Management Report: Improvements Needed in IRS's Internal Controls

GAO-05-247R Published: Apr 27, 2005. Publicly Released: Apr 27, 2005.

Highlights

In November 2004, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2004 and 2003, and on the effectiveness of its internal controls as of September 30, 2004. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996. A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one, will be issued shortly. The purpose of this report is to discuss issues identified during our fiscal year 2004 audit regarding internal controls that could be improved for which we do not currently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2004 audit report, they all warrant management's consideration.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Internal Revenue Service IRS should enforce its existing requirement that appropriate background investigations be completed for contractors before they are granted staff-like access to service centers.
Closed – Implemented
IRS's Program, Planning, and Policy Office finalized and issued a revision to the Internal Revenue Manual (IRM). The revision specifies that red photo ID cards may be issued to IRS contract employees who have a daily need on a continuing basis to be on site at a facility over a period of time, and who have been granted interim or final staff-like access to a facility/work area with sensitive systems or information, but that before such an ID card may be issued, the contracting officer's technical representative must provide the Physical Security Office with a copy of the Personnel Security background completion.
Internal Revenue Service IRS should require that background investigation results for contractors (or evidence thereof) be on file where necessary, including at contractor worksites and security offices responsible for controlling access to sites containing taxpayer receipts and information.
Closed – Implemented
IRS's Program, Planning, and Policy Office finalized and issued a revision to the Internal Revenue Manual (IRM). The revision requires, among other things, that an interim or final background investigation letter must be retained and filed in the identification media file for each contractor. GAO verified that IRS finalized and issued the revision to its IRM and, during its audit of IRS's fiscal year 2008 financial statements, it found no exceptions in its review of documentation of background investigations of contract staff.
Internal Revenue Service IRS should require that courier contracts call for couriers to submit contingency plans to lockbox banks.
Closed – Implemented
IRS reported that it updated the Lockbox Processing Guidelines (LPG) 4.2.3.1, Courier Contingency Plan, on January 1, 2005, to require that prior to implementation of the contract, the courier service must provide the lockbox with a disaster contingency plan. The contingency plan must cover labor disputes, employee strikes, inclement weather, natural disasters, traffic accidents, and unforeseen events. During its fiscal year 2005 audit, GAO verified that IRS updated the LPG to require that courier service contractors must provide the lockbox bank with a disaster contingency plan.
Internal Revenue Service IRS should review lockbox bank courier contingency plans to help ensure that they incorporate all contingencies specified in the "Lockbox Processing Guidelines" (LPG).
Closed – Implemented
IRS reported that contingency plans were provided by all lockbox sites by March 31, 2005, and were part of the Filing Season Readiness (FSR) Plan. The Lockbox Processing Guidelines (LPG) 4.2.3.1 states "the contingency plan must cover labor disputes, employee strikes, inclement weather, natural disasters, traffic accidents, and unforeseen events." The lockbox coordinators reviewed the contingency plans to ensure that these issues were addressed. The lockbox coordinators interpreted the contingency plans to be complete; for example, the coordinators may have viewed contingencies covering natural disasters as sufficient to address inclement weather even though the term "inclement weather" was not specifically stated in the plan. GAO disagreed, citing continued areas of deficiencies. In September 2005, the Financial Management Service (FMS) and IRS security team conducted an additional review of each site's courier contingency plans to ensure compliance. Their review indicated that in order to increase consistency and ensure the plans are clearly documented, strengthening of the contingency plan requirements was necessary. The 2006 Lockbox Security Guidelines (LSG) 2.7 (1) and (2) includes clarification of the requirements for the courier contingency plans. Review of the contingency plans to ensure incorporation of all of the requirements is now assigned to the IRS/FMS security team as part of the on-site courier contingency review. GAO verified that IRS and FMS jointly reviewed the lockbox bank courier contingency plans and as a result included language in the LSG clarifying that before courier contracts are implemented, couriers must provide a disaster contingency plan to the lockbox bank addressing specific contingencies.
Internal Revenue Service IRS should revise the LPG to specify that courier contingency plans be available at the lockbox banks.
Closed – Implemented
IRS reported that the Lockbox Processing Guidelines (LPG) 4.2.3.1(1) were updated on June 30, 2005, to state that all banks must maintain a signed copy of the courier contingency plan on-site. During its fiscal year 2005 audit, GAO verified that IRS revised the LPG to specify that courier contingency plans be available at lockbox banks.
Internal Revenue Service IRS should review lockbox bank courier and shredding contracts to ensure that they address all privacy-related criteria and include clear reference to privacy-related laws and regulations.
Closed – Implemented
IRS reported that the Lockbox Processing Guidelines (LPG) 4.2.3(2)--Courier Services, which require lockbox banks to ensure all bonded courier/armored car agreements address all privacy-related criteria and include clear reference to privacy-related laws and regulations, were updated on January 1, 2005. Effective January 1, 2006, in addition to the above requirement, the Lockbox Security Guidelines (LSG) 2.17.6 (2)(a) added the requirement that all lockbox banks ensure shred company contracts contain clear reference to the privacy-related laws and regulations. In October 2005, the Lockbox Policy and Procedures team reviewed and confirmed that all courier and shred contracts contained all privacy related criteria. Banks must submit their contracts to the Lockbox Policy and Procedures team for their review by October 1st of each year. The courier contract is also reviewed by the IRS and Financial Management Service security staff during the on-site courier security review. During its fiscal year 2005 audit, GAO verified that the courier and shredding contracts had the required privacy-related language and related provisions set forth in the Privacy Act of 1974. In addition, GAO verified that the LSG requires lockbox banks to ensure that all bonded courier agreements contain privacy-related language and reminds couriers of their responsibility to not disclose taxpayer information.
Internal Revenue Service IRS should revise the LPG to require that (1) lockbox couriers promptly return deposit receipts to the lockbox banks following delivery of taxpayer remittances to depositories and (2) lockbox banks promptly review the returned deposit receipts.
Closed – Implemented
IRS reported that its Lockbox Policy and Procedures Section updated the Lockbox Processing Guidelines (LPG) on January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox Bank Deposit Form, which requires the lockbox site to receive back by the next business day the original completed Receipt for Transport of IRS Lockbox Bank Deposit Form with the bank representative's name and signature and date and time the deposit was received by the depository. Each day the lockbox site must reconcile the Receipt for Transport of IRS Lockbox Bank Deposit Form(s) to ensure receipt of dedicated service (e.g., the time between release to the courier and the release to the bank is not in excess). If discrepancies are found, the lockbox field coordinator should be notified immediately. During its fiscal year 2005 audit, GAO verified that IRS updated the LPG to require that (1) lockbox couriers return, on the next business day, deposit receipts to the lockbox banks following delivery of the taxpayer remittances to depositories, and (2) lockbox banks promptly review, on a daily basis, the returned deposit receipts.
Internal Revenue Service IRS should revise the LPG to require that deposit receipts for taxpayer remittances be time- and date-stamped.
Closed – Implemented
IRS reported that the Lockbox Processing Guidelines (LPG) were updated on January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox Bank Deposit Form--to require the courier service employee to return the form to the lockbox site on the next business day, ensuring the following information is completed on the form: the depository bank employee's name and signature, the date the deposit was received by the depository, and the time the deposit was received by the depository. During its fiscal year 2005 audit, GAO verified that IRS updated the LPG to require that deposit receipts for taxpayer remittances include the time and date of receipt by the depository institution.
Internal Revenue Service IRS should better enforce the LPG requirement that lockbox bank couriers annotate the time of delivery on receipts for deposits of taxpayer remittances.
Closed – Implemented
IRS reported that the Lockbox Processing Guidelines (LPG) 4.2.3.1.8, Receipt for Transport of IRS Lockbox Bank Deposit Form, was updated on January 1, 2005, to require lockbox bank couriers to annotate the time of delivery of receipts for deposits of taxpayer remittances. New Security Performance Measures have been developed to measure and rate each site's overall adherence to security guidelines and provide incentives/disincentives accordingly. Mission Assurance and Financial Management Service security support the Lockbox Policy and Procedures Program Office in conducting security reviews. Reviews will rate each site's compliance to physical, personnel, courier, and Information Technology security. Security Performance Measures is scheduled to be fully implemented by January 2006. To further prepare for filing season each year, each bank is now required to certify that it is adhering to security guidelines. During its fiscal year 2005 audit, GAO verified that IRS updated the LPG to require that couriers annotate the time of delivery of receipts for deposits of taxpayer remittances. Further, GAO did not find any instance during its fiscal year 2005 testing in which the courier did not annotate the time the courier received the deposit from the bank personnel.
Internal Revenue Service IRS should provide a written reminder to courier contractors of the need to adhere to all courier service procedures.
Closed – Implemented
In response to our recommendation, in fiscal year 2007, IRS issued an annual reminder memorandum to all courier contractors and the lockbox banks security team verified that all lockbox bank sites issued similar memorandums reminding couriers to adhere to all of the courier service security procedures in the Lockbox Security Guidelines. By taking these actions, IRS has reduced the risk of loss, theft, or misuse of taxpayer receipts and information.
Internal Revenue Service IRS should periodically verify that contractors entrusted with taxpayer receipts and information offsite adhere to IRS procedures.
Closed – Implemented
IRS's Submission Processing revised the Lockbox Security Guidelines (LSG) in 2007 to require periodic verification that couriers adhere to IRS policy while transporting taxpayer receipts and information. Specifically, IRS stated that at service center campuses (SCC), IRS ensures couriers sign, date, and notate the time of pick up on form 10160, Receipt for Transport of IRS Deposit, and ensure the form is date and time stamped at the time of drop off at the financial institution. Each campus reviews the form and notates any time discrepancies. IRS stated that any discrepancies found will prompt the campus to (1) question the couriers, (2) record the finding in the Courier Incident Log, and (3) use their discretion to make a determination whether or not it is necessary to trail the couriers. GAO verified that IRS revised its LSG to include provisions for periodic verification that couriers adhere to IRS procedures for transporting taxpayer receipts and information. GAO also noted that procedures were established at the campuses involving the review of the returned Form 10160.
Internal Revenue Service IRS should develop alternative back-up plans that are consistent with IRS courier policies and procedures to address instances in which only one courier reports for transport of taxpayer receipts or information, such as requiring that a service center or lockbox bank employee accompany the courier to the depository.
Closed – Implemented
IRS reported that the 2005 Lockbox Processing Guidelines (LPG) 4.2.3.1 "Courier Contingency Plan" was updated on July 18, 2005, (effective Aug. 29, 2005) to include a plan that ensures the security of receipts if courier requirements are not met, or the courier contractor is unable to send suitable replacement couriers in time to meet the bank's deposit deadline. Submission Processing campuses submitted contingency plans in May 2005, which outline what deposit managers are to do in the event that couriers are unable to transport a deposit in the event of non-compliance with contract requirements, vehicle breakdown, or other reasons. In addition, the implementation of the Courier Daily Checklist in April 2005 has continued to work smoothly. During its fiscal year 2005 audit, GAO verified that IRS had updated its LPG for lockbox banks and submitted contingency plans for service center campuses, which outline what to do if couriers are unable to transport a deposit in the event of non-compliance with contract requirements.
Internal Revenue Service IRS should formulate a policy to require that critical utility or security controls not be located in areas requiring frequent access.
Closed – Implemented
IRS stated that its Mission Assurance (MA) and Security Services (SS) units worked with the Business Operating Divisions (BOD) and Procurement to formulate policy guidelines. The Lockbox Policy Guidelines, dated 01/10/06, have been revised. Lockbox Security Guide (LSG) 2.2.1 Main Utility Feeds, includes physical protection of all utilities against accidental or intentional disruption of services. Exterior utilities will be physically protected with bollards, fencing, or similar obstruction to prevent destruction. Where critical controls relative to utility feeds and security systems are located in rooms or areas frequented by contract employees, there must be continuous closed-circuit television (CCTV) coverage as well as tamper proof devices on those controls such as fencing, locks or other protections. LSG 2.2.2.12 page 18(5) has been revised to state that to prevent unauthorized access to control panels or critical systems, keys must be secured and controlled. GAO verified that the revisions to the LSG require physical protection of all main utility feeds against accidental or intentional disruption of service. While the LSG does not require that critical utility or security controls not be located in areas requiring frequent access, the LSG does require that frequently accessed areas where utility feeds are present must be continuously monitored with CCTV coverage as well as tamper proof devices installed on those controls such as fencing, locks, or other protections, and therefore, meets the objective of the recommendation.
Internal Revenue Service IRS should require lockbox bank management to position closed-circuit television cameras to enable monitoring of secured areas containing sensitive systems or controls.
Closed – Implemented
IRS stated that its Mission Assurance unit has developed and incorporated a closed-circuit television (CCTV) evaluation matrix into the security review process ensuring that critical areas and assets are monitored. The January 1, 2007, Lockbox Security Guide (LSG) was revised under (CCTV Cameras) LSG 2.2.2.13.1 (6) and it states that Pan, Tilt, Zoom (PTZ) cameras shall be installed in mail sorting, mail delivery, mail extraction, exceptions processing and certified mail processing areas to ensure sites have the capability to observe, monitor, and record mail extraction activity and to assist in monitoring. Also, the LSG requires that the IRS security controls, equipment, and utilities must be locked to prevent tampering and that keys will be controlled and limited to authorized bank employees. Mission Assurance also included key and combination controls and management as part of its review process at the banks. GAO verified that the LSG requires physical protection of all main utility feeds against accidental or intentional disruption of service. While the LSG does not require that critical utility or security controls not be located in areas requiring frequent access, the LSG does require that frequently accessed areas where utility feeds are present must be continuously monitored with CCTV coverage, as well as tamper proof devices installed on those controls such as fencing, locks, or other protections, and therefore, effectively addresses the issues that gave rise to the recommendation.
Internal Revenue Service IRS should periodically monitor lockbox banks' adherence to the LPG requirement that keys be kept in secured containers within the secured perimeter.
Closed – Implemented
IRS reported that the Lockbox Security Guidelines (LSG) were revised and published on January 1, 2006. The LSG requires strict control of keys, panels, and access to rooms and areas that contain facility utilities and controls. Lockbox banks are monitored and reviewed to ensure compliance to the policy. The Lockbox Physical Security Checklist includes checks to verify compliance to the policy. Five lockbox reviews have been conducted subsequent to publication of the LSG, and IRS has not observed any instances of this finding at any of the sites reviewed. During its fiscal year 2005 audit, GAO verified that IRS periodically monitored adherence to this requirement during IRS's lockbox bank security reviews.
Internal Revenue Service IRS should assess technologies that may be exempt from the visual inspection requirement to determine whether they are acceptable methods of satisfying candling objectives and, if so, add such technologies to the LPG list of accepted candling methods.
Closed – Implemented
IRS reported that its Lockbox Policy and Procedures staff determined that current technologies are not exempt from the candling requirement and added to the 2005 Lockbox Processing Guidelines (LPG) 3.2.8(1) that envelopes opened (either manually or by OPEX) on three or more sides must be candled once on the candling tables. All other envelopes must be candled twice on the candling tables. GAO noted that IRS's determination that current technologies are not exempt from the candling requirement, and the additional LPG guidelines added and verified by GAO during its fiscal year 2005 audit, meet the objective of this recommendation.
Internal Revenue Service IRS should conduct an assessment of the costs and benefits of relying on only one candling when using certain automated equipment.
Closed – Implemented
IRS reported that Wage and Investment (W&I) determined that a cost benefit analysis was not necessary because it previously assessed the candling function on the automated equipment. To provide additional risk mediation, W&I revised the Lockbox Processing Guidelines (LPG) under section 3.2.8 (1) to require that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled once on the candling tables. W&I will monitor adherence during site reviews. IRS's determination that current technologies are not exempt from the candling requirement or the additional LPG guidelines added, verified during GAO's fiscal year 2005 audit, meets the objective of this recommendation.
Internal Revenue Service IRS should clarify the LPG to eliminate confusion about the number of candlings required for different extraction methods.
Closed – Implemented
IRS reported that it updated the 2005 Lockbox Processing Guidelines (LPG) 3.2.8, Candling, to require that envelopes opened (either manually or by OPEX) on three or more sides must be candled once on the candling tables. All other envelopes must be candled twice on the candling tables. GAO verified that IRS updated the LPG to clarify requirements concerning the number of candlings.
Internal Revenue Service IRS should establish guidelines and a testing requirement to ensure satisfactory lighting conditions for effective candling.
Closed – Implemented
IRS reported that the Internal Revenue Manual (IRM) 3.10.72.6.2 (2) (a) requires that all candling equipment on both initial and final candling tables shall be adjusted as necessary to maintain maximum envelope recognition. Maximum envelope recognition is determined by the measurement of foot candles through use of a light meter. Minimum reading on the light meter should be 174. The testing of the candling equipment should be completed twice annually for Individual Master File sites and quarterly for Business Master File sites. Testing will be completed prior to peak time-frames. Management or a designated employee will complete the candling equipment review log to verify lights are meeting minimum requirements. Light meters are available and testing has been completed at all submission processing centers to ensure requirements are met. Sorting table vendors have been contacted and are aware of this requirement and are adjusting all new tables that are purchased to ensure they are in compliance. During its fiscal year 2005 audit, GAO verified that IRS revised its IRM to include guidelines for testing lighting conditions for candling equipment.
Internal Revenue Service IRS should establish policies and procedures to require appropriate segregation of duties in Small Business/Self-Employed (SB/SE) units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages.
Closed – Implemented
We verified that IRS performed a process analysis of SB/SE remittance processing practices as outlined in the IRM in which it concluded that the current level of segregation of duties in the remittance process maintains an acceptable risk.
Internal Revenue Service IRS should enforce the requirement that a Document Transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information.
Closed – Implemented
Since the issuance of this recommendation IRS has taken several actions to address this recommendation. Specifically, it updated the IRM to require (1) the use of a document transmittal form 3210 when sending multiple Daily Report of Collection Activity forms and (2) managers to ensure document transmittal forms are used when transmittal packages include more than one Daily Report of Collection Activity form. In addition, in June 2013, it completed a review of three collection field areas to assess their use of the document transmittal form 3210 to ensure compliance with the IRM. Based on the results, IRS determined no further actions were necessary. We believe that IRS's efforts and actions over the years to enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages sufficiently addresses this recommendation.
Internal Revenue Service IRS should establish a procedure for SB/SE field office units to track Document Transmittal forms and acknowledgements of receipt of Document Transmittal forms.
Closed – Implemented
IRS stated that procedures have been established, updated, and incorporated into its Internal Revenue Manual (IRM), and hard copies were shipped to all applicable employees on September 15, 2006. GAO verified that IRS established procedures requiring its Small Business and Self-Employed employees to track document transmittal forms and to acknowledge receipt for these forms.
Internal Revenue Service IRS should require evidence of managerial review of recording, transmittal, and receipt of acknowledgments of taxpayer receipts and information.
Closed – Implemented
GAO verified that IRS established procedures which require Small Business and Self-Employed to review the recording, transmittal, and receipt of acknowledgments of the document transmittal forms.
Internal Revenue Service IRS should assess options to prevent the generation or disbursement of refunds associated with accounts with unresolved Automated Underreporter Program (AUR) discrepancies, including placement of a freeze or hold on all such accounts, until the AUR review has been completed.
Closed – Implemented
IRS issued a "Hot Topic" memorandum to its staff on January 25, 2007, which added procedures to check for cases that can be identified as an AUR payment and research the taxpayer's account on the Integrated Data Retrieval System (IDRS) for CP 2000 Indicators. During GAO's audit of IRS's fiscal year 2007 financial statements, it confirmed that IRS updated its procedures to prevent the generation or disbursement of refunds associated with AUR accounts. GAO also verified that the procedures were in place requiring employees to conduct IDRS research after receiving an unidentified remittance to determine if there is an open account that allows for posting of the remittance.
Internal Revenue Service IRS should enforce documentation requirements relating to authorizing officials charged with approving manual refunds.
Closed – Implemented
IRS reported that in September 2008, it created a standard authorization Form 14031 for all offices to use. In addition, IRS stated that it continued to issue its annual solicitation memorandum for authorized officials approving manual refunds. GAO verified that the Form 14031 was standardized and properly documented IRS officials charged with approving manual refunds. GAO also verified that the annual solicitation memorandum provided information to enforce documentation requirements.
Internal Revenue Service IRS should enforce requirements for monitoring accounts and reviewing monitoring of accounts.
Closed – Implemented
Since the issuance of this recommendation in 2005, IRS has taken several actions to address this recommendation. Specifically, IRS updated its IRM to require the use of the automated Erroneous Manual Refund Tool (EMT)/Case Monitoring tool to conduct the required manual refund monitoring and managerial reviews of monitoring activity. In addition, in fiscal year 2013, IRS initiated quarterly reviews of the manual refund process to verify compliance with the IRM for monitoring accounts and reviewing monitoring activity for manual refunds. We reviewed a selection of the reviews conducted by IRS in fiscal year 2014 and concluded that IRS's efforts to enforce the requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds sufficiently address our recommendation.
Internal Revenue Service IRS should enforce requirements for documenting monitoring actions and supervisory review.
Closed – Implemented
In October 2013, IRS clarified the requirements in its IRM for managers to document their supervisory reviews of monitoring activity in the Manager's Monitoring Confirmation Log. Further, in fiscal year 2013, IRS initiated reviews of the manual refund process documentation to verify compliance with the IRM. We reviewed a selection of the reviews conducted by IRS in fiscal year 2014 and concluded that IRS's efforts to enforce the requirements for documenting monitoring actions and supervisory review of manual refunds monitoring sufficiently address our recommendation.
Internal Revenue Service IRS should enforce the requirement that command code profiles be reviewed at least once annually.
Closed – Implemented
During GAO's audit of IRS's fiscal year 2007 financial statements, it verified that IRS issued a "Hot Topic" memorandum to its staff in January 2007 and again in March 2007, as a reminder to adhere to the existing process of enforcing the requirement that command code profiles be reviewed at least once annually. Additionally, during its visits to IRS sites as part of its fiscal year 2007 audit, GAO found that at both of the IRS service centers it visited, the command code profiles were reviewed at least once annually. IRS's enforcement of the annual review of command code profiles reduces the risk of errors or fraud and the improper disbursement of manual refunds.
Internal Revenue Service IRS should specify in the Internal Revenue Manual (IRM) that staff members are not to review their own command code profiles.
Closed – Implemented
IRS updated its procedures in September 2007 to prohibit employees from reviewing their own profile or any other report data pertaining to themselves. During GAO's audit of IRS's fiscal year 2007 financial statements, it found no instances of IRS staff members reviewing their own command codes.
Internal Revenue Service IRS should specify in the IRM how to properly verify interest and penalties for accounts with liens with manually calculated interest or penalties.
Closed – Implemented
IRS conducted a study of accounts containing manually calculated interest or penalties and determined that the manually calculated amounts were insignificant. Consequently, IRS reprogrammed its Automated Lien System (ALS) to automatically release liens once the taxpayer's account was full paid. During GAO's audit of IRS's fiscal year 2007 financial statements, it obtained and reviewed a computer extract showing that taxpayer accounts containing manually calculated interest or penalty are no longer being held up from automated lien release.

Topics

Background investigations, Contingency plans, Contractor personnel, Contractors, Financial management, Financial management systems, Financial statement audits, Financial statements, Internal audits, Internal controls, Reporting requirements, Strategic planning, Tax administration, Tax administration systems, Tax refunds, Taxpayers, Bank services, Liens