This is the accessible text file for GAO report number GAO-06-543R entitled 'Management Report: Improvements Needed in IRS's Internal Controls' which was released on May 12, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: Washington, DC 20548: May 12, 2006: The Honorable Mark W. Everson: Commissioner of Internal Revenue: Subject: Management Report: Improvements Needed in IRS's Internal Controls: Dear Mr. Everson: In November 2005, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2005 and 2004, and on the effectiveness of its internal controls as of September 30, 2005.[Footnote 1] We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996. A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one, will be issued shortly. The purpose of this report is to discuss issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending September 30, 2005, regarding internal controls that could be improved for which we do not currently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2005 audit report, they all warrant management's consideration. This report contains 22 recommendations that we are proposing IRS implement to improve its internal controls. We conducted our audit in accordance with U.S. generally accepted government auditing standards. Results in Brief: During our fiscal year 2005 audit, we identified a number of internal control issues that adversely affected safeguarding of tax receipts and information, and the reliability of expense, and property & equipment (P&E) records. These issues concern (1) taxpayer receipts and data transmittal documents, (2) physical security controls at taxpayer assistance centers, (3) the roles and responsibilities of security guards, (4) candling procedures, (5) timely processing of large remittances at lockbox banks, (6) access to tax return processing facilities, (7) juvenile hiring policy, (8) classification of procurement transactions as P&E or expense, and (9) recording P&E disposals. Specifically, we found the following: * At three of the four service center campuses (SCCs), seven of the eight Taxpayer Assistance Centers (TACs),[Footnote 2] and two of the six field offices we visited, we found no evidence of managerial review of the transmittal documents and acknowledgment forms used to transmit and monitor taxpayer receipts and information shipped from one IRS location to another. Additionally, at five TACs and both field offices, we found no evidence of follow-up on the overdue unacknowledged transmittals we reviewed. * At four TAC sites, physical security controls were not adequate to preclude individuals from entering controlled areas and gaining access to taxpayer receipts and information. At three of these TACs, we found that individuals were able to enter controlled areas[Footnote 3] of the TAC or other IRS office space unnoticed. In addition, one of the four TACs did not have an operable emergency alarm and at another of the four TACs, the door separating the customer area from the controlled area was not locked nor marked with a sign alerting customers that they were not permitted to enter unescorted. * At one SCC, one TAC, and one lockbox bank[Footnote 4] we visited, we found that security guard personnel did not always effectively fulfill their responsibilities in (1) controlling access to IRS tax return facilities, (2) responding to intrusion alarms, and (3) recording, maintaining, and reporting security incidents or violations. * At three SCCs we visited, we found that IRS did not always ensure that envelopes were opened and candled[Footnote 5] twice before destruction, as required by its procedures, to provide assurance that all contents have been extracted. * At two lockbox banks, we found that large dollar checks were not always immediately processed and deposited according to IRS's guidelines. * At two SCCs and one lockbox bank, controls over access to facilities were not adequate to provide reasonable assurance that unauthorized personnel would not be admitted. Credentials of persons entering one SCC and one lockbox bank were not always validated before admission and, at one SCC, (1) alarms were not always functional and (2) gaps existed in perimeter security. * Limitations in IRS's juvenile[Footnote 6] hiring policy increased the risk of unsuitable candidates being hired and permitted access to taxpayer receipts and data. For juvenile employee candidates, IRS (1) only required references for those individuals hired to work in receipt processing functions although taxpayer receipts and data are also accessible in other functions, and (2) accepted written references that were hand delivered to IRS by the candidates themselves without independently verifying their source. * IRS did not always ensure that it properly classified its procurement transactions as P&E and recognized assets when they met its capitalization criteria or classified these transactions as expense when they did not. Of 267 sample transactions we tested from IRS's non- payroll expenses and P&E acquisitions recorded during the first 9 months of fiscal year 2005 and accounts payable as of September 30, 2005, six were incorrectly classified and reported. * Disposals of property and equipment were not recorded in a timely manner at five IRS locations, resulting in inventory records that were inaccurate and out-of-date. The issues noted above increase the risk that (1) taxpayer receipts and information could be lost, stolen, misused, or destroyed, and (2) physical assets could be stolen or valued incorrectly. At the end of our discussion of each of these issues in the following sections, we make recommendations for strengthening IRS's internal controls. These recommendations are intended to bring IRS into conformance with its own policies and with the internal control standards that all federal agencies are required to follow.[Footnote 7] In its comments, IRS agreed with our recommendations and described actions it had taken or planned to take to address the control weaknesses described in this report. At the end of our discussion of each of the issues in this report, we have summarized IRS's related comments and provide our evaluation. Scope and Methodology: As part of our audit of IRS's fiscal years 2005 and 2004 financial statements, we tested IRS's internal controls and its compliance with selected provisions of laws and regulations. We designed our audit procedures to test relevant controls, including those for proper authorization, execution, accounting, and reporting of transactions. This report addresses issues we observed during our fiscal year 2005 audit. For issues related to safeguarding taxpayer receipts and information, we visited four SCCs, four lockbox banks, eight TACs, and six other IRS field offices; and for issues related to procurement and property and equipment (P&E), we performed our testing at 22 IRS offices and at the IRS Finance Center. Further details on our audit scope and methodology are included in our report on the results of our audits of IRS's fiscal years 2005 and 2004 financial statements[Footnote 8] and are reproduced in enclosure II. We requested comments on a draft of this report from the Commissioner of IRS or his designee. We received written comments from the Commissioner, which we have incorporated as appropriate and have reprinted them as Enclosure 1. Transmission of Taxpayer Receipts and Information: IRS's controls over transmissions of taxpayer receipts and information between offices did not always ensure that transmissions were reviewed to make certain that potential errors were promptly identified and corrected and that transmissions were timely received and acknowledged. When IRS transmits taxpayer receipts and/or information between locations, IRS personnel are required to use either a Daily Report of Collection Activity (form 795) or a Document Transmittal (form 3210) to record and document the items being transmitted.[Footnote 9] However, during our fiscal year 2005 audit, we found that these forms were not always (1) subject to a documented supervisory review prior to submitting the documents for final processing, or (2) tracked to ensure that recipients timely acknowledged receipt of the transmitted documents. Specifically, we found: * at three of the four SCCs we visited, managers or supervisors within the Refund Inquiry Unit did not document their review of forms used to record and transmit returned refund checks before they were mailed to the Austin Regional Finance Center for final processing. * at five of the eight TACs and at three Large and Mid-Size Business (LMSB) and three Tax-Exempt and Government Entities (TEGE) field units,[Footnote 10] document transmittals were not always acknowledged by the recipient within the timeframe required by IRS. In addition, there was no evidence that the originators of the transmittals contacted the recipient to follow-up on the status of the unacknowledged transmittals. * at seven of the eight TACs, four LMSB units, and one TEGE unit, there was no evidence that managers periodically reviewed the logbooks used to track acknowledged transmittals. GAO's Standards for Internal Control in the Federal Government[Footnote 11] require agencies to establish controls to enforce adherence to management policies and procedural requirements, such as management reviews, to create and maintain records providing evidence that these controls are executed, and to appropriately safeguard assets. Additionally, the Internal Revenue Manual (IRM)[Footnote 12] requires that area offices take responsibility for the security and accountability of taxpayer receipts and information during transit. Specifically, the IRM requires senders to establish a control to ensure timely delivery of taxpayer receipts and information and to follow up with the recipient if the acknowledgement has not been received within 10 workdays. The lack of documentation of review and follow-up on overdue acknowledgements increases the risk that these procedures are not in place and operating effectively and that, consequently, errors, theft, or loss of taxpayer receipts and information may occur and not be timely detected. Recommendations: We recommend that IRS: * require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing; * enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including