervised physical access to taxpayer information, thus requiring background investigations, regardless of contract award amount. This policy should include a process for the requiring business unit to communicate to the Office of Procurement and the Human Capital Office the services to be provided under the contract and any potential exposure of taxpayer information to contract employees providing the services, and for all three units to (1) evaluate the risk of exposure of taxpayer information prior to finalizing and awarding the contract and (2) ensure that the final contract requires favorable background investigations as applicable, commensurate with the assessed risk. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 24; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-14; Recommendation: Establish procedures to provide a consistent methodology for calculating and establishing allowable deposit courier trip time limits to be used by both service center campuses and lockbox banks that would assist in detecting potential unauthorized stops or other contractual violations for deposit couriers. Such procedures should include instructions for documenting and supporting how the trip limits were determined and require justification and approval for all established time limits that exceed the average trip time. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 27; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-15; Recommendation: Establish procedures to require periodic reassessments of, and updates to, deposit courier allowable trip time limits to account for changes in courier routes or other conditions that may affect trip times. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 27; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-16; Recommendation: Enforce existing contractual requirements for the cargo doors of contract courier vehicles to be locked after picking up taxpayer information. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 29; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-17; Recommendation: Establish procedures to prevent or detect unauthorized access to taxpayer information in contract courier vehicles during transit. These procedures should detail specific activities to be performed by both the business units sending and receiving the information transported by the contract courier. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 29; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-18; Recommendation: Revise the guidance for conducting the periodic reviews of the contract couriers transporting taxpayer information from one IRS processing facility to another to include procedures for (1) physically verifying that courier vehicle cargo doors are locked after picking up this information and remain locked during transit to the final destination and (2) documenting the basis for the reviewer's conclusions. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 29; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-19; Recommendation: Revise the IRM to include a comprehensive process that Small Business/Self Employed (SB/SE) unit managers should follow when performing reviews of the document transmittal process for determining whether staff are (1) maintaining control copies of document transmittal forms, (2) reconciling all document transmittal forms on a biweekly basis to ensure that all transmittals were received, and (3) following up on transmittals that are not timely acknowledged. (short- term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 31; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-20; Recommendation: Revise the IRM to include specifying minimally acceptable steps the Small Business/Self Employed (SB/SE) unit managers should follow in documenting the results of required reviews of the document transmittal process. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 32; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-21; Recommendation: Define and specify in the IRM which types of IRS facilities constitute a processing facility. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 33; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-22; Recommendation: Perform an assessment of the off-site processing facilities to determine the frequency with which compliance reviews should be performed for these locations commensurate with the specific operational activities performed and the assessed level of risk associated with the facility. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 34; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-23; Recommendation: Based on the results of an assessment of off-site processing facilities that process taxpayer receipts and related taxpayer information, revise the IRM to specify the frequency with which compliance reviews should be performed at these facilities. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 34; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-24; Recommendation: Revise the post orders for the service center campuses (SCC) and lockbox bank security guards to include specific procedures for timely reporting exterior lighting outages to SCC or lockbox bank facilities management. These procedures should specify (1) whom to contact to report lighting outages and (2) how to document and track lighting outages until resolved. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 35; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-25; Recommendation: Revise the nature and scope of the service center campuses' (SCC) and lockbox banks' physical security reviews to include periodic after dark assessments of physical security controls. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 35; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-26; Recommendation: Take steps to effectively implement the procedures requiring property staff to verify that the asset purchase price shown in the Asset Management Report agrees with the asset purchase price shown in the Integrated Financial System (IFS) and to resolve any variances before entering the information into the Information Technology Asset Management System (ITAMS). (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 37; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-27; Recommendation: Finalize procedures requiring that copier hard drives be removed and destroyed or otherwise appropriately cleaned before disposing of copiers. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 39; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-28; Recommendation: Revise the IRM to incorporate the new copier disposal procedures that require that copier hard drives be removed and destroyed or otherwise appropriately cleaned before disposing of copiers. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 39; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. ID number: 11-29; Recommendation: Issue a memorandum to all business units reminding them that only designated Real Estate Facilities Management (REFM) staff are authorized to dispose of copiers. (short-term); Source report: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness (GAO-11-494R, June 21, 2011), page 39; Status per IRS: Because this is a new recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will verify IRS's corrective actions during our fiscal year 2011 and future audits. Source: GAO and IRS. [End of table] [End of section] Appendix II: Open Recommendations Arranged by Material Weakness, Significant Deficiency, Compliance, or Other Control Issue: For several years, we have reported material weaknesses, significant deficiencies, noncompliance with laws and regulations, and other control issues in our annual financial statement audits and related management reports.[Footnote 49] Appendix II provides summary information regarding the primary issue to which each open recommendation is most closely related. To compile this summary, we analyzed the nature of the open recommendations to relate them to the material weaknesses, significant deficiency, compliance issue, or other control issues (not associated with a material weakness, significant deficiency, or compliance issue) identified as part of our financial statement audit. Material Weakness: Unpaid Tax Assessments: The Internal Revenue Service (IRS) has weaknesses in its internal control over the management of unpaid tax assessments resulting from the agency's (1) inability to use its general ledger and underlying subsidiary records to report federal taxes receivable, compliance assessments, and writeoffs in accordance with federal accounting standards without significant compensating procedures, (2) lack of transaction traceability for the reported balance in taxes receivable that comprises over 80 percent of IRS's total assets as of September 30, 2010, and an effective transaction-based subledger for unpaid tax assessment transactions, and (3) inability to effectively prevent or timely detect and correct errors in taxpayer accounts. The recommendations in table 12 address these weaknesses. Table 12: Material Weakness: Controls over Unpaid Assessments: ID number: 99-01; Recommendation: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received. (short-term); Control activity: Accurate and timely recording of transactions and events. ID number: 08-06; Recommendation: In instances where computer programs that control penalty assessments are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM. (long-term); Control activity: Accurate and timely recording of transactions and events. ID number: 10-01; Recommendation: Review the results of IRS's unpaid assessments compensating statistical estimation process to identify and document instances where systemic limitations in the Custodial Detail Data Base (CDDB) resulted in misclassifications of account balances that, in turn, resulted in material inaccuracies in the amounts of reported unpaid assessments. (short-term); Control activity: Accurate and timely recording of transactions and events. ID number: 10-02; Recommendation: Research and implement programming changes to allow the Custodial Detail Data Base (CDDB) to more accurately classify such accounts among the three categories of unpaid tax assessments. (short- term); Control activity: Accurate and timely recording of transactions and events. ID number: 10-03; Recommendation: Research and identify control weaknesses resulting in inaccuracies or errors in taxpayer accounts that materially affect the financial reporting of unpaid tax assessments. (short-term); Control activity: Accurate and timely recording of transactions and events. ID number: 10-04; Recommendation: Once IRS identifies the control weaknesses that result in inaccuracies or errors that materially affect the financial reporting of unpaid tax assessments, implement control procedures to routinely prevent, or to detect and correct, such errors. (short-term); Control activity: Accurate and timely recording of transactions and events. ID number: 10-05; Recommendation: Revise the IRM to provide specific requirements for supervisors to review the accuracy of credit transactions related to Trust Fund Recovery Penalty (TFRP) payments processed through the Automated Trust Fund Recovery (ATFR) system. This guidance should provide specific areas to review and list the ATFR system reports that can facilitate supervisory reviews. (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID number: 10-06; Recommendation: Formalize and implement the quarterly reviews of Trust Fund Recovery Penalty (TFRP) payment transactions to monitor compliance with IRM requirements. (short-term); Control activity: Reviews by management at the functional or activity level. ID number: 10-07; Recommendation: Develop procedures to analyze the results of the quarterly reviews of Trust Fund Recovery Penalty (TFRP) payment transactions so that specific factors causing the errors are identified. (short-term); Control activity: Accurate and timely recording of transactions and events. ID number: 10-08; Recommendation: Develop procedures to address the factors causing errors in the processing of Trust Fund Recovery Penalty (TFRP) payment transactions identified through the analyses of the quarterly review results. (short-term); Control activity: Accurate and timely recording of transactions and events. Source: GAO. [End of table] Material Weakness: Information Security: IRS has serious internal control weaknesses over information security that result primarily from IRS not having fully implemented key components of its information security program. These weaknesses, collectively, represent a material weakness. For example, (1) IRS's testing did not detect many of the vulnerabilities we identified and did not assess a key application in its current environment, and (2) IRS did not effectively validate corrective actions reported to resolve previously identified weaknesses. Although IRS has made some progress in addressing previous weaknesses we identified in its information systems and physical security controls, as of March 2011, there were 105 open recommendations designed to help IRS improve its information systems security controls. Those recommendations are reported separately and are not included in this report primarily because of the sensitive nature of some of the issues.