Management Report:

Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting

GAO-17-454R: Published: May 17, 2017. Publicly Released: May 17, 2017.

Additional Materials:

Contact:

Cheryl E. Clark
(202) 512-9377
clarkce@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

During its audit of the Internal Revenue Service's (IRS) fiscal years 2016 and 2015 financial statements, GAO identified a new control deficiency regarding changes to master file programs that contributed to IRS's continuing material weakness in internal control over unpaid assessments as of September 30, 2016. GAO also identified other new deficiencies in IRS's internal control over financial reporting that although not considered material weaknesses or significant deficiencies, nonetheless warrant IRS management's attention. These control deficiencies concern

  • Internal Revenue Manual policies and procedures,
  • digital signatures on forms related to the authorization of manual refunds,
  • assignment of user access rights in IRS's human resources information management system,
  • review of the process for determining intragovernmental costs and costs with the public, and
  • accuracy of asset disposal dates.

GAO is making 2 new recommendations pertaining to the new control deficiency that contributed to IRS's continuing material weakness in internal control over unpaid assessments and 8 recommendations related to the other identified control deficiencies, for a total of 10 new recommendations. Further, GAO found that IRS had completed corrective action on 11 of the 42 recommendations from its prior financial audits that remained open at the beginning of GAO's fiscal year 2016 audit. As a result, IRS currently has 41 GAO recommendations to address, which consist of the previous 31 open recommendations and the 10 new recommendations GAO is making in this report.

Why GAO Did This Study

The purpose of this report is to present those internal control deficiencies identified during GAO's audit of IRS's fiscal years 2016 and 2015 financial statements for which GAO did not already have any recommendations outstanding. This report provides new recommendations to address these internal control deficiencies and also presents the status, as of September 30, 2016, of IRS's corrective actions taken to address GAO's recommendations from its prior financial audits that remained open at the beginning of GAO's fiscal year 2016 audit.

What GAO Recommends

GAO is making 10 recommendations related to the new control deficiencies. These recommendations are intended to improve IRS's internal controls over its financial management and accountability of resources as well as to bring IRS into conformance with its own policies and Standards for Internal Control in the Federal Government. IRS stated that it is committed to implementing appropriate improvements to ensure that IRS maintains sound financial management practices. IRS agreed with GAO's 10 recommendations and described actions it has taken or planned to take to address each recommendation.

For more information, contact Cheryl E. Clark at (202) 512-9377 or clarkce@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: As of September 30, 2019, all IRS operating divisions involved with this recommendation developed and implemented a process to reasonably assure that IRS operating divisions and the IT organization effectively coordinate with the CFO organization when making programming changes to information systems affecting financial reporting. These actions achieve the objectives of this recommendation.

    Recommendation: The IRS Commissioner should direct the appropriate IRS officials to develop and implement a process to reasonably assure that IRS operating divisions and the information technology (IT) organization effectively coordinate with the Chief Financial Officer (CFO) organization when making programming changes to information systems affecting financial reporting.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: As of September 30, 2018, IRS's Business Master File Office of the information technology (IT) organization researched and determined the reasons its staff did not follow IRS policy to thoroughly test programming changes related to the automation of specific penalty abatement procedures to reasonably assure that they worked as intended before implementation. According to the IT organization, these reasons included lack of (1) clear and consistent communication between stakeholders, (2) compliance with existing standards and policies, and (3) oversight to ensure quality programming changes. Based on this determination, the IT organization implemented weekly stakeholder meetings, created additional training to increase understanding of and compliance with existing standards and policies, and developed a new Applications Development transmittal checklist for required use when developing program changes and ensured the retention of test results. IRS's actions sufficiently address our recommendation.

    Recommendation: The IRS Commissioner should direct the appropriate IRS officials to research and determine the reason the IT organization did not follow IRS policy to thoroughly test programming changes related to the automation of specific penalty abatement procedures to reasonably assure that they worked as intended before implementation. Based on this determination, the IRS Commissioner should direct the appropriate IRS officials to establish a process to better ensure compliance with existing policies for testing programming changes, including the use and review of the Applications Development transmittal checklist when developing program changes and retention of test results.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Open

    Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2018, IRS created an annual Internal Revenue Manual (IRM) review and certification requirement to reasonably assure that all IRM sections align with the current control procedures and guidance that IRS personnel are implementing. In addition, the Small Business/Self-Employed (SB/SE) and Tax Exempt & Government Entities (TE/GE) organizations developed action plans to achieve substantial compliance with this requirement. During fiscal year 2019, the SB/SE organization completed its action plan; however, IRS officials stated that the TE/GE organization will complete its action plan during fiscal year 2020. Further, in fiscal year 2019, the Large Business & International organization reviewed and analyzed the results of its involvement in the annual IRM certification process. Based on the results of its analysis, the organization developed an action plan to achieve substantial compliance with the IRM review and certification requirement, which IRS officials stated it will complete by December 2021.

    Recommendation: The IRS Commissioner should direct the appropriate IRS officials to strengthen the process for reasonably assuring that the Internal Revenue Manual (IRM) is reviewed annually to align with the current control procedures and guidance being implemented by agency personnel. This should include a mechanism for reasonably assuring that program owner directors (1) review their respective program control activities and related guidance annually and timely update the IRM as needed, (2) document their reviews, and (3) utilize interim guidance and supplemental guidance correctly for their intended purposes.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Closed - Implemented

    Comments: In February 2017, IRS revised the Internal Revenue Manual and updated the corresponding standard operating procedures to synchronize the frequency of performing (1) emergency/alarm contact-list validation, (2) duress alarm inventory validation, and (3) federal security risk assessments. IRS's actions sufficiently address our recommendation.

    Recommendation: The IRS Commissioner should direct the appropriate IRS officials to ensure that the respective Agency-Wide Shared Services IRM and supplemental guidance related to the frequency of performing (1) emergency/alarm contact-list validation, (2) duress alarm inventory validation, and (3) federal security risk assessments are consistent.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Closed - Implemented

    Comments: In April 2017, IRS updated the CFO IRM section to align the definition of tax gap with the current understanding that IRS personnel follow. In addition, in December 2017, the Privacy, Governmental Liaison and Disclosure organization removed the tax gap definition from its IRM section. IRS's actions sufficiently address our recommendation.

    Recommendation: The IRS Commissioner should direct the appropriate IRS officials to update the respective (1) Privacy, Governmental Liaison and Disclosure and (2) CFO IRM sections related to the definition of the tax gap to align with the current understanding followed by IRS personnel.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  6. Status: Closed - Implemented

    Comments: During fiscal year 2019, IRS updated the applicable Internal Revenue Manual sections to require employees to verify the validity of the digital signatures on manual refund request forms and the manual refund signature authorization forms. IRS's actions sufficiently address our recommendation.

    Recommendation: The IRS Commissioner should direct the appropriate IRS officials to revise the applicable IRM sections pertaining to manual refunds to require employees to verify the validity of the digital signatures on the manual refund request forms and the manual refund signature authorization forms.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  7. Status: Closed - Implemented

    Comments: In April 2017, IRS identified and removed the system access rights in HR Connect that allowed HR assistants within the Employment Operations office to approve and release pay-related personnel actions. During our fiscal year 2017 audit, we observed that IRS's corrective actions were effective in preventing HR assistants from approving and releasing pay-related personnel actions and confirmed that these access rights were removed from all HR assistants in the Employment Operations office. IRS's actions sufficiently address our recommendation

    Recommendation: The IRS Commissioner should direct the appropriate IRS officials to revise system access rights in Human Resources (HR) Connect to prevent HR assistants within the Employment Operations office from approving and releasing pay-related personnel actions to the National Finance Center (NFC).

    Agency Affected: Department of the Treasury: Internal Revenue Service

  8. Status: Closed - Implemented

    Comments: IRS revised the HR Connect HR User Profiles Desk Guide in December 2016, and subsequently in April 2017. The revised desk guide provides instructions for granting access rights to HR assistants within the Employment Operations office that will not allow them to both approve and release pay-related personnel actions to NFC. IRS's actions sufficiently address our recommendation.

    Recommendation: The IRS Commissioner should direct the appropriate IRS officials to revise the HR Connect HR User Profiles Desk Guide to clearly indicate that HR assistants within the Employment Operations office should not be granted access to approve and release pay-related personnel actions to NFC.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  9. Status: Closed - Implemented

    Comments: The CFO organization documented the existing procedures to periodically review the process for determining the intragovernmental and public costs for each program. These procedures will be used if OMB Circular A-136 is revised to reinstate the requirement to report the intragovernmental and public costs for each major program in the notes to the financial statements. IRS's actions sufficiently address our recommendation.

    Recommendation: The IRS Commissioner should direct the appropriate IRS officials to establish and implement procedures to periodically review the process for determining the intragovernmental costs and costs with the public for each major program reported in the notes to the financial statements to provide reasonable assurance that these amounts are reliable and fairly presented.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  10. Status: Closed - Implemented

    Comments: Effective April 2018, IRS established the Facilities Management and Security Services Property and Asset Management Desk Guide, which contains guidelines as to what events constitute removal from IRS premises and the disposal date that should be recorded in its inventory system. IRS's actions satisfy the objectives of our recommendation.

    Recommendation: The IRS Commissioner should direct the appropriate IRS officials to provide clear guidelines as to what events constitute removal from IRS premises and the disposal date that should be recorded in its inventory system, either through an update of the IRM or other property and equipment-related desk guides.

    Agency Affected: Department of the Treasury: Internal Revenue Service

 

Explore the full database of GAO's Open Recommendations »

Jun 29, 2020

Jun 16, 2020

May 1, 2020

Apr 30, 2020

  • tax icon, source: Eyewire

    Priority Open Recommendations:

    Internal Revenue Service
    GAO-20-548PR: Published: Apr 23, 2020. Publicly Released: Apr 30, 2020.

Apr 1, 2020

Mar 2, 2020

Feb 26, 2020

Feb 25, 2020

Feb 12, 2020

Jan 15, 2020

Looking for more? Browse all our products here