Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures

GAO-04-553R Published: Apr 26, 2004. Publicly Released: Apr 26, 2004.

Highlights

In November 2003, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of and for the fiscal years ending September 30, 2003 and 2002, and on the effectiveness of its internal controls as of September 30, 2003. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996. A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one, will be issued shortly. The purpose of this report is to discuss issues identified during our fiscal year 2003 audit regarding internal controls and accounting procedures that could be improved and for which we do not presently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2003 audit report, they all warrant management's consideration.

Recommendations

Recommendations for Executive Action

Agency Affected | Recommendation | Status
Internal Revenue Service | IRS should require lockbox bank managers to maintain appropriate documentation on-site demonstrating that satisfactory fingerprint results have been received before contractors are granted access to taxpayer receipts and data.
Closed – Implemented
IRS reported that to provide more emphasis on security, the Lockbox Security Guidelines (LSG) 2.5 now requires appropriate documentation for couriers and guards before they are granted access to taxpayer receipts. To ensure compliance with the LSG, IRS and Financial Management Service security has included this as a review item during their security reviews. GAO verified that the LSG does include a requirement that lockbox managers maintain documentation on-site demonstrating that satisfactory fingerprint results have been received before contractors are granted access to taxpayer receipts and data. During its fiscal year 2005 audit, GAO did not identify any instances in which contractors were granted access to taxpayer receipts and data without having satisfactory fingerprint results on file at the lockbox banks that we visited.
Internal Revenue Service | IRS should revise its policy on two-person courier teams to prohibit the use of courier teams consisting of closely related individuals to further minimize the risk of collusion in the theft of taxpayer receipts and data.
Closed – Implemented
IRS reported that on February 14, 2005, the 2005 Lockbox Processing Guidelines (LPG) were updated and current courier requirements were reinforced with an addendum entitled "Courier's Additional Disclosure Statement." Each courier is required to complete and sign the disclosure, affirming that he or she is not to travel with an immediate family member. In addition, each courier is required to list the name and relationship of each family member residing in the same domicile that also performs courier duties for the IRS. The disclosure statement is updated annually and maintained in the personnel file. Starting in July 2005, during the onsite reviews the IRS and Financial Management Service security team began reviewing the disclosure statements to ensure adherence to this requirement. GAO confirmed that IRS updated its policy on two-person courier teams for lockbox banks as reflected in the revised LPG. Additionally, GAO identified no instances in which two-person courier teams consisted of closely related individuals during our fiscal year 2005 testing at the four lockbox banks and four service center campuses that we visited.
Internal Revenue Service | IRS should develop procedures to require lockbox managers to provide satisfactory evidence that managerial reviews are performed in accordance with established guidelines. At a minimum, reviewers should sign and date the reviewed documents and provide any comments that may be appropriate in the event that their reviews identified problems or raised questions.
Closed – Implemented
IRS now conducts on-site reviews of (1) logs for desk and work areas, (2) date stamps, (3) procedures for handling cash, (4) candling procedures, (5) shredding procedures, and (6) mail procedures using the Data Collection Instrument (DCI) entitled "Procedures-Internal Controls". IRS rolls the results of these reviews into a calculation to determine each bank's score as part of a new bank performance measurement process. In addition, IRS requires lockbox personnel to perform similar reviews monthly and to report the results to the Lockbox Field Coordinators. To comply with the Lockbox Processing Guidelines, these reports must contain: (1) date of review, (2) shifts reviewed, (3) results of the review (even when no items are found), and (4) a reviewer and site manager's initials and/or a signature. Furthermore, IRS stated that additional reviews are performed on the monthly Discovered Remittance candling log, the disk checks/audits, and the shred reports received from the lockbox site by the Lockbox Field Coordinators. GAO verified that IRS established and implemented a Processing Internal Controls and Physical Security DCI, and that these DCIs are used to assess the required managerial reviews that are performed at each lockbox bank.
Internal Revenue Service | IRS should revise its candling procedures at lockbox banks to require testing of automated candling machines at appropriate intervals, taking into account such factors as use time, volume processed, machine requirements, and shift cycles.
Closed – Implemented
IRS reported that Lockbox Policy and Procedures staff assessed the candling procedures and determined that current technologies are not exempt from the candling requirement and added to the 2005 Lockbox Processing Guidelines (LPG) section 3.2.8(1) that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled once on the candling tables. Thus, the requirement to keep tests and logs is not necessary. All other envelopes must be candled twice on the candling tables. During its fiscal year 2005 audit, GAO verified that the LPG requires that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled one additional time on the candling table. This change and IRS's assessment that current technologies are not exempt from the two-candling requirement satisfy the objective of GAO's recommendation.
Internal Revenue Service | IRS should require lockbox managers to maintain logs of these tests and to periodically review their logs.
Closed – Implemented
IRS reported that Lockbox Policy and Procedures staff assessed the candling procedures and determined that current technologies are not exempt from the candling requirement and added to the 2005 Lockbox Processing Guidelines (LPG) section 3.2.8(1) that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled once on the candling tables. Thus, the requirement to keep tests and logs is not necessary. All other envelopes must be candled twice on the candling tables. During its fiscal year 2005 audit, GAO verified that the LPG requires that envelopes opened (either manually or by OPEX equipment) on three or more sides must be candled one additional time on the candling table. This change and IRS's assessment that current technologies are not exempt from the two-candling requirement satisfy the objective of GAO's recommendation.
Internal Revenue Service | IRS should discontinue its practice of storing taxpayer receipts and data outside TAC secured areas without storing the receipts in a secured locked container.
Closed – Implemented
IRS reported that written procedures have been provided to TAC employees for safeguarding taxpayer receipts when received. IRM 21.3.4.7(6), issued in June 2003, provides guidance stating that payments received from taxpayers will be immediately placed in a locked container. The receipts are also stored away from employees' personal belongings. IRS will continue to conduct operational reviews at TAC offices to ensure IRM procedures are being followed. The TAC location that was noted for securing payments from taxpayers outside the secure area of the TAC was contacted and the location of the desk has been moved inside the secured area of the TAC. The TAC manager was informed to ensure all TAC operations are conducted inside the secured area of the TAC. IRS monitored adherence to IRM procedures related to receiving and storing taxpayer data in secured areas during operational reviews conducted in fiscal year 2004. No discrepancies were noted. GAO verified that IRS included monitoring of its policy and procedures regarding receiving and storing taxpayer data in secured areas during operational reviews conducted in fiscal year 2004. In addition, GAO did not find any instances during its fiscal year 2004 audit visits to IRS field offices in which taxpayer receipts and data stored outside the TAC secured areas were not stored in a secured locked container.
Internal Revenue Service | IRS should develop procedures to enhance adherence to existing instructions on safeguarding discovered remittances at service center campuses.
Closed – Implemented
IRS issued revised procedures covering discovered remittances which were distributed to all Service Center campuses. Additionally, IRS revised its Form 4287 (Record of Discovered Remittances) to enhance adherence to existing instructions by including a check box for managers to indicate the reconciliation was performed. Additionally, IRS's Submission Processing (SP) revised the monthly security checklist to include a review of the discovered remittance procedures. IRS also added a "Discovered Remittances Job Aid" to its written procedures. SP is committed to conducting quarterly meetings with noncompliant offices to reinforce Discovered Remittances procedures. GAO verified IRS's actions and concluded that these actions effectively addressed the issues that gave rise to the recommendation.
Internal Revenue Service | IRS should enforce its policies and procedures to ensure that service center campus security guards respond to alarms.
Closed – Implemented
According to IRS, it enforces monthly unannounced monitoring of guard response to alarms. Its Physical Security and Emergency Preparedness (PSEP) Risk Management (RM) office conducted an Alarm Monitoring Workshop on April 28, 2009, that included this topic. RM sends a calendar/reminder to alarm program coordinators each Friday before the monthly report is due, and continues to oversee and ensure compliance of alarm testing and results via internal reporting tools. A communication was distributed to PSEP Operational Readiness to reiterate policy on guard response to alarms on February 2, 2010. GAO confirmed that IRS continually enforces its policies and procedures to ensure that Service Center Campus security guards respond to alarms, and that it sends monthly reminders to alarm program coordinators to ensure that alarms are tested and guards' responses are evaluated in each test. GAO also confirmed that alarm program coordinators are required to summarize the test results and report them monthly to PSEP management.
Internal Revenue Service | IRS should establish compensating controls in the event that automated security systems malfunction, such as notifying guards and managers of the malfunction and immediately deploying guards to better protect the processing center's perimeter.
Closed – Implemented
IRS's Mission Assurance (MA) unit developed alarm testing procedures which are used to supplement the requirements in the agency's Internal Revenue Manual (IRM). The IRM and supplemental procedures require the notification of local management whenever there is a malfunction of alarms. The procedures also require that guards are deployed or doors are secured, as necessary, either during tests or when otherwise identified. The contract guard force project manager is required to sign off on all unannounced alarm test reports. Test results are maintained by the Physical Security and Emergency Preparedness office. GAO verified that IRS revised language in the IRM that addresses specific compensating actions to be taken in the event of sporadic malfunctioning alarms or an overall system failure.
Internal Revenue Service | IRS should modify outstanding unliquidated obligations reports to ensure that they report the last activity date for each outstanding obligation line amount.
Closed – Implemented
IRS reported that it modified the Aged Unliquidated Obligations (AUO) report to capture the last activity date for each obligation line amount. During GAO's fiscal year 2004 audit it verified that the IRS modified the AUO report accordingly.
Internal Revenue Service | IRS should require procurement office staff to review and sign off on whether obligations are valid or require deobligation before business units complete their quarterly certifications.
Closed – Implemented
During GAO's fiscal year 2004 audit, it verified that IRS implemented new guidelines for the quarterly review and certification of all outstanding obligations. As part of the review process, the procurement office staff reviews the AUO reports and determines whether obligations that they are responsible for reviewing are valid or need to be deobligated. The financial plan managers review procurement office staff responses prior to completing their quarterly certification. In addition, during the fiscal year 2004 testing, GAO found that obligations were being properly deobligated.
Internal Revenue Service | IRS should enhance its compensating internal controls by including tests or recalculations of payroll computations performed by the National Finance Center for the IRS employees selected for review each pay period.
Closed – Implemented
IRS implemented this recommendation in fiscal year 2004 when its operations division expanded its current random sample payroll review and validation process to include the recalculation of agency TSP contributions. GAO verified the effectiveness of IRS's actions during its fiscal year 2004 audit.
Internal Revenue Service | IRS should timely investigate and resolve any identified errors.
Closed – Implemented
IRS agreed with this recommendation and established a standard process for conducting audits of salary and benefit computations prepared by the National Finance Center. IRS also established a standard process for timely investigating and resolving any errors that are identified. GAO verified that IRS satisfactorily implemented these procedures during its fiscal year 2004 financial statement audit.
Internal Revenue Service | IRS should establish review procedures for amounts being reported in Supplemental Information to the financial statements for Other Claims for Refund.
Closed – Implemented
IRS agreed with this recommendation and added a second level of review to its financial statements in fiscal year 2004 to ensure changes are identified and reported before final printing. GAO found no issues during its fiscal year 2004 audit.
Internal Revenue Service | Until BPMS is fully operational, IRS should implement procedures to ensure that all performance data reported in MPS reports are subject to effective, documented reviews to provide reasonable assurance that the data are current at interim periods.
Closed – Implemented
IRS agreed with this recommendation and stated that it has taken steps to ensure that interim performance measurement data are properly reviewed before being published and provided a summary of its specific steps. During GAO's audit of IRS's fiscal year 2007 financial statements, it did not find any exceptions in IRS's performance information or its related review.

Topics

Accounting procedures, Audit reports, Auditing standards, Contractors, Financial statement audits, Internal controls, Performance measures, Personnel management, Financial statements, Payroll records