[Footnote 50] Significant Deficiency: Tax Refund Disbursements: IRS has significant internal control weaknesses over its tax refund disbursements. In our audit of IRS's fiscal year 2010 financial statements,[Footnote 51] we reported a significant deficiency in IRS's internal control over tax refund disbursements that resulted from (1) a multiyear pattern of our identifying deficiencies in IRS's internal control over the processing of manual refunds, which we have reported for several years;[Footnote 52] (2) the increasing magnitude of manual tax refunds disbursed; and (3) new deficiencies associated with the First-Time Home Buyer Credit (FTHBC). This significant deficiency increases the risk that IRS may pay out duplicate or otherwise erroneous tax refunds to which individuals or businesses are not entitled and for which IRS must spend resources attempting to recover. The recommendations in table 13 address our findings. Table 13: Significant Deficiency: Tax Refund Disbursements: ID number: 05-38; Recommendation: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds. (short-term); Control activity: Reviews by management at the functional or activity level. ID number: 05-39; Recommendation: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds. (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID number: 06-01; Recommendation: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID number: 07-08; Recommendation: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. (short-term); Control activity: Management of human capital. ID number: 10-15; Recommendation: Revise the IRM to require IRS's Central Insolvency Operation (CIO) to timely provide service center campuses (SCC) an acknowledgment of receipt for each form 3210 transmittal related to a duplicate refund transcript sent to them by a service center campus for review. (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID number: 10-16; Recommendation: Revise the IRM to require service center campuses (SCC) to verify that an acknowledgment of receipt has been received from IRS's Central Insolvency Operation (CIO) for 100 percent of the form 3210 transmittals related to duplicate refund transcripts they have been forwarded to CIO for review. (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID number: 10-17; Recommendation: Revise the IRM to require service center campuses (SCC) to resolve any instances in which an acknowledgment of receipt for a form 3210 transmittal related to duplicate refund transcripts is not received. (short-term); Control activity: Appropriate documentation of transactions and internal controls. ID number: 11-01; Recommendation: Put procedures in place to periodically monitor the effectiveness of the new First-Time Home Buyers Credit (FTHBC) validity checks for the duration of the filing of FTHBC claims to verify that they are working as intended. (short-term); Control activity: Reviews by management at the functional or activity level. ID number: 11-02; Recommendation: Establish a mechanism to enforce the existing requirement for appropriate managers to immediately notify the manual refund units of any personnel changes affecting the approval or processing of manual refunds. This may be accomplished through mechanisms such as issuing periodic alerts, providing training or having the manual refund unit perform quarterly validations of the list of manual refund approving officials, or a combination of these. (short-term); Control activity: Reviews by management at the functional or activity level. Source: GAO. [End of table] Release of Federal Tax Liens: IRS continues to be noncompliant with the laws and regulations governing the release of federal tax liens.[Footnote 53] We found IRS did not always release applicable federal tax liens within 30 days of tax liabilities being either paid off or abated, as required by the Internal Revenue Code (section 6325). The Internal Revenue Code grants IRS the power to file a lien against the property of any taxpayer who neglects or refuses to pay all assessed federal taxes. The lien serves to protect the interest of the federal government and as a public notice to current and potential creditors of the government's interest in the taxpayer's property. The recommendation in table 14 addresses our finding. Table 14: Compliance with Laws and Regulations: Timely Release of Liens: ID number: 01-06; Recommendation: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues. (short-term); Control activity: Reviews by management at the functional or activity level. Source: GAO. [End of table] Other Control Issues: The 57 recommendations listed in table 15 pertain to issues that do not rise individually or in the aggregate to the level of a material weakness or significant deficiency in internal control, or to a reportable noncompliance with laws and regulations. However, these issues do represent weaknesses in various aspects of IRS's internal controls that should be addressed. Table 15: Other Control Issues Not Associated with a Material Weakness, Significant Deficiency, or Compliance Issue: ID number: 01-17; Recommendation: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur. (long-term); Control Activity: Accurate and timely recording of transactions and events. ID number: 05-32; Recommendation: Establish policies and procedures to require appropriate segregation of duties in small business/self-employed units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages. (short- term); Control Activity: Segregation of duties. ID number: 05-33; Recommendation: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information. (short-term); Control Activity: Reviews by management at the functional or activity level. ID number: 06-02; Recommendation: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including service center campuses (SCC), Taxpayer Assistance Centers (TAC), and units within the Large and Mid-sized Business (LMSB) and the Tax-Exempt and Government Entities (TE/GE) business operating units, establish a system to track acknowledged copies of document transmittals. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID number: 06-04; Recommendation: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID number: 06-05; Recommendation: Equip all Taxpayer Assistance Centers (TAC) with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers, such as locked doors marked with signs barring entrance by unescorted customers. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 07-04; Recommendation: Develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the Service Center Campus' (SCC) perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions. (short- term); Control Activity: Physical control over vulnerable assets. ID number: 07-20; Recommendation: Establish and maintain sufficient secured storage space to properly secure and safeguard property and equipment inventory, including in-stock inventories, assets from incoming shipments, and assets that are in the process of being excessed or shipped out, or both. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 08-07; Recommendation: Develop and provide comprehensive guidance to assist Taxpayer Assistance Center (TAC) managers in conducting reviews of outlying TACs and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID number: 08-12; Recommendation: Establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to Taxpayer Assistance Centers (TAC) and other field offices. (short-term); Control Activity: Access restrictions to and accountability for resources and records. ID number: 08-14; Recommendation: Revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; document the results, including identification of any security issues; and verify that the contractor has taken appropriate corrective actions on any security issues observed. (short-term); Control Activity: Reviews by management at the functional or activity level. ID number: 08-17; Recommendation: Reinforce existing policies requiring verification of the information on Form 13094 (Recommendation for Juvenile Employment) by contacting the reference directly and documenting the details of this contact. (short-term); Control Activity: Access restrictions to and accountability for resources and records. ID number: 08-24; Recommendation: Issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approvals of travel authorizations prior to the initiation of their travel. (short- term); Control Activity: Proper execution of transactions and events. ID number: 09-03; Recommendation: Document in the IRM minimum requirements for establishing criteria for time discrepancies or other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off-site surveillance of couriers. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 09-04; Recommendation: Document in the IRM minimum requirements for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 09-05; Recommendation: Establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual Taxpayer Assistance Center (TAC) location, group, territory, area, and nationwide. (long-term); Control Activity: Reviews by management at the functional or activity level. ID number: 09-06; Recommendation: Establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 09-07; Recommendation: Establish procedures to periodically update the inventory of duress alarms at each Taxpayer Assistance Center (TAC) location to ensure that the inventory is current and complete as of the testing date. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 09-08; Recommendation: Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory, including date, findings, and planned corrective action and (2) track the findings until they are properly resolved. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 09-09; Recommendation: Establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station and (2) the emergency contact list for each location is current and includes only appropriate contacts. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 09-16; Recommendation: Develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities that include measures of the full cost of, and the revenue collected from, those programs and activities (return on investment) to assist IRS's managers in optimizing resource allocation decisions and evaluating the effectiveness of their activities. (long-term); Control Activity: Establishment and review of performance measures and indicators. ID number: 10-18; Recommendation: Require service center campuses to acknowledge unprocessable items with receipts received from lockbox banks. (short- term); Control Activity: Accurate and timely recording of transactions and events. ID number: 10-19; Recommendation: Establish procedures to track service center campus acknowledgments of unprocessable items with receipts. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 10-20; Recommendation: Establish procedures to monitor the process used by service center campuses (SCC) and lockbox banks to acknowledge and track transmittals of unprocessable items with receipts. These procedures should include monitoring discrepancies and instituting appropriate corrective actions as needed. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 10-26; Recommendation: Review the Taxpayer Assistance Center Security and Remittance Review Database (TSRRD) for clarity and revise review questions as appropriate. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID number: 10-27; Recommendation: Provide training to Taxpayer Assistance Center (TAC) group managers to assist with their understanding of the TAC Security and Remittance Review Database (TSRRD) review questions and related objectives. This training should be provided on an ongoing basis to account for changes in TSRRD questions and for newly hired or appointed TAC group managers. (short-term); Control Activity: Management of human capital. ID number: 10-29; Recommendation: Analyze the various contractor access arrangements and establish a policy that requires security awareness training for all IRS contractors who are provided unescorted physical access to its facilities or taxpayer receipts and information. (short-term); Control Activity: Access restrictions to and accountability for resources and records. ID number: 10-30; Recommendation: Designate management responsibility and establish a process for monitoring compliance with and enforcing the IRM requirement for all service center campus Unit Security Representatives (USR) to complete (1) the required initial USR training prior to assuming their responsibilities, and (2) annual refresher training each year thereafter. (short-term); Control Activity: Management of human capital. ID number: 10-32; Recommendation: Establish a process to periodically review and update service center campus Unit Security Representatives (USR) training materials as appropriate. (short-term); Control Activity: Management of human capital. ID number: 10-33; Recommendation: Establish procedures requiring the Director of IRS's Human Capital Office, Leadership, Education and Delivery Services (HCO LEADS) or designee to periodically monitor each business unit's progress in complying with mandatory briefing requirements. (short- term); Control Activity: Reviews by management at the functional or activity level. ID number: 11-03; Recommendation: Send out a reminder to all staff to follow policies and procedures for obtaining approval and funding of proposed purchases prior to entering into an agreement with vendors. (short- term); Control Activity: Proper execution of transactions and events. ID number: 11-04; Recommendation: Establish formal written procedures requiring staff to review purchase contract terms against the goods and services received to date before requesting additional goods or services. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID number: 11-05; Recommendation: Establish procedures to centrally review and monitor the timeliness of personnel action requests and approvals to help ensure compliance with the IRM and applicable Office of Personnel Management (OPM) regulations and guidance. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID number: 11-06; Recommendation: Adopt the local field office's timekeeping procedures or similar procedures for entering and verifying the accuracy of time and attendance information entered into the Single Entry Time Reporting System (SETR) throughout IRS for use by all units in which employees do not enter their own time charges directly to SETR. (short- term); Control Activity: Accurate and timely recording of transactions and events. ID number: 11-07; Recommendation: Further revise the detailed procedures for implementing the requirement to validate the appropriateness of the National Finance Center (NFC) programming changes after such changes are made. These revisions should (1) clarify the criteria for determining which programming changes will be subject to validation, (2) identify officials responsible for making and documenting these determinations, and (3) require postimplementation statistical sampling from a targeted population that consists of employees who are most likely to be affected by the NFC programming changes. (short- term); Control Activity: Accurate and timely recording of transactions and events. ID number: 11-08; Recommendation: Take steps to effectively implement procedures at the Beckley Finance Center requiring cash receipts to be immediately logged under dual control when first discovered in the mail room. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 11-09; Recommendation: Take steps to effectively implement procedures at the Beckley Finance Center requiring mail room staff to maintain custody of the control log at all times. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 11-10; Recommendation: Take steps to effectively implement procedures at the Beckley Finance Center requiring the amount of cash receipts initially discovered in the mail room to be independently reconciled to the amount deposited and recorded in the general ledger. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 11-11; Recommendation: Perform a review of all existing contracts under $100,000 that (1) do not have an appointed contracting officer's technical representative (COTR) and (2) do not require that contract employees obtain background investigations to assess whether the services performed under each contract warrant a requirement that contract employees obtain background investigations. (short-term); Control Activity: Access restrictions to and accountability for resources and records. ID number: 11-12; Recommendation: Based on a review of all existing contracts under $100,000 without an appointed contracting officer's technical representative (COTR) that should require contract employees to obtain favorable background investigation results, amend those contracts to require that favorable background investigations be obtained for all relevant contract employees before routine, unescorted, unsupervised physical access to taxpayer information is granted. (short-term); Control Activity: Access restrictions to and accountability for resources and records. ID number: 11-13; Recommendation: Establish a policy requiring collaborative oversight between IRS's key offices in determining whether potential service contracts involve routine, unescorted, unsupervised physical access to taxpayer information, thus requiring background investigations, regardless of contract award amount. This policy should include a process for the requiring business unit to communicate to the Office of Procurement and the Human Capital Office the services to be provided under the contract and any potential exposure of taxpayer information to contract employees providing the services, and for all three units to (1) evaluate the risk of exposure of taxpayer information prior to finalizing and awarding the contract and (2) ensure that the final contract requires favorable background investigations as applicable, commensurate with the assessed risk. (short-term); Control Activity: Access restrictions to and accountability for resources and records. ID number: 11-14; Recommendation: Establish procedures to provide a consistent methodology for calculating and establishing allowable deposit courier trip time limits to be used by both service center campuses (SCCs) and lockbox banks that would assist in detecting potential unauthorized stops or other contractual violations by deposit couriers. Such procedures should include instructions for documenting and supporting how the trip limits were determined and require justification and approval for all established time limits that exceed the average trip time. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 11-15; Recommendation: Establish procedures to require periodic reassessments of and updates to deposit courier allowable trip time limits to account for changes in courier routes or other conditions that may affect trip times. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 11-16; Recommendation: Enforce existing contractual requirements for the cargo doors of contract courier vehicles to be locked after picking up taxpayer information. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 11-17; Recommendation: Establish procedures to prevent or detect unauthorized access to taxpayer information in contract courier vehicles during transit. These procedures should detail specific activities to be performed by both the business unit sending and receiving the information transported by the contract courier. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 11-18; Recommendation: Revise the guidance for conducting the periodic reviews of the contract couriers transporting taxpayer information from one IRS processing facility to another to include procedures for (1) physically verifying that courier vehicle cargo doors are locked after picking up this information and remain locked during transit to the final destination, and (2) documenting the basis for the reviewer's conclusions. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 11-19; Recommendation: Revise the IRM to include a comprehensive process that Small Business Self Employed (SBSE) unit managers should follow when performing reviews of the document transmittal process for determining whether staff are (1) maintaining control copies of document transmittal forms, (2) reconciling all document transmittal forms on a biweekly basis to ensure that all transmittals were received, and (3) following up on transmittals that are not timely acknowledged. (short- term); Control Activity: Appropriate documentation of transactions and internal controls. ID number: 11-20; Recommendation: Revise the IRM to include specifying minimally acceptable steps the Small Business Self Employed (SBSE) unit managers should follow in documenting the results of required reviews of the document transmittal process. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID number: 11-21; Recommendation: Define and specify in the IRM which types of IRS facilities constitute a processing facility. (short-term); Control Activity: Reviews by management at the functional or activity level. ID number: 11-22; Recommendation: Perform an assessment of off-site processing facilities to determine the frequency with which compliance reviews should be performed for these locations commensurate with the specific operational activities performed and the assessed level of risk associated with the facility. (short-term); Control Activity: Reviews by management at the functional or activity level. ID number: 11-23; Recommendation: Based on the results of an assessment of off-site processing facilities that process taxpayer receipts and related taxpayer information, revise the IRM to specify the frequency with which compliance reviews should be performed at these facilities. (short-term); Control Activity: Reviews by management at the functional or activity level. ID number: 11-24; Recommendation: Revise the post orders for the service center campuses (SCC) and lockbox bank security guards to include specific procedures for timely reporting exterior lighting outages to SCC or lockbox bank facilities management. These procedures should specify (1) whom to contact to report lighting outages and (2) how to document and track lighting outages until resolved. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID number: 11-25; Recommendation: Revise the nature and scope of the service center campuses' (SCC) and lockbox banks' physical security reviews to include periodic after dark assessments of physical security controls. (short-term); Control Activity: Reviews by management at the functional or activity level. ID number: 11-26; Recommendation: Take steps to effectively implement the procedures requiring property staff to verify that the asset purchase price shown in the Asset Management Report agrees with the asset purchase price shown in the Integrated Financial System (IFS) and to resolve any variances before entering the information into the Information Technology Asset Management System (ITAMS). (short-term); Control Activity: Accurate and timely recording of transactions and events. ID number: 11-27; Recommendation: Finalize procedures requiring that copier hard drives be removed and destroyed or otherwise appropriately cleaned before disposing of copiers. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 11-28; Recommendation: Revise the IRM to incorporate the new copier disposal procedures that require that copier hard drives be removed and destroyed or otherwise appropriately cleaned before disposing of copiers. (short-term); Control Activity: Physical control over vulnerable assets. ID number: 11-29; Recommendation: Issue a memorandum to all business units reminding them that only designated Real Estate Facilities Management (REFM) staff are authorized to dispose of copiers. (short-term); Control Activity: Physical control over vulnerable assets. Source: GAO. [End of table] [End of section] Appendix III: Comments from the Internal Revenue Service: Department Of The Treasury: Internal Revenue Service: Commissioner: Washington, D.C. 20224 June 9, 2011: Mr. Steven J. Sebastian: Director: Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Sebastian: I am writing in response to the Government Accountability Office (GAO) draft report titled IRS: Status of GAO Financial Audit and Related Financial Management Report Recommendations (GA0-11-536). As GAO noted in the report, IRS has made significant progress in improving its internal controls and financial management as evidenced by 11 consecutive years of clean audit opinions on its financial statement. We are pleased that you acknowledged our progress in addressing our financial management challenges and agreed to close 37 prior year financial management recommendations. We are committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. If you have any questions, please contact me, or a member of your staff may contact Pamela LaRue, Chief Financial Officer, at (202) 622-6400. Sincerely, Signed by: Douglas H. Shulman: [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov: Staff Acknowledgments: In addition to the contact named above, the following individuals made major contributions to this report: William J. Cordrey, Assistant Director; Crystal Alfred; Russell Brown; Ray B. Bush; Stephanie Chen; Jeremy Choi; Oliver Culley; Charles Ego; Doreen Eng; Charles Fox; Valerie Freeman; Ryan Guthrie; Ted Hu; Richard Larsen; Tuan Lam; Delores Lee; Jenny Li; Cynthia Ma; Joshua Marcus; Julie Phillips; John Sawyer; Christopher Spain; Cynthia Teddleton; Lien To; LaDonna Towler; Cherry Vasquez; Gary Wiggins; and Ting-Ting Wu. [End of section] Footnotes: [1] A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. [2] A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. [3] Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. See 31 U.S.C. § 3512(c), (d), commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA); see also, GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999), 4-5. The actions required by agencies and individual federal managers includes taking proactive measures to develop and implement appropriate, cost-effective internal control for results- oriented management; to assess the adequacy of internal control in federal programs and operations; to identify needed improvements; and to take corresponding corrective actions. [4] GAO, Financial Audit: IRS's Fiscal Years 2010 and 2009 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-11-142] (Washington, D.C.: Nov. 10, 2010). [5] An unpaid assessment is a legally enforceable claim against a taxpayer and consists of taxes, penalties, and interest that have not been collected or abated (a reduction in a tax assessment). [6] The term "outcome-oriented performance metrics," refers to the measurement of the end result of a work activity or series of activities, such as the taxes collected as a result of a tax assessment and the collection actions taken by IRS employees, such as