SCCs, TACs, and units within LMSB and TEGE, establish a system to track acknowledged copies of document transmittals; * provide instructions to document the follow-up procedures performed in those cases where transmittals have not been timely acknowledged; and: * require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning its documentation of controls over transmission of taxpayer receipts and information between offices. IRS indicated it will remind all SCCs of the requirement to conduct periodic reviews of the document transmittal form and that verifying this will be included as part of the site review process by March 2007. IRS also indicated it had conducted an education effort to ensure that all managers in Examination are familiar with existing IRMs related to check processing procedures and provided their personnel additional instruction on requirements for transmitting taxpayer receipts, checks, and taxpayer information in order to ensure their personnel comply with policy. Specifically, IRS stated that it had conducted an information presentation for Examination managers, developed a flowchart to document the process, and developed a quick reference guide for processing checks in TEGE. IRS stated it also developed training materials to provide additional guidance on handling transmittals and will perform periodic reviews to ensure transmittals are handled appropriately. IRS also indicated that it will revise the IRM to require documentation of follow-up actions with SCCs when transmittal documents are not acknowledged timely. We will evaluate the effectiveness of IRS's efforts during our fiscal year 2006 financial audit. Physical Security at Taxpayer Assistance Centers: During our fiscal year 2005 audit, we found that physical security controls at several TAC sites we visited were not adequate to prevent unauthorized individuals from accessing areas which contained taxpayer receipts and information. For example: * At one TAC, upon entering the facility at the time of our audit, we were able to repeatedly walk from the public entrance to a controlled area without being noticed or challenged. The only obstacle was a door which was not locked nor marked with a sign alerting individuals that they were not permitted to enter unescorted. This area was also accessible through a separate door that was also not locked nor marked. * Another TAC was staffed by two Technical Research Representatives (TRRs),[Footnote 13] whose responsibilities included monitoring the public reception area of the TAC and preventing customers from venturing into controlled areas of the office that were shared by other IRS business units. However, TRRs sometimes found it necessary to leave their desks and the public reception area to perform their other duties, thereby leaving the area unattended and potentially allowing individuals to enter controlled areas of the TAC unchallenged. We were informed that individuals had on occasion been found in the other business units' office space seeking assistance. Additionally, there were no signs posted in the TAC informing individuals that access within the office beyond a certain point was not permitted unless escorted by an employee. IRS is currently in the process of reconfiguring the space at several of its TACs, and refers to the reconfigured TAC sites as the "new TAC" models.[Footnote 14] The IRM requires that layouts of the new TACs should incorporate certain security features to meet a controlled area requirement to protect taxpayer receipts and information from disclosure and prevent unauthorized access to both information and property. However, during our visits to two of the new TAC models, we found similar security problems as discussed above. For example, at one new TAC that was often staffed by 1 or 2 TRRs, the TRRs responsible for monitoring the entrance of the TAC at times would leave their workstations to perform other duties. Based on our observations and inquiries, we found that unauthorized individuals could access and had occasionally been found to have entered the controlled area of the TAC and offices shared by other IRS business units. At the same TAC, we noted that emergency alarms (known as duress alarms) were not connected to a central monitoring station or the local police department. We were informed that the contractor had not completed installing the duress alarm at the time the new TAC was opened to the public. At another new TAC, we found that a door separating the customer waiting area from the secured area was not equipped with a locking device nor marked with a sign to inform customers that they were not permitted to enter unescorted. We also found that three of the TAC sites discussed above were not supervised by an on-site manager. IRS policy requires that in such cases, designated responsible offsite TAC managers are required to make routine supervisory visits to ensure that operations are performed according to standards. However, IRS did not have documentation to demonstrate if or how often such supervisory visits to these locations actually occurred or what was accomplished during these visits. Without appropriate supervisory oversight, the risk is significantly increased that the physical security issues we identified may not be timely detected and corrected. The IRM requires that access to assets be limited to those employees with a valid business need to access the information. GAO's Standards for Internal Control in the Federal Government requires physical controls to limit access to vulnerable assets and records to authorized individuals. Such controls may include an appropriate combination of locks, duress alarms, warning signs, and other measures. Not adequately implementing such measures to restrict access to taxpayer receipts and information increases the risk that loss, theft, and/or misuse of taxpayer receipts and information may occur and not be timely detected. Recommendations: We recommend that IRS: * equip all TACs with adequate physical security controls to deter and prevent unauthorized access to controlled areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from controlled areas by physical barriers such as locked doors marked with signs barring entrance by unescorted customers; * connect duress alarms to a central monitoring station or local police department or institute appropriate compensating controls when these alarm systems are not operable or in place; and: * document supervisory visits by offsite managers to TACS not having a manager permanently onsite. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning physical security at the TACs. IRS indicated that it will identify those TACs that lack adequate physical barriers, evaluate this issue, and determine corrective actions by June 2006. IRS noted that its Field Assistance staff have developed procedures to canvass TACs twice a year for security, safety, health, and space concerns. IRS also stated that its Field Assistance staff have developed testing requirements to ensure that the alarms are appropriately monitored and working properly. In addition, IRS indicated that it will connect duress alarms to a central monitoring station or local police departments in TACs based on criticality and funding availability, and implement compensating controls when alarm systems are inoperable. IRS also stated that it had developed a checklist for managers to use to document their visits to TACs, which is scheduled to be added to the IRM by June 2006. We will evaluate the effectiveness of IRS's efforts during our fiscal year 2006 financial audit. Security Guards' Roles and Responsibilities: IRS relies heavily on security guards to (1) control access to IRS facilities and lockbox banks to safeguard taxpayer receipts and information from theft, loss, or abuse; (2) respond to intrusion alarms and other emergencies as needed; and (3) record, maintain, and report security incidents or violations to IRS for review or, when necessary, for corrective action. However, during our fiscal year 2005 audit, we found that security guards did not always effectively fulfill these responsibilities. Specifically, we found the following: * Security guard personnel at one SCC and one lockbox bank did not document a tripped door alarm in their respective security logs. At the SCC, it took security guard personnel nearly 10 minutes to respond to an alarm and they later did not deem it necessary to document the incident as required by IRS policy because the door was malfunctioning and there was an "understanding" that such documentation was not necessary. The security personnel at the lockbox bank did not provide an explanation for why they did not record the tripped alarm. * Security guards stationed at one TAC often left their assigned post of duty to escort customers to the workstations of IRS representatives. While the guards were absent from their post, customers were, at times, left unsupervised in the customer/visitor waiting area that was accessible to controlled space through a door that was unlocked at the time of our visit. * Incident reports[Footnote 15] prepared by security guards at one lockbox bank did not include corrective follow-up actions as required by the lockbox processing guidelines (LPG).