This is the accessible text file for GAO report number GAO-14-433R entitled 'Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls' which was released on July 2, 2014. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-14-443R: United States Government Accountability Office: GAO: 441 G St. N.W. Washington, DC 20548: July 2, 2014: The Honorable John Koskinen: Commissioner of Internal Revenue: Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls: Dear Mr. Koskinen: In December 2013, we issued our report on the results of our audit of the financial statements of the Internal Revenue Service (IRS) as of, and for the fiscal years ending, September 30, 2013, and 2012, and on the effectiveness of its internal control over financial reporting as of September 30, 2013.[Footnote 1] We also reported our conclusions on IRS's compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements. In April 2014, we issued a report on information security issues identified during our audit, along with associated recommendations for corrective actions.[Footnote 2] The purpose of this report is to present internal control deficiencies identified during our audit of IRS's fiscal years 2013 and 2012 financial statements for which we do not already have any recommendations outstanding. Although most of these deficiencies were not discussed in our report on the results of our financial statement audit because they were not considered to be material weaknesses or significant deficiencies, they nonetheless warrant IRS management's attention.[Footnote 3] This report provides 17 recommendations to address the internal control issues we identified. This report also presents the status, as of September 30, 2013, of IRS's corrective actions taken to address our 60 previous recommendations that remained open at the end of the fiscal year 2012 audit.[Footnote 4] Results in Brief: During our audit of IRS's fiscal years 2013 and 2012 financial statements, we identified the following eight new internal control deficiencies, including the first item listed below that was included in our report on the results of our audit as a contributing factor to IRS's continuing significant deficiency in internal control over financial reporting systems as of September 30, 2013: * Monitoring of internal control at external service organizations. IRS did not obtain sufficient, appropriate evidence to conclude whether internal control at service organizations that were responsible for operating information systems affecting IRS's financial reporting was effective as of September 30, 2013. This hinders IRS's ability to reasonably assure the integrity and security of the financial data these service organizations process on behalf of IRS and could potentially lead to financial statement misstatements. * Processing of time cards. IRS's policies and procedures for time card approvals and follow-up of time card exceptions were not always effectively followed to reasonably assure that IRS employees' time cards were proper and that staff did not receive excess pay. This increases the risk that employees may be paid for hours they did not work. * Receipt and acceptance of goods and services. IRS did not adequately monitor receipt and acceptance transactions staff entered into its procurement system or provide adequate staff training to reasonably assure the accurate and timely recording of goods and services received. This increases the risk of IRS misstating expenses in its financial statements. * Asset acquisition and disposal process. IRS's controls were not effectively designed and implemented to reasonably assure that (1) assets acquired were timely and accurately recorded in its asset management system, (2) adequate documentation and approval were obtained prior to asset disposal, and (3) assets disposed of did not contain confidential taxpayer or sensitive information. These deficiencies increase the risk that (1) IRS managers may make operating decisions based on inaccurate or erroneous information, (2) lost or stolen government property may be undetected, and (3) taxpayer data or other sensitive information could be compromised. * Recording of installment agreement user fees. IRS did not have a formal process in place to estimate the financial statement impact of unrecorded installment agreement user fee revenue at year-end or criteria with which to measure the significance of this amount to objectively determine and document whether a year-end adjustment was necessary and, if so, to record an adjustment to reasonably assure that user fees received were properly reflected in its financial statements. These deficiencies increase the risk that IRS's year-end financial statements may be misstated. * Collection of installment agreement user fees. IRS's controls were not effectively designed to prevent or identify and resolve in a timely manner duplicate installment agreement user fees charged to and collected from taxpayers. Since IRS collects user fees by reclassifying existing tax payments as user fee payments, these duplicate user fees resulted in IRS's records erroneously showing the affected taxpayers owing additional taxes, thereby increasing taxpayer burden. * Refunds disbursed to deceased taxpayers. IRS did not have sufficient controls in place to reasonably assure that refunds disbursed on behalf of deceased taxpayers were valid prior to disbursement. This increases the risk that IRS may issue invalid refunds to deceased taxpayers and fraudulent refunds to identity thieves. * Deceased taxpayer representatives. IRS's controls were not operating effectively to reasonably assure that refunds were not disbursed to deceased taxpayers who did not have a personal representative or surviving spouse identified on their accounts to receive the refunds.[Footnote 5] This increases IRS's risk of issuing refunds to unauthorized individuals and fraudulent refunds to identity thieves. This report provides 2 new recommendations pertaining to the new control deficiency contributing to IRS's significant deficiency in internal control over financial reporting systems and 15 new recommendations related to the other identified deficiencies. These recommendations are intended to improve IRS's internal controls over its financial management and accountability of resources as well as bring IRS into conformance with its own policies, Standards for Internal Control in the Federal Government,[Footnote 6] or both. As of September 30, 2013, IRS had completed corrective action on 26 of the 60 recommendations from our prior financial audits and other financial management-related work that remained open at the beginning of fiscal year 2013. As a result, IRS currently has 51 recommendations that need to be addressed, which consists of the previous 34 open recommendations as well as the 17 new recommendations we are making in this report. Details on the status of each recommendation are included in enclosure I. Our recommendations related to IRS's information systems security are reported separately and not included here because of the sensitive nature of many of the control deficiencies that gave rise to the recommendations.[Footnote 7] We provided IRS with a draft of this report and obtained its written comments. In its comments, IRS agreed with all 17 of our new recommendations and described the actions it had taken, had under way, or planned to take to address the control deficiencies described in this report. In addition to its written comments, IRS provided technical comments on a draft of this report, which we incorporated as appropriate. At the end of our discussion of each of the issues in this report, we have summarized IRS's related comments and provided our evaluation. We have reprinted IRS's comments in their entirety in enclosure II. Scope and Methodology: This report addresses internal control deficiencies we identified during our audit of IRS's fiscal years 2013 and 2012 financial statements. As part of our financial statement audit, we tested IRS's internal control over financial reporting.[Footnote 8] We designed our audit procedures to test relevant controls, including those for proper authorization, execution, accounting, and reporting of transactions and for the safeguarding of assets and taxpayer information. In conducting the audit, we reviewed applicable IRS policies and procedures, observed operations, tested statistical and nonstatistical samples of transactions, examined relevant documents and records, and interviewed management and staff. Further details on our audit scope and methodology are provided in our December 2013 report on the results of our audit of IRS's fiscal years 2013 and 2012 financial statements.[Footnote 9] We performed our audit of IRS's fiscal years 2013 and 2012 financial statements in accordance with U.S. generally accepted government auditing standards. We believe our audit provided a reasonable basis for our conclusions in this report. Monitoring of Internal Control at External Service Organizations: During our fiscal year 2013 audit, we found that IRS did not obtain sufficient, appropriate evidence to allow it to adequately assess the effectiveness of internal control at three of the four service organizations IRS relied upon for significant aspects of its financial reporting. This hindered IRS's ability to reasonably assure the integrity and security of the financial data these service organizations process on behalf of IRS, which could potentially lead to financial statement misstatements. IRS utilizes service organizations for various aspects of processing and reporting financial transactions. For example, IRS forwards personnel and payroll information to the National Finance Center (NFC) to process its payroll. During fiscal year 2013, four service organizations each operated one or more automated information systems that were relevant and material to IRS's financial reporting.[Footnote 10] The implementation guide for the Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal Control (A-123 guide), specifies that such systems are considered to be part of an entity's information system.[Footnote 11] Consequently, IRS is responsible for assessing the extent to which it relies on the internal controls of its service organization and, where appropriate, monitoring the effectiveness of internal control over its financial reporting at service organizations.[Footnote 12] Effective monitoring requires that sufficient, appropriate evidence of the effectiveness of internal control over financial reporting at these entities be annually reviewed and assessed by IRS. To be sufficient, the evidence needs to reflect the current state of internal control at the service organization, and to either be prepared independently of service organization management or to be sufficiently validated by IRS personnel to assess its reliability. The A-123 guide states that agency management should coordinate with material service organizations to obtain an annual assurance statement that highlights key controls and the results of annual testing. The A-123 guide also requires the service organizations themselves to identify the major controls affecting the user entity and to coordinate the timing of the assessment and resulting assurance statement for appropriate reliance by the user entity. Accordingly, the objectives and timing of the service organization's assurance statement should be aligned with the user entity's annual assessment, which for IRS is September 30, its fiscal year-end. During fiscal year 2013, IRS took a series of steps to assess the effectiveness of internal control at its service organizations. IRS reviewed the Statement on Standards for Attestation Engagements No. 16 (SSAE No. 16) report prepared by NFC's auditor covering the period October 1, 2012, through July 31, 2013, and a subsequent letter from NFC's auditor that extended the auditor's assurance on the effectiveness of NFC's internal control through September 30, 2013. [Footnote 13] Consequently, IRS obtained and reviewed sufficient, appropriate evidence to enable a reasonable assessment of NFC's internal controls as of the end of the fiscal year. However, it was unclear how IRS addressed the user controls--controls that user organizations such as IRS are expected to have--identified in that report. NFC's SSAE No. 16 report included a list of user controls that were not included in the scope of NFC's internal control or the SSAE No. 16 report. This list alerted user entities such as IRS that they could not rely on the SSAE No. 16 report for assurance as to the effectiveness of the specific user internal controls listed. Since the user entities relying upon the report nevertheless remain responsible for the effectiveness of internal control over their financial reporting, it is incumbent upon each of them to review this list; determine which (if any) of the internal controls listed are relevant and significant to their financial reporting; and to the extent these controls are, verify that the entity has pertinent internal controls in place and operating effectively. We did not find evidence that IRS reviewed the list of user controls in NFC's SSAE No. 16 report and performed these related verification procedures. The other three service organizations did not have SSAE No. 16 reviews performed in fiscal year 2013.[Footnote 14] Consequently, for these organizations IRS (1) conducted on-site visits and (2) reviewed documentation of monitoring of internal controls provided by the service organizations. However, for these three service organizations, the evidence IRS gathered and reviewed was not sufficient for determining the effectiveness of internal control for the following reasons. * IRS conducted its on-site visits from February through May 2013 with most of the visits conducted in February. Since a significant amount of time passed between the completion of the visits and September 30, these visits were not sufficient to support the status of controls at the end of the fiscal year.[Footnote 15] * According to the workpapers IRS provided to us, the monitoring documentation IRS reviewed that was provided by the service organizations primarily reflected dates that ranged from June 2010 through April 2013, with most of the evidence dated prior to fiscal year 2013.[Footnote 16] Thus, the documentation did not provide sufficient evidence of the current state of internal control as of September 30, 2013. * It was unclear based on the documentation of these reviews whether the information IRS obtained and reviewed had been prepared independently of service organization management or, if not, whether it had been sufficiently validated by IRS to determine its reliability. IRS has taken steps to improve internal controls related to its service organizations. In our management report based on our audit of IRS's fiscal years 2011 and 2010 financial statements, we identified a number of deficiencies in IRS's process for monitoring internal control over service organizations and made related recommendations. [Footnote 17] For example, IRS had not identified the full range of financial reporting systems for which it relied on service organizations, assessed their materiality to financial reporting, or performed effective monitoring of these financial reporting systems as of the date of its A-123 assurance statement. Since that time, IRS has made significant progress in improving these important monitoring controls. Among other actions, IRS has (1) prepared inventories of its internal and external financial reporting systems and assessed the materiality of each; (2) conducted analyses to identify the controls, risks, and related mitigations and monitoring requirements for its significant financial processes; (3) reviewed monitoring documents from its service organizations and conducted on-site visits; and (4) developed standard operating procedures for external systems review that document policies and procedures governing how such reviews are to be conducted and the results documented, including requiring that external systems reviews be conducted as close as possible to the end of the fiscal year.[Footnote 18] However, IRS's new procedures do not require documented review of the user controls that are listed as the responsibility of the user entity in any SSAE No. 16 reports being relied upon to ensure that IRS has the appropriate related controls in place. In addition, in our fiscal year 2011 management report we recognized the importance of active service organization participation in and support of this process in order for it to succeed, and noted that it may be necessary to work with the service organizations to establish agreements that make appropriate provision for effective monitoring. [Footnote 19] This is important because both IRS and its service organizations have critical roles to play in the monitoring process. In order for it to be effective, there needs to be a mutual understanding of the roles and responsibilities of each party and recognition of the need for them to work collaboratively if they are to achieve a positive result. However, we found that the agreements between IRS and its service organizations in place during fiscal year 2013 did not address monitoring responsibilities consistent with the requirements each party is expected to adhere to under OMB Circular No. A-123, including providing IRS access to the service organization personnel, documents, facilities, or combination of these necessary to allow IRS to timely and effectively review the most recent annual SSAE No. 16 report (if available). Rather, they only specified that IRS would be notified if and when there were significant changes in the system or a security issue affecting the system was identified. However, such negative assurance does not meet the requirements of OMB Circular No. A-123 or provide IRS with the sufficient, appropriate evidence it needs to obtain reasonable assurance that internal control over financial reporting is effective. Absent written agreements between IRS and its service organizations documenting a mutual understanding of what is expected of each party and specifying that each agrees to fulfill its respective monitoring responsibilities under OMB Circular No. A-123, the risk that monitoring of internal control will not be effective is significantly increased. Although IRS has taken positive steps to improve internal controls over the transactions affected by the systems these service organizations operate, remaining deficiencies in IRS's monitoring of service organizations increase the risk that deficiencies in internal control over these systems may not be timely detected or corrected, thereby hindering IRS's ability to reasonably assure the integrity and security of the financial data these service organizations process for IRS and potentially leading to financial statement misstatements. Recommendations for Executive Action: To improve the effectiveness of its monitoring of internal control over external service organizations' operating information systems material to IRS's financial reporting, we recommend that you direct the appropriate IRS officials to take the following two actions: * Revise the service organization monitoring procedures to require, when using an auditor's report prepared in accordance with SSAE No. 16 to monitor internal control over financial reporting, clearly documenting that IRS appropriately (1) considered any user controls identified as not being included within the scope of the SSAE No. 16 report, (2) identified those user controls that are relevant and material to IRS, and (3) verified that either those controls or comparable, relevant user controls were in place and operating effectively at IRS. * For each service organization that is significant to IRS's financial reporting and related internal control and for which a current SSAE No. 16 report has not been prepared, establish a memorandum of understanding or agreement with the organization that requires (1) both parties to perform procedures that are consistent with the most current requirements of OMB Circular No. A-123 and (2) the service organization to provide IRS access to the organization's personnel, documents, facilities, or combination of these necessary to allow IRS to timely and effectively conduct its own monitoring procedures or review and validate the reliability of monitoring documentation prepared by organization management, as appropriate. Agency Comments and Our Evaluation: IRS agreed with our recommendations and stated that in May 2014, it revised the service organization monitoring procedures to require, when using an auditor's report prepared in accordance with SSAE No. 16 to monitor internal control over financial reporting, clearly documenting that IRS appropriately (1) considered any user controls identified as not being included within the scope of the SSAE No. 16 report; (2) identified those user controls that are relevant and material to IRS; and (3) verified that either those controls or comparable, relevant user controls were in place and operating effectively at IRS. IRS also stated that by December 2015, it will establish memorandums of understanding or agreements with the service organizations for which a current SSAE No. 16 report has not been prepared that require (1) both parties to perform procedures that are consistent with the most current requirements of OMB Circular No. A- 123 and (2) the service organization to provide IRS access to the organization's personnel, documents, facilities, or combination of these necessary to allow IRS to timely and effectively conduct its own monitoring procedures or review and validate the reliability of monitoring documentation prepared by organization management, as appropriate. IRS's actions, if effectively implemented, should address the issues that gave rise to our recommendations. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2014 financial statements and future audits. Processing of Time Cards: During our fiscal year 2013 audit, we found instances in which IRS employees submitted improper time cards and, as a result, received excess pay. Pursuant to federal personnel law and implementing Office of Personnel Management regulations and guidance, IRS policy provides that full-time employees are scheduled to work 80 hours each biweekly pay period; any hours worked beyond 80 are considered overtime (for eligible IRS employees) or credit hours.[Footnote 20] For each biweekly pay period, IRS employees, or designated staff, input time worked and any leave taken during the pay period to their electronic time cards in IRS's timekeeping system. At the close of each pay period, managers are to confirm the accuracy of all of the entries in each employee's time card and indicate their approval through an electronic signature in the timekeeping system. According to IRS's Posted Duty Hours Over 80 Desk Guide, following the managers' certification, but before transmitting the time cards to NFC for processing and payment, the timekeeping staff should review all time cards with over 80 hours recorded. IRS conducts this review to ensure that employees are receiving overtime pay or credit hours, as appropriate, for any hours worked in excess of 80. If any excess hours were not charged to overtime or credit hours, the timekeeping staff is to contact the time card approver to make corrections. In fiscal year 2013, IRS required employees to take scheduled furlough days because of budget cuts resulting from sequestration.[Footnote 21] On designated furlough days, IRS policy prohibited employees from performing IRS work activities and the employees were required to charge 8 hours to a special furlough code on their time cards. [Footnote 22] Therefore, in a pay period with a furlough day, full- time employees were required to charge no more than 72 regular hours and 8 furlough hours, thereby totaling 80 hours.[Footnote 23] However, during testing of a statistical sample of 109 payroll transactions, we found that during a pay period with a designated furlough day, two IRS employees recorded regular work hours and furlough hours that totaled 81 hours.[Footnote 24] In both instances, the supervisors had approved the time cards and the employees were paid for the excess hours. The overpayments to the employees occurred because two controls that should have prevented or detected these errors were not effectively carried out. First, both employees' managers did not identify the errors before approving the employees' time cards. IRS stated that both managers missed the excess hours because of human error. Second, although these two employees appeared in an exception report listing time cards with over 80 hours, the designated timekeeping staff did not follow up, confirm that these were errors, and make corrections. IRS officials stated that over 800 employees appeared on the exception report for the pay period, which they noted was an unusually high number in part because of the furlough, and that the timekeeping staff missed these two employees' accounts because of human error.[Footnote 25] This increases the likelihood that other employees, in addition to the two we identified in the sample, similarly recorded their time and attendance incorrectly during that pay period without detection. We also found that while IRS's Posted Duty Hours Over 80 Desk Guide provides instructions for timekeeping staff to review the exception report and resolve errors, it did not contain explicit instructions for identifying and correcting a time card when regular work hours and furlough hours combine to exceed 80 hours. Further, the Internal Revenue Manual (IRM)--which establishes policy--did not require such a review. After we brought these two exceptions to IRS's attention, IRS corrected the errors and took action to collect the overpaid hour from each of the two employees. Internal control standards require that internal controls should provide reasonable assurance regarding the prevention of or prompt detection of the unauthorized disposition of agency assets.[Footnote 26] This includes providing reasonable assurance that payments to employees for hours not worked are prevented or detected. Without effective time card controls, there is increased risk that employees may be paid for time that they did not work. In response to our finding, in September 2013, IRS revised its desk guide to provide an additional example of an incorrectly completed time card containing unpaid leave, which can be furlough hours or employee-initiated leave without pay, and what action the timekeeper should take. However, the added example did not provide explicit instructions on identifying and correcting a time card when regular work hours and furlough hours combine to exceed 80 hours. Without these explicit instructions, timekeeping staff may overlook cases in which employees record over 80 hours without also recording overtime or credit hours. Further, the complex scenarios and numerous rules cited in the desk procedures and our findings illustrate the need for both timekeeping staff and the supervisors who approve the employees' time cards to be aware of time and attendance policies. Recommendations for Executive Action: We recommend that you direct the appropriate IRS officials to take the following three actions: * Issue a reminder to employees responsible for approving time cards that they need to fully understand IRS policy regarding the number of regular work hours employees can record, particularly during pay periods with mandatory furlough hours, and their responsibility for enforcing the policy. * Establish a written requirement for timekeeping staff to complete a review of all time cards with over 80 hours before IRS transmits time cards to NFC for processing or immediately after so that errors can be timely identified and corrected. * Revise the desk procedures for the review of time cards with over 80 hours to include detailed guidance on what time charges are allowable for cases in which an employee has both furlough hours and paid hours in a pay period. Agency Comments and Our Evaluation: IRS agreed with our recommendations and stated that by September 2014, it will (1) issue a reminder to managers and employees responsible for time and attendance of their responsibility to review records for accuracy, ensure compliance with policy, and enforce IRS policy related to regular work hours authorized and when more than 80 hours of work is reported in a pay period and (2) establish a written requirement for timekeeping staff to complete a review of all time cards with over 80 hours before it transmits time cards to NFC for processing or immediately after to timely identify and correct errors. These actions, if effectively implemented, should address the issues that gave rise to our recommendations. Additionally, IRS stated that in April 2014, it updated the desk procedures for the review of time cards with over 80 hours to include detailed examples and explanations on what time charges are allowable for cases in which an employee has both furlough hours and overtime in a pay period. As noted in our report, however, the exceptions we noted were not limited to instances when both furlough hours and overtime hours occurred in the same pay period. We will review IRS's revised desk procedures to determine whether they provide sufficient guidance for identifying potential errors when an employee has both furlough hours and regular paid hours that exceed 80 hours in a pay period, and evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2014 financial statements. Receipt and Acceptance of Goods and Services: During our fiscal year 2013 audit, we found that IRS staff did not always enter the receipt and acceptance of goods and services accurately or timely into its Integrated Procurement System (IPS). [Footnote 27] Specifically, we found that IRS staff did not always enter the correct dollar amount of goods or services received and accepted, the correct dates of receipt and acceptance, or receipt and acceptance into IPS--and thus record the expense--until months after the expense occurred. Because both the dollar amount of receipt and acceptance entered and the date of entry affect the value and timing of recorded expenses, it is important for IRS to timely and accurately record receipt and acceptance amounts and dates to reasonably assure that recorded expenses are valid, complete, and reported accurately in IRS's financial statements.[Footnote 28] All purchase requisitions that go through IRS's Office of Procurement are assigned to a contracting officer (CO). Although the CO is responsible for the acceptance of goods and services, a CO may assign a contracting officer's representative (COR) to perform certain tasks, such as obtaining and maintaining documentation that supports the receipt of purchased goods and services and recording receipt and acceptance in IPS. Although it is generally the CORs who perform receipt and acceptance after verifying with the appropriate end user that the goods or services were satisfactorily received, in some instances end users with IPS access are responsible for entering receipt and acceptance directly.[Footnote 29] IRS's IRM requires that designated IRS staff enter into IPS (1) receipt at the time of delivery of the goods or completion of services and (2) acceptance no later than the seventh calendar day after receipt has occurred, unless the contract specifies a longer time frame or there are unresolved issues with the goods or services.[Footnote 30] During our testing of a statistical sample of 84 nonpayroll expenses, we noted 4 instances in which IRS did not enter receipt and acceptance into IPS accurately or timely in accordance with the IRM.[Footnote 31] Specifically, we found the following: * IRS entered receipt and acceptance for the wrong amount. IRS received two invoices that totaled $3.6 million but the COR entered a receipt and acceptance amount of $5.1 million, which was the full amount of the obligation, even though all of the goods and services had not yet been received.[Footnote 32] IRS was not aware of the error until 2 months later when it received the third invoice and discovered that no remaining funds were available on the obligation. * IRS entered receipt and acceptance twice for the same service. This occurred because IRS erroneously created two contract line items for the same monthly service, and thus the end user recorded the receipt and acceptance amount and date twice--once under each contract line item--for the same month. This also resulted in recording the expense twice. IRS was unaware these errors occurred until we brought them to its attention. * IRS entered receipt and acceptance with the wrong date. IRS received an invoice on February 26, 2013, but the COR erroneously entered a receipt and acceptance date of February 26, 2012. When we inquired about this, IRS officials initially stated the COR made a typographical error and should have entered a receipt and acceptance date of February 26, 2013. However, the invoice was for fees associated with the partial termination of a contract that ended June 14, 2012. Consequently, neither the invoice receipt date nor the receipt and acceptance date the COR entered were correct. After further inquiry, IRS confirmed that the receipt and acceptance date should have been June 14, 2012. * IRS did not enter receipt and acceptance timely for services rendered. In one case, the responsible end user did not enter the receipt and acceptance amount and date for services until 8 months after the services were received. According to IRS, this occurred because the COR told the end user not to perform receipt and acceptance for services until notified by the Beckley Finance Center. [Footnote 33] However, IRS could not explain the reason for the delay. The IRM requires the Office of Procurement to (1) establish and monitor the functions of the COs and CORs, as they relate to receipt and acceptance, and (2) train employees on their responsibilities as they relate to the procurement process, including the receipt and acceptance process and documentation requirements.[Footnote 34] However, when we inquired what procedures or controls IRS had established to carry out the monitoring requirement in the IRM, Office of Procurement officials stated that they did not have such monitoring procedures in place. In addition, the IRM monitoring requirement did not extend to end users who are responsible for entering receipt and acceptance on behalf of a CO or COR. Further, while IRS provides mandatory training to all employees who are granted IPS access to perform receipt and acceptance, the training did not include specific instructions for determining the proper dates and amounts to enter for receipt and acceptance.[Footnote 35] Internal control standards require that (1) agencies implement internal control procedures to ensure the accurate and timely recording of transactions, (2) agencies ensure that all personnel possess and maintain a level of competence that allows them to accomplish their assigned duties as well as understand the importance of developing and implementing good internal controls, and (3) internal controls generally be designed to assure that ongoing monitoring occurs in the course of normal operations.[Footnote 36] Without effective monitoring and training, IRS staff may not always record proper receipt and acceptance dates and amounts or record receipt and acceptance timely in accordance with IRS policy, and managers may not detect such problems. In turn, this increases IRS's risk of misstating expenses in its financial statements. Recommendations for Executive Action: We recommend that you direct the appropriate IRS officials to take the following three actions: * Update the IRM to require monitoring the functions of all staff as they relate to receipt and acceptance functions, including applicable end users. * Establish and implement written procedures for the Office of Procurement to monitor the receipt and acceptance functions of all staff who perform receipt and acceptance. Such monitoring should include reviewing the accuracy and timeliness of receipt and acceptance dates and amounts. * Enhance existing mandatory training for all employees who are granted IPS access to perform receipt and acceptance to include specific instructions for determining the appropriate dates and amounts to enter for receipt and acceptance in IPS. Agency Comments and Our Evaluation: IRS agreed with our recommendations and stated that by July 2015, it will update the IRM to require monitoring the functions of all staff as they relate to receipt and acceptance functions, including applicable end users, and will establish and implement written procedures for the Office of Procurement to monitor the accuracy and timeliness of the receipt and acceptance functions, including dates and amounts, of all staff who perform receipt and acceptance. Additionally, IRS stated that by April 2015, it will enhance existing mandatory training for all employees who are granted IPS access to perform receipt and acceptance to include specific instructions for determining the appropriate dates and amounts to enter for receipt and acceptance in IPS. IRS's actions, if effectively implemented, should address the issues that gave rise to our recommendations. We will evaluate the effectiveness of IRS's efforts during future audits of IRS's financial statements. Asset Acquisition and Disposal Process: During our fiscal year 2013 audit, we found several instances where IRS's internal controls over its asset acquisition and disposal processes were ineffective. IRS uses the Knowledge, Incident/Problem, Service Asset Management (KISAM) system to track its information technology (IT) and non-IT equipment from acquisition to disposal. [Footnote 37] IRS uses a separate asset management system, the Criminal Investigation Management Information System (CIMIS), to track and record its investigative equipment and vehicles.[Footnote 38] The IRM requires that designated IRS staff update the appropriate asset management system within 10 workdays of the date an asset is received, moved, or transferred.[Footnote 39] For example, when a new IT asset is delivered to IRS, the local IT personnel responsible for receipt of the physical asset are to update KISAM to reflect the asset received within 10 workdays of the receipt date. To update the record in KISAM, the IT personnel will either change the status of the skeletal record in the asset management system or create a new record and manually input the asset data into the asset management system.[Footnote 40] Similarly, when an asset is disposed of, its final disposition status must also be entered into the corresponding asset management system within 10 workdays of the disposal action. This should occur after the appropriate disposal forms have been completed and approved and any equipment containing hard drives have been wiped clean of proprietary software and taxpayer data. The IRM also requires that (1) proper disposal codes be used to document the method of asset removal from active inventory,[Footnote 41] (2) the CIMIS equipment coordinator submit the required disposal documentation prior to placing a vehicle into final disposal in CIMIS,[Footnote 42] and (3) the hard drives of IT equipment be completely overwritten and a statement added to the disposal form to certify that all sensitive information has been removed and verified.[Footnote 43] During our fiscal year 2013 audit, we tested a nonstatistical selection of 10 asset purchases and 10 asset disposals and found 8 instances where IRS's controls were not effective in reasonably assuring the accuracy of recorded asset data and proper asset disposal information.[Footnote 44] Specifically we found the following: * Five instances where the asset records in KISAM were not accurately or timely recorded. There were two assets that IRS received in September 2012 and November 2012 that were not recorded in KISAM until February 2013 and March 2013, respectively. This occurred because the Enterprise Operations unit (EOps) responsible for receiving the shipment did not have proper access in KISAM to record these assets. [Footnote 45] Additionally, two disposed assets were recorded in KISAM with the incorrect final disposition status. One was recorded in KISAM as disposed of via abandonment/destruction and the other was recorded as to be provided to the General Services Administration (GSA) for donation to a third party.[Footnote 46] However, IRS transferred both assets to a nonprofit educational organization. IRS stated that these disposals were coded in error. We also identified an instance where the KISAM purchase price of an asset was recorded at more than $100,000 over the invoice purchase price. This occurred because IRS staff recorded an estimated price of the asset in KISAM instead of the asset's price from the electronic packing slip, contrary to IRS's standard operating procedures.[Footnote 47] Although the dollar amounts in IRS's financial statements come from its general ledger system rather than KISAM, inaccurate data in KISAM nonetheless limit its usefulness as a management tool. * Two instances where assets were disposed of prior to the completion or proper approval of the required disposal forms. Specifically, a Criminal Investigation unit leased vehicle was returned to the dealership in March 2013, but the appropriate disposal form was not completed and approved until April 2013. In another instance, the official who signed the disposal approval form, which he was not authorized to approve, also recorded the disposal of the asset in KISAM. IRS acknowledged that the official should not have signed as the approver. IRS could not explain why the staff involved did not follow procedures in these instances. * One instance where IRS disposed of an asset that contained a hard drive without ensuring that the sensitive taxpayer information within the hard drive was appropriately destroyed or removed. Specifically, IRS was not able to provide documentation to support that the hard drive had been wiped clean. Internal control standards require that agencies (1) implement internal control procedures to ensure the accurate and timely recording of transactions and events, (2) promptly record transactions to maintain their relevance and value to management in controlling operations and making decisions, (3) authorize and execute transactions and other significant events only by persons acting within the scope of their authority, and (4) divide or segregate key duties and responsibilities among different people to reduce the risk of error or fraud.