telephone calls to tax debtors. [7] Although most of our recommendations regarding our information security work are sensitive and reported to IRS separately, we have reported our objectives, summary results, and nonsensitive recommendations in a publicly available report. See GAO, Information Security: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data, [hyperlink, http://www.gao.gov/products/GAO-11-308] (Washington, D.C.: Mar. 15, 2011). [8] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: Nov. 1, 1999), contains the internal control standards to be followed by executive agencies in establishing and maintaining systems of internal control as required by FMFIA. [9] The circular requires agencies and individual federal managers to take systematic and proactive measures to (1) develop and implement appropriate, cost-effective internal control for results-oriented management; (2) assess the adequacy of internal control in federal programs and operations; (3) separately assess and document internal control over financial reporting consistent with the process defined in app. A of the circular; (4) identify needed improvements; (5) take corresponding corrective action; and (6) report annually on internal control through management assurance statements. [10] See [hyperlink, http://www.gao.gov/products/GAO-11-308]. [11] GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls and Operating Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-11-494R] (Washington, D.C.: June 21, 2011). [12] GAO, Internal Control Standards: Internal Control Management and Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G] (Washington, D.C.: Aug. 1, 2001). [13] FASAB, Statement of Federal Financial Concepts No. 1: Objectives of Federal Financial Reporting, version 09 (Washington, D.C.: June 30, 2010). [14] [hyperlink, http://www.gao.gov/products/GAO-11-494R]. [15] See [hyperlink, http://www.gao.gov/products/GAO-11-308]. [16] [hyperlink, http://www.gao.gov/products/GAO-11-142]. [17] Unpaid assessments are unpaid taxes. For reporting purposes, federal accounting standards classify unpaid assessments into federal taxes receivables, compliance assessments, and writeoffs. Federal taxes receivable are taxes due from taxpayers for which IRS can support the existence of a receivable through taxpayer agreement or a favorable court ruling. Compliance assessments are assessments where neither the taxpayer nor the court has affirmed that the amounts are owed. Writeoffs represent unpaid tax assessments for which IRS does not expect further collection because of factors such as the taxpayer's death, bankruptcy, or insolvency. [18] [hyperlink, http://www.gao.gov/products/GAO-11-142]. [19] In January 2010, IRS implemented RRACS to account for custodial tax activities, including tax revenue, tax refunds, and taxes receivable. RRACS is an enhancement to the previous general ledger system known as the Interim Revenue Accounting Control System (IRACS) and RRACS is designed to conform to the governmentwide United States Standard General Ledger (USSGL) at the transaction level. [20] The Electronic Federal Tax Payment System is a tax payment system provided free by the U.S. Department of the Treasury, through which businesses and individuals can pay federal taxes electronically by means of the Internet or by phone. [21] [hyperlink, http://www.gao.gov/products/GAO-11-142]. [22] [hyperlink, http://www.gao.gov/products/GAO-11-494R]; GAO, Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-07-689R] (Washington, D.C.: May 11, 2007); Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-06-543R] (Washington, D.C.: May 12, 2006); and Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-05-247R] (Washington, D.C.: Apr. 27, 2005). [23] See the First-Time Home Buyers Credit (FTHBC), which is codified, as amended, at 26 U.S.C. § 36. The FTHBC was first enacted by section 3011 of the Housing and Economic Recovery Act of 2008. The new credit was originally available for a limited time only, applying to taxpayers who purchased a principal residence after April 8, 2008, and before July 1, 2009. Taxpayers were permitted to claim a fully refundable credit up to 10 percent of the purchase price of the home, with a maximum available credit of $7,500. This credit was to be repaid within 15 years with payments beginning in the 2011 and 2012 filing seasons, respectively, for 2008 and 2009 home purchases. Section 1006 of the American Recovery and Reinvestment Act of 2009 extended the FTHBC to include purchases made on or after January 1, 2009, and before December 1, 2009; increased the maximum credit to $8,000; and eliminated the repayment requirement as long as the taxpayer retains the residence for 36 months. Further, section 11 of the Worker, Homeownership, and Business Assistance Act of 2009 extended the FTHBC for purchases made from December 1, 2009, to April 30, 2010, and extended eligibility for the credit (with a maximum available credit of $6,500) to qualifying longtime resident homebuyers. The law allowed taxpayers to claim the credit if they entered into a binding contract for the purchase of a home prior to May 1, 2010, and closed on the home prior to July 1, 2010. Section 2 of the Homebuyer Assistance and Improvement Act of 2010 extended the closing deadline to September 30, 2010, for taxpayers who entered into a binding contract prior to May 1, 2010. While Congress did not renew the credit for tax year 2011, members of the military and certain other federal employees, who met certain requirements, had until April 30, 2011, to purchase a home or enter into a written binding contract in order to qualify for the credit. These taxpayers who entered into a binding contract prior to May 1, 2011, may also claim an FTHBC for a purchase made after April 30, 2011, and before July 1, 2011. [24] [hyperlink, http://www.gao.gov/products/GAO-11-142]. [25] An "outcome" is a measure of the end result of a work activity or series of activities, such as the taxes collected, and is a measure of the results of providing outputs. [26] IRS's performance metrics are reported externally by means of its Management Discussion and Analysis section of its annual financial statements. See GAO-11-142. [27] IRS's direct tax return on investment calculations include the agency's internal costs and the tax revenue collected. However, IRS's direct tax return on investment calculations have limitations that reflect the challenges of estimating returns on investments. For example, they do not include benefits of improved voluntary compliance. In addition, the "investment" or costs should ideally recognize not just IRS costs but any costs borne by others. IRS's return on investment estimates provide useful information but, given the limits of current data, are not complete estimates of benefits and costs. [28] An "output" measure is a measure of the quantity of services provided, such as the number of phone calls made to taxpayers in an effort to collect unpaid taxes. [29] IRS's measure of its "conviction efficiency rate" is a partial exception in that it measures the total cost of its criminal investigations divided by the number of convictions. [30] See appendix I, recommendation 09-16, in this report. [31] GAO, Internal Revenue Service: Fiscal Year 2009 Budget Request and Interim Performance Results of IRS's 2008 Tax Filing Season, [hyperlink, http://www.gao.gov/products/GAO-08-567] (Washington, D.C.: Mar. 13, 2008); Internal Revenue Service: Review of the Fiscal Year 2010 Budget Request, [hyperlink, http://www.gao.gov/products/GAO-09-754] (Washington, D.C.: June 13, 2009); and Internal Revenue Service: Assessment of Budget Justification for Fiscal Year 2011 Identified Opportunities to Enhance Transparency, [hyperlink, http://www.gao.gov/products/GAO-10-687R] (Washington, D.C.: May 26, 2010). [32] GAO, Financial Audit: IRS's Fiscal Years 2007 and 2006 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-08-166] (Washington, D.C.: Nov. 9, 2007); Financial Audit: IRS's Fiscal Years 2008 and 2007 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119] (Washington, D.C.: Nov. 10, 2008); and Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-09-513R] (Washington, D.C.: June 24, 2009). [33] FASAB, Statement of Federal Financial Concepts No. 1: Objectives of Federal Financial Reporting. [34] IRS's need to safeguard tax receipts and taxpayer information extends beyond the Control Activity of Safeguarding Assets, as reflected in tables 1 through 4 of this report. For our analysis in this section, we included recommendations related directly to guarding tax information and receipts, such as the transportation of information between IRS facilities, and those indirectly related, such as IRS's need to obtain background investigations on individuals with access to tax receipts or information. [35] Lockbox banks are financial institutions designated as depositories and financial agents of the U.S. government to perform certain financial services, including processing tax documents, depositing the receipts, and forwarding the documents and data to the IRS service center campuses (SCC) that process tax returns and payments. [36] GAO, Internal Revenue Service: Status of Financial Audit and Related Financial Management Report Recommendations, [hyperlink, http://www.gao.gov/products/GAO-10-597] (Washington, D.C.: June 30, 2010). [37] [hyperlink, http://www.gao.gov/products/GAO-11-494R]. [38] We define short-term recommendations as those that we believed could be addressed within 2 years from the time we made the recommendation. We define long-term recommendations as those we expected to require 2 years or more to implement from the time we made the recommendation. [39] See [hyperlink, http://www.gao.gov/products/GAO-11-308]. [40] [hyperlink, http://www.gao.gov/products/GAO-11-142]. [41] See [hyperlink, http://www.gao.gov/products/GAO-11-494R] for the recommendations resulting from our fiscal year 2010 audit. [42] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [43] The number of recommendations cited in the earlier report section on "challenges in resolving other internal control issues" in which we discuss the open recommendations concerning safeguarding taxpayer receipts and taxpayer information does not match the control activity information in the table 1 section on "safeguarding of assets and security activities." The recommendations concerning safeguarding of taxpayer receipts and taxpayer information included in that table 1 section are limited to those recommendations that are related directly to such safeguarding, such as physical safeguards over the transportation of checks and tax returns. Other recommendations that are related indirectly to safeguarding taxpayer receipts and information, such as management oversight and the adequacy of policies and procedures, are included in the other two sections of table 1, "proper recording and documenting of transactions" and "effective management review and oversight." The previous section's discussion of recommendations related to the "safeguarding of taxpayer receipts and information" includes both directly and indirectly related recommendations. [44] The majority of federal tax payments are made for both businesses and individuals through the Electronic Federal Tax Payment System. [45] Lockbox banks operate under contract with the Department of the Treasury's (Treasury) Financial Management Service. The three lockbox banks perform processing functions in seven locations throughout the United States. [46] Six of IRS's 10 service center campuses (SCC) process tax returns and payments submitted by taxpayers. [47] IRS's 401 TACs are small field assistance units located in various cities and towns in every state, are part of IRS's Wage and Investment operating division, and are designated to serve taxpayers who choose to seek help from IRS in person. [48] IRS defines unprocessable items as any document, correspondence, or item that cannot be processed by the lockbox bank, such as unacceptable forms of payment--traveler's checks, gold coins, and other items of value that are easily negotiable. [49] See GAO, Financial Audit: IRS's Fiscal Years 2010 and 2009 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-11-142] (Washington, D.C.: Nov. 10, 2010); and Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls and Operating Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-11-494R] (Washington, D.C.: June 21, 2011) for the fiscal year 2010 reports. [50] Although most of our recommendations regarding our information security work are sensitive and reported to IRS separately, we have reported our objectives, summary results, and nonsensitive recommendations in a publicly available report. See GAO, Information Security: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data, [hyperlink, http://www.gao.gov/products/GAO-11-308] (Washington, D.C.: Mar. 15, 2011). [51] [hyperlink, http://www.gao.gov/products/GAO-11-142]. [52] GAO, Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-11-494R] (Washington, D.C.: June 21, 2011); Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-07-689R] (Washington, D.C.: May 11, 2007); Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-06-543R] (Washington, D.C.: May 12, 2006); and Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-05-247R] (Washington, D.C.: Apr. 27, 2005). [53] [hyperlink, http://www.gao.gov/products/GAO-11-142]. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: