Recommendation: The Commissioner of Internal Revenue should document measurable objectives for using data in selecting exempt organization returns for examination. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should document and consistently use clear criteria and decision rules on assigning point values to queries, using categories and sliding scales. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should require a regular review of query descriptions and programming to ensure their accuracy and minimize queries that flag the same or similar compliance issue. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should develop procedures and criteria to test new queries prior to implementation in the models. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should more fully document how TE/GE processes data and uses data to make examination selection decisions for sources outside of the model such as research projects and other projects that use queries. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should conduct an analysis to identify the optimal interval between model runs. (Recommendation 6)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should establish a process for regularly evaluating selection decisions and related outcomes for the models and other processes that use data to select returns for examinations. (Recommendation 7)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should document consideration or action on recommendations from its 2018 and 2020 contractor assessments. (Recommendation 8)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should document how score and query data for all returns in the models will continue to be saved over the long term. (Recommendation 9)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should ensure that historical data on examination outcomes are consistently defined and used when doing analysis of examination outcomes. (Recommendation 10)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should routinely analyze the reasons for not examining selected returns and identify any necessary actions to address the reasons. (Recommendation 11)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should annually review and update procedures as needed in relevant IRM sections on examination selection and issue interim guidance until the affected IRM sections are updated. (Recommendation 12)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Commissioner of Internal Revenue should document why TE/GE has not identified any risks in its risk register for using data to select exempt organization returns for examination. If risks are subsequently identified, TE/GE should document how it plans to analyze and address them. (Recommendation 13)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials implement the necessary actions to effectively address the two primary causes of the significant deficiency in IRS's internal control over unpaid assessments. These actions should (1) resolve the system limitations affecting the recording and maintenance of reliable and appropriately classified unpaid assessments and related taxpayer data to support timely and informed management decisions, and enable appropriate financial reporting of unpaid assessment balances throughout the year, and (2) identify the control deficiencies that result in significant errors in taxpayer accounts and implement control procedures to routinely and effectively prevent, or detect and correct, such errors. (Recommendation 19-01)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2019, IRS documented the key management decisions in the design and use of the estimation process. This step should reduce the risk that IRS may perform sampling procedures inconsistent with management intent or plans. Continued management commitment and sustained efforts are necessary to build on the progress made to date and to fully address IRS's remaining unresolved issues concerning the management and reporting of unpaid assessments. We will assess IRS's progress in addressing these issues during our audit of IRS's fiscal year 2020 financial statements.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials document and implement a formal comprehensive strategy to provide reasonable assurance concerning its nationwide coordination, consistency, and accountability for internal control over key areas of physical security. This strategy should include nationwide improvements for (1) coordinating among the functional areas involved in physical security; (2) implementing and monitoring the effectiveness of physical security policies, procedures, and internal controls; and (3) ongoing communication in identifying, documenting, and taking corrective action to resolve underlying control issues that affect IRS's facilities. (Recommendation 19-02)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that Facilities Management and Security Services is in the process of developing and documenting a formal, comprehensive strategy. According to IRS officials, this strategy will include different overarching goals, such as improving workforce effectiveness, ensuring appropriate monitoring functions and employee accountability, and improving coordination and communication of policies and procedures. IRS plans to complete the formal, comprehensive strategy during fiscal year 2020 and finalize the implementation of this strategy by March 2021.

Recommendation: The Commissioner of Internal Revenue should ensure that appropriate IRS officials determine the reasons staff did not consistently comply with IRS's existing requirement for maintaining an emergency contact list at all of its facilities and, based on this determination, establish a process to enforce compliance with the requirement. (Recommendation 19-03)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2019, IRS used a questionnaire survey and obtained feedback from security section chiefs and physical security specialists to determine the reasons staff did not consistently comply with IRS's existing requirement to maintain an emergency contact list at all IRS facilities. IRS officials stated that during fiscal year 2020, the Facilities Management and Security Services will establish a process to better enforce compliance with the requirement based on the results of the feedback obtained.

Recommendation: The Commissioner of Internal Revenue should ensure that appropriate IRS officials establish and implement policies and procedures requiring that corrective actions be documented in the Alarm Maintenance and Testing Certification Report for malfunctioning alarms identified in the annual alarm tests. (Recommendation 19-04)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the Facilities Management and Security Services will (1) update the Internal Revenue Manual to reflect the requirement to use the Alarm Maintenance and Testing Certification Report to document alarm testing results, including any malfunctioning alarms and related corrective actions taken, as appropriate;, and (2) review the Alarm Maintenance and Testing Certification Report Form and incorporate any additional instructions and fields to document the specific alarms tested, the testing results, and related corrective actions taken, as appropriate.

Recommendation: The Commissioner of Internal Revenue should ensure that the appropriate IRS officials establish and implement policies or procedures, or both, to provide reasonable assurance that the video surveillance systems at all IRS facilities record activity at the correct time and are properly secured. The policies or procedures should include periodic checks and adjustments, as needed, as part of the annual service and maintenance of security equipment and systems. (Recommendation 19-05)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the Facilities Management and Security Services will develop, document, and implement policies or procedures, or both, to provide reasonable assurance of the accuracy and physical security of the video surveillance systems at all IRS facilities by including periodic checks and adjustments, as needed, as part of the annual service and maintenance of security equipment.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the review is to be conducted, and (3) how the review should be documented. (Recommendation 19-06)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the Information Technology and the Criminal Investigation organizations will update and implement their policies or procedures, or both, to clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the review is to be conducted, and (3) how the review should be documented.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials (1) identify the reason IRS's policies and procedures related to the transmittal forms were not always followed and (2) design and implement actions to provide reasonable assurance that SB/SE units comply with these policies and procedures. (Recommendation 19-07)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that the Small Business/Self-Employed (SB/SE) Field Collection organization determined that the reasons the policies and procedures were not always followed were either a lack of understanding of the requirements or a lack of consistency in adhering to them. In order to address this, in October 2019, Field Collection distributed a memorandum to its area directors, territory managers, and group managers, reminding them of the required remittance processing procedures, emphasizing the importance of following the procedures, and requesting that they distribute the information in the memorandum within their organization. IRS officials stated that the memorandum will help assure that SB/SE Field Collection units comply with the applicable policies and procedures. Since this memorandum was issued after the end of our fiscal year 2019 audit, we will review the implementation of this action during our fiscal year 2020 audit. Further, IRS officials stated that during fiscal year 2020, the SB/SE Examination organization will identify the reason that IRS's policies and procedures for transmittal forms were not followed, and based on this, it will add guidance to the applicable Internal Revenue Manual sections to clarify and supplement the service-wide guidance for the appropriate control, monitoring, and review of the forms used to transmit packages containing personally identifiable information.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to clearly define the roles and responsibilities of second-level managers and IDRS security account administrators for validating the information on USR designation forms, including specifying how the information should be validated. (Recommendation 19-08)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2019, the Information Technology (IT) organization updated IRS's Integrated Data Retrieval System (IDRS) security policy contained in the Internal Revenue Manual to ensure that the IDRS account administration process complies with IRS's personnel security policy regarding background investigation completion dates. In addition, IRS officials stated that by November 2020, the IT organization will update the Unit Security Representative (USR) designation form, as well as policies and procedures, to clearly define the roles and responsibilities of second-level managers and IDRS security account administrators for validating the information on USR designation forms, including how the information should be validated.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement procedures to clearly specify the tax refund data elements that PVS COs are required to verify before certifying the tax refunds in SPS. (Recommendation 19-09)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During fiscal year 2019, the Information Technology organization updated its standard operating procedures to clearly specify the tax refund data elements that the Processing Validation Section Certifying Officers are required to verify before certifying the tax refunds in the Secure Payment System. Since IRS completed this action after we had already performed our fiscal year 2019 testing related to the certification of tax refunds, we will evaluate IRS's actions to address this recommendation during our fiscal year 2020 audit.