[Footnote 16] Additionally, we found that the lockbox bank security review checklist used by IRS to periodically monitor whether all incidents and alarms are recorded and reported does not ask whether corrective actions were included in the incident reports. Without documentation of the corrective action taken on each incident, IRS management does not have a record of what, if any, corrective actions the bank took and, consequently, will be unable to evaluate the appropriateness of these actions or analyze whether other actions are needed to minimize the incident from occuring at other lockbox banks. GAO's Standards for Internal Control in the Federal Government require that management establish physical controls to secure and safeguard vulnerable assets and that access to resources and records, such as IRS receipts and taxpayer information, be limited to authorized individuals to reduce the risk of unauthorized use or loss to the government. Further, the IRM requires that access to assets be limited to those employees with a need due to their official duties and/or responsibilities. The IRM and LPG also require security guards to report and record significant conditions or situations to appropriate authorities. IRS relies heavily on security guards to control entry into all of its SCCs and lockbox banks and several of the TACs we visited, and to protect taxpayer receipts and information from theft, loss, or abuse. However, when they do not perform their duties in accordance with IRS policy, their effectiveness in achieving these objectives is impaired, thus increasing the risk that unauthorized individuals may access IRS offices and compromise taxpayer records and data and/or disrupt operations. Recommendations: We recommend that IRS: * enforce the requirement that all security or other responsible personnel at SCCs and lockbox banks record all instances involving the activation of intrusion alarms regardless of the circumstances that may have caused the activation; * reemphasize the need for the security guards at all TACs to ensure that key posts of duty, such as entrances to facilities, are not left unattended; and: * revise its lockbox bank's security review checklist to ensure that it encompasses reviewing security incident reports to validate whether security personnel are providing corrective actions related to the incidents cited. IRS Comments and Our Evaluation: IRS substantially agreed with our recommendations concerning security guards' roles and responsibilities. Regarding our recommendation that IRS enforce the requirement that personnel responsible for security at SCCs and lockbox banks record all instances of activation of intrusion alarms, IRS stated that it had revised the Lockbox Security Guidelines in January 2006 to require documentation of such events. IRS also noted that field security analysts were advised to enforce this requirement. In addition, IRS indicated that it would prepare a memorandum to reemphasize security guards' duties and responsibilities and the importance of meeting security requirements, and provide it to all TACs by October 2006. IRS also stated that it would revise its physical security review checklist to ensure that it encompasses reviewing security incident reports to validate whether security personnel are providing corrective actions related to the incidents cited. We will evaluate the effectiveness of IRS's efforts during our fiscal year 2006 financial audit. Candling Reviews: In previous audits, we found weaknesses in IRS's controls over candling and made several recommendations to IRS for improving its candling procedures at SCCs and lockbox banks.[Footnote 17] Generally, we recommended that IRS revise candling procedures to specify the precise candling methods to be used for various types of envelopes received, require management to ensure that envelopes are properly candled, and monitor adherence to these requirements. In response, IRS revised its candling procedures to (1) specify the precise candling method to be used for the first and final candling based on the dimensions of envelopes received, (2) require that all envelopes, including those manually extracted (e.g., non letter-size envelopes), be subject to initial and final candling prior to destruction, (3) require that non letter-size envelopes be sliced on three sides and opened flat to assure no contents are left inside the envelope, (4) require that envelopes opened on three or more sides manually or by machine still be candled, and (5) require that managers review and document evidence of their review of items found during candling every day for each work shift. Additionally, IRS modified the LPG and IRM, as applicable, to (1) require recording of receipts discovered during candling in a control log, (2) prohibit a single, isolated employee from performing candling, and (3) require that all envelopes opened on three or more sides including those opened by machine, be candled one more time on a candling table. Despite these actions, during our fiscal year 2005 audit, we continued to find deficiencies in IRS's oversight and implementation of candling procedures at three of the four SCCs we visited. At these SCCs, IRS management did not always enforce the requirement that opened envelopes receive at least two candlings before they are made available for destruction. Specifically, we found the following: * At one SCC, we observed that an extractor did not perform initial candling of regular letter-size envelopes by placing the envelope over a light source. The employee indicated that there was no need to place the envelope over the light source because they "knew" the envelope was empty. We also found several non letter-size envelopes[Footnote 18] that were not slit open on all three sides as required by IRS policy. In each instance, the envelopes had not received initial candling or been properly candled before being made available for destruction. * At another SCC, we observed extractors splitting non letter-size envelopes on three sides and placing them in the bin for shredding without the benefit of a final candling. Also, we observed that employees performing final candling did not immediately record the items found upon discovery. After further inquiry, we found that there was no candling log available at the candling table for employees to record the discovered items. * At two SCCs, we found non letter-size envelopes that had been slit only once in a bin scheduled for final destruction. This indicates that these envelopes were either only candled once or not properly candled before being made available for destruction. Over the past several years IRS has conducted monthly security reviews of its receipt and control function responsible for opening and candling envelopes. While these reviews address various controls designed to safeguard taxpayer receipts and information, including candling, they do not address the effectiveness of the candling procedures performed. For example, there are no questions on the checklist designed to test the usefulness of the candling procedures or discussions and observations with employees performing initial and final candling to assess their awareness of the required candling procedures. GAO's Standards for Internal Control in the Federal Government requires that management establish physical controls to secure and safeguard vulnerable assets and provide qualified and continuous supervision to ensure that control objectives are achieved.[Footnote 19] Candling is a key control employed by IRS to ensure that taxpayer receipts are not inadvertently overlooked and destroyed. The lack of adherence to the prescribed candling procedures limits the effectiveness of this control and increases the risk of inadvertent loss or destruction of taxpayer receipts. Recommendation: We recommend that IRS refine the scope and nature of its periodic reviews of candling processes at SCCs to ensure they (1) encompass tests of whether envelopes are properly candled through observation of candling in process and inquiry of employees who perform initial and final candling, and (2) document the nature and scope of the test and observation results. IRS Comments and Our Evaluation: IRS agreed with our recommendation and stated it will revise its Internal Control Checklist used for the monthly security reviews by January 2007 to address the effectiveness of the candling procedures performed. We will evaluate the effectiveness of IRS's efforts during future audits. Processing of Remittances: During our fiscal year 2005 audit, we found that lockbox banks were not always timely processing large dollar remittances.[Footnote 20] Specifically, at two of the lockbox banks we visited, we found large dollar checks that were not processed immediately. At one of the lockbox banks, six large checks totaling $1.25 million had been extracted from envelopes but were left in the extraction area; bank management informed us that the checks were not immediately processed because they were extracted by an earlier shift and that the current shift leaders were not aware of them. At the other bank, we found similar large checks in the extraction area that were not immediately processed but rather were left in bins while the extraction team went on a break. GAO's Standards for Internal Control in the Federal Government require that transactions be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This includes the timely processing of transactions. In addition, the LPG requires that remittances of $50,000 or more be immediately processed and deposited as part of the first available deposit. IRS conducts periodic performance and operational reviews of lockbox banks to ensure compliance with guidelines over processing and securing taxpayer receipts and information. However, the review process does not assess controls designed to ensure whether large checks are immediately processed and deposited as part of the first available deposit, as required by the LPG. By not always processing high dollar remittances immediately, IRS increases the risk of loss, theft, or misappropriation of such checks. Recommendations: We recommend that IRS: * enforce its existing policies and procedures at lockbox banks to ensure that all remittances of $50,000 or more are processed immediately and deposited at the first available opportunity; and: * refine the scope and nature of its periodic reviews of lockbox banks to include high dollar remittances to better monitor adherence to the requirement that they are processed immediately and deposited at the first available opportunity. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning controls over processing high dollar remittances. IRS stated that it will add appropriate language to the LPG to enforce its existing policies and procedures at lockbox banks for handling remittances of $50,000 or more. IRS also stated that by May 2006, it will add a review checkpoint for high dollar remittances to the Processing Internal Controls Data Collection Instrument used by Lockbox Field Coordinators during on-site reviews. We will evaluate the effectiveness of IRS's efforts during our fiscal year 2006 financial audit. Physical Access Controls at Tax Return Processing Facilities: As the U.S. government's principal revenue-collecting agency, IRS collects more than two trillion dollars in taxes each year, accounting for more than 95 percent of the U.S. government's total revenues. This includes hundreds of millions of dollars in hardcopy tax payments and related information which is submitted to IRS tax processing facilities by millions of taxpayers. IRS has a responsibility to safeguard these payments and the related information entrusted to it by the nation's taxpayers. To fulfill this responsibility, it is essential that IRS have effective physical security controls to prevent unauthorized access to its tax return processing facilities. However, we found deficiencies in several of these controls during our fiscal year 2005 audit. Specifically, at two of the SCCs and at one of the lockbox banks we visited as part of our audit, we found weaknesses in controls over access to the facility and/or surrounding perimeter that increase the risk of penetration by unauthorized individuals. For example: * At one SCC, we observed flaws in the security over the facility's perimeter that could allow unauthorized individuals to bypass security guards and enter the grounds unobserved. These flaws included (1) unguarded entrances to perimeter grounds, (2) gaps in the security fence, and (3) overgrown shrubbery which obstructed the view of security personnel. * At the same SCC, we observed that employees entering the facility were not always subject to verification of their credentials. At the SCC, we observed employees closely following an employee who had opened a secure door with their proximity access card; these individuals were able to enter without presenting credentials of their own (a practice known as "piggybacking"). In testing another entrance, we found the same weakness by entering via piggybacking on IRS employees who had presented access cards. * At the second SCC's annex facility, we found two loading dock door alarms that were both inoperable. IRS officials at the facility informed us that they had been inoperable since they had been inadvertently deactivated while performing maintenance on an adjacent door three weeks earlier. * At the lockbox bank, we found that couriers from two different mail delivery services were allowed to enter the facility without first presenting proper identification. GAO's Standards for Internal Control in the Federal Government requires that agencies establish physical controls to limit access to vulnerable assets and records to authorized individuals. To help ensure that its physical security controls are effective, IRS routinely reviews the security at all SCCs and lockbox banks, identifies weaknesses, and pursues corrective actions. However, at SCCs, these reviews do not encompass reviewing controls over access to the grounds through the outer perimeter. Additionally, at both SCCs and lockbox banks, the reviews do not encompass testing the effectiveness of controls intended to prevent individuals without proper credentials from entering the facility. Also, while the IRM requires that SCC intrusion alarm systems be tested, it only requires that the testing be conducted annually. Consequently, an alarm could potentially be dysfunctional for an extended period and remain undetected for several months. Also, the IRM does not offer guidance as to how these tests should be conducted and the results documented. These weaknesses increase the risk that unauthorized individuals may enter these tax return processing facilities and potentially disrupt operations or compromise the taxpayer receipts or information they process. Recommendations: We recommend that IRS: * refine the scope and nature of its periodic security reviews to encompass (1) testing the effectiveness of controls intended to ensure that only individuals with proper credentials are permitted access to SCCs and lockbox banks, and (2) reviewing the integrity of perimeter security at SCCs; and: * revise the physical security procedures contained in the IRM to require that all SCCs and any respective annex facilities processing taxpayer receipts and/or information perform and document monthly tests of the facility's intrusion detection alarms. At a minimum, these procedures should (1) outline the type of test to be conducted, (2) include criteria for assessing whether the controls used to respond to the alarm were effective, and (3) require that a logbook be maintained to document the test dates, results, and response information. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning physical access controls at tax processing facilities. In response to our recommendation that IRS refine the nature of its periodic security reviews, IRS stated that the lockbox bank site discussed in the audit report that did not restrict access of unauthorized employees was instructed to immediately prohibit entry and acceptance of deliveries from these and similar unauthorized employees in the loading dock area. IRS stated that its review team will add this requirement as a specific review item in their physical security review process. Additionally, IRS indicated that it had updated its Security Review Procedures and Checklist for SCCs and lockbox banks and conducted quarterly reviews with the new procedures/checklist to assess employee piggybacking attempts, fence lines, landscaping, and alarm testing. IRS noted that it will update the IRM and LPG related to the SCCs alarm testing procedures to include a description of the types of tests to be conducted, criteria for assessing controls, and the logging of requirements by August 2007. We will evaluate the effectiveness of IRS's efforts during future audits. Hiring Juveniles for Access to Taxpayer Receipts and Information: IRS requires background investigations on every prospective contract or non-contract employee prior to granting them access to taxpayer receipts and information. However, legal restrictions limit the scope of background investigations for juvenile applicants. Specifically, title 18 of the United States Code, section 5038, prevents the release of criminal records on juveniles when the request is related to an application for employment. To compensate, IRS policy requires that juveniles hired to perform receipt and control processing functions submit a Recommendation for Juvenile Employment (form 13094) or an equivalent document from an individual recommending the juvenile for employment in a position of trust.[Footnote 21] However, during our fiscal year 2005 audit, we found limitations in IRS's design and implementation of its policy. Specifically, we found the following: * IRS policy requiring the completed form 13094 only applies to juveniles hired to perform receipt processing functions. However, access to taxpayer information is not limited to staff assigned to receipt processing functions. Thus, this policy may allow juveniles access to taxpayer information without providing any references. * The form 13094s are provided directly to IRS by the juvenile as part of the application package, and IRS personnel officials do not verify the source of the information submitted. Consequentially, IRS does not have adequate assurance that the individual whose name appears on the form actually exists and that they completed the form as represented. * The form does not require that the reference describe his or her relationship with the juvenile, including the number of years known and the nature of the relationship, in order to allow IRS to assess whether the reference has sufficient basis to recommend the juvenile for employment. * IRS did not obtain form 13094s for three juveniles hired in the receipt and control processing function during fiscal year 2005. According to IRS officials, they decided not to request the form from these three individuals because they graduated from high school prior to attaining the age of 18 and did not have a current or former employer or a current teacher, counselor, or principal as required by the form's instructions. As a result, these three juveniles were given access to taxpayer receipts and information without an independent assessment of their character, as required by IRS policy. GAO's Standards for Internal Control in the Federal Government requires that access to resources and records, such as IRS receipts and taxpayer data, be limited to authorized individuals to reduce the risk of unauthorized use or loss to the government.[Footnote 22] By not (1) always obtaining a character reference for juveniles to be permitted access to taxpayer receipts and information and (2) independently verifying the source of the information on the form, IRS increases the risk that juveniles with inappropriate backgrounds may obtain access to sensitive taxpayer receipts and information. Recommendations: We recommend that IRS: * amend its policy to require that a completed form 13094 with a positive recommendation be provided for every juvenile hired to any position that will allow access to taxpayer receipts and/or taxpayer information; * require IRS personnel to verify the information on the form 13094 by contacting the reference directly; * revise the form 13094 to require the reference to describe his/her relationship with the juvenile, including extent of first-hand contact, to allow IRS to review the forms and assess whether the referencer has sufficient basis to recommend that juvenile to a position of trust; and: * establish procedures for hiring juveniles who do not have a current teacher, principal, counselor, employer or former employer, and clarify that IRS's current policies and procedures should not be interpreted to mean that such juveniles should be allowed access to taxpayer receipts and information without a form 13094 or its equivalent. These procedures could include a list of acceptable alternatives that may serve as references for juveniles who do not have a current teacher, principal, or guidance counselor. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning controls over hiring juveniles. To address these recommendations, IRS stated that (1) it will amend its policy to require that a completed Recommendation for Juvenile Employment (form 13094) with a positive recommendation be provided for every juvenile hired to any position allowing access to taxpayer receipts and/or taxpayer information; (2) once the Office of Management and Budget (OMB) approves the revised form 13094, it will, by August 2006, issue a new policy requiring IRS personnel to verify the information on the form 13094 by contacting the reference directly; (3) it will make appropriate revisions to the form 13094 to require the reference to describe his/her relationship with the juvenile; and (4) after OMB approves the revised form 13094, it will issue a new policy establishing procedures for hiring juveniles who do not have a current teacher, principal, counselor, employer or former employer, and clarify that IRS's current policies and procedures should not be interpreted to mean that such juveniles should be allowed access to taxpayer receipts and information without a form 13094 or its equivalent. We will evaluate the effectiveness of IRS's efforts during our fiscal year 2006 financial audit. Classifying and Reporting Expense and P&E Transactions: During our fiscal year 2005 audit, we found deficiencies in IRS's controls over the classification and reporting of transactions relating to its expenses and property and equipment (P&E) acquisitions. Specifically, IRS did not always assure that it properly classified its procurement transactions as P&E and recognized assets when they met its capitalization criteria, or as expenses when they did not. IRS's property and equipment capitalization policy, which is consistent with Statement of Federal Financial Accounting Standards No. 6[Footnote 23] and provides criteria on the capitalization of P&E, requires the recognition of assets when its capitalization criteria is met and the recognition of expense when it is not. To implement this policy, IRS requires its staff to classify expense and P&E acquisition transactions at the time orders are placed and assign and record the classification and accounting codes in the general ledger when they record the obligations. At the end of each month, IRS personnel review the entries to expense and P&E accounts considered more susceptible to error to determine if any classification errors occurred and, if so, to make the necessary corrections to properly classify and record them. We noted that IRS's established policy, if properly implemented, could help its staff differentiate between expense and P&E transactions and, through periodic reviews, detect and correct transactions improperly recorded in the expense and P&E accounts. However, IRS's staff did not always follow the capitalization policy effectively in fiscal year 2005. We tested a total of 267 sampled transactions from IRS's non-payroll expenses and P&E acquisitions recorded during the first 9 months of fiscal year 2005 and accounts payable as of September 30, 2005, and found that 6 of the transactions were classified and reported incorrectly. Specifically: * We found two instances where IRS initially recorded purchases of automated data processing equipment with a total cost of $7.8 million correctly as P&E acquisitions but subsequently reviewed the initial accounting treatment, removed the transactions from P&E, and erroneously included them in the expense accounts. In another instance, IRS initially recorded a $266,000 purchase of information services correctly as an expense but, after one of its periodic reviews, removed it from expense and erroneously included it as capitalized P&E. * In the remaining 3 instances, IRS initially misclassified procurement transactions totaling $1.7 million that should have been recorded as expenses and incorrectly recorded them as P&E. One transaction involved an operating lease payment that IRS capitalized as an asset instead of including it in expenses. The other 2 transactions involved charges for support services that IRS misclassified and incorrectly recorded as P&E instead of expenses. IRS did not detect and correct these misclassified transactions either when they were initially recorded or during its periodic review process. GAO's Standards for Internal Control in the Federal Government require that transactions and other events be accurately and timely recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from the initiation and authorization through its final classification in summary records. In addition, control activities help to ensure that all transactions are completely and accurately recorded. The errors we found occurred because IRS's controls over its property and equipment capitalization process were not always effective. While these errors did not result in a material misstatement to IRS's fiscal year 2005 financial statements, the control weaknesses that gave rise to these errors precludes IRS from having assurance that its financial records for expenses and capital assets are capable of generating reliable reports on an ongoing basis throughout the year. Recommendation: To assure proper accounting treatment of expense and P&E transactions and reliable financial reporting, we recommend that IRS enforce its property and equipment capitalization policy to ensure that it is properly implemented to fully achieve management's objectives, including recognizing assets when its capitalization criteria is met and recognizing expenses when it is not. IRS Comments and Our Evaluation: IRS agreed with our recommendation. IRS's stated that its Chief Financial Officer and Procurement Office implemented new procedures for reviewing the classification of P&E into its accounting system. The Procurement Office will begin reviewing classification codes to ensure correctness and will take all necessary steps to ensure end users correct errors prior to entering the obligations. IRS expects these new procedures to be fully operational for the fourth quarter of fiscal year 2006. IRS also stated that it modified the scope of its monthly review of P&E transactions to include only obligations above a pre- determined dollar threshold. IRS indicated that these procedures were implemented in April 2006 for P&E acquired in March 2006. We will evaluate the effectiveness of IRS's efforts during our fiscal year 2006 financial statement audit. Recording Disposals of Property and Equipment: In prior years, we identified deficiencies in IRS's process for recording property and equipment (P&E) transactions in its inventory records. Over the past several years, IRS has made substantial progress in improving the accuracy and reliability of its inventory records. While we recognize IRS's progress, our work performed as part of our fiscal year 2005 audit indicates that further improvements are needed. During our audit, we found that IRS staff did not always follow the agency's procedures requiring the prompt recording of disposals of property and equipment in its inventory records. The P&E disposal process is initiated when the function utilizing P&E notifies the local Single Point Inventory Function (SPIF) unit that they have P&E to be excessed or retired. The local SPIF unit arranges to remove the P&E, prepares the necessary paperwork, updates the inventory records to reflect that the asset is pending disposal, and turns custody of the P&E over to the Facilities Management Branch (FMB). FMB has responsibility for physical disposition of the P&E and updating the inventory records to reflect the final disposal. The IRM specifies that P&E inventory records must be updated to reflect all disposals within ten days of the action. During our fiscal year 2005 audit, we found that eight of 220 items selected from IRS's inventory records could not be located.[Footnote 24] All of these assets had been disposed of, but the inventory records reflected the assets as pending disposal. FMB had not updated the inventory system to change the disposal status from pending to final. For three of the exceptions found at one location, the assets were retired on May 15, 2004, but the disposals were still reflected as pending as of July 15, 2005, more than one year after the date of disposal. IRS's property management system does not generate aging reports to indicate the length of time assets have remained in pending status. GAO's Standards for Internal Control in the Federal Government require agencies to implement internal control procedures to ensure the accurate and timely recording of transactions and events. This standard further states that transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. Property records that are out of date impede management's ability to make sound operating decisions, monitor performance, and allocate resources, and can result in undetected theft or loss of assets. Recommendation: We recommend that IRS: * generate aging reports when an asset remains in pending disposal status for longer than a specified period of time; and: * direct FMB managers to research and resolve the aging reports. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning recording disposals of property and equipment. IRS indicated that issues raised in the fiscal year 2005 financial statement audit were being addressed through an IRS re-engineering effort focused on the entire asset retirement and disposal process. IRS stated that it currently has reports available to monitor aging transactions during the disposal life cycle. IRS also indicated that it is (1) developing procedures to require reviews of aging reports to streamline the process to ensure timely recording of disposal transactions, and (2) modifying software to electronically record such transactions. IRS intends to implement these modifications and review procedures by August 2006. We will evaluate the effectiveness of IRS's efforts during our fiscal year 2006 financial statement audit. This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on these recommendations. You should submit your statement to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Government Reform within 60 days of the date of this report. A written statement must also be sent to the House and Senate Committees on Appropriations with the agency's first request for appropriations made more than 60 days after the date of the report. This report is intended for use by the management of IRS. We are sending copies to the Chairmen and Ranking Minority Members of the Senate Committee on Appropriations; Senate Committee on Finance; Senate Committee on Homeland Security and Governmental Affairs; and Subcommittee on Taxation and IRS Oversight, Senate Committee on Finance. We are also sending copies to the Chairmen and Ranking Minority Members of the House Committee on Appropriations; House Committee on Ways and Means; the Chairman and Vice-Chairman of the Joint Committee on Taxation, the Secretary of the Treasury, the Director of the Office of Management and Budget, the Chairman of the IRS Oversight Board, and other interested parties. The report is available at no charge on GAO's Web site at [Hyperlink, http://www.gao.gov]. We acknowledge and appreciate the cooperation and assistance provided by IRS officials and staff during our audits of IRS's fiscal years 2005 and 2004 financial statements. Please contact me at (202) 512-3406 or sebastians@gao.gov if you or your staff have any questions concerning this report. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in enclosure III. Signed By: Steven J. Sebastian: Director: Financial Management and Assurance: [End of section] Enclosure I: Comments from the Internal Revenue Service: Department Of The Treasury: Internal Revenue Service: Washington, D.C. 20224: May 1, 2006: Mr. Steven J. Sebastian: Director: Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, N.W.: Washington, D.C. 20548: Dear Mr. Sebastian: I am writing in response to your draft of the FY 2005 Management Report titled, Improvements Needed in IRS' Internal Controls (GAO-06-532R). I appreciate your continued assistance during our fiscal year financial statement audit. The issues you presented in your report will help us to take the necessary steps to strengthen our controls over property and equipment, safeguarding tax receipts, and improving financial management. We continue to make progress in addressing our financial management challenges. We successfully closed 33 recommendations during fiscal year 2005. We expanded our remediation plans to better address the reportable condition on lockbox to include the controls over hard-copy tax receipts at our service center campuses, Taxpayer Assistance Centers, and field offices. We have developed corrective action plans for each of these areas and will monitor the plans through implementation. We are working with your staff to trace each of the remaining open recommendations to the underlying issues and ensure that our corrective actions will address all of the controls to which they relate. I have enclosed a response addressing all of your recommendations separately. We appreciate your recommendations and will continue to work with you to address each of them. We are committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. If you have any questions, please contact Janice Lambert, Chief Financial Officer, at (202) 622-6400. Sincerely, Signed By: Mark W. Everson: Enclosure: GAO Recommendations and IRS Responses to GAO FY 2005 Management Report Improvements Needed in the IRS' Internal Controls GAO-06-532R: Recommendation: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. Comments: We agree with this recommendation. Internal Revenue Manual (IRM) 21.4.3, Returned Refunds/Releases, contains procedures for transmitting returned refund checks to the Regional Finance Center utilizing Document Transmittal - Form 3210. Although the procedures do not require the manager to initial the Form 3210, procedures are in place in the Manager's IRM to conduct periodic reviews. Accounts Management (AM) will include a reminder to all centers of the requirement to conduct periodic Form 3210 reviews in the annual AM Program Letter. This item will also be included as part of the site review process by March 2007. Recommendation: Enforce compliance with existing requirements that all Internal Revenue Service (IRS) units transmitting taxpayer receipts and information from one IRS facility to another, including Service Center Campuses (SCCs), Taxpayer Assistance Centers (TACs), and units within Large & Mid-Size Business (LMSB) and Tax Exempt & Government Entities (TE/GE), establish a system to track acknowledged copies of document transmittals. Comments: We agree with this recommendation. TEIGE conducted an education effort to ensure all managers in Examination are familiar with existing IRMs related to check processing procedures, including proper maintenance of log books for document transmittals. These efforts included conducting an information presentation at a meeting that included managers from TEIGE, developing a Quick Reference Guide for Processing Checks in TE/GE Examination, documenting the process via a flowchart, and revising our Exam Revenue Agent basic training course. Document Transmittal - Form 3210 is one method used Service-wide to transmit information. IRM 3.13.62, Media Transport and Control, contains Form 3210 procedures, including the acknowledgement process. AM will include a reminder to all centers of the requirement to conduct periodic Form 3210 reviews in the annual AM Program Letter. This item will also be included as part of the site review process by March 2007. By July 2006, Field Assistance will establish a process to monitor acknowledgements of Report of Collection Activity - Form 795 and Form 3210 - when received from the service centers. Specific actions underway include revising IRM procedures to require documentation of follow-up actions with Submission Processing Centers when an identified Form 795 or Form 3210 is not acknowledged timely. The documentation will be retained with the group copy of Form 795 or Form 3210. Recommendation: Provide instructions to document the follow-up procedures performed in those cases where transmittals have not been timely acknowledged. Comments: We agree with this recommendation. TE/GE developed a flowchart and quick reference guide on proper check handling procedures and also incorporated these into its Examination Phase 1 training materials. By July 2006, Field Assistance will establish a process to monitor acknowledgements of Form 795 and Form 3210 when received from the service centers. Specific actions underway include revising IRM procedures to require documentation of follow-up actions with Submission Processing Centers when an identified Form 795 or Form 3210 is not acknowledged timely. The documentation will be placed with the group copy of Form 795 or Form 3210. Recommendation: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/ or taxpayer information mailed between IRS locations are tracked according to guidelines. Comments: We agree with this recommendation. TE/GE conducted an education effort to ensure all managers in Examination are familiar with existing IRMs. An informational presentation was conducted at the Examination manager's meeting on check processing procedures and proper maintenance of log books for document transmittals. TE/GE developed a Quick Reference Guide for Processing Checks in TE/GE Examination and documented the process via a flowchart. TE/GE has also added a new commitment to the performance plan of its managers regarding implementation of the TE/GE action plan to address the General Accountability Office (GAO) repeat findings for safeguarding hard copy receipts. Field Assistance will identify and, as appropriate, develop and implement methods to improve the consistent use of Form 3210 for documenting the shipment of taxpayer receipts and information to the service centers. Specific actions underway include developing procedures by September 2006, to require TAC managers to perform a weekly review of the Forms 3210 as part of the payment reconciliation review and to document the review. Recommendation: Equip all TACs with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas by physical barriers such as locked doors marked with signs barring entrance by unescorted customers. Comments: We agree with this recommendation. Field Assistance will identify TACs that lack the physical barriers to prevent unauthorized access to TAC space and work with IRS Agency-Wide Shared Services / Real Estate Facilities Management (AWSS/REFM) to address alternatives to controlling access. Meetings with AWSS/REFM began in January 2006, and they agreed to evaluate barrier issues within the TACs and determine corrective actions by June 2006. Field Assistance has also developed procedures to canvas TACs twice a year for security, safety, health, and space concerns. Recommendation: Connect duress alarms to a central monitoring station or local police department or institute appropriate compensating controls when these alarm systems are not operable or in place. Comments: We agree with this recommendation. Field Assistance has developed testing requirements to ensure security equipment (e.g., duress alarms) is functioning properly. Field Assistance will coordinate with AWSS/REFM and Mission Assurance and Security Services (MA&SS) on any reported deficiencies, especially when the new TAC models are completed. Otherwise, Field Assistance will work with MA&SS to ensure testing of duress alarms is performed semi-annually. MA&SS, Wage and Investment (W&I), and AWSS will connect duress alarms to a central monitoring station or local police departments in TACs based upon criticality and funding availability, and enact compensating controls when the systems are inoperable. The IRS will address appropriate compensating controls at TACs not connected to central monitoring/local police departments by December 2006. Recommendation: Document supervisory visits by offsite managers to TACs not having a manager permanently onsite. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned. Comments: We agree with this recommendation. Field Assistance has developed a checklist for managers to use to document visits to outlying TACs. The checklist includes the manager's name and date of visit, as well as the issues discussed with employees, the Commissioner's Representative, and the Union President. The checklist will be added to the IRM 1.4.11 by June 2006. Recommendation: Enforce the requirement that all security or other responsible personnel at SCCs and lockbox banks record all instances involving the activation of intrusion alarms regardless of the circumstances that may have caused the activation. Comments: We believe we have addressed this recommendation. We revised the Lockbox Security Guideline under L.S.G.2.2.3.1.6 (6) in January 2006 to add the requirement that the banks maintain a logbook of incident reports and any applicable supporting documentation, noting corrective follow-up actions taken on each incident. The logbook must be maintained in sequential date order. Additionally, field security analysts were advised to enforce the recordation requirement for all activations of intrusion alarms with guards. The IRS updated alarm testing procedures and checklists to include a review of guard console logs, and IRS will check compliance in unannounced alarm tests. Recommendation: Reemphasize the need for the security guards at all TACs to ensure that key posts of duty, such as entrances to facilities, are not left unattended. Comments: We agree with this recommendation, MA&SS, W&I, and AWSS will prepare a memorandum that reemphasizes security guards' duties and responsibilities (post orders) and the importance of meeting security requirements, and provide to all TAC locations by October 2006. Recommendation: Revise its lockbox bank's security review checklist to ensure that it encompasses reviewing security incident reports to validate whether security personnel are providing corrective actions related to the incidents cited. Comments: We agree with this recommendation. Submission Processing will work with MA&SS and Treasury Financial Management Service (FMS) to ensure the physical security review checklist is updated to include reviews of the security incident reports and to validate that the security personnel are providing corrective actions related to the incidents that are cited by May 2006. Recommendation: Refine the scope and nature of its periodic reviews of candling processes at SCCs to ensure they (1) encompass tests of whether envelopes are properly candled through observation of candling in process and inquiry of employees who perform initial and final candling, and (2) document the nature and scope of the test and observation results. Comments: We agree with this recommendation. We will revise the Internal Control Checklist used for the monthly security reviews by January 2007, to address the effectiveness of the candling procedures performed. Recommendation: Enforce its existing policies and procedures at lockbox banks to ensure that all remittances of $50,000 or more are processed immediately and deposited at the first available opportunity. Comments: We agree with this recommendation. To further enhance our current requirements, we will add the following language by May 2006, to L.P.G.3.2 (4) and L.P.G.3.2.7.1: "In addition, Lockbox management must ensure remittances of $50,000 or more are not left unattended; for example: shift changes, breaks, meetings, etc. These remittances must be collected and then batched for expedited processing.": Recommendation: Refine the scope and nature of its periodic reviews of lockbox banks to include high dollar remittances to better monitor adherence to the requirement that they are processed immediately and deposited at the first available opportunity. Comments: We agree with this recommendation. A review checkpoint for high dollar remittances will be added by May 2006, to the Processing Internal Controls Data Collection Instrument that the Lockbox Field Coordinators use during their on-site reviews. Recommendation: Refine the scope and nature of its periodic security reviews to encompass (1) testing the effectiveness of controls intended to ensure that only individuals with proper credentials are permitted access to SCCs and lockbox banks, and (2) reviewing the integrity of perimeter security at SCCs. Comments: We agree with this recommendation. The lockbox site discussed in the audit report that did not restrict access of unauthorized employees has been instructed to immediately prohibit entry and acceptance of deliveries from these and similar unauthorized employees in the loading dock area. The IRS Review Team will add this requirement as a specific review item in our physical security review process. Additionally, the IRS updated its Security Review Procedures and Checklists for SCCs and lockbox banks, and conducted quarterly security reviews with the new procedures/checklist to assess employee piggybacking attempts, fence lines, landscaping, and alarm testing. Recommendation: Revise the physical security procedures contained in the IRM to require that all SCCs and any respective annex facilities processing taxpayer receipts and/or information perform and document monthly tests of the facility's intrusion detection alarms. At a minimum, these procedures should (1) outline the type of test to be conducted, (2) include criteria for assessing whether the controls used to respond to the alarm were effective, and(3) require that a logbook be maintained to document the test dates, results, and response information. Comments: We agree with this recommendation. MA&SS and AWSS will update the IRMs and Lockbox Processing Guidelines related to the SCCs alarm testing procedures to include a description of the types of tests to be conducted, criteria for assessing controls, and the logging requirements by August 2007. Recommendation: Amend its policy to require that a completed Recommendation for Juvenile Employment - Form 13094 with a positive recommendation be provided for every juvenile hired to any position that will allow access to taxpayer receipts and/or taxpayer information. Comments: We agree with this recommendation. After the Office of Management Budget (OMB) approves Form 13094, the Human Capital Office (HCO) will issue a new policy requiring a positive recommendation for juveniles hired to any position that will allow access to taxpayer receipts and/or taxpayer information by August 2006. Recommendation: Require IRS personnel to verify the information on the Form 13094 by contacting the reference directly. Comments: We agree with this recommendation. After the OMB approves Form 13094, the HCO will issue new policy requiring IRS personnel to verify the information on the Form 13094 by contacting the reference directly by August 2006. Recommendation: Revise the Form 13094 to require the reference to describe his/her relationship with the juvenile, including extent of first-hand contact, to allow IRS to review the forms and assess whether the referencer has sufficient basis to recommend that juvenile to a position of trust. Comments: We agree with this recommendation. The HCO will revise Form 13094 to require that the reference describe their relationship with the juvenile and how long they have known the juvenile. This will allow the HCO offices to assess whether the reference has sufficient basis to recommend the juvenile for employment. After Form 13094 is revised, it will be submitted to OMB for formal approval to be used as a pre- employment form by August 2006. Recommendation: Establish procedures for hiring juveniles who do not have a current teacher, principal, counselor, employer or former employer, and clarify that IRS's current policies and procedures should not be interpreted to mean that such juveniles should be allowed access to taxpayer receipts and information without a Form 13094 or its equivalent. These procedures could include a list of acceptable alternatives that may serve as references for juveniles who do not have a current teacher, principal or guidance counselor. Comments: We agree with this recommendation. After the OMB approves Form 13094, the HCO will issue a new policy establishing procedures for hiring juveniles who do not have a current teacher, principal, counselor, employer or former employer, and clarify that IRS' current policies and procedures should not be interpreted to mean that such juveniles should be allowed access to taxpayer receipts and information without a Form 13094 or its equivalent by August 2006. Additionally, the revised Form 13094 will offer alternative reference documentation if the juvenile does not have a current teacher, principal or guidance counselor. Recommendation: Enforce its property and equipment capitalization policy to ensure that it is properly implemented to fully achieve management's objectives, including recognizing assets when its capitalization criteria is met and recognizing expenses when it is not. Comments: We agree with this recommendation. The Chief Financial Officer (CFO) and Procurement implemented new procedures for reviewing the classification of property and equipment (P&E) prior to entering transactions into the accounting system. In the past, Procurement was not required to review classification codes end users provided prior to entering obligations into the accounting system. Going forward, Procurement will now review classification codes to ensure correctness, and will take all necessary steps to ensure end users correct errors prior to entering the obligations. We anticipate the new procedures to be fully operational for the fourth quarter of FY 2006. Additionally, the CFO's Internal Financial Management (IFM) improved its monthly review of P&E transactions. In the past, IFM reviewed virtually all transactions related to capitalized P&E or expendable purchases. With advance approval from GAO in FY 2006, I FM has modified the scope of its review to include only purchases above a material dollar threshold. As a result, reviews will concentrate primarily on ensuring the transactions are properly classified as capital assets or expense. The new review procedures will be implemented in April 2006, for P&E acquired during the month of March 2006 and each month thereafter. Recommendation: Generate, aging reports when an asset remains in pending disposal status for longer than a specified period of time. Comments: We agree with this recommendation. In March 2006, the Chief Information Officer (CIO) property program manager informed GAO that issues raised in the FY 2005 Financial Statement Audit are being addressed via a re-engineering effort focused on the entire asset retirement and disposal process. As such, reports are currently available to monitor aging transactions during the disposal life cycle. Additionally, procedures are being developed to require reviews of aging reports for the timely recording of disposal transactions. Substantial software modifications are being designed to improve the recording of information by replacing manual data entry methods by using electronic forms, signatures, and processes. These modifications and review procedures will be implemented to streamline the recording of asset disposal activity as required by IRS policy by August 2006. Recommendation: Direct Facilities Management Branch managers to research and resolve the aging reports. Comments: We agree with this recommendation. AWSS and CIO property program managers are working to reengineer the entire asset retirement and disposal process and discussed this initiative with GAO in March 2006. Reports are currently available for management to monitor the status of aging transaction dates until the disposal process is complete. Also, we are developing review procedures to streamline the process to ensure the timely recording of disposal transactions. Reengineered process modifications, review procedures, and guidance for conducting reviews, will be implemented by August 2006. [End of section] Enclosure II: Details on Audit Methodology: To fulfill our responsibilities as the auditor of the Internal Revenue Service's (IRS) financial statements, we did the following: * Examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements. This included testing selected statistical samples of unpaid assessment, revenue, refund, accrued expenses, payroll, nonpayroll, property and equipment, and undelivered order transactions. These statistical samples were selected primarily to substantiate balances and activities reported in IRS's financial statements. Consequently, dollar errors or amounts can and have been statistically projected to the population of transactions from which they were selected. In testing these samples, certain attributes were identified that indicated either significant deficiencies in the design or operation of internal control or compliance with provisions of laws and regulations. These attributes, where applicable, can be and have been statistically projected to the appropriate populations. * Assessed the accounting principles used and significant estimates made by management. * Evaluated the overall presentation of the financial statements. * Obtained an understanding of internal controls related to financial reporting (including safeguarding assets), compliance with laws and regulations (including the execution of transactions in accordance with budget authority), and performance measures reported in the Management Discussion and Analysis. * Tested relevant internal controls over financial reporting (including safeguarding assets) and compliance, and evaluated the design and operating effectiveness of internal controls. * Considered the process for evaluating and reporting on internal controls and financial management systems under 31 U.S.C. § 3512 (c), (d), commonly referred to as the Federal Managers' Financial Integrity Act of 1982. * Tested compliance with selected provisions of the following laws and regulations: Anti-Deficiency Act, as amended (31 U.S.C. § 1341(a)(1) and 31 U.S.C. § 1517(a)); Purpose Statute (31 U.S.C. § 1301); Release of lien or discharge of property (26 U.S.C. § 6325); Interest on underpayment, nonpayment, or extensions of time for payment of tax (26 U.S.C. § 6601); Interest on overpayments (26 U.S.C. § 6611); Determination of rate of interest (26 U.S.C. § 6621); Failure to file tax return or to pay tax (26 U.S.C. § 6651); Failure by individual to pay estimated income tax (26 U.S.C. § 6654); Failure by corporation to pay estimated income tax (26 U.S.C. § 6655); Prompt Payment Act (31 U.S.C. § 3902(a), (b), and (f) and 31 U.S.C. § 3904); Pay and Allowance System for Civilian Employees (5 U.S.C. §§ 5332 and 5343, and 29 U.S.C. § 206); Federal Employees' Retirement System Act of 1986, as amended (5 U.S.C. §§ 8422, 8423, and 8432); Social Security Act, as amended (26 U.S.C. §§ 3101 and 3121 and 42 U.S.C. § 430); Federal Employees Health Benefits Act of 1959, as amended (5 U.S.C. §§ 8905, 8906, and 8909); Transportation, Treasury, and Independent Agencies Appropriations Act, 2004, Pub. L. No. 108-199, div. F, tit. II, 118 Stat. 314 (Jan. 23, 2004); and Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005, Pub. L. No. 108-447, div. H, tit. II, 118 Stat. 3235 (Dec. 8, 2004). * Tested whether IRS's financial management systems substantially comply with the three requirements of the Federal Financial Management Improvement Act of 1996 (Pub. L. No. 104-208, div. A, § 101(f), title VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996). [Signed By:] Enclosure III: Staff Acknowledgments: Acknowledgments: The following individuals made major contributions to this report: Charles Fox-Assistant Director, Manmei Chen, John Davis, Paul Foderaro, Ted Hu, Jerrod O'Nelio, Theresa Patrizio, Robert Preshlock, John Sawyer, Angel Sharma, Peggy Smith, and Gary Wiggins. (196092): [End of section] FOOTNOTES [1] GAO, Financial Audit: IRS's Fiscal Years 2005 and 2004 Financial Statements, GAO-06-137 (Washington, D.C.: Nov. 10, 2005). [2] TACs are field assistance units designed to serve taxpayers who choose to seek help from the IRS in person. Services provided include interpreting tax laws and regulations, preparing some tax returns, resolving inquiries on taxpayer accounts, receiving payments and forwarding those payments to their respective SCC for deposit and further processing, and performing other services designed to minimize the burden on taxpayers in satisfying their tax obligations. These offices are typically much smaller facilities than SCCs or lockbox banks with staff sizes ranging from 1 to about 35 employees. [3] IRS defines controlled areas as space to which access is limited to IRS employees with a valid business purpose. Within such controlled space, certain areas are designated as restricted and are subject to a further elevated level of security to safeguard such sensitive assets as hardcopy taxpayer receipts and computer facilities. [4] Lockbox banks are financial institutions designated as depositories and financial agents of the U.S. government to perform certain financial services, including processing tax documents, depositing the receipts, and then forwarding the documents and data to their respective SCC, which update taxpayers' accounts. [5] Candling is a process used by IRS to determine if any contents remain in open envelopes, which is often achieved by passing the envelopes over a light source. [6] IRS defines juvenile as a person who is not yet eighteen years of age. [7] GAO, Standards for Internal Control in the Federal Government, GAO/ AIMD-00-21.3.1 (Washington, D.C.: November 1999). [8] GAO-06-137. [9] The Daily Report of Collection Activity is generally used to transmit taxpayer receipts from an IRS facility to a SCC. A Document Transmittal is used interchangeably to transmit (1) taxpayer receipts or several form 795s from an IRS facility to a SCC for final processing or (2) non-payment related taxpayer information (e.g., case files and other sensitive tax related data) between IRS facilities. [10] LMSB units are field office units charged with administering taxes for corporations and partnerships with assets over $10 million. TEGE units are field office units that serve a wide range of customers including small local community organizations, municipalities, major universities, pension funds, state governments, Indian tribal governments, and tax exempt bond issuers. All other corporations, partnerships, small businesses, and individuals with certain types of non-salary income with assets under $10 million are serviced by IRS's Small Business and Self-Employed (SB/SE) units. We addressed similar monitoring weaknesses within several SB/SE units in our management report from our fiscal year 2004 audit, see GAO, Management Report: Improvements Needed in IRS's Internal Controls, GAO-05-247R (Washington, D.C.: April 2005). [11] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). [12] The IRM outlines business rules and administrative procedures and guidelines IRS uses to conduct its operations and contains policy, direction, and delegations of authority necessary to carry out IRS's responsibilities to administer tax law and other legal provisions. [13] One of the TRRs at this location worked a part-time schedule. [14] As of March 2006, IRS had reconfigured 115 of its 400 TACs located throughout the United States, has an additional 29 such projects underway, and plans on reconfiguring the remaining TACs by 2014. [15] Incident reports are used by security guards to document and record their response to suspicious events, incidents, and activities. In addition, lockbox banks are required to maintain a log of incident reports, noting the action that the lockbox bank took to correct the incident. [16] Internal Revenue Service, "2005 Lockbox Processing Guidelines" (Washington, D.C.: January 2005), and subsequent 2005 updates. The 2005 LPG provides guidelines for processing work at lockbox banks serving IRS for the 2005 filing season. [17] GAO-05-247R. [18] Non letter-size envelopes refer to envelopes that are either larger or smaller than the standard white business-size envelopes that are used for mailing such items as personal or business mail (e.g., utility bills, tax returns, general correspondences). [19] GAO/AIMD-00-21.3.1. [20] In the LPG, IRS defines large dollar remittances as those with amounts $50,000 or greater. [21] The Recommendation for Juvenile Employment form asks the reference provider to check off whether he or she feels that the juvenile is suitable for a position of trust or to disclaim his/her knowledge of the juvenile. Other data captured includes the name of the reference and information related to the school and current/former employer of the juvenile. [22] GAO/AIMD-00-21.3.1. [23] U.S. Federal Accounting Standards Advisory Board (FASAB), SFFAS No. 6, Accounting for Property, Plant, and Equipment. [24] For our book-to-floor sample, we selected a two-stage cluster sample of P&E items. In the first stage, we selected a sample of 22 buildings in probabilities proportionate to the number of P&E items in each building's inventory records. In the second stage, we randomly selected a sample of 10 assets located at each of the 22 buildings. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: