This is the accessible text file for GAO report number GAO-10-565R entitled 'Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations' which was released on June 29, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-10-565R: United States Government Accountability Office: Washington, DC 20548: June 28, 2010: The Honorable Douglas H. Shulman: Commissioner of Internal Revenue: Subject: Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations: Dear Mr. Shulman: In November 2009, we issued our report on the results of our audit of the financial statements of the Internal Revenue Service (IRS) as of, and for the fiscal years ending, September 30, 2009, and 2008, and on the effectiveness of its internal controls as of September 30, 2009. [Footnote 1] We also reported our conclusions on IRS's compliance with selected provisions of laws and regulations and on whether IRS's financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA). In March 2010, we issued a report on information security issues identified during our fiscal year 2009 audit, along with associated recommendations.[Footnote 2] The purpose of this report is to present internal control and compliance issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending, September 30, 2009, for which we do not already have any recommendations outstanding. Although not all of these issues were discussed in our report on the results of our fiscal year 2009 financial statement audit, they all warrant IRS management's attention. This report provides 41 recommendations to address the internal control and compliance issues we identified. We will issue a separate report on the status of IRS's implementation of the recommendations from our prior IRS financial audits and related financial management reports, as well as this one. We conducted our audit in accordance with U.S. generally accepted government auditing standards. Results in Brief: During our audit of IRS's fiscal year 2009 financial statements, we identified several internal control issues and a compliance issue not addressed by previous recommendations. These issues include the following: * IRS's reported balances for taxes receivable and other unpaid tax assessments were not supported by its core general ledger system for tax-administration-related transactions. We found certain systemic limitations in its Custodial Detailed Data Base (CDDB) and other control weaknesses that resulted in errors in taxpayer accounts that, in turn, prevented IRS from using CDDB as its subsidiary ledger to manage, and routinely and reliably report, its balance of unpaid tax assessments. * IRS did not always credit or accurately credit trust fund recovery penalty payments received from one taxpayer to all related taxpayers as required by the Internal Revenue Manual (IRM), resulting in errors in taxpayer accounts. Although IRS automated this process, about half of the penalty payments processed through its automated system still require some error-prone, manual intervention. These errors occurred because IRS staff did not receive sufficient training when IRS fully implemented the automated system and their supervisors did not have sufficient guidance to review these transactions for accuracy. * IRS's transaction file of "pre-posted" tax revenue, which was supposed to largely reconcile the difference between IRS's aggregate tax revenue receipts recorded in its general ledger and the detailed- level tax revenue receipts recorded in its master file,was not accurate.[Footnote 3] This occurred because of errors in the instructions provided to the programmers for extracting the pre-posted tax revenue transactions and IRS's lack of updated desk procedures for the comparison of its general ledger tax revenue collections to its master files. * IRS did not establish adequate internal controls over its complex process for allocating operation support costs to the programs reported on its statement of net cost. This occurred because IRS's policies and procedures--including the IRM and the cost allocation desk guide--do not require controls such as the segregation of duties for the allocation tasks performed or documentation controls to help reduce the risk of errors and omissions in the spreadsheet used to track the allocation progress and status. * IRS did not always review duplicate refund transcripts, which identify potentially duplicate or erroneous refunds, prior to issuing the refunds as required by the IRM. The service center campuses (SCC) that generate the transcripts are required to transmit the data for special cases, such as bankruptcy cases, to centralized units for review. However, IRS did not have written IRM procedures requiring the centralized units to acknowledge receipt of the transcripts and, thus, to establish accountability for reviewing these cases. Consequently, some cases were lost in transit and were not reviewed. * IRS's SCCs did not acknowledge the quantity of unprocessable items-- e.g., unacceptable forms of payment such as traveler's checks, gold coins, and other items of value--the lockbox banks shipped to them, even in cases where there were discrepancies between the quantity of unprocessable items the lockbox bank recorded on the transmittal form and the quantity that the SCC actually received. * IRS's SCC and field office physical security analysts did not always accurately complete audit management checklists used to assess the physical security and emergency preparedness controls in place at their sites. Although IRS issued the checklists to help identify, prevent, and reduce physical security weaknesses, several of the questions on the checklist were unclear and guidance and training were not provided to help ensure accurate completion of the checklists. In addition, there was no requirement that managers or supervisors review the responses prepared by the physical security analysts. * IRS's taxpayer assistance center group managers did not always accurately assess the status of operational and security controls at their locations. We found that this was caused in part by ambiguities in the assessment questions for which they were required to respond, uncertainty as to the scope and intent of certain questions, a lack of guidance and training for completing the assessments, and a lack of managerial oversight and review of the group managers' assessment responses. * SCC and field office contractors who are provided routine, unescorted, unsupervised physical access to IRS facilities containing taxpayer receipts and information were not required to and did not receive annual security awareness training. * IRS's SCC unit security representatives, who are responsible for maintaining security over one of IRS's key tax processing systems, did not always receive or timely complete required initial and refresher training on carrying out their security responsibilities. IRS policy does not clearly designate one position or office with the oversight and enforcement responsibility; consequently, oversight was not effective in ensuring unit security representatives received or received timely essential security training. * IRS's employees did not always complete annual mandatory briefing requirements in fiscal years 2008 and 2009. IRS relied on each of its business units to establish their own policies to track and monitor employees' compliance with the requirements and to follow up on those that have not yet completed the required briefings. However, IRS did not centrally review each business unit's process for tracking, monitoring, and enforcing compliance or the results to ensure that mandatory briefing requirements were met. * IRS staff did not always confirm or obtain documentation of confirmation with the end user of a purchased product or service that the item was satisfactorily received before entering receipt and acceptance of the good/service into the procurement system. This confirmation is essential because often the end user (i.e., the person requesting the good or service) is at a different geographic location than the staff member responsible for entering receipt and acceptance into the system. However, IRS's policy did not specifically instruct staff who are responsible for entering receipt and acceptance to obtain and retain written documentation from end users confirming that a purchased product or service was received before entering receipt and acceptance. * IRS did not always timely deobligate excess obligated funds after the related goods or services were delivered and the remaining funds for those purchases were no longer needed. Although IRS performs periodic reviews of aging unliquidated obligations to identify potential funds for deobligation, the aging criteria for identifying obligations to review was too narrow, thus limiting the effectiveness of the reviews in ensuring that only valid obligations were reported in IRS's general ledger and its financial statements. * IRS did not always ensure that upward and downward adjustments to prior-year obligation transactions were properly reported for financial statement reporting purposes. To better identify and report only valid upward adjustments and valid downward adjustments of prior- year obligations--which are each reported on separate line items in IRS's financial statements--IRS performs a monthly netting process to offset transactions that are accounting corrections and not true adjustments to obligations. However, IRS did not have an adequate review process to identify erroneously linked transactions in the accounting system that, consequently, were improperly netted. * IRS did not comply with requirements in its annual appropriations act. Although that act required IRS to set aside at least $7.487 billion for tax law enforcement and related support activities, [Footnote 4] IRS fell short by about $74 million. IRS attributed the cause to (1) delays in hiring staff for enforcement activities caused by an almost 6-month delay in the enactment of IRS's fiscal year 2009 appropriations, and (2) increased funding for taxpayer services. Together, these factors resulted in a greater portion of its operations support costs (e.g., costs incurred for rent, telecommunications, agencywide administration, and facilities services) being allocated to its taxpayer services program and less to its enforcement program than what it originally estimated. In addition, IRS had about $71 million in fiscal year 2009 operations support appropriations that were unobligated at fiscal year end. Even if IRS could have allocated all of these unobligated operations support funds to enforcement, this would only have helped to reduce, but not eliminate, the shortfall. These issues increase the risk that IRS may fail to prevent or promptly detect and correct (1) errors in crediting taxpayer trust fund recovery penalty payments; (2) errors that could adversely affect the reliability of its financial statements; (3) duplicate or erroneous refunds; (4) discrepancies in the transport of unprocessable items; (5) security and control deficiencies at its SCCs and field offices; (6) improper disclosure of taxpayer data; (7) premature payments to vendors before confirming goods or services have been received; and (8) excess unused obligations reported on the financial statements. In addition, IRS is at increased risk of not complying with requirements established in its annual appropriations act. We are making 41 recommendations that, if effectively implemented, should address the internal control and compliance issues we identified. These recommendations are intended to bring IRS into conformance with its own policies, the Standards for Internal Control in the Federal Government,[Footnote 5] or both, as well as to help ensure IRS's compliance with its appropriations act requirements. We provided IRS with a draft of this report and obtained its written comments. In its comments, IRS agreed with all but three of our 41 recommendations and described actions it had taken, underway, or planned to take to address the control weaknesses described in this report. IRS did not agree with the three recommendations we made to address our finding that IRS did not comply with the legal requirements in its annual appropriations act. In its comments, IRS stated that it fully funded its tax law enforcement activities and met the intent of the law, and it disputed other facts described in our report's discussion of IRS's compliance with the appropriations act. We do not concur with IRS's views on this matter and, as we discuss in further detail at the end of that report section, we stand by the information we are reporting. At the end of our discussion of each of the issues in this report, we have summarized IRS's related comments and provided our evaluation. We have also reprinted IRS's comments in enclosure II. Scope and Methodology: This report addresses issues we identified during our audit of IRS's fiscal years 2009 and 2008 financial statements. As part of our audit, we tested IRS's internal controls over financial reporting and its compliance with selected provisions of laws and regulations. We designed our audit procedures to test relevant controls, including those for proper authorization, execution, accounting, and reporting of transactions. To assess internal controls related to safeguarding taxpayer receipts and information, we visited three SCCs,[Footnote 6] one consolidated campus,[Footnote 7] four lockbox banks,[Footnote 8] nine taxpayer assistance centers (TAC),[Footnote 9] and eight field office units.[Footnote 10] We conducted our fieldwork and related follow up between January 2009 and May 2010. Further details on our audit scope and methodology are included in enclosure I. Unpaid Tax Assessments: During our audit of IRS's fiscal year 2009 financial statements, we continued to find that IRS's reported balances for taxes receivable and other unpaid assessments were not supported by its core general ledger system for tax-administration-related transactions because IRS lacked a fully functioning subsidiary ledger for unpaid tax assessments that would allow it to produce reliable, useful, and timely information with which to manage and routinely report these balances. Unpaid assessments consist of taxes that IRS has recorded as due to the government from taxpayers for which payment has not yet been received.[Footnote 11] In accordance with federal accounting standards, unpaid assessments are placed in one of the following three categories:[Footnote 12] * taxes receivable, which are amounts due from taxpayers for which IRS can support the existence of a receivable through taxpayer agreement (such as the filing of a tax return) or a court ruling favorable to IRS; * compliance assessments, for which neither the taxpayer nor the court has affirmed that the amounts are owed, such as an assessment resulting from an audit of the taxpayer; and: * write-offs, which are any unpaid assessments for which IRS does not expect further collections due to factors such as the taxpayer's bankruptcy, insolvency, or death. Of these three, only taxes receivable are reported on the principal financial statements, with compliance assessments and write-offs presented as supplemental information to the financial statements. Therefore, it is essential for IRS to be able to accurately and routinely classify its unpaid assessments into these three categories in order to present reliable information in its financial statements and to enable management to make informed business decisions based on this complete and reliable information. As we reported in prior years, IRS's balance for federal taxes receivable,[Footnote 13] which comprised nearly 80 percent of IRS's total assets as reported on its fiscal year 2009 balance sheet, was not produced by its general ledger system for tax administration activities, the Interim Revenue Accounting Control System (IRACS). [Footnote 14] While IRS summarizes the detailed transaction information from its master files on IRACS, neither the master files nor IRACS were designed to classify and report unpaid assessments in accordance with federal accounting standards.[Footnote 15] To compensate for this, IRS for years has had to apply statistical sampling and estimation techniques to data from its master files to estimate the year-end balances of (1) taxes receivable in its financial statements and required supplementary information, and (2) compliance assessments and write-offs in its required supplementary information. To partially address this issue, we previously recommended that as part of IRS's efforts to modernize its systems, it include plans to develop a subsidiary ledger to accurately and promptly identify, classify, track, and report all IRS unpaid assessments by amount and taxpayer. We noted that this subsidiary ledger needed to have the capability to distinguish unpaid assessments by category in order to identify those assessments that represent taxes receivable versus those that represent compliance assessments and write-offs. Recognizing the seriousness of this deficiency, IRS began phasing in the use of the Custodial Detailed Data Base (CDDB) in 2006.[Footnote 16] According to IRS, one key objective of CDDB is to serve as a transaction-level subsidiary ledger for unpaid tax assessments by linking and classifying taxpayer account information from IRS's master files to IRACS, thus providing for transactional traceability.[Footnote 17] In fiscal year 2008, IRS enhanced CDDB to analyze the unpaid assessment balances, including related interest and penalty accruals, from its master files and record the balances to its general ledger by the various financial reporting categories (taxes receivable, compliance assessments, and write-offs) on a weekly basis. These enhancements established CDDB's capability to function as a transaction-level subsidiary ledger for unpaid tax assessments. However, IRS cannot yet use CDDB as its subsidiary ledger for recording transaction-based tax debt information to its general ledger in a manner that ensures reliable internal and external reporting. While CDDB analyzes and classifies master file tax debt information into the various financial reporting categories, the analysis and classification contain material inaccuracies. For example, IRS itself identified errors necessitating almost $8 billion in adjustments to the 2009 fiscal year-end gross taxes receivable balance produced by CDDB. We identified several systemic limitations in the programs used by CDDB that resulted in misclassifying tax debt accounts among the three financial reporting categories. Specifically, we identified instances in which CDDB was unable to correctly classify an account module because IRS had not written sufficient details into the CDDB classification program to allow it to sort through, identify, and analyze all the relevant transaction-level information required for proper classification.[Footnote 18] For example, when IRS records multiple tax assessments on a single account module, CDDB is currently unable to distinguish among and separately classify the various balances. In one instance we identified, a taxpayer filed a tax return but did not pay the entire amount of the tax liability reported on the return, which resulted in the amount owed being classified as a tax receivable.[Footnote 19] IRS later assessed additional taxes against the taxpayer for the same tax period, but the taxpayer did not concur with the additional tax assessment. Because there was no concurrence by the taxpayer or a court ruling in favor of IRS for the additional tax assessment, this assessment should not have been classified as a taxes receivable; it should have been classified as a compliance assessment. However, CDDB classified the entire outstanding balance as taxes receivable because the taxpayer's master file account module contained information that the taxpayer had filed a tax return. In addition to CDDB's systemic limitations, IRS's management and reporting of unpaid tax assessments also continued to be hindered by control weaknesses that resulted in inaccurate tax records. During our fiscal year 2009 audit, we again found errors in taxpayer records resulting from IRS's not recording information accurately and timely. Examples included IRS's failure to record the receipt of a taxpayer's $3 million payment and, as discussed in the next section of this report, IRS's failure to properly record trust fund recovery penalty payments to all related taxpayer accounts.[Footnote 20] Such errors directly affect the accuracy of the tax debt information being classified by CDDB. Additionally, such errors can cause frustration to taxpayers who either have already paid taxes owed or who owe significantly lower amounts. Internal control standards require that transactions and other significant events be promptly recorded and properly classified to maintain their relevance and value to management in controlling operations and making decisions.[Footnote 21] The standards also require that control activities ensure that all transactions are completely and accurately recorded. Transactions and events are to be properly classified in the summary records from which reports and financial statements are prepared. CDDB's systemic limitations and errors in taxpayer accounts resulted in IRS having to make numerous adjustments as part of its compensating manual process for estimating the balance of net taxes receivable and other unpaid tax assessments. On the basis of a statistical projection of these individual adjustments, IRS had to make almost $8 billion in adjustments to the year-end balances of all three categories of unpaid assessments generated by CDDB in order to produce reliable amounts for external reporting on its balance sheet and required supplementary information. IRS is aware of certain systemic limitations with CDDB, and has already initiated research into enhancing the CDDB classification programs to allow it to analyze some of the more complex unpaid assessment accounts in order to more accurately classify them for financial reporting purposes. Until IRS (1) improves the capabilities of CDDB to analyze the more complex unpaid assessments accounts and correctly classify them, and (2) addresses the control weaknesses that result in errors in taxpayer accounts, the unpaid assessment balances produced by CDDB, including taxes receivables, will continue to be materially inaccurate. This prevents IRS from using CDDB as a reliable subsidiary ledger to effectively manage and routinely and reliably report its balance of unpaid tax assessments, and constitutes a material weakness in IRS's management of unpaid assessments. Additionally, IRS must continue using its compensating statistical estimation process to annually estimate the amount of taxes receivable for financial reporting. Since the taxes receivable balance is produced by this process rather than IRS's general ledger, there is no transactional traceability from the amount of taxes receivable reported on IRS's balance sheet, through the general ledger, back to the underlying account records. Recommendations: We recommend that you direct the appropriate IRS officials to do the following: * Review the results of IRS's unpaid assessments compensating statistical estimation process to identify and document instances where systemic limitations in CDDB resulted in misclassifications of account balances which, in turn, resulted in inaccuracies in the amounts of reported unpaid assessments. * Research and implement programming changes to allow CDDB to more accurately classify such accounts among the three categories of unpaid tax assessments. * Research and identify control weaknesses resulting in inaccuracies or errors in taxpayer accounts that affect the financial reporting of unpaid tax assessments. * Once IRS identifies the control weaknesses that result in inaccuracies or errors that affect the financial reporting of unpaid tax assessments, implement control procedures to routinely prevent, or to detect and correct, such errors. IRS Comments and our Evaluation: IRS agreed with our recommendations to enhance controls over the classification and reporting of its unpaid tax assessments. IRS stated that it has (1) identified programming changes to improve the business rules used by CDDB to accurately classify unpaid tax assessments, (2) identified and scheduled programming changes that would allow more accurate classification of the three categories of unpaid tax assessments, (3) identified and corrected misclassifications of account balances during its review of sample cases each year, and (4) reviewed IRM procedures to ensure controls are in place and are followed. IRS also stated that it would continue to identify and validate the completion of corrective actions. We will evaluate the effectiveness of IRS's actions and monitor its efforts during our audit of IRS's fiscal year 2010 financial statements and future audits. Trust Fund Recovery Penalty Payments: During our fiscal year 2009 audit, we found that IRS did not always credit or accurately credit trust fund recovery penalty payments to all related taxpayers. The Internal Revenue Code grants IRS the broad authority to assess penalties against taxpayers for failing to pay taxes owed or otherwise attempting to evade taxes.[Footnote 22] Employers are required to withhold from their employees' salaries amounts for individual federal income taxes and for Federal Insurance Contribution Act (FICA) taxes, which include Social Security and Hospital Insurance taxes. These withheld taxes are also referred to as "trust fund taxes." Employers are also required to match the amounts withheld from an employees' salary for Social Security and Hospital Insurance taxes. Taken together, the amounts withheld from an employee's salary for federal individual income and FICA taxes, along with the employer's matching portion of the FICA taxes, comprise the business's payroll taxes. When a business willfully fails to account for or pay the taxes it is legally required to withhold from its employees' wages, IRS will assess the outstanding payroll tax and underpayment penalties against the business. To provide the IRS a secondary source of collection for withheld taxes not paid by a business, IRS may impose a trust fund recovery penalty (TFRP) against the responsible officers of the business specifically for the employee- withholding component of the payroll tax liability.[Footnote 23] Although IRS has the authority to assess the TFRP individually against all responsible officers, the full amount of the TFRP assessment need only be paid once. Thus, IRS may record tax assessments against each of several individuals for the employee-withholding component of the payroll tax liability of a given business. When any one of those individuals or the business makes a payment towards this liability, IRS policies require that the payment be properly credited (i.e., the liability reduced) on all related taxpayer accounts associated with the TFRP within 45 days of the payment posting to the payer's tax account.[Footnote 24] During our fiscal year 2009 financial audit, we tested a statistical sample of 92 TFRP payments received by IRS during the first quarter of fiscal year 2009. We found eight instances in which IRS either did not record a reduction to the outstanding payroll tax liability on related taxpayer accounts or did not record the correct amount. For example, in one case, the officer of the business paid over $6,000 related to an outstanding TFRP assessment. However, IRS had not credited the business's payroll tax liability for the amount of the officer's payment when we reviewed the business account 12 weeks after IRS posted the payment to the officer's account. In another case, the officer of a business paid over $95,000 related to an outstanding TFRP assessment. IRS recorded a credit of about $70,000 towards the remaining TFRP balance on his account, and a credit of about $25,000 towards interest accrued on the account. Although IRS should have credited the business's account for the same amounts, it correctly recorded about a $70,000 credit to the business's unpaid payroll tax liability but failed to credit the business for about $25,000 to reduce interest accrued. Based on our testing, we estimate that about 8.7 percent of TFRP payment transactions in the first 3 months of fiscal year 2009 were not credited or accurately recorded on related taxpayer accounts.[Footnote 25] Since the detailed information from the taxpayer account records serves as the underlying basis for IRS's financial statements, erroneous tax records could lead IRS to misstate its unpaid assessments balances. Additionally, inaccurate tax records could cause unnecessary burden to taxpayers. Internal control standards require that transactions be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. Furthermore, internal controls should help ensure that all transactions are completely and accurately recorded.[Footnote 26] However, the failure to completely and accurately reflect TFRP payments on the accounts of all related taxpayers has been a long-standing internal control weakness at IRS that we reported on following our fiscal year 1997 financial audit. [Footnote 27] The control weakness in the TFRP process was due largely to shortcomings with certain IRS computer systems, specifically its master files. IRS records payroll tax assessments against businesses in its business master file, and records TFRP assessments made against responsible officers in its individual master file. However, IRS's systems were unable to automatically link the account information between the business and the responsible officers, as well as account information between related officers assessed a TFRP for the same business. Consequently, transactions recorded in one account that should have been reflected in other related accounts were not automatically recorded. If the business or one of its officers paid some or all of the outstanding payroll tax or related TFRP, IRS's systems were unable to automatically reflect the payment as a reduction to the outstanding liability in the related accounts. Following our fiscal year 1997 financial audit, we recommended that IRS develop a subsidiary ledger for unpaid assessments that had the capability to, among other things, ensure that all payments made were properly credited to accounts of all individuals assessed for the liability. We also recommended that IRS manually review and eliminate duplicate or other assessments that had already been paid off to ensure that all accounts related to a single assessment were appropriately credited for payments received. Since then, IRS has taken a number of corrective actions in response to our recommendations. For example, IRS phased in the implementation of the Automated Trust Fund Recovery (ATFR) system, which interfaces with the business and individual master files to facilitate the linking of payment information to related parties. One of the key objectives of ATFR is to automatically record a reduction to the outstanding liability of related taxpayer accounts when either the business or any one of the responsible officers makes a payment. IRS officials informed us that while IRS had implemented all phases of ATFR, it can only automatically credit the outstanding liability of related taxpayer accounts for about 54 percent of TFRP payments it processes as of March 2010.[Footnote 28] The remaining 46 percent of TFRP payments processed through ATFR require some form of manual intervention in order to credit the outstanding liability on related taxpayer accounts. Additionally, in 2008 IRS completed special reviews of taxpayer accounts with outstanding TFRP liabilities to identify and correct any previously recorded TFRP payments that had not been accurately credited to all related accounts. The primary focus of these reviews was to correct existing errors in taxpayer accounts but, as shown by our recent testing results, they did not significantly improve controls that would prevent and detect errors as they occurred. The errors we identified in 2009 were primarily caused by a lack of sufficient training and guidance to employees when IRS fully implemented the ATFR system. According to IRS officials, during ATFR's development stage, only a small group of SCC employees were involved with processing TFRP credits to related parties using the ATFR system. When IRS fully implemented ATFR in March 2008, it significantly expanded the number of ATFR users. However, IRS did not issue its ATFR training manual to all affected employees until November 2008, and did not provide formal training until after it had issued the training manual. During the intervening period, IRS provided new users and their immediate supervisors with on-the-job training. As a result of our audit findings, IRS determined that its employees did not fully understand how to properly use the ATFR system and interpret its reports. For example, with more complex TFRP payment transactions, the system will calculate how the payment might be applied to reduce the liability of related taxpayer accounts and issue a transcript reporting the proposed transaction for IRS employees to review. IRS employees are required to research the related parties' accounts to determine the accuracy of the proposed transaction. If their research indicates that the proposed transaction is correct, they can electronically submit the proposed transaction for further processing and updating of taxpayer accounts. If their research indicates that the proposed transaction is not correct, they can delete the proposed transaction and enter a transaction to correctly apply the payment credits to the related parties. However, IRS found that some employees over-relied on the ATFR system's proposals. Specifically, when these employees received the ATFR system reports, they accepted the proposed transaction without verifying its accuracy. In other cases, IRS found that employees deleted the proposed transaction and closed the case without taking any action to reduce the liabilities of the related party accounts. Such examples directly resulted in the inaccurate recording or omission of payment transactions on related taxpayer accounts. Additionally, IRS did not detect these processing errors promptly because supervisors did not have adequate guidance for reviewing TFRP payment transactions processed through the new ATFR system. The current IRM section covering TFRP payment processing under the new ATFR system does not contain specific guidance on supervisory responsibilities for reviewing credit transactions, such as determining whether there should be associated credits resulting from a payment transaction, whether the credits applied to related parties were accurate, and which ATFR system reports would best facilitate supervisory reviews.[Footnote 29] According to IRS officials, supervisors have always performed reviews of TFRP payment processing. However, the reviews were focused more on ensuring the timeliness of processing the payments rather than the accuracy of the credit transactions applied to all related parties. In its attempt to address control weaknesses related to TFRP payment processing, IRS recently implemented and is continuing to implement additional corrective actions. Specifically, IRS officials stated that they provided additional training to IRS staff with emphasis on how to use and interpret ATFR reports and that new users receive more supervision and one-on-one training by more experienced staff. IRS officials also stated that in June 2009 the agency held a summit with key IRS management and first-line employees where these officials emphasized the importance of managerial reviews for accuracy as well as timeliness when reviewing TFRP transactions processed by their staff. Finally, IRS is currently in the process of implementing quarterly reviews led by its Small Business/Self-Employed Division. These quarterly reviews will statistically sample recent TFRP payment transactions to determine the employees' compliance with TFRP processing guidance. However, until it successfully implements effective controls over TFRP payment processing, IRS will continue to experience inaccuracies in the recording of credit information on related taxpayer accounts or failures in crediting the related parties altogether. This contributes to errors in taxpayer accounts, which is a major component of the material weakness in IRS's management of its unpaid assessments.[Footnote 30] Recommendations: To ensure that TFRP payments are always and accurately credited to all related parties when received, we recommend that you direct the appropriate IRS officials to do the following: * Revise the IRM to provide specific requirements for supervisors to review the accuracy of credit transactions related to TFRP payments processed through the ATFR system. This guidance should provide specific areas to review and list the ATFR system reports that can facilitate supervisory reviews. * Formalize and implement the quarterly reviews of TFRP payment transactions to monitor compliance with IRM requirements. * Develop procedures to analyze the results of the quarterly reviews so that specific factors causing the errors are identified. * Develop procedures to address the factors causing errors in the processing of TFRP payment transactions identified through the analyses of the quarterly review results. IRS Comments and our Evaluation: IRS agreed with our recommendations and stated that it updated the IRM in May 2010 to include supervisory reviews of the accuracy and timeliness of credit transactions related to TFRP payments processed through ATFR and identified areas and system reports for review. IRS also stated that it commenced quarterly quality reviews in April 2010 that included analysis of findings and implementation of corrective actions to address identified deficiencies. We will verify the changes to the IRM and evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2010 financial statements. Tax Revenue Comparisons and Reconciliations: During our fiscal year 2009 financial audit, we found that a component of IRS's comparison of its general ledger tax revenue receipts to detailed transaction support in its master files was not accurate. IRS records and summarizes tax revenue transactions in two distinct paths. The general ledger is used to record and summarize tax revenue receipts by tax class and tax year, and is updated daily based on deposit activity; in contrast, the master files are used to record detailed transaction activity in each taxpayer's account, and are generally updated weekly. IRS performs a comparison between its general ledger and the master files to (1) help compensate for its lack of a subsidiary ledger which would normally contain the underlying detailed records that support the general ledger, (2) ensure that the two independent systems are materially reliable for both internal and external reporting purposes, and (3) account for expected timing differences between the general ledger postings and the master files. However, we found that the pre-posted revenue component of the comparison, which is a reconciling item intended to represent tax revenue transactions that have been recorded in the general ledger but not yet posted to a taxpayer's account on the master files, improperly included (1) exchange non-tax revenue such as reimbursements and user fees, which are accounted for separately from tax revenues, (2) tax revenue collected by IRS that had already been posted to the master files, and (3) misdirected receipts that were sent electronically to IRS, but were not tax revenue collections. IRS's fiscal year 2009 comparison of its general ledger revenue receipts to its master files identified that it recorded $6.2 billion more in receipts in the general ledger than the master files. IRS asserted that approximately $5.1 billion of the $6.2 billion variance consisted of pre-posted tax revenue. However, during our testing of a statistical sample of 59 transactions from the pre-posted revenue file, we found that 20 transactions were (1) non-tax revenue transactions, or (2) tax revenue transactions that had already been posted to the master files. Based on our testing, we estimate that 33.9 percent of the transactions in the pre-posted revenue file IRS provided were not in fact pre-posted revenue.[Footnote 31] Accordingly, we identified the $5.1 billion as an unexplained variance and were unable to rely on IRS's assertion that the transactions in the pre-posted file represented pre-posted tax revenue. Based on the materiality threshold established for the audit, the variance was not considered material to IRS's statement of custodial activity, but it nonetheless pointed to a breakdown in controls. In following up on these exceptions, we found that IRS officials responsible for the comparison did not establish the appropriate controls to ensure that the pre-posted transactions consisted of only tax revenue transactions that were posted in the general ledger but not yet posted in the master files. Specifically, the methodology these officials provided to IRS's computer programmers to create the pre-posted file did not appropriately include provisions for (1) eliminating both exchange non-tax revenue and tax revenue that had already been posted to the master files, and (2) verifying that those transactions were properly eliminated. Also, we found that the desk procedures used to outline the controls in IRS's comparison of its general ledger revenue receipts to its master files had not been updated since November 2001. As a result, these procedures did not document the controls or include detailed instructions addressing the most recent additions to the comparison process, such as the use of CDDB. For example, fiscal year 2009 marked the first year that IRS used CDDB to support the variance analysis of its comparison of general ledger tax revenue receipts to its master files, yet the desk procedures used to perform the comparison did not document the methodology for or mention the use of CDDB as part of the variance analysis. Internal control standards state that control activities, including comparisons and reconciliations, must be clearly documented, periodically updated, and readily available for examination.[Footnote 32] Control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. However, to be effective, the information upon which comparisons are based must be reliable. Since the pre-posted file is a key reconciling component of the comparison, the data it contains must be sufficiently reliable in order to ensure that the general ledger tax revenue receipts and the tax receipt information in the master files materially reconcile. IRS's inability to rely on the pre-posted file as a proper reconciling component of the comparison and the lack of updated documented procedures over the comparison process increase the risk that errors in the general ledger, the master files, or both, may not be identified and appropriately resolved. Recommendations: We recommend that you direct the appropriate IRS officials to do the following: * Revise the existing methodology for extracting the pre-posted revenue component of the comparison to ensure that non-tax revenues and tax revenue transactions already posted to the master files are properly excluded. * Update the desk procedures governing the comparison of general ledger tax revenue receipts to the master files to ensure that the procedures reflect the current process and controls. IRS Comments and our Evaluation: IRS agreed with our recommendations and stated that it (1) revised the pre-posted extraction methodology in May 2010 to ensure the proper exclusion of transactions such as non-tax revenue and (2) would update the desk procedures for the general ledger to master file comparison by December 31, 2010. We will review IRS's methodology and evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2010 financial statements and future audits. Cost Allocation Processing: During our fiscal year 2009 financial audit, we found that IRS did not establish adequate internal controls over its process used to allocate operation support costs to programs reported on its statement of net cost. The statement of net cost, one of the basic federal financial statements, is designed to show the net cost of operations for the reporting entity as a whole, by major program.[Footnote 33] While some costs--such as the salaries of staff that work directly for those programs--are easily identified by program, many operation support costs--such as rent and facilities costs, technology support, and payroll operation costs--support multiple programs. Consequently, IRS must properly allocate these costs among its programs in order to report them on its statement of net cost. IRS uses a combination of automated and manual processes monthly to collect and prepare cost information, which is then allocated across IRS's cost centers through the execution of over 600 manually initiated computerized commands, or run cycles.[Footnote 34] The accurate allocation of costs is dependent, in part, on the execution of each cycle in the correct order, with the execution of each cycle reliant on the proper execution of the previous cycle in order to yield the intended results. Because of the complexity of the processes involved and the high degree of manual intervention required, proper controls are necessary to help ensure the reliability of the process and thus, the reliability of the results reported in the financial statements. However, in our review of IRS's controls over the allocation process, we found the following. * Inadequate documentation of controls. Internal control standards state that internal control and all transactions and other significant events need to be clearly documented and the documentation readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals. [Footnote 35] However, IRS's cost allocation desk guide, which is used by IRS's cost accountants to guide them through the allocation process, did not list or describe all the steps required to perform the allocations; did not identify files used, opened, or saved at each step; did not consistently identify the source of input data; and did not specify points in the process where reviews or accuracy verifications by others were required. * Lack of segregation of duties. Internal control standards state that key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error.[Footnote 36] However, the three IRS cost accountants, who are responsible for performing the monthly cycle runs that allocate the costs, performed all of their assigned processing steps--from validating cost allocation input data to running assigned allocation cycles to evaluating the results of the allocation cycle and documenting their activity--without the participation or intervention of another accountant or a supervisor. Consequently, there is an increased risk that an error made in one allocation cycle--which could affect many subsequent cycles and yield incorrect allocations--may not be detected. * Inadequate documentation on the status of processing steps. Internal control standards state that internal control activities should help ensure that management's directives are carried out and are effective and efficient in accomplishing the agency's controls objectives. These include controls over information processing, such as accounting for transactions in numerical sequence, and controls over the complete, accurate, and prompt recording of all transactions and events. Overall, control activities should help ensure that actions are taken to address risks.[Footnote 37] The cycle run spreadsheet, a key document used by the cost accountants to track the status of over 600 cycle runs as well as the performance of their over 100 manual processing steps and the results, did not contain a field to uniquely identify each row or provide a sort-order to help ensure steps were maintained in sequential order, and was not consistently updated to document the completion and results of the manual steps performed. In addition, the accountants did not maintain one master version of the spreadsheet, but rather duplicated it with each one updating their own copy, then later transferring their updates to the master version. This increases the risk of error or omission. In addition, each month's cycle run spreadsheet was generated by taking the prior month's spreadsheet and manually updating each of over 600 cells one cell at a time to reflect the current month's data. This approach greatly increases the risk of error should one or a few cells be missed. These control weaknesses occurred because IRS's policies--including the IRM and the cost allocation desk guide--did not require controls such as the segregation of duties for the tasks described above or controls to help reduce the risk of errors and omissions in the cycle run spreadsheet. By not requiring the proper documentation and implementation of appropriate controls over the processing of cost allocations, IRS is at increased risk of not detecting erroneous or incomplete cost allocations. Consequently, we could not rely on IRS's controls over its allocation process to ensure program costs were reliably reported in its financial statements. Instead, IRS had to perform a separate, labor-intensive manual allocation process to provide support for the cost allocations that were ultimately reflected on the statement of net cost. Although IRS was able to satisfy us in the end that the amounts reported were reliable, it took a significant investment of time and effort for IRS to perform this ad hoc process and for us to review it. This may not have been necessary had adequate controls been in place. Recommendations: We recommend that you direct the appropriate IRS officials to do the following: * Revise the cost allocation desk guide to better document the cost allocation process. This should include ensuring that all key processing steps are included and identifying the key sources of input data and the controls necessary to help ensure their reliability. * Revise the IRM and cost allocation desk guide to require appropriate segregation of duties within the cost allocation process. * Revise the IRM and cost allocation desk guide to require timely, documented supervisory reviews at key process points to help prevent and detect cost allocation processing errors. Establish controls over the cycle run spreadsheet to help minimize the risk of error or omission. At a minimum, this should include assigning a unique, sortable identifier to each row in the spreadsheet and implementing controls to promptly and accurately record the status of processing steps in a manner that ensures each cycle run is performed and is performed in the proper sequence. IRS Comments and our Evaluation: IRS agreed with our recommendations and has revised the cost allocation desk guide to include key processing steps, key sources of input data, and controls to ensure reliability, and established procedures and controls over the cycle-run spreadsheet to minimize the risk of error or omission. In addition, IRS stated that it will update its IRM and cost allocation desk guide to require appropriate segregation of duties and supervisory reviews by June 30, 2010. We will verify the changes to the cost allocation desk guide and IRM and evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2010 financial statements. Duplicate/Erroneous Refunds Related to Bankruptcy Cases: During our fiscal year 2009 financial statement audit, we found that IRS did not always review duplicate refund (DUPREF) transcripts, which identify potentially duplicate refunds, prior to issuing the refunds as required by the IRM. This occurred because IRS did not have a process in place to verify the receipt of pertinent taxpayer information from the DUPREF transcripts that had been communicated to the staff responsible for performing the required review. As a result, the DUPREF transcripts were not all reviewed, thus increasing the risk that actual duplicate or erroneous refunds may go undetected and be inappropriately paid to taxpayers. One of the primary tools used by IRS to identify potential duplicate or erroneous refunds is the DUPREF transcript. The DUPREF transcript is a report generated by a computer program that identifies instances in which two or more refunds in amounts within $100 of each other are scheduled to be disbursed and are posted to a taxpayer's account in IRS's master files. The DUPREF transcript is generated 1 week before the related refunds are scheduled to be disbursed. IRS requires its staff to review 100 percent of the DUPREF transcripts to assess the validity of the refunds listed. In most cases, the review is performed by the SCC's Manual Refund Unit. However, in cases related to taxpayers with a particular legal status, such as bankruptcy, special handling is required. If a DUPREF transcript is related to a taxpayer who has filed for bankruptcy, the Manual Refund Unit's standard practice is to fax the pertinent taxpayer information from the DUPREF transcripts on a 3210 transmittal form to IRS's Central Insolvency Operation (CIO) so that CIO can perform the review. CIO then determines if the refund is valid and if not, what steps should be taken to prevent disbursement. During our audit, we found that CIO did not always receive the information for the DUPREF transcripts related to bankruptcy cases that had been provided by the SCC. At one SCC we visited, IRS officials informed us that they had faxed to CIO information related to 33 DUPREF transcripts involving taxpayers in bankruptcy status. However, during our subsequent visit to CIO, we found that either through omission or misplacement of the transmittals, CIO only received information for 26 of the 33 DUPREF cases sent to it by the SCC. Until we brought this matter to their attention, neither CIO nor the originating SCC was aware of the discrepancy. As a result, the 7 DUPREF transcripts that were not received by CIO had not been investigated to determine whether they were valid refund transactions. The IRM requires the review of DUPREF transcripts to minimize the risk of disbursing potentially duplicate or erroneous refunds.[Footnote 38] Although officials at the SCC we visited informed us there is a standard practice followed by the Manual Refund Unit to communicate and confirm to CIO the pertinent taxpayer information taken from the DUPREF transcripts, we found that the practice was not consistently followed. Additionally, there is no specific IRM requirement that CIO acknowledge receipt of the Form 3210 transmittal received from the SCCs or for the SCCs to verify that all of the transmittals they sent were received by CIO. Not reviewing the DUPREF transcripts increases the risk that duplicate or erroneous refunds will not be detected in time to prevent them from being issued or to permit pursuit of effective corrective action, as appropriate. Recommendations: We recommend that you direct the appropriate IRS officials to revise the IRM to require: * CIO to promptly provide service center campuses an acknowledgment of receipt for each Form 3210 transmittal related to a duplicate refund transcript sent to them by a service center campus for review, * service center campuses to verify that an acknowledgment of receipt has been received from CIO for 100 percent of the Form 3210 transmittals related to duplicate refund transcripts they have forwarded to CIO for review, and: * service center campuses to resolve any instances in which an acknowledgment of receipt for a Form 3210 transmittal related to duplicate refund transcripts is not received. IRS Comments and our Evaluation: IRS agreed with our recommendations and stated that it would update the IRM (1) by December 31, 2010, to require acknowledgment of duplicate refund transcripts to the issuer, (2) by January 31, 2011, to require service center verification of duplicate refund transcript acknowledgments received from CIO, and (3) by January 31, 2011, to include procedures for follow-up and resolution of non-receipt of acknowledgment of duplicate refund transcripts from CIO. We will verify the changes to the IRM and evaluate the effectiveness of IRS's efforts during future audits. Lockbox Bank Transmittals: During our fiscal year 2009 financial audit, we found that the quantity of the unprocessable items with receipts shipped from lockbox banks differed from what the SCCs actually received. IRS defines unprocessable items as any document, correspondence, or item that cannot be processed by the lockbox bank. For example, unprocessable items with receipts can include any tax return or document with unacceptable forms of payment such as traveler's checks, gold coins, and other items of value that are easily negotiable. Lockbox banks complete a transmittal form for the daily shipment of unprocessable items with receipts sent to SCCs for further processing. This form provides an inventory of the items and quantities in the shipment. However, we observed the shipping and receiving of these packages and noted that two SCCs we visited were not sending acknowledgment of the items received to the lockbox banks, including instances when there were discrepancies between the quantity of unprocessable items the lockbox bank recorded on the transmittal form and the quantity of unprocessable items the SCC actually received. Because these may contain valuable items or sensitive information, it is important that they be carefully tracked to ensure that all of the items shipped were actually received by the recipient. Internal control standards require that agencies establish physical controls to secure and safeguard vulnerable assets, ensure that ongoing monitoring occurs in the course of normal operations, and communicate deficiencies found during monitoring to appropriate levels of management.[Footnote 39] Additionally, the IRM requires IRS to establish a system to track and monitor all shipments of taxpayer receipts and information, which includes unprocessable items with receipts, to ensure accountability for and receipt of each shipment. However, we found that IRS has not established specific requirements for (1) acknowledging unprocessable items with receipts received from lockbox banks, (2) tracking SCC acknowledgments, and (3) monitoring the process used to track and acknowledge transmittals of unprocessable items with receipts, including the timely detection and communication of discrepancies. This increases the risk of error and fraud and, therefore, the potential for loss, theft, and misuse of taxpayer receipts and information. Recommendations: We recommend that you direct the appropriate IRS officials to do the following: * Require service center campuses to acknowledge unprocessable items with receipts received from lockbox banks. * Establish procedures to track service center campus acknowledgments of unprocessable items with receipts. * Establish procedures to monitor the process used by service center campuses and lockbox banks to acknowledge and track transmittals of unprocessable items with receipts. These procedures should include monitoring discrepancies and instituting appropriate corrective actions as needed. IRS Comments and our Evaluation: IRS agreed with our recommendations and stated that it would implement procedures by December 31, 2010, to (1) revise the lockbox document transmittal form and draft instructions to include acknowledgment from the service center campus, (2) conduct training and instructions on this process, and (3) update the lockbox data collection instrument to include tracking and monitoring adherence to, and implementation of, corrective actions. We will review IRS's implementation of its new procedures and monitor their effectiveness during future audits. Security Reviews at Service Center Campuses and Field Offices: During our fiscal year 2009 financial audit, we found that physical security analysts at the SCC and field office locations we visited did not always accurately assess the physical security and emergency preparedness controls in place. We previously recommended that IRS improve its internal controls related to physical security at its processing facilities and field offices to include (1) performing and documenting the testing of its alarms, (2) maintaining documentation on contractor background investigations to ensure that background investigations are completed, (3) improving surveillance camera coverage of the perimeter and fence line at SCCs, and (4) conducting periodic reviews of the Emergency Signal History Reports and emergency contact lists to ensure that appropriate individuals are contacted during emergencies.[Footnote 40] One of the tools that IRS developed to address our recommendations was the Physical Security and Emergency Preparedness audit management checklist. IRS physical security analysts at SCCs and field offices are responsible for completing the checklist, which includes steps to test controls for limiting and controlling building access, review security guards' training records and performance requirements, and validate that surveillance cameras and other related equipment are properly operating. During our audit, we reviewed completed checklists for two SCCs and nine field offices we visited and found that the information on five of the completed checklists did not correspond to our own observations and test results. For example, at three field offices, the completed checklists indicated that surveillance cameras were not used or applicable for those locations. However, based upon our physical observations and inquiries we found that surveillance cameras were used at all three of these locations. Also, at one SCC and two field offices we visited, the physical security analysts asserted on the checklists that they had performed the required quarterly (1) reviews of the duress alarm emergency contact list provided to the central monitoring station and (2) tests of alarms at the SCC. However, after further discussion and review of documentation provided by the physical security analysts, we found that these reviews had not been performed. In one instance, the alarms had not been tested in nearly a year. Internal control standards require physical controls to limit access to vulnerable assets and require that access to resources and records, such as IRS receipts and taxpayer information, be limited to authorized individuals to reduce the risk of unauthorized use or loss to the government.[Footnote 41] The standards further state that control evaluations, such as reviews of control design and tests of internal control, are useful because they focus directly on the controls' effectiveness at a specific time. These evaluations should be accurately and promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. Deficiencies found during such evaluations should be communicated to individuals at least one level of management above the individual performing the evaluation. However, by entering inaccurate information on the checklists regarding the status of controls, physical security analysts failed to provide management with reliable information needed to assess the effectiveness of physical security controls at these locations. In particular, misrepresenting or overstating the adequacy of physical security controls increases the risk that IRS management will not timely detect control deficiencies and thus may fail to adequately restrict access to taxpayer receipts and information. Although IRS issued the checklist to assist with the identification, prevention, and reduction of physical security weaknesses, we found, based on discussions with physical security analysts and our own observations, that several questions in the checklist were unclear and that no detailed guidance or training was provided to assist in completing the checklist questions. For example, the checklist is used to assess physical security controls at all IRS facilities, including SCCs, computing processing centers, and field offices, and certain questions on the checklist are specific to a particular type of facility. However, during the discussions with the physical security analysts, we found that they were unable to clearly discern which questions were relevant to a specific facility. We also found that several physical security analysts were unsure how to adequately assess or perform certain security reviews on the checklist, such as verifying that all duress alarms are functioning properly. These analysts were unsure because they were not trained on the various components and structure of the security system. As a result of these issues, the analysts were unsure how to properly assess the respective physical security controls. In addition, there were no instructions (1) informing the physical security analysts how often the checklists should be completed at each IRS facility and (2) requiring supervisors or managers to perform and document reviews of the checklist to validate the physical security analysts' responses. By not providing sufficient guidance and training for completing the checklists, IRS cannot be assured that the checklists will assist in accurately assessing the security posture of SCC and field office locations, and identifying actual or potential physical security issues so that corrective actions can be taken. This, in turn, increases the risk that weaknesses in controls designed to secure and safeguard vulnerable assets will go unnoticed, and IRS will not promptly detect or prevent the theft or loss of, or unauthorized access to, taxpayer receipts and information. Recommendations: We recommend that you direct the appropriate IRS officials to do the following: * Review the audit management checklist for clarity and revise the assessment questions as appropriate. * Issue written guidance to accompany the audit management checklist that explains the relevance of the questions and the methods that should be used to assess and test the related controls. * Provide training to physical security analysts responsible for completing the audit management checklist to help ensure that checklist questions are answered appropriately and accurately. * Establish and document the minimum frequency for how often the audit management checklist should be completed at each service center campus and field office. * Establish policies requiring documented managerial reviews of completed audit management checklists. These reviews should document (1) the time and date of the review, (2) the name of the manager performing the review, (3) the supporting documentation reviewed, (4) any problems identified with the responses on the checklists, and (5) corrective actions to be taken. IRS Comments and our Evaluation: IRS agreed with our recommendations and stated that it has incorporated instructions for completing the audit management checklist in its December 18, 2009 revision of the checklist and documented the frequency for completing the checklist. In addition, IRS stated that by July 30, 2010, it would modify its procedures for documenting management review of the audit checklists to include the time and date of the review, the name of the manager performing the review, the supporting documentation reviewed, and any problems identified. IRS stated it would also review the audit management checklist questions for clarity by December 30, 2010, and provide training on completing the checklist by December 31, 2010. We will review IRS's changes and evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2010 financial statements and future audits. Oversight Controls at Taxpayer Assistance Centers: During our fiscal year 2009 financial audit, we found that TAC group managers did not always accurately assess the status of operational and security controls at IRS's TACs. IRS's Field Assistance Office, which oversees the TAC program, implemented the TAC Security and Remittance Review Database (TSRRD) to monitor each TAC's adherence to specific operational and security controls designed to collect, process, and safeguard taxpayer receipts and information. TAC group managers, who are responsible for managing the day-to-day operations at these TACs, conduct quarterly reviews to assess the effectiveness of these procedures and controls and enter the results of their reviews into the TSRRD. Field Assistance headquarters management uses the TSRRD to track the progress of corrective actions addressing weaknesses identified during operational reviews and to monitor prior audit findings. During our fiscal year 2009 audit, we visited nine TACs and identified several instances where responses entered by TAC group managers into the TSRRD were inaccurate and, as a result, did not meet Field Assistance's oversight objectives of monitoring operational and security controls at these locations. Specifically, we found the following. * At two TACs we visited, the group managers' assessments of controls over the transmission of taxpayer receipts and information to the SCC were not always accurate. For example, at these TACs, the respective group manager indicated in the TSRRD that TAC staff reconciled payments to the document transmittal forms prior to mailing them to the SCC.[Footnote 42] However, after further discussions and review of the documentation provided by the group managers, we determined that this was not being performed at these TAC locations. * At two other TACs we visited, the group managers incorrectly assessed controls for receiving and recording cash payments. These locations were exempt from receiving cash payments; however, the TSRRD indicated that appropriate controls were in place for receiving cash payments and operating as designed. * At one of the TACs we visited, the group manager indicated that duress alarms at the location were routinely tested. However, after we reviewed the alarm history report from the monitoring company, we determined that this was not the case. * At another TAC we visited, the group manager indicated that cleaning contractors were only allowed access to the IRS space during operating hours while other IRS employees were present. However, in conducting our own observations, we found that these contractors were allowed access during nonoperating hours. In attempting to reconcile the differences between our own observations and test procedures and the results of the group managers' quarterly reviews as indicated in the TSRRD, we found that several questions in the TSRRD were unclear and as a result, group managers were unsure how to properly assess the related controls. We asked several group managers to explain their interpretation of a few questions included in the database and we received varying responses. We also found that there was no policy in place requiring that responses entered by the group managers be reviewed and validated by territory managers or area directors before being forwarded to Field Assistance office headquarters management.[Footnote 43] Because several assessment questions in the TSRRD were unclear and IRS did not provide sufficient guidance or training for completing the TSRRD or require a supervisory review or validation of the information entered into it, the information used by headquarters management to make decisions and evaluate TAC adherence to control safeguards was not accurate, and therefore, not effective for decision making. Internal control standards require physical controls to limit access to vulnerable assets and require that access to resources and records, such as IRS receipts and taxpayer information, be limited to authorized individuals to reduce the risk of unauthorized use or loss to the government.[Footnote 44] The standards further state that control evaluations, such as reviews of control design and tests of internal control, are useful because they focus directly on the controls' effectiveness at a specific time. These evaluations should be accurate and promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. Deficiencies found during such evaluations should be communicated to individuals at least one level of management above the individual performing the evaluation. Inaccurate information on the status of controls entered by TAC group managers into the TSRRD, combined with the lack of a review and validation of this information, impaired IRS management's ability to have reliable information concerning the status of certain controls at these TAC locations. In particular, overstating the adequacy of internal controls increases the risk that IRS management will not promptly detect operational or control deficiencies and thus may fail to implement adequate controls to reduce the risk of theft or loss of, or unauthorized access to, taxpayer receipts and information. Recommendations: We recommend that you direct the appropriate IRS officials to do the following: * Review the TSRRD for clarity and revise review questions as appropriate. * Provide training to TAC group managers to assist with their understanding of the TSRRD review questions and related objectives. This training should be provided on an ongoing basis to account for changes in TSRRD questions and for newly hired or appointed TAC group managers. * Establish policies that require territory managers or a manager at least one level above the group manager to periodically review the information entered into the TSRRD for accuracy and completeness prior to the results being forwarded to Field Assistance Office headquarters management. This review should be signed and documented, and include (1) the time and date of the review, (2) the name of the manager performing the review, (3) the task performed during the review, (4) any problems or questions identified, and (5) planned corrective actions. IRS Comments and our Evaluation: IRS agreed with our recommendations and stated that it would, by January 31, 2011, clarify and revise the TSRRD review questions and add instructions to the IRM. In addition, IRS stated that by March 31, 2011, it would (1) conduct training and include TSRRD training in its Filing Season Readiness Workshop DVD delivered to all group managers annually and (2) update its policy to include instructions for the Field Assistance territory manager, or a manager one level above, to review the frontline manager's completed TSRRD responses and planned corrective actions. We will evaluate the effectiveness of IRS's efforts during future audits. Security Awareness Training: During our fiscal year 2009 financial audit, we found that IRS did not require that all SCC and field office contractors who are provided routine, unescorted, unsupervised physical access to IRS facilities containing taxpayer receipts and information undergo annual security awareness training. According to IRS, security awareness training is an essential management tool used to educate its employees on (1) authorized and unauthorized disclosures of taxpayer information, (2) basic protection policies concerning taxpayer receipts and information, and (3) federal penalties for not protecting this information. However, we found that janitors and security guards were all granted access to these facilities but were either not required to meet or were exempt from annual security awareness training requirements. During our discussions with IRS officials, we were informed that only contractors involved in the development, operation, or support of IRS's information systems are covered under the security awareness training requirement. However, other contractors, such as janitors and security guards, are allowed to freely enter areas throughout the SCC, where taxpayer receipts and sensitive information are processed and stored, to perform their contractual duties. Such unfettered access without corresponding training on the responsibilities associated with such access increases the risk of unauthorized disclosures of taxpayer information and loss or theft of taxpayer receipts. Internal control standards require that agencies establish controls to safeguard vulnerable assets and implement access restrictions to and accountability for resources and records, including taxpayer receipts and information.[Footnote 45] The IRM establishes requirements for managers and employees to complete security awareness training in order to ensure that employees are aware of proper safeguarding controls over taxpayer receipts and information. However, the IRM does not require that all contractors with physical access to IRS facilities receive security awareness training, thus increasing the vulnerability of taxpayer receipts and data to improper disclosure or loss. The effectiveness of IRS's security awareness training program, which is intended to help protect taxpayer information, is impaired if contractors with physical access to taxpayer receipts and information are not educated and briefed on these principles. Recommendation: We recommend that you direct the appropriate IRS officials to analyze the various contractor access arrangements and establish a policy that requires security awareness training for all IRS contractors who are provided unescorted physical access to its facilities or taxpayer receipts and information. IRS Comments and our Evaluation: IRS agreed with our recommendation and stated that it would develop a policy requiring security awareness training for all IRS contractors who are provided unescorted physical access to its facilities or taxpayer receipts and information by June 30, 2011. We will verify IRS's development and implementation of the new policy during future audits. Unit Security Representative Training: During our fiscal year 2009 financial audit, we found that SCC Unit Security Representatives (USR), who are responsible for system security over one of IRS's key tax processing systems, did not always receive or timely complete the required USR initial training and did not always complete annual USR refresher training. USRs perform important security duties for IRS's Integrated Data Retrieval System (IDRS), which is one of the key systems IRS uses to process taxpayer data,[Footnote 46] and the training covers how they should carry out these duties in order to properly fulfill their security obligations. For example, USRs are responsible for monitoring each IDRS user's access codes, updating user profiles for changes in access rights, issuing temporary passwords, and reviewing security reports and taking appropriate action to address security weaknesses and breaches. Therefore, it is essential that they be properly trained on how to perform these critical responsibilities. However, we reviewed the employee profiles of 10 USRs at one SCC and found that none of the 10 had received initial training prior to performing their duties. Moreover, only 5 of the 10 USRs had completed annual refresher training as required by the IRM. We also reviewed employee profiles of 10 USRs at a second SCC and found that 1 of the 10 did not complete required initial training prior to performing USR duties. Additionally, we found the training materials used for USR annual refresher training at the first SCC referenced obsolete policies and procedures and thus, had not been updated to reflect current requirements. Internal control standards state that a key factor that affects the control environment is management's commitment to competence.[Footnote 47] All personnel need to possess and maintain a level of competence that allows them to effectively accomplish their assigned duties, as well as understand the importance of developing and maintaining effective internal control. Management needs to identify appropriate knowledge and skills needed for various jobs and provide the staff assigned to these positions the training necessary to enable them to effectively fulfill their assigned responsibilities. The IRM requires that USRs must complete initial USR training prior to performing their duties and complete annual USR refresher training.[Footnote 48] It also requires IDRS security officers to train and work with USRs to maintain the desired level of IDRS security and conduct USR training sessions at least annually.[Footnote 49] The lack of initial training and incomplete annual refresher training occurred at the first SCC because the IDRS Security Officer responsible for providing USRs with training had not done so. There were approximately 300 USRs at this SCC and according to the IDRS Security Officer Assistant, none of them were provided initial training because the IDRS Security Officer responsible for providing the training had been too busy with other responsibilities. In addition, the training manual used for the annual refresher training was provided by Mission Assurance and Security Services and, even though it contained obsolete information, was the most current version available. At the second SCC, the IDRS Security Officer informed us she had overlooked the USR who did not receive initial training prior to performing USR duties. Although the IRM requires that Division Commissioners, Chiefs, and the Taxpayer Advocate ensure that the USRs complete the required USR initial and annual refresher training, the requirement does not clearly designate an individual with the oversight and enforcement responsibility.[Footnote 50] The lack of required USR initial and annual refresher training for USR staff performing critical IDRS security functions coupled with outdated training materials increases the risk that USRs may not adequately perform their security duties. This, in turn, increases the risk of unauthorized access to the IDRS data. Recommendations: We recommend that you direct the appropriate IRS officials to do the following. * Designate management responsibility and establish a process for monitoring compliance with and enforcing the IRM requirement for all USRs to complete (1) the required initial USR training prior to assuming their responsibilities, and (2) annual refresher training each year thereafter. * Update USR training manuals to ensure they reflect current security policies and procedures. * Establish a process to periodically review and update training materials as appropriate. IRS Comments and our Evaluation: IRS agreed with our recommendations to monitor and enforce compliance with its USR training requirements and update training materials. IRS stated that it (1) required all USRs and alternate USRs to take an initial training class by May 31, 2010, (2) launched two new online training courses to provide initial and annual refresher training to all USRs, (3) would implement a report to monitor compliance with USR training requirements by December 31, 2010, and (4) implemented an annual review and update of the IDRS USR training material in December 2009 with another update planned by December 31, 2010. We will review IRS's new training requirements and evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2010 financial statements and future audits. Annual Mandatory Briefings: During our fiscal year 2009 financial audit, we found that IRS's employees did not always complete their annual mandatory briefing requirements in fiscal years 2008 and 2009.[Footnote 51] IRS's learning and education policy requires all employees to complete certain mandatory briefings each year in areas such as ethics and information security.[Footnote 52] We reviewed the training records of a non-statistical selection of 93 employees and found that 7 of the 93 employees did not complete all mandatory briefings in fiscal year 2008 and at least 1 of the 93 employees did not complete all of the mandatory briefings required for fiscal year 2009. We were not able to conclude on 7 of the 93 employees for fiscal year 2009 at the time of our audit because they worked for business units that allowed their employees up to 8 months after the end of the fiscal year to complete the briefings.[Footnote 53] Internal control standards require all personnel to possess and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal control.[Footnote 54] This is one of several factors that affect the control environment, which provides discipline and structure, as well as the climate which influences the quality of internal control. In addition, the standards state that management should ensure that skill needs are continually assessed and that the organization is able to obtain a workforce that has the required skills that match those necessary to achieve organizational goals. Training should be aimed at developing and retaining employee skill levels to meet changing organizational needs. The majority of IRS employees take the briefings online through its Enterprise Learning Management System (ELMS).[Footnote 55] Each business unit establishes its own process for ensuring that employees receive mandatory briefings within required time frames. To help monitor compliance with the briefing requirements, ELMS administrators in each business unit generate a standard report listing the employees who have not yet completed the mandatory briefings and follow their business unit's procedures for documenting incomplete training. Each business unit's manager is responsible for ensuring that business unit employees complete the required briefings; however, they generally leave it up to the individual supervisor to notify his or her employees to complete the mandatory briefings by the cut-off date. The Director of IRS's Human Capital Office, Leadership, Education and Delivery Services (HCO LEADS) organization maintains and administers policy and guidelines for servicewide learning and education, but does not oversee or review each business unit's process or results to ensure mandatory briefing requirements are met. When employees fail to attend mandatory briefings, they may lack the necessary skills to successfully perform their assigned duties. Recommendation: We recommend that you direct the appropriate IRS officials to establish procedures requiring HCO LEADS or their designee to periodically monitor each business unit's progress in complying with mandatory briefing requirements. IRS Comments and our Evaluation: IRS agreed with our recommendation and stated that it would provide each business unit with reports on the unit's progress in complying with the mandatory briefings requirement. In addition, IRS stated that by January 31, 2011, it will begin distributing quarterly summary reports to heads of offices. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2010 financial statements and future audits. Documentation of Receipt of Goods and Services: During our fiscal year 2009 financial audit, we found that IRS staff did not always confirm, or obtain documentation of confirmation, with the end user of a purchased product or service that the item was satisfactorily received before entering receipt and acceptance of the good/service into the procurement system. This confirmation is essential because in many instances, the end user of the product (i.e., the requestor who physically receives the good or service) is at a different geographic location than the staff member responsible for entering receipt and acceptance into the system. As a result, without following up with the end user, the staff cannot ensure that the good or service met contractual requirements before authorizing payment to the vendor. All purchase requisitions that go through IRS's procurement department are assigned to a contracting officer (CO).[Footnote 56] A contracting officer may assign a contracting officer's technical representative (COTR) to perform certain tasks, including maintaining documentation of the receipt and acceptance (R&A) of purchased goods or services in the Web Request Tracking System (WebRTS), IRS's procurement system. [Footnote 57] Staff use this system to create, route, approve, track, and fund requisitions, and record the receipt and acceptance of the items purchased. Receipt signifies IRS's acknowledgment that supplies were received or services were rendered, while acceptance signifies that IRS assumes ownership of the supplies or approves of the services rendered. Consequently, prior to entering R&A into WebRTS, the CO/COTR is to ensure the good or service conforms to the contract requirements. In addition, IRS's accounting technicians who process payments rely on the assertion of the COs/COTRs that goods or services have been received and accepted as a basis for authorizing payment. However, we found that the CO/COTR did not always confirm or obtain documentation of confirmation of receipt from the end user prior to entering R&A in WebRTS. Specifically, we tested a statistical sample of 116 nonpayroll expense transactions processed between October 1, 2008, and May 31, 2009, and found that for 5 of the 116 transactions,the COTRs could not provide documentation showing they had confirmed that the end users received and accepted the goods or services before the COTRs entered R&A into WebRTS.[Footnote 58] In 4 cases, the COTRs did not have any documentation from the end users showing that they confirmed receipt of the goods or services with the end users. In the fifth case, the COTR's documentation showed she did not request confirmation of receipt from the end user until the day after she had entered R&A into WebRTS. IRS Policy and Procedures Memorandum No. 46.5 for Receipt, Quality Assurance, and Acceptance states that receipt is defined as the documentation of acknowledgment that supplies were received or services were rendered. This policy also instructs the CO/COTR to maintain documentation of receipt and to acknowledge receipt in WebRTS. However, the policy does not specifically instruct the CO/COTR to obtain and document confirmation from the end user that the good or service was satisfactorily received before entering receipt and acceptance in WebRTS. Internal control standards require that agencies establish control activities that ensure management's directives are enforced and carried out.[Footnote 59] In addition, the standards require that internal control and all transactions and other significant events be clearly documented, the documentation be readily available for examination, and all documentation and records be properly managed and maintained. By not requiring the CO/COTR to obtain and document confirmation that the end user actually received the good or service before entering R&A, an individual may enter an invalid R&A into WebRTS, which could result in an incorrectly recorded expense and the issuance of invalid payments to contractors for goods or services that were not received or did not fully conform to contractual requirements. Recommendation: We recommend that you direct the appropriate IRS officials to establish procedures requiring COs/COTRs to obtain and retain written documentation from end users confirming receipt and acceptability of purchased goods or services prior to entering acknowledgment of receipt and acceptance in WebRTS. IRS Comments and our Evaluation: IRS agreed with our recommendation and stated that it has updated its receipt and acceptance handbook and procurement policies to include the requirement to obtain and retain documentation acknowledging receipt and acceptance of purchased goods and/or services before entering the acknowledgment in WebRTS. In addition, IRS stated that it reinforced this policy during its procurement and CFO customer conferences in March and May 2010. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2010 financial statements. Review of Obligations: During our fiscal year 2009 financial audit, we found that IRS's controls over the review of obligations did not always ensure the timely deobligation or revision of excess obligations that were no longer needed. Obligations are appropriated funds that have been reserved to purchase specific goods or services specified in a legally binding agreement, such as a contract or a purchase order. Most of IRS's appropriated funds are available for obligation for a fixed period of time and amount. Once obligated, the funds cannot be used to fund the purchase of new goods or services unless the obligated funds are deobligated from one purchase, reobligated to another, and still within their valid time limits and other appropriations requirements. [Footnote 60] For this reason, it is in IRS's best interest to maximize the use of its appropriated funding by closely managing its obligations to identify funds that are no longer needed under the original obligation that can thus be used to fund other requirements before such funding expires and is no longer available for new obligations. During our testing of undelivered orders and nonpayroll expenses, we found one instance totaling nearly $141,000 and another instance totaling over $62,000 in which IRS did not timely deobligate the obligated funds, even though all items under the related contracts had been delivered and the excess obligated funds were no longer needed. In the first instance, IRS had contracted for temporary clerk services through the end of January 2009. The actual cost of the services was less than the funds obligated, resulting in a remaining obligated balance after the contract period had been completed. IRS did not identify the funds for deobligation until we informed IRS officials approximately 7 months after the final R&A. In the second instance, IRS had contracted for operations support services through December 2008. Final payment for services on this contract was made in February 2009; however, this obligation was not promptly deobligated because the COTR did not mark in WebRTS during final R&A that the February payment was the final payment under the contract. Marking this transaction as the final payment would have indicated that excess obligated funds should be deobligated. After we identified this open obligation during our testing, IRS deobligated the funds. This occurred approximately 6 months after the final payment had been made. [Footnote 61] If the excess obligated funds associated with these two instances had not been deobligated, IRS would have overstated its "Obligations Incurred" and "Obligated Balance" financial statement line items by over $203,000 each. In addition, when excess obligated funds are not deobligated in a timely manner, it can affect whether and how those funds can subsequently be used. Appropriations are generally available for incurring new obligations for a fixed period of time, usually 1 or 2 fiscal years.[Footnote 62] Once this period of availability expires, the funds can only be used for a period of time to adjust previous obligations--such as when the final bills on a contract obligated in a prior year exceed the amount originally obligated--but cannot be used on new obligations or purposes.[Footnote 63] For example, in the instance related to the contract for operations support services described above, the contract was funded by a 2-year appropriation that expired on September 30, 2009. Although final payment was made on the contract in February 2009, IRS did not deobligate the funds until August 2009, after we identified the error and brought it to IRS's attention. Had IRS not corrected the error before September 30, 2009, it would have forfeited its ability to use the excess funds on any new purchases.[Footnote 64] To help facilitate the timely management of obligations, IRS performs its Aging Unliquidated Obligation reviews, which are periodic reviews of obligations that meet certain aging criteria.[Footnote 65] However, during fiscal year 2009, these reviews were not fully effective in timely detecting obligations requiring deobligation. Based on the aging criteria for the periodic reviews, both instances we identified would not have been selected for review until 300 days (about 10 months) after the last activity, which would have been in fiscal year 2010. Consequently, this review has limited effectiveness in assisting IRS in timely identifying funds for deobligation and for use in funding other valid agency needs. Additionally, this review has limited effectiveness in helping to ensure that only valid obligations are reported in IRS's general ledger and, ultimately, its financial statements. The IRM requires the timely management of obligations in order to enable IRS to optimize its financial resources.[Footnote 66] Timely deobligations of unneeded funds allow IRS to use those funds to pay for other goods or services for which the appropriation is available to fund, resulting in maximizing the use of the funds. Furthermore, internal control standards require that transactions and other events be accurately and promptly recorded to maintain their relevance and value to management in controlling operations and making decisions.[Footnote 67] As a result of these internal control deficiencies, IRS may not be maximizing the use of its available funds to meet its mission and is potentially reporting excess obligation amounts in its general ledger accounts and financial statements. Recommendations: We recommend that you direct the appropriate IRS officials to do the following. * Reiterate IRS's policy for staff to indicate in WebRTS during final receipt and acceptance that the payment is a final payment to close out a contract or purchase order to help ensure any remaining obligated funds are deobligated in a timely manner. * Reevaluate and, as necessary, revise the aging criteria for the Aging Unliquidated Obligation reviews so that unliquidated obligations are reviewed sooner in order to detect and deobligate excess obligations in a timely manner. IRS Comments and our Evaluation: IRS agreed with our recommendations and stated that it has revised the aging criteria for the fiscal year 2010 Aging Unliquidated Obligation reviews from 300 days to 240 days, and began issuing quarterly email broadcasts to all WebRTS users in June 2010 to reinforce the use of the receipt and acceptance final flag to ensure timely closure of obligations. While decreasing to 240 days (about 8 months) is an improvement, it is not clear whether this will alleviate the problem. For example, the two transactions we identified had no activity for 6 and 7 months respectively, and thus would not have been subject to the aging unliquidated obligation review had this been the criteria in place at the time. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2010 financial statements. Recording of Upward and Downward Adjustments to Prior-Year Obligations: During our fiscal year 2009 financial audit, we found that IRS did not always ensure that upward and downward adjustments of prior-year obligations were properly recorded for financial statement reporting purposes.[Footnote 68] To better identify and report only valid upward and downward adjustments of prior-year obligations, IRS performs a monthly netting process on all obligation transactions. The netting process should combine or net transactions primarily with the same obligation number and fund number to eliminate or offset transactions that are accounting corrections and not true adjustments to obligations.[Footnote 69] This netting process should result in a group of transactions that represent only true upward and downward adjustments of prior-year obligations that can be reported on IRS's financial statements. It is important that all valid adjustments and only valid adjustments of prior-year obligations remain after the netting process because upward and downward adjustments are each reported on different line items on the financial statements. In our testing of a statistical sample of 16 downward adjustments as of August 31, 2009, a valid upward adjustment totaling over $28,000 and a valid downward adjustment totaling over $1.4 million were erroneously netted together and could have resulted in the understatement of upward and downward adjustments of prior-years obligation balances reported in the "Obligations Incurred" and "Recoveries of Prior Years Obligations" line items in IRS's statement of budgetary resources, one of the basic agency financial statements. [Footnote 70] The error we found involved two valid (one upward and one downward) adjustments with two different obligation numbers. Normally, IRS's netting process would not combine two transactions with different obligation numbers. However, these two transactions were inappropriately netted because an IRS staff member had erroneously linked the obligation numbers of the two transactions in IRS's accounting system. After we brought this matter to its attention, IRS corrected this error by removing an erroneous obligation number link between the two transactions which caused the improper netting activity. Once the erroneous link was removed, the two valid transactions were reported correctly in the upward and downward adjustments of prior-year obligation accounts. IRS officials stated that it had two reports that are designed to identify linked transactions for further review. However, after further research, IRS determined that neither of these two reports was designed to capture the type of erroneous manual link we identified. IRS officials stated that they are currently developing a new control with the ability to identify situations such as the one we identified so they can be reviewed and corrected if necessary. The IRM requires financial plan managers to make every effort to ensure that data are accurately recorded.[Footnote 71] Furthermore, internal control standards require that transactions and other events be accurately and promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. [Footnote 72] Control activities also help to ensure that transactions are completely and accurately recorded. Because IRS did not have effective controls in place to ensure that the netting process was properly executed or to review the netting process results for such errors, the upward and downward adjustment balances would have been misstated in the financial statements had we not identified and brought the error to IRS's attention. Recommendations: We recommend that you direct the appropriate IRS officials to do the following: * Provide technicians and supervisors who are responsible for recording and reviewing obligation transactions with training on the proper use of manually linked obligation transactions to reinforce IRS's existing policy requiring that transactions be recorded accurately to the upward and downward adjustments of prior-year obligation accounts. * Develop controls to improve the linked obligation transaction review process to detect and correct erroneous links between unrelated upward and downward adjustments of prior-year obligation transactions in a timely manner. IRS Comments and our Evaluation: IRS agreed with our recommendations and stated that it (1) revised its process for manually linking obligations, updated the related procedures, and provided additional training to technicians and supervisors in October 2009 and (2) revised its processes in March 2010 to include a second level review of all linked obligations at the time of the actual linking. We will review the updated policies and procedures and evaluate their design and operating effectiveness during our audit of IRS's fiscal year 2010 financial statements. Compliance with Appropriations Act Requirements: During our fiscal year 2009 financial audit, we found that IRS did not comply with all requirements of its annual appropriations act. IRS's fiscal year 2009 appropriations act required IRS to set aside at least $7.487 billion for tax law enforcement and related support activities. [Footnote 73] The appropriations act funded five separate appropriations accounts, including accounts for taxpayer services, enforcement, and operations support; however, the amount appropriated to the enforcement account alone was insufficient to satisfy the set- aside requirement. Consequently, IRS was required to identify additional funds from among the other four accounts and make available for obligation solely to tax law enforcement and related support activities the amount necessary to meet the requirement. However, at the end of our fiscal year 2009 audit, IRS asserted to us that it had set aside only $7,413,237,071 for tax law enforcement and related support activities, resulting in a shortfall of about $73.8 million in amounts set aside for these activities. IRS officials attributed this shortfall to three causes. First, the federal government was operating under a continuing resolution for almost half of the fiscal year which, according to IRS, delayed it from hiring staff needed for some of its enforcement initiatives. [Footnote 74] Consequently, fewer enforcement staff were on board throughout the year than originally estimated. Second, IRS initially estimated it would allocate about $5.1 billion in direct enforcement costs from its enforcement appropriations account and about $2.4 billion in indirect enforcement costs from its operations support appropriations account to meet the appropriations act's requirements. IRS budget officials stated that they estimated the portion of operations support appropriations--which are available to support both IRS's taxpayer services and enforcement programs--that would be allocated to enforcement activities based on IRS's fiscal year 2009 budget request. However, these officials stated that increased fiscal year 2009 funding received for taxpayer services,[Footnote 75] when coupled with the delayed hiring in enforcement, resulted in a greater portion of its operations support costs being allocated to the taxpayer services program and consequently less to the enforcement program than originally estimated.[Footnote 76] Third, IRS had about $70.6 million in fiscal year 2009 operations support appropriations that were unobligated at the end of the fiscal year. Because these funds had not yet been obligated and therefore allocated to programs, none of these funds were counted toward the set-aside requirement. However, even if IRS could have allocated all of these unobligated operations support funds to enforcement, that would only have reduced, but not eliminated, the amount of the shortfall. We recognize that the continuing resolution and the late passage of its appropriations act put IRS in a difficult position. In particular, we can appreciate that this would have had a negative effect on hiring. However, these challenging circumstances did not eliminate IRS's requirement to comply with all provisions in its annual appropriations act and to establish adequate funds control procedures to provide reasonable assurance of compliance. In preparation for this report, we discussed our concerns with IRS budget officials in February 2010. In April 2010, IRS officials presented us with a revised tax enforcement analysis, which asserted that IRS was now in compliance with the fiscal year 2009 set-aside requirement. In its revised analysis, IRS did not change the amount of appropriations that it allocated to the set-aside amount from the enforcement appropriations account; however, IRS increased the amount of operations support appropriations allocated to its enforcement program by $98.4 million. As a result, IRS's revised analysis reflected total appropriations allocated to tax law enforcement and related support activities of $7,511,675,000, which would have exceeded the set-aside requirement by $24.7 million. We reviewed IRS's revised analysis and found problems with the methodology that IRS used to support its claim that it now complied with its appropriations act requirement. Of the $98.4 million increase in operations support appropriations allocated to tax law enforcement activities, $70.6 million consisted of all of IRS's fiscal year 2009 operations support appropriations that remained unobligated at fiscal year end. IRS, in its revised analysis, attributes all of these unobligated operations support funds to tax law enforcement. We disagree with this methodology because these funds will also support the overhead costs of taxpayer services and other programs; therefore, only a portion of these unobligated operations support funds would truly be used to support tax law enforcement and related support activities. IRS's revised analysis achieves the remaining $27.8 million of the operations support allocation increase by not allocating any operations support costs to taxpayer services activities that were funded with $67.9 million in additional appropriations that were included in the fiscal year 2009 continuing resolution to meet the requirements of the Economic Stimulus Act of 2008.[Footnote 77] IRS officials stated that because this was a special appropriation, no operations support costs should be allocated to it. We disagree with this reasoning because the staff and activities funded by this special appropriation still required the use of office space, information technology, and other support services that are funded by the operations support appropriations account. By not allocating any operations support costs to these taxpayer services activities, IRS is erroneously allocating operations support costs, which actually supported its taxpayer services program, to its enforcement program. In addition, the set-aside requirement in IRS's fiscal year 2009 appropriations act required IRS to make available the entire set-aside amount for obligation. Since some of the funds IRS included in its revised analysis expired at the end of fiscal year 2009, reallocating and setting aside such appropriations after the end of the fiscal year fails to satisfy this requirement. IRS's failure to comply with its appropriations act requirement can be attributed in large part to a lack of internal controls to monitor and ensure compliance with its appropriations act requirements. In particular, IRS had established no formal funds control processes to clearly set aside the required funds. IRS officials stated that they have the ability to create a report to track the status of the tax law enforcement obligations and related monthly operations support allocations throughout the year; however, they stated they do not have any written policies or procedures specifying how compliance with such appropriations act requirements will be monitored and achieved. Without adequate internal controls to monitor progress against its appropriations act requirements and to take action to comply with these requirements, IRS may not have reasonable assurance that it is complying with all of its appropriations act requirements. IRS initially informed us that it would have had to transfer appropriations from nonenforcement appropriations accounts, such as the operations support account, to the enforcement appropriations account in order to comply with the tax law enforcement requirement. IRS's fiscal year 2009 appropriations act allows IRS to transfer up to 5 percent of any nonenforcement appropriation made available in the fiscal year 2009 appropriations act to its enforcement appropriation account upon the advance approval of the Committees on Appropriations.[Footnote 78] Although IRS officials informed us that they knew in the middle of fiscal year 2009 that they were not likely to meet the set-aside requirement, they did not request such a transfer during fiscal year 2009. Since a similar tax law enforcement requirement has been included in IRS's fiscal year 2010 appropriations act,[Footnote 79] IRS needs to have appropriate funds control policies and procedures in place to ensure it meets its mandated appropriations act requirements.[Footnote 80] Recommendations: We recommend that you direct the appropriate IRS officials to do the following. * Establish a formal funds control process to set aside amounts for tax law enforcement and related support activities, as required by annual appropriations acts. * Establish a policy to periodically monitor throughout the year the amount of different appropriations accounts attributed to the set- aside to assess IRS's progress toward complying with the requirement. * Based on the results of its periodic assessments, take action to allocate the required amount of appropriations to tax law enforcement and related support activities to comply with the set-aside requirement. IRS Comments and our Evaluation: IRS disagreed with all three recommendations related to its compliance with the fiscal year 2009 appropriations act requirements. IRS stated that (1) it fully funded tax law enforcement activities and met the intent of the 2009 legislation; (2) our characterization of the fiscal year 2009 appropriations act was incorrect; (3) it disagreed with our characterization of its April 2010 analysis; and (4) its failure to comply with the appropriations act requirement was not attributable to a lack of internal controls to monitor and ensure compliance. As discussed in the following paragraphs, we disagree with all of these points. First, IRS stated that it fully funded tax law enforcement activities and met the intent of IRS's fiscal year 2009 appropriations act. The act (1) provided $5.12 billion in IRS's enforcement appropriation, which funds direct enforcement activities such as conducting criminal investigations; and (2) required IRS to explicitly make available at least a total of $7.487 billion specifically for enforcement activities from among any of its appropriations funding in the appropriations act. IRS stated that because it obligated most of the funds appropriated for enforcement (the $5.12 billion) and allocated to enforcement a commensurate portion of operations support costs (i.e., the indirect or overhead costs associated with operating IRS's enforcement program),[Footnote 81] it fully funded its enforcement activities and thus met the intent of the law. We disagree. By not explicitly designating appropriated amounts of at least $7.487 billion for enforcement activities, IRS did not comply with the appropriations act set-aside requirement. The fact that IRS elected to meet the set- aside requirement in part through an allocation of indirect costs to enforcement activities does not alter the express requirement in the appropriations act. In fact, as IRS noted in its written response, it requested a change in the appropriations language to make compliance with this requirement contingent upon the availability of funds in its operations support account. IRS stated that this contingency was included in the fiscal year 2010 House Budget Resolution but was not included in the enacted law. We believe that IRS's proposal to amend the requirement provides further evidence that IRS was legally obligated to identify and set aside the $7.487 billion for enforcement activities from among its appropriations accounts. Second, IRS stated that our characterization of the requirements of the fiscal year 2009 appropriations act in our report was incorrect. IRS stated that the act's requirement that it make available $7.487 billion for tax law enforcement and related support activities applies only to the enforcement appropriation and the operations support appropriation. We agree that the $7.487 billion must be used only for tax law enforcement and related support activities. However, as discussed in our report, we disagree that the act provided that the source of funding must come solely from (and therefore is limited to the availability of) enforcement and operations support appropriations. In fact, the act explicitly provided that all of the funds made available by the Act shall be available to meet the requirement.[Footnote 82] Thus, it is clear that compliance was not contingent upon the availability of enforcement and operations support appropriations.[Footnote 83] Third, IRS disagreed with our characterization of the supplemental analysis it provided to us in April which was intended to demonstrate that it complied with the fiscal year 2009 appropriations act requirement. IRS stated that the primary change in the April 2010 analysis from the initial analysis it provided us was to count all unobligated operations support balances towards the amount required, under the assumption that those funds met the criteria that the resources "shall be available" for enforcement activities. However, as IRS stated in its comments, it cannot "set aside" funds in operations support exclusively for enforcement activities. Therefore, it is not possible for IRS under its cost allocation methodology to make 100 percent of the unobligated operations support balances at year end available exclusively for enforcement. In addition, even if IRS could have allocated all of the unobligated operations support balances to enforcement, the $70.6 million in total unobligated operations support balances would not have been enough to make up for the $73.8 million shortfall. Finally, IRS disagreed that its failure to comply with the appropriations act requirement is attributable to a lack of internal controls to monitor and ensure compliance. We can appreciate that the late passage of the final fiscal year 2009 budget and IRS's use of an indirect cost allocation approach to carrying out the set-aside both created difficulties for IRS in managing its appropriations. However, as discussed in our report, additional internal controls in this area could have alerted IRS to the problem much earlier in the year and enabled IRS to take corrective actions that may have enabled it to comply with the appropriation act's requirements. IRS stated that when it developed its fiscal year 2009 budget request, it estimated the amount of direct enforcement and related operations support costs that would enable it to comply. Because IRS must submit its budget request many months before the start of the fiscal year, the actual budget and other circumstances can change drastically before the final appropriation is enacted. Thus, it is important for IRS to establish and implement control procedures to ensure it periodically reassesses its estimates and revises plans as appropriate. However, IRS did not have such controls in place. For example, IRS officials stated that Congress appropriated $143 million more than IRS anticipated to taxpayer services in fiscal year 2009. While IRS's fiscal year 2009 appropriations act was not enacted until March 11, 2009, a significant portion of the increase ($67.9 million) was provided to IRS in its continuing resolution enacted September 30, 2008.[Footnote 84] Consequently, IRS knew about nearly half of the increase at the beginning of the fiscal year, yet it did not reassess its original estimates nor take any action to address the impact that the increase would have on the allocation of operations support costs to its tax law enforcement activities. For instance, rather than depending solely on the allocation of operations support costs to enforcement to meet the requirement, IRS could have identified funding sources in other appropriations or requested a transfer of funds to the direct enforcement appropriation. In addition, IRS's statements that the proportion of operations support costs allocated to the taxpayer service program from the enforcement program increased after the end of the fiscal year are incorrect. Contrary to IRS's assertions, IRS does not allocate the entire year's expenses at the end of the year. IRS runs its cost allocation methodology at the beginning of every month to allocate the prior month's operations support costs to the major programs, including taxpayer services and enforcement. The results of each monthly allocation are then added to the previous month's cumulative totals by program, so that at the end of the year all of the monthly allocations total the amount reported in IRS's statement of net cost. IRS's post year-end allocations only allocate the final month's operations support costs plus year-end adjustments necessary to prepare its financial statements. Had IRS's budget office had effective controls in place to monitor these monthly allocations, it could have tracked the amounts allocated to enforcement against what was originally estimated throughout the year and thus, could have identified early on that action was needed to meet the requirement. For the reasons discussed above, we still believe that IRS did not comply with the requirements of its fiscal year 2009 appropriations act with respect to its requirement that IRS set aside at least $7.487 billion for tax law enforcement and related support activities. IRS recognizes a problem exists, which is why it plans to propose language in its fiscal year 2012 budget request to make compliance with this requirement contingent upon the availability of funds in its operations support account. We also believe that the recommendations we are making in this report, if effectively implemented, will assist IRS in ensuring it has the processes and controls in place to minimize the risk of a reoccurrence of this issue. This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on these recommendations. You should submit your statement to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Government Reform within 60 days of the date of this report. A written statement must also be sent to the House and Senate Committees on Appropriations with the agency's first request for appropriations made more than 60 days after the date of the report. Furthermore, to ensure GAO has accurate, up-to-date information on the status of your agency's actions on our recommendations, we request that you also provide us with a copy of your agency's statement of actions taken on open recommendations. Please send your statement of action to me or Doreen Eng, Assistant Director, at EngD@gao.gov. This report is intended for use by the management of IRS. We are sending copies to the Chairmen and Ranking Members of the Senate Committee on Appropriations; Senate Committee on Finance; Senate Committee on Homeland Security and Governmental Affairs; and Subcommittee on Taxation and IRS Oversight, Senate Committee on Finance. We are also sending copies to the Chairmen and Ranking Members of the House Committee on Appropriations and House Committee on Ways and Means; the Chairman and Vice-Chairman of the Joint Committee on Taxation; the Secretary of the Treasury; the Director of the Office of Management and Budget; and the Chairman of the IRS Oversight Board. The report is available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. We acknowledge and appreciate the cooperation and assistance provided by IRS officials and staff during our audits of IRS's fiscal years 2009 and 2008 financial statements. Please contact me at (202) 512- 3406 or sebastians@gao.gov if you or your staff have any questions concerning this report. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in enclosure III. Sincerely yours, Signed by: Steven J. Sebastian: Director: Financial Management and Assurance: Enclosures - 3: [End of section] Enclosure I: Details on Audit Methodology: We are responsible for planning and performing the audit to obtain reasonable assurance and provide our opinion about whether (1) IRS's financial statements are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles, (2) IRS management maintained, in all material respects, effective internal control over financial reporting as of September 30, 2009, and (3) IRS's financial management systems substantially comply with financial management systems requirements. We are also responsible for (1) testing compliance with selected provisions of laws and regulations that have a direct and material effect on the financial statements, and (2) performing limited procedures with respect to certain other information accompanying the financial statements. To fulfill our responsibilities as the auditor of IRS's financial statements, we did the following. * We examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements. This included selecting statistical samples of unpaid assessments, revenue, refunds, payroll and nonpayroll expenses, property and equipment, and undelivered order transactions. These statistical samples were selected primarily to determine the validity of balances and activities reported in IRS's financial statements. We projected any errors in dollar amounts to the population of transactions from which they were selected. In testing some of these samples, certain attributes were identified that indicated deficiencies in the design or operation of internal control. These attributes, where applicable, were statistically projected to the appropriate populations. * We examined evidence supporting IRS's compliance with learning and education policies. This included selecting non-statistical samples to determine if employees completed all mandatory briefings within the required time frames. * We assessed the accounting principles used and significant estimates made by management. * We evaluated the overall presentation of the financial statements. * We obtained an understanding of IRS and its operations, including its internal control over financial reporting. * We considered IRS's process for evaluating and reporting on internal control and financial systems under 31 U.S.C. § 3512 (c), (d), commonly referred to as the Federal Managers' Financial Integrity Act of 1982, and Office of Management and Budget Circular No. A-123, Management's Responsibility for Internal Control. * We assessed the risk of (1) material misstatement in the financial statements and (2) material weakness in internal control over financial reporting. * We tested relevant internal control over financial reporting. * We evaluated the design and operating effectiveness of internal control over financial reporting based on the assessed risk. * We tested compliance with selected provisions of the following laws and regulations: Internal Revenue Code; Antideficiency Act, as amended; Purpose Statute; Prompt Payment Act; Pay and Allowance System for Civilian Employees; Federal Employees' Retirement System Act of 1986, as amended; Social Security Act of 1935, as amended; Federal Employees Health Benefits Act of 1959, as amended; Continuing Appropriations Resolution, 2009, as amended; Financial Services and General Government Appropriations Act, 2009; and American Recovery and Reinvestment Act of 2009. * We tested whether IRS's financial management systems substantially complied with the three FFMIA requirements. * We performed such other procedures as we considered necessary in the circumstances. [End of section] Enclosure II: Comments from the Internal Revenue Service: Department Of The Treasury: Internal Revenue Service: Commissioner: Washington, D.C. 20224: June 21, 2010: Mr. Steven J. Sebastian: Director: Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Sebastian: I am writing in response to the Government Accountability Office (GAO) draft report titled, Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations (GA0- 10-565R). As GAO noted in the report titled, Financial Audit: IRS's Fiscal Years 2009 and 2008 Financial Statements, we continue to make significant progress in addressing remaining financial management challenges and have substantially mitigated weaknesses in internal controls. During FY 2009, IRS developed traceability of revenue and refund transactions from the general ledger to supporting detailed transaction information. IRS also continued to develop its cost accounting capabilities by implementing full-cost information on numerous IRS programs and activities and measuring the cost-benefit on enforcement programs. These improvements allowed GAO to conclude that these matters no longer constitute internal control deficiencies. The enclosed response addresses each of your recommendations. We are committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. If you have any questions or would like to discuss our response in further detail, please contact me or Alison Doone, Chief Financial Officer, at (202) 622-6400. Sincerely. Signed by: Douglas H. Shulman: Enclosure: [End of letter] IRS Responses to GAO Recommendations in "Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations" GAO-10-565R: Recommendation #1: We recommend that you direct the appropriate IRS officials to review the results of IRS's unpaid assessments compensating statistical estimation process to identify and document instances where systemic limitations in the Custodial Detailed Data Base (CDDB) resulted in misclassifications of account balances that, in turn, resulted in inaccuracies in the amounts of reported unpaid assessments. Comments: IRS agrees with this recommendation. Each year IRS identifies misclassifications of account balances during the review of the sample cases selected for the unpaid assessment statistical estimation and corrects the errors. In the cases of misclassification of account balances caused by a systemic limitation in CDDB, IRS identified programming changes to improve the business rules used by CDDB to accurately classify unpaid tax assessments. IRS briefed GAO on the pending programming changes February 23, 2010. Recommendation #2: We recommend that you direct the appropriate IRS officials to research and implement programming changes to allow CDDB to more accurately classify such accounts among the three categories of unpaid tax assessments. Comments: IRS agrees with this recommendation. IRS continues to identify programming changes to improve the accuracy of the classification of the three categories of unpaid tax assessments in CDDB. The IRS implemented programming changes in January 2010 to classify non-payroll tax forms with reported amounts subject to a Trust Fund Recovery Penalty (TFRP) assessment, and to classify other TFRP assessments that were previously excluded from the TFRP analysis. The IRS is scheduled to implement programming changes in July 2010 that will reduce movement in and out of financial write-off status and identify payroll tax modules where a TFRP assessment was not made. Four additional programming changes are scheduled for implementation in January 2011 to improve the classification of installment agreements, to address one-time refund offsets, to allow CDDB to correctly adjust balances in the subsidiary ledger in cases where TFRP payments were not cross-referenced correctly, and to add an allocation methodology in CDDB to classify modules with split financial classifications. IRS briefed GAO on all of these changes on February 23, 2010. Recommendation #3: We recommend that you direct the appropriate IRS officials to research and identify control weaknesses resulting in inaccuracies or errors in taxpayer accounts that affect the financial reporting of unpaid tax assessments. Comments: IRS agrees with this recommendation. Each year IRS identifies misclassifications of account balances during the review of the sample cases selected for the unpaid assessment statistical estimation and corrects the errors. In addition, IRS reviews Internal Revenue Manual (IRM) procedures to ensure proper internal controls are in place, makes revisions when necessary, and ensures the internal control processes are followed. Recommendation #4: Once IRS identifies the control weaknesses that result in inaccuracies or errors that affect the financial reporting of unpaid tax assessments, we recommend that you direct the appropriate IRS officials to implement control procedures to routinely prevent, or to detect and correct, such errors. Comments: IRS agrees with this recommendation. IRS will continue to identify and validate corrective actions were completed. We will continue to monitor appropriate procedures, controls and program modifications. Recommendation #5: To ensure that Trust Fund Recovery Penalty (TFRP) payments are always and accurately credited to all related parties when received, we recommend that you direct the appropriate IRS officials to revise the Internal Revenue Manual (IRM) to provide specific requirements for supervisors to review the accuracy of credit transactions related to TFRP payments processed through the Automated Trust Fund Recovery (ATFR) system. This guidance should provide specific areas to review and list the ATFR system reports that can facilitate supervisory reviews. Comments: IRS agrees with this recommendation. IRS updated IRM 5.19.14 in May 2010 to include supervisory reviews of the accuracy and timeliness of credit transactions related to TFRP payments processed through ATFR and identified the areas and system reports for review. Recommendation #6: To ensure that TFRP payments are always and accurately credited to all related parties when received, we recommend that you direct the appropriate IRS officials to formalize and implement the quarterly reviews of TFRP payment transactions to monitor compliance with IRM requirements. Recommendation #7: To ensure that TFRP payments are always and accurately credited to all related parties when received, we recommend that you direct the appropriate IRS officials to develop procedures to analyze the results of the quarterly reviews so that specific factors causing the errors are identified. Recommendation #8: To ensure that TFRP payments are always and accurately credited to all related parties when received, we recommend that you direct appropriate IRS officials to develop procedures to address the factors causing errors in the processing of TFRP payment transactions identified through the analyses of the quarterly review results. Comments: IRS agrees with these recommendations. In May 2009, the IRS created the "Quality Assurance Internal Compliance Review" (QAICR) to expand testing beyond existing reviews to further gauge the accuracy and effectiveness of ATFR and to identify TFRP program deficiencies. The IRS quarterly review closely mirrors the GAO review, incorporating TFRP campus case reviews, analysis of findings, and implementation of corrective actions needed to address identified deficiencies. A pilot quarterly review was performed in January 2010, and the results were given to GAO. Quarterly quality reviews began in April 2010. Recommendation #9: We recommend that you direct the appropriate IRS officials to revise the existing methodology for extracting the pre- posted revenue component of the comparison to ensure that non-tax revenues and tax revenue transactions already posted to the master files are properly excluded. Comments: IRS agrees with this recommendation. IRS revised the pre- posted extraction methodology in May 2010 to define transactions that should be excluded from the pre-posted revenue file and added other indicators to better identify pre-posted revenue when the original indicator is changed. IRS sampled the interim pre-posted output file using the new methodology and verified that all non-custodial revenue was excluded. Recommendation #10: We recommend that you direct the appropriate IRS officials to update the desk procedures governing the general ledger to master files comparison to ensure that it reflects the current process and controls. Comments: IRS agrees with this recommendation. IRS will complete the update of the desk procedures for the general ledger to master file comparison to ensure that it reflects the current process and controls by December 31, 2010. Recommendation #11: We recommend that you direct the appropriate IRS officials to revise the cost allocation desk guide to better document the cost allocation process. This should include ensuring that all key processing steps are included and identifying the key sources of input data and the controls necessary to help ensure their reliability. Comments: IRS agrees with this recommendation. IRS revised the cost allocation desk guide in January 2010. The revised desk guide includes key processing steps, key sources of input data, and the controls necessary to help ensure their reliability. Recommendation #12: We recommend that you direct the appropriate IRS officials to revise the IRM and cost allocation desk guide to require appropriate segregation of duties within the cost allocation process. Recommendation #13: We recommend that you direct the appropriate IRS officials to revise the IRM and cost allocation desk guide to require timely, documented supervisory reviews at key process points to help prevent and detect cost allocation processing errors. Comments: IRS agrees with these recommendations. The IRS Chief Financial Officer will update IRM 1.32.3, Managerial Cost Accounting, and the cost allocation desk guide to require appropriate segregation of duties and documented supervisory reviews in the cost allocation process by June 30, 2010. Recommendation #14: We recommend that you direct the appropriate IRS officials to establish controls over the cycle run spreadsheet to help minimize the risk of error or omission. At a minimum, this should include assigning a unique, sortable identifier to each row in the spreadsheet and implementing controls to promptly and accurately record the status of processing steps in a manner that ensures each cycle run is performed and is performed in the proper sequence. Comments: IRS agrees with this recommendation. IRS established procedures and controls over the master version of the cycle-run spreadsheet to minimize the risk of error or omission in May 2010. Each step in the process now contains a unique cycle identifier for the cycle-run order. In addition, IRS reviews and validates that each cycle is performed in the proper sequence. Recommendation #15: We recommend that you direct the appropriate IRS officials to revise the IRM to require Central Insolvency Operation (CIO) to timely provide service center campuses an acknowledgment of receipt for each Form 3210, Document Transmittal, related to a duplicate refund transcript sent to them by a service center campus for review. Comments: IRS agrees with this recommendation. IRS will update IRM 5.9.16 covering the CIO by December 31, 2010, to require that Form 3210, acknowledgment for duplicate refund transcripts, be returned to the issuer within 5 days of receipt. Recommendation #16: We recommend that you direct the appropriate IRS officials to revise the IRM to require service center campuses to verify that an acknowledgment of receipt has been received from CIO for 100 percent of the Form 3210 transmittals related to duplicate refund transcripts they have forwarded to CIO for review. Comments: IRS agrees with this recommendation. IRS will revise IRM 3,17.79 to include procedures for verification of Form 3210 acknowledgments received from the CIO for duplicate refund transcripts at service center campuses by January 31, 2011. Recommendation #17: We recommend that you direct the appropriate IRS officials to revise the IRM to require service center campuses to resolve any instances in which an acknowledgment of receipt for a Form 3210 transmittal related to duplicate refund transcripts is not received. Comments: IRS agrees with this recommendation. Wage and Investment will revise IRM 3.17 to include procedures for follow-up/resolution of non-receipt of Form 3210 acknowledgment of duplicate refund transcripts from CIO function by January 31, 2011. Recommendation #18: We recommend that you direct the appropriate IRS officials to require service center campuses to acknowledge unprocessable items with receipts received from lockbox banks. Recommendation #19: We recommend that you direct the appropriate IRS officials to establish procedures to track service center campus acknowledgments of unprocessable items with receipts. Recommendation #20: We recommend that you direct the appropriate IRS officials to establish procedures to monitor the process used by service center campuses and lockbox banks to acknowledge and track transmittals of unprocessable items with receipts. These procedures should include monitoring discrepancies and instituting appropriate corrective actions as needed. Comments: IRS agrees with recommendations #18, #19, and #20. IRS is developing standardized procedures for the Lockbox Document Transmittals (LDT) in the lockbox network and the service center campuses. IRS revised the LDT form and drafted instructions to include an acknowledgment from the service center campus to the lockbox site. Once the form and instructions have been finalized, the Lockbox Field Coordinators will conduct training with the banks and service center campuses. The Lockbox Bank Performance Measure 'Mailout Review' Data Collection Instrument also will be updated to include tracking and monitoring adherence to the procedures and implementation of corrective actions, as needed. IRS expects to implement these changes by December 31, 2010. Recommendation #21: We recommend that you direct the appropriate IRS officials to review the audit management checklist for clarity and revise the assessment questions as appropriate. Comments: IRS agrees with this recommendation. IRS will review the questions on the audit management checklist and modify them for clarity by December 30, 2010. Recommendation #22: We recommend that you direct the appropriate IRS officials to issue written guidance to accompany the audit management checklist that explains the relevance of the questions and the methods that should be used to assess and test the related controls. Comments: IRS agrees with this recommendation. IRS incorporated instructions for completing the audit management checklist in the December 18, 2009 revision of the checklist. Recommendation #23: We recommend that you direct the appropriate IRS officials to provide training to physical security analysts responsible for completing the audit management checklist to help ensure that checklist questions are answered appropriately and accurately. Comments: IRS agrees with this recommendation. IRS will provide training to physical security analysts on completing the audit management checklist by December 31, 2010. Recommendation #24: We recommend that you direct the appropriate IRS officials to establish and document the minimum frequency for how often the audit management checklist should be completed at each service center campus and field office. Comments: IRS agrees with this recommendation. IRS documented the frequency for completing the audit management checklist at the service center campuses and field offices in Physical Security and Emergency Preparedness (PSEP) Standard Operating Procedure 09-0011 Audit Activity Management Program, dated August 25, 2009. Recommendation #25: We recommend that you direct the appropriate IRS officials to establish policies requiring documented managerial reviews of completed audit management checklists. These reviews should document (1) the time and date of the review, (2) the name of the manager performing the review, (3) the supporting documentation reviewed, (4) any problems identified with the responses on the checklists, and (5) corrective actions to be taken. Comments: IRS agrees with this recommendation. PSEP Standard Operating Procedure (SOP) 09-0011 Audit Activity Management Program, dated August 25, 2009, contains the requirement for documented management reviews of the audit management checklist. IRS will modify the SOP to include the time and date of the review, the name of the manager performing the review, the supporting documentation reviewed, and any problems identified with corrective actions to be taken by July 30, 2010. Recommendation #26: We recommend that you direct the appropriate IRS officials to review the Taxpayer Assistance Centers Security and Remittance Review Database (TSRRD) for clarity and revise review questions as appropriate. Comments: IRS agrees with this recommendation. IRS will review the TSRRD and, where appropriate, clarify and revise the review questions. The TSRRD will be revised to add an IRM point of reference and instructions on how to complete database questions properly by January 31, 2011. Recommendation #27: We recommend that you direct the appropriate IRS officials to provide training to Taxpayer Assistance Centers (TAC) group managers to assist with their understanding of the TSRRD review questions and related objectives. This training should be provided on an ongoing basis to account for changes in TSRRD questions and for newly hired or appointed TAC group managers. Comments: IRS agrees with this recommendation. IRS will include training on the TSRRD in the Filing Season Readiness Workshop DVD delivered to all group managers annually. IRS will conduct the training by March 31, 2011. Recommendation #28: We recommend that you direct the appropriate IRS officials to establish policies that require territory managers or a manager at least one level above the group manager to periodically review the information entered into the TSRRD for accuracy and completeness prior to the results being forwarded to Field Assistance Office headquarters management. This review should be signed and documented, and include (1) the time and date of the review, (2) the name of the manager performing the review, (3) the task performed during the review, (4) any problems or questions identified, and (5) planned corrective actions. Comments: IRS agrees with this recommendation. IRS will update policy to include instructions for the Field Assistance territory manager, or a manager one level above, to review the frontline manager's completed TSRRD responses by March 31, 2011. Managers will review the forms and enter the review results into the TSRRD, and forward it to the territory manager for review and approval along with the planned corrective actions for any problems identified. The review document will include the reviewer's name, date and time of review, issues identified, and corrective actions taken. Recommendation #29: We recommend that you direct the appropriate IRS officials to analyze the various contractor access arrangements and establish a policy that requires security awareness training for all IRS contractors who are provided unescorted physical access to its facilities or taxpayer receipts and information. Comments: IRS agrees with this recommendation. IRS will develop a policy that requires security awareness training for all IRS contractors who are provided unescorted physical access to its facilities or taxpayer receipts and information by June 30, 2011. Recommendation #30: We recommend that you direct the appropriate IRS officials to designate management responsibility and establish a process for monitoring compliance with and enforcing the IRM requirement for all Unit Security Representatives (USRs) to complete (1) the required initial USR training prior to assuming their responsibilities, and (2) annual refresher training each year thereafter. Comments: IRS agrees with this recommendation. All USRs and Alternate USRs were required to take the initial training class by May 31, 2010, and before newly appointed USRs are provided security codes. Annual refresher training is required thereafter. To ensure compliance, IRS plans to implement by December 31, 2010, a reporting capability to identify USRs who fail to comply with initial and annual refresher training requirements. This reporting process will track USR compliance in the Enterprise Learning Management System (ELMS) Learning History and provide notification to affected USRs, their respective managers, and the USR point of contact for remediation. Recommendation #31: We recommend that you direct the appropriate IRS officials to update USR training manuals to ensure they reflect current security policies and procedures. Comments: IRS agrees with this recommendation. On December 15, 2009, IRS launched two new online training courses for all Integrated Data Retrieval System (IDRS) USRs to incorporate current security policies and procedures for USR Initial Training and IDRS USR Annual Refresher Training. These courses provide the initial and annual refresher training required for all IDRS USRs before performing such duties. Recommendation #32: We recommend that you direct the appropriate IRS officials to establish a process to periodically review and update training materials as appropriate. Comments: IRS agrees with this recommendation. IRS implemented an annual review and update of the IDRS USR training material. IRS completed a training content update in December 2009 and expects to complete the next update by December 31, 2010. Recommendation #33: We recommend that you direct the appropriate IRS officials to establish procedures requiring Human Capital Office, Leadership, Education and Delivery Services (NCO LEADS) or their designee to periodically monitor each business unit's progress in complying with mandatory briefing requirements. Comments: IRS agrees with this recommendation. IRS will distribute reports to the business units providing each business unit's progress in complying with the mandatory briefings requirement. Reports will be produced weekly during the mandatory briefing period from July through September and monthly for the remainder of the year. IRS also will begin distribution of a quarterly summary report to the heads of offices by January 31, 2011. Recommendation #34: We recommend that you direct the appropriate IRS officials to establish procedures requiring contracting officers (COs)/contracting officer's technical representatives (COTRs) to obtain and retain written documentation from end users confirming receipt and acceptability of purchased goods and/or services prior to entering acknowledgment of receipt and acceptance in the Web Request Tracking System (WebRTS). Comments: IRS agrees with this recommendation. IRS updated the Receipt and Acceptance Handbook in March 2010 to include the requirement to obtain and retain documentation to support receipt and acceptance before entering the acknowledgment in WebRTS and provided the updated handbook to GAO on March 31, 2010. In addition, Procurement's Policy and Procedures Memorandum No. 46.5, Monitoring Receipt, Acceptance and Quality Assurance through Contract Administration Plans, dated January 1, 2010, instructs all Procurement personnel and COTRs to maintain documentation of receipt of supplies or services. IRS has reinforced this requirement through presentations at the 2010 Procurement Partnership Conference in March 2010, and the 2010 CFO Customer Conference in May 2010. Recommendation #35: We recommend that you direct the appropriate IRS officials to reiterate IRS's policy for staff to indicate in WebRTS during final receipt and acceptance that the payment is a final payment to close out a contract or purchase order to help ensure any remaining obligated funds are timely deobligated. Comments: IRS agrees with this recommendation. IRS issued a WebRTS broadcast e-mail to all WebRTS users on June 2, 2010, to reinforce the use of the receipt and acceptance final flag to ensure timely closure of obligations. IRS will reissue this broadcast quarterly. Recommendation #36: We recommend that you direct the appropriate IRS officials to re-evaluate and, as necessary, revise the aging criteria for the Aging Unliquidated Obligation reviews so that unliquidated obligations are reviewed sooner in order to timely detect and deobligate excess obligations. Comments: IRS agrees with this recommendation. IRS revised the aging criteria for the FY 2010 Aging Unliquidated Obligation reviews from 300 days to 240 days to review unliquidated obligations sooner. Recommendation #37: We recommend that you direct the appropriate IRS officials to provide technicians and supervisors who are responsible for recording and reviewing obligation transactions with training on the proper usage of manually linked obligation transactions to reinforce IRS's existing policy requiring that transactions be recorded accurately to the upward and downward adjustments to prior year obligation accounts. Comments; IRS agrees with this recommendation. IRS revised the manual linking of obligations process, updated the related procedures, and provided additional training to technicians and supervisors in October 2009. IRS provided GAO with the revised procedures and conducted a walk-through of the process for GAO on March 11, 2010. Recommendation #38: We recommend that you direct the appropriate IRS officials to develop controls to improve the linked obligation transaction review process to timely detect and correct erroneous links between unrelated upward and downward adjustments to prior year obligation transactions. Comments: IRS agrees with this recommendation. IRS revised internal processes and implemented procedures to add a second level review of all linked obligations at the time of the actual linking on March 16, 2010. Recommendation #39: We recommend that you direct the appropriate IRS officials to establish a formal funds control process to set aside amounts for tax law enforcement and related support activities, as required by annual appropriations acts. Recommendation #40: We recommend that you direct the appropriate IRS officials to establish a policy to periodically monitor throughout the year the amount of different appropriations accounts attributed to the set-aside to assess IRS's progress toward complying with the requirement. Recommendation #41: We recommend that you direct the appropriate IRS officials to take action based on the results of its periodic assessments, to allocate the required amount of appropriations to tax law enforcement and related support activities to comply with the set- aside requirement. Comments: IRS disagrees with recommendations #39, #40, and #41. In FY 2009, the IRS fully funded its tax law enforcement activities and met the intent of the allocation adjustment. The IRS obligated $5.11 billion of the $5.12 billion (99.7 percent) enforcement appropriation and fully supported the enforcement activities from the operations support account. The IRS obligated $3.75 billion of the $3.76 billion (99.7 percent) of the operations support appropriation expiring funds. The characterization of the 2009 appropriations act in the report is incorrect. The requirement that the IRS spend $7A87 billion on tax law enforcement and related support activities applies to the enforcement appropriation and the operations support appropriation. The intent of the requirement is for the IRS to fully fund enforcement activities and related support activities without diverting funds to non-enforcement activities, and the IRS met that requirement. The IRS cannot unilaterally "set aside" funds from its Taxpayer Services, Business Systems Modernization, and Health Insurance Tax Credit Administration appropriations to fund enforcement activities. The IRS must obtain Office of Management and Budget (OMB) and Congressional approval to move funds among its five appropriation accounts. Further, the IRS cannot "set aside" funds in the Operations Support account exclusively for enforcement activities. The Operations Support account funds both the enforcement and the taxpayer service programs. Operations Support obligations fund common services, including rent, utilities, and information technology infrastructure. The IRS cannot split Operations Support obligations between enforcement and other activities in its accounting system. During the development of the IRS FY 2009 budget request, the pro-rata share of operations support funding attributable to enforcement activities was calculated using an allocation methodology that allocates operations support funds between taxpayer and enforcement activities based on many factors, including Full-Time Equivalent utilization. Congress added $143 million in FY 2009 funding to the taxpayer service account. As a result of the increase in FY 2009 taxpayer service funding that was not anticipated when the FY 2009 budget was developed, the proportion of Operations Support obligations allocated to taxpayer service increased in the post FY 2009 year-end allocation of total Operations Support obligations between Taxpayer Service and Enforcement. In accordance with the FY 2009 enacted budget, the IRS hired 3,000 new enforcement personnel, fully funded enforcement activities, and spent the funding in the Taxpayer Services, Enforcement, and Operation Support accounts consistent with the intent of the law. Because of the unexpected increase in FY 2009 taxpayer service funding, the post year- end allocation methodology run increased the portion of Operations Support dollars allocated to Taxpayer Service. The IRS also disagrees with the characterization of the supplemental analysis provided to GAO in April. The primary change in the April analysis was the assumption that all Enforcement account funds, the pro-rated Operations Support enforcement obligations, and Operations Support balances as of October 1, 2009, were available for the Enforcement Program. This assumption is based on the administrative provision in the appropriations language that "resources shall be available." The initial, more conservative analysis, under which the IRS operated in FY 2009, only included obligations in the Enforcement Program total and excluded unobligated Operations Support balances. Thus, the IRS disagrees that the failure to comply with the appropriations act requirement is attributable to a lack of internal controls to monitor and ensure compliance with its appropriations act requirements. Upon receipt of the additional taxpayer service funds in the FY 2009 enacted budget, the IRS identified the issue and informed both OMB and the House and Senate appropriations committees that the IRS would not meet the funding level contained in the appropriations language. The solution to this issue is a change in the appropriations language to allow the IRS to allocate Operations Support costs between Taxpayer Service and Enforcement Operations in accordance with both the intent of the Congressional allocation adjustment and the IRS cost allocation methodology. The FY 2010 President's Budget Request proposed the required change to appropriations language, and the FY 2010 House Budget Resolution contained the proposed language that "provides that such sums as may be necessary shall be available from the Operations Support account in the Internal Revenue Service to fully support these Enforcement activities." The enacted FY 2010 budget, however, did not include the House Budget Resolution language, and the IRS plans to propose the required language in its FY 2012 budget request. [End of section] GAO Contact and Staff Acknowledgments: GAO Contact: Steve Sebastian, (202) 512-3406 or Sebastians@gao.gov: Acknowledgments: The following individuals made major contributions to this report: Doreen Eng, Assistant Director; LaDonna Towler, Auditor-in-Charge; Russell Brown; Nina Crocker; Oliver Culley; F. Abe Dymond; Lauren S. Fassler; Chuck Fox; Mickie Gray; Ryan Guthrie; Mary Ann Hardy; David Hayes; Ted Hu; Luke Karboski; Sharon Kittrell; Tuan Lam; Rich Larsen; Delores Lee; Jenny Li; Joshua Marcus; Stephanie Miller; Marc Oestreicher; John Sawyer; Christopher Spain; Chevalier Strong; and Tina Wu. [End of section] Footnotes: [1] GAO, Financial Audit: IRS's Fiscal Years 2009 and 2008 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-10-176] (Washington, D.C.: Nov. 10, 2009). [2] GAO, Information Security: IRS Needs to Continue to Address Significant Weaknesses, [hyperlink, http://www.gao.gov/products/GAO-10-355] (Washington, D.C.: Mar. 19, 2010). [3] IRS's master file contains the detailed records of taxpayer accounts. There are several master files, the most significant of which are the individual master file, which contains tax records of individual taxpayers, and the business master file, which contains tax records of corporations and other businesses. [4] The statute enacting IRS's fiscal year 2009 appropriations required IRS to set aside a minimum of $6,997,000,000 for tax law enforcement, and make an additional $490,000,000 available for enhanced tax law enforcement. See Financial Services and General Government Appropriations Act, 2009, Pub. L. No. 111-8, div. D, tit. I, § 105, 123 Stat. 630, 636 (Mar. 11, 2009) (IRS's fiscal year 2009 appropriations act). IRS officials informed us that they interpreted the act as requiring them to set aside $7,487,000,000 (i.e., the sum of the two amounts) for fiscal year 2009 tax law enforcement activities and related support activities. [5] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999), contains the internal control standards to be followed by executive agencies in establishing and maintaining systems of internal control as required by 31 U.S.C. § 3512 (c), (d) (commonly referred to as the Federal Managers' Financial Integrity Act of 1982). [6] SCCs process tax returns and payments submitted by taxpayers. [7] Consolidated campuses are SCC locations where the submission processing function has been eliminated. [8] Lockbox banks are financial institutions designated as depositories and financial agents of the U.S. government under contract with the U.S. Treasury's Financial Management Service to perform certain financial services, including processing tax documents, depositing the receipts, and then forwarding the documents and data to IRS SCCs, which update taxpayers' accounts. During fiscal year 2009, there were eight lockbox banks processing taxpayer receipts on behalf of IRS. [9] TACs are field assistance units, located within IRS's Wage and Investment operating division, designed to serve taxpayers who choose to seek help from IRS in person. Services provided include interpreting tax laws and regulations, preparing tax returns, resolving inquiries on taxpayer accounts, receiving payments, forwarding those payments to appropriate SCCs for deposit and further processing, and performing other services designed to minimize the burden on taxpayers in satisfying their tax obligations. These offices are much smaller facilities than SCCs or lockbox banks, with staffing ranging from 1 to about 35 employees. [10] Field offices are comprised of various units located within IRS's Small Business and Self Employed (SB/SE), Large and Mid-Size Business (LMSB), and Tax-Exempt and Government Entities (TE/GE) operating divisions that administer tax services to corporations, partnerships, small businesses, state and Indian tribal governments, major universities, community organizations, municipalities, pension funds, and individuals with certain types of nonsalary income. [11] An unpaid assessment is a legally enforceable claim against a taxpayer and consists of taxes, penalties, and interest that have been assessed to the taxpayer but not yet collected or abated (reduced). [12] Statement of Federal Financial Accounting Standards No. 7, Accounting for Revenue and Other Financing Sources and Concepts for Reconciling Budgetary and Financial Accounting, May 10, 1996. [13] IRS reports federal taxes receivable on its balance sheet, net of an allowance, for amounts considered uncollectible. [14] GAO, Financial Audit: IRS's Fiscal Years 2008 and 2007 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119] (Washington, D.C.: Nov. 10, 2008). [15] IRS's master files contain detailed records of taxpayer accounts. However, the master files do not contain all the details necessary to properly classify or estimate collectibility for unpaid tax assessment accounts. [16] CDDB uses a series of computer programs that analyze account information in IRS's master files to classify them into the financial reporting categories. [17] CDDB also serves as a subsidiary ledger for tax revenue and refunds, providing transactional traceability for tax revenue and refund activity between the general ledger and the detailed records. [18] An account module is a record in IRS's master files containing tax assessment, payment, and other information related to a specific type of tax for a specific period. A taxpayer may have multiple account modules within IRS's master files under a unique taxpayer identification number (i.e., Social Security number or an employer identification number). Each unique account module is identified by the taxpayer identification number, tax type (e.g., excise tax, individual tax, payroll tax), and specific tax period (e.g., year, quarter). [19] According to federal accounting standards, the self-reporting of an outstanding tax liability establishes the outstanding balance as a tax receivable for financial reporting purposes. [20] When a business willfully fails to collect, account for, or pay the taxes it is legally required to withhold from its employees' wages, such as Social Security or individual income tax withholdings (what is commonly referred to as "trust fund taxes"), IRS assesses underpayment penalties against the business and may impose an additional trust fund recovery penalty (TFRP) against the responsible officers. [21] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [22] See for example, 26 U.S.C. §§ 6651, 6654-55, 6662, 6672, 7201-03. [23] See 26 U.S.C. § 6672 and IRM §4.23.9.13, Trust Fund Recovery Penalty (May 14, 2008). [24] IRM § 5.7.7.4, Cross Referencing of Payments Made by Responsible Persons (Apr. 13, 2006). This was the applicable criteria during the first quarter of fiscal year 2009 for TFRP transactions we tested. [25] We are 95 percent confident that the error rate does not exceed 15.1 percent. According to IRS, it initiated actions to strengthen controls in this area. However, IRS believes that the actions taken thus far have not significantly improved the internal controls and that control deficiencies continue to exist over TFRP payment processing during the first half of fiscal year 2010. [26] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [27] GAO, Internal Revenue Service: Immediate and Long-Term Actions Needed to Improve Financial Management, [hyperlink, http://www.gao.gov/products/GAO/AIMD-99-16] (Washington, D.C.: Oct. 30, 1998). [28] According to IRS, about 15 percent of total TFRP payment transactions are not processed through ATFR at all but are instead completely manually processed. Such payments relate primarily to TFRP assessments that IRS recorded prior to August 2001 using procedures that prevent ATFR from recognizing related accounts in IRS's master files. [29] IRM § 5.19.14, Trust Fund Recovery Penalty (Dec. 22, 2009). [30] As we have reported in conjunction with our annual audit of IRS's financial statements for many years, IRS has a long-standing material weakness in its internal control over unpaid assessments. Most recently, we reported that (1) balances for unpaid assessments reported in IRS's financial statements and required supplementary information were not supported by its general ledger system, (2) IRS lacked a subsidiary ledger to provide reliable transaction-level information for unpaid tax assessments, and (3) IRS experienced errors and delays in recording taxpayer information. Consequently, IRS currently cannot produce reliable unpaid assessments information for internal and external reporting due to systemic limitations and errors in underlying taxpayer accounts, including errors in recording TFRP payments. See [hyperlink, http://www.gao.gov/products/GAO-10-176]. [31] We are 95 percent confident that the actual error rate of invalid pre-posted revenue transactions is not more than 45.3 percent. [32] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [33] OMB Circular No. A-136, Financial Reporting Requirements (rev. June 10, 2009). [34] IRS defines a cost center as the lowest level at which IRS segregates costs. Cost centers are organizational units that capture costs where someone has control or responsibility. Each cost center has a manager, a head count, and an assigned physical location. [35] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [36] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [37] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [38] IRM § 21.4.4.6.1, Duplicate Refund Transcripts (Oct. 1, 2008). [39] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [40] GAO, Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures, [hyperlink, http://www.gao.gov/products/GAO-04-553R] (Washington, D.C.: Apr. 26, 2004); Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-05-247R] (Washington, D.C.: Apr. 27, 2005); Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-07-689R] (Washington, D.C.: May 11, 2007); Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-08-368R] (Washington, D.C.: June 4, 2008); and Management Report: Improvements are Needed to Enhance IRS's Internal Controls and Operating Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-09-513R] (Washington, D.C.: June 24, 2009). [41] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [42] IRS requires the use of a transmittal form, such as a Form 795 or Form 3210, which list the contents of the package when shipping tax receipts from one IRS location to another. [43] TAC group managers report to territory managers, who in turn report to area directors. [44] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [45] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [46] IDRS is an online data retrieval system that manages data retrieved from IRS's master files, which contain detailed information on taxpayers' filings of tax returns and tax-return-related documents. IDRS allows IRS employees to (1) research taxpayer accounts; (2) enter transactions, such as collections, adjustments, and abatements; and (3) automatically generate notices, collection documents, and other information. [47] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [48] IRM § 10.8.34.2.1.11, Unit Security Representative (Sept. 1, 2007). [49] IRM § 10.8.34.2.1.7, IDRS Security Officer (Sept. 1, 2007). [50] IRM § 10.8.34.2.1.1, Division Commissioners, Chiefs, and Taxpayer Advocate (Sept. 1, 2007). [51] Fiscal year 2008 results were included because it was the most recent year for which IRS could provide complete data at the time of our review. [52] Mandatory briefings for fiscal year 2008 included: (1) Information Protection (Privacy/Disclosure); (2) Safety, Health, and Environmental Awareness; (3) Prevention of Sexual Harassment; and (4) Ethics. Mandatory briefings for fiscal year 2009 included (1) Information Systems Security; (2) Notification and Federal Employee Anti-Discrimination (No FEAR) Act; (3) Computer Security and Unauthorized Access; and, (4) Information Protection. Staff in specific positions may have additional briefing requirements specific to their position. [53] The Wage & Investment Division, which is IRS's largest operating division, scheduled the fiscal year 2009 required briefings for January through May 2010. Because this division's responsibilities include processing tax returns, it relies on a large number of seasonal staff that are only at IRS during these months. [54] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [55] According to IRS officials, two business units--the Wage & Investment Division and the Human Capital Office, Leadership, Education and Delivery Services organization--provide the mandatory briefings to their staff in a classroom setting. [56] Other transactions, such as micro purchases up to $3,000, are processed by business units rather than the Office of Procurement. [57] A CO must assign a COTR for any contract of $100,000 or more. For contracts under $100,000, a CO has the option of assigning a COTR. If a COTR is not assigned to a contract, then the CO assumes the duties otherwise performed by the COTR. [58] For these five transactions, a COTR was assigned the responsibility of confirming receipt with the end user. Of the 116 transactions we tested, 61 were transactions that were processed through the procurement department. However, because our sample was designed to test all nonpayroll expense transactions, including transactions such as travel that do not go through the procurement department, we are unable to project the exceptions that only applied to procurement transactions to the entire population. [59] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [60] For example, appropriated funds that are earmarked for tax law enforcement may only be used for expenses related to that purpose. [61] The first instance was identified during our testing of a statistical sample of 58 undelivered order balances as of August 31, 2009. Based on our testing, we estimate that the value of undelivered orders that could have the same control error could be as high as $69.5 million (i.e., the net upper error limit at an 86 percent confidence level). The second instance was identified during our testing of a statistical sample of 43 expense transactions under $50,000 other than payroll expenses as of May 31, 2009. Based on our testing, we estimate that the value of nonpayroll expense transactions less than $50,000 that could have the same control error could be as high as $46.5 million (i.e., the net upper error limit at a 95 percent confidence level). Because this second sample population consisted of expenses rather than obligations, we cannot estimate the value of potential excess obligated funds associated with these expenses. [62] Agencies generally must obligate funds within their period of availability or forfeit the ability to incur new obligations with the funds. In some circumstances, appropriated funds may be awarded for specific purposes with no time limit on when the funds may be used. [63] After the appropriation's period of availability has ended, agencies may use the funds for 5 years to adjust prior-year obligations made from the same appropriation if needed. After that, the funds are forfeited. See 31 U.S.C. §§ 1552-53. [64] In the other instance we identified, the period of availability expired September 30, 2008; however, the funds could still be deobligated and used for an upward adjustment of a prior obligation under that appropriation if needed. [65] IRM § 1.33.4.2.4.2.4, AUC and AUO Reviews (Jan. 15, 2008). [66] IRM § 1.33.4.4.4, Unliquidated Commitments/Obligations (Aug. 28, 2006). [67] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [68] Upward and downward adjustments of prior-year obligations are adjustments to obligations funded with prior-year appropriations. [69] Expired funds are netted by obligation identification number and fund. Unexpired funds are netted by obligation identification number, fund, and commitment item. [70] Based on our testing, we estimate that the value of downward adjustments that could have the same control error could be as high as $10.4 million (i.e., the net upper error limit at an 86 percent confidence level). [71] IRM § 1.33.4.4.3, Commitments/Obligations (Aug. 28, 2006). [72] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [73] IRS's fiscal year 2009 appropriations act required IRS to set aside a minimum of $6,997,000,000 for tax enforcement, and make an additional $490,000,000 available for enhanced tax law enforcement. See Financial Services and General Government Appropriations Act, 2009, Pub. L. No. 111-8, div. D, tit. I, § 105, 123 Stat. 630, 636 (Mar. 11, 2009). For purposes of this report, we refer to these requirements as a "set-aside." IRS attorneys and IRS budget officials informed us that they interpreted the act as requiring them to set aside $7,487,000,000 (i.e., the sum of the two amounts) for fiscal year 2009 tax law enforcement and related support activities. [74] In fiscal year 2009, IRS was funded through a continuing resolution from October 1, 2008, through March 11, 2009. See Continuing Appropriations Resolution, 2009, Pub. L. No. 110-329, div. A, 112 Stat. 3574 (Sept. 30, 2008), as amended by Pub. L. No. 111-6, 123 Stat. 522 (Mar. 6, 2009). A continuing resolution allows federal agencies to continue operating when their regular appropriations acts have not been enacted before the beginning of the new fiscal year. However, they only provide funding for the period of the continuing resolution and thereby create uncertainty about both the timing and level of funding that ultimately will be available for the entire fiscal year. [75] See, for example, section 131 of the continuing resolution, which appropriated an additional amount for IRS's "Taxpayer Services" to meet the requirements of the Economic Stimulus Act of 2008 (P.L. 110- 185), at a rate for operations of $67,900,000. See Continuing Appropriations Resolution, 2009, Pub. L. No. 110-329, div. A, 112 Stat. 3574, 3579 (Sept. 30, 2008), as amended by Pub. L. No. 111-6, 123 Stat. 522 (Mar. 6, 2009). [76] As discussed earlier in this report, IRS uses a complex process to allocate operations support costs--such as rent and facility costs, technology support, and payroll operation costs--for its major programs. One of the key factors that affects the amount of operations support costs allocated to each program is the number of staff assigned to each. [77] The continuing resolution (P.L. 110-329) appropriated additional funds for IRS's taxpayer services at a rate for operations of $67.9 million. [78] See Financial Services and General Government Appropriations Act, 2009, Pub. L. No. 111-8, div. D, tit. I, § 101, 123 Stat. 630, 636 (Mar. 11, 2009). [79] See Financial Services and General Government Appropriations Act, 2010, Pub. L. No. 111-117, div. C, tit. I, § 105, 123 Stat. 3159, 3165 (Dec. 16, 2009). [80] We disagree with IRS that it must invoke its transfer authority to transfer amounts between its annual appropriations accounts to effectuate the set-aside. However, IRS may need to initiate reprogramming actions (i.e., the shifting of funds within its individual accounts from one program activity to another), which may be subject to congressional notification requirements. [81] As described in the cost allocation processing section of this report, IRS allocates monthly a portion of operation support costs-- which are costs such as rent and technology support that benefit multiple programs--to each of its major programs. These operations support costs are considered part of the cost of running those programs. [82] See Financial Services and General Government Appropriations Act, 2009, Pub. L. No. 111-8, div. D, tit. I, § 105, 123 Stat. 630, 636 (Mar. 11, 2009). [83] IRS contends that it must invoke its authority to transfer funds between its appropriations accounts to use those accounts' funds to satisfy the set-aside requirement. As noted in our report, we disagree with this view given that the appropriations act allows IRS to use any funds made available by the act to satisfy the requirement. Regardless, IRS must identify the sources of funds to be used to satisfy the set-aside requirement and take affirmative actions to ensure such funds are used only for tax law enforcement and related support activities. [84] Continuing Appropriations Resolution, 2009, Pub. L. No. 110-329, div. A, 112 Stat. 3574 (Sept. 30, 2008), as amended by Pub. L. No. 111- 6, 123 Stat. 522 (Mar. 6, 2009). The funding increase was appropriated at a rate for operations of $67.9 million. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: