Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials implement the necessary actions to effectively address the two primary causes of the significant deficiency in IRS's internal control over unpaid assessments. These actions should (1) resolve the system limitations affecting the recording and maintenance of reliable and appropriately classified unpaid assessments and related taxpayer data to support timely and informed management decisions, and enable appropriate financial reporting of unpaid assessment balances throughout the year, and (2) identify the control deficiencies that result in significant errors in taxpayer accounts and implement control procedures to routinely and effectively prevent, or detect and correct, such errors. (Recommendation 19-01)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2019, IRS documented the key management decisions in the design and use of the estimation process. This step should reduce the risk that IRS may perform sampling procedures inconsistent with management intent or plans. Continued management commitment and sustained efforts are necessary to build on the progress made to date and to fully address IRS's remaining unresolved issues concerning the management and reporting of unpaid assessments. We will assess IRS's progress in addressing these issues during our audit of IRS's fiscal year 2020 financial statements.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials document and implement a formal comprehensive strategy to provide reasonable assurance concerning its nationwide coordination, consistency, and accountability for internal control over key areas of physical security. This strategy should include nationwide improvements for (1) coordinating among the functional areas involved in physical security; (2) implementing and monitoring the effectiveness of physical security policies, procedures, and internal controls; and (3) ongoing communication in identifying, documenting, and taking corrective action to resolve underlying control issues that affect IRS's facilities. (Recommendation 19-02)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that Facilities Management and Security Services is in the process of developing and documenting a formal, comprehensive strategy. According to IRS officials, this strategy will include different overarching goals, such as improving workforce effectiveness, ensuring appropriate monitoring functions and employee accountability, and improving coordination and communication of policies and procedures. IRS plans to complete the formal, comprehensive strategy during fiscal year 2020 and finalize the implementation of this strategy by March 2021.

Recommendation: The Commissioner of Internal Revenue should ensure that appropriate IRS officials determine the reasons staff did not consistently comply with IRS's existing requirement for maintaining an emergency contact list at all of its facilities and, based on this determination, establish a process to enforce compliance with the requirement. (Recommendation 19-03)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2019, IRS used a questionnaire survey and obtained feedback from security section chiefs and physical security specialists to determine the reasons staff did not consistently comply with IRS's existing requirement to maintain an emergency contact list at all IRS facilities. IRS officials stated that during fiscal year 2020, the Facilities Management and Security Services will establish a process to better enforce compliance with the requirement based on the results of the feedback obtained.

Recommendation: The Commissioner of Internal Revenue should ensure that appropriate IRS officials establish and implement policies and procedures requiring that corrective actions be documented in the Alarm Maintenance and Testing Certification Report for malfunctioning alarms identified in the annual alarm tests. (Recommendation 19-04)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the Facilities Management and Security Services will (1) update the Internal Revenue Manual to reflect the requirement to use the Alarm Maintenance and Testing Certification Report to document alarm testing results, including any malfunctioning alarms and related corrective actions taken, as appropriate;, and (2) review the Alarm Maintenance and Testing Certification Report Form and incorporate any additional instructions and fields to document the specific alarms tested, the testing results, and related corrective actions taken, as appropriate.

