GAO-03-562R, Management Report: Improvements Needed in IRS's Internal Controls


This is the accessible text file for GAO report number GAO-03-562r 
entitled 'Management Report: Improvements Needed in IRS's Internal 
Controls' which was released on May 21, 2003.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

May 20, 2003:

The Honorable Mark W. Everson:

Commissioner of Internal Revenue:

Subject: Management Report: Improvements Needed in IRS's Internal 
Controls:

Dear Mr. Everson:

In November 2002, we issued our report on the results of our audit of 
the Internal Revenue Service's (IRS) financial statements as of and for 
the fiscal years ending September 30, 2002 and 2001, and on the 
effectiveness of its internal controls as of September 30, 
2002.[Footnote 1] We also reported our conclusions on IRS's compliance 
with significant provisions of selected laws and regulations and on 
whether IRS's financial management systems substantially comply with 
requirements of the Federal Financial Management Improvement Act of 
1996 (FFMIA). A separate report on the implementation status of 
recommendations from our prior IRS financial audits and related 
financial management reports will be issued shortly.

The purpose of this report is to discuss issues identified during our 
fiscal year 2002 audit regarding accounting procedures and internal 
controls that could be improved for which we do not presently have any 
recommendations outstanding. Although not all of these issues were 
discussed in our fiscal year 2002 audit report, they all warrant 
management's attention.

Results in Brief:

During fiscal year 2002, IRS had a number of internal control issues 
that affected financial reporting, which includes safeguarding of 
assets. These issues concern policies and procedures related to (1) 
employee fingerprint records, (2) enforcement of courier service 
standards, (3) taxpayer receipt processing areas, (4) 
candling,[Footnote 2] 
(5) acceptance of tax payments in cash, and (6) structuring of 
installment agreements. Each of these control weaknesses posed added 
risks of losses, nonpayment of taxes, or potential burden to taxpayers.

Specifically, we found the following:

IRS did not always ensure that fingerprint check results for 
individuals entering on duty were under the required 180 day expiration 
period. The fingerprint check results consist of information provided 
by law enforcement agencies on events that occurred before the 
fingerprint check results are released. The older the fingerprint check 
results are, the greater the risk that IRS might hire applicants 
unsuitable for working with taxpayer receipts and information.

IRS did not always ensure that couriers adhered to certain security 
requirements. We found that (1) at half of IRS's service center 
campuses, couriers did not undergo the specified background 
investigations or fingerprint checks and (2) a courier service had not 
maintained the required insurance coverage for the deposits it 
transports.

IRS did not maintain consistently effective physical security controls 
over its receipt processing areas. We found (1) instances at service 
centers where prohibited items were brought into receipt processing 
areas and where the requirement to carry permitted personal items in 
clear plastic bags was circumvented and (2) at one of two taxpayer 
assistance centers[Footnote 3] we visited, employees were allowed to 
store personal belongings with cash payments and official receipt 
certificate vouchers.

IRS did not always ensure that emptied envelopes were candled twice or 
that final candling was not performed by a single employee in a remote 
area.[Footnote 4] 

At some taxpayer assistance centers, IRS did not accept cash payments 
from taxpayers as required by IRS policy, thereby imposing an undue 
burden on certain taxpayers.

IRS did not always structure installment agreements with taxpayers to 
provide for full payment of the tax liability as required by the 
Internal Revenue Code.

At the end of our discussion of each of the first five of these issues, 
we make recommendations for strengthening IRS's internal controls.

In its comments, IRS agreed with our recommendations and described 
actions it was taking or planned to take to address several of the 
control weaknesses described in this report. At the end of our 
discussion of each of the issues in this report where we are making 
recommendations, we have summarized IRS' related comments and provided 
our evaluation. We also considered IRS' comments on our findings and 
have made revisions as appropriate.

Scope and Methodology:

As part of our audit of IRS's fiscal years 2002 and 2001 financial 
statements, we evaluated IRS's internal controls and its compliance 
with selected provisions of laws and regulations. We designed our audit 
procedures to test relevant controls including those for proper 
authorization, execution, accounting, and reporting of transactions.

We conducted our audit in accordance with U.S. generally accepted 
government auditing standards. We requested comments on a draft of this 
report from the Acting Commissioner of IRS. We received written 
comments from the Acting Commissioner and have reprinted the comments 
in enclosure I to this report. Further details on our scope and 
methodology are included in our November 2002 report on the results of 
our fiscal years 2002 and 2001 financial statement audits and are 
reproduced in enclosure II.[Footnote 5]

Enforcement of Expiration Period Policy for Fingerprint Check Results:

In previous years, we found that IRS was hiring individuals and 
allowing them access to cash, checks, and other taxpayer data before it 
had received satisfactory results of their fingerprint checks, thereby 
subjecting IRS to an increased risk of theft or misuse of taxpayer 
receipts and taxpayer data.[Footnote 6] During our fiscal year 2002 
audit, we found that IRS had made substantial progress in this area and 
as a result had significantly reduced its exposure related to the risk 
of hiring individuals prior to receiving satisfactory fingerprint check 
results.[Footnote 7] However, fingerprint results most accurately 
reflect all the information known by law enforcement authorities on an 
individual on the date the results are obtained. The usefulness of 
preemployment fingerprint results in enabling an employer to assess an 
individual's suitability for employment therefore decreases as the age 
of the fingerprint results used increases.

