This is the accessible text file for GAO report number GAO-09-514 
entitled 'Internal Revenue Service: Status of GAO Financial Audit and 
Related Financial Management Report Recommendations' which was released 
on June 25, 2009. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Commissioner of Internal Revenue: 

United States Government Accountability Office: 
GAO: 

June 2009: 

Internal Revenue Service: 

Status of GAO Financial Audit and Related Financial Management Report 
Recommendations: 

GAO-09-514: 

GAO Highlights: 

Highlights of GAO-09-514, a report to the Commissioner of Internal 
Revenue. 

Why GAO Did This Study: 

In its role as the nationís tax collector, the Internal Revenue Service 
(IRS) has a demanding responsibility to annually collect trillions of 
dollars in taxes, process hundreds of millions of tax and information 
returns, and enforce the nationís tax laws. Since its first audit of 
IRSís financial statements in fiscal year 1992, GAO has identified a 
number of weaknesses in IRSís financial management operations. In 
related reports, GAO has recommended corrective actions to address 
those weaknesses. 

Each year, as part of the annual audit of IRSís financial statements, 
GAO makes recommendations to address any new weaknesses identified and 
follows up on the status of IRSís efforts to address the weaknesses GAO 
identified in previous yearsí audits. The purpose of this report is to 
(1) provide the status of audit recommendations and actions needed to 
fully address them and (2) demonstrate how the recommendations relate 
to control activities central to IRSís mission and goals. 

What GAO Found: 

IRS has made significant progress in improving its internal controls 
and financial management since its first financial statement audit in 
1992, as evidenced by 9 consecutive years of clean audit opinions on 
its financial statements, the resolution of several material internal 
control weaknesses, and actions resulting in the closure of over 200 
financial management recommendations. This progress has been the result 
of hard work throughout IRS and sustained commitment at the top levels 
of the agency. However, IRS still faces financial management 
challenges. At the beginning of GAOís audit of IRSís fiscal year 2008 
financial statements, 81 financial management-related recommendations 
from prior audits remained open because IRS had not fully addressed the 
issues that gave rise to them. During the fiscal year 2008 financial 
audit, IRS took actions that GAO considered sufficient to close 35. At 
the same time, GAO identified additional internal control issues 
resulting in 16 new recommendations. In total, 62 recommendations 
remain open. 

To assist IRS in evaluating and improving internal controls, GAO 
categorized the 62 open recommendations by various internal control 
activities, which, in turn, were grouped into three broad control 
categories. 

Table: Summary of Open Recommendations by Control Category: 

Safeguarding of assets and security activities: 
Open at the beginning of 2008: 21; 
Closed during 2008 audit: 7; 
New from 2008 audit: 6; 
Total remaining open: 20. 

Proper recording and documenting of transactions: 
Open at the beginning of 2008: 33; 
Closed during 2008 audit: 13; 
New from 2008 audit: 4; 
Total remaining open: 24. 

Effective management review and oversight: 
Open at the beginning of 2008: 27; 
Closed during 2008 audit: 15; 
New from 2008 audit: 6; 
Total remaining open: 18. 

Total: 
Open at the beginning of 2008: 81; 
Closed during 2008 audit: 35; 
New from 2008 audit: 16; 
Total remaining open: 62. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

The continued existence of internal control weaknesses that gave rise 
to these recommendations represents a serious obstacle that IRS needs 
to overcome. Effective implementation of GAOís recommendations can 
greatly assist IRS in improving its internal controls and achieving 
sound financial management and can help enable it to more effectively 
carry out its tax administration responsibilities. Most can be 
addressed in the short term (the next 2 years). However, a few 
recommendations, particularly those concerning IRSís automated systems, 
are complex and will require several more years to effectively address. 

What GAO Recommends: 

GAO is not making any recommendations in this report. In commenting on 
this draft report, IRS stated that it is committed to implementing 
appropriate improvements to maintain sound financial management 
practices. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/products/GAO-09-514]. For more 
information, contact Steven J. Sebastian at (202)512-3406 or 
sebastians@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Scope and Methodology: 

IRS's Progress on Financial Management Recommendations: 

Open Recommendations Grouped by Control Activity: 

Open Recommendations Arranged by Related Material Weakness, Significant 
Deficiency, Compliance Issue, or Other Control Issue: 

Concluding Observations: 

Agency Comments and Our Evaluation: 

Appendix I: Status of GAO Recommendations from Internal Revenue Service 
Financial Audits and Related Management Reports: 

Appendix II: Open Recommendations Arranged by Control or Compliance 
Issue: 

Financial Reporting:
Unpaid Tax Assessments:
Information Security:
Tax Revenue and Refunds:
Release of Federal Tax Liens:
Other Control Issues: 

Appendix III: Comments from the Internal Revenue Service: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Summary of Open Recommendations: 

Table 2: Recommendations to Improve IRS's Physical Controls over 
Vulnerable Assets: 

Table 3: Recommendations to Improve IRS's Segregation of Duties: 

Table 4: Recommendation to Improve IRS's Controls over Information 
Processing: 

Table 5: Recommendations to Improve IRS's Access Restrictions to and 
Accountability for Resources and Records: 

Table 6: Recommendations to Improve IRS's Documentation of Transactions 
and Internal Control: 

Table 7: Recommendations to Improve IRS's Accurate and Timely Recording 
of Transactions and Events: 

Table 8: Recommendations to Improve IRS's Execution of Transaction and 
Events: 

Table 9: Recommendations to Improve IRS's Reviews by Management at the 
Functional or Activity Level: 

Table 10: Recommendations to Improve IRS's Establishment and Review of 
Performance Measures and Indicators: 

Table 11: Recommendations to Improve IRS's Management of Human Capital: 

Table 12: Material Weakness: Controls over Financial Reporting: 

Table 13: Material Weakness: Controls over Unpaid Assessments: 

Table 14: Significant Deficiency: Controls over Revenues and Issuing 
Refunds: 

Table 15: Compliance with Laws and Regulations: Timely Release of 
Liens: 

Table 16: Other Control Issues Not Associated with a Material Weakness 
or Significant Deficiency: 

Abbreviations: 

CCTV: closed circuit television: 

CDDB: Custodial Detail Data Base: 

FFMIA: Federal Financial Management Improvement Act of 1996: 

FISCAM: Federal Information System Controls Audit Manual: 

FMFIA: Federal Managers' Financial Integrity Act of 1982: 

IDRS: Integrated Data Retrieval System: 

IRACS: Interim Revenue and Accounting Control System: 

IRM: Internal Revenue Manual: 

IRS: Internal Revenue Service: 

LMSB: Large and Mid-sized Business: 

NFC: National Finance Center: 

OMB: Office of Management and Budget: 

P&E: property and equipment: 

SCC: service center campus: 

SETS: Security Entry and Tracking System: 

TAC: taxpayer assistance center: 

TE/GE: Tax Exempt and Government Entities: 

TFRP: Trust Fund Recovery Penalty: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

June 25, 2009: 

The Honorable Douglas H. Shulman: 
Commissioner of Internal Revenue: 

Dear Mr. Shulman: 

In its role as the nation's tax collector, the Internal Revenue Service 
(IRS) has a demanding responsibility to collect taxes, process tax 
returns, and enforce the nation's tax laws. In fiscal year 2008, IRS 
collected about $2.7 trillion in tax payments, processed hundreds of 
millions of tax and information returns, and paid about $426 billion in 
refunds to taxpayers. Because of its role and overall mission, IRS's 
activities affect virtually all of the nation's citizens. It is 
therefore critical that the agency strive to maintain sound financial 
management practices. 

IRS has made much progress in improving its financial management since 
it was first required to prepare a set of financial statements and have 
them in fiscal year 1992. This progress was reflected in its ability to 
obtain and maintain a clean audit opinion on its financial statements 
each year beginning in fiscal year 2000, to correct several material 
internal control weaknesses over the years, and to make many other 
improvements in internal control. At the same time, more remains to be 
done to address long-standing internal control issues that continue to 
exist at the agency. IRS continues to have weak or ineffective internal 
controls over fundamental elements of its operations that leave it 
vulnerable to a greater risk of fraud, waste, abuse, and mismanagement. 
This, in turn, has the potential to affect the lives of the nation's 
taxpayers, as our audits over the years have demonstrated. For example, 
IRS's continued failure to promptly release federal tax liens could 
cause undue hardship and burden to taxpayers who are attempting to sell 
property or apply for commercial credit. 

An agency's internal control environment serves as the first line of 
defense in safeguarding its assets and in preventing and detecting 
errors and fraud, as well as in helping to effectively manage its 
stewardship over public resources.[Footnote 1] Unfortunately, IRS 
continues to be challenged with several long-standing material 
weaknesses in internal control that are at the heart of IRS's 
operations.[Footnote 2] During our audit of IRS's fiscal year 2008 
financial statements, we continued to find material weaknesses in 
controls over: 

* financial reporting, 

* unpaid tax assessments, and: 

* information systems security. 

In addition to the material weaknesses, we continued to identify a 
significant deficiency involving IRS's control over tax revenue and 
refunds, which hampers IRS's ability to optimize the use of its 
resources to collect unpaid taxes and minimize payments of improper 
refunds. This significant deficiency was downgraded from a material 
weakness in fiscal year 2008 because IRS took significant steps to 
address the deficiencies comprising the material weakness, such as 
enhancing its cost accounting capabilities and performance measures. 

To assist IRS in strengthening its internal controls and improving its 
operations, we have made numerous recommendations as part of our annual 
financial statement audits and other financial management-related work 
at IRS. This report is being provided to you to (1) provide the status 
of financial audit and financial management-related recommendations and 
the actions needed to address them and (2) demonstrate how the 
recommendations relate to control activities central to IRS's mission 
and goals. We are not making any recommendations in this report. 

Our work was performed from December 2008 through May 2009 in 
accordance with generally accepted government auditing standards. For 
further details regarding our approach to this audit, see the Scope and 
Methodology section. 

Background: 

Internal control is not one event, but a series of activities that 
occur throughout an entity's operations and on an ongoing basis. 
Internal control should be recognized as an integral part of each 
system that management uses to regulate and guide its operations rather 
than as a separate system within an agency. In this sense, internal 
control is management control that is built into the entity as a part 
of its infrastructure to help managers run the entity and achieve their 
goals on an ongoing basis. 

Section 3512 (c), (d) of Title 31, U.S. Code, commonly known as the 
Federal Managers' Financial Integrity Act of 1982 (FMFIA), requires 
agencies to establish and maintain internal control. The agency head 
must annually evaluate and report on the control and financial systems 
that protect the integrity of federal programs. The requirements of 
FMFIA serve as an umbrella under which other reviews, evaluations, and 
audits should be coordinated and considered to support management's 
assertion about the effectiveness of internal control over operations, 
financial reporting, and compliance with laws and regulations. 

Office of Management and Budget (OMB) Circular No. A-123, Management's 
Responsibility for Internal Control, provides the implementing guidance 
for FMFIA, and sets out the specific requirements for assessing and 
reporting on internal controls consistent with the internal control 
standards issued by the Comptroller General of the United States. 
[Footnote 3] The circular defines management's responsibilities related 
to internal control and the process for assessing internal control 
effectiveness, and provides specific requirements for conducting 
management's assessment of the effectiveness of internal control over 
financial reporting. The circular requires management to annually 
provide assurances on internal control in its performance and 
accountability report, and for each of the 24 Chief Financial Officers 
Act agencies to include a separate assurance on internal control over 
financial reporting, along with a report on identified material 
weaknesses and corrective actions.[Footnote 4] The circular also 
emphasizes the need for integrated and coordinated internal control 
assessments that synchronize all internal control-related activities. 

FMFIA requires GAO to issue standards for internal control in the 
federal government. The Standards for Internal Control in the Federal 
Government (i.e., internal control standards) provides the overall 
framework for establishing and maintaining effective internal control 
and for identifying and addressing major performance and management 
challenges and areas at greatest risk of fraud, waste, abuse, and 
mismanagement. 

As summarized in the internal control standards, internal control in 
the government is defined by the following five elements, which also 
provide the basis against which internal controls are to be evaluated: 

* Control environment: Management and employees should establish and 
maintain an environment throughout the organization that sets a 
positive and supportive attitude toward internal control and 
conscientious management. 

* Risk assessment: Internal control should provide for an assessment of 
the risks the agency faces from both external and internal sources. 

* Control activities: Internal control activities help ensure that 
management's directives are carried out. The control activities should 
be effective and efficient in accomplishing the agency's control 
objectives. 

* Information and communications: Information should be recorded and 
communicated to management and others within the entity who need it and 
in a form and within a time frame that enables them to carry out their 
internal control and other responsibilities. 

* Monitoring: Internal control monitoring should assess the quality of 
performance over time and ensure that the findings of audits and other 
reviews are promptly resolved. 

A key objective in our annual audits of IRS's financial statements is 
to obtain reasonable assurance that IRS maintained effective internal 
controls with respect to financial reporting, including safeguarding of 
assets, and compliance with laws and regulations. While we use all five 
elements of internal control as a basis for evaluating the 
effectiveness of IRS's internal controls, our ongoing evaluations and 
tests have focused heavily on control activities to identify internal 
control weaknesses and offer recommendations for corrective action. 
Control activities are the policies, procedures, techniques, and 
mechanisms that enforce management's directives. In other words, they 
are the activities conducted in the everyday course of business that 
are intended to accomplish a control objective, such as ensuring IRS 
employees successfully complete background checks prior to being 
granted access to taxpayer information and receipts. As such, control 
activities are an integral part of an entity's planning, implementing, 
reviewing, and accountability for stewardship of government resources 
and achievement of effective results. 

Scope and Methodology: 

To accomplish our objectives, we evaluated the effectiveness of 
corrective actions IRS implemented during fiscal year 2008 in response 
to open recommendations as part of our fiscal years 2008 and 2007 
financial audits. To determine the current status of the 
recommendations, we (1) obtained IRS's reported status of each 
recommendation and corrective action taken or planned as of April 2009, 
(2) compared IRS's reported status to our fiscal year 2008 audit 
findings to identify any differences between IRS's and our conclusions 
regarding the status of each recommendation, and (3) performed 
additional follow-up work regarding IRS's actions taken to address the 
open recommendations. 

In order to determine how these recommendations fit within IRS's 
management and internal control structure, we compared the open 
recommendations and the issues that gave rise to them, to the control 
activities listed in the internal control standards and to the list of 
major factors and examples outlined in our Internal Control Management 
and Evaluation Tool.[Footnote 5] We also considered how the 
recommendations and the underlying issues were categorized in our prior 
reports; whether IRS had addressed, in whole or in part, the underlying 
control issues that gave rise to the recommendations; and other legal 
requirements and implementing guidance, such as OMB Circular No. A-123; 
FMFIA; and the Federal Information System Controls Audit Manual 
(FISCAM).[Footnote 6] 

Our work was performed from December 2008 through May 2009 in 
accordance with generally accepted government auditing standards. 
Further details on our audit scope and methodology are included in our 
report on the results of our audits of IRS's fiscal years 2008 and 2007 
financial statements.[Footnote 7] 

We requested comments on a draft of this report from the Commissioner 
of Internal Revenue or his designee on May 26, 2009. We received 
comments from the Commissioner on June 11, 2009. We have reprinted 
IRS's written comments in appendix III. 

IRS's Progress on Financial Management Recommendations: 

IRS continues to make progress addressing its significant financial 
management challenges. Over the years since we first began auditing 
IRS's financial statements in fiscal year 1992, IRS has taken actions 
that enabled us to close over 200 of our financial management-related 
recommendations. This includes 35 recommendations we are closing based 
on actions IRS took during the period covered by our fiscal year 2008 
financial audit. At the same time, however, our audits continue to 
identify additional internal control issues, resulting in further 
recommendations for corrective action, including 16 new financial 
management-related recommendations resulting from our fiscal year 2008 
financial audit. These internal control issues, and the resulting 
recommendations, can be directly traced to the control activities in 
the internal control standards. As such, it is essential that they be 
fully addressed and resolved to strengthen IRS's overall financial 
management to efficiently and effectively achieve its goals and 
mission. 

Status of Recommendations Based on the Fiscal Year 2008 Financial 
Statement Audit: 

In July 2008, we issued a report on the status of IRS's efforts to 
implement corrective actions to address financial management 
recommendations stemming from our fiscal year 2007 and prior year 
financial audits and other financial management-related work.[Footnote 
8] In that report, we identified 81 audit recommendations that remained 
open and thus required corrective action by IRS. A significant number 
of these recommendations had been open for several years, either 
because IRS had not taken corrective action or because the actions 
taken had not yet effectively resolved the issues that gave rise to the 
recommendations. 

IRS continued to work to address many of the internal control issues to 
which these open recommendations relate. In the course of performing 
our fiscal year 2008 financial audit, we identified numerous actions 
IRS took to address many of its internal control issues. On the basis 
of IRS's actions, which we were able to substantiate through our audit, 
we are able to close 35 of these prior years' recommendations. IRS 
considers another 18 of the prior years' recommendations to be 
effectively addressed. However, we still consider them to be open 
either because we have not yet been able to verify the effectiveness of 
IRS's actions or because, in our view, the actions taken did not fully 
address the issue that gave rise to the recommendation. 

Forty-six recommendations from prior years remain open, a significant 
number of which have been outstanding for several years. During our 
audit of IRS's fiscal year 2008 financial statements, we identified 
additional issues that require corrective action. In a recent 
management report to IRS,[Footnote 9] we discussed these issues, and 
made 16 new recommendations to address them. Consequently, 62 financial 
management-related recommendations need to be addressed. While most of 
these can be addressed in the short term,[Footnote 10] a few, 
particularly those concerning IRS's automated systems, are complex and 
will require several more years to fully and effectively address. We 
consider 52 recommendations to be short-term and 10 to be long-term. 

In addition to the 62 open recommendations from our financial audits 
and other financial management-related work, there are 74 open 
recommendations stemming from our assessment of IRS's information 
security controls over key financial systems, information, and 
interconnected networks. Those 74 primarily relate to lack of an 
agencywide information security program, which was a key reason for the 
material weakness in IRS's information systems security controls over 
its financial and tax processing systems. Unresolved, previously 
reported recommendations and newly identified recommendations related 
to information security increase the risk of unauthorized disclosure, 
modification, or destruction of financial and sensitive taxpayer data. 
Recommendations resulting from the information security issues 
identified in our annual audits of IRS's financial statements are 
reported separately because of the sensitive nature of these issues. 

Appendix I presents a list of (1) the 81 recommendations based on our 
financial statement audits and other financial management-related work 
that we had not previously reported as closed, (2) IRS-reported 
corrective actions taken or planned as of April 2009, and (3) our 
analysis of whether the issues that gave rise to the recommendations 
have been effectively addressed based primarily on the work performed 
during our fiscal year 2008 financial statement audit. Appendix I 
includes recommendations based on our fiscal year 2008 financial 
statement audit. The appendix lists the recommendations by the date on 
which the recommendation was made and by report number. Appendix II 
presents the open recommendations arranged by related material 
weakness, significant deficiency, compliance issue, or other control 
issue as described in our opinion report on IRS's financial statements. 
[Footnote 11] 

Open Recommendations Grouped by Control Activity: 

Linking the open recommendations from our financial audits and other 
financial management-related work, and the issues that gave rise to 
them, to internal control activities that are central to IRS's tax 
administration responsibilities provides insight regarding their 
significance. 

The internal control standards define 11 control activities grouped 
into three broad categories as shown in table 1.[Footnote 12] The open 
recommendations from our financial audits and financial management- 
related work, and the underlying issues that gave rise to them, can be 
traced to one of the control activities. 

Table 1: Summary of Open Recommendations: 

Control category/control activity: Safeguarding of assets and security 
activities: Physical control over vulnerable assets; 
Open at the beginning of 2008: 9; 
Closed during 2008 audit: 4; 
New from 2008 audit: 6; 
Total remaining open: 11; 
Percentage: 18. 

Control category/control activity: Safeguarding of assets and security 
activities: Segregation of duties; 
Open at the beginning of 2008: 3; 
Closed during 2008 audit: 0; 
New from 2008 audit: 0; 
Total remaining open: 3; 
Percentage: 5. 

Control category/control activity: Safeguarding of assets and security 
activities: Controls over information processing; 
Open at the beginning of 2008: 1; 
Closed during 2008 audit: 0; 
New from 2008 audit: 0; 
Total remaining open: 1; 
Percentage: 1. 

Control category/control activity: Safeguarding of assets and security 
activities: Access restrictions to and accountability for resources and 
records; 
Open at the beginning of 2008: 8; 
Closed during 2008 audit: 3; 
New from 2008 audit: 0; 
Total remaining open: 5; 
Percentage: 8. 

Control category/control activity: Safeguarding of assets and security 
activities: Subtotal; 
Open at the beginning of 2008: 21; 
Closed during 2008 audit: 7; 
New from 2008 audit: 6; 
Total remaining open: 20; 
Percentage: 32. 

Control category/control activity: Proper recording and documenting of 
transactions: Appropriate documentation of transactions and internal 
controls; 
Open at the beginning of 2008: 12; 
Closed during 2008 audit: 3; 
New from 2008 audit: 0; 
Total remaining open: 9; 
Percentage: 15. 

Control category/control activity: Proper recording and documenting of 
transactions: Accurate and timely recording of transactions and events; 
Open at the beginning of 2008: 18; 
Closed during 2008 audit: 9; 
New from 2008 audit: 3; 
Total remaining open: 12; 
Percentage: 19. 

Control category/control activity: Proper recording and documenting of 
transactions: Proper execution of transactions and events; 
Open at the beginning of 2008: 3; 
Closed during 2008 audit: 1; 
New from 2008 audit: 1; 
Total remaining open: 3; 
Percentage: 5. 

Control category/control activity: Proper recording and documenting of 
transactions: Subtotal; 
Open at the beginning of 2008: 33; 
Closed during 2008 audit: 13; 
New from 2008 audit: 4; 
Total remaining open: 24; 
Percentage: 39. 

Control category/control activity: Effective management review and 
oversight: Reviews by management at the functional or activity level; 
Open at the beginning of 2008: 19; 
Closed during 2008 audit: 9; 
New from 2008 audit: 3; 
Total remaining open: 13; 
Percentage: 21. 

Control category/control activity: Effective management review and 
oversight: Establishment and review of performance measures and 
indicators; 
Open at the beginning of 2008: 3; 
Closed during 2008 audit: 3; 
New from 2008 audit: 3; 
Total remaining open: 3; 
Percentage: 5. 

Control category/control activity: Effective management review and 
oversight: Management of human capital; 
Open at the beginning of 2008: 5; 
Closed during 2008 audit: 3; 
New from 2008 audit: 0; 
Total remaining open: 2; 
Percentage: 3. 

Control category/control activity: Effective management review and 
oversight: Subtotal; 
Open at the beginning of 2008: 27; 
Closed during 2008 audit: 15; 
New from 2008 audit: 6; 
Total remaining open: 18; 
Percentage: 29. 

Control category/control activity: Total; 
Open at the beginning of 2008: 81; 
Closed during 2008 audit: 35; 
New from 2008 audit: 16; 
Total remaining open: 62; 
Percentage: 100. 

Source: GAO analysis of the status of financial management 
recommendations made to IRS. 

[End of table] 

As table 1 indicates, 20 recommendations (32 percent) relate to issues 
associated with IRS's lack of effective controls over safeguarding of 
assets and security activities. Another 24 recommendations (39 percent) 
relate to issues associated with IRS's inability to properly record and 
document transactions. The remaining 18 open recommendations (29 
percent) relate to issues associated with the lack of effective 
management review and oversight. 

On the following pages, we group the 62 open recommendations under the 
control activity to which the condition that gave rise to them most 
appropriately fits. We first define each control activity as presented 
in the internal control standards and briefly identify some of the key 
IRS operations that fall under that control activity. Although not 
comprehensive, the descriptions are intended to help explain why 
actions to strengthen these control activities are important for IRS to 
efficiently and effectively carry out its overall mission. For each 
recommendation, we also indicate whether it is a short-term or long- 
term recommendation. For those characterized as short-term, we believe 
that IRS has the capability to implement solutions within 2 years. 