[Footnote 48] While IRS has policies and procedures governing the acquisition and disposal of assets, the responsible staff did not always follow them. In addition, IRS acknowledged that modifications to current EOps processes are needed to reasonably assure the timely recording of all IT assets, such as providing requisite permissions to certain EOps staff to enable them to directly update KISAM. Until IRS addresses these deficiencies, there is increased risk that (1) IRS managers may make operating decisions based on inaccurate or erroneous information, (2) government property may be lost or stolen and not be detected, and (3) taxpayer data or other sensitive information could be compromised. Recommendations for Executive Action: We recommend that you direct the appropriate IRS officials to take the following two actions: * Issue a memorandum to all business units reminding them of the existing policies and procedures that are intended to reasonably assure that (1) asset records are timely and accurately recorded, (2) approval is obtained prior to the disposal of assets and only approved by those properly authorized to do so, and (3) hard drives of disposal assets are wiped clean of sensitive information prior to the disposition. * Update EOps policies and procedures as necessary, which may include providing requisite permissions to certain EOps staff to enable them to directly update KISAM, to reasonably assure that assets received are recorded in the asset management systems within 10 workdays as required by the IRM. Agency Comments and Our Evaluation: IRS agreed with our recommendations and stated that by September 2014, it will issue a memorandum to all business units reminding them of the existing policies and procedures that are intended to reasonably assure that (1) asset records are timely and accurately recorded, (2) approval is obtained prior to the disposal of assets and only approved by those properly authorized to do so, and (3) hard drives of disposal assets are wiped clean of sensitive information prior to the disposition. IRS also stated that in May 2014, it expanded the EOps server role (user access profile) in KISAM to provide staff with this profile the ability to add, record, and receive EOps equipment asset records in KISAM concurrent with the inventory event. Additionally, IRS stated that by December 2014, it will update its policies and procedures to require EOps inventory staff to report all inventory events within 10 days of the transaction. IRS's actions, if effectively implemented, should address the issues that gave rise to our recommendations. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2014 financial statements and future audits. Recording of Installment Agreement User Fees: During our fiscal year 2013 audit, we found that IRS did not adjust its accounting records for installment agreement (IA) user fee revenue that IRS had earned and collected but not yet recorded by the end of the fiscal year. According to IRS officials, they had determined that the financial statement impact was immaterial. However, we found that IRS's informal assessment had not considered the potential impact of unrecorded IA user fees on its fund balance with Treasury account, leading to a $33 million understatement to that account in its fiscal year 2013 financial statements.[Footnote 49] Additionally, we found that IRS did not have a formal process in place to estimate the financial statement impact of unrecorded IA user fees or criteria with which to measure the significance of this amount to objectively determine and document whether an adjustment was necessary and, if so, to record an adjustment. IRS allows taxpayers to enter into IA arrangements to satisfy their tax debts when a taxpayer is unable to pay the amount owed in full. [Footnote 50] Under such arrangements, IRS agrees to let taxpayers pay their tax liabilities in installments over a specified period of time in exchange for a user fee taken out of the taxpayer's first installment payment.[Footnote 51] IRS initially records the entire amount of the installment payment as tax revenue in its Integrated Data Retrieval System (IDRS).[Footnote 52] According to IRS officials, this is done to simplify the process for recording the user fee portion separately from tax. Once a week, IRS runs an automated program called the IA User Fee Sweep to determine if taxpayers with IA arrangements have made sufficient payment to cover the amount of the user fee owed and, if so, reclassify the amount of the IA user fee owed from a tax payment to a user fee payment in the taxpayer's account in IDRS.[Footnote 53] Although the program is run weekly, it takes approximately 5 weeks to reclassify such payments. According to IRS officials, this lag is necessary to record the tax payment and to ensure that the payment does not get reversed (e.g., as a result of a taxpayer writing a check with insufficient funds) before it is reclassified as user fee revenue. As a result of this 5-week delay, user fees collected during the last 5 weeks of the fiscal year are not recorded as user fee revenue and cash collections until the following fiscal year. Similarly, user fee revenue and cash collections recorded during the first 5 weeks of the fiscal year were actually earned and collected in the previous fiscal year. Depending on the amounts that cross fiscal years, user fee revenue, reported as exchange revenue on the financial statements, is either overstated or understated. [Footnote 54] However, the corresponding cash collected, which is reported under fund balance with Treasury on the financial statements, is understated by the entire amount of fees that have been collected but not yet recorded as cash by the end of the fiscal year.[Footnote 55] Using actual user fee collection data provided by IRS for the current and prior fiscal years, we performed a trend analysis and estimated that IRS collected $33 million of IA user fees that had not been recorded as user fee revenue and cash by the end of fiscal year 2013. Thus, we determined that the potential impact to the fiscal year 2013 ending balance reported for fund balance with Treasury on IRS's Balance Sheet was a $33 million understatement. This understatement was not corrected until early fiscal year 2014 when IRS eventually reclassified the fees collected in fiscal year 2013 from tax revenue to user fee revenue as a result of the automated sweep process. We also determined that the potential net impact to the fiscal year 2013 balance reported for exchange revenue on IRS's Statement of Net Cost was a $6 million overstatement, after accounting for the impact of the collections recorded during fiscal year 2013 that had been collected in fiscal year 2012.[Footnote 56] Statement of Federal Financial Accounting Standards No. 7 establishes that when services are provided to the public, revenue should be recognized when the services are performed.[Footnote 57] Internal control standards state that federal agencies should promptly record transactions to maintain their relevance and value to management in controlling operations and making decisions.[Footnote 58] The standards further state that control activities should help to ensure that all transactions are completely and accurately recorded. Absent such controls, IRS is at increased risk of misstatements on its financial statements. Recommendations for Executive Action: We recommend that you direct the appropriate IRS officials to take the following two actions: * Establish and document objective criteria for determining materiality for the purpose of determining whether to record an adjustment for IA user fees collected but not yet recorded as exchange revenue or cash in IRS's fund balance with Treasury in IRS's accounting records by fiscal year-end. * Establish and implement written procedures for (1) estimating the potential financial statement impact of IA user fees collected but not yet recorded as exchange revenue or cash in IRS's accounting records by fiscal year-end, (2) comparing the potential impact against established materiality criteria, and (3) making an adjustment in IRS's accounting records for the amount of the potential impact if it meets or exceeds the established criteria for recording such an adjustment. Agency Comments and Our Evaluation: IRS agreed with our recommendations and stated that by September 2014, it will establish and document objective criteria for determining materiality to determine whether to record an adjustment for IA user fees collected but not yet recorded as exchange revenue or cash in IRS's fund balance with Treasury in IRS's accounting records by fiscal year-end. Also by September 2014, IRS stated that it will establish and implement written procedures for (1) estimating the amount of IA user fees collected but not yet recorded as exchange revenue or cash in IRS's accounting records by fiscal year-end, (2) determining a materiality amount for assessing uncorrected misstatements in the financial statements using established criteria, and (3) determining if an adjustment is required in IRS's accounting records for the amount of the potential impact if it meets or exceeds the established criteria for recording such an adjustment. IRS's actions, if effectively implemented, should address the issue that gave rise to our recommendations. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2014 financial statements. Collection of Installment Agreement User Fees: During our fiscal year 2013 audit, we found that IRS erroneously charged and collected duplicate IA user fees from 76 taxpayers that had agreements with IRS to pay their tax liabilities in installments. In fiscal year 2013, IRS generally charged taxpayers a $105 fee to enter into a new installment agreement.[Footnote 59] As discussed above, IRS initially records all installment payments in IDRS as tax payments, then subsequently transfers or reclassifies a portion to user fee payments to cover fees owed. According to the IRM, IA user fees are to be recorded systemically by the IA user fee sweep program and employees are not to enter them manually except under special circumstances, such as when the taxpayer specifically requests to pay the user fee or the agreement is manually monitored by IRS.[Footnote 60] For our fiscal year 2013 audit, IRS provided us data extracts of IA user fee transactions from its master files for the period from October 1, 2012, through June 30, 2013.[Footnote 61] In reviewing these data extracts, we identified 76 transactions with a dollar amount that exceeded the $105 maximum IA user fee rate in effect at the time. After we brought this to the attention of IRS officials, they investigated these transactions and informed us that IRS erroneously recorded and thus charged duplicate IA user fees in all 76 instances. According to an IRS official, these duplicate charges resulted from either (1) an IRS employee manually transferring a payment from tax payments to user fee payments in a taxpayer's account in which a user fee had already been recorded either by another employee or the sweep program to cover the fee owed or (2) an employee manually transferring a payment without properly changing the status of the fee in IDRS from unpaid to paid, thus resulting in the sweep program automatically transferring another payment to cover the fee owed. Internal control standards state that an agency's internal control should provide reasonable assurance that transactions are accurately recorded.[Footnote 62] However, an IRS official said that IRS did not have controls that would have allowed it to prevent or detect these errors. The official also said that some employees may not have properly followed IRS procedures to allow the sweep program to systemically record the fee rather than manually entering it in IDRS. Since the recording of an IA user fee, whether automatically or manually, results in IRS charging and collecting the fee, the 76 duplicate fees recorded by IRS resulted in the affected taxpayers paying the same fee twice. Additionally, since IRS records a fee by reversing a tax payment and reclassifying it as a user fee payment, IRS records erroneously showed that the affected taxpayers owed additional taxes, increasing taxpayer burden. Although IRS officials told us that these taxpayers receive periodic notices of the amounts they paid to IRS--and could have reviewed the notices and detected the duplicate fees themselves--IRS should have internal controls in place to help it identify errors rather than relying on taxpayers to identify them. After we informed IRS of this issue, an IRS official said that IRS investigated and corrected all 76 errors and issued an alert to remind employees of IRS's existing policies specifying the limited circumstances in which an IA user fee should be manually processed. However, without establishing and implementing controls that will allow it to prevent or timely detect and correct these errors in the future, IRS is likely to continue overcharging some taxpayers for IA user fees owed without detection, thus increasing taxpayer burden. Recommendation for Executive Action: We recommend that you direct the appropriate IRS officials to establish and implement procedures to periodically review master file data extracts of installment agreement user fee transactions to identify and investigate potential duplicate installment agreement user fees charged to taxpayers and make timely corrections. Agency Comments and Our Evaluation: IRS agreed with our recommendation and stated that by September 2014, it will perform a review of IA user fee master file data extracts to identify and investigate potential duplicate IA user fees charged to taxpayers and make timely corrections for fiscal year 2014. IRS also stated that by December 2014, it will establish, document, and implement procedures to periodically review IA user fee master file data extracts to identify and investigate potential duplicate IA user fees charged to taxpayers and make timely corrections. IRS's actions, if effectively implemented, should address the issue that gave rise to our recommendation. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2014 financial statements and future audits. Refunds Disbursed to Deceased Taxpayers: During our fiscal year 2013 audit, we found numerous instances in which IRS disbursed invalid refunds to deceased taxpayers.[Footnote 63] Specifically, based on our review of a sample of 67 suspicious refunds disbursed to deceased taxpayers during fiscal year 2013, we found that 52 of the refund claims, or 78 percent, were invalid. [Footnote 64] Of the 52 invalid refund claims, the majority (43 refunds, or 83 percent) were processed by units in the Submission Processing (SP) organization.[Footnote 65] In these instances, we found the examiners in the SP units did not follow policies and procedures to review the refund claims filed. Further, after we provided these invalid refunds to IRS for investigation, it concluded that 20 of the 43 invalid refunds processed by SP units appeared to be the result of identity theft. The Social Security Administration (SSA) provides IRS with weekly updates on individual deaths. During our fiscal year 2012 audit, we found that IRS did not have effective controls in place to reasonably assure that the death information provided by SSA was used to reflect the taxpayers' deceased status in IRS's records.[Footnote 66] In response, in fiscal year 2013, IRS established a computer program that routinely performs a comparison of date of death information between SSA and the master files. If there is a discrepancy, the computer program automatically adjusts the taxpayer's account in the master files to reflect the deceased status and closes the account to prevent any automated refunds from being issued.[Footnote 67] Tax returns submitted using a deceased taxpayer's Social Security number whose account reflects a deceased status indicator are rejected by IRS's automated tax processing system and forwarded to an SP unit for further review. IRS's policies and procedures require examiners in the SP units to review these deceased taxpayers' returns for errors and validity and make the appropriate corrections prior to further processing.[Footnote 68] For example, errors may include filing an incorrect tax form or using an incorrect filing status.[Footnote 69] Further, the SP examiners are required to perform additional reviews and procedures to identify fraudulent returns filed on behalf of deceased taxpayers, such as requesting additional documentation to support the taxpayers' deceased status and other return information.[Footnote 70] IRS's policies and procedures allow the examiners to reopen the closed taxpayer accounts to process refund claims and require the examiners to subsequently close the accounts after processing the refund.[Footnote 71] Although these policies and procedures exist, examiners in the SP units did not always follow them. For example, we found that the examiners did not always perform research to validate the deceased status of a taxpayer before processing the submitted tax return, which, in some cases, resulted in issuing refunds to identity thieves posing as the deceased taxpayers. Similarly, examiners processed refund claims based on incorrect tax forms filed as well as inappropriate filing status claims that did not meet tax rules for deceased taxpayers. IRS officials stated that these errors were due to human error on the part of the examiners. We reviewed the training manuals used by examiners in various SP units during fiscal year 2013 and found that the training manuals did not include sufficient guidance for processing refund claims filed on behalf of deceased taxpayers. For example, only certain tax forms may be used to file a refund claim on behalf of a deceased taxpayer, but the training did not include instructions for the examiners to ensure that a correct tax form was filed before processing a refund claim associated with a deceased taxpayer. Further, we found that for 3 of the invalid claims, the examiners reopened the associated taxpayer accounts but did not subsequently close them after the refund claims were processed, thus leaving the accounts vulnerable to further invalid claims and potential identity theft. This occurred because IRS did not have procedures requiring (1) a review process to ensure that the accounts related to deceased taxpayers were only reopened for valid refunds and (2) monitoring to ensure that accounts related to deceased taxpayers that were reopened were timely closed after processing the refund. Internal control standards state that controls should serve as the first line of defense in preventing and detecting errors and fraud, and that control activities should be in place and be properly applied so that only valid transactions are processed.[Footnote 72] However, the control deficiencies we found concerning the processing of tax returns related to deceased taxpayers increase the risk of IRS issuing erroneous refunds to deceased taxpayers and fraudulent refunds to identity thieves. Subsequent to our fiscal year 2013 audit, IRS updated some of the training manuals used by the SP units to include additional guidance on the processing of refund claims filed on behalf of deceased taxpayers. However, we found that the updated training manuals still did not include, for example, instructions for examiners to ensure that a correct tax form was filed before processing a refund claim on behalf of a deceased taxpayer. This increases the risk that invalid refunds will continue to be disbursed. Recommendations for Executive Action: We recommend that you direct the appropriate IRS officials to take the following three actions: Update the training manuals and related training provided to Submission Processing examiners to ensure that the examiners are provided proper guidance for correctly processing refund claims associated with deceased taxpayers. * Establish and implement policies and procedures requiring a review process to reasonably assure that the accounts related to deceased taxpayers are only reopened for valid refunds. * Establish and implement policies and procedures that require monitoring to reasonably assure that accounts related to deceased taxpayers that have been reopened are timely closed after processing the refund. Agency Comments and Our Evaluation: IRS agreed with our recommendations and stated that by December 2014, it will update the training manuals and related training provided to Submission Processing examiners to ensure that the examiners are provided proper guidance for correctly processing refund claims associated with deceased taxpayers. To address the remaining two recommendations, IRS stated that it has taken or will take the following four actions: (1) revised and improved its review process in November 2013 to identify and lock the accounts of deceased individuals; (2) established and implemented policies and procedures in February 2014 that require monitoring to reasonably assure that reopened accounts related to deceased taxpayers are timely closed after processing refund claims or other account action; (3) by September 2014, initiate periodic reminders to appropriate employees stressing the importance of performing requisite account monitoring and completing closing actions timely; and (4) by September 2016, complete testing and evaluating the effectiveness of these processes. IRS's actions, if effectively implemented, should address the issues that gave rise to our recommendations. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2014 financial statements and future audits. Deceased Taxpayer Representatives: During fiscal year 2013, IRS disbursed refunds to deceased taxpayers who did not have a personal representative or a surviving spouse named on their accounts as the authorized recipients of these refunds. Most refunds are generated automatically by IRS's automated systems after the taxpayers' returns are posted to their accounts in the master file. However, in situations involving a tax return filed on behalf of a deceased taxpayer, the IRM requires that overpayment returns filed by anyone other than the surviving spouse be accompanied by appropriate documentation that names the personal representative who is authorized to receive the refund, such as a Form 1310, Statement of Person Claiming Refund Due a Deceased Taxpayer, or a certificate showing a court appointment.[Footnote 73] The IRM also requires that staff update the deceased taxpayer's account in the master file to agree with the information on the Form 1310 or court certificate. When processing returns covering the tax year in which the taxpayer died, the IRM requires that a personal representative or a surviving spouse (representative) be listed on a deceased taxpayer's account before disbursing an automated refund on behalf of the deceased taxpayer to ensure that the refund is issued to the correct person. According to the IRM, when there is no representative named on the deceased taxpayer's account, IRS is required to take additional actions to identify and name a representative on the account.[Footnote 74] During our review of a statistical sample of 161 refunds disbursed to deceased taxpayers in fiscal year 2013, we found that IRS issued 20 refunds to 15 deceased taxpayers with no representatives named on the deceased taxpayers' accounts.[Footnote 75] One of these refunds occurred because IRS did not follow its procedures requiring staff to identify and name a representative on the deceased taxpayer's account when one was not listed. For the other 19 refunds, the IRM did not specifically require the staff to identify and name a representative on the account because these particular refunds pertained to tax years prior to the taxpayers' year of death, and the IRM only addressed situations when processing returns covering the tax year in which the taxpayer died. However, regardless of the taxpayer's year of death, the risk of disbursing a refund to an unauthorized recipient is the same. Furthermore, we found that 9 of these 19 refunds, as well as the 1 refund that pertained to the tax year of the taxpayer's death, were undeliverable and reissued as many as three times.[Footnote 76] Internal control standards provide that internal control should be designed to provide reasonable assurance regarding the prevention of or prompt detection of unauthorized use or disposition of assets. By not establishing and enforcing procedures to prevent refunds from being disbursed to deceased taxpayers with no representative named on their accounts, IRS increases the risk that (1) a refund made on behalf of a deceased taxpayer will be received by an unauthorized representative and (2) fraudulent refunds could be issued to identity thieves. After we provided the results of our tests to IRS, IRS updated the IRM in April 2014 to require that when there is no representative named on the deceased taxpayer's account and a tax return is filed on behalf of the deceased taxpayer for tax years prior to the taxpayer's year of death, additional procedures must be followed to identify and name a representative on the deceased taxpayer's account.[Footnote 77] We commend IRS for taking prompt action to address this deficiency. However, to further reduce the risks, it is important that IRS ensure that responsible staff follow the established procedures. We will assess the effectiveness of IRS's revised procedures during our fiscal year 2014 audit. Recommendation for Executive Action: We recommend that you direct the appropriate IRS officials to issue a memorandum to IRS staff reminding them of the requirements and the procedures to follow to ensure that a representative is listed on a deceased taxpayer's account before issuing a refund on the account. Agency Comments and Our Evaluation: IRS agreed with our recommendation and stated that by September 2015, it will issue a memorandum to IRS staff reminding them of the requirements and the procedures to follow to ensure that a representative is listed on a deceased taxpayer's account before issuing a refund on the account so that refunds issued on behalf of decedents are paid to an authorized representative or entity. IRS's actions, if effectively implemented, should address the issue that gave rise to our recommendation. We will evaluate the effectiveness of IRS's efforts during future audits of IRS's financial statements. Status of Open Recommendations: IRS has continued to work to address many of the control deficiencies related to open recommendations from our prior financial audits and other financial management-related work.[Footnote 78] At the beginning of our fiscal year 2013 financial audit, there were 60 recommendations to improve IRS's financial operations and internal controls from prior year audits that we reported as open in our status of recommendations in the management report issued in May 2013.[Footnote 79] In the course of performing our fiscal year 2013 financial audit, we identified numerous actions IRS took to address many of the previously identified control deficiencies. On the basis of IRS's actions taken through September 30, 2013, which we were able to substantiate through our audit, we are closing 26 of these recommendations. Consequently, a total of 51 recommendations need to be addressed--34 remaining from our prior years' audits and the 17 new recommendations we are making in this report. See enclosure I for more details on our assessment of the status of IRS's actions to address our prior year recommendations. This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on these recommendations. You should submit your statement to the Senate Committee on Homeland Security and Governmental Affairs and to the House Committee on Oversight and Government Reform within 60 days of the date of this report. A written statement must also be sent to the House and Senate Committees on Appropriations with the agency's first request for appropriations made more than 60 days after the date of this report. Furthermore, to ensure that GAO has accurate, up-to-date information on the status of your agency's actions on our recommendations, we request that you also provide us with a copy of your agency's statement of actions taken on open recommendations. Please send your statement of actions to me or Doreen Eng, Assistant Director, at engd@gao.gov. This report is intended for use by the management of IRS. We are sending copies to the Chairmen and Ranking Members of the Senate Committee on Appropriations, Senate Committee on Finance, Senate Committee on Homeland Security and Governmental Affairs, House Committee on Appropriations, House Committee on Ways and Means, and House Committee on Oversight and Government Reform, and to the Chairman and Vice-Chairman of the Senate Joint Committee on Taxation. We are also sending copies to the Secretary of the Treasury, the Director of the Office of Management and Budget, and the Chairman of the IRS Oversight Board. In addition, the report is available at no charge on GAO's website at [hyperlink, http://www.gao.gov]. We acknowledge and appreciate the cooperation and assistance provided by IRS officials and staff during our audits of IRS's fiscal years 2013 and 2012 financial statements. If you or your staff have any questions about this report, please contact me at (202) 512-9377 or clarkce@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in enclosure III. Sincerely yours, Signed by: Cheryl E. Clark: Director: Financial Management and Assurance: Enclosures - 3: [End of section] Enclosure I: Status of Recommendations That Were Open at the Beginning of GAO's Audit of the Internal Revenue Service's (IRS) Fiscal Year 2013 Financial Statements: GAO/AIMD-99-16[Footnote 80]: Controls over unpaid tax assessments - trust fund recovery penalty. ID no.: 99-01; Recommendation: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received; Action taken: IRS has taken a number of actions over the years to identify and eliminate duplicate assessments related to unpaid payroll taxes and trust fund recovery penalties (TFRP) that have already been paid. These corrective actions include implementing a computer system to automatically credit related taxpayer accounts for payments received, performing special reviews to correct errors in TFRP accounts, and formalizing quarterly testing of TFRP payment processing to identify and address the root cause of errors and delays in reducing the balance of duplicate assessments. Based on testing performed as part of our fiscal year 2013 audit, we concluded that IRS has implemented controls to effectively identify and eliminate, on an ongoing basis, duplicate assessments that have already been paid off; Status: Closed. GAO-01-42[Footnote 81]: Controls over release of tax liens. ID no.: 01-06; Recommendation: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues; Action taken: IRS has taken a number of actions over the years to improve the timeliness of lien release processing, including (1) system enhancements to improve the timeliness of recognizing when a taxpayer has fully satisfied the outstanding tax liability and (2) conducting semiannual testing to evaluate the timeliness of its release of tax liens. In October 2013, IRS formalized its semiannual reviews of lien releases by including the requirement for these reviews in its Internal Revenue Manual (IRM). Our review of IRS's lien release timeliness in 2013 and 2012 found significant improvements in lien release timeliness over prior years; Status: Closed. GAO-05-247R[Footnote 82]: Controls over transmittal of taxpayer receipts and information. ID no.: 05-33; Recommendation: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information; Action taken: Since the issuance of this recommendation IRS has taken several actions to address this recommendation. Specifically, it updated the IRM to require (1) the use of a document transmittal form 3210 when sending multiple Daily Report of Collection Activity forms and (2) managers to ensure document transmittal forms are used when transmittal packages include more than one Daily Report of Collection Activity form. In addition, in June 2013, it completed a review of three collection field areas to assess their use of the document transmittal form 3210 to ensure compliance with the IRM. Based on the results, IRS determined no further actions were necessary. We believe that IRS's efforts and actions over the years to enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages sufficiently addresses this recommendation; Status: Closed. Controls over manual refunds: ID no.: 05-38; Recommendation: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds; Action taken: IRS stated that based on GAO's prior findings, it has strengthened the processes for monitoring and reviewing monitoring of manual refund accounts and has updated related guidance in the IRM. However, during our fiscal year 2013 audit, we continued to find instances in which manual refund accounts were not monitored and the individuals responsible for monitoring manual refunds were not aware of the related IRM updates and thus did not always follow the required procedures. We also found that supervisors did not always complete the required reviews to ensure that the required monitoring was being performed. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. ID no.: 05-39; Recommendation: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds; Action taken: IRS stated that it clarified requirements in the IRM to address documenting the monitoring actions and supervisory review of manual refunds. IRS also reviewed the documentation of the manual refund monitoring process. However, during our fiscal year 2013 audit, we continued to find instances where IRS did not complete and document monitoring actions and did not perform supervisory review for manual refunds. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. GAO-06-543R[Footnote 83]: Controls over transmittal of taxpayer receipts and information. ID no.: 06-02; Recommendation: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including service center campuses, taxpayer assistance centers (TAC), and units within the Large Business and International (LB&I) and the Tax Exempt and Government Entities (TEGE) business operating units, establish a system to track acknowledged copies of document transmittals; Action taken: IRS has taken several corrective actions across its business operating units to address this recommendation. Specifically, IRS updated (1) guidance on the use of the TAC follow-up review logs for tracking unacknowledged document transmittal forms and (2) its agency-wide requirements for shipping taxpayer information and receipts, including requirements for senders to track document transmittals and perform follow-up actions when needed. During our fiscal year 2013 audit, we visited two service center campuses, eight TACs, three LB&I offices, and two TEGE offices, all of which had systems for tracking acknowledged copies of document transmittals; Status: Closed. Controls over physical security. ID no.: 06-05; Recommendation: Equip all TACs with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers, such as locked doors marked with signs barring entrance by unescorted customers; Action taken: IRS's efforts to address this recommendation are ongoing as it continues to use several solutions to help secure nonmodel TACs, including using theater rope or other barriers, signage, and other minor alterations to deter unauthorized access. IRS stated that it continued to identify priority locations for TAC model build out by evaluating TAC sites and customer feedback. Priority status goes to sites with security, safety, and environmental health concerns. Of the 397 TAC locations, IRS stated that 306 have the model TAC, with another 2 scheduled for completion prior to the 2014 filing season. IRS also stated that by October 2014, it will build out all TACs in compliance with its security guidelines. However, IRS reports that this action depends greatly on continued funding and overcoming scheduling complexities. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 and future audits; Status: Open. GAO-07-689R[Footnote 84]: Controls over manual refunds. ID no.: 07-08; Recommendation: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds; Action taken: In March 2013, IRS developed a training analysis process to identify employees who have missed required training and ensure that all employees who initiate, approve, or monitor manual refunds complete appropriate annual training. In January 2013, IRS also updated its guidance in the IRM to reflect the training requirement. However, during our fiscal year 2013 audit, we continued to find instances in which the individuals who processed manual refunds did not complete the required training. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. GAO-08-368R[Footnote 85] Controls over tax penalty assessments. ID no.: 08-06; Recommendation: In instances where computer programs that control penalty assessments are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM; Action taken: IRS's efforts to address this recommendation are ongoing. IRS reported that efforts to address this recommendation have been delayed because of implementation of the Patient Protection and Affordable Care Act mandates. IRS expects to complete its corrective action by September 2015. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 and future audits; Status: Open. GAO-09-513R[Footnote 86]: Controls over couriers. ID no.: 09-03; Recommendation: Document in the IRM the minimum requirements for establishing criteria for time discrepancies or other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off-site surveillance of couriers; Action taken: In December 2012, IRS updated the IRM to include a methodology for calculating the allowable time frame for courier contractors to deliver the service center campus daily deposits to the depository location. The updated IRM also requires that upon notification of any courier issues, the headquarters deposit analyst will contact headquarters management, and that headquarters management will (1) determine if additional courier surveillance is needed and (2) make the decision to resume or terminate the courier contract; Status: Closed. Controls over tax receipts tracking. ID no.: 09-05; Recommendation: Establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual TAC location, group, territory, area, and nationwide; Action taken: IRS stated that in October 2012, it updated its policies to require the use of the Form 795A, Remittance and Return Report, through the Accounts Management System, which will help ensure routine reporting of the total dollar amounts and volumes of receipts collected by TAC, group, territory, area, and nationwide. However, when we requested IRS to provide the total dollar amounts and volumes of receipts collected for the eight TACs we visited during fiscal year 2013, IRS was unable to provide the data. IRS stated that the data for all payments are not available at the TAC level. Although IRS was able to track and report the total dollar amounts at the area and nationwide levels, it was unable to track and report these amounts at the individual TAC, group, or territory level. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. Controls over physical security - alarms. ID no.: 09-06; Recommendation: Establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted; Action taken: In October 2012, IRS updated Standard Operating Procedure (SOP) 12-0004a, Duress Alarm Test Conducting and Reporting. The updated SOP requires that an inventory of all duress alarms be documented for each location and be readily available to individuals performing duress alarm tests before each test is conducted; Status: Closed. ID no.: 09-07; Recommendation: Establish procedures to periodically update the inventory of duress alarms at each taxpayer assistance center location to ensure that the inventory is current and complete as of the testing date; Action taken: In October 2012, IRS updated SOP-12-0004a, Duress Alarm Test Conducting and Reporting. The updated SOP requires IRS personnel to obtain a current listing of alarm points and to validate the alarm points semiannually to ensure that no new alarms were added or any existing alarms were omitted; Status: Closed. ID no.: 09-08; Recommendation: Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory, including date, findings, and planned corrective action, and (2) track the findings until they are properly resolved; Action taken: In October 2012, IRS updated SOP-12-0004a, Duress Alarm Test Conducting and Reporting, to require that officials performing the tests (1) document the test results for each duress alarm tested, including the date the tests were conducted, the number of alarms tested, the number of alarms that passed, and which alarms malfunctioned, and (2) track the status of repairs until they are properly resolved. In June 2013, we verified that the instructions in SOP-12-0004a were readily available to individuals conducting duress alarm tests at all eight TACs we visited; Status: Closed. ID no.: 09-09; Recommendation: Establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station and (2) the emergency contact list for each location is current and includes only appropriate contacts; Action taken: In response to our recommendation, IRS issued SOP-12- 0004a, Duress Alarm Test Conducting and Reporting, in October 2012. We reviewed the SOP and found that it included procedures requiring physical security analysts to review emergency contact lists semiannually to ensure that they are current. However, it did not include procedures requiring physical security analysts to review the emergency signal history report, now referred to as the All Events History Report (AEHR), to ensure that appropriate corrective actions have been planned for all incidents reported by the central monitoring station. During our analysis of the fiscal year 2013 AEHR for three of the eight field offices we visited, we did not find any evidence indicating that the reports had been reviewed by a physical security analyst. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. GAO-10-565R[Footnote 87]: ID no.: Controls over unpaid tax assessments - financial reporting. ID no.: 10-01; Recommendation: Review the results of IRS's unpaid tax assessments compensating statistical estimation process to identify and document instances where systemic limitations in the Custodial Detail Data Base (CDDB) resulted in misclassifications of account balances that, in turn, resulted in material inaccuracies in the amounts of reported unpaid assessments; Action taken: Over the past several years, IRS reviewed the results of its unpaid tax assessments compensating statistical estimation process, identified and documented instances where limitations with the CDDB classification program resulted in misclassifications of account balances, and analyzed this information to identify significant deficiencies requiring programming changes to the CDDB classification program. On March 2014, IRS provided documentation of its analysis, CDDB systemic limitations it identified for correction, and the CDDB programming changes implemented through November 2013. As these actions occurred after the end of fiscal year 2013, we will evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. ID no.: 10-02; Recommendation: Research and implement programming changes to allow the CDDB to more accurately classify taxpayer accounts among the three categories of unpaid tax assessments; Action taken: Over the past several years, IRS reviewed the results of its unpaid tax assessments compensating statistical estimation process, identified and documented instances where systemic limitations with the CDDB classification program resulted in misclassifications of account balances, and analyzed this information to identify significant deficiencies requiring programming changes to the CDDB classification program. On March 2014, IRS provided documentation of its analysis, the CDDB systemic limitations it identified for correction, and the CDDB programming changes implemented through November 2013. As these changes occurred after the end of fiscal year 2013, we will evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. ID no.: 10-03; Recommendation: Research and identify control weaknesses resulting in inaccuracies or errors in taxpayer accounts that materially affect the financial reporting of unpaid tax assessments; Action taken: IRS's efforts to address this recommendation are ongoing. During our fiscal year 2013 audit, we and IRS continued to identify misclassified unpaid assessments resulting from inaccuracies or errors in taxpayer accounts. By November 2014, IRS plans to identify the underlying control weaknesses contributing to errors in taxpayer accounts. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 and future audits; Status: Open. ID no.: 10-04; Recommendation: Once IRS identifies the control weaknesses that result in inaccuracies or errors that materially affect the financial reporting of unpaid tax assessments, implement control procedures to routinely prevent, or to detect and correct, such errors; Action taken: IRS's efforts to address this recommendation are ongoing. During fiscal year 2013, we and IRS continued to identify misclassified unpaid assessments that resulted from inaccuracies or errors in taxpayer accounts. By November 2014, IRS plans to identify the underlying control weaknesses contributing to errors to taxpayer accounts, which would allow IRS to design and implement appropriate control procedures to prevent, or to detect and correct, future errors. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 and future audits; Status: Open. Controls over transmittal of taxpayer receipts and information. ID no.: 10-20; Recommendation: Establish procedures to monitor the process used by service center campuses and lockbox banks to acknowledge and track transmittals of unprocessable items with receipts. These procedures should include monitoring discrepancies and instituting appropriate corrective actions as needed; Action taken: IRS's efforts to address this recommendation are ongoing. IRS stated that by March 2014, it will work with the lockbox sites and its service center campuses to roll out a new process nationwide to improve monitoring of the actions that service center campuses and lockbox banks perform to acknowledge and track transmittals of unprocessable items with receipts. IRS also stated that it is currently piloting the new process at the Austin service center campus and the JP Morgan Chase-Charlotte lockbox site. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. ID no.: 10-29; Recommendation: Analyze the various contractor access arrangements and establish a policy that requires security awareness training for all IRS contractors who are provided unescorted physical access to its facilities or taxpayer receipts and information; Action taken: IRS performed a risk assessment and identified contractors with unescorted work space access (i.e., janitors, cleaning personnel, building maintenance personnel, and repair personnel) as posing a moderate risk. To mitigate this risk, IRS established a policy in July 2013 that requires security awareness training for all IRS contractors who are provided unescorted access to IRS facilities, sensitive but unclassified information or information systems, or a combination of these. The policy allows several exceptions to this training requirement. For example, contracts with an estimated value less than $25,000 are excluded. However, we currently have three open recommendations (see recommendations 11-11, 11-12, and 11-13) addressing deficiencies where we identified contractors working under a less than $25,000 contract that had possession of IRS outgoing mail that contained information related to taxpayers. Under the policy, this contract and potentially others would be omitted from the security awareness training requirement despite the risk those contractors may pose. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. GAO-11-494R[Footnote 88]: Controls over purchases. ID no.: 11-04; Recommendation: Establish formal written procedures requiring staff to review purchase contract terms against the goods and services received to date before requesting additional goods or services; Action taken: In June 2013, IRS issued a memorandum to its procurement staff as part of IRS's procurement policies that requires staff to review purchase contract terms against the goods and services received to date before requesting additional goods or services. Specifically, the memorandum reiterated principles, policies, and procedures, which required staff to know the quantity and other ceiling limits on their respective contracts and orders and to not exceed those limits unless the contract or order is appropriately modified increasing those limits; Status: Closed. Controls over personnel actions. ID no.: 11-05; Recommendation: Establish procedures to centrally review and monitor the timeliness of personnel action requests and approvals to help ensure compliance with the Internal Revenue Manual and applicable Office of Personnel Management regulations and guidance; Action taken: IRS's efforts to address this recommendation are ongoing. In fiscal year 2013, IRS's Human Capital Office (HCO) took various actions related to this recommendation, such as (1) communicating the results of its analysis on the timeliness of personnel action requests (PAR) to Employment Operations senior and frontline leadership and (2) issuing Leader's Alerts and conducting training for managers to educate them on the importance of the timely submission of PARs. For fiscal year 2014, IRS stated that it plans to increase its performance goals on the processing and timely submission of PARs and focus its efforts on increasing accountability at all levels. IRS plans to analyze the timeliness of PAR actions and report the results to leadership on a quarterly basis. However, IRS still has not documented any procedures related to the PAR analysis or other monitoring activities. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. ID no.: Controls over contractor access to sensitive information. ID no.: 11-11; Recommendation: Perform a review of all existing contracts under $100,000 that (1) do not have an appointed contracting officer's technical representative and (2) do not require that contract employees obtain background investigations to assess whether the services performed under each contract warrant a requirement that contract employees obtain background investigations; Action taken: IRS's efforts to address this recommendation are ongoing. IRS stated that by May 2014 it would complete an analysis of contracts that had previously not included background investigation requirements. IRS stated that it will identify any risks and provide a mitigation plan for each risk identified. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. ID no.: 11-12; Recommendation: Based on a review of all existing contracts under $100,000 without an appointed contracting officer's technical representative that should require contract employees to obtain favorable background investigation results, amend those contracts to require that favorable background investigations be obtained for all relevant contract employees before routine, unescorted, unsupervised physical access to taxpayer information is granted; Action taken: IRS's efforts to address this recommendation are ongoing. IRS stated that by May 2014 it would complete an analysis of contracts that had previously not included background investigation requirements. IRS stated that it will identify any risks and provide a mitigation plan for each risk identified. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. ID no.: 11-13; Recommendation: Establish a policy requiring collaborative oversight between IRS's key offices in determining whether potential service contracts involve routine, unescorted, unsupervised physical access to taxpayer information, thus requiring background investigations, regardless of contract award amount. This policy should include a process for the requiring business unit to communicate to the Office of Procurement and the HCO the services to be provided under the contract and any potential exposure of taxpayer information to contract employees providing the services, and for all three units to (1) evaluate the risk of exposure of taxpayer information prior to finalizing and awarding the contract and (2) ensure that the final contract requires favorable background investigations as applicable, commensurate with the assessed risk; Action taken: IRS's efforts to address this recommendation are ongoing. IRS provided Policy and Procedures Memorandum No. 39.1(F), Contractor Submission of Credit Checks, Fingerprints and Other Security Documentation, dated July 10, 2013, which requires certain contractors with access to IRS-owned or IRS-controlled facilities, sensitive but unclassified information, or information systems to receive favorable background investigations prior to gaining access to taxpayer receipts and information. However, this policy does not explicitly require collaborative oversight between IRS's key offices in determining whether potential service contracts involve routine, unescorted, unsupervised physical access to taxpayer information, thus requiring background investigations, regardless of contract award amount. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. Controls over couriers. ID no.: 11-14; Recommendation: Establish procedures to provide a consistent methodology for calculating and establishing allowable deposit courier trip time limits to be used by both service center campuses and lockbox banks that would assist in detecting potential unauthorized stops or other contractual violations by deposit couriers. Such procedures should include instructions for documenting and supporting how the trip limits were determined and require justification and approval for all established time limits that exceed the average trip time; Action taken: IRS has established a methodology for calculating and establishing allowable deposit courier trip time limits; however, it is unclear whether the established methodology would assist in detecting potential unauthorized stops or other contractual violations for deposit couriers. For example, the methodology states that the average trip time documented on Form 10160, Receipt for Transport of IRS Deposit, is the base of the allowable time, and that additional time should be added to the base depending on the length of trip time and number of traffic lights. Since the average trip times already include the time required to make the entire trip, adding additional time to the base time does not make this policy effective in detecting potential unauthorized stops or other contractual violations for deposit couriers. During our fiscal year 2013 audit, we found that one of the three lockbox banks we visited instructed deposit couriers to deliver receipts to a depository bank for which there was no established deposit courier time limit. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. ID no.: 11-16; Recommendation: Enforce existing contractual requirements for the cargo doors of contract courier vehicles to be locked after picking up taxpayer information; Action taken: On April 6, 2012, IRS updated the IRM to require monthly reviews of the shipping and receiving processes and random on-site reviews to ensure that vehicles' cargo doors are locked prior to delivery and upon receipt of pipeline work from one facility to the other. In addition, during our fiscal year 2013 audit, we verified that Real Estate and Facilities Management staff conducted random monthly reviews of its contract courier routes to ensure that couriers were locking cargo doors; Status: Closed. ID no.: 11-17; Recommendation: Establish procedures to prevent or detect unauthorized access to taxpayer information in contract courier vehicles during transit. These procedures should detail specific activities to be performed by both the business unit sending and receiving the information transported by the contract courier; Action taken: On April 6, 2012, IRS updated the IRM to require the submission processing manager or designee to ensure that (1) the courier truck's door is secured with a numbered tie lock before leaving the originating area and (2) the tie lock is still secured upon arrival at the receiving area. In addition, during our fiscal year 2013 audit, we verified that Real Estate and Facilities Management staff conducted random monthly reviews of its contract courier routes to ensure that couriers were locking cargo doors; Status: Closed. ID no.: 11-18; Recommendation: Revise the guidance for conducting the periodic reviews of the contract couriers transporting taxpayer information from one IRS processing facility to another to include procedures for (1) physically verifying that courier vehicle cargo doors are locked after picking up this information and remain locked during transit to the final destination and (2) documenting the basis for the reviewer's conclusions; Action taken: On April 6, 2012, IRS updated the IRM to require monthly reviews of the shipping and receiving process and random on-site reviews to ensure that vehicles' cargo doors are locked prior to delivery and upon receipt of pipeline work from one facility to the other. Specifically, the IRM requires the monthly reviews to be documented, initialed and dated by the reviewer, and maintained on file for no less than 1 year. In addition, any discrepancies identified during the review should be reported to the headquarters IRM analyst within 2 business days after the review has been conducted. During our fiscal year 2013 audit, we verified that Real Estate and Facilities Management conducted and documented random monthly reviews of its contract courier routes to ensure that couriers were locking cargo doors; Status: Closed. Controls over physical security - lighting. ID no.: 11-24; Recommendation: Revise the post orders for the service center campuses (SCC) and lockbox bank security guards to include specific procedures for timely reporting exterior lighting outages to SCC or lockbox bank facilities management. These procedures should specify (1) whom to contact to report lighting outages and (2) how to document and track lighting outages until resolved; Action taken: While following up on IRS's actions to address this recommendation, we found that the post orders at one of IRS's SCC did not include procedures specifying (1) whom to contact to report lighting outages or (2) how to document and track lighting outages until resolved. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: GAO/AIMD-99-16: Controls over unpaid tax assessments - trust fund recovery penalty: Open. ID no.: 11-25; Recommendation: Revise the nature and scope of the service center campuses' and lockbox banks' physical security reviews to include periodic after-dark assessments of physical security controls; Action taken: In January 2013, IRS revised the Audit Management Checklist to include periodic after-dark assessments of physical security controls and verification that guards are properly reporting lighting outages; Status: Closed. GAO-12-683R[Footnote 89]: Controls over financial reporting. ID no.: 12-01; Recommendation: Establish and document an inventory of the specific systems involved in IRS's financial reporting process, including (1) describing what role each system plays in the financial reporting process; (2) concluding whether each system is considered to be material to financial reporting and why; and (3) denoting whether each system is controlled by IRS or by an external service provider and, if the latter, identifying the service provider; Action taken: In fiscal year 2013, IRS modified its listing of systems involved in the financial reporting process to include (1) a description of the role each system plays; (2) whether the system is considered relevant and significant to IRS's financial reporting; and (3) whether the system is controlled by IRS or by a service organization and, if the latter, identified the service organization; Status: Closed. ID no.: 12-02; Recommendation: Enhance existing policies and procedures pertaining to monitoring internal control over the automated systems operated by IRS personnel to specifically provide for routine, documented monitoring of the specific internal controls within its financial reporting systems that are intended to ensure the integrity of the data reported in the financial statements and other financial reports. This monitoring process should (1) involve both automated systems specialists and individuals with expertise in accounting and reporting, as appropriate; (2) encompass the specific automated internal controls that affect the authorizing, processing, transmitting, or reporting of material financial transactions; and (3) be designed to determine whether these internal controls are in place and operating effectively; Action taken: IRS's efforts to address this recommendation are ongoing. IRS has updated the IRM to include a section on continuous monitoring, has created a crosswalk to map National Institute of Standards and Technology publications to the IRM requirements for information technology security, and has developed documents detailing flow analysis of automated systems supporting IRS's financial reporting. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. ID no.: 12-03; Recommendation: For any system identified as material to IRS's financial reporting process that is controlled by an external service provider, establish policies and procedures requiring and defining a routine, documented process for coordinating with the service provider to appropriately monitor related internal control. This may entail establishing an agreement with each service provider to allow IRS personnel the access to either (1) the system concerned, as necessary, to perform appropriate monitoring of internal control over financial reporting, or (2) periodic reports prepared in accordance with the Statements on Standards for Attestation Engagements (SSAE) No. 16 documenting the results of monitoring performed by the service provider; Action taken: In December 2013, IRS established procedures for reviewing service organizations' operating information systems affecting IRS's financial reporting. However, we found that the agreements with service providers did not facilitate and support monitoring by IRS as intended by this recommendation. Nevertheless, we are closing this recommendation because of the progress made by IRS since fiscal year 2011 when we identified the deficiencies that gave rise to this recommendation; the issuance of Appendix D to Office of Management and Budget Circular No. A-123, which requires SSAE No. 16 reports for all the service organizations supporting IRS's financial reporting, effective fiscal year 2014; and the new recommendations we are making in this report that are more specific to current circumstances; Status: Closed. ID no.: 12-04; Recommendation: Establish policies and procedures with respect to any external financial reporting system IRS personnel themselves do not directly monitor that specify required steps to routinely review periodic reports prepared by service providers' auditors in accordance with SSAE No. 16, including steps to document (1) an assessment of whether a review's scope, methodology, and timing is appropriate to satisfy IRS's objectives; (2) any control deficiencies disclosed in the report, and an assessment of their materiality to IRS's financial reporting process and related risks; and (3) any compensating internal controls needed to mitigate any actual or potential effects of identified deficiencies upon IRS's internal and external financial reports resulting from any (a) material weakness or (b) significant shortcoming in the scope, methodology, or timing of any SSAE No. 16 report reviewed relative to IRS's internal control objectives; Action taken: In December 2013, IRS developed policies and procedures to document and routinely report on reviews of service organizations' adherence to IRS's internal control objectives for systems identified as affecting IRS's financial reporting process. We noted that while they address consideration of any control deficiencies identified in an SSAE No. 16 report (if prepared), as well as associated corrective actions and any compensating controls, they do not clearly address consideration of whether the scope and methodology of the report are appropriate to IRS's internal control objectives. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. Controls over accuracy of tax records. ID no.: 12-05; Recommendation: Update IRS's procedures for comparing tax revenue recorded in the general ledger to detailed tax revenue transactions recorded in the master files to (1) establish minimum criteria defining a significant or unusual variance and (2) specify the steps required to effectively evaluate and resolve these variances; Action taken: In January 2014, IRS updated its revenue reconciliation SOP for comparing tax revenue recorded in the general ledger to detailed tax revenue transactions recorded in the master files. These procedures establish minimum criteria defining a significant variance and specify the steps required to effectively evaluate and resolve them; Status: Closed. ID no.: 12-06; Recommendation: Update IRS's procedures for comparing tax revenue recorded in the general ledger to detailed tax revenue transactions recorded in the master files to require that management reviews ensure preparers evaluate and resolve unusual or significant variances; Action taken: In January 2014, IRS updated its revenue reconciliation SOP for comparing tax revenue recorded in the general ledger to detailed tax revenue transactions recorded in the master files. These procedures require a review and sign-off by the manager or a management official to ensure that preparers evaluate and resolve substantive variances; Status: Closed. Controls over reimbursable revenue. ID no.: 12-07; Recommendation: Establish and document procedures for ensuring that recorded reimbursable revenue, transfers in without reimbursement, and accounts receivable from the Department of the Treasury Forfeiture Fund (TFF) conform to federal accounting standards; Action taken: IRS established and documented procedures for recording reimbursable revenue, transfers in without reimbursement, and accounts receivable from the TFF during fiscal years 2012 and 2013. Additionally, in January 2014, IRS further revised its procedures by including objective criteria for staff to use in determining materiality for the purpose of deciding whether to record an accrual for revenue earned but not yet recorded by fiscal year-end. IRS's revised procedures, if effectively implemented, should allow IRS to ensure that recorded TFF transactions conform to federal accounting standards; Status: Closed. Controls over physical security - review checklists. ID no.: 12-09; Recommendation: Establish procedures requiring Physical Security and Emergency Preparedness (PSEP) headquarters to centrally monitor compliance with the audit management checklist process to ensure that (1) PSEP analysts timely complete their physical security reviews using the proper audit management checklists and (2) territory managers timely review and properly document their reviews of completed audit management checklists; Action taken: During fiscal year 2013, we verified that IRS updated the Audit Management Checklist Standard Operating Procedures. The procedures state that the Security, Standards, and Enhancements office will manage and maintain oversight of the PSEP Audit Management Program, which includes reviewing completed audit management checklists on a quarterly basis to ensure that the required reviews have been completed timely using the most current checklist, and that territory managers have documented their review and approval in a timely manner; Status: Closed. Controls over separation of duties. ID no.: 12-10; Recommendation: Update the IRM to specify steps to be followed to prevent campus support clerks as well as any other employees who process payments through the electronic check presentment system from making adjustments to taxpayer accounts; Action taken: IRS's efforts to address this recommendation are ongoing. IRS completed a formal risk assessment in May 2013, focusing on separation of duties pertaining to remittance processing within the Wage and Investment Division. The risk assessment identified several options for management to mitigate risk. IRS stated that by December 2014, it will identify appropriate actions to mitigate unacceptable risks levels in IRS's TACs and will update the IRM accordingly. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 and future audits; Status: Open. ID no.: 12-24; Recommendation: Revise the payroll standard operating procedures to require that the designated proxy for a manager required to approve time cards be at an equivalent or higher level as the manager, consistent with the Internal Revenue Manual; Action taken: IRS's efforts to address this recommendation are ongoing. IRS stated that by December 2014, IRS's Support Services, Human Capital, and Chief Financial Officer organizations plan to form a joint work group to reevaluate IRS's current time and attendance proxy process and provide recommendations and action plans to IRS leadership and implement appropriate changes to the process. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 and future audits; Status: Open. ID no.: 12-25; Recommendation: In the planned 2012 policy change requiring the manager or designated proxy to sign the electronic time card before transmitting payroll records to the National Finance Center, require that the designated proxy be at an equivalent or higher level than the employee's manager; Action taken: IRS's efforts to address this recommendation are ongoing. IRS stated that by December 2014, IRS's Support Services, Human Capital, and Chief Financial Officer organizations plan to form a joint work group to reevaluate IRS's current time and attendance proxy process and provide recommendations and action plans to IRS leadership and implement appropriate changes to the process. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 and future audits; Status: Open. ID no.: 12-26; Recommendation: Implement an edit control in IRS's time card system to identify and prevent the processing of time cards that have not been electronically signed; Action taken: In June 2013, IRS implemented an edit control in its time card system that effectively prevented the National Finance Center from processing time cards that have not been electronically signed. In addition, we observed IRS personnel track and follow up with supervisors and managers on time cards without electronic signatures; Status: Closed. Controls over employee pay increases. ID no.: 12-28; Recommendation: Establish procedures for human resource specialists to track and monitor supervisory actions taken for employees with less than "fully successful" ratings that have a within-grade pay increase due date within 90 days to include specific required steps for following up with managers to ensure the managers (1) properly issue the employees a 60-day notification letter providing them an opportunity to improve their performance, (2) make a timely determination on releasing or denying a within-grade pay increase, and (3) properly carry out the requirements necessary to support the decision made; Action taken: In October 2013, IRS published revised supplemental guidance that outlines within-grade pay increase time frames and procedures for managers, human resource specialists, and Labor Relations. The guidance includes (1) a 90-day and 60-day notification process for human resource specialists to remind managers to issue a 60-day notification letter for employees with less than "fully successful" ratings who are due a within-grade pay increase, (2) procedures for human resource specialists and Labor Relations to follow up after the manager makes the determination to deny or release the within-grade pay increase, and (3) steps for Labor Relations to take if the managers do not respond to the reminders or make timely determinations on within-grade pay increases; Status: Closed. ID no.: 12-29; Recommendation: Establish procedures for human resource specialists to track and monitor supervisory actions taken for employees with less than "fully successful" ratings that have a within-grade pay increase due date within 90 days to include specific required steps for timely granting a within-grade pay increase to such employees who were not given a 60-day notification letter; Action taken: In June 2013, IRS revised its policy to require that employees must achieve a "fully successful" rating in order to qualify for a within-grade pay increase and that the increase cannot be granted solely as a result of a manager's inaction or untimely action. Thus, even if there is less than 60 days before the employee's within- grade pay increase due date, the employee must be given a full 60-day period to improve, after which the manager must determine that the employee is performing at a "fully successful" level (or above) prior to the within-grade pay increase being granted. The within-grade pay increase will not become effective until the first pay period following the manager's determination; Status: Closed. GAO-13-420R[Footnote 90]: Controls over unpaid assessments. ID no.: 13-01; Recommendation: Update the existing guidance for classifying and determining the dollar amount of individual unpaid assessments to provide additional guidance or specific procedures to follow when evaluating taxpayer accounts that involve complex legal and accounting interpretations. In updating the guidance, consider whether additional levels of management review should be performed on such complex cases; Action taken: In March 2013, IRS updated its guidance for evaluating taxpayer accounts reviewed as part of its compensating process for deriving reported unpaid assessment amounts. The update provides additional guidance when evaluating accounts that involve complex legal and accounting interpretations. The guidance also includes requirements for additional levels of management review on complex cases; Status: Closed. ID no.: 13-02; Recommendation: Provide training on the new guidance to help staff evaluate and determine the proper accounting classification and amount of unpaid tax assessments, and to help with supervisory review of the sampled taxpayer accounts; Action taken: When IRS updated its guidance for evaluating taxpayer accounts reviewed as part of its compensating process for deriving reported unpaid assessments amounts in March 2013, it provided training to staff on evaluating and determining the accounting classification and amount of the sampled taxpayer accounts. The training also covered supervisory review of the sampled accounts; Status: Closed. Controls over refunds. ID no.: 13-03; Recommendation: Finalize implementation of the automated process for (1) routinely updating date of death information and deceased status in the master files using Social Security Administration data and (2) preventing automatic processing of a tax return submitted using a deceased taxpayer's Social Security number; Action taken: IRS's efforts to address this recommendation are ongoing. IRS stated that it has implemented a process to weekly update date of death information to the master file and will continue to evaluate the process for additional improvements. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. ID no.: 13-04; Recommendation: Implement policies and procedures that require the manual refund unit to verify that (1) any manual refund signature authorization forms that are signed by a delegated official are accompanied by a designation to act form and (2) the designation to act form is dated prior to the approval date on the manual refund signature authorization form; Action taken: In February 2013, IRS updated the guidance in the IRM to include the requirement that individuals allowed to approve the issuance of manual refunds are properly appointed and authorized to do so. However, during our fiscal year 2013 audit, we found instances where the delegated official authorized individuals to sign and approve manual refunds when the delegated official did not have the authority to do so. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. Controls over system access. ID no.: 13-05; Recommendation: Perform a risk assessment to determine the appropriate level of Integrated Data Retrieval System (IDRS) access that should be granted to employee groups that handle hard-copy taxpayer receipts and related sensitive taxpayer information as part of their job responsibilities; Action taken: IRS's efforts to address this recommendation are ongoing. IRS stated that by October 2014, its Wage and Investment (W&I) and Information Technology (IT) organizations will work jointly to perform a risk assessment to determine the appropriate level of IDRS access that should be granted to employees who handle hard-copy taxpayer receipts and related taxpayer information. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 and future audits; Status: Open. ID no.: 13-06; Recommendation: Based on the results of the risk assessment, update the IRM accordingly to specify the appropriate level of IDRS access that should be allowed for (1) remittance perfection technicians and (2) all other employee groups with IDRS access that handle hard-copy taxpayer receipts and related sensitive information as part of their job responsibilities; Action taken: IRS's efforts to address this recommendation are ongoing. IRS stated that by October 2014, its W&I and IT organizations will work jointly to perform a risk assessment to determine the appropriate level of IDRS access that should be granted to employees who handle hard-copy taxpayer receipts and related taxpayer information. Once the appropriate level has been established, IRS plans to jointly update the applicable IRM sections by December 2015 to specify the appropriate level of IDRS access for employee groups with IDRS access. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 and future audits; Status: Open. ID no.: 13-07; Recommendation: Establish procedures to implement the updated IRM, including required steps to follow to prevent (1) remittance perfection technicians and (2) all other employee groups that handle hard-copy taxpayer receipts and related sensitive information as part of their job responsibilities from gaining access to command codes not required as part of their designated job duties; Action taken: IRS's efforts to address this recommendation are ongoing. IRS stated that by October 2014, its W&I and IT organizations will work jointly to perform a risk assessment to determine the appropriate level of IDRS access that should be granted to employees who handle hard-copy taxpayer receipts and related taxpayer information. IRS plans to use the results of the risk assessment to evaluate existing controls that prevent employees from gaining access to command codes not required for their designated job duties and establish and document additional or replacement procedures as applicable. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 and future audits; Status: Open. Controls over cost allocation. ID no.: 13-08; Recommendation: Establish and implement written procedures to ensure that only costs are included in the cost allocation process; Action taken: IRS established and implemented written procedures to ensure that only costs are included in the cost allocation process prior to the beginning of the fiscal year. However, IRS has not established written procedures to ensure that only costs are included in the cost allocation process prior to issuing its financial statements at fiscal year-end. IRS officials indicated that IRS plans to establish additional procedures during fiscal year 2014 to fully address our recommendation. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. ID no.: 13-09; Recommendation: Revise existing procedures to require staff responsible for monitoring the cost allocation to review the Presentation 1.1 report to determine if costs were fully allocated to the direct business units and, if not, to allocate the remaining costs; Action taken: In June 2013, IRS revised its existing procedures to require staff to review the Presentation 1.1 report to determine if costs were fully allocated to its five operational business units-- Criminal Investigation, LB&I, Small Business/Self-Employed, TEGE, and W&I. Additionally, IRS officials stated that IRS plans to further revise its procedures during fiscal year 2014 to include instructions for staff to allocate any remaining costs identified during their review of the Presentation 1.1 report. We will continue to evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. ID no.: 13-10; Recommendation: Establish and implement written procedures to require that the Office of Cost Accounting inform the Debt Collection Unit of any changes to assigned functional area codes to be used for posting user fee transactions in its Integrated Financial System (IFS); Action taken: In October 2013, IRS established and implemented written procedures to require the Office of Cost Accounting to certify a list of assigned functional area codes to be used for posting user fee transactions in IFS. The procedures require a user fee accountant to forward this listing to the Debt Collection Unit at the beginning of each fiscal year and each time a functional area code change occurs, thus notifying the Debt Collection Unit of functional area codes changes. We will evaluate IRS's implementation of these written procedures during our fiscal year 2014 audit; Status: Open. Controls over obligation of funds. ID no.: 13-11; Recommendation: Establish and implement written policies or procedures that require the agency to record the obligation of funds when a contract or agreement is entered into and prior to taking delivery of goods or services; Action taken: In September 2013, IRS established policies and procedures that listed various goods and services contracted by IRS and specified, as appropriate, the time frame to record obligations of funds and that obligations must be recorded prior to the start of services and ordering of goods. Because this policy was not established until the end of fiscal year 2013, we will evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. Controls over excise tax certifications. ID no.: 13-12; Recommendation: Develop and implement a formal training program for staff assigned to perform and review excise tax certifications, including a comprehensive step-by-step description of the excise tax certification process; Action taken: In April 2013, IRS developed and implemented training for all staff currently assigned to prepare and review IRS's excise tax certifications. The training was given by an excise tax subject matter expert and involved performing actual excise tax certification procedures following IRS's documented process. Our review of IRS excise tax certifications completed during fiscal year 2013 detected significantly fewer errors than in the prior year; Status: Closed. ID no.: 13-13; Recommendation: Review existing supervisory review procedures to identify and implement additional needed actions to better ensure that certification errors do not continue to go undetected; Action taken: In December 2012, IRS enhanced its reviewer check sheets to better guide reviewers to detect errors in IRS's excise tax certification results. Our review of IRS excise tax certifications completed during fiscal year 2013 detected significantly fewer errors than in the prior year; Status: Closed. ID no.: 13-14; Recommendation: Develop and implement written procedures requiring IRS to obtain documented concurrence from the other Treasury agencies involved in the excise tax collection and distribution process of any changes affecting how IRS calculates the amount of excise taxes it certifies to trust funds before IRS implements the change to its excise tax certification process; Action taken: IRS issued written guidance in March 2014 requiring IRS personnel to obtain documented concurrence from affected Department of the Treasury organizations before implementing any changes to how IRS calculates the amount of excise taxes certified to trust funds. As this occurred after the end of fiscal year 2013, we will evaluate IRS's actions to address this recommendation during our fiscal year 2014 audit; Status: Open. Source: GAO. [End of table] [End of section] Enclosure II: Comments from the Internal Revenue Service: Department of The Treasury: Internal Revenue Service: Commissioner: Washington, D.C. 20224: June 25, 2014: Ms. Cheryl E. Clark: Director: Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Ms. Clark: I am writing in response to the Government Accountability Office (GAO) draft report titled Management Report: Improvements Are Needed to Enhance the IRS's Internal Controls (GAO-14-433R), We are pleased that GAO acknowledged our progress in addressing our financial management challenges and agreed to close 26 prior year financial management recommendations. We continue to make significant progress in addressing internal control deficiencies and financial management as evidenced by 14 consecutive years of clean audit opinions on our financial statements. During fiscal year 2013, IRS strengthened its processes and controls over the timely release of tax liens and transmittals of taxpayer receipts and information, as well as its oversight of duress alarms, allowing for the closure of several longstanding recommendations. The enclosed response addresses each of your new recommendations. We are committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. If you have any questions, please contact me, or a member of your staff ma contact Robin Canady, Chief Financial Officer, at (202) 317-6400. Sincerely, Signed by: John A. Koskinen: Enclosure: GAO Recommendations and IRS Responses to GAO FY 2013 Management Report "Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls" GAO-14-433R: Recommendation #1: We recommend that you direct the appropriate IRS officials to revise the service organization monitoring procedures to require, when using an auditor's report prepared in accordance with SSAE No. 16 to monitor internal control over financial reporting, clearly documenting that IRS appropriately (1) considered any user controls identified as not being included within the scope of the SSAE No. 16 report, (2) identified those user controls that are relevant and material to IRS, and (3) verified that either those controls or comparable, relevant user controls were in place and operating effectively at IRS. Comments: The IRS agrees with this recommendation and we consider it closed. In May 2014, the Chief Financial Officer (CFO) and Information Technology (IT) organizations revised the service organization monitoring procedures to require, when using an auditor's report prepared in accordance with SSAE No. 16 to monitor internal control over financial reporting, that it be clearly documented that the IRS appropriately (1) considered any user controls identified as not being included within the scope of the SSAE No. 16 report, (2) identified those user controls that are relevant and material to IRS, and (3) verified that either those controls or comparable, relevant user controls were in place and operating effectively at IRS. Recommendation #2: We recommend that you direct the appropriate IRS officials for each service organization that is significant to IRS's financial reporting and related internal control and for which a current SSAE No. 16 report has not been prepared, establish a memorandum of understanding or agreement with the organization that requires (1) both parties to perform procedures that are consistent with the most current requirements of OMB Circular No. A-123 and (2) the service organization to provide IRS access to the organization's personnel, documents, and/or facilities necessary to allow IRS to timely and effectively conduct its own monitoring procedures or review and validate the reliability of monitoring documentation prepared by organization management, as appropriate. Comments: The IRS agrees with this recommendation. By December 2015, the CFO organization and the impacted business units will establish memorandums of understanding or agreements with the service organizations for which a current SSAE No. 16 report has not been prepared that require (1) both parties to perform procedures that are consistent with the most current requirements of OMB Circular No. A- 123 and (2) the service organization to provide IRS access to the organization's personnel, documents, and/or facilities necessary to allow IRS to timely and effectively conduct its own monitoring procedures or review and validate the reliability of monitoring documentation prepared by the organization's management, as appropriate. Recommendation #3: We recommend that you direct the appropriate IRS officials to issue a reminder to employees responsible for approving time cards that they need to fully understand IRS policy regarding the number of regular work hours employees can record, particularly during pay periods with mandatory furlough hours, and their responsibility for enforcing the policy. Comments: The IRS agrees with this recommendation. By September 2014, the Agency-Wide Shared Services (AWSS) organization will issue an updated SETR Alert and a Leaders' Alert to continue to remind managers and employees responsible for time and attendance of their responsibility to review records for accuracy, ensure compliance with policy, and enforce IRS policy. Specifically, the communication will address current policies related to regular work hours authorized and when more than 80 hours of work is reported in a pay period. Recommendation #4: We recommend that you direct the appropriate IRS officials to establish a written requirement for timekeeping staff to complete a review of all time cards with over 80 hours before IRS transmits time cards to the NFC for processing or immediately after so that errors can be timely identified and corrected. Comments: The IRS agrees with this recommendation. By September 2014, the AWSS organization will establish a written requirement for timekeeping staff to complete a review of all time cards with over 80 hours before IRS transmits them to NFC for processing or immediately after so that errors can be timely identified and corrected. Recommendation #5: We recommend that you direct the appropriate IRS officials to revise the desk procedures for the review of time cards with over 80 hours to include detailed guidance on what time charges are allowable for cases in which an employee has both furlough hours and paid hours in a pay period. Comments: The IRS agrees with this recommendation and we consider it closed. In April 2014, the AWSS organization updated the Memphis Payroll Center Desk Guide "Over 80 Hours Report" to provide more detailed examples and explanations of the over 80 hours issue including how time should be reported when Leave Without Pay (LWOP)/Furlough is also posted in a pay period, since the IRS must compensate for any LWOP reported when overtime is also worked. For example, if an employee is furloughed for 8 hours and worked 16 hours of overtime in the same pay period, the first 8 hours must be reported as regular hours worked and the additional 8 hours are posted as overtime. This ensures that the entire tour of duty is reported prior to any overtime hours. Recommendation #6: We recommend that you direct the appropriate IRS officials to update the IRM to require monitoring the functions of all staff, as they relate to receipt and acceptance functions, including applicable end-users. Comments: The IRS agrees with this recommendation. By July 2015, the CFO and AWSS organizations will update IRM 1.35.3, Administrative Accounting, Receipt and Acceptance Guidelines, to require monitoring the functions of all staff, as they relate to receipt and acceptance functions, including applicable end-users. Recommendation #7: We recommend that you direct the appropriate IRS officials to establish and implement written procedures for the Office of Procurement to monitor the receipt and acceptance functions of all staff who perform receipt and acceptance. Such monitoring should include reviewing the accuracy and timeliness of receipt and acceptance dates and amounts. Comments: The IRS agrees with this recommendation. By July 2015, the AWSS organization will establish and implement written procedures to be used by Procurement staff to monitor the accuracy and timeliness of the receipt and acceptance functions, including dates and amounts, of all staff that perform receipt and acceptance. Recommendation #8: We recommend that you direct the appropriate IRS officials to enhance existing mandatory training for all employees who are granted IPS access to perform receipt and acceptance to include specific instructions for determining the appropriate dates and amounts to enter for receipt and acceptance in IPS. Comments: The IRS agrees with this recommendation. By April 2015, the AWSS organization will enhance existing mandatory training for all employees who are granted Integrated Procurement System (IPS) access to perform receipt and acceptance to include specific instructions for determining the appropriate dates and amounts to enter for receipt and acceptance in IPS. Recommendation #9: We recommend that you direct the appropriate IRS officials to issue a memorandum to all business units reminding them of the existing policies and procedures that are intended to reasonably assure that (1) asset records are timely and accurately recorded, (2) approval is obtained prior to the disposal of assets and only approved by those properly authorized to do so, and (3) hard drives of disposal assets are wiped clean of sensitive information prior to the disposition. Comments: The IRS agrees with this recommendation. By September 2014, the IT, AWSS, and Criminal Investigation (CI) organizations will issue a memorandum to all IRS business units reinforcing existing policies and procedures that are intended to reasonably assure that (1) asset records are timely and accurately recorded, (2) approval is obtained prior to the disposal of assets and only approved by those properly authorized to do so, and (3) hard drives of disposal assets are wiped clean of sensitive information prior to the disposition. Recommendation #10: We recommend that you direct the appropriate IRS officials to update EOps policies and procedures as necessary, which may include providing requisite permissions to certain EOps staff to enable them to directly update KISAM, to reasonably assure that assets received are recorded in the asset management systems within 10 workdays as required by the IRM. Comments: The IRS agrees with this recommendation. * As of May 2014, the IT organization, as part of its continual process improvement effort, expanded the EOps server role in KISAM Asset Manager to include additional transactional update capabilities. The enhanced EOps server role provides the EOps staff with permission to timely execute KISAM transactions to add, record and receive EOps equipment asset records concurrent with the inventory event. * By December 2014, the IT organization will update its policies and procedures to require EOps inventory staff to report all inventory events within 10 days of the transaction. Recommendation #11: We recommend that you direct the appropriate IRS officials to establish and document objective criteria for determining materiality for the purpose of determining whether to record an adjustment for IA user fees collected but not yet recorded as exchange revenue or cash in IRS's fund balance with Treasury in IRS's accounting records by fiscal year-end. Comments: The IRS agrees with this recommendation. By September 2014, the CFO organization will establish and document objective criteria for determining materiality for the purpose of determining whether to record an adjustment for Installment Agreement (IA) user fees collected but not yet recorded as exchange revenue or cash in IRS's fund balance with Treasury in IRS's accounting records by fiscal year-end. Recommendation #12: We recommend that you direct the appropriate IRS officials to establish and implement written procedures for (1) estimating the potential financial statement impact of IA user fees collected but not yet recorded as exchange revenue or cash in IRS's accounting records by fiscal year-end, (2) comparing the potential impact against established materiality criteria, and (3) making an adjustment in IRS's accounting records for the amount of the potential impact if it meets or exceeds the established criteria for recording such an adjustment. Comments: The IRS agrees with this recommendation. By September 2014, the CFO organization will establish and implement written procedures for fiscal year-end requiring (1) the Office of Cost Accounting to estimate the amount of IA user fees collected but not recorded/reclassified as exchange revenue or cash in IRS's accounting records at fiscal year-end, (2) the Office of Financial Reports (OFR) to determine a materiality amount for assessing uncorrected misstatements in the financial statements using an established criteria, and (3) OFR to review the estimated amount of IA user fees collected but not yet recorded and compare it to the materiality amount, determining if an adjustment is required in the IRS's accounting records for the amount of the potential impact if it meets or exceeds the established materiality threshold for recording such an adjustment. Recommendation #13: We recommend that you direct the appropriate IRS officials to establish and implement procedures to periodically review master file data extracts of installment agreement user fee transactions to identify and investigate potential duplicate installment agreement user fees charged to taxpayers and make timely corrections. Comments: The IRS agrees with this recommendation. * By September 2014, the CFO, Small Business/Self-Employed, and Wage and Investment (W&I) organizations will perform a review of the IA user fee master file data extracts, identify and investigate potential duplicate IA user fees charged to taxpayers, and make timely corrections for FY 2014. * By December 2014, the CFO organization and the appropriate IRS compliance organization(s), will establish, document, and implement a process and related cross-functional procedures requiring a periodic review of the IA user fee master file data extracts to identify and investigate potential duplicate IA user fees charged to taxpayers and make timely corrections. Recommendation #14: We recommend that you direct the appropriate IRS officials to update the training manuals and related training provided to Submission Processing examiners to ensure that the examiners are provided proper guidance for correctly processing refund claims associated with deceased taxpayers. Comments: The IRS agrees with this recommendation. By December 2014, the W&I organization will update the training materials and training provided to Submission Processing examiners to ensure that the examiners are provided proper guidance for correctly processing refund claims associated with deceased taxpayers. Recommendation #15: We recommend that you direct the appropriate IRS officials to establish and implement policies and procedures requiring a review process to reasonably assure that the accounts related to deceased taxpayers are only re-opened for valid refunds. Comments: The IRS agrees with this recommendation. * In November 2013, the W&I organization revised and improved its review process to identify and lock the accounts of deceased individuals, reducing the risk of improperly issued refunds to deceased taxpayer accounts when IRS is notified of an individuals' death. * In February 2014, the W&I organization established and implemented policies and procedures that require monitoring to reasonably assure that accounts related to deceased taxpayers that have been re-opened are timely closed after processing the refund or other account action. * By September 2014, the W&I organization will initiate periodic reminders to appropriate employees stressing the importance of performing requisite account monitoring and completing closing actions timely. * By September 2016, the W&I organization will complete testing and evaluating the effectiveness of these processes. Recommendation #16: We recommend that you direct the appropriate IRS officials to establish and implement policies and procedures that require monitoring to reasonably assure that accounts related to deceased taxpayers that have been re-opened are timely closed after processing the refund. Comments: The IRS agrees with this recommendation. * In November 2013, the W&I organization revised and improved its review process to identify and lock the accounts of deceased individuals, reducing the risk of improperly issued refunds to deceased taxpayer accounts when IRS is notified of an individuals' death. * In February 2014, the W&I organization established and implemented policies and procedures that require monitoring to reasonably assure that accounts related to deceased taxpayers that have been re-opened are timely closed after processing the refund or other account action. * By September 2014, the W&I organization will initiate periodic reminders to appropriate employees stressing the importance of performing requisite account monitoring and completing closing actions timely. * By September 2016 the W&I organization will complete testing and evaluating the effectiveness of these processes. Recommendation #17: We recommend that you direct the appropriate IRS officials to issue a memorandum to IRS staff reminding them of the requirements and the procedures to follow to ensure that a representative is listed on a deceased taxpayer's account before issuing a refund on the account. Comments: The IRS agrees with this recommendation. By September 2015, the W&I organization will issue a memorandum to appropriate IRS staff reminding them of the requirements and procedures to follow to ensure that a representative is listed on a deceased taxpayer's account before issuing a refund on the account and refunds issued on behalf of decedents are paid to an authorized representative or entity. [End of section] Enclosure III: GAO Contact and Staff Acknowledgments: GAO Contact: Cheryl E. Clark, (202) 512-9377 or clarkce@gao.gov: Staff Acknowledgments: In addition to the contact named above, the following individuals made major contributions to this report: Doreen Eng (Assistant Director), Jeremy Choi (Auditor-in-Charge), Crystal Alfred, Deyanna Beeler, Sharon Byrd, Stephanie Chen, Liliam Coronado, Nina Crocker, Charles Fox, Maria Hasan, David Hayes, Tyrone Hutchins, Jenny Li, Andy Long, Joshua Marcus, Seong Park, Lien To, LaDonna Towler, and Cherry Vasquez. [End of section] Footnotes: [1] GAO, Financial Audit: IRS's Fiscal Years 2013 and 2012 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-14-169] (Washington, D.C.: Dec. 12, 2013). [2] GAO, Information Security: IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk, [hyperlink, http://www.gao.gov/products/GAO-14-405] (Washington, D.C.: Apr. 8, 2014). [3] A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. [4] GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-13-420R] (Washington, D.C.: May 13, 2013). [5] A taxpayer's personal representative may be a court appointed representative or another person authorized on the account to claim a refund for the decedent's estate. The representative's full name and address is recorded on the account. [6] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: Nov. 1999), contains the internal control standards to be followed by executive agencies in establishing and maintaining systems of internal control as required by 31 U.S.C. § 3512 (c), (d) (commonly referred to as the Federal Managers' Financial Integrity Act). [7] Although most of our recommendations regarding our information security work are sensitive and reported to IRS separately, we have reported our objectives, summary results, and nonsensitive recommendations in a publicly available report; see [hyperlink, http://www.gao.gov/products/GAO-14-405]. [8] An entity's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, the objectives of which are to provide reasonable assurance that (1) transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in accordance with U.S. generally accepted accounting principles, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition, and (2) transactions are executed in accordance with the laws governing the use of budget authority and other laws and regulations that could have a direct and material effect on the financial statements. [9] [hyperlink, http://www.gao.gov/products/GAO-14-169]. [10] These service organizations consisted of (1) NFC, (2) the Department of the Treasury (which includes the Bureau of the Fiscal Service), (3) the General Services Administration, and (4) the United States Postal Service. We would generally consider a system to be quantitatively material to financial reporting if it processes, reports, or both processes and reports a material dollar amount of the transactions that are included in agency internal financial reports, external financial reports, or both during a reporting period. The assessment of the significance of a deficiency in internal control over such a system may be elevated because of qualitative characteristics, such as processing an inordinately large volume of transactions; related sensitive information, the safeguarding of which is a matter of substantial concern to financial statement users; or both. [11] Office of Management and Budget, Management's Responsibility for Internal Control, OMB Circular No. A-123 (Dec. 21, 2004), defines management's responsibilities for developing and maintaining effective internal control, including federal managers' responsibilities for establishing, assessing, correcting, and reporting on internal control. The Implementation Guide for OMB Circular A-123, Management's Responsibility for Internal Control: Appendix A, Internal Control Over Financial Reporting (July 2005), is intended to assist federal managers with implementing a process for assessing the effectiveness of the entity's internal control over financial reporting. [12] IRS can reduce its reliance on the service organizations' internal controls to the extent that IRS has determined that it has sufficient internal controls in place over the activity being processed or reported by the system(s) the service organization operates to reduce to a low level the risk of undetected material misstatement of balances or compromise of sensitive information. [13] SSAE No. 16, Reporting on Controls at a Service Organization (March 2010), contains standards for a service organization's auditors to use in reporting on the service organization's controls over the services it provides to user entities (such as IRS) when those controls are likely to be relevant to user entities' internal control over financial reporting. [14] Service organizations were not required to have SSAE No. 16 reviews performed prior to fiscal year 2014. However, beginning in fiscal year 2014, OMB Circular No. A-123 Appendix D requires service organizations to provide their user entities with a report based on an evaluation of the effect of the service organizations' internal control on the user entities' control over financial reporting. [15] The Statement on Standards for Attestation Engagements (AT) Section 801; Reporting on Controls at a Service Organization, indicates that an SSAE No. 16 report that covers a period of less than 6 months is unlikely to be useful to user entities and their auditors. The same principle applies to other monitoring activities performed by service organizations. Activities completed prior to March 31 do not cover at least 6 months of the fiscal year. In addition, AT Section 501; An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements, indicates that if a significant amount of time passes between completion of the auditor's monitoring procedures and the date of management's assertion on the effectiveness of internal control as of September 30, additional procedures should be performed to determine whether the status has subsequently changed. [16] The workpapers IRS provided to us did not always reflect the dates of the monitoring documents reviewed by IRS. [17] GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls and Operating Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-12-683R] (Washington, D.C.: June 25, 2012). [18] Internal Revenue Service, External Systems Review Standard Operating Procedures, version 1.7 (Washington, D.C.: Dec. 3, 2013). [19] [hyperlink, http://www.gao.gov/products/GAO-12-683R]. [20] See Internal Revenue Manual 6.610.1, IRS Hours of Duty, January 22, 2013. Credit hours are hours within a flexible work schedule that an employee elects to work, with supervisory approval, in excess of the employee's basic work requirement. Employees are not paid for credit hours when they earn them. An employee may use credit hours during a subsequent day to allow the employee to be absent an equal number of hours of the employee's basic work requirement with no loss of basic pay. See also Office of Personnel Management, "Pay and Leave: Work Schedules - Fact Sheet: Credit Hours Under a Flexible Work Schedule," accessed April 22, 2014, [hyperlink, http://www.opm.gov/policy-data-oversight/pay-leave/work-schedules/fact- sheets/credit-hours-under-a-flexible-work-schedule/]. [21] The Budget Control Act of 2011, Pub. L. No. 112-25, 125 Stat. 240 (Aug. 2, 2011), which amended the Balanced Budget and Emergency Deficit Control Act of 1985 (BBEDCA), imposed discretionary spending limits for fiscal years 2012 through 2021 to reduce projected spending by about $1 trillion. The Budget Control Act also established the Joint Select Committee on Deficit Reduction, which was tasked with proposing legislation to reduce the deficit by an additional $1.2 trillion through fiscal year 2021. The Joint Committee failed to report a proposal, and Congress and the President did not enact legislation. This failure triggered the sequestration process in section 251A of BBEDCA, which is classified, as amended, at 2 U.S.C. § 901a. Section 251A required OMB to calculate, and the President to order, a sequestration of discretionary and direct spending on March 1, 2013. On that date, the President ordered a sequestration (i.e., an across-the-board cancellation of budgetary resources) to achieve $85.3 billion in reductions across the federal government. [22] To help accomplish its share of the budget cuts under sequestration, IRS employees were furloughed--that is, placed in a temporary nonduty, nonpay status for nondisciplinary reasons--for 3 days, one day each in May, June, and July 2013. [23] Regular hours do not include overtime or credit hours earned. [24] We identified these two instances during testing of a statistical sample of 109 transactions covering expenses recorded from October 1, 2012, through June 30, 2013. However, since the two exceptions we noted were furlough related, we determined it would not be appropriate to project the results to the entire population. [25] We did not test any of the other time cards listed on the exception report to determine whether they were all correctly recorded. [26] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [27] Receipt signifies IRS's acknowledgment that goods or services were received. Acceptance signifies that IRS assumes ownership of the goods or approves of the services rendered, that the goods or services meet contractual requirements, and that the government is obligated to pay the vendor. [28] The exceptions we noted did not result in overpayments to vendors because IRS only paid the vendors the amounts invoiced, which were not in error. [29] End users are IRS staff who physically receive the goods or services. [30] IRM § 1.35.3.10.4, Electronic Receipt and Acceptance (Aug. 5, 2011). [31] Of the 84 transactions we tested, 61 were transactions that were processed through IRS's Office of Procurement. However, because the sample was designed to test all nonpayroll expense transactions, including transactions such as printing, rent, and travel expenses that were not processed through the Office of Procurement, we were unable to project the exceptions that only applied to procurement transactions to the entire population. In addition, while receipt and acceptance errors could similarly be made with respect to purchases of capitalized assets, we did not include such asset purchases in our population and thus did not test those items for this attribute. [32] An obligation results in funds being set aside for the purchase price of the goods or services to be received to ensure that sufficient funds are available to pay for the items upon delivery. [33] The Beckley Finance Center processes payments to vendors after the COR or end user enters receipt and acceptance in IPS. [34] IRM § 1.35.3.8.7, Director, Office of Procurement, Agency-Wide Shared Services (July 5, 2012). [35] Prior to engaging in receipt and acceptance functions and entering information into IPS, CORs, end users, and their managers are required to take a specific training course on receipt and acceptance responsibilities. [36] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [37] IT equipment recorded in KISAM includes computer desktops, laptops, mainframes, routers, servers, disk arrays, and video equipment. IT equipment that is relatively inexpensive to replace is not recorded in KISAM. This includes keyboards, mice, disk drives, and monitors. Non-IT equipment recorded in KISAM includes all leased property and all motor vehicles owned and leased by IRS with the exception of investigative motor vehicles. As of June 2013, KISAM included more than 279,000 asset records of IT and non-IT equipment. [38] Investigative equipment recorded in CIMIS includes fleet vehicles, surveillance vehicles, radio communication equipment, firearms, body armor, electronic surveillance equipment, cameras and lenses, night vision equipment, and badges. As of June 2013, CIMIS included more than 5,800 records of investigative equipment. [39] IRM § 2.14.1.13.11.1, 10 Workdays Business Rule (Nov. 8, 2011). [40] After the requisition is awarded, IRS requires that certain IT vendors provide information on each of the assets prior to IRS receiving the assets ordered. This information usually comes in the form of a spreadsheet that contains data elements for each asset listed, such as the serial number, bar code, price, shipping date, and purchase order number. The asset management program office will use it to create a skeletal record in KISAM as a placeholder for the assets to be received. Assets that do not have a skeletal record in KISAM upon delivery will be manually input into the asset management system. [41] IRM § 2.14.1.13.12.7, Assignments (Nov. 8, 2011), and § 1.14.4.14.5.2, Disposition of Property - Excess (May 8, 2012). [42] IRM § 9.10.1.10.1, Disposing Vehicles (June 15, 2010). [43] IRM § 2.14.1.13.20, Excess and Disposal of IT Equipment (Nov. 8, 2011). [44] We reviewed a nonstatistical selection of 10 property and equipment acquisition transactions greater than $50,000 that were recorded in IRS's Integrated Financial System as of May 31, 2013. Of these, 3 were KISAM assets while the rest were nonpersonal property that is not tracked in either KISAM or CIMIS (specifically, internal use software and leasehold improvements). We also reviewed a nonstatistical selection of 7 KISAM assets and 3 CIMIS assets from a database of disposed assets recorded in each system as of June 30, 2013. Because both the acquisitions and disposals were nonstatistical selections, the results cannot be projected to the respective populations. [45] EOps is responsible for providing business entities and taxpayers with efficient, reliable, and secure server and mainframe services. [46] GSA helps federal agencies dispose of personal property that is no longer needed. GSA's property donation program enables certain nonfederal organizations to obtain such surplus property. [47] Internal Revenue Service, IRS Standard Operating Procedure, SACM/HDW-A/FY-001 v.2 (Feb. 16, 2011). [48] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [49] We proposed an audit adjustment for the $33 million understatement to fund balance with Treasury. Although IRS agreed with the amount of and reason for the adjustment, it did not record the adjustment because the amount of the error, in conjunction with other known and likely misstatements, did not cause the financial statements as a whole to be materially misstated. Nevertheless, by not recording the adjustment, IRS reported inaccurate information on its fiscal year 2013 financial statements. [50] IRS is authorized to make IA arrangements under 26 U.S.C. § 6159. [51] IRS charges IA user fees under the authority of 31 U.S.C. § 9701, and the implementing User Fee Regulations, codified, as amended, at 26 C.F.R. part 300. [52] IDRS is an IRS computer system that provides employees with the ability to research taxpayer account information, manually enter transactions, and make adjustments to taxpayer accounts. Transactions recorded in IDRS are transmitted to the master files daily. IRS's master files contain detailed records of taxpayer accounts, including information on tax and user fee assessments and payments. The information recorded in master files is ultimately recorded in IRS's general ledger, which is used to prepare the financial statements. [53] If the first payment is less than the amount of the fee owed, then the sweep program does not transfer any amounts until the taxpayer has made enough payments to cover the full amount of the fee. [54] Exchange revenue is reported as an offset to gross cost on IRS's Statement of Net Cost. It consists of revenues IRS earns or collects from the public and other federal, state, local, foreign, and private entities for providing services for which IRS receives fees or cost reimbursements. In fiscal year 2013, IRS reported $498 million of exchange revenue on its financial statements, of which $194 million consisted of IA user fee revenue. [55] In fiscal year 2013, IRS reported $2,251 million in its fund balance with Treasury account on the Balance Sheet. Unlike exchange revenue, which starts with a beginning balance of zero every year, fund balance with Treasury is an asset account with a balance that carries forward from year to year. Thus, the understatement to fund balance with Treasury from the previous year carries forward to the current year's beginning balance. This understatement is corrected early in the fiscal year when IRS eventually records the user fees that were collected in the previous year. Similarly, the understatement to fund balance with Treasury at the end of the current fiscal year will not be corrected until the following fiscal year. Thus, the impact on fund balance with Treasury on the current year's financial statements is the entire amount of this understatement. Since tax revenues collected by IRS do not belong to IRS, the user fees that are initially recorded as tax revenue are not recorded as cash in IRS's fund balance with Treasury account and are not transferred to the Department of the Treasury. Although this error also overstated the amount of tax revenues recorded in IRS's master files, it did not affect the amount of tax revenue reported on IRS's financial statements because reported tax revenues are rounded to the nearest billion. [56] The potential impact to exchange revenue was an overstatement, because the amount of fees recorded or reclassified as user fee revenue at the beginning of fiscal year 2013 that had been collected in fiscal year 2012 exceeded our $33 million estimate of fees that were collected during but not reclassified as user fee revenue by the end of fiscal year 2013. [57] Statement of Federal Financial Accounting Standards No. 7, Accounting for Revenue and Other Financing Sources and Concepts for Reconciling Budgetary and Financial Accounting, para. 36(a), May 10, 1996, as amended through June 30, 2013. [58] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [59] In fiscal year 2013, the maximum IA fee was $105; IRS also charged $52 to taxpayers that made their installment payments via direct debit; $43 to taxpayers whose incomes were at or below 250 percent of the poverty level; and $45 to taxpayers that restructured or reinstated a previous agreement. See the implementing User Fee Regulations, codified, as amended, at 26 C.F.R. part 300. [60] IRM § 5.19.1.5.4.6.2, Manual Establishment of a User Fee Module (Nov. 3, 2010), and § 5.19.1.5.4.6.3, User Fee Payment Transfer/User Fee Abatements (Dec. 4, 2009). [61] IRS's master files contain detailed records of taxpayer accounts. [62] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [63] Invalid refunds are refunds that should not have been issued. [64] The 67 refunds reviewed were selected from a population of 211 refunds issued during fiscal year 2013 that we identified as suspicious based on our comparison of death information IRS received from the Social Security Administration to related tax filing information in IRS's master files. The population of 211 refunds consisted of (1) 181 refunds issued to deceased taxpayers receiving one suspicious refund each, from which we selected a statistical sample of 37 refunds, and (2) 30 refunds issued to 12 deceased taxpayers that had received multiple suspicious refunds, from which we selected all of them for review. Based on the statistical sample of 37 refunds, we identified 33 invalid refunds and are 90 percent confident that at as much as 94.5 percent of the 181 suspicious refunds disbursed to deceased taxpayers resulted in invalid refunds. For the sample of 30 refunds disbursed to 12 deceased taxpayers, which was 100 percent of the population of multiple refunds that were disbursed, we identified 19 invalid refunds that were disbursed to 8 deceased taxpayers. As a result, we concluded that 63.3 percent of the 30 suspicious refunds, which were issued to 66.7 percent of the 12 deceased taxpayers in our population, were invalid. [65] The SP organization processes tax returns, related documents, and payments at IRS's Wage and Investment Submission Processing Centers. The IRS SP units that process deceased taxpayer tax returns include the Error Resolution System and the Entity Unpostable units. Of the 52 invalid refund claims identified, IRS indicated that SP reviewed 43 of these claims before the refunds were allowed to be disbursed. The other 9 invalid refund claims were processed by other IRS organizations, such as Accounts Management. [66] [hyperlink, http://www.gao.gov/products/GAO-13-420R]. [67] IRS also uses date of death information to assign certain error codes to the tax returns submitted using a deceased taxpayer's Social Security number. These error codes do not close the taxpayer's account. However, these returns will still be forwarded to an SP unit for review. [68] IRM § 3.12.3, Error Resolution, Individual Income Tax Returns (Jan. 1, 2013); IRM § 3.13.122, Campus Document Services, Individual Master File (IMF) Entity Control Unpostables (Jan. 1, 2013); and IRM § 3.13.5, Campus Document Services - Individual Master File (IMF) Account Numbers (Jan. 1, 2013). [69] A surviving spouse or a court-appointed representative is permitted to request a tax refund on behalf of the deceased taxpayer. However, the filing process and required tax form is different if filed during the year of death than if filed after the year of death. For example, a request for a refund for a deceased taxpayer after the year of death must be claimed by filing a Form 1041, U.S. Income Tax Return for Estates and Trusts, rather than filing a Form 1040, U.S. Individual Income Tax Return. Further, generally, the rules for deductions allowed to individual taxpayers also apply to deceased taxpayers when a final tax return is filed in the year of death. However, in the years subsequent to the deceased taxpayers' year of death, the rules on the eligibility for these deductions change. See Internal Revenue Service, Survivors, Executors, and Administrators, IRS Publication 559 (rev. Jan. 31, 2014). [70] IRM § 3.12.3.58.7.3, Correction Procedures (EC 028) (Jan. 1, 2013). [71] IRM § 3.13.122.21.4, UPC 182 - Social Security Number (SSN) Belongs to a Single Taxpayer (Jan. 1, 2013). [72] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [73] IRM § 21.6.6.3.22.2, Processing Decedent Account Refunds (Mar. 25, 2013). [74] IRM § 21.4.4, Refund Inquiries, Manual Refunds (Oct. 1, 2012). [75] The 161 refunds reviewed were statistically selected from a population of 3,648 suspicious refunds issued by IRS from January 1, 2013, through June 30, 2013, to deceased taxpayers for tax years 2008 and prior. The population of 3,648 refunds consisted of (1) 2,840 refunds issued to deceased taxpayers receiving one suspicious refund each, from which we selected a statistical sample of 45 refunds, and (2) 808 refunds issued to 316 deceased taxpayers that had received multiple suspicious refunds, from which we selected a statistical sample of 116 refunds disbursed to 42 deceased taxpayers for review. Multiple refunds may result, for example, from claims for multiple tax years. Based on the statistical sample of 45 refunds, we identified 11 refunds disbursed to deceased taxpayers who did not have a representative. As a result, we are 90 percent confident that as much as 34.5 percent of the 2,840 suspicious refunds disbursed to deceased taxpayers were issued on accounts that did not have a representative. For the statistical sample of 116 refunds disbursed to 42 deceased taxpayers, we identified 9 refunds disbursed to 4 deceased taxpayers who did not have a representative. As a result, we are 90 percent confident that as much as 11.6 percent of the 808 suspicious refunds, which pertain to 17.4 percent of the 316 deceased taxpayers, were issued on accounts that did not have a representative. [76] IRS considers a refund to be undeliverable if a refund check is returned by the post office or if the check is not cashed within the 12-month period allowed by the Limited Payability provision set forth by the Competitive Equality Banking Act of 1987, Pub. L. No. 100-86, § 1002, 101 Stat. 552, 658 (Aug. 10, 1987), codified at 31 U.S.C. § 3328. See IRM § 21.4.2.4.7, Limited Payability (LP) Rules (Oct. 1, 2006). [77] IRM § 21.6.6.3.22.2, Processing Decedent Account Refunds (Apr. 7, 2014). [78] This does not include information systems security recommendations reported separately and with limited distribution because of their sensitive nature. See [hyperlink, http://www.gao.gov/products/GAO-14-405]. [79] [hyperlink, http://www.gao.gov/products/GAO-13-420R]. [80] GAO, Internal Revenue Service: Immediate and Long-Term Actions Needed to Improve Financial Management, [hyperlink, http://www.gao.gov/products/GAO/AIMD-99-16] (Washington, D.C.: Oct. 30, 1998). [81] GAO, Internal Revenue Service: Recommendations to Improve Financial and Operational Management, [hyperlink, http://www.gao.gov/products/GAO-01-42] (Washington, D.C.: Nov. 17, 2000). [82] GAO, Management Report: Improvements Needed in IRS’s Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-05-247R] (Washington, D.C.: Apr. 27, 2005). [83] GAO, Management Report: Improvements Needed in IRS’s Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-06-543R] (Washington, D.C.: May 12, 2006). [84] GAO, Management Report: Improvements Needed in IRS’s Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-07-689R] (Washington, D.C.: May 11, 2007). [85] GAO, Management Report: Improvements Needed in IRS’s Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-08-368R] (Washington, D.C.: June 4, 2008). [86] GAO, Management Report: Improvements Needed to Enhance IRS’s Internal Controls and Operating Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-09-513R] (Washington, D.C.: June 24, 2009). [87] GAO, Management Report: Improvements Are Needed in IRS’s Internal Controls and Compliance with Laws and Regulations, [hyperlink, http://www.gao.gov/products/GAO-10-565R] (Washington, D.C.: June 28, 2010). [88] GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls and Operating Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-11-494R] (Washington, D.C.: June 21, 2011). [89] GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls and Operating Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-12-683R] (Washington, D.C.: June 25, 2012). [90] GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-13-420R] (Washington, D.C.: May 13, 2013). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548. [End of document]