Management Report:

Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting

GAO-19-412R: Published: May 9, 2019. Publicly Released: May 9, 2019.


Contact:

Cheryl E. Clark
(202) 512-9377
clarkce@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Does the IRS get audited, too?

Every year we audit the IRS's financial statements. Our FY 2018 audit found new and continuing problems related to its internal controls over its financial reporting.

For instance, we found issues with how the IRS:

  • Accounts for taxes receivable—the money it estimates it will collect from taxes owed
  • Safeguards taxpayer information
  • Reviews suspicious and questionable tax returns

Problems like these could lead to misstatements in IRS's financial statements, as well as unauthorized access to taxpayer information.

We made 12 additional recommendations in this report to address these issues.

 

The sign outside of the Internal Revenue Service building.



What GAO Found

During its audit of the Internal Revenue Service's (IRS) fiscal years 2018 and 2017 financial statements, GAO identified continuing control deficiencies related to IRS's accounting for federal taxes receivable and other unpaid assessments that collectively represent a significant deficiency in IRS's internal control over unpaid tax assessments as of September 30, 2018. GAO also identified new control deficiencies in IRS's internal control over financial reporting that, although not considered a material weakness or significant deficiency, nonetheless warrant IRS management's attention. These control deficiencies concern IRS's

  • nationwide strategy for safeguarding taxpayer receipts and associated information,
  • physical security policies and procedures,
  • review of visitor access logs,
  • transmission of taxpayer receipts,
  • designations of unit security representatives,
  • review of automated tax refund information prior to certification for payment,
  • review of refund schedule numbers for manual refunds, and
  • review of suspicious and questionable tax returns in Examination.

In addition, for six of the 32 recommendations from GAO's prior reports related to control deficiencies in IRS's internal control over financial reporting, GAO found that IRS implemented corrective actions during fiscal year 2018 that resolved the deficiencies, and as a result, these recommendations were closed. GAO closed one additional recommendation that related to unpaid assessments, by making a new recommendation that is better aligned with the remaining deficiencies that collectively represent a significant deficiency in internal controls over this area as of September 30, 2018. As a result, IRS currently has 37 GAO recommendations to address—the previous 25 open recommendations and the 12 new recommendations GAO is making in this report.

Why GAO Did This Study

The purpose of this report is to present those internal control deficiencies identified during GAO's audit of IRS's fiscal years 2018 and 2017 financial statements for which GAO did not already have any recommendations outstanding. This report provides new recommendations to address these internal control deficiencies and also presents the status, as of September 30, 2018, of IRS's corrective actions taken to address GAO's recommendations from its prior financial audits that remained open as of September 30, 2017.

What GAO Recommends

GAO is making 12 recommendations to address the identified control deficiencies. These recommendations are intended to improve IRS's internal controls over financial reporting as well as to bring IRS into conformance with its own policies and Standards for Internal Control in the Federal Government. IRS stated that it is committed to implementing appropriate improvements to ensure that it maintains sound financial management practices. IRS agreed with GAO's 12 new recommendations and described planned actions to address each recommendation.

For more information, contact Cheryl E. Clark at (202) 512-9377 or clarkce@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2019, IRS documented the key management decisions in the design and use of the estimation process. This step should reduce the risk that IRS may perform sampling procedures inconsistent with management intent or plans. Continued management commitment and sustained efforts are necessary to build on the progress made to date and to fully address IRS's remaining unresolved issues concerning the management and reporting of unpaid assessments. We will assess IRS's progress in addressing these issues during our audit of IRS's fiscal year 2020 financial statements.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials implement the necessary actions to effectively address the two primary causes of the significant deficiency in IRS's internal control over unpaid assessments. These actions should (1) resolve the system limitations affecting the recording and maintenance of reliable and appropriately classified unpaid assessments and related taxpayer data to support timely and informed management decisions, and enable appropriate financial reporting of unpaid assessment balances throughout the year, and (2) identify the control deficiencies that result in significant errors in taxpayer accounts and implement control procedures to routinely and effectively prevent, or detect and correct, such errors. (Recommendation 19-01)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Open

    Priority recommendation

    Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that Facilities Management and Security Services is in the process of developing and documenting a formal, comprehensive strategy. According to IRS officials, this strategy will include different overarching goals, such as improving workforce effectiveness, ensuring appropriate monitoring functions and employee accountability, and improving coordination and communication of policies and procedures. IRS plans to complete the formal, comprehensive strategy during fiscal year 2020 and finalize the implementation of this strategy by March 2021.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials document and implement a formal comprehensive strategy to provide reasonable assurance concerning its nationwide coordination, consistency, and accountability for internal control over key areas of physical security. This strategy should include nationwide improvements for (1) coordinating among the functional areas involved in physical security; (2) implementing and monitoring the effectiveness of physical security policies, procedures, and internal controls; and (3) ongoing communication in identifying, documenting, and taking corrective action to resolve underlying control issues that affect IRS's facilities. (Recommendation 19-02)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Open

    Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2019, IRS used a questionnaire survey and obtained feedback from security section chiefs and physical security specialists to determine the reasons staff did not consistently comply with IRS's existing requirement to maintain an emergency contact list at all IRS facilities. IRS officials stated that during fiscal year 2020, the Facilities Management and Security Services will establish a process to better enforce compliance with the requirement based on the results of the feedback obtained.

    Recommendation: The Commissioner of Internal Revenue should ensure that appropriate IRS officials determine the reasons staff did not consistently comply with IRS's existing requirement for maintaining an emergency contact list at all of its facilities and, based on this determination, establish a process to enforce compliance with the requirement. (Recommendation 19-03)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Open

    Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the Facilities Management and Security Services will (1) update the Internal Revenue Manual to reflect the requirement to use the Alarm Maintenance and Testing Certification Report to document alarm testing results, including any malfunctioning alarms and related corrective actions taken, as appropriate; and (2) review the Alarm Maintenance and Testing Certification Report Form and incorporate any additional instructions and fields to document the specific alarms tested, the testing results, and related corrective actions taken, as appropriate.

    Recommendation: The Commissioner of Internal Revenue should ensure that appropriate IRS officials establish and implement policies and procedures requiring that corrective actions be documented in the Alarm Maintenance and Testing Certification Report for malfunctioning alarms identified in the annual alarm tests. (Recommendation 19-04)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Open

    Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the Facilities Management and Security Services will develop, document, and implement policies or procedures, or both, to provide reasonable assurance of the accuracy and physical security of the video surveillance systems at all IRS facilities by including periodic checks and adjustments, as needed, as part of the annual service and maintenance of security equipment.

    Recommendation: The Commissioner of Internal Revenue should ensure that the appropriate IRS officials establish and implement policies or procedures, or both, to provide reasonable assurance that the video surveillance systems at all IRS facilities record activity at the correct time and are properly secured. The policies or procedures should include periodic checks and adjustments, as needed, as part of the annual service and maintenance of security equipment and systems. (Recommendation 19-05)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  6. Status: Open

    Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the Information Technology and the Criminal Investigation organizations will update and implement their policies or procedures, or both, to clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the review is to be conducted, and (3) how the review should be documented.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the review is to be conducted, and (3) how the review should be documented. (Recommendation 19-06)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  7. Status: Open

    Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that the Small Business/Self-Employed (SB/SE) Field Collection organization determined that the reasons the policies and procedures were not always followed were either a lack of understanding of the requirements or a lack of consistency in adhering to them. In order to address this, in October 2019, Field Collection distributed a memorandum to its area directors, territory managers, and group managers, reminding them of the required remittance processing procedures, emphasizing the importance of following the procedures, and requesting that they distribute the information in the memorandum within their organization. IRS officials stated that the memorandum will help assure that SB/SE Field Collection units comply with the applicable policies and procedures. Since this memorandum was issued after the end of our fiscal year 2019 audit, we will review the implementation of this action during our fiscal year 2020 audit. Further, IRS officials stated that during fiscal year 2020, the SB/SE Examination organization will identify the reason that IRS's policies and procedures for transmittal forms were not followed, and based on this, it will add guidance to the applicable Internal Revenue Manual sections to clarify and supplement the service-wide guidance for the appropriate control, monitoring, and review of the forms used to transmit packages containing personally identifiable information.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials (1) identify the reason IRS's policies and procedures related to the transmittal forms were not always followed and (2) design and implement actions to provide reasonable assurance that SB/SE units comply with these policies and procedures. (Recommendation 19-07)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  8. Status: Open

    Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2019, the Information Technology (IT) organization updated IRS's Integrated Data Retrieval System (IDRS) security policy contained in the Internal Revenue Manual to ensure that the IDRS account administration process complies with IRS's personnel security policy regarding background investigation completion dates. In addition, IRS officials stated that by November 2020, the IT organization will update the Unit Security Representative (USR) designation form, as well as policies and procedures, to clearly define the roles and responsibilities of second-level managers and IDRS security account administrators for validating the information on USR designation forms, including how the information should be validated.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to clearly define the roles and responsibilities of second-level managers and IDRS security account administrators for validating the information on USR designation forms, including specifying how the information should be validated. (Recommendation 19-08)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  9. Status: Open

    Comments: During fiscal year 2019, the Information Technology organization updated its standard operating procedures to clearly specify the tax refund data elements that the Processing Validation Section Certifying Officers are required to verify before certifying the tax refunds in the Secure Payment System. Since IRS completed this action after we had already performed our fiscal year 2019 testing related to the certification of tax refunds, we will evaluate IRS's actions to address this recommendation during our fiscal year 2020 audit.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement procedures to clearly specify the tax refund data elements that PVS COs are required to verify before certifying the tax refunds in SPS. (Recommendation 19-09)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  10. Status: Open

    Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the Wage & Investment organization will establish and implement a review process to provide reasonable assurance that the Refund Schedule Numbers on manual refund forms are transcribed accurately into the Integrated Submission and Remittance Processing system.

    Recommendation: The Commissioner of Internal Revenue should ensure that the appropriate IRS officials establish and implement a review process to provide reasonable assurance that the RSNs that Data Conversion key entry operators enter into the ISRP system and post to the master files are correct. (Recommendation 19-10)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  11. Status: Open

    Comments: IRS officials stated that the Wage and Investment organization agrees that developing and implementing a Unified Work Request for programming changes is needed to systemically validate the refund schedule numbers input into the Integrated Submission and Remittance Processing system; however, IRS officials indicated that the organization is unable to commit to implementing a corrective action because of budgetary constraints. As a result, IRS will place this recommendation on hold until funds are available.

    Recommendation: The Commissioner of Internal Revenue should ensure that the appropriate IRS officials implement a validity check in the ISRP system to confirm that RSNs that Data Conversion key entry operators enter into the system have the required 14 digits. (Recommendation 19-11)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  12. Status: Open

    Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that by April 2020, IRS will update and implement policies or procedures, or both, requiring that reviewers follow up with tax examiners to verify that the errors tax examiners made in working a case related to suspicious or questionable tax returns are corrected.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to require that reviewers follow up with tax examiners to verify that the errors tax examiners made in working on cases related to suspicious or questionable tax returns are corrected. (Recommendation 19-12)

    Agency Affected: Department of the Treasury: Internal Revenue Service

 