IRS's hiring policies require that IRS receive and evaluate fingerprint 
check results before individuals enter on duty and set the expiration 
period for these results at 180 days. However, in our fiscal year 2002 
audit, we found that IRS did not actively track fingerprint results to 
ensure that they did not exceed the 180-day limit when individuals 
entered on duty. Specifically, we found 53 instances in which new 
employees entered on duty at IRS with fingerprint check results over180 
days old.

Until IRS enforces its policy on the expiration period for fingerprint 
check results it is exposed to increased risk of hiring applicants with 
unsuitable backgrounds to handle cash, checks, and sensitive taxpayer 
information. This, in turn, increases the risk of potential theft and 
misuse of taxpayer receipts and data.

Recommendation:

To further reduce IRS's risk of hiring unsuitable employees to handle 
and process taxpayer receipts and data, we recommend that IRS enforce 
its policy of a 180-day expiration period for fingerprint check results 
when an individual enters on duty.

IRS's Comments and Our Evaluation:

IRS agreed with this issue and indicated in its response that it has 
already taken action to address the finding. In its comments, IRS 
stated that it has a policy of 180 days for the expiration period of 
fingerprint results. IRS had initially informed us that it did not have 
such a policy. As a result, we modified the report to stress the 
importance of IRS enforcing this policy. With respect to actions taken 
to address this finding, IRS stated that it had (1) reemphasized its 
policy to background investigation coordinators and personnel officers 
and (2) created and distributed software calculating the fingerprint 
results expiration date and instructed staff to use this software and 
note the expiration date on the fingerprint check results 
documentation. We will evaluate the effectiveness of IRS's efforts 
during our fiscal year 2003 financial audit.

IRS also noted that exceptions could be made to the policy for GS-1811 
Criminal Investigation Special Agents and executives from outside the 
IRS, as they must complete an additional background investigation prior 
to their entering on duty. However, we had specifically excluded any 
individual having met these additional requirements from our count of 
53 instances in which employees entered on duty with fingerprint check 
results past the 180-day expiration period.

Enforcement of Courier Service Standards:

During previous audits of IRS's financial statements, we found that IRS 
did not have effective controls in place to ensure that its courier 
service requirements were enforced. Since November 1998, we have 
reported that IRS lacks effective controls
over courier services responsible for transporting taxpayer 
receipts.[Footnote 8] To address some of these matters, we recommended 
that IRS (1) clarify that the intent of the requirement for background 
investigations is meant to apply to personnel being entrusted with 
taxpayer receipts and information rather than just personnel being 
granted access to an IRS facility and (2) develop policies intended to 
ensure that contracts related to courier services do not unduly expose 
the government or taxpayers to losses in the event that deposits are 
lost, stolen, or damaged in transit. IRS has made an effort to address 
courier security weaknesses we identified by adopting more stringent 
security standards for couriers who transport IRS's daily deposits to 
depositary institutions. Specifically, as a result of our 
recommendations, IRS established a policy that couriers requiring 
access to IRS facilities undergo a limited background investigation, 
including a fingerprint check. IRS subsequently extended the 
requirement for background investigations to all personnel entrusted 
with taxpayer receipts and information. In addition, the courier 
service standards were revised to include, in particular, a requirement 
that courier services have and maintain insurance coverage valued at $1 
million to cover the costs of reconstructing a lost, stolen, or 
destroyed deposit. However, during our fiscal year 2002 audit, we 
identified two issues related to IRS's enforcement of its courier 
service standards that increased the risk that (1) taxpayer receipts 
and taxpayer data could be lost, stolen, or misused by couriers who 
transport these items and (2) taxpayers and the government could be 
unnecessarily exposed to the risk of financial loss.

Specifically, we found that at 5 of IRS's 10 service centers for which 
agreements for courier services were negotiated by the Department of 
the Treasury's Financial Management Service (FMS), there was no 
requirement that couriers undergo
background investigations or FBI fingerprint checks.[Footnote 9] Such a 
requirement does exist for the 5 service center campuses for which 
courier services agreements were negotiated by IRS. According to FMS, 
these background check requirements were not incorporated in the FMS-
negotiated courier agreements because FMS had been waiting since 2000 
for IRS to issue a final revision of its courier service standards--IRS 
issued revised standards on September 6, 2002. As of the end of our 
fiscal year 2002 audit fieldwork, FMS-negotiated agreements for 
couriers had not been revised. As a result, through fiscal year 2002, 
couriers under FMS-negotiated contracts were not required to undergo 
background investigations.

While IRS relies on FMS to enter into agreements with general 
depositaries, IRS nonetheless retains the responsibility to ensure that 
resulting contracts reflect the standards it establishes as necessary 
for personnel entrusted with taxpayer deposits. Until all couriers who 
are entrusted with IRS deposits are required to undergo background 
investigations, including fingerprint checks, IRS runs an increased 
risk that taxpayer receipts and taxpayer data may be vulnerable to 
theft, loss, or misuse.

Additionally, at one of two IRS service center campuses we visited, we 
found that the campus did not verify that the courier service had 
insurance coverage as required by the courier service standards. 
According to the courier's insurance agency, it had not provided 
insurance coverage to the courier service for the last year. Until IRS 
ensures that courier services are complying with courier service 
standards, taxpayers and the government will be unnecessarily exposed 
to the risk of financial loss.

Recommendations:

We recommend that IRS:

confirm with FMS that IRS' requirements for background and fingerprint 
checks for courier services are met regardless of whether IRS or FMS 
negotiates the service agreement, and 
establish procedures to verify that courier services are adhering to 
the standards established for them by IRS, including the requirement 
that the courier services have insurance coverage.

IRS's Comments and Our Evaluation:

IRS agreed with our recommendations. IRS noted that (1) FMS had amended 
the Courier Memorandum of Understanding to include the requirement that 
all courier employees under contracts negotiated by FMS satisfy the 
basic investigation requirements, (2) IRS had established a campus 
contact at each of its 10 service center campuses to ensure that all 
required information is submitted to the National Background 
Investigation Center (NBIC) and that a clearance is granted, and (3) it 
had requested NBIC to provide it with a monthly report of campus 
compliance. IRS also noted that its Security Review Team of Receipt and 
Control reviews compliance with the courier requirements monthly and 
that it had (1) requested that the 5 campuses where IRS holds the 
courier contracts produce insurance certificates for the couriers 
during these reviews and (2) requested FMS to direct the depositary 
banks holding the courier contracts for the 5 remaining campuses to 
provide the insurance certificates to IRS. We will evaluate the 
effectiveness of IRS' efforts during our fiscal year 2003 financial 
audit.

Controls in Receipt Processing Areas:

During our fiscal year 2002 audit, we identified weaknesses in IRS's 
controls over its receipt processing areas that increased the risk that 
taxpayer receipts and taxpayer information could be lost or stolen. 
These weaknesses relate to the presence of certain personal belongings 
that employees bring into receipt processing areas. GAO's Standards for 
Internal Control in the Federal Government requires agencies to 
establish controls to secure and safeguard vulnerable assets.

In our prior audits, we found that IRS did not have consistent controls 
over personal belongings brought into receipt processing areas; we 
recommended that IRS 
(1) restrict personal items that can be brought into the receipt 
processing areas, such as handbags, briefcases, and bulky outerwear, 
(2) provide lockers and require their use for storing personal 
belongings outside of the receipt processing areas, and 
(3) expand IRS's review of service center deterrent controls to include 
similar analyses of controls at IRS field offices in areas such as 
safeguarding of receipts by
storing them in locked containers.[Footnote 10] In response to our 
recommendations, IRS issued policies requiring that (1) employees 
display in clear plastic bags certain other personal items that can be 
kept at their desks and transported in and out of the receipt 
processing area, (2) employees store such items as purses, backpacks, 
lunch bags, CD cases, newspapers, and magazines in lockers before they 
enter the receipt processing area, and (3) taxpayer assistance centers 
secure cash payments and receipts in locked containers.

In each of our fiscal year 2001 and 2002 audits, we found that at one 
of two service center campuses we visited, many of the clear plastic 
bags employees used to bring personal belongings into the receipt 
processing area contained so many items that it would have been easy 
for employees to use the bags to conceal and remove checks from the 
area. At one of these campuses, we found that employees carried 
prohibited items such as CD cases, newspapers, and magazines--all items 
in which taxpayer receipts could be easily concealed--into the receipt 
processing area in plastic bags. At another campus, we observed 
employees using large clear plastic backpacks and tote bags to carry 
multiple personal belongings such as lunch bags, makeup bags and items 
of clothing. Such practices are at odds with the purpose intended in 
IRS's policies----namely limiting personal items allowed into the 
receipts processing area and requiring that all items allowed in be 
clearly visible. Until campuses are required to adhere to policies 
concerning employees' personal belongings in a consistent manner and 
until these policies are effectively enforced, taxpayer receipts and 
taxpayer information are vulnerable to theft or loss.

Additionally, during our fiscal year 2002 audit, we found that at one 
of two taxpayer assistance centers we visited, employees were allowed 
to store cash payments and official receipt certificate vouchers with 
their personal belongings in desk drawers, overhead cabinets, and 
lockers. IRS employees could use these personal belongings to conceal 
and remove funds from the receipt processing area. Unlike service 
centers, IRS does not have a policy concerning personal belongings at 
taxpayer assistance centers. Thus, there is nothing preventing 
employees at taxpayer assistance centers from storing personal 
belongings with cash payments and receipts. Until IRS ensures that cash 
payments and receipts are not stored with employees' personal 
belongings, taxpayer receipts are vulnerable to theft, loss, or misuse.

Recommendations:

We recommend that IRS:

enforce consistent implementation of its policy limiting personal 
belongings in receipt processing areas at service center campuses and:

prohibit the storage of employees' personal belongings with cash 
payments and receipts at IRS's taxpayer assistance centers.

IRS's Comments and Our Evaluation:

IRS agreed with our recommendations and stated it would (1) issue a 
memorandum requiring managers in receipt processing areas at service 
center campuses to ensure that employees are adhering to the 
established security procedures and (2) require unit managers in these 
areas to conduct random reviews of employee compliance with all 
security policies. IRS also stated it would review managerial adherence 
to this direction on a monthly basis as well as have its security 
review team perform unannounced reviews. We will evaluate the 
effectiveness of IRS' efforts in future audits.

Candling Procedures:

During our fiscal year 2002 financial audit, we found that IRS's 
candling procedures were not adequate to minimize the risk that 
taxpayer receipts and information could be destroyed, lost, or stolen. 
GAO's Standards for Internal Control in the Federal Government requires 
agencies to establish physical controls to secure and safeguard 
vulnerable assets.

IRS receives mail of different dimensions and separates and uses 
different methods to extract the contents depending on their 
dimensions. The extraction methods IRS employs to separate the 
envelopes from their contents are not always fully effective. To help 
ensure that items that were not removed from envelopes during 
extraction are not subsequently destroyed with the envelopes, IRS 
established a candling process.

The candling procedures are documented in two separate sections of 
IRS's Internal Revenue Manual (IRM). The first section addresses the 
extraction of envelope contents and requires that envelopes be candled 
after their contents have been removed. The second section states that 
"those envelopes to be destroyed shall be reviewed again before 
destruction." However, these procedures do not provide sufficient 
guidance as to what specific candling procedures need to be followed in 
each of the two candlings. During our fiscal year 2002 audit, as well 
as in our previous audits, we observed instances where taxpayer 
receipts or taxpayer data were not removed from envelopes during the 
extraction phase and would have been destroyed had they not been 
discovered through a final candling just prior to destruction of the 
envelopes and using a light source to illuminate the envelopes. Yet, in 
fiscal year 2002, we found that at one of two IRS service center 
campuses we visited, some envelopes were not candled at the point of 
extraction. Thus, these envelopes received, at most, one candling prior 
to destruction. Until IRS clarifies its candling requirements to ensure 
that emptied envelopes are candled twice and to specify the precise 
candling methods to be used based on the dimensions of the mail 
processed and the extraction method used for each of the two candlings, 
IRS's risk of loss of taxpayer receipts and information is increased.

We also found that at one of the two IRS service center campuses we 
visited, a single employee performed the final candling of envelopes in 
an area removed from other ongoing work in the receipts processing area 
- -a procedure not prohibited by IRS's policies and procedures. The 
initial candling, because it is performed immediately upon extraction, 
generally occurs in the presence of other employees in the receipt 
processing area. However, final candling often occurs in a less-
populated area of receipt processing. By not prohibiting a single 
employee in a remote location from performing the final candling, IRS's 
risk of theft of taxpayer receipts and information increases.

Recommendations:

We recommend that IRS:

revise its candling procedures to specify the precise candling methods 
to be used based on the dimensions of the mail processed and the 
extraction method used for both the first and the final candling and 


establish and implement procedures prohibiting a single employee from 
performing the final candling in a remote location.

IRS's Comments and Our Evaluation:

IRS agreed with our recommendations and stated it would provide us with 
copies of the procedures developed to address these recommendations by 
May 30, 2003.

Cash Acceptance Procedures at Taxpayer Assistance Centers:

During our fiscal year 2002 audit, we found that IRS did not have 
controls in place to ensure that its taxpayer assistance centers adhere 
to its cash payment acceptance requirement. IRS policy states that IRS 
must accept cash payments from taxpayers who do not have a check or 
money order, are unable to obtain one, or insist on paying in cash. 
However, during our fiscal year 2002 audit, we found that the taxpayer 
assistance center at one of two IRS field offices we visited, as well 
as other taxpayer assistance centers in the area, did not accept cash 
payments. At the taxpayer assistance center we visited, employees would 
direct taxpayers to a nearby financial institution where they could 
obtain a money order, but that institution did not maintain the same 
hours as the center and was regularly closed during parts of the day.

These centers' refusal to accept cash payments could place undue burden 
on taxpayers who do not have a check or money order or are unable to 
obtain one. To obtain a money order, they must find an open financial 
institution and then pay a fee. The burden associated with these extra 
efforts and costs could adversely impact IRS's collection of taxes 
owed.

Recommendations:

We recommend that IRS:

determine which taxpayer assistance centers do not accept payment of 
taxes in cash and issue a memorandum reminding them of the requirement 
that cash be accepted and
establish a mechanism to periodically review adherence to this policy.

IRS's Comments and Our Evaluation:

IRS agreed with our recommendations. In its comments, IRS noted that 
(1) it had included guidelines in its Fiscal Year 2003 Field Assistance 
Office Operating Procedures stating that all taxpayer assistance 
centers (TACs) would accept all standard forms of payment including 
checks, money orders, and cash, (2) signs are to be posted in all TACs, 
specifying that exact change must be remitted as IRS cannot make 
change, and (3) it will be reviewing adherence to these procedures.

Structuring of Installment Agreements:

During our fiscal year 2002 financial audit, we found that IRS did not 
always structure installment agreements to provide for full payment of 
the tax liability as required by section 6159 of the Internal Revenue 
Code. As we noted in our fiscal year 2002 audit report, the presence of 
cases in fiscal year 2002 that were not structured to obtain full 
payment indicates that IRS was not in compliance with the Internal 
Revenue Code.[Footnote 11] IRS's failure to properly structure taxpayer 
installment agreements could result in the loss to the federal 
government of legally collectible tax revenue.

Section 6159 of the Internal Revenue Code grants IRS the power to enter 
into written agreements with certain taxpayers to allow them to pay 
their full tax liability (along with additional interest) in 
installments. Both the Internal Revenue Code and IRS's procedures 
require that installment agreements fully satisfy the tax debt 
(including future accruals of interest and penalties) before the 
statutorily allowed period for collection on the liability 
expires.[Footnote 12] However, in our testing of a statistical sample 
of 59 installment agreements entered into during fiscal year 2002, we 
found 4 instances in which the terms of the agreements did not require 
full satisfaction of the tax liability. Based on the results of our 
work, we estimate that nearly 7 percent of the new installment 
agreements entered into during fiscal year 2002 had payment terms that 
would not fully satisfy the tax liability within the statutory 
collection period.[Footnote 13]

In each of these cases, we found that the installment agreements did 
not fully satisfy the tax debt because IRS did not consider accruals of 
interest and penalties in calculating the total amount to be paid under 
the installment agreements. This occurred for two reasons. First, 
customer service representatives relied on IRS's Integrated Data 
Retrieval System (IDRS) to determine the amount of the taxpayer's 
liability in structuring the terms of the installment agreement. 
However, IDRS includes only assessed balances rather than the total 
amount of tax owed, which must also include interest and penalties. 
While IRS procedures require that its customer service representatives 
use a special command function that takes various accruals into account 
when entering into installment agreements, these procedures were not 
followed in these cases.

Second, taxpayers may apply for an installment agreement through the 
Telephone Routing Interactive System. However, the balance due amounts 
in this system, like those in the IDRS, do not include accrued interest 
and penalties, and thus understate the total amount of tax owed.

After we discussed these findings with IRS, management reinforced the 
current installment agreement guidance, provided additional training, 
and issued a memo to the customer service representatives that stressed 
the importance of following this guidance. In addition, IRS revised the 
Telephone Routing Interactive System to include both interest and 
penalty accruals in its calculation of installment agreement:

balances. We commend IRS for its prompt action to develop and implement 
corrections to the installment agreement controls and will evaluate the 
effectiveness of these corrective actions during our fiscal year 2003 
financial audit.

- - - --:

This report contains recommendations to you. The head of a federal 
agency is required by 31 U.S.C. 720 to submit a written statement on 
actions taken on these recommendations. You should submit your 
statement to the Senate Committee on Governmental Affairs and the House 
Committee on Government Reform within 60 days of the date of this 
report. A written statement must also be sent to the House and Senate 
Committees on Appropriations with the agency's first request for 
appropriations made more than 60 days after the date of the report.

This report is intended for use by the management of IRS. We are 
sending copies to Chairmen and Ranking Minority Members of the Senate 
Committee on Appropriations; Senate Committee on Finance; Senate 
Committee on Governmental Affairs; Senate Committee on the Budget; 
Subcommittee on Transportation, Treasury, and General Government, 
Senate Committee on Appropriations; Subcommittee on Taxation and IRS 
Oversight, Senate Committee on Finance; and the Subcommittee on 
Oversight of Government Management, the Federal Workforce, and the 
District of Columbia, Senate Committee on Governmental Affairs. We are 
also sending copies to the Chairmen and Ranking Minority Members of the 
House Committee on Appropriations; House Committee on Ways and Means; 
House Committee on Government Reform; House Committee on the Budget; 
Subcommittee on Transportation, Treasury, and Independent Agencies, 
House Committee on Appropriations; Subcommittee on Government 
Efficiency and Financial Management, House Committee on Government 
Reform; and the Subcommittee on Oversight, House Committee on Ways and 
Means. In addition, we are sending copies of this report to the 
Chairman and Vice-Chairman of the Joint Committee on Taxation, the 
Secretary of the Treasury, the Director of the Office of Management and 
Budget, the Chairman of the IRS Oversight Board, and other interested 
parties. Copies will be made available to others upon request. The 
report is also available free on GAO's web site at http://www.gao.gov.

We acknowledge and appreciate the cooperation and assistance provided 
by IRS officials and staff during our audit of IRS's fiscal years 2002 
and 2001 financial statements. If you have any questions or need 
assistance in addressing these matters, please contact Paul Foderaro, 
Assistant Director, at (202) 512-2535.

Sincerely yours,

Steven J. Sebastian:

Director:

Financial Management and Assurance:

Signed by Steven J. Sebastian:

Comments from the Internal Revenue Service:

See comment 1.

See comment 2.

See comment 3.

DEPARTMENT OF THE TREASURY INTERNAL REVENUE SERVICE WASHINGTON, D C 
20224:

April 28, 2003:

Mr. Steven J. Sebastian Director:

Financial Management and Assurance U.S. General Accounting Office:

441 G Street, NW Washington, DC 20548:

Dear Mr. Sebastian:

I am responding to your draft of the FY 2002 management report tried, 
Improvements Needed in IRS's Internal Controls. Over the last several 
years, IRS has adopted numerous improvements to ensure the adequacy of 
its accounting procedures and internal controls. We have a robust 
program in place to keep improving our performance in these areas. As 
examples, we:

* Began conducting periodic security reviews of receipt processing areas, 
implemented many of our new hiring and courier standards, and updated 
relevant polices and procedures to safeguard taxpayer receipts and data 
Issued Lockbox Processing Guidelines to improve the safeguarding of 
taxpayer receipts and data at lockbox facilities:

* Established a Peer Review Program to ensure adequacy and compliance 
with internal access control guidelines:

* Published guidance to all field offices to assure that a "controlled 
access environment" is implemented in every Taxpayer Assistance Center, 
to the maximum extent possible within space and funding constraints:

We agree the issues presented in the draft report will help us continue 
to improve our accounting procedures and internal controls. As 
evidenced in our response to the recommendations we have already taken 
actions to correct some of these matters. The following comments 
address your recommendations separately.

Recommendation: We recommend that the IRS establish e policy setting an 
appropriate expiration period for fingerprint check results required 
when an individual enters on duty. In establishing such a policy, IRS 
may wish to consider, among other factors, the standards used by OPM 
and other agencies as further guidance and justification, and the risks 
associated with the age of the fingerprint check results in addition to 
its own workforce management needs.

Comments: Our existing fingerprint expiration policy is 180 days. While 
the report references a 90-day expiration period for fingerprint check 
results, the OPM standard is 120 days.[NOTE 1] 
IRS thoroughly examined its 
recruiting and hiring processes and practices, including the 
fingerprint expiration period, security issues, OPM guidance, and the 
costs associated with background checks. As a result, we determined 
that 180 days is a reasonable expiration period for fingerprint check 
results. OPM agreed by waiving the 120-day standard due to our unique 
hiring cycles and conditions.[NOTE 2]

IRM 1.23.3.4.23 (6) documents this requirement, and we re-emphasized 
this policy by e-mail to Background Investigations Coordinators and 
Personnel Officers on
September 30, 2002, and during a conference call on October 9, 2002. 
Additionally, the Personnel Security and Investigations staff created 
and distributed an Excel file that calculates the date when fingerprint 
results expire. Staff received instructions to use the Excel file and 
to annotate Case Closing Transmittal documentation when the 180-day 
expiration date is to occur.

We have an additional requirement when hiring GS-1811 Criminal 
Investigation Special Agents and executives from outside the IRS. A 
background investigation must be completed before these individuals can 
enter on duty (EOD). Fingerprint checks are only part of a complete 
background investigation that may take more than 180 days, and result 
in an EOD after the fingerprint expiration date. Because a more 
comprehensive background investigation was completed for these 
individuals (including checks of local law enforcement files and FBI 
fingerprint check), we do not fingerprint them again. These individuals 
are added to the Security Entry Tracking System (SETS) after the 
fingerprint expiration date. Risk is mitigated because the individual 
could not EOD without a favorable decision on the comprehensive 
background investigation.

Recommendation: We recommend that IRS confirm with Financial Management 
Services (FMS) that IRS' requirements for background and fingerprint 
checks for courier services are met regardless of whether IRS or FMS 
negotiates the service agreement.

Comments: We agree with this recommendation. The IRS is responsible for 
ensuring that all courier contracts reflect the standards we 
established. On October 7, 2002, FMS issued Amendment II to the Courier 
Memorandum of Understanding (MOU). The amendment included the 
requirement that all courier employees satisfy the basic investigation, 
which includes an FBI fingerprint and name check. A conference call was 
held on January 29, 2003, with all 10 campuses and the National 
Background Investigation Center (NBIC) to establish a campus contact to 
ensure all required paperwork is submitted to NBIC and clearance is 
granted. On April 10, 2003, we requested that NBIC provide a monthly 
status report of the campus compliance to the Headquarters Wage and 
Investment Division.

Recommendation: We recommend that IRS establish procedures to verify 
that courier services are adhering to the standards established for 
them by IRS, including the requirement that the courier service have 
insurance coverage.

Comments: We agree with this recommendation. The Security Review Team 
of Receipt and Control reviews compliance with the courier requirements 
monthly, using the Campus Security Checklist. For the five campuses 
where IRS holds the courier contract, we required that the monthly 
Security Review Team of Receipt and Control verify the campus has a 
valid insurance certificate valued at $1 million. The campuses are 
required to produce a file copy for the monthly reviews. For the five 
campuses with FMS negotiated agreements, we sent a written request, on 
April 17, 2003, to the FMS financial analyst and the Director, 
Financial Services Division, requesting them to direct the banks to 
issue a copy of the insurance certificate to their aligned campus. FMS 
agreed to draft a memorandum to the financial institutes advising them 
to regularly provide a copy of the insurance certificates to IRS 
Headquarters (HQ) instead of the aligned campus. HQ will then forward a 
copy of the insurance certificate to each of the Submission Processing 
Service Centers.

Recommendation: We recommend that the IRS enforce consistent 
implementation of its policy limiting personal belongings in receipt 
processing areas at service center campuses.

Comments: We agree with this recommendation. We require employees in 
receipt processing areas at service center campuses to limit personal 
belongings brought into the restricted areas of Receipt and Control. 
Employees who want to keep items at their desks must transport them in 
and out of receipt processing areas in clear plastic bags. Each 
employee is provided a locker to store personal belongings (e.g., 
handbags, briefcases, bulky outerwear, backpacks, lunch bags, 
newspapers, etc.).

The Director, W&I CAS Submission Processing, will issue a memorandum to 
all Submission Processing Field Directors, requiring managers in 
receipt processing areas to ensure employees are adhering to 
established security procedures. This memorandum will be issued before 
May 15, 2003, and will require unit managers in receipt processing 
areas to conduct random reviews of employee compliance with all 
security policies. Starting no later than June 30, 2003, we will verify 
managerial adherence to this direction during the monthly Campus 
Security Reviews. The IRS Headquarters Security Review Team will also 
conduct unannounced Campus Security Reviews at the campuses.

Recommendation: We recommend that the IRS prohibit the storage of 
employees' personal belongings with cash payments and receipts at IRS' 
taxpayer assistance centers.

Comments: We agree that employee's personal belongings should be stored 
separately from cash payments and receipts. We will include a 
requirement in the Internal Revenue Manual (IRM) guidelines to be 
issued June 30, 2003, stating that cash payments and Form 809 - Receipt 
for Payment of Taxes must be stored separately from personal 
belongings. We have also included this issue in our operational reviews 
of the Taxpayer Assistance Centers.

Recommendation: We recommend that IRS revise its candling procedures to 
specify the precise candling methods to be used based on the dimensions 
of the mail processed and the extraction method used for both the first 
and the final candling.

Comments: We agree with this recommendation. The IRM candling 
procedures are being revised to specify precise first and final 
candling methods. We will provide GAO a copy of the procedures no later 
than May 30, 2003.

Recommendation: We recommend that IRS establish and implement 
procedures prohibiting a single employee from performing the final 
candling in a remote location.

Comments: We agree with this recommendation. We will work with the 
service center campuses to incorporate the new requirements in the IRM 
by May 30, 2003.

Recommendation: We recommend that IRS determine which taxpayer 
assistance centers do not presently accept payment of taxes in cash and 
issue a memorandum reminding them of the requirement that cash be 
accepted. In addition, we recommend that IRS establish a mechanism to 
periodically review adherence to this policy.

Comments: We included guidelines in our Fiscal Year 2003 Field 
Assistance Operating Procedures (FAOPs) stating that all Taxpayer 
Assistance Centers (TAC) will accept all standard forms of payments 
from customers including checks, money orders, and cash. Document 
10161, posted in all TACs, states, "Make all cash payments in the exact 
amount due only, as we cannot make change." Additionally, this 
procedure will be included in our operational reviews of the TACs, to 
ensure compliance with FAOP guidelines. Managers in the TACs are also 
required to complete an annual review to address this issue.

Recommendation: We recommend that IRS establish a supervisory mechanism 
to monitor the effectiveness of the additional guidance and training in 
addressing the issues associated with the structuring of installment 
agreements.

Comments: Currently managers must approve installment agreements when 
the aggregate unpaid balance of assessment exceeds $25,000 or when the 
balance is $25,000 or less and cannot be fully paid within 60 months. 
Installment agreements that:

require collection statute extensions require mid-level management 
review. Managers review installment agreements as part of their 
mandatory employee workload and quality reviews.

I appreciate your input and will continue to take the necessary steps 
to improve our financial management. With the continued dedication and 
cooperation of both our staffs, we will further enhance the IRS' 
accounting procedures and internal controls.

Sincerely,

Bob Wenzel
Acting Commissioner:

Signed by Bob Wenzel:

NOTES:

[1] Refer to OPM Publication IS-15, Requesting OPM Personnel 
Investigations, dated May 2001, page 25. 

[2] OPM issues its waiver letter 
in June 1999 to the Associate Director, Personnel Security Division.


The following are GAO's comments on the Internal Revenue Service's 
letter dated April 28, 2003.

GAO Comments:

IRS stated it has a policy of 180 days for the expiration period of 
fingerprint results. IRS had initially informed us that it did not have 
such a policy. As a result, we modified our report to stress the 
importance of IRS enforcing its policy and modified our recommendation 
accordingly.
:

IRS had previously informed us of these exceptions. As a result, we had 
specifically excluded any individual having met these additional 
requirements from our count to arrive at the total of 53 instances in 
which employees entered on duty with fingerprint check results over the 
180 day expiration period.
:

In our draft report, we initially recommended that IRS establish a 
supervisory mechanism to monitor the effectiveness of the additional 
guidance and training in addressing the deficiencies noted in the 
structuring of installment agreements. In its comments, IRS stated that 
its policy is to require managers to approve installment agreements 
where the unpaid assessment balance exceeds $25,000 or where the 
balance cannot be fully paid within 5 years, regardless of the size of 
the balance. We do not find that this policy is unreasonable at this 
time and have thus revised our report accordingly.

Details on Audit Methodology:

To fulfill our responsibilities as the auditor of IRS's financial 
statements, we:

Examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements. This included testing selected 
statistical samples of unpaid assessment, revenue, refund, accounts 
payable, accrued expenses, payroll, nonpayroll, property and equipment, 
and undelivered order transactions. These statistical samples were 
selected primarily to substantiate balances and activities reported in 
IRS's financial statements. Consequently, dollar errors or amounts can 
and have been statistically projected to the population of transactions 
from which they were selected. In testing these samples, certain 
attributes were identified that indicated either significant 
deficiencies in the design or operation of internal control or 
compliance with provisions of laws and regulations. These attributes, 
where applicable, can be and have been statistically projected to the 
appropriate populations.
:

Assessed the accounting principles used and significant estimates made 
by management. 
:

Evaluated the overall presentation of the financial statements. 
:

Obtained an understanding of internal control related to financial 
reporting (including safeguarding assets), compliance with laws and 
regulations (including the execution of transactions in accordance with 
budget authority), and performance measures reported in the 
Management's Discussion and Analysis. 
:

Tested relevant internal control over financial reporting (including 
safeguarding assets) and compliance, and evaluated the design and 
operating effectiveness of internal control. 
:

Considered the process for evaluating and reporting on internal control 
and financial management systems under the Federal Managers' Financial 
Integrity Act of 1982. 
:

Tested compliance with selected provisions of the following laws and 
regulations: Anti-Deficiency Act, as amended (31 U.S.C. �1341(a)(1) and 
31 U.S.C. �1517(a)); Agreements for payment of tax liability in 
installments (26 U.S.C. �6159); Purpose Statute (31 U.S.C. �1301); 
Release of lien or discharge of property (26 U.S.C. �6325); Interest on 
underpayment, nonpayment, or extensions of time for payment of tax (26 
U.S.C. �6601); Interest on overpayments (26 U.S.C. �6611); 
Determination of rate of interest (26 U.S.C. �6621); Failure to file 
tax return or to pay tax (26 U.S.C. �6651); Failure by individual to 
pay estimated income tax (26 U.S.C. �6654); Failure by corporation to 
pay estimated income tax (26 U.S.C. �6655); Prompt Payment Act (31 
U.S.C. �3902 (a), (b), and (f), and 31 U.S.C. �3904) ; Fair Labor 
Standards Act of 1938, as amended (29 U.S.C. �206); Civil Service 
Retirement Act of 1930, as amended (5 U.S.C. ��5332, 5343); Federal 
Employees' Retirement System Act of 1986, as amended (5 U.S.C. ��8422 
and 8423); Social Security Act, as amended (26 U.S.C. �3101 and 3121, 
and 42 U.S.C. �430); and Federal Employees Health Benefits Act of 1959, 
as amended (5 U.S.C. ��8905, 8906, and 8909).
:

Tested whether IRS's financial management systems substantially comply 
with the three FFMIA requirements.

GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Paul Foderaro, (202) 512-2535:

Alain Dubois, (202) 512-6365:

Acknowledgments:

Staff making key contributions to this report were: William Cordrey, 
Laurie King, Yola Lewis, and J. Lawrence Malenich.

(196001):

FOOTNOTES

[1] U.S. General Accounting Office, Financial Audit: IRS's Fiscal Years 
2002 and 2001 Financial Statements, GAO-03-243 (Washington D.C.: Nov. 
15, 2002).

[2] Candling is a process used by IRS to determine whether any contents 
remain in open envelopes before their destruction. Candling is 
generally performed by placing open envelopes in front of a light 
source.

[3] Taxpayer assistance centers handle questions and accept payments 
from taxpayers who choose to conduct business with IRS in person. They 
are located in field offices. 

[4] Final candling occurs at the end of the mail extraction process to 
ensure that all the contents have been removed from each envelope.

[5] GAO-03-243.

[6] U.S. General Accounting Office, Internal Revenue Service: Progress 
Made, but Further Actions Needed to Improve Financial Management, GAO-
02-35 (Washington D.C.: Oct. 19, 2001).

[7] GAO-03-243.

[8] U.S. General Accounting Office, Internal Revenue Service: Physical 
Security Over Taxpayer Receipts and Data Needs Improvement, GAO/AIMD-
99-15 (Washington D.C.:
Nov. 30, 1998); Internal Revenue Service: Custodial Financial 
Management Weaknesses, GAO/AIMD-99-193 (Washington D.C.: Aug. 4, 1999); 
Internal Revenue Service: Recommendations to Improve Financial and 
Operational Management, GAO-01-42 (Washington D.C.: Nov. 17, 2000); 
Management Report: Improvements Needed in IRS's Accounting Procedures 
and Internal Controls, GAO-02-746R (Washington D.C.: July 18, 2002); 
and GAO-02-35.

[9] Courier service agreements for IRS service center campuses are 
negotiated by either IRS or FMS, depending on the type of depositary 
institution IRS uses to deposit campus receipts. IRS has the option of 
depositing campus receipts into a Federal Reserve Bank or into a 
general depositary. General depositaries are designated commercial 
banks that have been specifically authorized by Treasury to maintain a 
Treasury General Account for the purpose of accepting deposits for 
Treasury. When receipts are to be deposited to an FRB, IRS contracts 
for the courier services. When receipts are to be deposited to a 
general depositary, FMS negotiates an agreement with the depositary to 
perform services for FMS. There are five service center campuses with 
FMS-negotiated agreements and five service center campuses with IRS-
negotiated agreements.

[10] U.S. General Accounting Office, Internal Revenue Service: 
Immediate and Long-Term Actions Needed to Improve Financial Management, 
GAO/AIMD-99-16 (Washington D.C.: Oct. 30, 1998) and GAO/AIMD-99-193.

[11] GAO-03-243.

[12] The statutory collection period for taxes is generally 10 years 
from the date of the tax assessment. However, this period can be 
extended by agreement with the taxpayer.

[13] We are 95 percent confident that the error rate could be as high 
as 15 percent.