Recommendation: The Commissioner of Internal Revenue should ensure that the appropriate IRS officials establish and implement a review process to provide reasonable assurance that the RSNs that Data Conversion key entry operators enter into the ISRP system and post to the master files are correct. (Recommendation 19-10)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the Wage & Investment organization will establish and implement a review process to provide reasonable assurance that the Refund Schedule Numbers on manual refund forms are transcribed accurately into the Integrated Submission and Remittance Processing system.

Recommendation: The Commissioner of Internal Revenue should ensure that the appropriate IRS officials implement a validity check in the ISRP system to confirm that RSNs that Data Conversion key entry operators enter into the system have the required 14 digits. (Recommendation 19-11)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS officials stated that the Wage and Investment organization agrees that developing and implementing a Unified Work Request for programming changes is needed to systemically validate the refund schedule numbers input into the Integrated Submission and Remittance Processing system; however, IRS officials indicated that the organization is unable to commit to implementing a corrective action because of budgetary constraints. As a result, IRS will place this recommendation on hold until funds are available.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to require that reviewers follow up with tax examiners to verify the errors that tax examiners made in working on cases related to suspicious or questionable tax returns are corrected. (Recommendation 19-12)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that by April 2020, IRS will update and implement policies or procedures, or both, requiring that reviewers follow up with tax examiners to verify that the errors tax examiners made in working a case related to suspicious or questionable tax returns are corrected.

Recommendation: The Commissioner of Internal Revenue should direct the Chief of Appeals, in coordination with the IRS Human Capital Office, to conduct a skills gap analysis specific to Appeals mission needs and develop a strategy for mitigating any identified gaps. (Recommendation 1)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with this recommendation. As of April 2020, the Office of Appeals stated that it is working with the IRS Human Capital Office to design a questionnaire for all Appeals managers to identify the technical and organizational skills necessary to meet organizational short and long-term needs for the Appeals Officer position. This information will be used to conduct a skills gap analysis on the current Appeals workforce and to enhance the selection/hiring process to ensure future hires possess necessary skills. IRS plans to complete these actions by October 2020, and Appeals stated that time frame for this corrective action may be affected by budgetary and resource constraints. GAO will continue to monitor IRS's implementation of this recommendation.

Recommendation: The Commissioner of Internal Revenue should evaluate the existing monitoring for collection due process appeal requests and address deficiencies in collection staff meeting the requirement for timely transfer to the Office of Appeals. (Recommendation 2)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with this recommendation. In July 2019, IRS evaluated the existing monitoring for collection due process appeal requests to identify any impediments to collection staff timely transferring these requests to the Office of Appeals and provided the studies and related recommendations to GAO. The affected IRS collection units have developed action plans to address deficiencies in case transfer time. These plans include modifying inventory software to alert both staff and managers on the number of days collection due process requests have been under review. IRS also plans to update relevant IRM documentation in early 2020 to ensure that receipt dates of collection due process appeal requests are recorded for all cases and that there is appropriate notation of reasons why certain cases exceed established timeframes for transfer to the Office of Appeals. To fully implement this recommendation, IRS will need to provide GAO copies of the updated IRM as well as evidence of other corrective actions outlined in its evaluations of its monitoring procedures for collection due process appeal requests. GAO will continue to monitor the implementation of this recommendation.

Recommendation: The Commissioner of Internal Revenue should establish timeframes and monitoring procedures for timely transfer of taxpayer appeals requests by examination compliance units to the Office of Appeals. (Recommendation 3)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: IRS agreed with this recommendation. All four IRS business operating divisions have a corrective action plan and established and documented time frames for timely appeal transfer as of February 2020. While three business operating divisions have reporting procedures planned for monitoring timely appeal transfer, one division has not provided a plan for monitoring its timeliness in transferring cases to the Office of Appeals. To fully implement this recommendation, IRS needs to assess whether the planned monitoring actions will result in timely transfer of examination appeals. As of February 2020, data tracking the time from taxpayer request for appeal to when it is received by the Office of Appeals indicated that the actual transfer times are longer than the established time frames. Delays in transferring such requests can result in increased interest costs for taxpayers because interest continues to accumulate on the tax liability during the appeal process. Further, taxpayers unsure of their appeal status may call or write to IRS, tying up other IRS staff to respond to inquiries about appeals delayed in transfer. GAO will continue to monitor IRS's implementation of this recommendation.

Recommendation: The Commissioner of Internal Revenue should direct the Chief of Appeals to regularly report and share with each compliance unit the data on the time elapsed between when a taxpayer requests an appeal to when it is received in the Office of Appeals. (Recommendation 4)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with this recommendation. In February 2019, IRS stated that the Chief of Appeals will share with each compliance unit data on the time elapsed between when a taxpayer requests an appeal to when it is received in the Office of Appeals. Appeals will also conduct an assessment with IRS compliance units of the time elapsed between when a taxpayer requests an appeal to when it is received in the Office of Appeals and implement improvements based on that assessment. As of February 2020, Appeals demonstrated that it provided to compliance units initial example data that tracks the time from taxpayer request for appeal to when it is received by the Office of Appeals. As of April 2020, it continues to refine the format of these reports. Appeals said it plans to do an assessment of the data with compliance units and will provide an example of this analysis when it is complete. IRS plans to complete these actions by October 2020, and GAO will continue to monitor IRS's implementation of this recommendation.

Recommendation: The Commissioner of Internal Revenue should provide more transparency to taxpayers on historical average total appeal resolution times. This could include publishing average total resolution times by workstream on an Office of Appeals web page as well as including total expected times in the Appeals welcome letter. (Recommendation 5)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS agreed with this recommendation. In February 2019, IRS stated that the Chief of Appeals will review appeal resolution times and participate in IRS-wide efforts to improve transparency of resolution timeframes. As of June 2019, the Office of Appeals explained that IRS was beginning to simplify its website, including the Appeals website, with a focus on making it more customer friendly. IRS plans to complete these actions by June 2020, and GAO will continue to monitor IRS's implementation of this recommendation.

Recommendation: The Secretary of the Treasury, consistent with its responsibilities under GPRAMA and Executive Orders for customer service, should ensure that the Commissioner of Internal Revenue takes action to make Appeals customer service standards and performance results more transparent to the public. This could include publishing customer service standards and related performance measure results on the Office of Appeals web page on IRS.gov. (Recommendation 6)

Agency: Department of the Treasury
Status: Open

Comments: Treasury agreed with this recommendation and plans to monitor IRS implementation. In February 2019, IRS stated that it will publish customer service standards and related performance measure results on the Office of Appeals web page on IRS.gov. As of April 2020, the Office of Appeals stated it plans to use information from its redesigned customer satisfaction survey to address this recommendation and is determining how to include the performance information on its website. IRS plans to complete these actions by June 2020, and GAO will continue to monitor IRS's implementation of this recommendation.

Recommendation: The Secretary of the Treasury, consistent with its responsibilities under GPRAMA and Executive Orders for customer service, should ensure that the Commissioner of Internal Revenue takes action to develop a mechanism to solicit and consider public input and customer feedback on a regular basis on current and proposed IRS appeal policies and procedures. This could include leveraging existing IRS advisory bodies or establishing an Office of Appeals advisory body representing the taxpaying public, the tax practitioner community, and businesses to solicit customer perspectives. (Recommendation 7)

Agency: Department of the Treasury
Status: Open

Comments: Treasury agreed with this recommendation and will monitor IRS implementation. In February 2019, IRS stated that it will leverage existing IRS advisory bodies to solicit customer perspectives. In January 2020, the Office of Appeals reported that it had begun to meet with the IRS Advisory Committee (IRSAC) to solicit customer perspectives, with its first interactions beginning in November 2019. The Office of Appeals stated that, in addition to this action, its leadership continues to meet with other external bodies to capture public input and customer feedback on an ad hoc basis. As of April 2020, the Office of Appeals stated it plans to participate in IRSAC's public meetings. Since the Office of Appeals has only begun leveraging IRSAC to solicit customer perspectives in November 2019 in a working session, GAO will continue to monitor the implementation of this recommendation to ensure sustained interaction with IRSAC through working sessions, as well as public meetings.

Recommendation: The Acting Commissioner of Internal Revenue should ensure that the appropriate IRS officials, based on IRS's research and determination, design and implement the corrective actions necessary to reasonably assure that IRS effectively resolves and records unpostable transactions in a timely manner, including establishing clearly defined time frames in the Internal Revenue Manual (IRM) by which the IRS operating divisions should correct unpostable transactions and appropriate related oversight and review processes. (Recommendation 18-02)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. As of September 30, 2019, three of the four operating divisions involved in this recommendation designed and implemented the corrective actions necessary to reasonably assure that IRS effectively resolved and recorded unpostable transactions in a timely manner. In March 2019, one operating division determined that based on the research performed, no actions needed to be taken by the operating division to effectively resolve and record unpostable transactions in a timely manner. We will continue to evaluate IRS's actions to address this recommendation during our audit of IRS's fiscal year 2020 financial statements.

Recommendation: The Acting Commissioner of Internal Revenue should ensure that the appropriate IRS officials develop and implement policies in the IRM for conducting and monitoring the Submission Processing internal control review. These policies should include or be accompanied by procedures to (1) assess and update the review questions and cited IRM criteria to reasonably assure they align with the controls under review; (2) periodically evaluate and document a review of the error threshold methodology to assess its current validity based on changes to the operating environment; (3) report findings identified in the Findings and Corrective Actions Report; and (4) assess and monitor (a) safeguarding internal control activities across all work shifts, particularly during peak seasons, (b) safeguarding internal control activities for the appropriate use and destruction of hard copy taxpayer information, and (c) the results of relevant functional level reviews. (Recommendation 18-03)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During fiscal year 2019, IRS developed policies in the Internal Revenue Manual (IRM) for conducting and monitoring the Submission Processing internal control review. Specifically, the IRM addresses the (1) designated roles and responsibilities among IRS business units for ensuring the review questions and associated criteria are assessed and updated to align with internal controls under review; (2) requirements for periodically evaluating the error threshold methodology used in the review; (3) procedures for the review to assess and monitor (a) internal control activities across work shifts and (b) internal control activities for appropriate use and destruction of hard-copy taxpayer information. However, the IRM did not include requirements for reporting findings identified during all components of the internal control review and for assessing and monitoring results of relevant functional level reviews. Since IRS developed the relevant IRM policies and procedures after we had already performed our fiscal year 2019 internal control testing, we will evaluate IRS's implementation of the established procedures during our fiscal year 2020 audit.

Recommendation: The Acting Commissioner of Internal Revenue should ensure that the appropriate IRS officials develop and implement policies in the IRM for conducting and monitoring the Audit Management Checklist review. These policies should include or be accompanied by procedures for IRS management responsible for establishing policies related to safeguarding controls to (1) periodically monitor the results of the review; (2) clarify the minimum requirements for how frequently the review should be completed at its various facilities while considering factors that may affect the most appropriate timing of these reviews, such as changes in personnel, operational processes, or information technology; and (3) reasonably assure that corrective actions for all identified deficiencies are tracked until fully implemented. (Recommendation 18-04)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2019, IRS notified stakeholders of the added procedures to the Internal Revenue Manual (IRM) for (1) conducting the Audit Management Checklist reviews, including how frequently the reviews should be completed; (2) developing corrective actions for deficiencies; and (3) tracking the status of the corrective actions until fully implemented. Since IRS provided us the IRM procedures after the end of our fiscal year 2019 audit, we will evaluate IRS's implementation of the established procedures during our fiscal year 2020 audit.

Recommendation: The Acting Commissioner of Internal Revenue should ensure that the appropriate IRS officials develop and implement policies in the IRM for conducting and monitoring the All Events History Report review. These policies should include or be accompanied by procedures for IRS management responsible for establishing policies related to safeguarding controls to (1) periodically monitor the results of the review and (2) reasonably assure that corrective actions for all identified deficiencies are tracked until fully implemented. (Recommendation 18-05)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In September 2019, IRS notified stakeholders of the added procedures to the Internal Revenue Manual (IRM) for conducting the All Events History Report reviews, including developing and monitoring corrective actions for deficiencies until fully implemented. Since IRS provided us the IRM procedures after the end of our fiscal year 2019 audit, we will evaluate IRS's implementation of the established procedures during our fiscal year 2020 audit.

Recommendation: The Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with the Defense Contract Management Agency (DCMA) and the military departments, should assess whether risk mitigation actions have been identified in the event of a loss of each task critical assets (TCA) facility in the defense industrial base and, based on this assessment, develop risk mitigation actions with associated implementation plans and time lines, and provide this information to congressional and DOD decision makers. (Recommendation 1)

Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open

Comments: DOD concurred with this recommendation. In June 2019, DOD provided follow up information and identified key corrective actions for recommendations from this report. The key corrective actions identified for this recommendation include the issuance of the mission assurance instruction in August 2018 that guides the identification, prioritization, and assessment of defense critical infrastructure. Further, Executive Order 13806 required that DOD perform a whole-of-government assessment of the manufacturing and the defense industrial base, assess risk, identify impacts, and propose mitigation strategies. DOD issued the resulting report in October 2018, which includes a focus on numerous single source and sole supply risks. Lastly, DOD officials stated that DOD senior leadership and Congress were briefed in May 2019 on investments planned to reduce risks and updates will be included in an annual Industrial Capabilities Report to Congress. DOD placed considerable focus on defense industrial base issues in the past year, we will review the next annual report to ensure this focus is continued and that detailed information on DOD's industrial base risks and task critical assets is provided to DOD and Congressional decision makers.

Recommendation: The Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with DCMA and the military departments, should provide congressional and DOD decision makers with information on potential effects on defense capabilities in the event of a loss of each TCA facility in the defense industrial base. (Recommendation 2)

Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open

Comments: DOD concurred with this recommendation. In June 2019, DOD provided follow up information and identified key corrective actions for recommendations from this report. The key corrective actions identified for this recommendation include a description of the mission assurance process and the annual report on the industrial capabilities that were already in place at the time of issuance of this report, therefore do not represent a change or response to this recommendation. Another key corrective action identified is the issuance of the report in response to the Executive Order 13806 in October 2018, which provides a whole of government assessment of the defense industrial base risks and impacts and associated Hill briefing. DOD placed considerable focus on defense industrial base issues in the past year as a result of the Executive Order, we will review the next annual report to ensure this focus is continued and that detailed information on DOD's industrial base risks and task critical assets is provided to DOD and Congressional decision makers.

Recommendation: The Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with DCMA and the military departments, should provide congressional and DOD decision makers with information on DOD organic facilities that have been identified as TCAs, similar to the information provided previously on commercial facilities. This information also should include (1) the potential effects on defense capabilities in the event of a loss of the facility and (2) risk mitigation actions and associated implementation plans with time lines. (Recommendation 3)

Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open

Comments: DOD concurred with this recommendation. In June 2019, DOD provided follow up information and identified key corrective actions for recommendations from this report. The key corrective actions identified for this recommendation include the mission assurance process that was already in place at the time of the issuance of this report, which does not reflect a change in response to this recommendation. However, other key corrective actions identified include the identification of several DOD-owned assets in the report DOD issued in response to Executive Order 13806 in October 2018. Further, DOD states that it will provide yearly updates to Congress in its Industrial Capabilities report. Lastly, the corrective actions state that DOD will continue to execute risk mitigation identified in its October 2018 report. DOD placed considerable focus on defense industrial base issues in the past year as a result of the Executive Order, we will review the next annual report to ensure this focus is continued and that detailed information on DOD's industrial base risks and task critical assets is provided to DOD and Congressional decision makers.

Recommendation: The Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with DCMA and the military departments, should take steps to share information on risks identified through the annual Critical Asset Identification Process with relevant program managers or other designated service or program officials. At a minimum, relevant officials should receive information on the most critical facilities (such as TCAs) that produce parts supporting their programs. This information-sharing could occur through service-specific channels of communication or another method of internal communication deemed appropriate by DOD. (Recommendation 4)

Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open

Comments: DOD concurred with this recommendation. As of August 2018, DOD officials stated that they are in the process of developing proactive steps to share information on risks identified through the annual CAIP with relevant program managers, or other designated service or program officials as necessary. However, in June 2019, DOD shared the key corrective actions identified for this recommendation, which include a description of the mission assurance process that was already in place at the time of issuance of this report, therefore do not represent a change or response to this recommendation. It further states that the Critical Asset Identification Process is addressed in semi-annual Joint Industrial Base Working Group meetings, which are attended by all service and agency industrial base representatives. As of November 2019, DOD officials did not respond to a request for more detail, we will continue to assess DOD's actions.

Recommendation: The Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with the military departments, should develop a mechanism to ensure that program offices obtain information from contractors on single source of supply risks. (Recommendation 5)

Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open

Comments: DOD concurred with this recommendation. As of August 2018, DOD officials stated that assessing the health of the defense industrial base and associated supply chains was the focus of an Executive Order issued in July 2017 and that the resulting inter-agency report will be released within the next year. DOD officials stated that the issuance of this report will provide significant information towards addressing this recommendation. However, in June 2019, DOD provided key corrective actions for this recommendation, which stated that multiple services and agencies began in 2018 to incorporate contracting language to require prime contractors to track and provide sub-tier data and that this effort will expand to cover more programs. Further, it states that in the Industrial Base Integrated Data System, suppliers are indicated as either single or sole source suppliers and that the services and agencies have access to this list. As of November 2019, DOD officials did not respond to a request for more detail, we will continue to assess DOD's actions.

Recommendation: The Under Secretary of Defense for Acquisition, Technology and Logistics, in conjunction with the military departments, should issue department-wide DMSMS policy, such as an instruction, that clearly defines requirements of DMSMS management and details responsibilities and procedures to be followed by program offices to implement the policy. (Recommendation 6)

Agency: Department of Defense: Office of the Secretary of Defense: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics
Status: Open

Comments: DOD concurred with this recommendation. The DOD official that is the lead for the Diminishing Manufacturing Sources and Material Shortages (DMSMS) program stated that as of July 2019, the department has completed the draft DMSMS instruction and accompanying manual that details program requirements, responsibilities, and procedures to be followed. The draft instruction is undergoing legal review and the official expects the instruction and manual to be issued by December 2019. As of November 2019, this recommendation will remain open and we will review the instruction once issued.

Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to ensure that the department-level investment review structure is implemented as planned and that guidance on the IT governance process is documented and identifies criteria for selecting new investments, and reselecting investments currently operational at VHA.

Agency: Department of Veterans Affairs
Status: Open

Comments: In its comments on our report, VA concurred with our recommendation and provided meeting minutes for its Portfolio Investment Management Board and documentation describing the proposed alignment and interdependencies between information technology (IT) governance boards. According to VA officials, as of September 2019, the department had continued to further evolve its IT governance framework, reworked the committee structure and related working groups that oversee IT investments, and refined the process for prioritizing investments. A draft IT Governance Policy that describes an updated governance structure intended to implement IT solutions and an agile workforce was to be implemented by March 2020. The department has yet to report on the status and results of this implementation. We will continue to monitor VA's actions to ensure that the implementation is consistent with planned actions.

Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to identify additional performance metrics to align with VHA's core business functions, and then use these metrics to determine the extent to which the department's IT systems support performance of VHA's mission.

Agency: Department of Veterans Affairs
Status: Open

Comments: In its comments on our report, VA concurred with our recommendation. In addition, the department outlined steps it intends to take to address our recommendation, including developing a set of metrics to provide continuous input into investment portfolio decisions and establishing a methodology for ensuring that IT investments are aligned to business needs and that expected outcomes are defined prior to making the investments. According to department officials, VA issues a Joint Business Plan that identifies annual milestones associated with initiatives agreed upon by both VHA and OIT. As of September 2020, we are reviewing additional documentation related to the underlying processes that support the compilation of the plan and any related metrics for the associated investments that are to support VHA's mission. We will continue to monitor progress in this area.

Recommendation: To assist VA in improving key IT management processes to ensure that investments support the delivery of health care services, the Secretary of Veterans Affairs should direct the Under Secretary for Health and the Chief Information Officer to ensure that unmet IT needs identified by key program areas--pharmacy benefits management, scheduling, and community care--are addressed appropriately and that related business functions are supported by IT systems to the extent required.

Agency: Department of Veterans Affairs
Status: Open

Comments: In its comments on our report, VA concurred with our recommendation. The department described its intention to ensure that unmet IT needs for the pharmacy benefits management, scheduling, and community care program areas were addressed appropriately during fiscal year 2018 budget formulation. In March 2020, we met with officials from the Pharmacy Benefits Management program office, the Office of Veterans Access to Care, and the Community Care program to discuss the status of new service requests and the extent to which IT needs have been met since our report. While there was a slight decrease in the total number of new service requests that remained open for 5 years or more, officials from each office did not consistently report improvements in how IT needs were being addressed. For example, Pharmacy Benefits Management officials still waited for improvements that may come with the deployment of the new electronic health record system, but they continued to report that updates to industry standards should be addressed sooner and often IT needs did not make it through the prioritization process at the Veterans Health Administration to be considered by the Office of Information and Technology. Community Care officials reported a general improvement in the IT governance process and a more engaged relationship with the Office of Information Technology; however, the list of open new service requests still included long-term VistA-related enhancements, some of which had not yet been prioritized by the department. The Office of Veterans Care has not yet provided an updated list of open new service requests, but officials were satisfied with a new maintenance contract that allowed them to address a number of IT issues. We will continue to monitor the number of new service requests in each program area and the extent to which the IT needs are being met by the IT governance process.

Recommendation: The IRS Commissioner should direct the appropriate IRS officials to strengthen the process for reasonably assuring that the Internal Revenue Manual (IRM) is reviewed annually to align with the current control procedures and guidance being implemented by agency personnel. This should include a mechanism for reasonably assuring that program owner directors (1) review their respective program control activities and related guidance annually and timely update the IRM as needed, (2) document their reviews, and (3) utilize interim guidance and supplemental guidance correctly for their intended purposes.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2018, IRS created an annual Internal Revenue Manual (IRM) review and certification requirement to reasonably assure that all IRM sections align with the current control procedures and guidance that IRS personnel are implementing. In addition, the Small Business/Self-Employed (SB/SE) and Tax Exempt & Government Entities (TE/GE) organizations developed action plans to achieve substantial compliance with this requirement. During fiscal year 2019, the SB/SE organization completed its action plan; however, IRS officials stated that the TE/GE organization will complete its action plan during fiscal year 2020. Further, in fiscal year 2019, the Large Business & International organization reviewed and analyzed the results of its involvement in the annual IRM certification process. Based on the results of its analysis, the organization developed an action plan to achieve substantial compliance with the IRM review and certification requirement, which IRS officials stated it will complete by December 2021.

Recommendation: To provide greater transparency in the reporting of FOIA litigation costs, Congress could consider requiring Justice to provide a cost estimate for collecting and reporting information on costs incurred when defending lawsuits in which the plaintiffs prevailed.

Agency: Congress
Status: Open

Comments: As of February 2020, Congress has not yet considered if it plans to amend FOIA regarding the reporting of costs for defending lawsuits in which the plaintiffs prevailed.

Recommendation: Congress could consider amending the act to require Justice to reflect in its Litigation and Compliance reports, changes in the award of attorneys' fees and costs resulting from the appeals process and settlement agreements between agencies and plaintiffs, if deemed to be cost-effective.

Agency: Congress
Status: Open

Comments: As of February 2020, Congress has not yet considered if it plans to amend FOIA to require Justice to make changes to its Litigation and Compliance reports.

Recommendation: The Director of the Office of Management and Budget, in consultation with the Performance Improvement Council and General Services Administration, should ensure the information presented on Performance.gov consistently complies with GPRAMA public reporting requirements for the website's content.

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: In February 2018, the Office of Management and Budget (OMB) and General Services Administration launched an updated version of Performance.gov. Our updated analysis of information presented on the site in August 2020 found that it does not meet all requirements. However, OMB continues to take action to address this recommendation. For example, Performance.gov does not include a required inventory of federal programs. In July 2020, OMB reported that it is working with agencies to address this requirement. Beginning with the fiscal year 2021 federal budget cycle, OMB and agencies plan to merge implementation of existing web-based reporting of performance and spending data to provide a more coherent picture of federal programs and activities. We will continue to monitor the status of actions taken to address this recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable JIE cost estimate and baseline, consistent with the best practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however, it has not yet implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) was responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, the department approved a cost baseline for one of the components of JIE, the Joint Regional Security Stacks (JRSS), and developed a cost estimate for another component, the Enterprise Collaboration and Productivity Services (ECAPS) program. The ECAPS cost estimate was substantially consistent with the practices described in the report. However, the JRSS cost estimate was not developed consistent with the best practices described in the report. Specifically, the department did not demonstrate that the cost estimate was well documented, comprehensive, accurate, and credible. In May 2019, officials in the Office of the DOD CIO stated that it would provide documentation to address the gaps in the JRSS cost estimate; however, as of July 2019, DOD had not provided the documentation. The officials also stated that planning for JIE components other than JRSS and ECAPS had not begun; therefore, there were no other JIE component cost estimates. We will continue to monitor the department's efforts to implement this recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JIE schedule management plan and reliable schedule, consistent with practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however, it has not yet implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network part of the Joint Regional Security Stacks (JRSS) component; however, the schedule was not consistent with the practices described in our report. In addition, In May 2019, officials in the Office of the DOD CIO stated that another JIE initiative, the Enterprise Collaboration and Productivity Services program, had an approved baseline schedule. However, as of July 2019, DOD had not provided the schedule.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a JRSS schedule management plan and reliable JRSS schedule and schedule baseline, consistent with practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however, it has not implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In March 2017, the JIE Executive Committee approved a schedule baseline for the Non-secure Internet Protocol Router network component of JRSS; however, the schedule was not consistent with the practices described in our report. In May 2019, officials in the Office of the DOD CIO said that the JRSS schedule had not been re-baselined and the department had not developed a schedule management plan. We will continue to monitor the department's efforts to implement the recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to complete an assessment to determine the number of staff and the specific skills and abilities needed to effectively achieve JIE, consistent with the workforce planning practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation and has taken steps to implement it; however, more needs to be done. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing the Joint Information Environment (JIE), and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, the department has developed an inventory of cybersecurity knowledge and skills of existing staff. Specifically, we reported in our June 2018 report Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions (GAO-18-466) that the department had developed an assessment that included the percentage of cybersecurity personnel holding certifications and the level of preparedness of personnel without existing credentials to take certification exams. In August 2018, the office of the DOD CIO stated that the department planned to identify work roles of critical need and establish gap assessment and mitigation strategies by April 2019. However, as of July 2019, the department had not provided an update on the status of its efforts to address the recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a strategy for conducting JIE security assessments that describes the resources needed to execute the strategy, responsible organizations, and a schedule to complete the assessments.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however, as of August 2018, it has not provided evidence that it has addressed it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing the Joint Information Environment (JIE), and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. In May 2019, the office of the DOD CIO stated that it had developed a schedule to complete JIE security assessments. However, as of July 2019, the office had not provided the schedule or demonstrated that it has a strategy for conducting JIE security assessments that includes the rest of the elements of our recommendation.

Recommendation: To help the department achieve the benefits anticipated from JIE, the Secretary should direct the DOD CIO and other entities, as appropriate, to develop a reliable Joint Regional Security Stacks (JRSS) cost estimate and baseline, consistent with practices described in this report.

Agency: Department of Defense
Status: Open

Comments: DOD partially concurred with our recommendation; however it has not fully implemented it. In its written response to our draft report, DOD stated that its partial concurrence was due to the language we used to introduce the recommendations. Specifically, we stated that the Secretary of Defense should direct the appropriate entities to implement the recommendations. In its comments, DOD stated that the DOD Chief Information Officer (CIO) is responsible for implementing JIE, and referred to a May 2013 memo from the Deputy Secretary of Defense directing DOD components to participate in and implement JIE under the direction of the DOD CIO. In response to DOD's comments, we revised the language used to introduce our recommendations. Specifically, we revised the language to call for the Secretary to direct the DOD CIO and other entities, as appropriate, to take the recommended actions. Since we made our recommendation, in April 2017, the JRSS program office documented the methodology, ground rules and assumptions, among other things, used to develop the cost estimate we reviewed in our report, and the JIE Executive Committee established the estimate as its JRSS cost baseline. However, the cost estimate documentation was not sufficient to address our recommendation. Specifically, it did not demonstrate that the cost estimate was well documented, comprehensive, accurate and credible. In May 2019, officials in the Office of the DOD CIO stated that it would provide documentation to address the gaps. However, as of July 2019, DOD had not provided the documentation.

Recommendation: To strengthen the transparency of the complaints process, the Secretary of Homeland Security should direct CBP and ICE to develop and issue guidance on how and which complaint mechanisms should be communicated to individuals in custody at holding facilities.

Agency: Department of Homeland Security
Status: Open

Comments: In May 2016, we reported on the Department of Homeland Security's management and oversight of short-term holding facilities. We found, for example, that only 4 of 17 Border Patrol holding facilities posted information on how individuals can contact the DHS OIG to file general complaints, and the remaining facilities did not have information posted on any complaint mechanisms, such as the Joint Intake Center or CBP INFO Center. In December 2016, ICE Enforcement and Removal Operations (ERO) sent a broadcast to ICE field offices stating that posters should be visible at all of ICE ERO temporary holding facilities. This broadcast directed ICE ERO Field Office staff to immediately post copies of the Detention Reporting and Information Line poster, both in English and in Spanish, in temporary confinement areas or other areas so that it is visible to individuals in custody at ICE ERO temporary holding facilities. With regard to CBP, in October 2019, officials informed us there is no current CBP guidance requiring signage in CBP holding facilities to communicate complaint mechanisms other than the Prison Rape Elimination Act poster, which relates to reporting mechanisms for any potential incidents of sexual abuse and assault. In September 2020, CBP told us it planned to implement the necessary corrective actions to close this recommendation by March 31, 2021. In order to be able to close the recommendation as implemented, we will need to see updated guidance to the field about the posters that should be displayed in CBP facilities.

Recommendation: The Commissioner of Internal Revenue should direct the referral programs to establish a mechanism to coordinate on a plan and timeline for developing a consolidated, online referral submission in order to better position IRS to leverage specialized expertise while exploring options to further consolidate the initial screening operations.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: As of January 2020, IRS had taken some action to establish a mechanism to coordinate on a plan and timeline for developing a consolidated, online referral submission, as GAO recommended in its February 2016 report. IRS established a cross-functional team in February 2016 to comprehensively review IRS's referral programs. Among other things, the team has explored options to consolidate the initial screening operations and determine the scope and complexity for moving the referral process to an online format. According to IRS, an electronic submission process is expected to provide better access to the program and reduce the burden associated with making a written report or referral. In November 2016, the cross-functional team requested information technology resources for fiscal year 2019 to develop an online system which could potentially replace four separate referral forms, filter out incomplete referrals, and electronically route referrals for further IRS action. IRS assessed options for consolidating all forms for the various referral programs and determined that consolidating them to a single form was not feasible because of the technical nature and complexity of the various referral types. The cross-functional team had worked with IRS On Line Services to develop an online application prototype and was considering the cost-effectiveness of a commercial off-the-shelf product. According to IRS, the online application will make it easier for the public to report possible tax violations. Also, the online system will improve efficiency in coordination and provide reports that will be incorporated into the quarterly coordination meetings of the new cross-division referral coordination committee. As of January 2020, IRS was still considering funding for online referral submission development. IRS estimated that a commercial off-the-shelf product would cost about $2 million with an online referral capacity operational within one year. IRS said it will consider further consolidating the referral programs once the online application is in place. Without continued progress on efforts to consolidate referral intake, IRS faces continued inefficiencies in receiving and processing referrals as well as public confusion caused by trying to choose among multiple forms.

Recommendation: To improve VA's efforts to effectively complete the development and implementation of VBMS, the Secretary of Veterans Affairs should direct the Under Secretary for Benefits and the Chief Information Officer to develop an updated plan for VBMS that includes (1) a schedule for when VBA intends to complete development and implementation of the system, including capabilities that fully support disability claims, pension claims, and appeals processing and (2) the estimated cost to complete development and implementation of the system.

Agency: Department of Veterans Affairs
Status: Open
Priority recommendation

Comments: The Department of Veterans Affairs (VA) concurred with our recommendation and as of January 2020, is continuing to develop requirements for VBMS in order to develop functionality to replace legacy information systems. In addition, the department subsequently provided us with expected completion dates for implementation of claims and appeals processing, but has not provided a schedule for the implementation of pension claims processing. To fully implement this recommendation, the department needs to provide the expected completion date for pension claims processing and an estimate of the cost to complete remaining development and implementation of VBMS.

Recommendation: To improve VA's efforts to effectively complete the development and implementation of VBMS, the Secretary of Veterans Affairs should direct the Under Secretary for Benefits and the Chief Information Officer to reduce the incidence of high- and medium-priority level defects that are present at the time of future VBMS releases.

Agency: Department of Veterans Affairs
Status: Open

Comments: The Department of Veterans Affairs (VA) concurred with this recommendation and reiterated its plans and procedures for decreasing the incidences of defects in each system release. However, while the most recent VBMS release (i.e., May 2019) showed a decrease in the number of high- and medium-priority level defects, the release in February 2019 showed an increase in the number of high- and medium-priority defects. In addition, both the February 2019 and May 2019 releases showed the presence of the highest severity defects--critical--which have extensive user impact and workarounds do not exist. We will continue to monitor VA's actions and progress in response to this recommendation.

Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish and implement an organization-wide policy for developing cost estimates that includes key practices as discussed in this report.

Agency: Library of Congress
Status: Open

Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a centralized Library-wide Project Management Office, located within the Office of the Chief Information Officer (OCIO). Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing cost estimates. Further, in August 2017 the Project Management Office finalized guidance for developing cost estimates that generally includes the key practices discussed in our report. However, none of the cost estimates for three key investments fully met the practices associated with a comprehensive estimate. In October 2019, the Library provided evidence of its Monte-Carlo risk assessment process. We are currently assessing whether this process is consistent with the practices found in our Cost Estimating and Assessment Guide. We will continue to evaluate the Library's progress in implementing this recommendation.

Recommendation: To effectively plan and manage its acquisitions of IT systems and increase the likelihood of delivering promised system capabilities on time and within budget, the Librarian should establish a time frame for finalizing and implementing an organization-wide policy for developing and maintaining project schedules that includes key practices as discussed in this report, and finalize and implement the policy within the established time frame.

Agency: Library of Congress
Status: Open

Comments: The Library of Congress generally agreed with, and has begun to take steps to implement, this recommendation. Specifically, in January 2017 the Library established a Project Management Office within the Office of the Chief Information Officer (OCIO) and tasked the office with communicating and enforcing Library requirements for project management and systems development. Additionally, in June 2017 the Library updated its regulations to give the Project Management Office the authority to establish organization-wide policy for developing and maintaining schedules. Further, in August 2017 the Project Management Offices finalized guidance for developing schedules that generally includes the key practices discussed in our report. However, none of the schedules for three key investments fully met the practices associated with a well-constructed schedule. In October 2019, the Library provided the schedules that it uses to manage select projects. We are currently reviewing this scheduling documentation to determine the extent to which the Library is implementing its scheduling guidance.

Recommendation: To improve the reliability and reporting of investment performance information and management of selected major investments, the Commissioner of the IRS should direct the Chief Technology Officer to modify reporting of the Affordable Care Act Administration testing status to senior management to include a comprehensive report on all impacted systems--including an explanation for why impacted systems were not tested at a particular level--and ensure this reporting is aligned with the manner in which testing is being performed.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS disagreed with this recommendation at the time we made it stating that it followed a rigorous risk-based process for planning the tests of ACA-impacted systems, including the types and levels of testing, and that it had comprehensive reporting for the filing season 2015 release, which included ACA impacted systems. However, as noted in our report, our review of ACA Testing Review Checkpoint reports and filing season reports, which officials stated were used to provide comprehensive reports to senior managers, did not identify the status of testing for all systems impacted by ACA Releases 5.0 and 6.0. In September 2017, IRS finished developing ACA and the investment transitioned to the operations and maintenance phase. We followed up with IRS to determine the extent to which it might be implementing the recommendation in light of this transition. In response, in June and December 2019 , IRS provided some documentation, including systems acceptance test plans and end-of-test results reports for ACA releases completed since September 2017. We reviewed the documentation provided and determined that it did not provide a status of testing for all systems impacted as we recommended. As of September 2020, we were following up with IRS to determine if the agency has other documentation provided to senior managers that addresses our recommendation.

Recommendation: To help improve DOD's milestone decision process, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology and Logistics in collaboration with the military service acquisition executives, program executive officers, and program managers to, as a longer-term effort, select several current or new major defense acquisition programs to pilot, on a broader scale, different approaches for streamlining the entire milestone decision process, with the results evaluated and reported for potential wider use. The pilot programs should consider the following: (1) Defining the appropriate information needed to support milestone decisions while still ensuring program accountability and oversight. The information should be based on the business case principles needed for well-informed milestone decisions including well defined requirements, reasonable life-cycle cost estimates, and a knowledge-based acquisition plan. (2) Developing an efficient process for providing this information to the milestone decision authority by (a) minimizing any reviews between the program office and the different functional staff offices within each chain of command level and (b) establishing frequent, regular interaction between the program office and milestone decision makers, in lieu of documentation reviews, to help expedite the process.

Agency: Department of Defense
Status: Open
Priority recommendation

Comments: DOD concurred with this recommendation, and as of February 2020 the Services each identified one pilot program for implementation of streamlined acquisition processes. The Army chose the Improved Turbine Engine Program; the Navy chose the MQ-25 Stingray Unmanned Carrier Aviation Program; and the Air Force chose the MH-139 Grey Wolf Program. In July 2020, DOD indicated that specific streamlining initiatives for these programs will be developed in the near future after Executive Review at the Service level and after the Office of the Under Secretary of Defense (Acquisition and Sustainment) has been informed.

Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to improve reporting of FOIA costs by including salaries, employee benefits, non-personnel direct costs, indirect costs, and costs for other offices.

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2020, we have followed up with the department to request documentation but have not yet received evidence of DHS's planned actions to address this recommendation.

Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to direct USCIS and Coast Guard to fully implement the recommended FOIA processing system capabilities and the section 508 requirement.

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2020, we have followed up with the department to request documentation but have not yet received evidence of DHS's planned actions to address this recommendation.

Recommendation: To improve the management of DHS FOIA requests, the Secretary of DHS should direct the Chief FOIA Officer to determine the viability of re-establishing the service-level agreement between the U.S. Citizenship and Immigration Services (USCIS) and U.S. Immigration and Customs Enforcement to eliminate duplication in the processing of immigration files. If the benefits of doing so would exceed the costs, re-establish the agreement.

Agency: Department of Homeland Security
Status: Open

Comments: As of August 2020, we have followed up with the department to request documentation but have not yet received evidence of DHS's planned actions to address this recommendation.

Recommendation: To better protect plan sponsors and participants who use managed account services, the Secretary of Labor should direct the Assistant Secretary for the EBSA to consider the fiduciary status of managed account providers when they offer services on an opt-in basis and, if necessary, make regulatory changes or provide guidance to address any issues.

Agency: Department of Labor
Status: Open

Comments: DOL concurred with this recommendation and agreed to review existing guidance and consider whether additional guidance is needed in light of the various business models we described. On April 8, 2016, DOL issued a final rule that clarified that anyone providing advice that is individualized or specifically directed to a participant pertaining to a decision to take, or refrain from taking, a distribution from the plan is a fiduciary. According to DOL, this final rule will better protect plan participants by requiring service providers who provide investment advice to act in their clients' best interest, preventing the erosion of their retirement savings by fees and substandard performance attributable to conflicts of interest. In 2018, a court ruling vacated this regulation; there is legal uncertainty surrounding the regulation and its effect regarding fiduciary duties,

Recommendation: To help sponsors who offer managed account services or who are considering doing so better protect their 401(k) plan participants, the Secretary of Labor should direct the Assistant Secretary for EBSA to require plan sponsors to request from record keepers more than one managed account provider option, and notify the Department of Labor if record keepers fail to do so.

Agency: Department of Labor
Status: Open

Comments: DOL agreed to consider this recommendation in connection with a regulatory project on standards for brokerage windows in participant-directed individual account plans. However, in Spring 2017, DOL removed this project as an active project on its regulatory agenda. GAO believes requiring plan sponsors to ask for more than one choice of a provider may be an effective method of broadening plan sponsors' choices of managed account providers. In April 2018, DOL reported that it was not able to allocate staff time and resources to this recommendation and does not yet have a specific timeline for any next action.

Recommendation: To help sponsors and participants more effectively assess the performance of managed accounts, the Secretary of Labor should direct the Assistant Secretary for EBSA to amend participant disclosure regulations to require that sponsors furnish standardized performance and benchmarking information to participants. To accomplish this, EBSA could promulgate regulations that would require sponsors who offer managed account services to provide their participants with standardized performance and benchmarking information on managed accounts. For example, sponsors could periodically furnish each managed account participant with the aggregate performance of participants' managed account portfolios and returns for broad-based securities market indexes and applicable customized benchmarks, based on those benchmarks provided for the plan's designated investment alternatives.

Agency: Department of Labor
Status: Open

Comments: DOL agreed to consider this recommendation in connection with (1) its regulatory project on standards for brokerage windows in participant directed individual account plans and (2) open proposed rulemaking project involving the qualified default investment alternative and participant-level fee disclosure regulations. In Spring 2017, the project on brokerage windows was removed as an active project on DOL's regulatory agenda, and the project on qualified default investment alternatives was moved to the long-term action category. In April 2018, DOL reported that it was not able to allocate staff time and resources to this recommendation and does not yet have a specific timeline for any next action.

Recommendation: To help sponsors and participants more effectively assess the performance of managed accounts, the Secretary of Labor should direct the Assistant Secretary for EBSA to amend service provider disclosure regulations to require that providers furnish standardized performance and benchmarking information to sponsors. To accomplish this, EBSA could promulgate regulations that would require service providers to disclose to sponsors standardized performance and benchmarking information on managed accounts. For example, providers could, prior to selection and periodically thereafter, as applicable, furnish sponsors with aggregated returns for generalized conservative, moderate, and aggressive portfolios, actual managed account portfolio returns for each of the sponsor's participants, and returns for broad-based securities market indexes and applicable customized benchmarks, based on those benchmarks provided for the plan's designated investment alternatives.

Agency: Department of Labor
Status: Open

Comments: DOL agreed to consider this recommendation in connection with (1) its regulatory project on standards for brokerage windows in participant directed individual account plans and (2) open proposed rulemaking project involving the qualified default investment alternative and participant-level fee disclosure regulations. In Spring 2017, the project on brokerage windows was removed as an active project on DOL's regulatory agenda, and the project on qualified default investment alternatives was moved to the long-term action category of DOL's regulatory agenda. In April 2018, DOL reported that it was not able to allocate staff time and resources to this recommendation and does not yet have a specific timeline for any next action.

Recommendation: To help sponsors who offer managed account services or who are considering doing so better protect their 401(k) plan participants, the Secretary of Labor should direct the Assistant Secretary for EBSA to provide guidance to plan sponsors for selecting and overseeing managed account providers that addresses: (1) the importance of considering multiple providers when choosing a managed account provider, (2) factors to consider when offering managed accounts as a Qualified Default Investment Alternative or on an opt-in basis, and (3) approaches for evaluating the services of managed account providers.

Agency: Department of Labor
Status: Open

Comments: DOL agreed to consider this recommendation in connection with a regulatory project on standards for brokerage windows in participant-directed individual account plans. However, in Spring 2017, DOL removed this project as an active project on its regulatory agenda. GAO continues to believe that plan sponsors would benefit from additional guidance for selecting and overseeing managed account providers. In April 2018, DOL reported that it was not able to allocate staff time and resources to this recommendation and does not yet have a specific timeline for any next action.

Recommendation: The Commissioner of Internal Revenue should direct the appropriate officials to define and implement a process, including defined criteria, for reselecting ongoing projects.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: In March, 2017, IRS issued its Portfolio Investment Plan Process Description Manual for selecting and prioritizing new and ongoing operations support activities. The manual includes criteria for prioritizing selections; and provides for comparing assets against one another to create a prioritized portfolio; and ensuring executives' funding decisions are based upon the process for selecting and prioritizing activities. In March 2018, IRS updated the manual and also issued related detailed procedures. In May 2019, IRS stated that its Information Technology/Strategy and Planning group had developed a prioritization process and associated scoring criteria to help facilitate decision making for business systems modernization programs, projects, and capabilities. The agency noted that improvements were being made to the process and full implementation was anticipated for June 2019.In April 2020, IRS informed us that it had moved its target for fully implementing the recommendation to November 2020. We will continue to monitor IRS's efforts to implement the recommendation.

Recommendation: To improve the Bureau's use of its master schedule to manage the 2020 decennial census, the Secretary of Commerce should require the Director of the U.S. Census Bureau to include estimates of the resources, such as labor, materials, and overhead costs, in the 2020 integrated schedule for each activity as the schedule is built, and prepare to carry out other steps as necessary to conduct systematic schedule risk analyses on the 2020 schedule.

Agency: Department of Commerce
Status: Open
Priority recommendation

Comments: Commerce neither agreed nor disagreed with this recommendation. Regarding GAO's 2013 assessment of the Bureau's schedule (GAO-14-59), Bureau officials stated that they hoped to begin identifying the resources needed for each activity in their schedules by early 2014. Bureau officials announced they had completed the 2020 Census schedule in July 2016, and have since periodically described their intent to link resources to activities within their schedules. However, as of May 2018, when the Bureau had not taken these steps. Senior Bureau officials stated that it would require additional staffing in order to plan for and implement this recommendation. In July 2018 (GAO-18-589) we reported again on the status of the Bureau's scheduling, stating that when the Bureau has resource loaded its schedule, it will be able to use the schedule more effectively as a management tool. The Bureau took steps toward assigning resources to its master activity schedule for the 2020 Census, but effectively ran out of time to do so. Assigning resources to large complex schedules is easier to do early in schedule development process, as we recommended the Bureau do in 2009 for its 2020 Census schedule. This recommendation will remain open pending the Bureau taking steps in developing its 2030 schedule with appropriate resources linked to it.