Recommendation: The Commissioner of Internal Revenue should ensure that the appropriate IRS officials establish and implement policies or procedures, or both, to provide reasonable assurance that the video surveillance systems at all IRS facilities record activity at the correct time and are properly secured. The policies or procedures should include periodic checks and adjustments, as needed, as part of the annual service and maintenance of security equipment and systems. (Recommendation 19-05)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the Facilities Management and Security Services will develop, document, and implement policies or procedures, or both, to provide reasonable assurance of the accuracy and physical security of the video surveillance systems at all IRS facilities by including periodic checks and adjustments, as needed, as part of the annual service and maintenance of security equipment.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the review is to be conducted, and (3) how the review should be documented. (Recommendation 19-06)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the Information Technology and the Criminal Investigation organizations will update and implement their policies or procedures, or both, to clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the review is to be conducted, and (3) how the review should be documented.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials (1) identify the reason IRS's policies and procedures related to the transmittal forms were not always followed and (2) design and implement actions to provide reasonable assurance that SB/SE units comply with these policies and procedures. (Recommendation 19-07)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that the Small Business/Self-Employed (SB/SE) Field Collection organization determined that the reasons the policies and procedures were not always followed were either a lack of understanding of the requirements or a lack of consistency in adhering to them. In order to address this, in October 2019, Field Collection distributed a memorandum to its area directors, territory managers, and group managers, reminding them of the required remittance processing procedures, emphasizing the importance of following the procedures, and requesting that they distribute the information in the memorandum within their organization. IRS officials stated that the memorandum will help assure that SB/SE Field Collection units comply with the applicable policies and procedures. Since this memorandum was issued after the end of our fiscal year 2019 audit, we will review the implementation of this action during our fiscal year 2020 audit. Further, IRS officials stated that during fiscal year 2020, the SB/SE Examination organization will identify the reason that IRS's policies and procedures for transmittal forms were not followed, and based on this, it will add guidance to the applicable Internal Revenue Manual sections to clarify and supplement the service-wide guidance for the appropriate control, monitoring, and review of the forms used to transmit packages containing personally identifiable information.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to clearly define the roles and responsibilities of second-level managers and IDRS security account administrators for validating the information on USR designation forms, including specifying how the information should be validated. (Recommendation 19-08)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. During fiscal year 2019, the Information Technology (IT) organization updated IRS's Integrated Data Retrieval System (IDRS) security policy contained in the Internal Revenue Manual to ensure that the IDRS account administration process complies with IRS's personnel security policy regarding background investigation completion dates. In addition, IRS officials stated that by November 2020, the IT organization will update the Unit Security Representative (USR) designation form, as well as policies and procedures, to clearly define the roles and responsibilities of second-level managers and IDRS security account administrators for validating the information on USR designation forms, including how the information should be validated.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement procedures to clearly specify the tax refund data elements that PVS COs are required to verify before certifying the tax refunds in SPS. (Recommendation 19-09)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: During fiscal year 2019, the Information Technology organization updated its standard operating procedures to clearly specify the tax refund data elements that the Processing Validation Section Certifying Officers are required to verify before certifying the tax refunds in the Secure Payment System. Since IRS completed this action after we had already performed our fiscal year 2019 testing related to the certification of tax refunds, we will evaluate IRS's actions to address this recommendation during our fiscal year 2020 audit.

Recommendation: The Commissioner of Internal Revenue should ensure that the appropriate IRS officials establish and implement a review process to provide reasonable assurance that the RSNs that Data Conversion key entry operators enter into the ISRP system and post to the master files are correct. (Recommendation 19-10)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the Wage & Investment organization will establish and implement a review process to provide reasonable assurance that the Refund Schedule Numbers on manual refund forms are transcribed accurately into the Integrated Submission and Remittance Processing system.

Recommendation: The Commissioner of Internal Revenue should ensure that the appropriate IRS officials implement a validity check in the ISRP system to confirm that RSNs that Data Conversion key entry operators enter into the system have the required 14 digits. (Recommendation 19-11)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS officials stated that the Wage and Investment organization agrees that developing and implementing a Unified Work Request for programming changes is needed to systemically validate the refund schedule numbers input into the Integrated Submission and Remittance Processing system; however, IRS officials indicated that the organization is unable to commit to implementing a corrective action because of budgetary constraints. As a result, IRS will place this recommendation on hold until funds are available.

Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to require that reviewers follow up with tax examiners to verify the errors that tax examiners made in working on cases related to suspicious or questionable tax returns are corrected. (Recommendation 19-12)

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that by April 2020, IRS will update and implement policies or procedures, or both, requiring that reviewers follow up with tax examiners to verify that the errors tax examiners made in working a case related to suspicious or questionable tax returns are corrected.