Safeguarding of Assets and Security Activities: 

Given IRS's mission, the sensitivity of the data it maintains, and its 
processing of trillions of dollars of tax receipts each year, one of 
the most important control activities at IRS is the safeguarding of 
assets. Internal control in this important area should be designed to 
provide reasonable assurance regarding prevention or prompt detection 
of unauthorized acquisition, use, or disposition of an agency's assets. 
We have grouped together the four control activities in the internal 
control standards that relate to safeguarding of assets (including tax 
receipts) and security activities (such as limiting access to only 
authorized personnel): (1) physical control over vulnerable assets, (2) 
segregation of duties, (3) controls over information processing, and 
(4) access restrictions to and accountability for resources and 
records. 

Physical Control over Vulnerable Assets: 

Internal control standard: An agency must establish physical control to 
secure and safeguard vulnerable assets. Examples include security for 
and limited access to assets such as cash, securities, inventories, and 
equipment which might be vulnerable to risk of loss or unauthorized 
use. Such assets should be periodically counted and compared to control 
records. 

IRS collects trillions of dollars in taxes each year, a significant 
amount of which is collected in the form of checks and cash accompanied 
by tax returns and related information. IRS collects taxes both at its 
own facilities as well as at lockbox banks that operate under contract 
with the Department of the Treasury's (Treasury) Financial Management 
Service. IRS acts as custodian for (1) the tax payments it receives 
until they are deposited in the General Fund of the U.S. Treasury and 
(2) the tax returns and related information it receives until they are 
either sent to the Federal Records Center or destroyed. IRS is also 
charged with controlling many other assets, such as computers and other 
equipment, but IRS's legal responsibility to safeguard tax returns and 
the confidential information taxpayers provide on tax returns makes the 
effectiveness of its internal controls with respect to physical 
security essential. 

While effective physical safeguards over receipts should exist 
throughout the year, such safeguards are especially important during 
the peak tax filing season. Each year during the weeks preceding and 
shortly after April 15, an IRS service center campus (SCC) or lockbox 
bank may receive and process daily over 100,000 pieces of mail 
containing returns, receipts, or both. The dollar value of receipts 
each SCC and lockbox bank processes increases to hundreds of millions 
of dollars a day during the April 15 time frame. 

The following 11 recommendations are designed to improve IRS's physical 
controls over vulnerable assets. We consider all of them to be 
correctable on a short-term basis. (See table 2.) 

Table 2: Recommendations to Improve IRS's Physical Controls over 
Vulnerable Assets: 

ID no.: 04-08; 
Recommendations: Enforce policies and procedures to ensure that service 
center campus security guards respond to alarms. (short-term) 

ID no.: 06-05; 
Recommendations: Equip all Taxpayer Assistance Centers (TACs) with 
adequate physical security controls to deter and prevent unauthorized 
access to restricted areas or office space occupied by other IRS units, 
including those TACs that are not scheduled to be reconfigured to the 
"new TAC" model in the near future. This includes appropriately 
separating customer service waiting areas from restricted areas in the 
near future by physical barriers such as locked doors marked with signs 
barring entrance by unescorted customers. (short-term) 

ID no.: 06-08; 
Recommendations: Enforce the requirement that all security or other 
responsible personnel at service center campuses (SCC) and lockbox 
banks record all instances involving the activation of intrusion 
alarms, regardless of the circumstances that may have caused the 
activation. (short-term) 

ID no.: 07-04; 
Recommendations: Develop and implement appropriate corrective actions 
for any gaps in closed circuit television (CCTV) camera coverage that 
do not provide an unobstructed view of the entire exterior of the SCC's 
perimeter, such as adding or repositioning existing CCTV cameras or 
removing obstructions. (short-term) 

ID no.: 07-20; 
Recommendations: Establish and maintain sufficient secured storage 
space to properly secure and safeguard property and equipment 
inventory, including in-stock inventories, assets from incoming 
shipments, and assets that are in the process of being excessed and/or 
shipped out. (short-term) 

ID no.: 09-03; 
Recommendations: Document in the Internal Revenue Manual (IRM) minimum 
requirements for establishing criteria for time discrepancies or other 
inconsistencies, which if noted as part of the required monitoring of 
Form 10160, Receipt for Transport of IRS Deposit, would require off-
site surveillance of couriers. (short-term) 

ID no.: 09-04; 
Recommendations: Document in the IRM minimum requirements for 
conducting off-site surveillance of couriers entrusted with taxpayer 
receipts and information. (short-term) 

ID no.: 09-06; 
Recommendations: Establish procedures to ensure that an inventory of 
all duress alarms is documented for each location and is readily 
available to individuals conducting duress alarm tests before each test 
is conducted. (short-term) 

ID no.: 09-07; 
Recommendations: Establish procedures to periodically update the 
inventory of duress alarms at each TAC location to ensure that the 
inventory is current and complete as of the testing date. (short-term) 

ID no.: 09-08; 
Recommendations: Provide instructions for conducting quarterly duress 
alarm tests to ensure that IRS officials conducting the test (1) 
document the test results for each duress alarm listed in the 
inventory, including date, findings, and planned corrective action and 
(2) track the findings until they are properly resolved. (short-term) 

ID no.: 09-09; 
Recommendations: Establish procedures requiring that each physical 
security analyst conduct a periodic documented review of the Emergency 
Signal History Report and emergency contact list for its respective 
location to ensure that (1) appropriate corrective actions have been 
planned for all incidents reported by the central monitoring station 
and (2) the emergency contact list for each location is current and 
includes only appropriate contacts. (short-term) 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Segregation of Duties: 

Internal control standard: Key duties and responsibilities need to be 
divided or segregated among different people to reduce the risk of 
error or fraud. This should include separating the responsibilities for 
authorizing transactions, processing and recording them, reviewing the 
transactions, and handling any related assets. No one individual should 
control all key aspects of a transaction or event. 

IRS employees process trillions of dollars of tax receipts each year, 
of which hundreds of billions are received in the form of cash or 
checks, and for processing hundreds of billions of dollars in refunds 
to taxpayers.[Footnote 13] Consequently, it is critical that IRS 
maintain appropriate separation of duties to allow for adequate 
oversight of staff and protection of these vulnerable resources so that 
no single individual would be in a position of causing an error or 
irregularity, potentially converting the asset to personal use, and 
then concealing it. For example, when an IRS field office or lockbox 
bank receives taxpayer receipts and returns, it is responsible for 
depositing the cash and checks in a depository institution and 
forwarding the related information received to an SCC for further 
processing. In order to adequately safeguard receipts from theft, the 
person responsible for recording the information from the taxpayer 
receipts on a voucher should be different from the individual who 
prepares those receipts for transmittal to the SCC for further 
processing. Also, for procurement of goods and services, the person who 
places an order for goods and services should be different from the 
person who receives the goods and services. Such separation of duties 
will help to prevent the occurrence of fraud, theft of IRS assets, or 
both. 

Implementing the following three recommendations would help IRS improve 
its separation of duties, which will in turn strengthen its controls 
over tax receipts and refunds and procurement activities. All are short-
term in nature. (See table 3.) 

Table 3: Recommendations to Improve IRS's Segregation of Duties: 

ID no.: 02-16; 
Recommendations: Ensure that field office management complies with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments. (short-
term) 

ID no.: 05-32; 
Recommendations: Establish policies and procedures to require 
appropriate segregation of duties in small business/self-employed units 
of field offices with respect to preparation of Payment Posting 
Vouchers, Document Transmittal forms, and transmittal packages. (short-
term) 

ID no.: 07-21; 
Recommendations: Develop and implement procedures to require that 
separate individuals place orders with vendors and perform receipt and 
acceptance functions when the orders are delivered. (short-term) 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Controls over Information Processing: 

Internal control standard: A variety of control activities are used in 
information processing. Examples include edit checks of data entered, 
accounting for transactions in numerical sequences, and comparing file 
totals with control totals. There are two broad groupings of 
information systems control--general control (for hardware such as 
mainframe, network, end-user environments) and application control 
(processing of data within the application software). General controls 
include entitywide security program planning, management, and backup 
recovery procedures and contingency and disaster planning. Application 
controls are designed to help ensure completeness, accuracy, 
authorization, and validity of all transactions during application 
processing. 

IRS relies extensively on computerized systems to support its financial 
and mission-related operations. To efficiently fulfill its tax 
processing responsibilities, IRS relies extensively on interconnected 
networks of computer systems to perform various functions, such as 
collecting and storing taxpayer data, processing tax returns, 
calculating interest and penalties, generating refunds, and providing 
customer service. 

As part of our annual audits of IRS's financial statements, we assess 
the effectiveness of IRS's information security controls over key 
financial systems, data, and interconnected networks at IRS's critical 
data processing facilities that support the processing, storage, and 
transmission of sensitive financial and taxpayer data.[Footnote 14] 
From that effort over the years, we have identified information 
security control weaknesses that impair IRS's ability to ensure the 
confidentiality, integrity, and availability of its sensitive financial 
and taxpayer data. As of January 2009, there were 74 open 
recommendations from our information security work designed to improve 
IRS's information security controls.[Footnote 15] As discussed 
previously, recommendations resulting from our information security 
work are reported separately and are not included in this report 
primarily because of the sensitive nature of these issues. 

However, the following short-term recommendation is related to systems 
limitations and IRS's need to enhance its computer programs. (See table 
4.) 

Table 4: Recommendation to Improve IRS's Controls over Information 
Processing: 

ID no.: 02-18; 
Recommendations: Work with the National Finance Center (NFC) to resolve 
the technical limitations that exist within the Security Entry and 
Tracking System (SETS) database and continue to periodically review 
SETS data to detect and correct errors. (short-term) 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Access Restrictions to and Accountability for Resources and Records: 

Internal control standard: Access to resources and records should be 
limited to authorized individuals, and accountability for their custody 
and use should be assigned and maintained. Periodic comparison of 
resources with the recorded accountability should be made to help 
reduce the risk of errors, fraud, misuse, or unauthorized alteration. 

Because IRS deals with a large volume of cash and checks, it is 
imperative that it maintain strong controls to appropriately restrict 
access to those assets, the records that track those assets, and 
sensitive taxpayer information. Although IRS has a number of both 
physical and information systems controls in place, some of the issues 
we have identified in our financial audits over the years pertain to 
ensuring that those individuals who have direct access to these cash 
and checks are appropriately vetted before being granted access to 
taxpayer receipts and information and to ensuring that IRS maintains 
effective access security control. 

The following five short-term recommendations were intended to help IRS 
improve its access restrictions to assets and records. (See table 5.) 

Table 5: Recommendations to Improve IRS's Access Restrictions to and 
Accountability for Resources and Records: 

ID no.: 08-12; 
Recommendations: Establish procedures to require documentation 
demonstrating that favorable background checks have been completed for 
all contractors prior to allowing them access to TAC and other field 
offices. (short-term) 

ID no.: 08-13; 
Recommendations: Require including, in all shredding service contracts, 
provisions requiring (1) completed background investigations for 
contractor employees before they are granted access to sensitive IRS 
information and (2) periodic, unannounced inspections at off-site 
shredding facilities by IRS to verify ongoing compliance with IRS 
safeguards and security requirements. (short-term) 

ID no.: 08-15; 
Recommendations: Establish procedures to require obtaining and 
reviewing documentation of completed background investigations for all 
shredding contractors before granting them access to taxpayer or other 
sensitive IRS information. (short-term) 

ID no.: 08-16; 
Recommendations: Reinforce existing policies requiring the use of the 
revised Form 13094 when hiring juveniles. (short-term) 

ID no.: 08-17; 
Recommendations: Reinforce existing policies requiring verification of 
the information on Form 13094 by contacting the reference directly and 
documenting the details of this contact. (short-term) 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Proper Recording and Documenting of Transactions: 

IRS has a number of internal control issues that relate to recording 
transactions, documenting events, and tracking the processing of 
taxpayer receipts or information. We have grouped three control 
activities together that relate to proper recording and documenting of 
transactions: (1) appropriate documentation of transactions and 
internal controls, (2) accurate and timely recording of transactions 
and events, and (3) proper execution of transactions and events. 

Appropriate Documentation of Transactions and Internal Control: 

Internal control standard: Internal control and all transactions and 
other significant events need to be clearly documented, and the 
documentation should be readily available for examination. The 
documentation should appear in management directives, administrative 
policies, or operating manuals and may be in paper or electronic form. 
All documentation and records should be properly managed and 
maintained. 

IRS collects and processes trillions of dollars in taxpayer receipts 
annually both at its own facilities and at lockbox banks under contract 
to process taxpayer receipts for the federal government. Therefore, it 
is important that IRS maintain effective controls to ensure that all 
documents and records are properly and timely recorded, managed, and 
maintained both at its facilities and at the lockbox banks. IRS must 
adequately document and disseminate its procedures to ensure that they 
are available for IRS employees. IRS must also document its management 
reviews of controls, such as those regarding refunds and returned 
checks, credit card purchases, and reviews of taxpayer assistance 
centers (TAC). Finally, to ensure future availability of adequate 
documentation, IRS must ensure that its systems, particularly those now 
being developed and implemented, have appropriate capability to trace 
transactions. 

Resolving the following nine recommendations would assist IRS in 
improving its documentation of transactions and internal control 
procedures. Eight of these recommendations are short-term, and one is 
long-term. (See table 6.) 

Table 6: Recommendations to Improve IRS's Documentation of Transactions 
and Internal Control: 

ID no.: 05-39; 
Recommendations: Enforce requirements for documenting monitoring 
actions and supervisory review for manual refunds. (short-term) 

ID no.: 06-01; 
Recommendations: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing. (short-term) 

ID no.: 06-02; 
Recommendations: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including SCCs, TACs, and units within Large and 
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities 
(TE/GE), establish a system to track acknowledged copies of document 
transmittals. (short-term) 

ID no.: 06-04; 
Recommendations: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines. (short-term) 

ID no.: 06-07; 
Recommendations: Document supervisory visits by offsite managers to 
TACs not having a manager permanently on-site. This documentation 
should be signed by the manager and should (1) record the time and date 
of the visit, (2) identify the manager performing the visit, (3) 
indicate the tasks performed during the visit, (4) note any problems 
identified, and (5) describe corrective actions planned. (short-term) 

ID no.: 07-15; 
Recommendations: Issue a memorandum to employees in the Centralized 
Insolvency Office reiterating the Internal Revenue Manual (IRM) 
requirement to timely record bankruptcy discharge information onto 
taxpayer accounts in the master file or to manually release the liens 
in the Automated Lien System. (short-term) 

ID no.: 08-01; 
Recommendations: As IRS proceeds with its implementation of the 
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it 
becomes fully operational and is used in conjunction with the Interim 
Revenue and Accounting Control System (IRACS), will provide IRS with 
the direct transaction traceability for all of its tax-related 
transactions as required by the U.S. Standard General Ledger (SGL), 
Federal Financial Management System Requirements (FFMSR), and the 
Federal Financial Management Improvement Act of 1996 (FFMIA). (long- 
term) 

ID no.: 08-02; 
Recommendations: Document and implement the specific procedures to be 
performed by the IRS statistician in each step of the unpaid assessment 
estimation process. (short-term) 

ID no.: 08-07; 
Recommendations: Develop and provide comprehensive guidance to assist 
TAC managers in conducting reviews of outlying TACs and documenting the 
results. This guidance should include a description of the key controls 
that should be in place at outlying TACs, specify how often these key 
controls should be reviewed, and specify how the results of each review 
should be documented, including follow-up on issues identified in 
previous TAC reviews. (short-term) 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Accurate and Timely Recording of Transactions and Events: 

Internal control standard: Transactions should be promptly recorded to 
maintain their relevance and value to management in controlling 
operations and making decisions. This applies to the entire process or 
life cycle of a transaction or event from the initiation and 
authorization through its final classification in summary records. In 
addition, control activities help to ensure that all transactions are 
completely and accurately recorded. 

IRS maintains taxpayer records for tens of millions of taxpayers in 
addition to maintaining its own financial records. To carry out this 
responsibility, IRS often has to rely on outdated computer systems or 
manual work-arounds. Unfortunately, some of IRS's recordkeeping 
difficulties we have reported on over the years will not be addressed 
until it can replace its aging systems, an effort that is long-term and 
partly depends on future funding. 

Implementation of the following 12 recommendations would strengthen 
IRS's recordkeeping abilities. (See table 7.) Seven of these 
recommendations are short-term, and 5 are long-term regarding 
requirements for new systems for maintaining taxpayer records. Several 
of the recommendations listed deal with financial reporting processes, 
such as maintaining subsidiary records, recording budgetary 
transactions, and tracking program costs. Some of the issues that gave 
rise to several of our recommendations directly affect taxpayers, such 
as those involving duplicate assessments, errors in calculating and 
reporting manual interest, errors in calculating penalties, and 
recovery of trust fund penalty assessments. Seven of these 
recommendations have remained open at least 5 years and one over 10 
years, reflecting the complex nature of the underlying systems issues 
that must be resolved to fully address some of these issues. 

Table 7: Recommendations to Improve IRS's Accurate and Timely Recording 
of Transactions and Events: 

ID no.: 94-02; 
Recommendations: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts, and 
test the effectiveness of these actions. (short-term) 

ID no.: 99-01; 
Recommendations: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure that all accounts 
related to a single assessment are appropriately credited for payments 
received. (short-term) 

ID no.: 99-03; 
Recommendations: Ensure that IRS's modernization blueprint includes 
developing a subsidiary ledger to accurately and promptly identify, 
classify, track, and report all IRS unpaid assessments by amount and 
taxpayer. This subsidiary ledger must also have the capability to 
distinguish unpaid assessments by category in order to identify those 
assessments that represent taxes receivable versus compliance 
assessments and write-offs. In cases involving trust fund recovery 
penalties, the subsidiary ledger should ensure that (1) the trust fund 
recovery penalty assessment is appropriately tracked for all taxpayers 
liable but counted only once for reporting purposes and (2) all 
payments made are properly credited to the accounts of all individuals 
assessed for the liability. (short-term) 

ID no.: 99-20; 
Recommendations: Analyze and determine the factors causing delays in 
processing and posting Trust Fund Recovery Penalty (TFRP) assessments. 
Once these factors have been determined, IRS should develop procedures 
to reduce the impact of these factors and to ensure timely posting to 
all applicable accounts and proper offsetting of refunds against unpaid 
assessments before issuance. (long-term) 

ID no.: 99-36; 
Recommendations: Make enhancements to IRS financial systems to include 
recording plant and equipment (P&E) and capital leases as assets when 
purchased and to generate detailed records for P&E that reconcile to 
the financial records. (long-term) 

ID no.: 01-17; 
Recommendations: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur. (long-term) 

ID no.: 01-39; 
Recommendations: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities. (long-term) 

ID no.: 06-22; 
Recommendations: Direct Facilities Management Branch managers to 
research and resolve the aging reports. (short-term) 

ID no.: 08-06; 
Recommendations: In instances where computer programs are not 
functioning in accordance with the intent of the IRM, take appropriate 
action to correct the programs so that they function in accordance with 
the IRM. (long-term) 

ID no.: 09-01; 
Recommendations: Correct the Integrated Data Retrieval System (IDRS) 
computer program for identifying individual taxpayers who have entered 
into an installment agreement so that except in situations where the 
taxpayer did not file the tax return timely, failure-to-pay penalty 
assessments made after the date of the installment agreement are 
calculated using the monthly one-quarter of one percent penalty rate on 
all of the taxpayer's accounts covered by the installment agreement. 
(short-term) 

ID no.: 09-12; 
Recommendations: Reiterate IRS's existing policy requiring that 
transactions be recorded accurately to the undelivered orders 
obligation accounts. (short-term) 

ID no.: 09-13; 
Recommendations: Perform existing reviews of transactions recorded in 
undelivered orders obligation accounts in a more timely manner in an 
effort to detect and correct errors, such as duplicate receipt and 
acceptance charges, earlier in the process. (short-term) 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Proper Execution of Transactions and Events: 

Internal control standard: Transactions and other significant events 
should be authorized and executed only by persons acting within the 
scope of their authority. This is the principal means of ensuring that 
only valid transactions to exchange, transfer, use, or commit resources 
and other events are initiated or entered into. Authorizations should 
be clearly communicated to managers and employees. 

Each year, IRS pays out hundreds of billions of dollars in tax refunds, 
some of which are distributed to taxpayers manually.[Footnote 16] IRS 
requires that all manual refunds be approved by designated officials. 
However, weaknesses in controls for authorizing such refunds expose the 
federal government to losses because of the issuance of improper 
refunds. Likewise, the failure to ensure that employees obtain 
appropriate authorizations to use purchase cards or initiate travel 
similarly leave the government open to fraud, waste, or abuse. Dealing 
with the following three short-term recommendations would improve IRS's 
controls over its manual refund, travel, and purchase card 
transactions. (See table 8.) 

Table 8: Recommendations to Improve IRS's Execution of Transaction and 
Events: 

ID no.: 05-37; 
Recommendations: Enforce documentation requirements relating to 
authorizing officials charged with approving manual refunds. (short-
term) 

ID no.: 08-24; 
Recommendations: Issue a memorandum to employees that reiterates IRS 
policy requiring all employees to obtain appropriate approvals of 
travel authorizations prior to the initiation of their travel. (short-
term) 

ID no.: 09-10; 
Recommendations: Develop, document, and implement procedures to 
regularly monitor the timeliness of purchase card approvals. This 
should include establishing procedures and responsibility for 
identifying and following up on instances of noncompliance with 
required approval timeframes. (short-term) 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Effective Management Review and Oversight: 

All personnel within IRS have an important role in establishing and 
maintaining effective internal controls, but IRS's managers have 
additional review and oversight responsibilities. Management must set 
the objectives, put control activities in place, and monitor and 
evaluate controls to ensure that they are followed. Without adequate 
monitoring by managers, there is a risk that internal control 
activities may not be carried out effectively and in a timely manner. 

We have grouped three control activities related to effective 
management review and oversight: (1) reviews by management at the 
functional or activity level, (2) establishment and review of 
performance measures and indicators, and (3) management of human 
capital. Although we also include the control activity "top-level 
reviews of actual performance" in this grouping, we do not have any 
open recommendations to IRS related to this internal control activity. 

Reviews by Management at the Functional or Activity Level: 

Internal control standard: Managers need to compare actual performance 
to planned or expected results throughout the organization and analyze 
significant differences. 

IRS employs over 100,000 full-time and seasonal employees. In addition, 
as discussed earlier, Treasury's Financial Management Service contracts 
with banks to process tens of thousands of individual receipts, 
totaling hundreds of billions of dollars. Management oversight of 
operations is important at any organization, but is imperative at IRS 
given its mission. 

Implementing the following 11 short-term and 2 long-term 
recommendations would improve IRS's management oversight of courier 
services, contractor facilities, penalty calculations, timely release 
of liens, issuance of manual refunds, and use of appropriated funds. 
(See table 9.) These recommendations were made because an internal 
control activity either did not exist or the existing control was not 
being adequately or consistently applied. 

Table 9: Recommendations to Improve IRS's Reviews by Management at the 
Functional or Activity Level: 

ID no.: 99-22; 
Recommendations: Expand IRS's current review of campus deterrent 
controls to include similar analyses of controls at IRS field offices 
in areas such as courier security, safeguarding of receipts in locked 
containers, requirements for fingerprinting employees, and requirements 
for promptly overstamping checks made out to "IRS" with "Internal 
Revenue Service" or "United States Treasury." Based on the results, IRS 
should make appropriate changes to strengthen its physical security 
controls. (short-term) 

ID no.: 01-06; 
Recommendations: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues. (short-term) 

ID no.: 05-33; 
Recommendations: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information. (short-term) 

ID no.: 05-38; 
Recommendations: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts for manual refunds. (short-term) 

ID no.: 07-24; 
Recommendations: To the extent that IRS intends to use the information 
security work conducted under the Federal Information Security 
Management Act of 2002 (FISMA) to meet related A-123 requirements, 
identify the areas where the work conducted under FISMA does not meet 
the requirements of OMB Circular No. A-123 and, considering the 
findings and recommendations of our work on IRS's information security, 
expand FISMA procedures or perform additional procedures as part of the 
A-123 reviews to augment FISMA work. (short-term) 

ID no.: 07-25; 
Recommendations: Revise A-123 test plans to include appropriate 
consideration of the design of internal controls in addition to 
implementation of controls over individual transactions. (short-term) 

ID no.: 07-27; 
Recommendations: Begin devising appropriate A-123 follow-up procedures 
for the last 3 months of the fiscal year to be implemented once the 
material weaknesses identified through the annual financial statement 
audits have been resolved. (short-term) 

ID no.: 08-04; 
Recommendations: To address the inconsistency in assigning the 
effective date of an accuracy-related penalty, modify the Business 
Master File computer program so that the date of the deficiency 
assessment is used as the effective date of any associated accuracy-
related penalty. (long-term) 

ID no.: 08-08; 
Recommendations: Establish a process to periodically update and 
communicate the specific required reviews for all off-site TAC 
managers. (short-term) 

ID no.: 08-14; 
Recommendations: Revise the IRM to include a requirement that IRS 
conduct periodic, unannounced inspections at off-site contractor 
facilities entrusted with sensitive IRS information; document the 
results, including identification of any security issues; and verify 
that the contractor has taken appropriate corrective actions on any 
security issues observed. (short-term) 

ID no.: 09-02; 
Recommendations: Add specific requirements to the IRM to require that 
manual refund units assign back up staff to perform manual refund 
monitoring activities whenever a manual refund initiator is absent for 
an extended period of time. (short-term) 

ID no.: 09-05; 
Recommendations: Establish procedures to track and routinely report the 
total dollar amounts and volumes of receipts collected by individual 
TAC location, group, territory, area, and nationwide. (long-term) 

ID no.: 09-11; 
Recommendations: Revise the IRM section related to the limited use of 
expired appropriations to provide additional guidance to help employees 
distinguish between procurement actions that constitute new obligations 
and those that merely adjust or liquidate prior obligations that the 
IRS incurred during an expired appropriation's original period of 
availability. (short-term) 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Establishment and Review of Performance Measures and Indicators: 

Internal control standard: Activities need to be established to monitor 
performance measures and indicators. These controls could call for 
comparisons and assessments relating different sets of data to one 
another so that analyses of the relationships can be made and 
appropriate actions taken. Controls should also be aimed at validating 
the propriety and integrity of both organizational and individual 
performance measures and indicators. 

IRS's operations include a vast array of activities encompassing 
educating taxpayers, processing of taxpayer receipts and data, 
disbursing hundreds of billions of dollars in refunds to millions of 
taxpayers, maintaining extensive information on tens of millions of 
taxpayers, and seeking collection from individuals and businesses that 
fail to comply with the nation's tax laws. Within its compliance 
function, IRS has numerous activities, including identifying businesses 
and individuals that underreport income, collecting from taxpayers who 
do not pay taxes, and collecting from those receiving refunds for which 
they are not eligible. Although IRS has at its peak over 100,000 
employees, it still faces resource constraints in attempting to fulfill 
its duties. It is vitally important for IRS to have sound performance 
measures to assist it in assessing its performance and targeting its 
resources to maximize the government's return on investment. 

However, in past audits we have reported that IRS did not capture costs 
at the program or activity level to assist in developing cost-based 
performance measures for its various programs and activities. As a 
result, IRS is unable to measure the costs and benefits of its various 
collection and enforcement efforts to best target its available 
resources. 

The following short-term and two long-term recommendations are designed 
to assist IRS in (1) evaluating its operations, (2) determining which 
activities are the most beneficial, and (3) establishing a good system 
for oversight. (See table 10.) These recommendations call for IRS to 
measure, track, and evaluate the costs, benefits, or outcomes of its 
operations--particularly with regard to identifying its most cost- 
effective tax collection activities. 

Table 10: Recommendations to Improve IRS's Establishment and Review of 
Performance Measures and Indicators: 

ID no.: 09-14; 
Recommendations: Establish a formal, documented process for identifying 
over time the full range of IRS's programs and underlying activities, 
outputs, and services for which IRS believes full cost information 
would be useful to executives and program managers. Such a process 
should (1) be formally established and documented through policies, 
procedures, guidance, meeting minutes, and other appropriate means; (2) 
define the roles and responsibilities of the CFO and other business 
units in the process; and (3) be focused on the goal of determining 
what cost information would be useful and the most appropriate means of 
developing and reporting it for both existing programs and new programs 
as they are initiated. (short-term) 

ID no.: 09-15; 
Recommendations: For each of the IRS programs, activities, outputs, and 
services identified for which full cost information would be useful to 
IRS executives and program managers, complete the development of full 
cost methodologies to routinely accumulate and report on their full 
costs, including down to the activity level where appropriate. Such 
full cost data should be readily accessible to IRS program managers 
whenever they are needed and should include both personnel costs based 
on time spent on specific activities as well as all associated non-
personnel costs and be drawn from or reconcilable to IRS's financial 
accounting system. (long-term) 

ID no.: 09-16; 
Recommendations: Develop outcome-oriented performance measures and 
related performance goals for IRS's enforcement programs and activities 
that include measures of the full cost of, and the revenue collected 
from, those programs and activities (return on investment) to assist 
IRS's managers in optimizing resource allocation decisions and 
evaluating the effectiveness of their activities. (long-term) 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Management of Human Capital: 

Internal control standard: Effective management of an organization's 
workforce--its human capital--is essential to achieving results and an 
important part of internal control. Management should view human 
capital as an asset rather than a cost. Only when the right personnel 
for the job are on board and are provided the right training, tools, 
structure, incentives, and responsibilities is operational success 
possible. Management should ensure that skill needs are continually 
assessed and that the organization is able to obtain a workforce that 
has the required skills that match those necessary to achieve 
organizational goals. Training should be aimed at developing and 
retaining employee skill levels to meet changing organizational needs. 
Qualified and continuous supervision should be provided to ensure that 
internal control objectives are achieved. Performance evaluation and 
feedback, supplemented by an effective reward system, should be 
designed to help employees understand the connection between their 
performance and the organization's success. As a part of its human 
capital planning, management should also consider how best to retain 
valuable employees, plan for their eventual succession, and ensure 
continuity of needed skills and abilities. 

IRS's operations cover a wide range of technical competencies with 
specific expertise needed in tax-related matters; financial management; 
and systems design, development, and maintenance. Because IRS has tens 
of thousands of employees spread throughout the country, it is 
imperative that management keeps its guidance up-to-date and its staff 
properly trained. 

Putting the following two short-term recommendations into effect would 
assist IRS in its management of human capital. (See table 11.) 

Table 11: Recommendations to Improve IRS's Management of Human Capital: 

ID no.: 07-08; 
Recommendations: Require that managers or supervisors provide the 
manual refund initiators in their units with training on the most 
current requirements to help ensure that they fulfill their 
responsibilities to monitor manual refunds and document their 
monitoring actions to prevent the issuance of duplicate refunds. (short-
term) 

ID no.: 08-03; 
Recommendations: Document and implement specific detailed procedures 
for reviewers to follow in their review of unpaid assessments 
statistical estimates. Specifically, IRS should require that a detailed 
supervisory review be performed to ensure: (1) the statistical validity 
of the sampling plans, (2) data entered into the sample selection 
programs agree with the sampling plans, (3) data entered into the 
statistical projection programs agree with IRS's sample review results, 
(4) data on the spreadsheets used to compile the interim projections 
and roll-forward results trace back to supporting statistical 
projection results, and (5) the calculations on these spreadsheets are 
mathematically correct. (short-term) 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Open Recommendations Arranged by Related Material Weakness, Significant 
Deficiency, Compliance Issue, or Other Control Issue: 

For several years, we have reported material weaknesses, significant 
deficiencies, noncompliance with laws and regulations, and other 
control issues in our annual financial statement audits and related 
management reports.[Footnote 17] To assist IRS in addressing those 
control issues, appendix II provides summary information regarding the 
primary issue to which each open recommendation is related. To compile 
this summary, we analyzed the nature of the open recommendations to 
relate them to the material weaknesses, significant deficiency, 
compliance issue, and other control issues not associated with a 
material weakness or significant deficiency identified as part of our 
financial statement audit. 

Concluding Observations: 

Increased budgetary pressures and an increased public awareness of the 
importance of internal control require IRS to carry out its mission 
more efficiently and more effectively while protecting taxpayers' 
information. 

Sound financial management and effective internal controls are 
essential if IRS is to efficiently and effectively achieve its goals. 
IRS has made substantial progress in improving its financial management 
since its first financial audit, as evidenced by unqualified audit 
opinions on its financial statements for the past 9 years, resolution 
of several material internal control weaknesses and significant 
deficiencies, and actions taken resulting in the closure of hundreds of 
financial management recommendations. This progress has been the result 
of hard work by many individuals throughout IRS and sustained 
commitment of IRS leadership. Nonetheless, more needs to be done to 
fully address the agency's continuing financial management challenges. 
Further efforts are needed to address the internal control deficiencies 
that continue to exist. Effective implementation of the recommendations 
we have made and continue to make through our financial audits and 
related work could greatly assist IRS in improving its internal 
controls and achieving sound financial management. While we recognize 
that some actions--primarily those related to modernizing automated 
systems--will take a number of years to resolve, most of the open 
recommendations can be addressed in the short term. 

Agency Comments and Our Evaluation: 

In commenting on a draft of this report, IRS expressed its appreciation 
for our acknowledgment of the agency's progress in addressing its 
financial management changes as evidenced by our closure of 35 open 
financial management recommendations from prior GAO reports. IRS also 
commented that it is committed to implementing appropriate improvements 
to ensure that it maintains sound financial management practices. We 
will review the effectiveness of further corrective actions IRS has 
taken or will take to address all open recommendations as part of our 
audit of IRS's fiscal year 2009 financial statements. 

We are sending copies of this report to the Chairmen and Ranking 
Members of the Senate Committee on Appropriations; Senate Committee on 
Finance; Senate Committee on Homeland Security and Governmental 
Affairs; and Subcommittee on Taxation, IRS Oversight and Long-Term 
Growth, Senate Committee on Finance. We are also sending copies to the 
Chairmen and Ranking Members of the House Committee on Appropriations; 
House Committee on Ways and Means; the Chairman and Vice Chairman of 
the Joint Committee on Taxation; the Secretary of the Treasury; the 
Director of OMB; the Chairman of the IRS Oversight Board; and other 
interested parties. The report is also available at no charge on the 
GAO Web site at [hyperlink, http://www.gao.gov]. 

If you or your staffs have any questions concerning this report, please 
contact me at (202) 512-3406 or sebastians@gao.gov. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this report. GAO staff who made major contributions 
to this report are listed in appendix IV. 

Sincerely yours, 

Signed by: 

Steven J. Sebastian: 
Director: 
Financial Management and Assurance: 

[End of section] 

Appendix I: Status of GAO Recommendations from Internal Revenue Service 
Financial Audits and Related Management Reports: 

This appendix presents a list of (1) the 81 recommendations that we had 
not previously reported as closed, (2) Internal Revenue Service (IRS) 
reported corrective actions taken or planned as of April 2009, and (3) 
our analysis of whether the issues that gave rise to the 
recommendations have been effectively addressed. It also includes 
recommendations based on our fiscal year 2008 financial statement 
audit. The appendix lists the recommendations by the date on which the 
recommendation was made and by report number. 

ID no.: 94-02; 
Recommendation: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts, and 
test the effectiveness of these actions (short-term); 
Source report: Financial Management: Important IRS Revenue Information 
Is Unavailable or Unreliable (GAO/AIMD-94-22, Dec. 21, 1993); 
Status per IRS: Open. The Deputy Commissioner, Services and Enforcement 
issued a memorandum in July 2008 emphasizing the need to use training 
modules and on-site assistance from the Servicewide Interest Program to 
ensure accurate calculations. Interest-related training was provided to 
personnel by January 2009, and additional guidance will be issued to 
Collection field personnel. SB/SE updated Internal Revenue Manual 
provisions and made upgrades to the commercial software program 
utilized to compute manual interest. SB/SE is developing a random 
sampling process to be completed by October 2009 to measure the 
accuracy of interest computations; 
Status per GAO: Open. During our fiscal year 2006 audit, we tested a 
statistical sample of manual interest transactions and estimated that 
18 percent of IRS's manual interest population contains errors. We 
concluded that IRS controls over this area was still ineffective. The 
ineffectiveness of these controls contributes to errors in taxpayer 
records, which is a major component of the material weakness in IRS's 
management of unpaid assessments. While IRS has undertaken several 
actions to strengthen controls over this area, such as updating 
guidance and providing training related to manual interest 
calculations, it has yet to develop a sampling methodology to monitor 
the accuracy of its manual interest computation and assess the 
effectiveness of its corrective actions. Consequently, we did not test 
IRS controls in this area as part of our fiscal year 2008 audit, as 
both we and IRS believed that the actions taken by IRS thus far would 
not improve the accuracy of the manual interest calculations. We will 
continue to monitor IRS's actions to address this recommendation during 
future audits. 

ID no.: 99-01; 
Recommendation: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure that all accounts 
related to a single assessment are appropriately credited for payments 
received (short-term); 
Source report: Internal Revenue Service: Immediate and Long-Term 
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 
30, 1998); 
Status per IRS: Open. Small Business/Self-Employed (SB/SE) continues to 
request programming changes to increase Automated Trust Fund Recovery 
systemic processing to reduce the number of accounts requiring manual 
intervention. IRS reviews Trust Fund Recovery Penalty (TFRP) 
transactions to ensure accurate and timely recording, including 
Performance Assurance System reviews by a daily random selection of 
closed cases, management reviews of a random selection of both closed 
and open casework, and Headquarters Operational Reviews. In addition to 
the above reviews, Campus Compliance Services is exploring the 
development and implementation of a statistically valid sampling plan 
to monitor the accuracy and timeliness of the cross-referencing of 
payments and credits to TFRP accounts. The frequency and process for 
performing these internal reviews will be considered during 
development; 
Status per GAO: Open. IRS has made significant progress in this area 
over the past several years. For example, IRS established procedures to 
more clearly link each penalty assessment against a responsible 
corporate officer to a specific tax period of the business account and 
began phasing in the use of the Automated Trust Fund Recovery system 
intended to properly cross-reference payments received. IRS also 
enhanced the Automated Trust Fund Recovery system in fiscal year 2008 
to begin automatically reducing the amounts owed on all related 
accounts when a payment is received from one related party. However, 
the system is currently unable to process all payments related to such 
cases. Consequently, IRS must continue to manually reduce the account 
balance on related accounts for some payments. Thus, the opportunity 
for errors and omissions continues to exist. Our most recent test 
indicates that IRS's controls in this area are still not effective in 
ensuring that all TFRP payments are correctly credited to all related 
parties in a timely manner. We will continue to monitor IRS's actions 
to address this recommendation during future audits. 

ID no.: 99-03; 
Recommendation: Ensure that IRS's modernization blueprint includes 
developing a subsidiary ledger to accurately and promptly identify, 
classify, track, and report all IRS unpaid assessments by amount and 
taxpayer. This subsidiary ledger must also have the capability to 
distinguish unpaid assessments by category in order to identify those 
assessments that represent taxes receivable versus compliance 
assessments and write-offs. In cases involving trust fund recovery 
penalties, the subsidiary ledger should ensure that (1) the trust fund 
recovery penalty assessment is appropriately tracked for all taxpayers 
liable but counted only once for reporting purposes and (2) all 
payments made are properly credited to the accounts of all individuals 
assessed for the liability (short-term); 
Source report: Internal Revenue Service: Immediate and Long-Term 
Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 
30, 1998); 
Status per IRS: Open. IRS is developing the Custodial Detailed Data 
Base (CDDB), which it believes will ultimately address many of the 
outstanding financial management recommendations. IRS implemented the 
first phase of the CDDB during fiscal year 2006. In fiscal year 2008, 
IRS enhanced CDDB to record unpaid assessments, including accrued 
penalties and interest in the general ledger by the various financial 
reporting categories. The Chief Financial Officer's (CFO) office 
continues to ensure the accuracy of the TFRP cross-referencing using 
weekly CDDB reports. The CFO provides SB/SE with identified errors so 
SB/SE can correct the taxpayers account and CDDB can correctly classify 
the transactions. CDDB is now classifying approximately 80 percent of 
the TFRP inventory where TFRP assessments are appropriately tracked for 
all taxpayers liable but counted only once for reporting purposes; 
Status per GAO: Open. During fiscal year 2008, IRS enhanced CDDB to 
begin regularly recording unpaid assessments, including accrued 
penalties and interest, from its master files to its general ledger by 
the various financial reporting categories (taxes receivable, 
compliance assessments, and write-offs). These enhancements established 
CDDB's capability to function as a subsidiary ledger for unpaid tax 
debt. However, due to inherent limitations in CDDB programs for 
classifying unpaid assessments into the correct financial reporting 
categories and inaccuracies in taxpayer records, IRS is still unable to 
use CDDB as its subsidiary ledger for external reporting of its unpaid 
assessments, and must continue to use a labor-intensive, manual 
compensating process to estimate the year-end balances of the various 
categories of unpaid tax assessments to avoid material misstatements to 
its financial statements. Specifically, IRS had to make over $28 
billion in adjustments to the fiscal year-end 2008 gross taxes 
receivable balance produced by CDDB as part of its manual estimation 
process for financial reporting. Full operational capability of CDDB 
depends on the successful implementation of future system releases 
planned through 2009 and the ability of these releases to address 
current limitations in accurately classifying all of IRS's unpaid 
assessments. The lack of a fully functioning subsidiary ledger capable 
of producing accurate, useful, and timely information with which to 
manage and report externally is a major component of the material 
weakness in IRS's management of unpaid assessments. We will continue to 
monitor IRS's development of CDDB during our fiscal year 2009 and 
future audits. 

ID no.: 99-20; 
Recommendation: Analyze and determine the factors causing delays in 
processing and posting TFRP assessments. Once these factors have been 
determined, IRS should develop procedures to reduce the impact of these 
factors and to ensure timely posting to all applicable accounts and 
proper offsetting of refunds against unpaid assessments before issuance 
(long-term); 
Source report: Internal Revenue Service: Custodial Financial Management 
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); 
Status per IRS: Open. SB/SE completed the Control Point Monitor (CPM) 
pilot in May 2008 and prepared a CPM manual. The CPM serves as a 
conduit from the Area Office to the Campus for assessment. The CPM 
manual establishes specific timeframes in which the CPM must 
process/complete required TFRP actions. Implementation of the manual is 
currently being negotiated with the National Treasury Employees Union 
to address impact and implementation issues resulting from the changes 
to the CPM process. SB/SE has created a suite of managerial reports to 
provide oversight of the TFRP process. SB/SE continues to submit Work 
Requests and Information Technology Assets Management System tickets to 
enhance the assessment process to provide greater efficiencies in the 
processing and posting of TFRP assessments; 
Status per GAO: Open. During our fiscal year 2008 audit, we continued 
to identify long delays in processing and posting TFRP assessments. 
Although IRS has developed a draft of the CPM manual to provide better 
guidance for the timely processing of TFRP assessments, the manual is 
currently undergoing internal reviews and awaiting final approval for 
official use. We will continue to monitor IRS's actions to address this 
recommendation during our fiscal year 2009 audit. 

ID no.: 99-22; 
Recommendation: Expand IRS's current review of campus deterrent 
controls to include similar analyses of controls at IRS field offices 
in areas such as courier security, safeguarding of receipts in locked 
containers, requirements for fingerprinting employees, and requirements 
for promptly overstamping checks made out to "IRS" with "Internal 
Revenue Service" or "United States Treasury." Based on the results, IRS 
should make appropriate changes to strengthen its physical security 
controls (short-term); 
Source report: Internal Revenue Service: Custodial Financial Management 
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); 
Status per IRS: Closed. All IRS field offices continue to provide 
training and to perform reviews to strengthen controls over 
remittances. SB/SE conducts reviews with each territory manager. 
Headquarters staff ensures Territory managers are enforcing the 
requirement for group managers to randomly sample remittance packages 
for review. Each area director receives a report with any findings and 
recommendations for implementation. All Tax Exempt and Government 
Entities (TE/GE) Division Directors continue to perform operational 
reviews to ensure their subordinate groups are properly processing all 
checks. TE/GE provides training and notices on these procedures. During 
fiscal year 2008, all managers certified in their 2008 Annual Assurance 
Review that vulnerable assets, such as cash, securities, and equipment, 
are physically secured and access to them is controlled. TE/GE will 
also implement by September 2009 requirements to verify that control 
procedures are in place during operational reviews, and include 
information on proper check handling procedures during training for new 
hires and Revenue Agents. Large and Mid-sized Business (LMSB) has 
incorporated instructions on the use of the U.S. Treasury Stamp in 
training given to new hires as part of their on the job training and 
periodically in group meetings. The use of the U.S. Treasury Stamp has 
also been incorporated into the Internal Revenue Manual (IRM) and is 
part of IRS's standard operating procedure used for processing 
payments; 
Status per GAO: Open. The objective of this recommendation was to 
create a mechanism for IRS to monitor the status of pervasive 
weaknesses in controls over taxpayer receipts and information that we 
have found at IRS's field offices over the years. The purpose of this 
monitoring is to facilitate the timely detection and effective 
resolution of issues and to verify the effectiveness of new and 
existing policies and procedures on an ongoing basis. During our fiscal 
year 2008 audit, we identified instances at (1) four SB/SE units where 
there was no segregation of duties between preparation of the payment 
posting vouchers and subsequent preparation of the related document 
transmittals and transmittal package; (2) four SB/SE units where a 
document transmittal form was not prepared when transmitting multiple 
Daily Report of Collection Activity forms to the Submission Processing 
(SP) Center; (3) three SB/SE units where there was no system in place 
to monitor acknowledged/unacknowledged transmittals to the submission 
processing center; (4) five SB/SE units where there was no evidence of 
managerial review of document transmittals; and (5) all 10 field 
offices where there were no procedures in place to verify that names on 
the duress alarm contact list were current and that appropriate first 
responders were contacted in the event of an emergency. Had IRS 
periodically reviewed the effectiveness of these controls in field 
offices as we recommended, these issues might have been detected and 
corrected. We will continue to assess IRS's actions during our fiscal 
year 2009 audit. 

ID no.: 99-25; 
Recommendation: Ensure that additional staff are employed or existing 
staff appropriately cross-trained to be able to perform the master file 
extractions and other ad hoc procedures needed for IRS to continually 
develop reliable balances for financial reporting purposes (short-
term); 
Source report: Internal Revenue Service: Custodial Financial Management 
Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); 
Status per IRS: Closed. IRS augmented its Modernization & Information 
Technology Services staff, and cross-trained employees to increase the 
appropriate depth of experience to perform the master file extractions 
and other ad hoc procedures for financial reporting purposes. 
Modernization & Information Technology Services reduced the Assembler 
Language Code programmer shortages and increased contractor support by 
17 percent. IRS also continues to expand the use of CDDB during the 
annual audit, and the addition of trained Modernization & Information 
Technology Services and contractor staff ensures development of 
reliable balances for financial reporting purposes on a continuing 
basis; 
Status per GAO: Closed. IRS hired additional staff in the Custodial 
Accounting Branch, which has responsibility for the custodial financial 
statements. Also, employees were cross-trained and current systems 
expanded to better support the financial reporting of revenue, refunds, 
and unpaid assessments. In addition, IRS reduced its shortage of 
assembly language programmers by holding training classes for 
employees. 

ID no.: 99-29; 
Recommendation: Develop the data to support meaningful cost information 
categories and cost-based performance measures (long-term); 
Source report: Internal Revenue Service: Serious Weaknesses Impact 
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 
1999); 
Status per IRS: Closed. IRS developed a cost accounting policy that 
provides guidance on managerial cost concepts for the agency, 
established an Office of Cost Accounting within the CFO, and completed 
several cost pilot projects to demonstrate the viability of its full 
cost methodology at the program level. Performance measures were 
enhanced, and the return on investment for the Earned Income Tax Credit 
program was completed with full cost information. As demonstrated by 
the cost pilots, IRS has the capability to use the cost data within the 
Integrated Financial System (IFS) and the associated workload and 
production data from IFS and its business unit systems to calculate the 
full costs of its products, services, and programs. The IFS contains 4 
years of fully allocated cost data; 
Status per GAO: Closed. IRS has taken several actions to address this 
recommendation and improve its cost accounting capability. For example, 
in fiscal year 2007, IRS developed and issued its first cost accounting 
policy to provide guidance on the concepts and requirements for 
managerial cost accounting within IRS. In addition, in fiscal year 
2008, IRS (1) established an Office of Cost Accounting within its CFO, 
(2) completed several cost pilots to demonstrate its capability to use 
the cost data within IFS and the associated workload and production 
data from its business unit systems to calculate the full costs of its 
products, services, and programs, and (3) completed development of the 
return on investment for the Earned Income Tax Credit program that 
includes full cost information. However, IRS has not extended the cost 
pilot methodology to develop full cost information on the full range of 
IRS's programs. Nevertheless, in order to provide recommendations more 
closely aligned with the current status, we have agreed with IRS to 
close this recommendation based on IRS's progress to date and have 
reported the remaining issues, along with related recommendations for 
corrective action, in our June 2009 management report. See GAO-09-513R 
and recommendations 09-14 and 09-15 in this report. 

ID no.: 99-36; 
Recommendation: Make enhancements to IRS financial systems to include 
recording plant and equipment (P&E) and capital leases as assets when 
purchased and to generate detailed records for P&E that reconcile to 
the financial records. (long-term); 
Source report: Internal Revenue Service: Serious Weaknesses Impact 
Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 
1999); 
Status per IRS: Open. IRS has established strong internal controls and 
procedures to enhance its ability to account for property and equipment 
in IFS. IRS is looking at enhancing its asset-tracking system to more 
closely reconcile physical asset records to the financial records. This 
would enable targeted reconciliations to occur; 
Status per GAO: Open. Our fiscal year 2008 property and equipment 
valuation testing revealed problems with the linking of the purchase of 
assets recorded in the general ledger system to the P&E inventory 
system, which indicates that IRS's detailed P&E records do not fully 
reconcile to the financial records. We will continue to monitor IRS's 
strategy in addressing these financial management systems issues. 

ID no.: 01-04; 
Recommendation: As an alternative to prematurely suspending active 
collection efforts, and using the best available information, develop 
reliable cost-benefit data relating to collection efforts for cases 
with some collection potential. These cost-benefit data would include 
the full cost associated with the increased collection activity (i.e., 
salaries, benefits, administrative support), as well as the expected 
additional tax collections generated (Short-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Status per IRS: Closed. IRS is using a workload delivery model in the 
development and monitoring of an Enterprise Collection Plan that aligns 
performance measures across all collection organizations to match 
results against the corporate measures. Results of the model are used 
to project inventory receipt patterns by function and category of work, 
allowing for improved management of corporate collection inventory and 
resource allocation. New models were implemented in the Inventory 
Delivery System on January 12, 2009. The use of a rules engine has also 
been incorporated in the Inventory Delivery System to systemically make 
changes to case routing based on modeling predictions and rules. 
Collection Case Selection continues to provide ad hoc case assignments 
for testing case routing. Cases are selected based on a set of criteria 
and routed to different treatments to determine where like cases should 
be routed in the future. The CFO also included return on investment 
calculations for its collection initiatives in the 2007, 2008, and 2009 
Budget Submissions; 
Status per GAO: Closed. IRS has taken significant steps to address this 
recommendation. IRS built sophisticated computer modeling and risk 
assessment techniques with increased predictive power to improve IRS's 
ability to route unpaid tax cases to the appropriate enforcement 
resource. IRS estimated that those changes have resulted in several 
billion dollars in additional tax collections. IRS has also established 
governance councils for IRS's examination and collection activities. 
Finally, IRS has completed several actions to improve its ability to 
develop full cost information for its enforcement programs. Although 
IRS's actions taken to date are important, they have not fully 
addressed the objectives of our recommendation, such as completing the 
development of full cost methodologies for IRS's programs and 
activities. In order to provide recommendations more closely aligned 
with the current status, we have agreed with IRS to close this 
recommendation based on IRS's progress to date and have reported the 
remaining issues, along with related recommendations for corrective 
action, in our June 2009 management report. See GAO-09-513R and 
recommendations 09-14, 09-15, and 09-16 in this report. 

ID no.: 01-06; 
Recommendation: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues (short-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Status per IRS: Open. IRS continues to address issues that cause late 
lien releases through an internal Lien Release Action Plan and by 
conducting reviews as a part of its A-123 controls assessment process. 
Based on the annual sample of lien releases, the results of seven 
errors (liens released in an untimely manner) in 59 observations, yield 
a net most likely error of 12 percent, and (at greater than 95 percent 
confidence level), an upper error limit that could be as high as 21 
percent. IRS added corrective actions to address issues found during 
the review. SB/SE is re-evaluating the fiscal years 2009 and 2010 
overall lien release error rate goals and will submit changes to the 
Lien Release Action Plan; 
Status per GAO: Open. IRS has taken a number of actions over the past 
several years to address this issue. However, during our fiscal year 
2008 audit, we continued to find that IRS did not always release liens 
in a timely manner. In IRS's own Office of Management and Budget (OMB) 
A-123 testing of lien releases, it identified 7 instances out of 59 
cases tested in which it did not release the applicable federal tax 
lien within the statutory 30-day period. The time between the 
satisfaction of the liability and release of the lien ranged from 33 
days to more than 494 days. Based on these results, IRS estimated that 
for about 12 percent of unpaid tax assessment cases that were resolved 
in fiscal year 2008, in which it had filed a tax lien, it did not 
release the lien within 30 days of the resolution of the case. IRS is 
95 percent confident that the percentage of cases in which the lien was 
not released within 30 days does not exceed 21 percent. IRS's 
ineffective controls over this area results in its noncompliance with 
Internal Revenue Code Section 6325 which requires IRS to release its 
tax liens within 30 days of the date the related tax liability is fully 
satisfied. We will continue to monitor IRS's actions to address this 
recommendation in future audits. 

ID no.: 01-12; 
Recommendation: For (1) IRS's Automated Underreporter and Combined 
Annual Wage Reporting programs, (2) screening and examination of Earned 
Income Tax Credit claims, and (3) identifying and collecting previously 
disbursed improper refunds, use the best available information to 
develop reliable cost-benefit data to estimate the tax revenue 
collected by, and the amount of improper refunds returned to, IRS for 
each dollar spent pursuing these outstanding amounts. These data would 
include (1) an estimate of the full cost incurred by IRS in performing 
each of these efforts, including the salaries and benefits of all staff 
involved, as well as any related nonpersonnel costs, such as supplies 
and utilities, and (2) the actual amount (a) collected on tax amounts 
assessed and (b) recovered on improper refunds disbursed (long-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Status per IRS: Closed. IRS has taken steps to examine Earned Income 
Tax Credit claims, and to address the collection of Automated 
Underreporter and Combined Annual Wage Reporting as part of the 
workload delivery model. IRS updated the Earned Income Tax Credit error 
estimates and identified root causes of non-compliance. Additionally, 
in fiscal year 2008, IRS calculated a full-cost return on investment 
for Earned Income Tax Credit and completed an Automated Underreporter 
cost accounting pilot using IFS cost data. This pilot calculated the 
return on investment of Automated Underreporter case closures, which 
represented those cases that were closed after a notice was sent to the 
taxpayer. IRS established Exam and Collection governance bodies to 
improve collection efforts and implemented a modeling tool to better 
target collection efforts; 
Status per GAO: Closed. IRS has taken significant steps to address this 
recommendation, including those listed in the "status per IRS" column. 
IRS's cost pilot projects completed in fiscal year 2008, demonstrated 
IRS's ability to determine the full cost of its programs. Although 
IRS's actions taken to date are important, they have not fully 
addressed the objectives of our recommendation. For example, IRS's cost 
pilot project methodology is time-consuming and requires intensive 
manual intervention, and IRS has not completed the task of developing 
methodologies for its programs and activities. In order to provide 
recommendations more closely aligned with the current status, we have 
agreed with IRS to close this recommendation based on IRS's progress to 
date and have reported the remaining issues, along with related 
recommendations for corrective action, in our June 2009 management 
report. See GAO-09-513R and recommendations 09-14, 09-15, and 09-16 in 
this report. 

ID no.: 01-17; 
Recommendation: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur (long-term); 
Source report: Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management (GAO-01-42, Nov. 17, 2000); 
Status per IRS: Open. IRS will continue to pursue alternative 
approaches to enhance its ability to account for leasehold 
improvements; 
Status per GAO: Open. We will continue to monitor IRS's development of 
alternative approaches to enhance its ability to account for P&E 
assets. 

ID no.: 01-39; 
Recommendation: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities (long-term); 
Source report: Management Letter: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-01-880R, July 30, 
2001); 
Status per IRS: Closed. The IRS is tracking and reporting the actual 
costs associated with reimbursable agreements through various business 
unit work load management tracking systems and IFS. The IRS 
Reimbursable Operating Guidelines established the procedures and 
processes for capturing direct and indirect costs associated with 
reimbursable agreements; 
Status per GAO: Open. IRS has improved its methodology for allocating 
its costs of operations at the business unit level. However, further 
actions are needed for it to accumulate and report actual costs 
associated with specific reimbursable projects. We confirmed that IRS's 
workload management tracking systems now capture details of time 
worked; however, these systems do not capture the full costs associated 
with specific reimbursable projects and do not interface with the 
general ledger (IFS) to capture all costs. We also noted that the 
fiscal year 2008 Reimbursable Operating Guidelines provide detail on 
determining the costs that should be included in the cost projection 
for a reimbursable agreement. However, the guidelines do not describe a 
process for determining the total actual costs incurred at the end of 
the agreement term, determining the difference between actuals and the 
original cost estimate, and refunding or billing for the difference. We 
will continue to monitor IRS's efforts to fully implement its cost 
accounting system and, once it has been fully implemented, evaluate the 
effectiveness of IRS's procedures for developing cost information for 
its reimbursable agreements. 

ID no.: 02-08; 
Recommendation: Implement policies and procedures to require that all 
employees itemize on their time cards the time spent on specific 
projects. (long-term); 
Source report: Internal Revenue Service: Progress Made, but Further 
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 
2001); 
Status per IRS: Closed. Employees itemize how their time is spent on 
specific projects/tasks in various workload management systems, and 
this information is utilized in the development of cost information 
which is used in resource allocation decisions; 
Status per GAO: Closed. IRS has taken action to address our 
recommendation. We confirmed that IRS currently uses 24 separate 
functional tracking (workload management) systems for various 
categories of employees to itemize and track their time charges. 
Collectively, these systems now capture details of time worked by 
project for all employees. 

ID no.: 02-09; 
Recommendation: Implement policies and procedures to allocate 
nonpersonnel costs to programs and activities on a routine basis 
throughout the year (long-term); 
Source report: Internal Revenue Service: Progress Made, but Further 
Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 
2001); 
Status per IRS: Closed. IFS allocates nonpersonnel costs to programs 
monthly and makes available cost data to managers, including the full 
cost of operating business units, and details on the allocated costs 
(i.e., building rent, depreciation, support costs, etc.). All business 
units can run cost reports as needed; 
Status per GAO: Closed. IRS has taken actions to address this 
recommendation. We confirmed that IRS has improved its cost accounting 
capabilities by developing and implementing a methodology for 
allocating its costs of operations to its business units and to the 
cost categories on the Statement of Net Cost on a monthly basis. 
However, the cost categories on the Statement of Net Cost are at a 
higher level than specific programs and activities. Although IRS has 
developed full cost information on several IRS programs, IRS has not 
developed such information on the full range of IRS programs. However, 
in order to provide recommendations more closely aligned with the 
current status, we have agreed with IRS to close this recommendation 
based on IRS's progress to date and have reported the remaining issues, 
along with related recommendations for corrective action, in our June 
2009 management report. See GAO-09-513R and recommendations 09-14 and 
09-15 in this report. 

ID no.: 02-16; 
Recommendation: Ensure that field office management complies with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments (short-
term); 
Source report: Management Report: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 
2002); 
Status per IRS: Closed. Wage and Investment (W&I) has taken a number of 
actions to address this recommendation. Field Assistance emphasizes the 
requirement for including a document transmittal form listing the Daily 
Report of Collection Activity forms in transmittal packages, and 
ensuring that they are reconciled and reviewed. Territory managers 
review and discuss monthly reports with the group manager. Results of 
the reviews are forwarded to the area director. Operational reviews at 
all levels are conducted annually to ensure that field offices comply 
with the requirement to prepare Form 3210, which lists all Forms 795 
being shipped to the SP Center. W&I completed its annual Filing Season 
Readiness Workshop for all taxpayer assistance center (TAC) managers, 
which addressed remittance and data security. New managers will attend 
the "Managing a TAC" course during fiscal year 2009, which provides 
ongoing training on payment processing and managerial reviews. 
Operational reviews completed for fiscal year 2008 revealed that the 
TAC managers are validating employee profiles to ensure restricted 
command codes were used according to guidelines; 
Status per GAO: Open. While IRS has cited that it is taking a number of 
actions to ensure existing receipt control policy requirements for 
segregation of duties are followed, one of the main mechanisms it uses 
to enforce this policy is training. IRS conducts an annual Filing 
Season Readiness Workshop for TAC managers and provides training for 
new TAC managers on collecting taxpayer receipts and conducting 
managerial reviews. During our review of the handouts provided for the 
annual readiness workshop we noted several sections that discussed 
IRS's policies related to segregation of duties. In contrast, we found 
that the "Managing a TAC" course for new TAC managers did not 
specifically address those policies. From our discussions with IRS 
officials, the Filing Season Readiness Workshop is conducted annually 
during the first quarter of the fiscal year. Consequently, new TAC 
managers assigned after the first quarter of the fiscal year will not 
receive the same level of training regarding segregation of duties. In 
addition, during our recent visits to selected TACs in March 2009, we 
found instances where segregation of duties related to accepting and 
recording walk-in payments were not implemented. 

ID no.: 02-18; 
Recommendation: Work with the National Finance Center (NFC) to resolve 
the technical limitations that exist within the Security Entry and 
Tracking System (SETS) database and continue to periodically review 
SETS data to detect and correct errors (short-term); 
Source report: Management Report: Improvements Needed in IRS's 
Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 
2002); 
Status per IRS: Open. Agency-Wide Shared Services (AWSS) Personnel 
Security has taken several short and long term measures to reduce the 
instance of SETS errors. The short-term measures include (1) publishing 
instructions on the Personnel Security intranet site for SETS users to 
follow while reviewing bi-weekly SETS reports, (2) issuing bi-weekly 
emails to all SETS users with the most current reports to be used in 
identifying and reporting errors to NFC, and (3) compiling weekly 
extracts of all enter-on-duty dates where there were no fingerprint 
results or where the results were after the enter-on-duty date and 
sending those to each employment office for updates and feedback. The 
long-term measures included requesting revisions to SETS; 
Status per GAO: Open. During our fiscal year 2008 audit, we continued 
to identify technical limitations and weaknesses with the SETS 
database. In addition, we found 248 instances where SETS was not 
updated in a timely manner or correctly for new-hire employees 
resulting in errors in the database. We will continue to assess IRS's 
actions during our fiscal year 2009 audit. 

ID no.: 04-08; 
Recommendation: Enforce policies and procedures to ensure that service 
center campus security guards respond to alarms (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls and Accounting Procedures (GAO-04-553R, April 26, 2004); 
Status per IRS: Closed. IRS performs monthly unannounced testing of 
guard response to alarms and test results are reviewed by the Security 
Programs Office to enforce and ensure compliance. Test results on guard 
response to alarms are consistently 98 percent or higher, indicating 
substantial compliance with IRS guidelines. Test procedures were 
formalized in IRM 10.2.14 Methods of Providing Protection, issued on 
October 1, 2008. In addition, the Guard Program Specialists from the 
Security Programs Office conduct unannounced alarm tests whenever they 
visit a site to do a Quality Assurance check of security posture and 
programs. Physical Security and Emergency Preparedness (PSEP) continues 
to utilize the Audit Management Checklist as a repeatable process where 
service center campuses (SCC) quarterly validate the performance and 
documentation of monthly unannounced alarm testing; 
Status per GAO: Open. During our fiscal year 2008 audit, we identified 
instances at two of the three SCCs we visited in which security guards 
did not respond to alarms within the time limit outlined in the IRM. In 
addition, at another SCC we visited, we identified an instance in which 
security guards did not fully investigate the source of an alarm. We 
will continue to evaluate IRS's enforcement of these policies and 
procedures during our fiscal year 2009 audit. 

ID no.: 05-11; 
Recommendation: Enforce adherence to existing instructions on 
safeguarding taxpayer receipts and information, such as securing access 
and candling procedures, at service center campuses selected for 
significant reductions in their submission processing functions (short-
term); 
Source report: Management Report: Review of Controls over Safeguarding 
Taxpayer Receipts and Information at the Brookhaven Service Center 
Campus (GAO-05-319R, Mar 10, 2005); 
Status per IRS: Closed. W&I Accounts Management continues to enforce 
the restricted area access through periodic training. Candling 
procedures are reinforced through monthly internal control reviews of 
the process. In January 2008, Accounts Management increased management 
oversight of internal controls by implementing formal monthly internal 
control reviews at the former Submission Processing rampdown sites. A 
revised review template was developed to evaluate the quality of IRS's 
internal control performance, identify potential deficiencies, and 
allow corrective actions to be taken immediately. The monthly results 
from each field director are forwarded to the Director, Accounts 
Management, and GAO. AWSS provides training when notified by W&I that a 
new monitor has been selected or when an existing monitor requires 
refresher training. Each campus badge office provides training to the 
restricted area door monitors as it pertains to the control, issuance, 
and inventory of the non-photo badges that are assigned at each site; 
Status per GAO: Closed. Accounts Management implemented a monthly 
review to monitor internal controls over taxpayer receipts and 
information at campuses selected for reductions in their submission 
processing functions. 

ID no.: 05-13; 
Recommendation: Enforce its existing requirement that appropriate 
background investigations be completed for contractors before they are 
granted staff-like access to service centers (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Closed. The Program, Planning, and Policy Office 
finalized and issued IRM 10.2.5 Identification Card on September 30, 
2008. Section 10.2.5.6.2(2)a specifies that red photo ID cards may be 
issued to IRS contract employees who have a daily need on a continuing 
basis to be on site at a facility over a period of time, and who have 
been granted interim or final staff-like access to a facility/work area 
with sensitive systems or information. Before a red photo ID card may 
be issued, the contracting officer's technical representative must 
provide the Physical Security Office with a copy of the Personnel 
Security & Investigation background investigation letter approving 
interim or final staff-like access. PSEP continues to utilize the Audit 
Management Checklist as a repeatable process where SCCs quarterly 
validate the filing of contractor background investigation 
documentation; 
Status per GAO: Closed. We verified that IRS finalized and issued IRM 
10.2.5 and continues to utilize the Audit Management Checklist to 
ensure that proper documentation is received and on file for 
contractors before they are granted staff-like access to service 
centers. During our fiscal year 2008 audit, we found no exceptions 
relating to SCCs granting contractors staff-like access before 
appropriate background investigations were completed. 

ID no.: 05-14; 
Recommendation: Require that background investigation results for 
contractors (or evidence thereof) be on file where necessary, including 
at contractor worksites and security offices responsible for 
controlling access to sites containing taxpayer receipts and 
information (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Closed. The Program, Planning, and Policy Office 
finalized and issued IRM 10.2.5 Identification Card on September 30, 
2008. IRM 10.2.5.6.2(2)a specifies that the Form 5519, 13716-A or 
similar identification request Form 13760, and the interim or final 
background investigation letter must be retained and filed in the 
identification media file for each contractor for the life of the 
identification card. PSEP continues to utilize the Audit Management 
Checklist as a repeatable process where SCCs quarterly validate the 
filing of contractor background investigation documentation; 
Status per GAO: Closed. We verified that IRS finalized and issued IRM 
10.2.5 and continues to utilize the Audit Management Checklist to 
ensure that proper documentation is received and on file for 
contractors before they are granted staff-like access to service 
centers. During our fiscal year 2008 audit, we found no exceptions. 

ID no.: 05-32; 
Recommendation: Establish policies and procedures to require 
appropriate segregation of duties in small business/self-employed units 
of field offices with respect to preparation of Payment Posting 
Vouchers, Document Transmittal forms, and transmittal packages (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Open. IRS revised IRM 5.1.2.4, Daily Report of 
Collection Activity-Form 795/795A, to establish segregation of duties 
procedures with respect to the preparation of Payment Posting Vouchers, 
Document Transmittal forms, and transmittal packages in the Collection 
Field function; 
Status per GAO: Open. During our fiscal year 2008 audit, we identified 
instances at four SB/SE units we visited where duties involving the 
preparation of payment posting vouchers, document transmittal forms, 
and transmittal packages were not segregated. Employees informed us 
that they were unaware of a related requirement in the IRM. We will 
continue to assess IRS's actions during our fiscal year 2009 audit. 

ID no.: 05-33; 
Recommendation: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Closed. W&I Field Assistance continues to take actions 
to emphasize the requirement for including a document transmittal form 
listing the Daily Report of Collection Activity forms in transmittal 
packages. Operational reviews were conducted at all levels during 
fiscal years 2007 and 2008 to ensure that field offices comply with the 
requirement to prepare Form 3210, which lists all Forms 795 shipped to 
the SP Center. Further, IRM 1.4.11-11 was revised on October 7, 2008, 
to include the purpose, frequency, and documentation required for 
managerial reviews, which includes a review of Form 3210s, and trends 
and error reports. The outcome of the operational reviews revealed that 
managers are complying with the IRM procedures outlined for document 
transmittal; 
Status per GAO: Open. During our fiscal year 2008 audit, we identified 
instances at four SB/SE units where a document transmittal form was not 
prepared when transmitting multiple Daily Report of Collection Activity 
forms to the SP Center. We will continue to evaluate this issue during 
our fiscal year 2009 audit. 

ID no.: 05-37; 
Recommendation: Enforce documentation requirements relating to 
authorizing officials charged with approving manual refunds (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Closed. The IRS enforces documentation requirements 
relating to authorizing officials charged with approving manual 
refunds. IRS created a standard authorization memorandum in September 
2008 for all offices to use. This will negate the disparity among the 
campuses in creating local authorization forms. IRS issued its annual 
solicitation memorandum for authorizing officials charged with 
approving manual refunds in August 2008 and received the annual list of 
authorized signatures by October 31, 2008, per IRM 3.17.79.3.5(4) (d). 
SP completed a sample review as part of the Monthly Security Review 
Checklist per IRM 3.17.79.3.5(3), and completed a 100 percent review of 
the new annual list by December 31, 2008; 
Status per GAO: Open. During our fiscal year 2008 audit, we continued 
to find that the documentation requirements on memorandums, which are 
submitted to the manual refund units listing officials authorized to 
approve manual refunds, were not always complete. For example, some of 
the memorandums did not contain the signatures of the Heads of Office 
that delegated officials the authority to approve manual refunds while 
others did not contain the authorizing official's campus or field 
office organization information as required by the IRM. We verified 
that IRS created a standard authorization memorandum in September 2008. 
However, IRS implemented this corrective action and completed its 
review of the new annual list subsequent to our fiscal year 2008 field 
work. We will evaluate IRS's corrective actions during our fiscal year 
2009 audit. 

ID no.: 05-38; 
Recommendation: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts for manual refunds (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Open. IRS continued to enforce the requirements for 
monitoring accounts and reviewing monitoring of accounts for manual 
refunds in fiscal year 2008. SB/SE Campus Compliance Services covered 
this topic in both Filing & Payment Compliance and Campus Reporting 
Compliance Operations during fiscal year 2008 reviews to ensure 
compliance with all IRM provisions for manual refunds. Submission 
Processing conducted refresher training at all sites by September 30, 
2008, in team meetings and annual continuing professional education 
classroom training using IRM 21.4.4 and 3.17.79 as reference materials 
to reinforce the monitoring requirements. As a result of recent 
findings and quarterly review of the manual refund process in Accounts 
Management, both the monitoring and supervisory review process are 
being examined to identify means for improvement. Once the review is 
complete, consideration will be given to implementing any 
recommendations. Accounts Management continues its quarterly reviews of 
the manual refund process; 
Status per GAO: Open. During our fiscal year 2008 audit, we found 
instances where the manual refund initiators did not monitor accounts 
to prevent duplicate refunds and supervisors did not review the 
monitoring of accounts. IRS's review of the monitoring and supervisory 
review process for manual refunds has not been completed. We will 
continue to evaluate IRS's corrective actions during our fiscal year 
2009 audit. 

ID no.: 05-39; 
Recommendation: Enforce requirements for documenting monitoring actions 
and supervisory review for manual refunds (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-05-247R, Apr 27, 2005); 
Status per IRS: Open. IRS continued to enforce the requirements for 
documenting monitoring actions and supervisory review for manual 
refunds in fiscal year 2008. SB/SE Campus Compliance Services covered 
this topic in both Filing & Payment Compliance and Campus Reporting 
Compliance Operations during their fiscal year 2008 campus reviews to 
ensure all campuses continue to comply with all IRM provisions for 
manual refunds. Submission Processing conducted refresher training at 
all sites by September 30, 2008, in team meetings and annual continuing 
professional education classroom training using IRM 21.4.4 and 3.17.79 
as reference materials to reinforce the monitoring requirements. As a 
result of recent findings and quarterly review of the manual refund 
process in Accounts Management, both the monitoring and supervisory 
review process are being examined to identify means for improvement. 
Once the review is complete, consideration will be given to 
implementing any recommendations. Accounts Management continues its 
quarterly reviews of the manual refund process; 
Status per GAO: Open. During our fiscal year 2008 audit, we continued 
to find instances where the manual refund initiators did not document 
their monitoring of accounts to prevent duplicate refunds. IRS's review 
of the monitoring and supervisory review process for manual refunds has 
not been completed. We will continue to evaluate IRS's corrective 
actions during our fiscal year 2009 audit. 

ID no.: 06-01; 
Recommendation: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. Accounts Management has procedures in place for 
the periodic supervisory review and documentation of the Form 3210 
reconciliation process, which is designed to follow up on 
unacknowledged forms. This process is designed to provide a timely 
account of any discrepancy between the documents listed on the Form 
3210 and those received. For the last 3 years, conference calls have 
been conducted with each directorate to reinforce the correct 
processing of Form 3210s. Recent actions to address the recommendation 
include having "Form 3210 Processing" as an agenda item on the Refund 
Inquiry Units' conference call. In addition, the quarterly Accounts 
Management internal control Form 3210 review now requires that the 
Refund Inquiry Unit be included in the review; 
Status per GAO: Open. During our fiscal year 2008 audit, we identified 
an instance at one SCC where the Refund Inquiry Unit manager did not 
perform or document periodic reviews of forms used to transmit returned 
refund checks. We will continue to evaluate IRS's actions during our 
fiscal year 2009 audit. 

ID no.: 06-02; 
Recommendation: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including SCCs, TACs, and units within Large and 
Mid-sized Business (LMSB) and Tax-Exempt and Government Entities 
(TE/GE), establish a system to track acknowledged copies of document 
transmittals (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. IRS has procedures in place to ensure compliance 
with tracking acknowledgement copies of document transmittals. W&I 
Account Management continues to analyze the results of its quarterly 
reviews. Field Assistance revised the IRM provisions during 2007 to 
provide procedures for requiring TACs to follow up with SP Centers when 
acknowledgments are not received within 10 days. Field Assistance 
revised other IRM provisions to include more detail for processing Form 
3210. The IRM provides guidance to maintain centralized files for 
acknowledged Form 3210 for three years, and provides guidance for 
handling unacknowledged Form 3210. Offices transmitting receipts have a 
system to track acknowledged copies of document transmittals. All TE/GE 
Division Directors continue to use the Quick Reference Guide for 
Processing Checks, including a check sheet and flowchart developed for 
the TE/GE Exam Managers to use when performing operational reviews to 
ensure their subordinate groups are properly processing all checks. 
TE/GE will also implement by September 2009 requirements for each 
Examination Area Manager to verify tracking measures are in place in 
all their groups. LMSB has completed all its planned actions with 
regard to this recommendation and will continue to issue an annual 
executive memorandum on Form 3210 procedures around July 2009; 
Status per GAO: Open. During our fiscal year 2008 audit, we identified 
instances at three SB/SE units and two TACs where there was no system 
in place to monitor acknowledged/unacknowledged transmittals to the SP 
Center. We will continue to assess IRS's actions during our fiscal year 
2009 audit. 

ID no.: 06-04; 
Recommendation: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. IRS revised the IRM on October 1, 2008, to 
include more detail for processing Form 3210. IRM 1.4.11.19.1 provides 
guidance to maintain centralized files for acknowledged Form 3210 for 3 
years. Operational Reviews revealed that managers are in compliance 
with conducting and documenting the document transmittal review that 
includes the reconciliation process of Forms 3210 and 795. All managers 
were reminded to conduct these reviews at the Filing Season Readiness 
Workshop completed by December 15, 2008. The Refund Inquiry Unit 
continues to be included in the Accounts Management quarterly internal 
control review of document transmittal procedures. The review checklist 
includes the timely follow-up and documentation of Form 3210 
acknowledgements as well as the required periodic managerial review. 
For TE/GE, each front line Examination group manager will ensure they 
complete reviews of document transmittals, and TE/GE is adding an 
additional question to TE/GE's 2009 Annual Assurance Review to certify 
all managers addressed this issue by June 2009; 
Status per GAO: Open. During our fiscal year 2008 audit, we identified 
instances at five SB/SE units and eight TACs where there was no 
evidence of managerial review of document transmittals and one instance 
at a SCC where the Refund Inquiry Unit manager did not perform or 
document periodic reviews of forms used to transmit returned refund 
checks. Moreover, the corrective actions cited by IRS were implemented 
after our fiscal year 2008 fieldwork. We will continue to evaluate 
IRS's corrective actions during our fiscal year 2009 audit. 

ID no.: 06-05; 
Recommendation: Equip all TACs with adequate physical security controls 
to deter and prevent unauthorized access to restricted areas or office 
space occupied by other IRS units, including those TACs that are not 
scheduled to be reconfigured to the "new TAC" model in the near future. 
This includes appropriately separating customer service waiting areas 
from restricted areas in the near future by physical barriers, such as 
locked doors marked with signs barring entrance by unescorted customers 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. IRS continues to work to improve security and 
control access issues in the TACs. Of the 401 TAC locations, 183 have 
been built to design standard, with another 14 scheduled for completion 
by the end of January 2009. Forty-five projects have been approved to 
implement the TAC model in 2009, with another 30 projects pending final 
approval and funding. Forty-four projects are in development for 
implementation from 2010 through 2014. IRS will work to address any 
concerns with the space design/layout of TAC space and continue to roll 
out the TAC Design Model in the remaining locations. While 
implementation of the TAC Model Design is the ideal solution, 
implementation of compensating controls such as theater ropes or other 
barriers, signage and minor alterations/reconfigurations have been 
incorporated in many TAC locations as an interim measure. Using a 
variety of criteria including security, safety and health concerns, IRS 
has identified priority locations for the implementation of the TAC 
Design Model; 
Status per GAO: Open. We will continue to evaluate IRS's actions during 
our fiscal year 2009 audit. 

ID no.: 06-07; 
Recommendation: Document supervisory visits by offsite managers to TACs 
not having a manager permanently on-site. This documentation should be 
signed by the manager and should (1) record the time and date of the 
visit, (2) identify the manager performing the visit, (3) indicate the 
tasks performed during the visit, (4) note any problems identified, and 
(5) describe corrective actions planned (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. Field Assistance uses the TAC Security Remittance 
Review Database, which requires managers to conduct and document their 
reviews to ensure the protection of data and compliance with remittance 
and security procedures. Field Assistance implemented the TAC Security 
Remittance Review Database during the first quarter of fiscal year 
2007. Since implementation, IRS has had numerous problems with the 
system due to technological limitations. Some of the problems IRS 
encountered include erroneously deleted information and an inability to 
save and transmit reports. IRS has attempted to secure funding and 
assistance to convert the database to a user-friendly Web version. The 
system was converted to a Web-modified application effective the second 
quarter of fiscal year 2009. This is only a temporary resolution until 
funding is secured. While the database was being revised, the area 
offices were still responsible for completing the reviews using Data 
Collection Instruments for the first quarter. In addition, IRS also 
tested the Web design prior to its implementation and has initiated a 
review process to engage headquarters, areas and territory management 
staff to identify and correct the database entries. The process will 
include sampling and conducting operational reviews as assurance of the 
database integrity. To enhance everyone's understanding of the process, 
talking points will be developed for discussions between the territory 
and group managers; 
Status per GAO: Open. IRS continues to implement its new process for 
providing oversight of TACs not having a manager permanently on-site 
during our fiscal year 2008 audit. Because the process was not fully 
functional, we were unable to test its implementation during our audit 
fieldwork. We will continue to assess IRS's actions during our fiscal 
year 2009 audit. 

ID no.: 06-08; 
Recommendation: Enforce the requirement that all security or other 
responsible personnel at SCCs and lockbox banks record all instances 
involving the activation of intrusion alarms, regardless of the 
circumstances that may have caused the activation (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Open. IRM 10.2.14 Methods of Providing Protection will 
be revised by September 30, 2009, to state: "A record of all instances 
involving the activation of any alarm regardless of the circumstances 
that may have caused the activation, must be documented in a Daily 
Activity Report/Event Log, or other log book and maintained for 2 
years;" 
Status per GAO: Open. During our review and evaluation, we found that 
IRS's corrective actions relating to the recordation of all instances 
involving alarm activations in the Daily Activity Report/Event Log, or 
other log book, were not included in the final version of the IRM. We 
will continue to assess IRS's corrective actions during our fiscal year 
2009 audit. 

ID no.: 06-15; 
Recommendation: Revise the physical security procedures in the IRM to 
require that all SCCs and any respective annex facilities processing 
taxpayer receipts and/or information perform and document monthly tests 
of the facility's intrusion detection alarms. At a minimum, these 
procedures should (1) outline the type of test to be conducted, (2) 
include criteria for assessing whether the controls used to respond to 
the alarm were effective, and (3) require that a logbook be maintained 
to document the test dates, results, and response information (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. IRS performs monthly unannounced testing of 
guard response to alarms, and test results are reviewed by the Security 
Programs Office to enforce and ensure compliance. According to IRS, 
test results on guard response to alarms are consistently 98 percent or 
higher, indicating substantial compliance with IRS guidelines. Test 
procedures were formalized in IRM 10.2.14 Methods of Providing 
Protection issued on October 1, 2008. PSEP continues to utilize the 
Audit Management Checklist as a repeatable process, and SCCs validate 
quarterly the performance and documentation of monthly unannounced 
alarm testing; 
Status per GAO: Closed. IRS revised IRM 10.2.14 to include requirements 
to perform and document monthly tests of intrusion detection alarms, 
including guard responses to alarms. Also, IRS's Audit Management 
Checklist contains review steps for physical security analysts to 
determine whether SCCs and respective annex facilities that process 
taxpayer receipts and/or information perform and document monthly tests 
of intrusion alarms. 

ID no.: 06-22; 
Recommendation: Direct Facilities Management Branch managers to 
research and resolve the aging reports (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-06-543R, May 12, 2006); 
Status per IRS: Closed. This item remains closed since fiscal year 
2006, with AWSS continuing to regularly follow up on disposal actions. 
During fiscal year 2008, IRS implemented a new wizard tool that caused 
a system glitch which prevented IRS from updating all disposals within 
10 work days. Several IRS staff were aware of the glitch and were 
working on the issue. As a result, the disposal action that should have 
been updated in 10 days was actually updated in 15 work days; 
Status per GAO: Open. In fiscal year 2006, IRS re-engineered the P&E 
asset retirement and disposal process to generate exception reports 
that enable management to regularly monitor the aging of transactions 
during the disposal process. However, our testing in fiscal years 2007 
and 2008 noted that disposals shown on the exception report were not 
always being recorded in a timely manner. During our fiscal year 2009 
audit, we will verify that the new software enhancement is operating as 
intended. 

ID no.: 07-01; 
Recommendation: Enforce the existing policy requiring that all lockbox 
banks encrypt backup media containing federal taxpayer information 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. IRS revised the language in Lockbox Security 
Guidelines (LSG) 2.17.8 (9) to mitigate the risk as outlined in the 
Lockbox Electronic Bulletin issued on July 17, 2008. As of September 1, 
2008, all lockbox sites use file encryption, and are in compliance with 
the requirements as outlined in the Lockbox Electronic Bulletin; 
Status per GAO: Closed. IRS revised its LSG to require lockbox banks to 
encrypt backup media containing taxpayer information. IRS has included 
this issue as one of the areas tested during its annual reviews of 
information technology security at its lockbox banks. During our fiscal 
year 2008 internal control testing, we did not identify any instances 
where lockbox banks were not encrypting backup media containing federal 
taxpayer information. 

ID no.: 07-02; 
Recommendation: Ensure that lockbox banks store backup media containing 
federal taxpayer information at an off-site location as required by the 
2006 LSG (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. IRS revised the language in LSG 2.17.8 (9) to 
mitigate the risk as outlined in the Lockbox Electronic Bulletin issued 
on July 17, 2008. As of September 1, 2008, all lockbox sites store 
backup media containing federal taxpayer information at an off-site 
location and are in compliance with the requirements as outlined in the 
Lockbox Electronic Bulletin; 
Status per GAO: Closed. IRS revised its LSG to require lockbox banks to 
store backup media containing taxpayer information at an off-site 
location. IRS has included this issue as one of the areas tested during 
its annual information technology security reviews at lockbox banks. 

ID no.: 07-03; 
Recommendation: Revise instructions for the annual reviews of lockbox 
banks to encompass routine monitoring of backup media containing 
personally identifiable information to ensure that this information is 
(1) encrypted prior to transmission and (2) stored in an appropriate 
off-site location (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. IRS revised the Information Technology Data 
Collection Instruments, which are used during the annual reviews of 
lockbox banks, and the related instructions (1) to ensure that the 
data/image transmissions sent through the Lockbox Electronic Network 
are encrypted prior to transmission and (2) to validate that all backup 
media containing personally identifiable information is stored and 
protected as required in the Lockbox Electronic Bulletin; 
Status per GAO: Closed. IRS revised its Information Technology Data 
Collection Instrument to test whether lockbox banks are (1) encrypting 
personally identifiable information prior to transmission and (2) 
storing backup media containing personally identifiable information at 
an appropriate off-site location. 

ID no.: 07-04; 
Recommendation: Develop and implement appropriate corrective actions 
for any gaps in closed circuit television (CCTV) camera coverage that 
do not provide an unobstructed view of the entire exterior of the SCC's 
perimeter, such as adding or repositioning existing CCTV cameras or 
removing obstructions (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. PSEP developed and implemented an action plan 
requiring all SCCs to (1) perform and validate completion of an 
assessment of their CCTV to ascertain if it provided an unobstructed 
view of the exterior of the campus perimeter, and (2) identify problems 
and planned corrective actions to mitigate the identified problems. All 
SCCs validated completion of the CCTV assessment and a total of 16 
problems were identified. Progress on corrective actions was monitored 
and reported to PSEP management on a monthly basis. All corrective 
actions were addressed: 14 were resolved by the installation of CCTV 
cameras and/or removal of obstructions, and 2 were determined by 
management to meet an acceptable level of risk. PSEP continues to 
utilize the Audit Management Checklist as a repeatable process where 
SCCs quarterly validate CCTV coverage of the campus fence line and 
perimeter. The reported corrective actions were completed January 10, 
2008. PSEP will continue to place emphasis on CCTV camera coverage, as 
well as perform regularly scheduled risk assessments of IRS facilities; 
Status per GAO: Open. On January 10, 2008, IRS completed an assessment 
of its CCTVs in all SCCs to ascertain whether they provided an 
unobstructed view of its campuses' exterior perimeter. However, IRS's 
assessment did not account for the CCTV weaknesses that were reported 
in the Fresno SCC's January 2007 risk assessment, which continued to 
exist during our April 2009 visit. During our visit, we found that the 
CCTVs did not provide an unobstructed view of the building exterior or 
fence line, many of the CCTVs were not wired properly and could not be 
used to their full potential. While these weaknesses were reported in 
the January 2007 risk assessment, Fresno was one of the four SCCs that 
did not report any specific weaknesses to the PSEP management that 
requested the assessment of the CCTVs. In view of the weaknesses we 
observed, it is unclear how the Fresno campus reached its conclusion 
that no CCTV problems were reportable to the PSEP requestors performing 
the assessment. We will continue to assess IRS's actions during our 
fiscal year 2009 audit. 

ID no.: 07-08; 
Recommendation: Require that managers or supervisors provide the manual 
refund initiators in their units with training on the most current 
requirements to help ensure that they fulfill their responsibilities to 
monitor manual refunds and document their monitoring actions to prevent 
the issuance of duplicate refunds (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Open. All W&I functions, except Accounts Management, 
conducted training during 2007 and 2008 for manual refund initiators to 
ensure they fulfill their responsibilities to monitor manual refunds 
and document their monitoring actions to prevent the issuance of 
duplicate refunds. W&I Compliance completed its training for manual 
refund initiators in the W&I campuses in April 2008. SP conducted 
refresher training during fiscal years 2007 and 2008 (continuing 
professional education) and will include again in the fiscal year 2009 
continuing professional education. SP management reviews history sheets 
annotated with taxpayer identification numbers, tax period, transaction 
code, date, and initials of initiator. Accounts Management manual 
refund training has been delayed due to the Economic Stimulus Package 
workload. Accounts Management is re-examining manual refund monitoring 
procedures and will reschedule the training in fiscal year 2009 once 
the review is complete and any changes implemented; 
Status per GAO: Open. During our fiscal year 2008 audit, we found 
instances where the manual refund initiators did not receive training 
on the most current requirements to help ensure that they fulfill their 
responsibilities to monitor manual refunds. We will continue to 
evaluate IRS's corrective actions during our fiscal year 2009 audit. 

ID no.: 07-09; 
Recommendation: Enhance its computer program to check for outstanding 
tax liabilities associated with both the primary and secondary Social 
Security numbers shown on a joint tax return and apply credits to those 
balances before issuing any refund (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. On January 20, 2008, SB/SE implemented the 
programming to check for outstanding liabilities associated with both 
the primary and secondary Social Security numbers on a joint tax return 
for offsetting to any outstanding TFRP liability before issuance of a 
refund; 
Status per GAO: Closed. We verified that IRS implemented the 
programming change to check for outstanding liabilities associated with 
both the primary and secondary Social Security numbers on a joint tax 
return for offsetting to any outstanding TFRP liability before issuance 
of a refund. We reviewed the accounts of a number of taxpayers who (1) 
were assessed a TFRP, (2) filed a joint personal income tax return with 
a spouse, (3) listed her or his Social Security number as the second 
one on the tax return, and (4) had credits on the personal income tax 
account. In each of these cases, we verified that IRS's computer 
program identified the outstanding TFRP and applied the credits to the 
TFRP balance before sending any refund to the taxpayer. Additionally, 
according to IRS, their analysis identified over $10 million of refund 
offsets that have occurred from January 2008 to March 2009 as a result 
of this corrective action. 

ID no.: 07-11; 
Recommendation: Correct the penalty calculation programs in the master 
file so that penalties are calculated in accordance with the applicable 
Internal Revenue Code and implementing IRM guidance (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. SB/SE implemented a system change in January 
2007 to correct the failure-to-pay (FTP) penalty calculation program. 
In June 2008, SB/SE conducted a review of the programming change and 
determined the program is correctly charging the reduced rate on 
subsequent assessments. There was a small subpopulation of accounts 
that the system change did not correct. IRS worked on an additional 
system change to correct penalty calculation programming affecting the 
remainder of the cases and completed its corrective action in August 
2008; 
Status per GAO: Closed. We verified that IRS's system corrected the FTP 
penalty calculation program. We reviewed the accounts of a number of 
taxpayers for whom: (1) IRS increased the FTP penalty rate assessed 
against the taxpayer for failing to pay taxes owed from 0.5 percent to 
1 percent when the taxpayer failed to pay following repeated 
notification of the taxes due, (2) the taxpayer subsequently paid off 
the balance for the specific tax period, and (3) following its system 
change, IRS assessed the taxpayer additional taxes owed for the same 
tax period and a related FTP penalty. In each of these cases, we 
verified that the FTP penalties were calculated in accordance with the 
applicable IRM guidance. 

ID no.: 07-12; 
Recommendation: Research each of the taxpayer accounts that may have 
been affected by the penalty programming errors to determine whether 
they contain overassessed penalties and correct the accounts as needed 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. IRS implemented in January 2007 and August 2008 
the change to the FTP penalty calculation program and also recalculated 
the FTP amount using the correct rate on all open taxpayer accounts 
with this penalty; 
Status per GAO: Closed. We verified that IRS's system change resulted 
in FTP penalties being calculated in accordance with the applicable IRM 
guidance on open taxpayer accounts. We reviewed the accounts of a 
number of taxpayers from IRS's unpaid assessment inventory for whom: 
(1) IRS had increased the FTP penalty rate assessed against the 
taxpayer for failing to pay taxes owed from 0.5 percent to 1 percent 
when the taxpayer failed to pay following repeated notification of the 
taxes due, (2) the taxpayer subsequently paid off the balance for the 
specific tax period, and (3) IRS assessed the taxpayer additional taxes 
owed for the same tax period, with related FTP penalties. In each of 
these cases, we verified that the total recorded FTP penalty 
assessments on the account were in accordance with the applicable IRM 
guidance. 

ID no.: 07-13; 
Recommendation: Establish procedures and specify in the IRM that at the 
time of receipt, employees recording taxpayer payments should (1) 
determine if the payment is more than sufficient to cover the tax 
liability of the tax period specified on the payment or earliest 
outstanding tax period, (2) perform additional research to resolve any 
outstanding issues on the account, (3) determine whether the taxpayer 
has outstanding balances in other tax periods, and (4) apply available 
credits to satisfy the outstanding balances in other tax periods (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. SB/SE published IRM 5.1.2.5.3 in September 2008 
with revisions to 5.1.2.5.3.1(1) through (7) directing employees to 
make the specific determinations and to take the specific actions 
contained in this recommendation; 
Status per GAO: Closed. IRS revised its IRM in September 2008 to 
include instructions specifically addressing this recommendation. The 
IRM now instructs IRS employees to (1) determine if the payment is 
sufficient to cover the tax liability of the tax period specified on 
the payment, (2) perform additional research and resolve any 
outstanding issues on the account, including determining if there are 
any freeze codes that will delay credit posting, (3) determine whether 
the taxpayer has outstanding balances in other tax periods, and (4) 
apply available credits to satisfy the outstanding balances in other 
tax periods. 

ID no.: 07-14; 
Recommendation: Establish procedures and specify in the IRM that 
employees review taxpayer accounts with freeze codes that contain 
credits weekly to (1) research and resolve any outstanding issues on 
the account, (2) determine whether the taxpayer has outstanding 
balances in other tax periods, and (3) apply available credits to 
satisfy the outstanding balances in other tax periods (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. SB/SE published IRM 5.1.2.5.3 in September 2008 
with revisions to 5.1.2.5.3.1(1) through (7) directing employees to 
make the specific determinations and to take the specific actions 
contained in this recommendation; 
Status per GAO: Closed. IRS revised its IRM in September 2008 to 
include instructions specifically addressing this recommendation. The 
IRM now instructs IRS employees to (1) determine if the payment is 
sufficient to cover the tax liability of the tax period specified on 
the payment, (2) perform additional research and resolve any 
outstanding issues on the account, including determining if there are 
any freeze codes that will delay credit posting, (3) determine whether 
the taxpayer has outstanding balances in other tax periods, and (4) 
apply available credits to satisfy the outstanding balances in other 
tax periods. 

ID no.: 07-15; 
Recommendation: Issue a memorandum to employees in the Centralized 
Insolvency Office reiterating the IRM requirement to timely record 
bankruptcy discharge information onto taxpayer accounts in the master 
file or to manually release the liens in the Automated Lien System 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Open. SB/SE has requested Counsel guidance related to 
lien releases after discharge to determine if a memorandum is needed. 
SB/SE will issue a memorandum to employees by May 2009, if necessary; 
Status per GAO: Open. As part of its own fiscal year 2008 OMB A-123 
testing of lien releases, IRS tested a statistical sample of taxpayer 
accounts requiring a lien release during 2008. In its testing, IRS 
again identified a case in which it did not release the applicable 
federal tax lien within the statutory 30-day period because it did not 
update the taxpayer's account in a timely manner to reflect that the 
taxpayer had been discharged of the taxes in a bankruptcy court. The 
untimely recording of bankruptcy discharges results in the untimely 
release of tax liens and is directly related to IRS's noncompliance 
with Internal Revenue Code Section 6325 which requires IRS to release 
its tax liens within 30 days of the date the related tax liability is 
fully satisfied. We will continue to review IRS's corrective actions to 
address this recommendation during our fiscal year 2009 audit. 

ID no.: 07-17; 
Recommendation: Monitor installment agreement user fee activity on a 
regular basis (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. W&I Compliance continues to use the Installment 
Agreement Account Listings (IAAL) report to monitor user fee activity. 
In January 2008, IRS implemented enhancements to the report and 
increased the frequency of the sweep process from quarterly to weekly; 
Status per GAO: Closed. IRS runs edit checks to test the validity of 
recorded installment agreements, including the user fees, which results 
in the identification of potential errors that are then listed on the 
IAAL. We verified that IRS improved its IAAL report process by grouping 
items that appear on the IAAL into tiers based on priority and 
establishing time frames by tier for investigating and resolving these 
potential errors. In addition, we confirmed that IRS now performs 
managerial reviews on IAAL cases processed by its collection 
operations. IRS also increased the frequency of its computer sweep 
recovery process, which is intended to identify unrecorded user fees, 
from a few times a year to once a week, thus increasing the timeliness 
and accuracy of recorded individual taxpayer user fees. 

ID no.: 07-18; 
Recommendation: Adjust errors in recorded installment agreement user 
fees as necessary to correctly reflect the user fees IRS earned and 
collected from taxpayers (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. W&I Compliance uses a weekly sweep process to 
reconcile installment agreement payments and adjusts those with 
discrepancies or errors to ensure that fees are accurately posted to 
the user fee account; 
Status per GAO: Closed. W&I Compliance's weekly sweep process is 
designed to identify and correct for unrecorded user fees collected 
with the initial installment agreement payment. We verified that IRS's 
improvements to its installment agreement user fees monitoring process 
will help ensure that errors in recorded installment agreement user 
fees are identified and corrected in a more timely manner. 
Additionally, we did not identify any instances of errors in recorded 
installment agreement user fees during our fiscal year 2008 audit. 

ID no.: 07-19; 
Recommendation: Establish sufficient review procedures to help ensure 
that adjustments to installment agreement user fees collected from 
taxpayers are accurately and timely recorded (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. W&I Compliance uses the Installment Agreement 
Account Listings report to identify accounts with user fee errors, 
underpayments, and overpayments that require adjustments. W&I 
consolidated the report listing at one location to provide improved 
oversight of the process. Both W&I and SB/SE program analysts, 
managers, operations management, and headquarters staff conduct reviews 
of the report listing. In January 2008, IRS implemented enhancements to 
the report and increased the frequency of the sweep process used to 
correct accounts from quarterly to weekly. IRS also updated IRM 5.19.1 
in January 2008 to include requirements for case analysis and 
documentation; 
Status per GAO: Closed. We verified that IRS conducts managerial and 
operational reviews on its W&I Compliance Service Collection 
Operations, the division responsible for making the appropriate 
adjustments for errors in recorded installment agreement user fees. 
Additionally, we did not identify any errors in recorded installment 
agreement user fees tested during our fiscal year 2008 audit. 

ID no.: 07-20; 
Recommendation: Establish and maintain sufficient secured storage space 
to properly secure and safeguard property and equipment inventory, 
including in-stock inventories, assets from incoming shipments, and 
assets that are in the process of being excessed and/or shipped out 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Open. The IRS plans to implement the following 
procedures to ensure that sufficient secured space is maintained for 
Automated Data Processing (ADP) and Non-ADP assets: Requesters needing 
space are to initiate an Employee Resource Center ticket requesting 
"Property Consultation" services, which initiates Real Estate and 
Facilities Management (REFM) activity to work with the requester on 
obtaining the needed secured storage space. When Modernization & 
Information Technology Services property managers need secure storage, 
narrative associated with the Employee Resource Center work ticket must 
state: "Need to consult with local REFM staff on providing a secure 
storage alternative for ADP equipment." This procedure is to be used 
for asset distribution staging or when assets are to be excessed. This 
policy is effective March 30, 2009; 
Status per GAO: Open. IRS completed its corrective action plan after 
the end of our fiscal year 2008 audit. We will review IRS's corrective 
actions during our fiscal year 2009 audit. 

ID no.: 07-21; 
Recommendation: Develop and implement procedures to require that 
separate individuals place orders with vendors and perform receipt and 
acceptance functions when the orders are delivered (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-07-689R, May 11, 2007); 
Status per IRS: Closed. AWSS Procurement issued policy Change Notice 07-
08, which contains a revision to Policy and Procedure Memorandum 46.5, 
Receipt, Quality Assurance and Acceptance. The revision limits 
situations in which contracting officers may perform receipt and 
acceptance. In addition to the Policy and Procedure Memorandum 46.5, 
the IRS Acquisition Procedure Subpart 1003.90--Separation of Duties and 
Management Controls--requires separation of duties for requisition 
approval, certification of funds, contract award, and receipt and 
acceptance. Procurement runs Web Request Tracking System reports to 
review the instances where contracting officers performed receipt and 
acceptance to ensure that the receipt and acceptance falls within 
exceptions/procedures outlined in the Policy and Procedure Memorandum 
46.5; 
Status per GAO: Open. During our fiscal year 2008 audit, we noted that 
IRS revised its policy to reflect the situations under which 
contracting officers may perform receipt and acceptance functions. In 
addition, the IRS Acquisition procedures require that no employee shall 
perform more than one of the following four functions: (1) requisition 
approval for supplies and/or services, (2) certify the availability of 
funds, (3) conduct the procurement and execute the contractual 
document, and (4) receive the supplies or services. However, during our 
fiscal year 2008 audit testing, we continued to find instances where 
individuals were performing incompatible functions. We will continue to 
review actions taken by IRS during our fiscal year 2009 audit. 

ID no.: 07-22; 
Recommendation: Document the results of internal control tests 
conducted in a manner sufficiently clear and complete to explain how 
control procedures were tested, what results were achieved, and how 
conclusions were derived from those results, without reliance on 
supplementary oral explanation (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Closed. IRS revised its A-123 guidance to include 
templates and procedures for compiling, referencing, and reviewing 
audit working papers to ensure that the results of internal control 
tests are clear and complete to explain how control procedures were 
tested, what results were achieved, and how conclusions were derived 
from those results. During the fiscal year 2008 cycle, the Office of 
Corporate Planning and Internal Control assigned test team leaders and 
independent Office of Corporate Planning and Internal Control reviewers 
to examine workpapers to ensure the test team sufficiently documented 
their work to support their conclusions. The A-123 guidance requires 
that each set of work papers include a summary of findings statement 
setting out the conclusion reached after performing the transaction 
testing; 
Status per GAO: Closed. During our fiscal year 2008 IRS financial 
audit, we verified that IRS revised its A-123 guidance to include 
templates that clearly outline how to document and explain what control 
tests were performed, the scope of control tests, and the results of 
internal control tests performed. IRS's A-123 guidance also requires 
that each set of workpapers include a summary of findings statement 
that clearly concludes on results of test procedures performed by 
staff. We verified that IRS's workpapers documenting A-123 testing 
substantially conformed to the A-123 guidance. 

ID no.: 07-23; 
Recommendation: Clearly document how IRS considered existing reviews 
and audits in determining the nature, scope, and timing of procedures 
it planned to conduct under its OMB Circular No. A-123 process (short-
term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Closed. During the development of fiscal year 2008 A-
123 internal control test plans, IRS analyzed and documented open 
recommendations related to the internal control process/transaction 
being tested. IRS considered the open recommendation findings while 
developing the process/transaction test plan. IRS will continue to 
incorporate the open recommendation findings while planning A-123 
testing; 
Status per GAO: Closed. During fiscal year 2008, we verified that IRS 
included a requirement in its A-123 guidance to determine the adequacy 
and value of management actions taken in response to audits performed 
by GAO and the Treasury Inspector General for Tax Administration 
relating to financial reporting. We also verified that IRS review staff 
followed the A-123 guidance in performing internal control reviews. 

ID no.: 07-24; 
Recommendation: To the extent that IRS intends to use the information 
security work conducted under the Federal Information Security 
Management Act of 2002 (FISMA) to meet related A-123 requirements, 
identify the areas where the work conducted under FISMA does not meet 
the requirements of OMB Circular No. A-123 and, considering the 
findings and recommendations of our work on IRS's information security, 
expand FISMA procedures or perform additional procedures as part of the 
A-123 reviews to augment FISMA work (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Open. IRS will continue to work with Treasury and 
Modernization & Information Technology Services to fully implement A- 
123 requirements for evaluating controls over information technology 
relating to financial statement reporting. IRS will identify areas 
where the work conducted under FISMA does not meet A-123 requirements 
and consider information security findings and recommendations to 
ensure testing procedures meet A-123 requirements; 
Status per GAO: Open. We will follow up during future audits to assess 
IRS's progress in implementing this recommendation. 

ID no.: 07-25; 
Recommendation: Revise A-123 test plans to include appropriate 
consideration of the design of internal controls in addition to 
implementation of controls over individual transactions (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Open. IRS revised a limited set of fiscal year 2008 
test plans to pilot the requirement to include an analysis of the 
design for each transaction control set tested. This project is planned 
for completion during the fiscal year 2009 A-123 cycle; 
Status per GAO: Open. We verified that IRS revised a limited number of 
A-123 test plans to include an analysis of the design of internal 
controls tested. During our fiscal year 2009 audit, we will continue to 
review the remaining test plans as IRS revises them. 

ID no.: 07-26; 
Recommendation: Work with Treasury to identify laws and regulations 
that are significant to financial reporting, test controls over 
compliance with those laws and regulations, and evaluate and report on 
the results of such control reviews (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Closed. In fiscal year 2007, IRS established an 
internal crosswalk between A-123 tests and laws and regulations 
significant to financial reporting. In fiscal year 2008, IRS updated 
the crosswalk to a listing of laws and regulations which were expanded 
to include all specific public laws and took the additional step of 
incorporating GAO audit methodology into the linkage; 
Status per GAO: Closed. We obtained and reviewed IRS's laws and 
regulations crosswalk and verified that IRS had identified and planned 
appropriate procedures to test controls over laws and regulations 
considered significant to financial reporting. 

ID no.: 07-27; 
Recommendation: Begin devising appropriate A-123 follow-up procedures 
for the last 3 months of the fiscal year to be implemented once the 
material weaknesses identified through the annual financial statement 
audits have been resolved (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Open. IRS is considering alternative procedures for 
testing transactions to provide assurance for the last 3 months of the 
fiscal year. Although implementation of such procedures is not 
necessary until elimination of the outstanding material weaknesses, IRS 
intends to propose follow-up procedures before the end of the fiscal 
year; 
Status per GAO: Open. We will follow up during future audits to assess 
IRS's progress in implementing this recommendation. 

ID no.: 07-28; 
Recommendation: Provide A-123 review staff appropriate training, such 
as that available for financial auditors, to enhance their skills in 
workpaper documentation, identification and testing of internal 
controls, and evaluation and documentation of results (short-term); 
Source report: Management Report: IRS's First Year Implementation of 
the Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123 (GAO-07-692R, May 18, 2007); 
Status per IRS: Closed. Members of the IRS A-123 workgroup completed 
the United States Department of Agriculture Graduate School course, 
Audit Evidence and Working Papers, covering methods for collecting and 
documenting types of evidence needed to support audit reports and to 
meet professional standards, during the fall of 2007. IRS used concepts 
from this course and best practices from previous cycles to improve the 
curriculum over previous years for the annual IRS A-123 Training 
Workshop to improve proficiency in documentation and analysis in the 
transactional testing. The training also covers the process to be 
followed when reviewing or performing tests of internal controls, 
developing a determination as to whether or not the controls are 
functioning properly, and evaluating the materiality of errors. The 
Office of Corporate Planning and Internal Control is currently 
developing an IRM provision for reference to reinforce the A-123 
guidance provided during the training; 
Status per GAO: Closed. We verified that IRS developed an appropriate 
annual training workshop designed to ensure that their A-123 review 
staff enhance their skills in workpaper documentation, identification 
and testing of internal controls, and evaluation and documentation of 
test results. 

ID no.: 08-01; 
Recommendation: As IRS proceeds with its implementation of the 
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it 
becomes fully operational and is used in conjunction with the Interim 
Revenue and Accounting Control System (IRACS), will provide IRS with 
the direct transaction traceability for all of its tax-related 
transactions as required by the U.S. Standard General Ledger (SGL), 
Federal Financial Management System Requirements (FFMSR), and the 
Federal Financial Management Improvement Act of 1996 (FFMIA) (long- 
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Open. IRS instituted the use of trace identification 
numbers for revenue and refund transactions in fiscal year 2008 to 
provide traceability from the general ledger for tax transactions back 
to source documentation and throughout IRS financial management 
systems. IRS is currently developing additional internal controls for 
tax revenue transactions processed outside of the Electronic Federal 
Tax Payment System, and for transactions recorded into IRACS requiring 
manual transcription. IRS is working to revise each appropriate IRM 
provision and requested programming to implement system controls in 
payment systems to prevent, detect, and correct such transcription and 
input errors by fiscal year 2010. IRS is also developing the Redesign 
Revenue Accounting Control System, an enhancement of IRACS that will 
incorporate the United States Standard General Ledger. IRS plans to 
implement Redesign Revenue Accounting Control System in January 2010; 
Status per GAO: Open. During our future audits, we will continue to 
evaluate IRS's progress in achieving transaction traceability for tax 
revenues processed outside of the Electronic Funds Transaction Payment 
System and taxes receivable transactions. 

ID no.: 08-02; Recommendation: Document and implement the specific 
procedures to be performed by the IRS statistician in each step of the 
unpaid assessment estimation process (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Open. Revenue Financial Management documented the 
procedures the statistician performs in each step of the unpaid 
assessments estimation process by June 2008. Revenue Financial 
Management is enhancing each of these procedures to include additional 
steps based on the fiscal year 2008 audit. Revenue Financial Management 
will provide the new procedures by May 2009; 
Status per GAO: Open. During our fiscal year 2008 audit, we continued 
to find errors in IRS's unpaid assessment estimates that were not 
detected by IRS's internal reviews. IRS corrected these errors after we 
brought them to its attention. However, until IRS fully documents the 
specific procedures performed by its statistician in each step of the 
unpaid assessment estimation process and the specific procedures for 
reviewers to follow in their reviews, IRS faces increased risk that 
errors in this process will not be prevented or detected and corrected. 
We will continue to review IRS's corrective actions to address this 
recommendation during our fiscal year 2009 audit. 

ID no.: 08-03; 
Recommendation: Document and implement specific detailed procedures for 
reviewers to follow in their review of unpaid assessments statistical 
estimates. Specifically, IRS should require that a detailed supervisory 
review be performed to ensure (1) the statistical validity of the 
sampling plans, (2) data entered into the sample selection programs 
agree with the sampling plans, (3) data entered into the statistical 
projection programs agree with IRS's sample review results, (4) data on 
the spreadsheets used to compile the interim projections and roll-
forward results trace back to supporting statistical projection 
results, and (5) the calculations on these spreadsheets are 
mathematically correct (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Open. In June 2008, Revenue Financial Management 
documented the procedures reviewers should follow during their review 
of the statistical estimates. Revenue Financial Management is adding 
additional levels of review and oversight for fiscal year 2009 and is 
finalizing a Memorandum of Understanding with the Office of Program 
Evaluation and Risk Analysis to perform an independent review; 
Status per GAO: Open. During our fiscal year 2008 audit, we continued 
to find errors in IRS's unpaid assessment estimates that were not 
detected by IRS's internal reviews. IRS corrected these errors after we 
brought them to its attention. However, until IRS fully documents the 
specific procedures performed by its statistician in each step of the 
unpaid assessment estimation process and the specific procedures for 
reviewers to follow in their reviews, IRS faces increased risk that 
errors in this process will not be prevented or detected and corrected. 
We will continue to review IRS's corrective actions to address this 
recommendation during our fiscal year 2009 audit. 

ID no.: 08-04; 
Recommendation: To address the inconsistency in assigning the effective 
date of an accuracy-related penalty, modify the Business Master File 
computer program so that the date of the deficiency assessment is used 
as the effective date of any associated accuracy-related penalty (long-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. In January 2009, IRS implemented programming 
changes to the Business Master File computer program where accuracy-
related penalties assessed subsequent to the programming change will 
carry the same date as the related deficiency assessment; 
Status per GAO: Open. IRS completed its corrective action after the end 
of our fiscal year 2008 audit. We will review IRS's corrective action 
to address this recommendation during our fiscal year 2009 audit. 

ID no.: 08-05; 
Recommendation: Complete and document the review of existing programs 
in the master files that affect penalty calculations to identify any 
instances in which programs are not functioning in accordance with the 
intent of the IRM (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. IRS assembled a team of interest and penalty 
subject matter experts to perform a review of master file programming 
of penalty and interest computations. The review included a general 
random sample of open modules as well as a sample of modules impacted 
by recent implementation of programming changes. SB/SE performed the 
review the week of May 19, 2008. SB/SE will continue to perform these 
reviews periodically and implement any necessary changes to programming 
as a result; 
Status per GAO: Closed. We confirmed that IRS completed its review of 
existing master file computer programs that affect penalty calculations 
and documented a listing of instances in which programs are not 
functioning in accordance with the intent of the IRM. 

ID no.: 08-06; 
Recommendation: In instances where computer programs are not 
functioning in accordance with the intent of the IRM, take appropriate 
action to correct the programs so that they function in accordance with 
the IRM (long-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. IRS formed a cross-functional working group to 
address penalty and interest programming issues in August 2007. This 
group meets biweekly and continues to identify and assess penalty and 
interest issues. When issues that need correction are identified, 
programming changes are requested and IRS performs subsequent testing 
to ensure that the programming change resolved the issue. Resolutions 
of these identified issues are in various stages. Other issues are 
being discussed with Modernization & Information Technology Services to 
determine the most effective way to implement programming changes, and 
on certain cases an impact analysis determined correction is not cost 
effective at this time. Solutions to identified systemic differences 
between IRS systems that cannot be fixed under the current processing 
system are being addressed by modernization efforts; 
Status per GAO: Open. Although IRS completed its review of master file 
computer programs that affect penalty calculations and has planned a 
series of corrective actions, it has not yet completed all of the 
required programming corrections. We will continue to review IRS's 
corrective actions to address this recommendation during our fiscal 
year 2009 and future audits. 

ID no.: 08-07; 
Recommendation: Develop and provide comprehensive guidance to assist 
TAC managers in conducting reviews of outlying TACs and documenting the 
results. This guidance should include a description of the key controls 
that should be in place at outlying TACs, specify how often these key 
controls should be reviewed, and specify how the results of each review 
should be documented, including follow-up on issues identified in 
previous TAC reviews (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. Managers follow IRM 1.4.11 as comprehensive 
guidance for conducting reviews at all TACs. TAC managers use the one-
day receipt per TAC per quarter process to ensure at least once per 
quarter, the manager performs a one day review of all payment receipts 
as well as the documents associated with the receipts for all employees 
with payment receipts on the date chosen for review. Area directors are 
responsible for the oversight of all TAC activities including outlying 
post of duties. IRM 1.4.11.6.2 outlines the scheduled routine visit 
requirement for each TAC and Exhibit 1.4.11-11 gives a description of 
all required reviews for each TAC, including the frequency. Validation 
of completion is documented through operational reviews. The results of 
the operational reviews indicate a summary of findings, which included 
a corrective action report, completed annually; 
Status per GAO: Open. IRM 1.4.11 provides guidance for managerial 
reviews and frequency of these reviews at outlying TACs. Also, the IRM 
outlines the TAC Security Remittance Review Database process and 
requires managers to input the results of their reviews into the 
database. However, the database was not fully implemented in fiscal 
year 2008. As a result, we were unable to fully test its implementation 
during our audit fieldwork. We will review IRS's corrective actions 
during our fiscal year 2009 audit. 

ID no.: 08-08; 
Recommendation: Establish a process to periodically update and 
communicate the specific required reviews for all off-site TAC managers 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. The Director of Field Assistance issued a 
quarterly reminder to managers to conduct required reviews on September 
30, 2008. Field Assistance continues to review the monthly reports 
received from field offices, including the status of corrective actions 
noted during operational reviews, to ensure completion of needed 
improvements; 
Status per GAO: Open. We will review IRS's corrective actions during 
our fiscal year 2009 audit. 

ID no.: 08-09; 
Recommendation: Establish a mechanism to monitor compliance with 
existing requirement that TAC employees responsible for accepting 
taxpayer payments in cash have their computer system access 
appropriately restricted to limit their ability to adjust taxpayer 
accounts (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. IRM 1.4.11.19.4.1.1 was revised in April 2008 
to mandate the use of the "restrict" command code in all cases. Group 
managers will continue to be reminded of the existing requirements to 
restrict command codes as part of the Form 809 Annual Reconciliation 
Review. During this review, group managers use a check sheet as shown 
in IRM 3.8.45.29.15, which includes this validity check. The result of 
the review is sent to territory managers and Submission Processing. 
Furthermore, restricted IDRS command codes are addressed in ongoing 
operational reviews. IRM 1.4.11.19.4 guidance is provided to restrict 
the 809 book holders profile when ordering the initial 809 receipt 
book. IRM 1.4.11.19.4.1.1 establishes the requirement for group 
managers to use restrict command codes from an 809 book holders 
profile. IRM 1.4.11-15 TAC Payment Processing Checklist is completed as 
part of the payment processing review conducted quarterly, which 
includes a question addressing restrict command codes. Finally, IRM 
1.4.11.19.4.1.1.1 covers the annual reconciliation of official 
receipts, which managers can use as an annual monitoring process in 
addition to operational reviews; 
Status per GAO: Closed. IRS mandated the use of the restrict command 
codes to TAC employees accepting cash payments to limit their IDRS 
access rights and ability to adjust taxpayer accounts. These procedures 
are monitored during operational reviews conducted by area and 
territory managers, at which time group managers are reminded of the 
existing requirements to restrict command codes. 

ID no.: 08-10; 
Recommendation: Establish procedures requiring periodic verification 
that all individuals designated as first responders to TAC duress 
alarms are appropriately qualified and geographically located to 
respond to the potentially dangerous situations in an effective and 
timely manner (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. Guidance concerning armed first responders to 
TAC duress alarms was reissued via email to area directors for 
distribution on August 19, 2008, and subsequently finalized in IRM 
10.2.14, Methods of Providing Protection, issued October 1, 2008. The 
IRM specifies, "An armed 'First Responder' (guard police) must be 
listed as the first responder, as the shortest possible response time 
is critical with priority notification. The alarm notification priority 
protocols are: (1) First Priority: on-site guards are notified; (2) 
Second Priority, Federal Protective Service is notified, and (3) Third 
Priority, local police who will be notified last." The TAC Scheduled 
Duress Alarm Test Report was revised to include a section to indicate 
the date the notification list for first responders was last updated. 
The reports are rolled up from the Areas/Territories to the Security 
Programs office quarterly. The revised report was instituted via e-mail 
on July 24, 2008. PSEP continues to utilize the Audit Management 
Checklist as a repeatable process where Territory offices validate that 
proper first responders are listed for notification; 
Status per GAO: Closed. IRS established procedures in the IRM requiring 
quarterly verification that individuals designated as first responders 
to TAC duress alarms are appropriately qualified and geographically 
located to respond to the potentially dangerous situations in an 
effective and timely manner. 

ID no.: 08-11; 
Recommendation: Modify the IRM to specify qualifications and 
geographical proximity requirements for individuals designated as first 
responders to duress alarms at IRS facilities, and to require that the 
responsibilities and qualifications of all designated first responders 
be periodically reviewed to verify that over time, they continue to be 
qualified and appropriately located, and to make any necessary 
adjustments (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. IRS finalized and issued IRM 10.2.14, Methods 
of Providing Protection on October 1, 2008. IRM 10.2.14.9.2(7)a 
specifies: "An armed 'First Responder' (guard police) must be listed as 
the first responder, as the shortest possible response time is critical 
with priority notification. The alarm notification priority protocols 
are: (1) First Priority: on-site guards are notified; (2) Second 
Priority, Federal Protective Service is notified, and (3) Third 
Priority, local police who will be notified last." The TAC Scheduled 
Duress Alarm Test Report was revised to include a section to indicate 
the date the notification list for first responders was last updated. 
The reports are rolled up from the Areas/Territories to the Security 
Programs office quarterly. The revised report form was instituted via e-
mail on July 24, 2008. PSEP continues to utilize the Audit Management 
Checklist as a repeatable process where Territory offices validate that 
proper first responders are listed for notification; 
Status per GAO: Closed. IRS revised the IRM to specify the 
qualifications and geographical proximity requirements for individuals 
designated as first responders and included a provision for PSEP to 
conduct quarterly reviews of this issue. 

ID no.: 08-12; Recommendation: Establish procedures to require 
documentation demonstrating that favorable background checks have been 
completed for all contractors prior to allowing them access to TAC and 
other field offices (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Open. AWSS has been working with the General Services 
Administration (GSA) since March 2008 to implement a process for 
procuring services from GSA to perform contractor background 
investigations. AWSS prepared and submitted a draft interagency 
agreement to GSA for consideration in June 2008. IRS received and 
reviewed the GSA comments, and is finalizing the interagency agreement 
for pricing and services. GSA has submitted a draft three-phase 
schedule for completion of the background investigations that would 
complete enter-on-duty determinations for all facilities by November 
2009. Implementation is contingent upon GSA successfully completing its 
actions; 
Status per GAO: Open. During our fiscal year 2008 audit, we identified 
instances at three TACs where IRS did not have documentary evidence 
demonstrating the completion of favorable background investigations for 
contractors performing janitorial services during non-operating hours. 
We will review IRS's corrective actions during our fiscal year 2009 
audit. 

ID no.: 08-13; 
Recommendation: Require including, in all shredding service contracts, 
provisions requiring (1) completed background investigations for 
contractor employees before they are granted access to sensitive IRS 
information, and (2) periodic, unannounced inspections at off-site 
shredding facilities by IRS to verify ongoing compliance with IRS 
safeguards and security requirements (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Open. IRS developed a Performance Work Statement for a 
National Document Destruction Contract. IRS expects full contract 
implementation by October 1, 2009. Implementing a national contract 
will standardize these requirements and ensure consistency. In the 
interim, the current contracts require a review of contractor 
performance through site visits and to ensure that contractors comply 
with all security requirements for employee clearance prior to 
performing the work. AWSS distributed a message to the Real Estate and 
Facilities Management Territory Managers and Logistics Chiefs on 
January 23, 2009, reinforcing the requirement to review their existing 
shred contracts to ensure they comply with the security requirements 
stated in their respective contracts; 
Status per GAO: Open. As stated in IRS's response, the Performance Work 
Statement for a National Document Destruction Contract will not be 
fully implemented until the first quarter of fiscal year 2010. We will 
review IRS's corrective actions during future audits. 

ID no.: 08-14; 
Recommendation: Revise the IRM to include a requirement that IRS 
conduct periodic, unannounced inspections at off-site contractor 
facilities entrusted with sensitive IRS information; document the 
results, including identification of any security issues; and verify 
that the contractor has taken appropriate corrective actions on any 
security issues observed (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Open. IRS developed a Performance Work Statement for a 
National Document Destruction Contract. IRS expects full contract 
implementation by October 1, 2009. Implementing a national contract 
will standardize these requirements and ensure consistency. In the 
interim, the current contracts require a review of contractor 
performance through site visits and to ensure that contractors comply 
with all security requirements for employee clearance prior to 
performing the work. IRS distributed a message on January 23, 2009, 
reinforcing the requirement to review their existing shred contracts to 
ensure they comply with the security requirements stated in their 
respective contracts; 
Status per GAO: Open. As stated in IRS's response, the Performance Work 
Statement for a National Document Destruction Contract will not be 
fully implemented until the first quarter of fiscal year 2010. We will 
review IRS's corrective actions during future audits. 

ID no.: 08-15; 
Recommendation: Establish procedures to require obtaining and reviewing 
documentation of completed background investigations for all shredding 
contractors before granting them access to taxpayer or other sensitive 
IRS information (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Open. IRS developed a Performance Work Statement for a 
National Document Destruction Contract. IRS expects full contract 
implementation by October 1, 2009. Implementing a national contract 
will standardize these requirements and ensure consistency. In the 
interim, the current contracts require a review of contractor 
performance through site visits, in order to ensure that contractors 
comply with all security requirements for employee clearance prior to 
performing the work. IRS distributed a message on January 23, 2009, 
reinforcing the requirement to review their existing shredding 
contracts to ensure they comply with the security requirements stated 
in their respective contracts; 
Status per GAO: Open. As stated in IRS's response, the Performance Work 
Statement for a National Document Destruction Contract will not be 
fully implemented until the first quarter of fiscal year 2010. In 
addition, during our fiscal year 2008 audit, we identified an instance 
at one of three SCCs we visited where shredding service contractor 
employees did not go through background investigations before they were 
granted access to taxpayer or other sensitive information. We will 
review IRS's corrective actions during future audits. 

ID no.: 08-16; 
Recommendation: Reinforce existing policies requiring the use of the 
revised Form 13094 when hiring juveniles (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. The Human Capital Office issued a notice in 
September 2007 to each Employment Branch Chief to reinforce this 
policy; and the office also sends periodic reminders to the Employment 
Offices during monthly calls with the employment staffs. The Human 
Capital Office also issued Alert 731-2 on September 29, 2008, to all 
Employment Offices clarifying the guidance provided in Policy No. 15. 
In October 2008, Policy and Programs received written confirmation from 
every Employment Office that Policy No. 15 was being followed and that 
the correct Form 13094 was being used; 
Status per GAO: Open. During our fiscal year 2008 audit, we identified 
four juveniles hired in fiscal year 2008 who were not provided a 
revised Form 13094. We will review IRS's corrective actions during our 
fiscal year 2009 audit. 

ID no.: 08-17; 
Recommendation: Reinforce existing policies requiring verification of 
the information on Form 13094 by contacting the reference directly and 
documenting the details of this contact (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. The Human Capital Office revised Form 13094 in 
December 2007 and provided the form and accompanying instructions to 
the employment staff in January 2008. The Human Capital Office also 
issued Alert 731-2 on September 29, 2008, to all Employment Offices 
clarifying the guidance provided in Policy No. 15. In October 2008, 
Policy and Programs received written confirmation from every Employment 
Office that Policy No. 15 was being followed and that the correct Form 
13094 was being used; 
Status per GAO: Open. During our fiscal year 2008 audit, we identified 
five instances where the IRS employment office staff did not verify the 
information on Form 13094 by contacting the reference directly and 
documenting the details of that contact. We will review IRS's 
corrective actions during our fiscal year 2009 audit. 

ID no.: 08-18; 
Recommendation: Issue a memorandum to Receipt Control Operations Unit 
staff reiterating existing requirements for (1) supervisory reviews of 
the processing of TE/GE user fee deposits and (2) key documentation to 
be signed and dated by the supervisor as evidence of that review (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. W&I Submission Processing issued a memorandum 
in April 2008 to the operations manager of Receipt and Control, 
reiterating the requirement to follow procedures in IRM 3.45.1 to 
conduct supervisory reviews of the deposit encoding tapes and the 
recapitulation of remittances, deposit tickets, and to sign or initial 
the documents as evidence that the reviews were completed. Receipt and 
Control is also following IRM 3.45.1 to conduct and document 
supervisory reviews of the TE/GE deposits; 
Status per GAO: Closed. We verified that IRS issued a memorandum to its 
operations manager of Receipt and Control to reinforce procedures in 
its IRM requiring signed supervisory review of TE/GE user fee deposits. 
Additionally, during our fiscal year 2008 audit, we did not identify 
any instances where IRS did not document supervisory review of the 
TE/GE user fee deposits tested. 

ID no.: 08-19; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase card approving 
officials and purchase cardholders sign and date monthly account 
statements attesting to their review and completion of the required 
reconciliation process (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. The electronic Purchase Card Module eliminated 
the paper statement of accounts being mailed to purchase cardholders 
using the Purchase Card Module. The purchase cardholder and approving 
official electronically reconcile and approve the transactions, which 
is evidence of their signature approving the transactions. The system 
maintains history on the user login name and date of the action; 
Status per GAO: Closed. We confirmed that IRS modified its existing 
guidelines and fully implemented the Purchase Card Module. During our 
fiscal year 2008 audit, we noted that the purchase card approving 
official's signature attesting to the review and reconciliation of the 
monthly statement is now captured electronically by the Purchase Card 
Module. However, we also noted that the purchase card approving 
officials were not always electronically reconciling and approving 
transactions within the required timeframes documented in IRS's 
existing guidelines. Timely reconciliation and approval of transactions 
is necessary to help ensure that purchase card transactions are valid 
and appropriate. Thus, we are closing this recommendation and opening a 
new recommendation to address this additional issue in our June 2009 
management report. See GAO-09-513R and recommendation 09-10 in this 
report. 

ID no.: 08-20; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase cardholders obtain 
funding approval or verify that funds are available for the intended 
purpose prior to making a purchase (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. IRS provides purchase cardholders with funding 
approval requirements during initial and refresher training. The 
guidelines outlining funding requirements are also available online in 
the Purchase Card Guide and on the program specific Web site. As IRS 
converted purchase cardholders to the Purchase Card Module, it 
highlighted this requirement in the transition guidelines; 
Status per GAO: Closed. We confirmed that IRS modified its existing 
guidelines and fully implemented the Purchase Card Module. During our 
fiscal year 2008 audit, we noted that purchase cardholders obtained 
funding approval electronically through the Purchase Card Module prior 
to making a purchase. The Purchase Card Module directly interfaces with 
the funding requisition function of IRS's Web-based Requisition 
Tracking System to verify funds availability. 

ID no.: 08-21; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase card approving 
officials update and maintain appropriate supporting documentation 
(short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. Citibank reports previously received by 
purchase card approving officials were eliminated with implementation 
of the Purchase Card Module. All documentation for purchase card 
activity is maintained electronically in the Purchase Card Module with 
the exception of packing slips/receipts, which are maintained by the 
cardholder. The documentation is available for review by the approving 
official, but approving officials are not required to maintain copies 
of documentation already maintained by the cardholder; 
Status per GAO: Closed. Even though IRS did not modify its existing 
guidelines to require the purchase card approving official to maintain 
copies of the purchase cardholder's supporting documentation, we 
confirmed that IRS now has compensating internal control procedures in 
place to close this recommendation. IRS's existing guidelines require 
the purchase cardholder to maintain the supporting documentation and 
for approving officials to ensure that the cardholders have all 
required documentation. During our fiscal year 2008 audit, we noted 
that the purchase cardholders maintained appropriate supporting 
documentation. 

ID no.: 08-22; 
Recommendation: Modify existing guidelines to provide for detailed 
internal control procedures requiring that purchase cardholders and 
purchase card approving officials retain copies of all supporting 
documents for a reasonable period of time, such as 3 years (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. The requirement to maintain supporting 
documentation for all purchase card activity for 3 years is outlined in 
current guidance and training material provided to cardholders. The 
documentation is available for review by the approving official, but is 
maintained by the cardholder; 
Status per GAO: Closed. Even though IRS did not modify its existing 
guidelines, we confirmed that the current guidelines require 
cardholders to maintain supporting documentation for 3 years. IRS's 
existing guidelines require the purchase cardholder to maintain the 
supporting documentation and for approving officials to ensure that the 
cardholders have all required documentation. During our fiscal year 
2008 audit, we noted that the purchase cardholders maintained 
appropriate supporting documentation. 

ID no.: 08-23; 
Recommendation: Issue a memorandum addressed to all personnel 
responsible for updating inventory records that reiterates IRS's 
existing policy requiring that new assets be inputted into the 
inventory system within 10 days of receipt (short-term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. Modernization & Information Technology Services 
issued a memorandum dated September 5, 2008, and Directive (Asset 
Management Policy Directive AM 034) dated August 18, 2008, to all 
organizations reiterating the IRS policy that new assets must be 
inputted into the inventory system within 10 days of receipt; 
Status per GAO: Closed. During our fiscal year 2008 audit, IRS's 
Associate Chief Information Officer for End User Equipment Services, in 
response to our recommendations, issued a memorandum to all personnel 
responsible for updating inventory. The memorandum reiterated IRS's 
existing policy requiring that new assets be inputted into the 
inventory system within 10 days of receipt. 

ID no.: 08-24; 
Recommendation: Issue a memorandum to employees that reiterates IRS 
policy requiring all employees to obtain appropriate approvals of 
travel authorizations prior to the initiation of their travel (short-
term); 
Source report: Management Report: Improvements Needed in IRS's Internal 
Controls (GAO-08-368R, June 2008); 
Status per IRS: Closed. AWSS issued communications to all employees 
reiterating the policy requiring all employees to obtain approval of 
travel authorizations before the initiation of travel through periodic 
notices on the IRS intranet with links to Travel Times. In Travel 
Times, IRS has issued: Travel Authorization Reminders (October 2007 and 
February 2008) and Travel Authorization Reminder News from the business 
units (December 2007, February 2008, and May 2008). Furthermore, IRS is 
continuing to implement GovTrip and as of January 1, 2009, has 25,775 
GovTrip users. All users must file a travel authorization before travel 
begins, and GovTrip will not allow a voucher to be created without a 
signed/approved authorization; 
Status per GAO: Open. We confirmed that IRS issued communications to 
staff reiterating the policy that all employees receive travel 
authorization before commencing travel, and that IRS continues to 
implement its GovTrip system with full implementation expected by 
approximately July 2009. However, during our fiscal year 2008 audit, we 
continued to identify instances where IRS staff did not obtain approval 
of travel authorizations in advance of travel. We will continue to 
review actions being taken by IRS to address this recommendation during 
our fiscal year 2009 audit. 

ID no.: 09-01; 
Recommendation: Correct the Integrated Data Retrieval System (IDRS) 
computer program for identifying individual taxpayers who have entered 
into an installment agreement so that except in situations where the 
taxpayer did not file the tax return timely, failure-to-pay penalty 
assessments made after the date of the installment agreement are 
calculated using the monthly one-quarter of one percent penalty rate on 
all of the taxpayer's accounts covered by the installment agreement 
(short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-02; 
Recommendation: Add specific requirements to the IRM to require that 
manual refund units assign back up staff to perform manual refund 
monitoring activities whenever a manual refund initiator is absent for 
an extended period of time (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-03; 
Recommendation: Document in the IRM minimum requirements for 
establishing criteria for time discrepancies or other inconsistencies, 
which if noted as part of the required monitoring of Form 10160, 
Receipt for Transport of IRS Deposit, would require off-site 
surveillance of couriers (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-04; 
Recommendation: Document in the IRM minimum requirements for conducting 
off-site surveillance of couriers entrusted with taxpayer receipts and 
information (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-05; 
Recommendation: Establish procedures to track and routinely report the 
total dollar amounts and volumes of receipts collected by individual 
TAC location, group, territory, area, and nationwide (long-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-06; Recommendation: Establish procedures to ensure that an 
inventory of all duress alarms is documented for each location and is 
readily available to individuals conducting duress alarm tests before 
each test is conducted (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-07; 
Recommendation: Establish procedures to periodically update the 
inventory of duress alarms at each TAC location to ensure that the 
inventory is current and complete as of the testing date (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-08; 
Recommendation: Provide instructions for conducting quarterly duress 
alarm tests to ensure that IRS officials conducting the test (1) 
document the test results for each duress alarm listed in the 
inventory, including date, findings, and planned corrective action and 
(2) track the findings until they are properly resolved (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-09; 
Recommendation: Establish procedures requiring that each physical 
security analyst conduct a periodic documented review of the Emergency 
Signal History Report and emergency contact list for its respective 
location to ensure that (1) appropriate corrective actions have been 
planned for all incidents reported by the central monitoring station 
and (2) the emergency contact list for each location is current and 
includes only appropriate contacts (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-10; 
Recommendation: Develop, document, and implement procedures to 
regularly monitor the timeliness of purchase card approvals. This 
should include establishing procedures and responsibility for 
identifying and following up on instances of non-compliance with 
required approval timeframes (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-11; 
Recommendation: Revise the IRM section related to the limited use of 
expired appropriations to provide additional guidance to help employees 
distinguish between procurement actions that constitute new obligations 
and those that merely adjust or liquidate prior obligations that the 
IRS incurred during an expired appropriation's original period of 
availability (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-12; 
Recommendation: Reiterate IRS's existing policy requiring that 
transactions be recorded accurately to the undelivered orders 
obligation accounts (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-13; 
Recommendation: Perform existing reviews of transactions recorded in 
undelivered orders obligation accounts in a more timely manner in an 
effort to detect and correct errors, such as duplicate receipt and 
acceptance charges, earlier in the process (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-14; 
Recommendation: Establish a formal, documented process for identifying 
over time the full range of IRS's programs and underlying activities, 
outputs, and services for which IRS believes full cost information 
would be useful to executives and program managers. Such a process 
should (1) be formally established and documented through policies, 
procedures, guidance, meeting minutes, and other appropriate means; (2) 
define the roles and responsibilities of the CFO and other business 
units in the process; and (3) be focused on the goal of determining 
what cost information would be useful and the most appropriate means of 
developing and reporting it for both existing programs and new programs 
as they are initiated (short-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-15; 
Recommendation: For each of the IRS programs, activities, outputs, and 
services identified for which full cost information would be useful to 
IRS executives and program managers, complete the development of full 
cost methodologies to routinely accumulate and report on their full 
costs, including down to the activity level where appropriate. Such 
full cost data should be readily accessible to IRS program managers 
whenever they are needed and should include both personnel costs based 
on time spent on specific activities as well as all associated non-
personnel costs and be drawn from or reconcilable to IRS's financial 
accounting system (long-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

ID no.: 09-16; 
Recommendation: Develop outcome-oriented performance measures and 
related performance goals for IRS's enforcement programs and activities 
that include measures of the full cost of, and the revenue collected 
from, those programs and activities (return on investment) to assist 
IRS's managers in optimizing resource allocation decisions and 
evaluating the effectiveness of their activities (long-term); 
Source report: Management Report: Improvements Are Needed to Enhance 
IRS's Internal Controls and Operating Effectiveness (GAO-09-513R, June 
2009); 
Status per IRS: Because this is a recent recommendation, GAO did not 
obtain information on IRS's status in addressing it; 
Status per GAO: Open: This is a recent recommendation. We will verify 
IRS's corrective actions during future audits. 

Source: IRS updates detailing actions to address GAO's recommendations 
and GAO's analysis of IRS's actions. 

[End of table] 

[End of section] 

Appendix II: Open Recommendations Arranged by Control or Compliance 
Issue: 

Financial Reporting: 

The Internal Revenue Service (IRS) does not have financial management 
systems adequate to enable it to accurately generate and report, in a 
timely manner, the information needed to both prepare financial 
statements and manage operations on an ongoing basis. To overcome these 
systemic deficiencies with respect to preparation of its annual 
financial statements, IRS was compelled to employ compensating 
procedures. Specifically, IRS (1) did not have an adequate general 
ledger system for tax-related transactions, and (2) was unable to 
readily determine the costs of its activities and programs and did not 
have cost-based performance information to assist in making or 
justifying resource allocation decisions. As a result, IRS does not 
have data to assist in managing operations on a day-to-day basis and to 
provide an informed basis for making or justifying resource allocation 
decisions. 

Table 12: Material Weakness: Controls over Financial Reporting: 

ID no.: 01-39; 
Recommendation: Develop a mechanism to track and report the actual 
costs associated with reimbursable activities (long-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 08-01; 
Recommendation: As IRS proceeds with its implementation of the 
Custodial Detail Data Base (CDDB), it should verify that CDDB, when it 
becomes fully operational and is used in conjunction with the Interim 
Revenue and Accounting Control System (IRACS), will provide IRS with 
the direct transaction traceability for all of its tax-related 
transactions as required by the U.S. Standard General Ledger (SGL), 
Federal Financial Management System Requirements (FFMSR), and the 
Federal Financial Management Improvement Act of 1996 (FFMIA) (long- 
term); 
Control activity: Appropriate documentation of transactions and 
internal controls. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Unpaid Tax Assessments: 

IRS has serious internal control issues that affected its management of 
unpaid tax assessments. Specifically, IRS (1) lacked a subsidiary 
ledger for unpaid tax assessments that would allow it to produce 
accurate, useful, and timely information with which to manage and 
report externally, and (2) experienced errors and delays in recording 
taxpayer information, payments, and other activities. 

Table 13: Material Weakness: Controls over Unpaid Assessments: 

ID No.: 94-02; 
Recommendation: Monitor implementation of actions to reduce the errors 
in calculating and reporting manual interest on taxpayer accounts, and 
test the effectiveness of these actions (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID No.: 99-01; 
Recommendation: Manually review and eliminate duplicate or other 
assessments that have already been paid off to assure that all accounts 
related to a single assessment are appropriately credited for payments 
received (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID No.: 99-03; 
Recommendation: Ensure that IRS's modernization blueprint includes 
developing a subsidiary ledger to accurately and promptly identify, 
classify, track, and report all IRS unpaid assessments by amount and 
taxpayer. This subsidiary ledger must also have the capability to 
distinguish unpaid assessments by category in order to identify those 
assessments that represent taxes receivable versus compliance 
assessments and write-offs. In cases involving trust fund recovery 
penalties, the subsidiary ledger should ensure that (1) the trust fund 
recovery penalty assessment is appropriately tracked for all taxpayers 
liable but counted only once for reporting purposes and (2) all 
payments made are properly credited to the accounts of all individuals 
assessed for the liability (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID No.: 99-20; 
Recommendation: Analyze and determine the factors causing delays in 
processing and posting Trust Fund Recovery Penalty (TFRP) assessments. 
Once these factors have been determined, IRS should develop procedures 
to reduce the impact of these factors and to ensure timely posting to 
all applicable accounts and proper offsetting of refunds against unpaid 
assessments before issuance (long-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID No.: 09-01; 
Recommendation: Correct the Integrated Data Retrieval System (IDRS) 
computer program for identifying individual taxpayers who have entered 
into an installment agreement so that except in situations where the 
taxpayer did not file the tax return timely, failure-to-pay penalty 
assessments made after the date of the installment agreement are 
calculated using the monthly one-quarter of one percent penalty rate on 
all of the taxpayer's accounts covered by the installment agreement 
(short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Information Security: 

Significant information security weaknesses continue to jeopardize the 
confidentiality, availability, and integrity of information processed 
by IRS's key systems, increasing the risk of material misstatement for 
financial reporting. For example, sensitive information, such as user 
identification and passwords for mission-critical applications, 
continued to be readily available to any user on IRS's internal 
network. These IDs and passwords could be used by a malicious user to 
compromise data flowing to and from IFS. Other continuing weaknesses 
included the existence of passwords that were not complex enough to 
avoid being guessed or cracked. In addition, although IRS had improved 
its application of vendor-supplied system patches that protect against 
known vulnerabilities, it still had not patched systems in a timely 
manner. The agency's procurement system, which processed approximately 
$1.8 billion of obligations in fiscal year 2008, also remained at risk 
because previously reported weaknesses had not been corrected. These 
weaknesses included (1) not restricting user's ability to bypass 
application controls, (2) continuing to use unencrypted protocols, and 
(3) not removing separated employees' access in a timely manner. These 
outstanding weaknesses increase the risk that data processed by the 
agency's financial management systems are not reliable. 

Material Weakness: Controls over Information Systems Security: 

Although IRS has made some progress in addressing previous weaknesses 
we identified in its information systems security controls and physical 
security controls, these and new weaknesses in information systems 
security continue to impair IRS's ability to ensure the 
confidentiality, integrity, and availability of financial and tax- 
processing systems. As of January 2009, there were 74 open 
recommendations from our information systems security work designed to 
help IRS improve its information systems security controls. Those 
recommendations are reported separately and are not included in this 
report primarily because of the sensitive nature of some of the issues. 

Tax Revenue and Refunds: 

Weaknesses in control over tax revenue and refunds continue to hamper 
IRS's ability to optimize the use of its limited resources to collect 
unpaid taxes and minimize payment of improper refunds. Specifically, 
IRS has not (1) developed performance metrics and goals on the cost of, 
and the revenue collected from, IRS's various enforcement programs and 
activities, with the exception of the Earned Income Tax Credit program; 
or (2) fully established and implemented the financial management 
structure and processes to provide IRS key financial management data on 
costs and enforcement tax revenue. These deficiencies inhibit IRS's 
ability to appropriately assess and routinely monitor the relative 
merits of its various enforcement initiatives and adjust its strategies 
as needed. This, in turn, can significantly affect both the level of 
enforcement tax revenue collected and improper refunds disbursed. 

Table 14: Significant Deficiency: Controls over Revenues and Issuing 
Refunds: 

ID no.: 09-02; 
Recommendation: Add specific requirements to the Internal Revenue 
Manual (IRM) to require that manual refund units assign back up staff 
to perform manual refund monitoring activities whenever a manual refund 
initiator is absent for an extended period of time (short-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 09-14; 
Recommendation: Establish a formal, documented process for identifying 
over time the full range of IRS's programs and underlying activities, 
outputs, and services for which IRS believes full cost information 
would be useful to executives and program managers. Such a process 
should (1) be formally established and documented through policies, 
procedures, guidance, meeting minutes, and other appropriate means; (2) 
define the roles and responsibilities of the CFO and other business 
units in the process; and (3) be focused on the goal of determining 
what cost information would be useful and the most appropriate means of 
developing and reporting it for both existing programs and new programs 
as they are initiated (short-term); 
Control activity: Establishment and review of performance measures and 
indicators. 

ID no.: 09-15; 
Recommendation: For each of the IRS programs, activities, outputs, and 
services identified for which full cost information would be useful to 
IRS executives and program managers, complete the development of full 
cost methodologies to routinely accumulate and report on their full 
costs, including down to the activity level where appropriate. Such 
full cost data should be readily accessible to IRS program managers 
whenever they are needed and should include both personnel costs based 
on time spent on specific activities as well as all associated non-
personnel costs and be drawn from or reconcilable to IRS's financial 
accounting system (long-term); 
Control activity: Establishment and review of performance measures and 
indicators. 

ID no.: 09-16; 
Recommendation: Develop outcome-oriented performance measures and 
related performance goals for IRS's enforcement programs and activities 
that include measures of the full cost of, and the revenue collected 
from, those programs and activities (return on investment) to assist 
IRS's managers in optimizing resource allocation decisions and 
evaluating the effectiveness of their activities (long-term); 
Control activity: Establishment and review of performance measures and 
indicators. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Release of Federal Tax Liens: 

IRS did not always release the applicable federal tax lien within 30 
days of the tax liability being either paid off or abated, as required 
by the Internal Revenue Code (section 6325). The Internal Revenue Code 
grants IRS the power to file a lien against the property of any 
taxpayer who neglects or refuses to pay all assessed federal taxes. The 
lien serves to protect the interest of the federal government and as a 
public notice to current and potential creditors of the government's 
interest in the taxpayer's property. 

Table 15: Compliance with Laws and Regulations: Timely Release of 
Liens: 

ID no.: 01-06; 
Recommendation: Implement procedures to closely monitor the release of 
tax liens to ensure that they are released within 30 days of the date 
the related tax liability is fully satisfied. As part of these 
procedures, IRS should carefully analyze the causes of the delays in 
releasing tax liens identified by our work and prior work by IRS's 
former internal audit function and ensure that such procedures 
effectively address these issues (short-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-15; 
Recommendation: Issue a memorandum to employees in the Centralized 
Insolvency Office reiterating the IRM requirement to timely record 
bankruptcy discharge information onto taxpayer accounts in the master 
file or to manually release the liens in the Automated Lien System 
(short-term); 
Control activity: Appropriate documentation of transactions and 
internal controls. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

Other Control Issues: 

The recommendations listed below pertain to issues that do not rise 
individually or in the aggregate to the level of a significant 
deficiency or a material weakness. However, these issues do represent 
weaknesses in various aspects of IRS's control environment that should 
be addressed. 

Table 16: Other Control Issues Not Associated with a Material Weakness 
or Significant Deficiency: 

ID no.: 99-22; 
Recommendation: Expand IRS's current review of campus deterrent 
controls to include similar analyses of controls at IRS field offices 
in areas such as courier security, safeguarding of receipts in locked 
containers, requirements for fingerprinting employees, and requirements 
for promptly overstamping checks made out to "IRS" with "Internal 
Revenue Service" or "United States Treasury." Based on the results, IRS 
should make appropriate changes to strengthen its physical security 
controls (short-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 99-36; 
Recommendation: Make enhancements to IRS financial systems to include 
recording plant and equipment (P&E) and capital leases as assets when 
purchased and to generate detailed records for P&E that reconcile to 
the financial records (long-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 01-17; 
Recommendation: Develop a subsidiary ledger for leasehold improvements 
and implement procedures to record leasehold improvement costs as they 
occur (long-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 02-16; 
Recommendation: Ensure that field office management complies with 
existing receipt control policies that require a segregation of duties 
between employees who prepare control logs for walk-in payments and 
employees who reconcile the control logs to the actual payments (short-
term); 
Control activity: Segregation of duties. 

ID no.: 02-18; 
Recommendation: Work with the National Finance Center (NFC) to resolve 
the technical limitations that exist within the Security Entry and 
Tracking System (SETS) database and continue to periodically review 
SETS data to detect and correct errors (short-term); 
Control activity: Controls over Information processing. 

ID no.: 04-08; 
Recommendation: Enforce policies and procedures to ensure that service 
center campus security guards respond to alarms (short-term); 
Control activity: Physical control over vulnerable assets. 

ID no.: 05-32; 
Recommendation: Establish policies and procedures to require 
appropriate segregation of duties in small business/self-employed units 
of field offices with respect to preparation of Payment Posting 
Vouchers, Document Transmittal forms, and transmittal packages (short-
term); 
Control activity: Segregation of duties. 

ID no.: 05-33; 
Recommendation: Enforce the requirement that a document transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information (short-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 05-37; 
Recommendation: Enforce documentation requirements relating to 
authorizing officials charged with approving manual refunds (short-
term); 
Control activity: Proper execution of transactions and events. 

ID no.: 05-38; 
Recommendation: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts for manual refunds (short-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 05-39; 
Recommendation: Enforce requirements for documenting monitoring actions 
and supervisory review for manual refunds (short-term); 
Control activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-01; 
Recommendation: Require that Refund Inquiry Unit managers or 
supervisors document their review of all forms used to record and 
transmit returned refund checks prior to sending them for final 
processing (short-term); 
Control activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-02; 
Recommendation: Enforce compliance with existing requirements that all 
IRS units transmitting taxpayer receipts and information from one IRS 
facility to another, including service center campuses (SCC), taxpayer 
assistance centers (TAC), and units within Large and Mid-sized Business 
(LMSB) and Tax-Exempt and Government Entities (TE/GE), establish a 
system to track acknowledged copies of document transmittals (short-
term); 
Control activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-04; 
Recommendation: Require that managers or supervisors document their 
reviews of document transmittals to ensure that taxpayer receipts 
and/or taxpayer information mailed between IRS locations are tracked 
according to guidelines (short-term); 
Control activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-05; 
Recommendation: Equip all TACs with adequate physical security controls 
to deter and prevent unauthorized access to restricted areas or office 
space occupied by other IRS units, including those TACs that are not 
scheduled to be reconfigured to the "new TAC" model in the near future. 
This includes appropriately separating customer service waiting areas 
from restricted areas in the near future by physical barriers such as 
locked doors marked with signs barring entrance by unescorted customers 
(short-term); 
Control activity: Physical control over vulnerable assets. 

ID no.: 06-07; 
Recommendation: Document supervisory visits by offsite managers to TACs 
not having a manager permanently on site. This documentation should be 
signed by the manager and should (1) record the time and date of the 
visit, (2) identify the manager performing the visit, (3) indicate the 
tasks performed during the visit, (4) note any problems identified, and 
(5) describe corrective actions planned (short-term); 
Control activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 06-08; 
Recommendation: Enforce the requirement that all security or other 
responsible personnel at SCCs and lockbox banks record all instances 
involving the activation of intrusion alarms, regardless of the 
circumstances that may have caused the activation (short-term); 
Control activity: Physical control over vulnerable assets. 

ID no.: 06-22; 
Recommendation: Direct Facilities Management Branch managers to 
research and resolve the aging reports (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 07-04; 
Recommendation: Develop and implement appropriate corrective actions 
for any gaps in closed circuit television (CCTV) camera coverage that 
do not provide an unobstructed view of the entire exterior of the SCC's 
perimeter, such as adding or repositioning existing CCTV cameras or 
removing obstructions (short-term); 
Control activity: Physical control over vulnerable assets. 

ID no.: 07-08; 
Recommendation: Require that managers or supervisors provide the manual 
refund initiators in their units with training on the most current 
requirements to help ensure that they fulfill their responsibilities to 
monitor manual refunds and document their monitoring actions to prevent 
the issuance of duplicate refunds (short-term); 
Control activity: Management of human capital. 

ID no.: 07-20; 
Recommendation: Establish and maintain sufficient secured storage space 
to properly secure and safeguard property and equipment inventory, 
including in-stock inventories, assets from incoming shipments, and 
assets that are in the process of being excessed and/or shipped out 
(short-term); 
Control activity: Physical control over vulnerable assets. 

ID no.: 07-21; 
Recommendation: Develop and implement procedures to require that 
separate individuals place orders with vendors and perform receipt and 
acceptance functions when the orders are delivered (short-term); 
Control activity: Segregation of duties. 

ID no.: 07-24; 
Recommendation: To the extent that IRS intends to use the information 
security work conducted under the Federal Information Security 
Management Act of 2002 (FISMA) to meet related A-123 requirements, 
identify the areas where the work conducted under FISMA does not meet 
the requirements of Office of Management and Budget (OMB) Circular No. 
A-123 and, considering the findings and recommendations of our work on 
IRS's information security, expand FISMA procedures or perform 
additional procedures as part of the A-123 reviews to augment FISMA 
work (short-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-25; 
Recommendation: Revise A-123 test plans to include appropriate 
consideration of the design of internal controls in addition to 
implementation of controls over individual transactions (short-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 07-27; 
Recommendation: Begin devising appropriate A-123 follow-up procedures 
for the last 3 months of the fiscal year to be implemented once the 
material weaknesses identified through the annual financial statement 
audits have been resolved (short-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 08-02; 
Recommendation: Document and implement the specific procedures to be 
performed by the IRS statistician in each step of the unpaid assessment 
estimation process (short-term); 
Control activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-03; 
Recommendation: Document and implement specific detailed procedures for 
reviewers to follow in their review of unpaid assessments statistical 
estimates. Specifically, IRS should require that a detailed supervisory 
review be performed to ensure (1) the statistical validity of the 
sampling plans, (2) data entered into the sample selection programs 
agree with the sampling plans, (3) data entered into the statistical 
projection programs agree with IRS's sample review results, (4) data on 
the spreadsheets used to compile the interim projections and roll-
forward results trace back to supporting statistical projection 
results, and (5) the calculations on these spreadsheets are 
mathematically correct (short-term); 
Control activity: Management of human capital. 

ID no.: 08-04; 
Recommendation: To address the inconsistency in assigning the effective 
date of an accuracy-related penalty, modify the Business Master File 
computer program so that the date of the deficiency assessment is used 
as the effective date of any associated accuracy-related penalty (long-
term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 08-06; 
Recommendation: In instances where computer programs are not 
functioning in accordance with the intent of the IRM, take appropriate 
action to correct the programs so that they function in accordance with 
the IRM (long-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 08-07; 
Recommendation: Develop and provide comprehensive guidance to assist 
TAC managers in conducting reviews of outlying TACs and documenting the 
results. This guidance should include a description of the key controls 
that should be in place at outlying TACs, specify how often these key 
controls should be reviewed, and specify how the results of each review 
should be documented, including follow-up on issues identified in 
previous TAC reviews (short-term); 
Control activity: Appropriate documentation of transactions and 
internal controls. 

ID no.: 08-08; 
Recommendation: Establish a process to periodically update and 
communicate the specific required reviews for all off-site TAC managers 
(short-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 08-12; 
Recommendation: Establish procedures to require documentation 
demonstrating that favorable background checks have been completed for 
all contractors prior to allowing them access to TAC and other field 
offices (short-term); 
Control activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 08-13; 
Recommendation: Require including, in all shredding service contracts, 
provisions requiring (1) completed background investigations for 
contractor employees before they are granted access to sensitive IRS 
information and (2) periodic, unannounced inspections at off-site 
shredding facilities by IRS to verify ongoing compliance with IRS 
safeguards and security requirements (short-term); 
Control activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 08-14; 
Recommendation: Revise the IRM to include a requirement that IRS 
conduct periodic, unannounced inspections at off-site contractor 
facilities entrusted with sensitive IRS information; document the 
results, including identification of any security issues; and verify 
that the contractor has taken appropriate corrective actions on any 
security issues observed (short-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 08-15; 
Recommendation: Establish procedures to require obtaining and reviewing 
documentation of completed background investigations for all shredding 
contractors before granting them access to taxpayer or other sensitive 
IRS information (short-term); 
Control activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 08-16; 
Recommendation: Reinforce existing policies requiring the use of the 
revised Form 13094 when hiring juveniles (short-term); 
Control activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 08-17; 
Recommendation: Reinforce existing policies requiring verification of 
the information on Form 13094 by contacting the reference directly and 
documenting the details of this contact (short-term); 
Control activity: Access restrictions to and accountability for 
resources and records. 

ID no.: 08-24; 
Recommendation: Issue a memorandum to employees that reiterates IRS 
policy requiring all employees to obtain appropriate approvals of 
travel authorizations prior to the initiation of their travel (short-
term); 
Control activity: Proper execution of transactions and events. 

ID no.: 09-03; 
Recommendation: Document in the IRM minimum requirements for 
establishing criteria for time discrepancies or other inconsistencies, 
which if noted as part of the required monitoring of Form 10160, 
Receipt for Transport of IRS Deposit, would require off-site 
surveillance of couriers (short-term); 
Control activity: Physical control over vulnerable assets. 

ID no.: 09-04; 
Recommendation: Document in the IRM minimum requirements for conducting 
off-site surveillance of couriers entrusted with taxpayer receipts and 
information (short-term); 
Control activity: Physical control over vulnerable assets. 

ID no.: 09-05; 
Recommendation: Establish procedures to track and routinely report the 
total dollar amounts and volumes of receipts collected by individual 
TAC location, group, territory, area, and nationwide (long-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 09-06; 
Recommendation: Establish procedures to ensure that an inventory of all 
duress alarms is documented for each location and is readily available 
to individuals conducting duress alarm tests before each test is 
conducted (short-term); 
Control activity: Physical control over vulnerable assets. 

ID no.: 09-07; 
Recommendation: Establish procedures to periodically update the 
inventory of duress alarms at each TAC location to ensure that the 
inventory is current and complete as of the testing date (short-term); 
Control activity: Physical control over vulnerable assets. 

ID no.: 09-08; 
Recommendation: Provide instructions for conducting quarterly duress 
alarm tests to ensure that IRS officials conducting the test (1) 
document the test results for each duress alarm listed in the 
inventory, including date, findings, and planned corrective action and 
(2) track the findings until they are properly resolved (short-term); 
Control activity: Physical control over vulnerable assets. 

ID no.: 09-09; 
Recommendation: Establish procedures requiring that each physical 
security analyst conduct a periodic documented review of the Emergency 
Signal History Report and emergency contact list for its respective 
location to ensure that (1) appropriate corrective actions have been 
planned for all incidents reported by the central monitoring station 
and (2) the emergency contact list for each location is current and 
includes only appropriate contacts (short-term); 
Control activity: Physical control over vulnerable assets. 

ID no.: 09-10; 
Recommendation: Develop, document, and implement procedures to 
regularly monitor the timeliness of purchase card approvals. This 
should include establishing procedures and responsibility for 
identifying and following up on instances of noncompliance with 
required approval timeframes (short-term); 
Control activity: Proper execution of transactions and events. 

ID no.: 09-11; 
Recommendation: Revise the IRM section related to the limited use of 
expired appropriations to provide additional guidance to help employees 
distinguish between procurement actions that constitute new obligations 
and those that merely adjust or liquidate prior obligations that the 
IRS incurred during an expired appropriation's original period of 
availability (short-term); 
Control activity: Reviews by management at the functional or activity 
level. 

ID no.: 09-12; 
Recommendation: Reiterate IRS's existing policy requiring that 
transactions be recorded accurately to the undelivered orders 
obligation accounts (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

ID no.: 09-13; 
Recommendation: Perform existing reviews of transactions recorded in 
undelivered orders obligation accounts in a more timely manner in an 
effort to detect and correct errors, such as duplicate receipt and 
acceptance charges, earlier in the process (short-term); 
Control activity: Accurate and timely recording of transactions and 
events. 

Source: GAO analysis of financial management recommendations made to 
IRS. 

[End of table] 

[End of section] 

Appendix III: Comments from the Internal Revenue Service: 

Department Of The Treasury: 
Internal Revenue Service: 
Commissioner: 
Washington, D.C. 20224: 

June 11, 2009: 

Mr. Steven J. Sebastian: 
Director: 
Financial Management and Assurance: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, D.C. 20548: 

Dear Mr. Sebastian: 

I am writing in response to the Government Accountability Office (GAO) 
draft report titled, IRS: Status of GAO Financial Audit and Related 
Financial Management Report Recommendations (GAO-09-514). 

As GAO noted in the report, IRS continues to make significant progress 
in improving our internal controls and financial management as 
evidenced by nine consecutive years of clean audit opinions on our 
financial statements. We are pleased that you acknowledged our progress 
in addressing our financial management challenges and agreed to close 
35 prior year financial management recommendations. 

We are committed to implementing appropriate improvements to ensure 
that the IRS maintains sound financial management practices. If you 
have any questions, please contact Alison Doone, Chief Financial 
Officer, at (202) 622-6400. 

Sincerely, 

Signed by: 

Douglas H. Shulman: 

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, the following individuals made 
major contributions to this report: William J. Cordrey, Assistant 
Director; Ray Bush; Stephanie Chen; Nina Crocker; Oliver Culley; 
Charles Ego; Doreen Eng; Charles Fox; Valerie Freeman; Ted Hu; Richard 
Larsen; Delores Lee; Gail Luna; Julie Phillips; John Sawyer; 
Christopher Spain; Cynthia Teddleton; Lien To; LaDonna Towler; and Gary 
Wiggins. 

[End of section] 

Footnotes: 

[1] Management is responsible for establishing and maintaining internal 
control to achieve the objectives of effective and efficient 
operations, reliable financial reporting, and compliance with 
applicable laws and regulations. See 31 U.S.C. ß 3512(c), (d), commonly 
known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA); 
see [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1], 
Standards for Internal Control in the Federal Government, at 4-5 
(November 1999). The actions required by agencies and individual 
federal managers includes taking proactive measures to develop and 
implement appropriate, cost-effective internal control for results-
oriented management; to assess the adequacy of internal control in 
federal programs and operations; to identify needed improvements; and 
to take corresponding corrective actions. 

[2] A material weakness is a significant deficiency, or combination of 
significant deficiencies, that results in more than a remote likelihood 
that a material misstatement of the financial statements will not be 
prevented or detected. A significant deficiency is a control 
deficiency, or combination of deficiencies, that adversely affects the 
entity's ability to initiate, authorize, record, process, or report 
financial data reliably in accordance with generally accepted 
accounting principles such that there is more than a remote likelihood 
that a misstatement of the entity's financial statements that is more 
than inconsequential will not be prevented or detected. A control 
deficiency exists when the design or operation of a control does not 
allow management or employees, in the course of performing their 
assigned functions, to prevent or detect misstatements on a timely 
basis. 

[3] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[4] The circular requires agencies and individual federal managers to 
take systematic and proactive measures to (1) develop and implement 
appropriate, cost-effective internal control for results-oriented 
management; (2) assess the adequacy of internal control in federal 
programs and operations; (3) separately assess and document internal 
control over financial reporting consistent with the process defined in 
appendix A of the circular; (4) identify needed improvements; (5) take 
corresponding corrective action; and (6) report annually on internal 
control through management assurance statements. 

[5] GAO, Internal Control Standards: Internal Control Management and 
Evaluation Tool, [hyperlink, http://www.gao.gov/products/GAO-01-1008G] 
(Washington, D.C.: August 2001). 

[6] GAO, Federal Information System Controls Audit Manual (FISCAM), 
[hyperlink, http://www.gao.gov/products/GAO-09-232G] (Washington, D.C.: 
February 2009). FISCAM contains guidance for reviewing information 
system controls that affect the security of computerized data. 

[7] GAO, Financial Audit: IRS's Fiscal Years 2008 and 2007 Financial 
Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119] 
(Washington, D.C.: Nov. 10, 2008). 

[8] GAO, Internal Revenue Service: Status of Financial Audit and 
Related Financial Management Report Recommendations, [hyperlink, 
http://www.gao.gov/products/GAO-08-693] (Washington, D.C.: July 2, 
2008). 

[9] GAO, Management Report: Improvements Are Needed to Enhance IRS's 
Internal Controls and Operating Effectiveness, [hyperlink, 
http://www.gao.gov/products/GAO-09-513R] (Washington, D.C.: June 24, 
2009). 

[10] We define short-term recommendations as those that we believe 
could be addressed within 2 years at the time we made the 
recommendation. We define long-term recommendations as those we 
expected to require 2 years or more to implement at the time we made 
the recommendation. 

[11] [hyperlink, http://www.gao.gov/products/GAO-09-119]. 

[12] Table 1 does not include the 11th control activity, "top-level 
reviews of actual performance," because we do not have any 
recommendations related to this internal control activity. 

[13] The vast majority of federal tax payments are made for both 
businesses and individuals via the Electronic Federal Tax Payment 
System. 

[14] Information security controls include electronic access controls, 
software change controls, physical security, segregation of duties, and 
service continuity. These controls are designed to ensure that access 
to data is appropriately restricted, only authorized changes to 
computer programs are made, physical access to sensitive computing 
resources and facilities is protected, computer security duties are 
segregated, and backup and recovery plans are adequate to ensure the 
continuity of essential operations. 

[15] GAO, Information Security: Continued Efforts Needed to Address 
Significant Weaknesses at IRS, [hyperlink, 
http://www.gao.gov/products/GAO-09-136] (Washington, D.C.: Jan. 9, 
2009). 

[16] Most refunds are generated automatically. However, under certain 
circumstances, IRS processes refunds manually to expedite payment. Such 
refunds include those over $10 million, those requested by taxpayers 
for immediate payment due to hardship or emergency, those to 
beneficiaries of deceased taxpayers, and those that need to be 
expedited because IRS is in jeopardy of paying interest for exceeding 
the 45-day limit for processing a return. 

[17] [hyperlink, http://www.gao.gov/products/GAO-09-119]. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAOís actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAOís Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: