This is the accessible text file for GAO report number GAO-08-693 entitled 'Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations' which was released on July 2, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Commissioner of Internal Revenue: United States Government Accountability Office: GAO: July 2008: Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations: Status of Recommendations: GAO-08-693: GAO Highlights: Highlights of GAO-08-693, a report to the Commissioner of Internal Revenue. Why GAO Did This Study: In its role as the nation’s tax collector, the Internal Revenue Service (IRS) has a demanding responsibility in annually collecting trillions of dollars in taxes, processing hundreds of millions of tax and information returns, and enforcing the nation’s tax laws. Since its first audit of IRS’s financial statements in fiscal year 1992, GAO has identified a number of weaknesses in IRS’s financial management operations. In related reports, GAO has recommended corrective action to address those weaknesses. Each year, as part of the annual audit of IRS’s financial statements, GAO not only makes recommendations to address any new weaknesses identified but also follows up on the status of weaknesses GAO identified in previous years’ audits. The purpose of this report is to (1) assist IRS management in tracking the status of audit recommendations and actions needed to fully address them and (2) demonstrate how the recommendations relate to control activities central to IRS’s mission and goals. What GAO Found: IRS has made significant progress in improving its internal controls and financial management since its first financial statement audit in 1992, as evidenced by 8 consecutive years of clean audit opinions on its financial statements, the resolution of several material internal control weaknesses, and actions resulting in the closure of over 200 financial management recommendations. This progress has been the result of hard work throughout the agency and sustained commitment at the top levels of the agency. However, IRS still faces financial management challenges. At the beginning of GAO’s audit of IRS’s fiscal year 2007 financial statements, 75 financial management-related recommendations from prior audits remained open because IRS had not fully addressed the issues that gave rise to them. During the fiscal year 2007 financial audit, IRS took actions that enabled GAO to close 18 of those recommendations. At the same time, GAO identified additional internal control issues resulting in 24 new recommendations. In total, 81 recommendations remain open at the end of fiscal 2007. To assist IRS in evaluating and improving internal controls, GAO categorized the 81 open recommendations by various internal control activities, which, in turn, were grouped into three broad control categories. Table: Summary of Open Recommendations by Control Category: Safeguarding of assets and security activities; Open at the beginning of 2007: 19; Closed during 2007 audit: 4; New from 2007 audit: 6; Total open for 2008: 21. Proper recording and documenting of transactions; Open at the beginning of 2007: 33; Closed during 2007 audit: 9; New from 2007 audit: 9; Total open for 2008: 33. Effective management review and oversight; Open at the beginning of 2007: 23; Closed during 2007 audit: 5; New from 2007 audit: 9; Total open for 2008: 27. Total; Open at the beginning of 2007: 75; Closed during 2007 audit: 18; New from 2007 audit: 24; Total open for 2008: 81. Source: GAO analysis of financial management recommendations made to IRS. [End of table] The continued existence of internal control weaknesses that gave rise to these recommendations represents a serious obstacle that IRS needs to overcome. Effective implementation of GAO’s recommendations can greatly assist IRS in improving its internal controls and achieving sound financial management and can help enable it to more effectively carry out its tax administration responsibilities. Most can be addressed in the short term (the next 2 years). However, a few recommendations, particularly those concerning IRS's automated systems, are complex and will require several more years to fully and effectively address. What GAO Recommends: GAO is making no new recommendations in this report. In commenting on this draft report, IRS stated that it is committed to implementing appropriate improvements to maintain sound financial management practices. To view the full product, including the scope and methodology, click on [http://www.gao.gov/cgi-bin/getrpt?GAO-08-693]. For more information, contact Steven J. Sebastian at (202)512-3406 or sebastians@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Scope and Methodology: IRS's Progress on Financial Management Recommendations: Open Recommendations Grouped by Control Activity: Open Recommendations Arranged by Related Material Weakness, Significant Deficiency, Compliance Issue, or Other Control Issue: Concluding Observations: Agency Comments and Our Evaluation: Appendix I: Status of GAO Recommendations from IRS Financial Audits and Related Management Reports: Appendix II: Open Recommendations Arranged by Control or Compliance Issue: Financial Reporting: Unpaid Tax Assessments: Tax Revenue and Refunds: Information Security: Hard-Copy Tax Receipts and Taxpayer Information: Release of Federal Tax Liens: Other Control Issues: Appendix III: Comments from the Internal Revenue Service: Appendix IV: Staff Acknowledgments: Tables: Table 1: Summary of Open Recommendations: Table 2: Recommendations to Improve IRS's Physical Controls over Vulnerable Assets: Table 3: Recommendations to Improve IRS's Segregation of Duties: Table 4: Recommendation to Improve IRS's Controls over Information Processing: Table 5: Recommendations to Improve IRS's Access Restrictions to and Accountability for Resources and Records: Table 6: Recommendations to Improve IRS's Documentation of Transactions and Internal Control: Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of Transactions and Events: Table 8: Recommendations to Improve IRS's Execution of Transaction and Events: Table 9: Recommendations to Improve IRS's Reviews by Management at the Functional or Activity Level: Table 10: Recommendations to Improve IRS's Establishment and Review of Performance Measures and Indicators: Table 11: Recommendations to Improve IRS's Management of Human Capital: Table 12: Material Weakness: Controls over Financial Reporting: Table 13: Material Weakness: Controls over Unpaid Assessments: Table 14: Material Weakness: Controls over Revenues and Issuing Refunds: Table 15: Significant Deficiency: Controls over Hard-Copy Receipts and Taxpayer Information: Table 16: Compliance with Laws and Regulations: Timely Release of Liens: Table 17: Other Control Issues Not Associated with a Material Weakness or Significant Deficiency: Abbreviations: ALS: Automated Lien System: ATFR: Automated Trust Fund Recovery: AUR: Automated Underreporter: AWSS: Agency-Wide Shared Services: BPMS: Business Performance Management System: CCTV: closed-circuit television: CDDB: Custodial Detail Data Base: FA: Field Assistance: FMFIA: Federal Managers' Financial Integrity Act of 1982: FMS: Financial Management Service: IDRS: Integrated Data Retrieval System: IFS: Integrated Financial System: IRACS: Interim Revenue and Accounting Control System: IRM: Internal Revenue Manual: IRS: Internal Revenue Service: LEM: Security Law Enforcement Manual: LMSB: Large and Mid- sized Business: LPG: Lockbox Processing Guidelines: LSG: Lockbox Security Guidelines: NFC: National Finance Center: OMB: Office of Management and Budget: P&E: property and equipment: SB/SE: Small Business/Self-Employed: SCC: service center campus: SETS: Security Entry and Tracking System: SP: Submission Processing: TAC: taxpayer assistance center: TE/GE: Tax Exempt and Government Entities: TFRP: Trust Fund Recovery Penalty: W&I: Wage and Investment: United States Government Accountability Office: Washington, DC 20548: July 2, 2008: The Honorable Douglas H. Shulman: Commissioner of Internal Revenue: Dear Mr. Shulman: In its role as the nation's tax collector, the Internal Revenue Service (IRS) has a demanding responsibility to collect taxes, process tax returns, and enforce the nation's tax laws. In fiscal year 2007, IRS collected about $2.7 trillion in tax payments, processed hundreds of millions of tax and information returns, and paid about $292 billion in refunds to taxpayers. Because of its role and overall mission, IRS's activities touch on virtually all of the nation's citizens. It is therefore critical that the agency strive to maintain sound financial management practices. IRS has made much progress in improving its financial management since it was first required to prepare and have audited a set of financial statements in fiscal year 1992. This progress was reflected in its ability to obtain and maintain a clean audit opinion on its financial statements each year beginning in fiscal year 2000, and to correct several material internal control weaknesses over the years and make many other improvements in internal control. At the same time, more remains to be done to address long-standing internal control issues that continue to exist at the agency. IRS continues to have weak or ineffective internal controls over fundamental elements of its operations that leave it vulnerable to a greater risk of fraud, waste, abuse, and mismanagement. This, in turn, has the potential to affect the lives of the nation's taxpayers, as our audits over the years have demonstrated. An agency's internal control environment serves as the first line of defense in safeguarding its assets and in preventing and detecting errors and fraud, as well as in helping to effectively manage its stewardship over public resources.[Footnote 1] Unfortunately, IRS continues to be challenged with several long-standing material weaknesses in internal control that are at the heart of IRS's operations.[Footnote 2] During our audit of IRS's fiscal year 2007 financial statements, we continued to find material weaknesses in controls over: * financial reporting, * unpaid tax assessments, * identifying and collecting tax revenues due and issuing tax refunds, and: * information systems security. In addition to the material weaknesses, we continued to identify a significant deficiency involving controls over hard-copy tax receipts and taxpayer data, which increase the government's and taxpayer's risk of loss or inappropriate disclosure or use of taxpayer data. To assist IRS in strengthening its internal controls and improving its operations, we have made numerous recommendations as part of our annual financial statement audits and other financial management-related work at IRS. This report is being provided to you to (1) assist IRS management in tracking the status of financial audit and financial management-related recommendations and the actions needed to address them and (2) demonstrate how the recommendations relate to control activities central to IRS's mission and goals. We are making no new recommendations in this report. Our work was performed from December 2007 through May 2008 in accordance with generally accepted government auditing standards. Results in Brief: IRS management continues to make progress in addressing many of the internal control issues that challenge the agency. IRS's actions have enabled us to close over 200 financial management-related recommendations over the years since our first audit of its financial statements in 1992. At the beginning of our fiscal year 2007 IRS financial statement audit, 75 financial management-related recommendations from our prior audits remained open. During the fiscal year 2007 financial statement audit, IRS took actions to effectively address issues that gave rise to numerous recommendations, enabling us to close 18 of those recommendations. Thus, 57 recommendations from prior years' audits remained open at the end of fiscal year 2007. In addition, during our fiscal year 2007 financial audit, we identified a number of additional internal control issues and, in a separate report, made 24 new recommendations to address these newly identified issues.[Footnote 3] As a result, a total of 81 recommendations to address IRS's internal control issues remained open at the end of fiscal year 2007. Additionally, 76 recommendations as a result of our assessment of IRS's information security controls over key financial systems, data, and interconnected networks at IRS's critical data processing facilities remained open at the end of fiscal year 2007. Recommendations resulting from the information security portion of our annual audits of IRS's financial statements are reported separately and are not included in this report primarily because of the sensitive nature of some of these issues. In analyzing the nature of the 81 financial management recommendations open at the end of fiscal year 2007, we determined that 21 recommendations (26 percent) relate to issues associated with IRS's lack of effective controls over safeguarding assets and security activities. Another 33 recommendations (41 percent) relate to issues associated with IRS's inability to properly record and document transactions. The remaining 27 recommendations (33 percent) relate to issues associated with lack of effective management review and oversight. Effectively and fully addressing these open recommendations would greatly assist IRS in improving its internal controls and achieving sound financial management. While most of our open recommendations can be addressed in the short term (within the next 2 years), a few recommendations, particularly those concerning IRS's automated systems, are complex and will require several more years to fully and effectively address. Finally, we analyzed the nature of the open recommendations to relate them to the material weakness, significant deficiency, compliance issue, and other control issues not associated with a material weakness or significant deficiency identified as part of our annual financial statement audits. Appendix II provides a listing of our 81 open recommendations grouped according to their related material weakness, significant deficiency, compliance issue, or other control issue as described in our opinion report on IRS's financial statement[Footnote 4]s. In commenting on a draft of this report, IRS expressed its appreciation for our acknowledgment of the agency's progress in addressing its financial management challenges as evidenced by our closure of 18 open financial management recommendations from GAO's prior year report. We have reprinted IRS's written comments in appendix III. Background: Internal control is not one event, but a series of actions and activities that occur throughout an entity's operations and on an ongoing basis. Internal control should be recognized as an integral part of each system that management uses to regulate and guide its operations rather than as a separate system within an agency. In this sense, internal control is management control that is built into the entity as a part of its infrastructure to help managers run the entity and achieve their goals on an ongoing basis. Section 3512 (c), (d) of Title 31, U.S. Code, commonly known as the Federal Managers' Financial Integrity Act of 1982 (FMFIA), requires agencies to establish and maintain internal control. The agency head must annually evaluate and report on the control and financial systems that protect the integrity of federal programs. The requirements of FMFIA serve as an umbrella under which other reviews, evaluations, and audits should be coordinated and considered to support management's assertion about the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations. Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for Internal Control, provides the implementing guidance for FMFIA, and sets out the specific requirements for assessing and reporting on internal controls consistent with the internal control standards issued by the Comptroller General of the United States.[Footnote 5] The circular defines management's responsibilities related to internal control and the process for assessing internal control effectiveness, and provides specific requirements for conducting management's assessment of the effectiveness of internal control over financial reporting. The circular requires management to annually provide assurances on internal control in its performance and accountability report, and for each of the 24 Chief Financial Officers Act agencies to include a separate assurance on internal control over financial reporting, along with a report on identified material weaknesses and corrective actions.[Footnote 6] The circular also emphasizes the need for integrated and coordinated internal control assessments that synchronize all internal control-related activities. FMFIA requires GAO to issue standards for internal control in the federal government. The Standards for Internal Control in the Federal Government (i.e., internal control standards) provides the overall framework for establishing and maintaining effective internal control and for identifying and addressing major performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement. As summarized in the internal control standards, the minimum level of quality acceptable for internal control in the government is defined by the following five standards, which also provide the basis against which internal controls are to be evaluated: * Control environment: Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management. * Risk assessment: Internal control should provide for an assessment of the risks the agency faces from both external and internal sources. * Control activities: Internal control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing the agency's control objectives. * Information and communications: Information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities. * Monitoring: Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved. The third control standard--control activities--helps ensure that management's directives are carried out. Control activities are the policies, procedures, techniques, and mechanisms that enforce management's directives. In other words, they are the activities conducted in the everyday course of business that are intended to accomplish a control objective, such as ensuring IRS employees successfully complete background checks prior to being granted access to taxpayer information and receipts. As such, control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achievement of effective results. A key objective in our annual audits of IRS's financial statements is to obtain reasonable assurance about whether IRS maintained effective internal controls with respect to financial reporting, including safeguarding of assets, and compliance with laws and regulations. While we use all five internal control standards as a basis for evaluating the effectiveness of IRS's internal controls, we place a heavy emphasis on testing control activities. Our evaluations and tests have resulted in the identification of issues in certain internal controls over the years and recommendations for corrective action. Scope and Methodology: To accomplish our objectives, we evaluated the effectiveness of IRS's corrective actions implemented in response to open recommendations during fiscal year 2007 as part of our fiscal years 2007 and 2006 financial audits. To determine the current status of the recommendations, we (1) obtained IRS's reported status of each recommendation and corrective action taken or planned as of April 2008, and (2) compared IRS's reported status to our fiscal year 2007 audit findings to identify any differences between IRS's and our conclusions regarding the status of each recommendation. In order to determine how these recommendations fit within IRS's management and internal control structure, we compared the open recommendations, and the issues that gave rise to them, to the control activities listed in the internal control standards and to the list of major factors and examples outlined in our Internal Control Management and Evaluation Tool.[Footnote 7] We also considered how the recommendations and the underlying issues were categorized in our prior reports; whether IRS had addressed, in whole or in part, the underlying control issues that gave rise to the recommendations; and other legal requirements and implementing guidance, such as OMB Circular No. A-123; FMFIA; and the Federal Information System Controls Audit Manual (FISCAM).[Footnote 8] Our work was performed from December 2007 through May 2008 in accordance with generally accepted government auditing standards. We requested comments on a draft of this report from the Commissioner of Internal Revenue or his designee on June 9, 2008. We received comments from the Commissioner on June 24, 2008. IRS's Progress on Financial Management Recommendations: IRS continues to make progress addressing its significant financial management challenges. Over the years since we first began auditing IRS's financial statements in fiscal year 1992, IRS has taken actions enabling us to close over 200 of our financial management-related recommendations. This includes 18 recommendations we are closing based on actions IRS took during the period covered by our fiscal year 2007 financial audit. At the same time, however, our audits continue to identify additional internal control issues, resulting in our making further recommendations for corrective action, including 24 new financial management-related recommendations resulting from our fiscal year 2007 financial audit. These internal control issues, and the resulting recommendations, can be directly traced to the control activities in the internal control standards. As such, it is essential that they be fully addressed and resolved to strengthen IRS's overall financial management and to assist it in efficiently and effectively achieving its goals and mission. Status of Recommendations Based on the Year 2007 Financial Statement Audit: In June 2007, we issued a report on the status of IRS's efforts to implement corrective actions to address financial management recommendations stemming from our fiscal year 2006 and prior year financial audits and other financial management-related work.[Footnote 9] In that report, we identified 75 audit recommendations that at that time remained open and thus required corrective action by IRS. A significant number of these recommendations had been open for several years, either because IRS had not taken corrective action or because the actions taken had not yet fully and effectively resolved the issues that gave rise to the recommendations. IRS continued to work to address many of the internal control issues to which these open recommendations relate. In the course of performing our fiscal year 2007 financial audit, we identified numerous actions IRS took to address many of its internal control issues. On the basis of IRS's actions, which we were able to substantiate through our audit, we are able to close 18 of these prior years' recommendations. IRS considers another 23 of the prior years' recommendations to be effectively addressed. However, we still consider them to be open either because we had not yet been able to verify the effectiveness of IRS's actions--they occurred subsequent to completion of our audit testing and thus have not been verified, which is a prerequisite to our closing a recommendation--or because the actions taken did not fully address the issue that gave rise to the recommendation. However, continued efforts are needed by IRS to address its internal control issues. While we are able to close 18 financial management recommendations made in prior years, 57 recommendations from prior years remain open, a significant number of which have been outstanding for several years. In some cases, IRS may have effectively addressed the issues that gave rise to the recommendations subsequent to our fiscal year 2007 audit testing. However, in many cases, we determined based on the work performed for our fiscal year 2007 audit that IRS's actions taken to date had not yet fully and effectively addressed the underlying internal control issues. Additionally, during our audit of IRS's fiscal year 2007 financial statements, we identified additional issues that require corrective action by IRS. In a recent management report to IRS,[Footnote 10] we discussed these issues, and made 24 new recommendations to IRS to address them. Consequently, a total of 81 financial management-related recommendations were open at the end of fiscal year 2007 and need to be addressed by IRS. While most of our open recommendations can be addressed in the short term,[Footnote 11] a few recommendations, particularly those concerning IRS's automated systems, are complex and will require several more years to fully and effectively address. We consider 71 recommendations to be short-term and 10 to be long-term. In addition to the 81 open recommendations from our financial audits and other financial management-related work, we have 76 open recommendations as a result of our assessment of IRS's information security controls over key financial systems, data, and interconnected networks at IRS's critical data processing facilities. One of those open recommendations relates to IRS's need to implement an agencywide information security program, the lack of which was a key reason for the material weakness in IRS's information systems security controls over its financial and tax processing systems. Unresolved, previously reported recommendations and newly identified ones related to information security increase the risk of unauthorized disclosure, modification, or destruction of financial and sensitive taxpayer data. Recommendations resulting from of the information security portion our annual audits of IRS's financial statements are reported separately and are not included in this report primarily because of the sensitive nature of some of these issues. Appendix I presents a list of (1) the 81 recommendations we have made based on our financial statement audits and other financial management- related work that we had not previously reported as closed prior to our fiscal year 2007 audit, (2) the status of each of those recommendations and corrective actions taken or planned as of April 2008 as reported to us by IRS, and (3) our analysis of whether the issues that gave rise to the recommendations have been effectively and fully addressed based on the work performed during our fiscal year 2007 financial statement audit. Appendix I also lists new recommendations we have made based on our fiscal year 2007 financial statement audit. The appendix lists the recommendations by the date on which the recommendation was made and by report number. Appendix II presents the open recommendations arranged by related material weakness, significant deficiency, compliance issue, or other control issue as described in our opinion report on IRS's financial statements. Open Recommendations Grouped by Control Activity: Linking the open recommendations from our financial audits and other financial management-related work, and the issues that gave rise to them, to internal control activities that are central to IRS's tax administration responsibilities provides insight regarding their significance. The internal control standards define 11 control activities. These control activities can be further grouped into three broad categories: * Safeguarding of assets and security activities: - physical control over vulnerable assets, - segregation of duties, - controls over information processing, and: - access restrictions to and accountability for resources and records. * Proper recording and documenting of transactions: - appropriate documentation of transactions and internal control, - accurate and timely reporting of transactions and events, and: - proper execution of transactions and events. * Effective management review and oversight: - reviews by management at the functional or activity level, - establishment and review of performance measures and indicators, - management of human capital, and: - top-level reviews of actual performance. Each of the open recommendations from our financial audits and financial management-related work, and the underlying issues that gave rise to them, can be traced back to 1 of the 11 control activities (grouped into three broad categories). Table 1 presents a summary of the open recommendations, each of which is categorized by the control activity to which it best relates. Table 1: Summary of Open Recommendations: Control category/control activity: Safeguarding of assets and security activities: Physical control over vulnerable assets; Open at start of fiscal year 2007 audit: 12; Closed during fiscal year 2007 audit: 3; Control category/control activity: New from fiscal year 2007 audit: 0; Total open as of the end of fiscal year 2007: 9; Percentage: 11. Control category/control activity: Safeguarding of assets and security activities: Segregation of duties; Open at start of fiscal year 2007 audit: 4; Closed during fiscal year 2007 audit: 1; New from fiscal year 2007 audit: 0; Total open as of the end of fiscal year 2007: 3; Percentage: 4. Control category/control activity: Safeguarding of assets and security activities: Controls over information processing[A]; Open at start of fiscal year 2007 audit: 1; Closed during fiscal year 2007 audit: 0; New from fiscal year 2007 audit: 0; Total open as of the end of fiscal year 2007: 1; Percentage: 1. Control category/control activity: Access restrictions to and accountability for resources and records; Open at start of fiscal year 2007 audit: 2; Closed during fiscal year 2007 audit: 0; New from fiscal year 2007 audit: 6; Total open as of the end of fiscal year 2007: 8; Percentage: 10. Control category/control activity: Subtotal; Open at start of fiscal year 2007 audit: 19; Closed during fiscal year 2007 audit: 4; New from fiscal year 2007 audit: 6; Total open as of the end of fiscal year 2007: 21; Percentage: 26. Control category/control activity: Proper recording and documenting of transactions: Appropriate documentation of transactions and internal controls; Open at start of fiscal year 2007 audit: 13; Closed during fiscal year 2007 audit: 6; New from fiscal year 2007 audit: 5; Total open as of the end of fiscal year 2007: 12; Percentage: 15. Control category/control activity: Proper recording and documenting of transactions: Accurate and timely recording of transactions and events; Open at start of fiscal year 2007 audit: 19; Closed during fiscal year 2007 audit: 3; New from fiscal year 2007 audit: 2; Total open as of the end of fiscal year 2007: 18; Percentage: 22. Control category/control activity: Proper recording and documenting of transactions: Proper execution of transactions and events; Open at start of fiscal year 2007 audit: 1; Closed during fiscal year 2007 audit: 0; New from fiscal year 2007 audit: 2; Total open as of the end of fiscal year 2007: 3; Percentage: 4. Control category/control activity: Proper recording and documenting of transactions: Subtotal; Open at start of fiscal year 2007 audit: 33; Closed during fiscal year 2007 audit: 9; New from fiscal year 2007 audit: 9; Total open as of the end of fiscal year 2007: 33; Percentage: 41. Control category/control activity: Effective management review and oversight: Reviews by management at the functional or activity level; Open at start of fiscal year 2007 audit: 17; Closed during fiscal year 2007 audit: 5; New from fiscal year 2007 audit: 7; Total open as of the end of fiscal year 2007: 19. Percentage: 23. Control category/control activity: Effective management review and oversight: Establishment and review of performance measures and indicators; Open at start of fiscal year 2007 audit: 3; Closed during fiscal year 2007 audit: 0; New from fiscal year 2007 audit: 0; Total open as of the end of fiscal year 2007: 3; Percentage: 4. Control category/control activity: Effective management review and oversight: Management of human capital; Open at start of fiscal year 2007 audit: 3; Closed during fiscal year 2007 audit: 0; New from fiscal year 2007 audit: 2; Total open as of the end of fiscal year 2007: 5; Percentage: 6. Control category/control activity: Effective management review and oversight: Subtotal; Open at start of fiscal year 2007 audit: 23; Closed during fiscal year 2007 audit: 5; New from fiscal year 2007 audit: 9; Total open as of the end of fiscal year 2007: 27; Percentage: 33. Total; Open at start of fiscal year 2007 audit: 75; Closed during fiscal year 2007 audit: 18. New from fiscal year 2007 audit: 24; Total open as of the end of fiscal year 2007:81; Percentage: 100. Source: GAO analysis of the status of financial management recommendations made to IRS. [A] Does not include an additional 76 information systems security recommendations, which are reported separately because of the sensitive nature of some of the issues that gave rise to these recommendations. [End of table] As table 1 indicates, 21 recommendations (26 percent) relate to issues associated with IRS's lack of effective controls over safeguarding of assets and security activities. Another 33 recommendations (41 percent) relate to issues associated with IRS's inability to properly record and document transactions. The remaining 27 open recommendations (33 percent) relate to issues associated with the lack of effective management review and oversight. On the following pages, we group the 81 open recommendations under the control activity to which the condition that gave rise to them most appropriately fits. We first define each control activity as presented in the internal control standards and briefly identify some of the key IRS operations that fall under that control activity. Although not comprehensive, the descriptions are intended to help explain why actions to strengthen these control activities are important for IRS to efficiently and effectively carry out its overall mission. For each recommendation, we also indicate whether it is a short-term or long- term recommendation. Safeguarding of Assets and Security Activities: Given IRS's mission, the sensitivity of the data it maintains, and its processing of trillions of dollars of tax receipts each year, one of the most important control activities at IRS is the safeguarding of assets. Internal control in this important area should be designed to provide reasonable assurance regarding prevention or prompt detection of unauthorized acquisition, use, or disposition of an agency's assets. We have grouped together the four control activities in the internal control standards that relate to safeguarding of assets (including tax receipts) and security activities (such as limiting access to only authorized personnel): (1) physical control over vulnerable assets, (2) segregation of duties, (3) controls over information processing, and (4) access restrictions to and accountability for resources and records. Physical Control over Vulnerable Assets: Internal control standard: an agency must establish physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment which might be vulnerable to risk of loss or unauthorized use. Such assets should be periodically counted and compared to control records. IRS is charged with collecting trillions of dollars in taxes each year, a significant amount of which is collected in the form of checks and cash accompanied by tax returns and related information. IRS collects taxes both at its own facilities as well as at lockbox banks that operate under contract with the Department of the Treasury's Financial Management Service (FMS) to provide processing services for certain taxpayer receipts for IRS. IRS acts as custodian for (1) the tax payments it receives until they are deposited in the General Fund of the U.S. Treasury and (2) the tax returns and related information it receives until they are either sent to the Federal Records Center or destroyed. IRS is also charged with controlling many other assets, such as computers and other equipment, but IRS's legal responsibility to safeguard tax returns and the confidential information taxpayers provide on tax returns makes the effectiveness of its internal controls with respect to physical security essential. IRS receives cash and checks mailed to its service centers or lockbox banks with accompanying tax returns and information or payment vouchers and payments made in person at its offices. While effective physical safeguards over receipts should exist throughout the year, it is especially important during the peak tax filing season. Each year during the weeks preceding and shortly after April 15, an IRS service center campus (SCC) or lockbox bank may receive and process daily over 100,000 pieces of mail containing returns, receipts, or both. The dollar value of receipts each service center and lockbox bank processes increases to hundreds of millions of dollars a day during the April 15 time frame. Of our 81 open recommendations, the following 9 open recommendations are designed to improve IRS's physical controls over vulnerable assets. All are short-term in nature. (See table 2.) Table 2: Recommendations to Improve IRS's Physical Controls over Vulnerable Assets: ID no.: 04-08; Recommendations: Enforce policies and procedures to ensure that service center campus security guards respond to alarms. (short-term). ID no.: 06-05; Recommendations: Equip all Taxpayer Assistance Centers (TACs) with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers such as locked doors marked with signs barring entrance by unescorted customers. (short- term). ID no.: 06-08; Recommendations: Enforce the requirement that all security or other responsible personnel at SCCs and lockbox banks record all instances involving the activation of intrusion alarms regardless of the circumstances that may have caused the activation. (short-term). ID no.: 06-15; Recommendations: Revise the physical security procedures in the Internal Revenue Manual (IRM) to require that all SCCs and any respective annex facilities processing taxpayer receipts and/or information perform and document monthly tests of the facilities' intrusion detection alarms. At a minimum, these procedures should (1) outline the type of test to be conducted, (2) include criteria for assessing whether the controls used to respond to the alarm were effective, and (3) require that a logbook be maintained to document the test dates, results, and response information. (short-term). ID no.: 07-01; Recommendations: Enforce the existing policy requiring that all lockbox banks encrypt backup media containing federal taxpayer information. (short-term). ID no.: 07-02; Recommendations: Ensure that lockbox banks store backup media containing federal taxpayer information at an off-site location as required by the 2006 Lockbox Security Guidelines. (short-term). ID no.: 07-03; Recommendations: Revise instructions for the annual reviews of lockbox banks to encompass routine monitoring of backup media containing personally identifiable information to ensure that this information is (1) encrypted prior to transmission and (2) stored in an appropriate off-site location. (short-term). ID no.: 07-04; Recommendations: Develop and implement appropriate corrective actions for any gaps in closed circuit TV (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the SCC's perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions. (short-term). ID no.: 07-20; Recommendations: Establish and maintain sufficient secured storage space to properly secure and safeguard its property and equipment inventory, including in-stock inventories assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Segregation of Duties: Internal control standard: Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event. IRS employees are responsible for processing trillions of dollars of tax receipts each year, of which hundreds of billions are received in the form of cash or checks,[Footnote 12] and for processing hundreds of billions of dollars in refunds to taxpayers. Consequently, it is critical that IRS maintain appropriate separation of duties to allow for adequate oversight of staff and protection of these vulnerable resources so that no single individual would be in a position of causing an error or irregularity, potentially converting the asset to personal use, and then concealing it. For example, when an IRS field office or lockbox bank receives taxpayer receipts and returns, it is responsible for depositing the cash and checks in a depository institution and forwarding the related information received to an SCC for further processing. In order to adequately safeguard receipts from theft, the person responsible for recording the information from the taxpayer receipts on a voucher should be different from the individual who prepares those receipts for transmittal to the SCC for further processing. Also, for procurement of goods and services, the person who places an order for goods and services should be different from the person who receives the goods and services. Such separation of duties will help to prevent the occurrence of fraud, theft of IRS assets, or both. The following three open recommendations would help IRS improve its separation of duties, which will in turn strengthen its controls over tax receipts and refunds and procurement activities. All are short-term in nature. (See table 3.) Table 3: Recommendations to Improve IRS's Segregation of Duties: ID no.: 02-16; Recommendations: Ensure that field office management complies with existing receipt control policies that require a segregation of duties between employees who prepare control logs for walk-in payments and employees who reconcile the control logs to the actual payments. (short- term). ID no.: 05-32; Recommendations: Establish policies and procedures to require appropriate segregation of duties in small business/self- employed units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages. (short- term). ID no.: 07-21; Recommendations: Develop and implement procedures to require that separate individuals place orders with vendors and perform receipt and acceptance functions when the orders are delivered. (short- term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Controls over Information Processing: Internal control standard: A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, and comparing file totals with control totals. There are two broad groupings of information systems control--general control (for hardware such as mainframe, network, end-user environments) and application control (processing of data within the application software). General controls include entitywide security program planning, management, and backup recovery procedures and contingency and disaster planning. Application controls are designed to help ensure completeness, accuracy, authorization, and validity of all transactions during application processing. IRS relies extensively on computerized systems to support its financial and mission-related operations. To efficiently fulfill its tax processing responsibilities, IRS relies extensively on interconnected networks of computer systems to perform various functions, such as collecting and storing taxpayer data, processing tax returns, calculating interest and penalties, generating refunds, and providing customer service. As part of our annual audits of IRS's financial statements, we assess the effectiveness of IRS's information security controls[Footnote 13] over key financial systems, data, and interconnected networks at IRS's critical data processing facilities that support the processing, storage, and transmission of sensitive financial and taxpayer data. From that effort over the years, we have identified information security control weaknesses that impair IRS's ability to ensure the confidentiality, integrity, and availability of its sensitive financial and taxpayer data. As of January 2008, there were 76 open recommendations from our information security work designed to improve IRS's information security controls.[Footnote 14] As discussed previously, recommendations resulting from our information security work are reported separately and are not included in this report primarily because of the sensitive nature of these issues. However, the following open short-term recommendation is related to systems limitations and IRS's need to enhance its computer programs. (See table 4.) Table 4: Recommendation to Improve IRS's Controls over Information Processing: ID no.: 02-18; Recommendations: Work with the National Finance Center (NFC) to resolve the technical limitations that exist within the Security Entry and Tracking System (SETS) database and continue to periodically review SETS data to detect and correct errors. (short- term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Access Restrictions to and Accountability for Resources and Records: Internal control standard: Access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained. Periodic comparison of resources with the recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration. Because IRS deals with a large volume of cash and checks, it is imperative that it maintain strong controls to appropriately restrict access to those assets, the records that track those assets, and sensitive taxpayer information. Although IRS has a number of both physical and information system controls in place, some of the issues we have identified in our financial audits over the years pertain to ensuring that those individuals who have direct access to these cash and checks are appropriately vetted before being granted access to taxpayer receipts and information and to ensuring that IRS maintains effective access security control. The following eight open short-term recommendations would help IRS improve its access restrictions to assets and records. (See table 5.) Table 5: Recommendations to Improve IRS's Access Restrictions to and Accountability for Resources and Records: ID no.: 05-11; Recommendations: Enforce adherence to existing instructions on safeguarding taxpayer receipts and information, such as securing access and candling procedures, at service center campuses selected for significant reductions in their submission processing functions. (short- term). ID no.: 05-13; Recommendations: Enforce its existing requirement that appropriate background investigations be completed for contractors before they are granted staff-like access to service centers. (short- term). ID no.: 08-09; Recommendations: Establish a mechanism to monitor compliance with existing requirement that TAC employees responsible for accepting taxpayer payments in cash have their computer system access appropriately restricted to limit their ability to adjust taxpayer accounts. (short-term). ID no.: 08-12; Recommendations: Establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to TAC and other field offices. (short-term). ID no.: 08-13; Recommendations: Require including, in all shredding service contracts, provisions requiring (1) completed background investigations for contractor employees before they are granted access to sensitive IRS information and (2) periodic, unannounced inspections at off-site shredding facilities by IRS to verify ongoing compliance with IRS safeguards and security requirements. (short-term). ID no.: 08-15; Recommendations: Establish procedures to require obtaining and reviewing documentation of completed background investigations for all shredding contractors before granting them access to taxpayer or other sensitive IRS information. (short-term). ID no.: 08-16; Recommendations: Reinforce existing policies requiring the use of the revised Form 13094 when hiring juveniles. (short-term). ID no.: 08-17; Recommendations: Reinforce existing policies requiring verification of the information on Form 13094 by contacting the reference directly and documenting the details of this contact. (short- term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Proper Recording and Documenting of Transactions: One of the largest obstacles continuing to face IRS management is the agency's lack of an integrated financial management system capable of producing the accurate, useful, and timely information IRS managers need to assist in making well-informed day-to-day decisions. While IRS is making progress in modernizing its financial management capabilities, it nonetheless continues to face many pervasive internal control weaknesses related to its long-standing systems deficiencies that we have reported each year since we began auditing its financial statements in fiscal year 1992. These deficiencies can only be addressed as part of a longer-term effort to overhaul and integrate IRS's financial management system structure. Because of the long- standing, pervasive nature of these deficiencies, their resolution is likely to require more than 2 additional years. Nevertheless, IRS also has a number of internal control issues that relate to recording transactions, documenting events, and tracking the processing of taxpayer receipts or information, which do not depend upon longer-term efforts to overhaul and integrate its information systems. We have grouped three control activities together that relate to proper recording and documenting of transactions: (1) appropriate documentation of transactions and internal controls, (2) accurate and timely recording of transactions and events, and (3) proper execution of transactions and events. Appropriate Documentation of Transactions and Internal Control: Internal control standard: Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form. All documentation and records should be properly managed and maintained. IRS collects and processes trillions of dollars in taxpayer receipts annually both at its own facilities and at lockbox banks under contract to process taxpayer receipts for the federal government. Therefore, it is important that IRS maintain effective controls to ensure that all documents and records are properly and timely recorded, managed, and maintained both at its facilities and at the lockbox banks. IRS must adequately document and disseminate its procedures to ensure that they are available for IRS employees. IRS must also document its management reviews of those controls, such as those regarding refunds and returned checks, credit card purchases, and reviews of TACs. Finally, to ensure future availability of adequate documentation, IRS must ensure that its systems, particularly those now being developed and implemented, have appropriate capability to trace transactions. The following 12 open recommendations would assist IRS in improving its documentation of transactions and internal control procedures. Eleven of these recommendations are short-term, and one is long-term. (See table 6.) Table 6: Recommendations to Improve IRS's Documentation of Transactions and Internal Control: ID no.: 05-14; Recommendations: Require that background investigation results for contractors (or evidence thereof) be on file where necessary, including at contractor worksites and security offices responsible for controlling access to sites containing taxpayer receipts and information. (short-term). ID no.: 05-39; Recommendations: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds. (short- term). ID no.: 06-01; Recommendations: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. (short-term). ID no.: 06-02; Recommendations: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including SCCs, TACs, and units within Large and Mid-sized Business (LMSB) and Tax-Exempt and Government Entities (TE/GE), establish a system to track acknowledged copies of document transmittals. (short-term). ID no.: 06-04; Recommendations: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. (short-term). ID no.: 06-07; Recommendations: Document supervisory visits by offsite managers to TACs not having a manager permanently on-site. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned. (short-term). ID no.: 07-15; Recommendations: Issue a memorandum to employees in the Centralized Insolvency Office reiterating the IRM requirement to timely record bankruptcy discharge information onto taxpayer accounts in the master file or to manually release the liens in the Automated Lien System (ALS). (short-term). ID no.: 08-01; Recommendations: As IRS proceeds with its implementation of Custodial Detail Data Base (CDDB), it should verify that when it becomes fully operational, CDDB, when used in conjunction with the Interim Revenue and Accounting Control System (IRACS), will provide IRS with the direct transaction traceability for all of its tax-related transactions as required by the U.S. Standard General Ledger (SGL), Federal Financial Management System Requirements (FFMSR), and thus Federal Financial Management Improvement Act of 1996 (FFMIA). (long- term). ID no.: 08-02; Recommendations: Document and implement the specific procedures to be performed by the IRS statistician in each step of the unpaid assessment estimation process. (short-term). ID no.: 08-07; Recommendations: Develop and provide comprehensive guidance to assist TAC managers to use in conducting reviews of outlying TACS and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews. (short-term). ID no.: 08-21; Recommendations: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase card approving officials update and maintain appropriate supporting documentation. (short-term). ID no.: 08-22; Recommendations: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase card holders and purchase card approving officials retain copies of all supporting documents for a reasonable period of time, such as 3 years. (short- term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Accurate and Timely Recording of Transactions and Events: Internal control standard: Transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from the initiation and authorization through its final classification in summary records. In addition, control activities help to ensure that all transactions are completely and accurately recorded. IRS is responsible for maintaining taxpayer records for tens of millions of taxpayers in addition to maintaining its own financial records. To carry out this responsibility, IRS often has to rely on outdated computer systems or manual work-arounds. Unfortunately, some of IRS's recordkeeping difficulties we have reported on over the years will not be addressed until it can replace its aging systems, which is a long-term effort and depends on future funding. The following 18 open recommendations would strengthen IRS's recordkeeping abilities. (See table 7.) Twelve of these recommendations are short-term, and 6 are long-term. They include specific recommendations regarding requirements for new systems for maintaining taxpayer records. Several of the recommendations listed affect financial reporting processes, such as subsidiary records and appropriate allocation of costs. Some of the issues that gave rise to several of our recommendations directly affect taxpayers, such as those involving duplicate assessments, errors in calculating and reporting manual interest, errors in calculating penalties, and recovery of trust fund penalty assessments. About 38 percent of these recommendations are 5 years or older and 1 is over 10 years old, reflecting the complex nature of the underlying system issues that must be resolved to fully address of some of these issues. Table 7: Recommendations to Improve IRS's Accurate and Timely Recording of Transactions and Events: ID no.: 94-02; Recommendations: Monitor implementation of actions to reduce the errors in calculating and reporting manual interest on taxpayer accounts and test the effectiveness of these actions. (short- term). ID no.: 99-01; Recommendations: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received. (short-term). ID no.: 99-03; Recommendations: Ensure that IRS's modernization blueprint includes developing a subsidiary ledger to accurately and promptly identify, classify, track, and report all IRS unpaid assessments by amount and taxpayer. This subsidiary ledger must also have the capability to distinguish unpaid assessments by category in order to identify those assessments that represent taxes receivable versus compliance assessments and write-offs. In cases involving trust fund recovery penalties, the subsidiary ledger should ensure that (1) the trust fund recovery penalty assessment is appropriately tracked for all taxpayers liable but counted only once for reporting purposes and (2) all payments made are properly credited to the accounts of all individuals assessed for the liability. (short-term). ID no.: 99-20; Recommendations: Analyze and determine the factors causing delays in processing and posting Trust Fund Recovery Penalty (TFRP) assessments. Once these factors have been determined, IRS should develop procedures to reduce the impact of these factors and to ensure timely posting to all applicable accounts and proper offsetting of refunds against unpaid assessments before issuance. (long-term). ID no.: 99-36; Recommendations: Make enhancements to IRS financial systems to include recording plant and equipment (P&E) and capital leases as assets when purchased and to generate detailed records for P&E that reconcile to the financial records. (long-term). ID no.: 01-17; Recommendations: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur. (long-term). ID no.: 01-39; Recommendations: Develop a mechanism to track and report the actual costs associated with reimbursable activities. (long-term). ID no.: 02-08; Recommendations: Implement policies and procedures to require that all employees itemize on their time cards the time spent on specific projects. (long-term). ID no.: 02-09; Recommendations: Implement policies and procedures to allocate nonpersonnel costs to programs and activities on a routine basis throughout the year. (long-term). ID no.: 06-22; Recommendations: Direct Facilities Management Branch managers to research and resolve the aging reports (short-term). ID no.: 07-09; Recommendations: Enhance its computer program to check for outstanding tax liabilities associated with both the primary and secondary Social Security numbers shown on a joint tax return and apply credits to those balances before issuing any refund. (short-term). ID no.: 07-11; Recommendations: Correct the penalty calculation programs in the master file so that penalties are calculated in accordance with the applicable Internal Revenue Code and implementing IRM guidance. (short-term). ID no.: 07-12; Recommendations: Research each of the taxpayer accounts that may have been affected by the penalty programming errors to determine whether they contain overassessed penalties and correct the accounts as needed. (short-term). ID no.: 07-13; Recommendations: Establish procedures and specify in the IRM that at the time of receipt, employees recording taxpayer payments should (1) determine if the payment is more than sufficient to cover the tax liability of the tax period specified on the payment or earliest outstanding tax period, (2) perform additional research to resolve any outstanding issues on the account, (3) determine whether the taxpayer has outstanding balances in other tax periods, and (4) apply available credits to satisfy the outstanding balances in other tax periods. (short-term). ID no.: 07-14; Recommendations: Establish procedures and specify in the IRM that employees review taxpayer accounts with freeze codes that contain credits weekly to (1) research and resolve any outstanding issues on the account, (2) determine whether the taxpayer has outstanding balances in other tax periods, and (3) apply available credits to satisfy the outstanding balances in other tax periods. (short-term). ID no.: 07-18; Recommendations: Adjust errors in recorded installment agreement user fees as necessary to correctly reflect the user fees IRS earned and collected from taxpayers. (short-term). ID no.: 08-06; Recommendations: In instances where computer programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM. (short-term). ID no.: 08-23; Recommendations: Issue a memorandum addressed to all personnel responsible for updating inventory records that reiterates IRS's existing policy requiring that new assets be inputted into the inventory system within 10 days of receipt. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Proper Execution of Transactions and Events: Internal control standard: Transactions and other significant events should be authorized and executed only by persons acting within the scope of their authority. This is the principal means of ensuring that only valid transactions to exchange, transfer, use, or commit resources and other events are initiated or entered into. Authorizations should be clearly communicated to managers and employees. IRS employs tens of thousands of people in its 10 SCCs, three computing centers, and numerous field offices throughout the United States. In addition, the number of staff increases significantly during the peak of the tax filing season. Because of the significant number of personnel involved, IRS must maintain effective control over which employees are authorized to either view or change sensitive taxpayer data. IRS's ability to establish access rights and permissions for information systems is a critical control. Each year, IRS pays out hundreds of billions of dollars in tax refunds, some of which are distributed to taxpayers manually.[Footnote 15] IRS requires that all manual refunds be approved by designated officials. However, weaknesses in the authorization of such approving officials expose the federal government to losses because of the issuance of improper refunds. Likewise, the failure to ensure that employees obtain appropriate authorizations to use purchase cards or initiate travel similarly leave the government open to fraud, waste, or abuse. The following three open short-term recommendations would improve IRS's controls over its manual refund, purchase card, and travel transactions. (See table 8.) Table 8: Recommendations to Improve IRS's Execution of Transaction and Events: ID no.: 05-37; Recommendation: Enforce documentation requirements relating to authorizing officials charged with approving manual refunds. (short- term). ID no.: 08-20; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase cardholders obtain funding approval or verify that funds are available for the intended purpose prior to making a purchase. (short-term). ID no.: 08-24; Recommendation: Issue a memorandum to employees that reiterates the policy requiring all employees to obtain appropriate approvals of travel authorizations prior to the initiation of travel. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Effective Management Review and Oversight: All personnel within IRS have an important role in establishing and maintaining effective internal controls, but IRS's managers have additional review and oversight responsibilities. Management must set the objectives, put control activities in place, and monitor and evaluate controls to ensure that they are followed. Without effective monitoring by managers, internal control activities may not be carried out consistently and on time. We have grouped three control activities together related to effective management review and oversight: (1) reviews by management at the functional or activity level, (2) establishment and review of performance measures and indicators, and (3) management of human capital. Although we also include the control activity "top-level reviews of actual performance" in this grouping, we do not have any open recommendations to IRS related to this internal control activity. Reviews by Management at the Functional or Activity Level: Internal control standard: Managers need to compare actual performance to planned or expected results throughout the organization and analyze significant differences. IRS has over 71,000 full-time employees and hires over 23,000 seasonal personnel to assist during the tax filing season. In addition, as discussed earlier, Treasury's Financial Management Service contracts with banks to process tens of thousands of individual receipts, totaling hundreds of billions of dollars. At any organization, management oversight of operations is important, but with an organization as vast in scope as IRS, management oversight is imperative. The following 18 short-term and one long-term open recommendations would improve IRS's management oversight of lockbox banks, courier services, user fees, penalty calculations, issuance of manual refunds, and the timely release of liens. (See table 9.) Many of these recommendations were made to correct instances where an internal control activity either does not exist or where an established control is not being adequately or consistently applied. However, a number of these recommendations are aimed at enhancing IRS's own assessment of its internal controls over financial reporting in accordance with the requirements of the revised OMB Circular No. A-123. Table 9: Recommendations to Improve IRS's Reviews by Management at the Functional or Activity Level: ID no.: 99-22; Recommendations: Expand IRS's current review of campus deterrent controls to include similar analyses of controls at IRS field offices in areas such as courier security, safeguarding of receipts in locked containers, requirements for fingerprinting employees, and requirements for promptly overstamping checks made out to "IRS" with "Internal Revenue Service" or "United States Treasury." Based on the results, IRS should make appropriate changes to strengthen its physical security controls. (short-term). ID no.: 01-06; Recommendations: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues. (short-term). ID no.: 05-33; Recommendations: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information. (short-term). ID no.: 05-38; Recommendations: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds. (short-term). ID no.: 07-17; Recommendations: Monitor installment agreement user fee activity on a regular basis. (short-term). ID no.: 07-19; Recommendations: Establish sufficient review procedures to help ensure that adjustments to installment agreement user fees collected from taxpayers are accurately and timely recorded. (short- term). ID no.: 07-22; Recommendations: Document the results of internal control tests conducted in a manner sufficiently clear and complete to explain how control procedures were tested, what results were achieved, and how conclusions were derived from those results, without reliance on supplementary oral explanation. (short-term). ID no.: 07-23; Recommendations: Clearly document how it considered existing reviews and audits in determining the nature, scope, and timing of procedures it planned to conduct under its OMB Circular No. A-123 process. (short- term). ID no.: 07-24; Recommendations: To the extent that it intends to use the information security work conducted under the Federal Information Security Management Act of 2002 (FISMA) to meet related A-123 requirements, identify the areas where the work conducted under FISMA does not meet the requirements of OMB Circular No. A-123 and, considering the findings and recommendations of our work on IRS's information security, expand FISMA procedures or perform additional procedures as part of the A-123 reviews to augment FISMA work. (short- term). ID no.: 07-25; Recommendations: Revise A-123 test plans to include appropriate consideration of the design of internal controls in addition to implementation of controls over individual transactions. (short-term). ID no.: 07-26; Recommendations: Work with Treasury to identify laws and regulations that are significant to financial reporting, test controls over compliance with those laws and regulations, and evaluate and report on the results of such control reviews. (short-term). ID no.: 07-27; Recommendations: Begin devising appropriate A-123 follow-up procedures for the last 3 months of the fiscal year to be implemented once the material weaknesses identified through the annual financial statement audits have been resolved. (short-term). ID no.: 08-04; Recommendations: To address the inconsistency in assigning the effective date of an accuracy penalty, modify the Business Master File computer program so that the date of the deficiency assessment is used as the effective date of any related accuracy penalty. (long-term). ID no.: 08-05; Recommendations: Complete and document the review of existing programs in the master files that affect penalty calculations to identify any instances in which programs are not functioning in accordance with the intent of the IRM. (short-term). ID no.: 08-08; Recommendations: Establish a process to periodically update and communicate the specific required reviews for all off-site TAC managers. (short-term). ID no.: 08-11; Recommendations: Modify the IRM to specify qualifications and geographical proximity requirements for individuals designated as first responders to duress alarms at IRS facilities, and to require that the responsibilities and qualifications of all designated first responders be periodically reviewed to verify that over time, they continue to be qualified and appropriately located, and to make any necessary adjustments. (short-term). ID no.: 08-14; Recommendations: Revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; document the results, including identification of any security issues; and verify that the contractor has taken appropriate corrective actions on any security issues observed. (short-term). ID no.: 08-18; Recommendations: Issue a memorandum to Receipt Control Operations Unit staff reiterating existing requirements for (1) supervisory reviews of the processing of TE/GE user fee deposits and (2) key documentation to be signed and dated by the supervisor as evidence of that review. (short-term). ID no.: 08-19; Recommendations: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase card approving officials and purchase cardholders sign and date monthly account statements attesting to their review and completion of the required reconciliation process. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Establishment and Review of Performance Measures and Indicators: Internal control standard: Activities need to be established to monitor performance measures and indicators. These controls could call for comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and appropriate actions taken. Controls should also be aimed at validating the propriety and integrity of both organizational and individual performance measures and indicators. IRS's operations include a vast array of activities encompassing educating taxpayers, processing of taxpayer receipts and data, disbursing hundreds of billions of dollars in refunds to millions of taxpayers, maintaining extensive information on tens of millions of taxpayers, and seeking collection from individuals and businesses that fail to comply with the nation's tax laws. Within its compliance function, IRS has numerous activities, including identifying businesses and individuals that underreport income, collecting from taxpayers that do not pay taxes, and collecting from those receiving refunds for which they are not eligible. Although IRS has at its peak over 94,000 employees, it still faces resource constraints in attempting to fulfill its duties. Because of this, it is vitally important for IRS to have sound performance measures to assist it in assessing its performance and targeting its resources to maximize the government's return on investment. However, in past audits we have reported that IRS did not capture costs at the program or activity level to assist in developing cost-based performance measures for its various programs and activities. As a result, IRS is unable to measure the costs and benefits of its various collection and enforcement efforts to best target its available resources. The following three long-term open recommendations are designed to assist IRS in evaluating its operations, determining which activities are the most beneficial, and establishing a good system for oversight. (See table 10.) These recommendations call for IRS to measure, track, and evaluate the costs, benefits, or outcomes of its operations-- particularly with regard to identifying its most effective tax collection activities. Table 10: Recommendations to Improve IRS's Establishment and Review of Performance Measures and Indicators: ID no.: 99-29; Recommendations: Develop the data to support meaningful cost information categories and cost-based performance measures. (long- term). ID no.: 01-04; Recommendations: As an alternative to prematurely suspending active collection efforts, and using the best available information, develop reliable cost-benefit data relating to collection efforts for cases with some collection potential. These cost-benefit data would include the full cost associated with the increased collection activity (i.e., salaries, benefits, administrative support), as well as the expected additional tax collections generated. (long-term). ID no.: 01-12; Recommendations: For (1) IRS's Automated Underreporter (AUR) and Combined Annual Wage Reporting (CAWR) programs, (2) screening and examination of Earned Income Tax Credit claims, and (3) identifying and collecting previously disbursed improper refunds, use the best available information to develop reliable cost-benefit data to estimate the tax revenue collected by, and the amount of improper refunds returned to, IRS for each dollar spent pursuing these outstanding amounts. These data would include (1) an estimate of the full cost incurred by IRS in performing each of these efforts, including the salaries and benefits of all staff involved, as well as any related nonpersonnel costs, such as supplies and utilities and (2) the actual amount (a) collected on tax amounts assessed and (b) recovered on improper refunds disbursed. (long-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Management of Human Capital: Internal control standard: Effective management of an organization's workforce--its human capital--is essential to achieving results and an important part of internal control. Management should view human capital as an asset rather than a cost. Only when the right personnel for the job are on board and are provided the right training, tools, structure, incentives, and responsibilities is operational success possible. Management should ensure that skill needs are continually assessed and that the organization is able to obtain a workforce that has the required skills that match those necessary to achieve organizational goals. Training should be aimed at developing and retaining employee skill levels to meet changing organizational needs. Qualified and continuous supervision should be provided to ensure that internal control objectives are achieved. Performance evaluation and feedback, supplemented by an effective reward system, should be designed to help employees understand the connection between their performance and the organization's success. As a part of its human capital planning, management should also consider how best to retain valuable employees, plan for their eventual succession, and ensure continuity of needed skills and abilities. IRS's operations cover a wide range of technical competencies with specific expertise needed in tax-related matters; financial management; and systems design, development, and maintenance. Because IRS has tens of thousands of employees spread throughout the country, it is imperative that management keeps its guidance up-to-date and its staff properly trained. The following five open short-term recommendations would assist IRS in its management of human capital. (See table 11.) Table 11: Recommendations to Improve IRS's Management of Human Capital: ID no.: 99-25; Recommendations: Ensure that additional staff are employed or existing staff appropriately cross-trained to be able to perform the master file extractions and other ad hoc procedures needed for IRS to continually develop reliable balances for financial reporting purposes. (short- term). ID no.: 07-08; Recommendations: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. (short- term). ID no.: 07-28; Recommendations: Provide A-123 review staff appropriate training, such as that available for financial auditors, to enhance their skills in workpaper documentation, identification and testing of internal controls, and evaluation and documentation of results. (short- term). ID no.: 08-03; Recommendations: Document and implement specific detailed procedures for reviewers to follow in their review of unpaid assessments statistical estimates. Specifically, IRS should require that a detailed supervisory review be performed to ensure: (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll-forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct. (short-term). ID no.: 08-10; Recommendations: Establish procedures requiring periodic verification that all individuals designated as first responders to TAC duress alarms are appropriately qualified and geographically located to respond to the potentially dangerous situations in an effective and timely manner. (short-term). Source: GAO analysis of financial management recommendations made to IRS. [End of table] Open Recommendations Arranged by Related Material Weakness, Significant Deficiency, Compliance Issue, or Other Control Issue: For several years, we have reported material weaknesses, a significant deficiency, noncompliance with laws and regulations, and other control issues in our annual financial statement audits and related management reports.[Footnote 16] To assist IRS in addressing those control issues, Appendix II provides summary information regarding the primary issue to which each open recommendation is related. To compile this summary, we analyzed the nature of the open recommendations to relate them to the material weaknesses, significant deficiency, compliance issues, and other control issues not associated with a material weakness or significant deficiency identified as part of our financial statement audit. Concluding Observations: Increased budgetary pressures and an increased public awareness of the importance of internal control require IRS to carry out its mission more efficiently and more effectively while protecting taxpayers' information. Sound financial management and effective internal controls are essential if IRS is to efficiently and effectively achieve its goals. IRS has made substantial progress in improving its financial management since its first financial audit, as evidenced by consecutive clean audit opinions on its financial statements for the past 8 years, resolution of several material internal control weaknesses, and actions taken resulting in the closure of hundreds of financial management recommendations. This progress has been the result of hard work by many individuals throughout IRS and sustained commitment of IRS leadership. Nonetheless, more needs to be done to fully address the agency's continuing financial management challenges. Further efforts are needed to address the internal control deficiencies that continue to exist. Effective implementation of the recommendations we have made and continue to make through our financial audits and related work could greatly assist IRS in improving its internal controls and achieving sound financial management. While we recognize that some actions-- primarily those related to modernizing automated systems--will take a number of years to resolve, most of our outstanding recommendations can be addressed in the short-term. Agency Comments and Our Evaluation: In commenting on a draft of this report, IRS expressed its appreciation for our acknowledgment of the agency's progress in addressing its financial management challenges as evidenced by our closure of 18 open financial management recommendations from GAO's prior year report. IRS also commented that it is committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. We will review the effectiveness of further corrective actions IRS has taken or will take and the status of IRS's progress in addressing all open recommendations as part of our audit of IRS's fiscal year 2008 financial statements. We are sending copies of this report to the Chairmen and Ranking Members of the Senate Committee on Appropriations; Senate Committee on Finance; Senate Committee on Homeland Security and Governmental Affairs; and Subcommittee on Taxation, IRS Oversight and Long-Term Growth, Senate Committee on Finance. We are also sending copies to the Chairmen and Ranking Members of the House Committee on Appropriations; House Committee on Ways and Means; the Chairman and Vice Chairman of the Joint Committee on Taxation; the Secretary of the Treasury; the Director of OMB; the Chairman of the IRS Oversight Board; and other interested parties. Copies will be made available to others upon request. In addition, the report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. If you have any questions concerning this report, please contact me at (202) 512-3406 or sebastians@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix IV. Sincerely yours, Signed by: Steven J. Sebastian: Director Financial Management and Assurance: [End of section] Appendix I: Status of GAO Recommendations from IRS Financial Audits and Related Management Reports: ID no.: 94-02; Recommendation: Monitor implementation of actions to reduce the errors in calculating and reporting manual interest on taxpayer accounts, and test the effectiveness of these actions. (short- term); Financial Management: Important IRS Revenue Information Is Unavailable or Unreliable (GAO/AIMD-94-22; , Dec. 21, 1993); Status per IRS: Open. The Internal Revenue Service's (IRS) Exam Policy has expanded its action plan to include short-term actions for fiscal year 2008. By June 30, 2008, it plans to issue a memorandum to emphasize the importance of training employees who calculate interest and outline available training modules. By September 30, 2008, it plans to offer assistance reviews as requested to verify adherence to procedures, and to improve the process for employees to elevate issues to the program office for resolution. By January 1, 2009, Exam Policy will coordinate additional interest- related training to target field exam and collection personnel; Status per GAO: Open. In testing a statistical sample of 45 manual interest transactions recorded during fiscal year 2006, we found eight errors relating to the calculation and recording of manually calculated interest. Based on this, we estimated that 18 percent of IRS's manual interest population contains errors and concluded that IRS's controls over this area remain ineffective. The ineffectiveness of these controls contributes to errors in taxpayer records, which is a major component of the material weakness in IRS's unpaid assessments. During fiscal year 2007, IRS did not make any significant improvements to controls related to manual interest calculations. We will continue to evaluate IRS's corrective actions in future audits. ID no.: 99-01; Recommendation: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received. (short-term)Internal Revenue Service: Immediate and Long-Term Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 30, 1998); Status per IRS: Open. IRS's Small Business/Self-Employed (SB/SE) Division began a Trust Fund Recovery Penalty (TFRP) Database Cleanup Initiative in September 2006 that involved a combined systemic clean-up and systemically-assisted, manual cleanup. SB/SE completed the clean-up initiative in January 2008. According to IRS, one of the accomplishments of the clean-up initiative was to reduce cross- reference errors by 32.4 percent. IRS will continue to identify and submit work requests to address current programming shortfalls, corrections and enhancements to the Automated Trust Fund Recovery (ATFR) program and database. The Work Request Tracking System will improve the Area Office, Control Point Monitoring, and Campus Compliance components of the database. These enhancements and improvements include but are not limited to minimizing accounts requiring manual intervention, providing increased managerial oversight through the creation of various reports and improvements to the current inventory delivery system; Status per GAO: Open. IRS has taken several actions to strengthen controls and correct programming or procedural deficiencies in the cross-referencing of payments. To ensure quality, timeliness, and accuracy of the TFRP process, IRS recently completed a quality review process that improved the accuracy rate of cross- references recorded in its master files. Additionally, IRS continues to monitor the accuracy and effectiveness of the TFRP process and all corrective actions already in place. However, IRS's actions have not been completely successful in addressing this issue. As part of our fiscal year 2007 financial audit, we reviewed a statistical sample of 76 TFRP payments, made on accounts created since August 2001. We found nine instances in which IRS did not properly record the payments to all related taxpayer accounts. We estimate that 11.8 percent of these payments may not be properly recorded. Thus, we conclude that IRS's controls over this area remain ineffective. The ineffectiveness of these controls contributes to errors in taxpayer records, which is a major component of our reported material weakness in IRS's unpaid assessments. We will continue to review IRS's corrective actions to address this issue during our fiscal year 2008 audit. ID no.: 99-03; Recommendation: Ensure that IRS's modernization blueprint includes developing a subsidiary ledger to accurately and promptly identify, classify, track, and report all IRS unpaid assessments by amount and taxpayer. This subsidiary ledger must also have the capability to distinguish unpaid assessments by category in order to identify those assessments that represent taxes receivable versus compliance assessments and write-offs. In cases involving trust fund recovery penalties, the subsidiary ledger should ensure that (1) the trust fund recovery penalty assessment is appropriately tracked for all taxpayers liable but counted only once for reporting purposes and (2) all payments made are properly credited to the accounts of all individuals assessed for the liability. (short-term); Source report: Internal Revenue Service: Immediate and Long-Term Actions Needed to Improve Financial Management (GAO/AIMD-99-16, Oct. 30, 1998); Status per IRS: Open. IRS is developing the Custodial Detailed Data Base (CDDB), which it believes will ultimately address many of the outstanding financial management recommendations. IRS implemented the first phase of the CDDB during fiscal year 2006. In fiscal year 2007, IRS enhanced the CDDB to process a larger percentage of accounts associated with unpaid payroll taxes and began journalizing unpaid assessment information from CDDB to the Interim Revenue and Accounting Control System (IRACS) weekly; the first step in establishing CDDB to serve as the subsidiary ledger for unpaid assessments. For fiscal year 2008, IRS is continuing to enhance the CDDB in order to process an even larger percentage of accounts associated with unpaid payroll taxes; Status per GAO: Open. IRS's development and use of CDDB has improved its ability to analyze and classify related taxpayer accounts associated with unpaid payroll taxes. However, CDDB is currently not able to analyze and classify 100 percent of such cases. In fiscal year 2007, IRS implemented CDDB programs to begin journalizing tax debt information from its master files to its general ledger weekly, a first step in establishing CDDB's capability to serve as a subsidiary ledger for unpaid tax debt. However, IRS is presently unable to use CDDB as its subsidiary ledger for posting tax debt information to its general ledger in a manner that ensures reliable external reporting. Specifically, to report balances for taxes receivables and other unpaid tax assessments in its financial statements and required supplemental information, IRS must continue to apply statistical sampling and estimation techniques to master file data processed through CDDB at year-end. Even though CDDB is capable of analyzing master file data weekly to produce tax debt information classified into the various financial reporting categories (taxes receivables, compliance assessments, and write-offs), this information contains material inaccuracies. For example, over $20 billion in adjustments to the year- end gross taxes receivable balance produced by CDDB were needed to correct for errors. Full operational capability of CDDB is several years away and depends in part on the successful implementation of future system releases through 2009. The lack of a fully functioning subsidiary ledger capable of producing accurate, useful, and timely information with which to manage and report externally is a major component of our reported material weakness in IRS's unpaid assessments. We will continue to monitor IRS's development of CDDB during our fiscal year 2008 and future audits. ID no.: 99-19; Recommendation: Ensure that walk-in payment receipts are recorded in a control log prior to depositing the receipts in the locked container and ensure that the control log information is reconciled to receipts prior to submission of the receipts to another unit for payment processing. To ensure proper segregation of duties, an employee not responsible for logging receipts in the control log should perform the reconciliation. (short-term); Status report: Internal Revenue Service: Physical Security Over Taxpayer Receipts and Data Needs Improvement (GAO/AIMD-99-15, Nov. 30, 1998); Status per IRS: Closed. Recommendation is no longer directly applicable to IRS's current business operations. The Wage and Investment (W&I) Division is no longer organized by districts, and no longer has teller functions. The operations aspect of the recommendation has been addressed with procedures and processes in recommendation 99-22. Managerial aspects of the control logs and reviews are addressed in recommendations 02-16 and 05-33, where IRS addresses its monitoring activities and efforts to improve its current state of compliance; Status per GAO: Closed. The original report issued in November 1998 directs the intent of this recommendation to the Customer Service Units at district offices that collected walk-in payments. Since that time IRS reorganized its operations into four operating divisions with particular responsibility for the collection of individual and corporate taxes, examination of returns, and taxpayer assistance. Specifically, the W&I Division's Taxpayer Assistance Centers (TACs) now handle the collection of walk-in payment receipts. Therefore, we agree that recommendations 99-22, 02-16 and 05-33 address the substance of the weaknesses reported in the November 1998 report. We will continue to monitor those recommendations to assess IRS's corrective actions. ID no.: 99-20; Recommendation: Analyze and determine the factors causing delays in processing and posting Trust Fund Recovery Penalty (TFRP) assessments. Once these factors have been determined, IRS should develop procedures to reduce the impact of these factors and to ensure timely posting to all applicable accounts and proper offsetting of refunds against unpaid assessments before issuance. (long-term); Source report: Internal Revenue Service: Custodial Financial Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); Status per IRS: Open. IRS implemented the Area Office (AO) ATFR Web application. This implementation included the Web version of the Control Point Monitoring (CPM) portion of the application. The CPM acts as the conduit from the AO to the Campus for assessment. IRS drafted new Internal Revenue Manual (IRM) procedures to complement the CPM AO Web processing, and is currently testing these procedures. IRS plans to assess the results of the test and implement the IRM procedures as appropriate. IRS continues to identify and submit Work Requests and Information Technology Assets Management System tickets to enhance the assessment process and provide for efficiencies in the CPM process. These include but are not limited to the systemic generation of the Form 5942, redefining the current inventory assignment system and creating inventory and management reports; Status per GAO: Open. To ensure quality, timeliness, and accuracy of the TFRP process, the IRS initiated a quality review process that focused on two primary areas, the first being consolidation of all TFRP work to one campus. Consolidation of all SB/SE ATFR work to the Ogden Campus was completed in September 2005. All W&I business unit TFRP work was transferred to SB/SE Campuses as of January 2006. The second area IRS undertook was the task of rewriting the ATFR area office user component to provide system flexibility that better replicates the realities of the current trust fund investigation/proposal process. IRS continues to monitor the accuracy and effectiveness of the TFRP process and all corrective actions already in place. According to IRS, it completed consolidation of ATFR work at its Ogden Campus by September 2005. However, during our fiscal year 2007 audit, we continued to find long delays in IRS's processing and posting of TFRP assessments. In one case, we noted that IRS did not record the assessment against the responsible officer until 4 years after it made the determination that the officer was responsible for the TFRP. In another case, IRS did not record the TFRP assessment against the officer until almost 3 years after it made the determination that the officer was responsible for the TFRP. Such delays in recording taxpayer information contribute to errors in taxpayer records, which is a major component of our reported material weakness in IRS's unpaid assessments. We will continue to review IRS's corrective actions related to this issue as part of our fiscal year 2008 audit. ID no.: 99-22; Recommendation: Expand IRS's current review of campus deterrent controls to include similar analyses of controls at IRS field offices in areas such as courier security, safeguarding of receipts in locked containers, requirements for fingerprinting employees, and requirements for promptly overstamping checks made out to "IRS" with "Internal Revenue Service" or "United States Treasury." Based on the results, IRS should make appropriate changes to strengthen its physical security controls. (short-term); Source report: Internal Revenue Service: Custodial Financial Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); Status per IRS: Closed. All IRS field offices continue to provide training and to perform reviews to strengthen controls over remittances. The Large and Mid-sized Business (LMSB) requires each field executive to certify that each group either had in its possession or was able to obtain the stamp. LMSB obtained certifications from the LMSB Industry Headquarter Offices that field groups are maintaining and using the US Treasury stamps, and that they are covering these procedures periodically in group meetings or through issuance of memorandums. LMSB implemented a training module on July 28, 2006 on the responsibilities and procedures for payment processing and check handling. SB/SE collection group managers have been instructed to periodically review remittance packages transmitted by revenue officers and designated clerical employees using a random selection process. In addition, territory managers review the group manager's control of those reviews. SB/SE Headquarters will be addressing this in interviews with territory managers as part of their operational reviews. Tax Exempt and Government Entities (TE/GE) continues to perform reviews to ensure adherence to the IRM procedures and to require managers to confirm that each group either had in its possession or was able to obtain the stamp; Status per GAO: Open. The objective of this recommendation was to create a mechanism for IRS to monitor the status of pervasive weaknesses in controls over taxpayer receipts and information that we have found at IRS's field offices over the years. The purpose of this monitoring is to facilitate the timely detection and effective resolution of issues and to verify the effectiveness of new and existing policies and procedures on an ongoing basis. During our fiscal year 2007 audit, we identified one instance at an SB/SE unit where employees did not have access to stamps needed to overstamp improper payee lines. Also, at five SB/SE field offices we found that there was no system in place or evidence maintained to track acknowledged document transmittals. Had IRS periodically reviewed the effectiveness of these controls in field offices as we recommended, these issues might have been detected and corrected. In addition, during our review of IRS's response to this recommendation, we asked IRS to provide a list and blank copies of the reviews that are performed within the LMSB, SBSE, and TEGE business units that address key controls over (1) physical security, (2) procedural safeguards, and (3) the transfer of taxpayer receipts and information. While IRS provided extensive explanations of the various procedures and reviews that are performed, IRS did not provide copies of the reviews covering all three business units for our evaluation to assess the adequacy and frequency of these reviews. We will continue to assess IRS's actions during our fiscal year 2008 audit. ID no.: 99-25; Recommendation: Ensure that additional staff are employed or existing staff appropriately cross-trained to be able to perform the master file extractions and other ad hoc procedures needed for IRS to continually develop reliable balances for financial reporting purposes. (short- term); Source report: Internal Revenue Service: Custodial Financial Management Weaknesses (GAO/AIMD-99-193, Aug. 4, 1999); Status per IRS: Open. The IRS is continuing to develop CDDB. Each release is providing more detail for unpaid assessments, and new functionality will be added for revenue and refunds in fiscal year 2008 to reduce the reliance on master file extracts and ad hoc procedures. The Chief Financial Officers (CFO) office has hired three additional staff and is cross-training existing staff to perform more of the ad hoc procedures to reduce the work on Modernization & Information Technology Services for financial reporting purposes. IRS continues to have contractor support to ensure that master file extracts and other ad hoc procedures are in place to continually develop reliable balances for financial reporting purposes while it finalizes CDDB and develops the IRACS redesign to be a compliant general ledger; Status per GAO: Open. We will continue to assess IRS's actions during our fiscal year 2008 audit. ID no.: 99-29; Recommendation: Develop the data to support meaningful cost information categories and cost-based performance measures. (long- term); Source report: Internal Revenue Service: Serious Weaknesses Impact Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 1999); Status per IRS: Open. IRS now has 3 complete years of fully allocated cost data in the Integrated Financial System (IFS). The Statement of Net Costs is now produced from the cost accounting module of IFS. IRS also initiated a project in fiscal year 2007 to identify the issues associated with developing a methodology for determining the costs of performance measures within IRS; Status per GAO: Open. We confirmed that IRS continued to improve its cost accounting capability in fiscal year 2007. However, while the cost accounting module of IFS successfully produced the Statement of Net Costs, it still does not provide IRS with the ability to produce full cost information for its performance measures. IRS states that it initiated a strategy to develop cost data for performance measures. We will continue to review and assess IRS's initiatives during our fiscal year 2008 audit. ID no.: 99-36; Recommendation: Make enhancements to IRS financial systems to include recording plant and equipment (P&E) and capital leases as assets when purchased and to generate detailed records for P&E that reconcile to the financial records. (long-term); Source report: Internal Revenue Service: Serious Weaknesses Impact Ability to Report on and Manage Operations (GAO/AIMD-99-196, Aug. 9, 1999); Status per IRS: Closed. IRS continues to strengthen internal controls and procedures to enhance its ability to account for P&E in IFS. P&E, including capital leases, are recorded as assets when purchased. During fiscal year 2007, IRS revised the dollar threshold for review of P&E accounting transactions and conducted intensive reviews of the large- dollar transactions, increasing the accuracy of P&E reporting. IRS also improved its capability to capitalize assets or expense other items and to properly account for Business System Modernization costs in internal use software; Status per GAO: Open. Our fiscal year 2007 P&E valuation testing revealed problems with the linking of the purchase of assets recorded in the general ledger system to the P&E inventory system, which indicates that IRS's detailed P&E records do not yet fully reconcile to the financial records. We will continue to monitor IRS's strategy in addressing these financial management system issues. ID no.: 01-04; Recommendation: As an alternative to prematurely suspending active collection efforts, and using the best available information, develop reliable cost-benefit data relating to collection efforts for cases with some collection potential. These cost-benefit data would include the full cost associated with the increased collection activity (i.e., salaries, benefits, administrative support), as well as the expected additional tax collections generated. (short-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status per IRS: Open. IRS has developed a workload delivery model that integrates the work plans of each source of assessment to evaluate the overall impact on downstream collection operations. IRS is continuing to look at case delivery practices from an overall perspective and make recommendations for changes to case routing and assignment priorities. IRS is also monitoring the nonfiler strategy and work plans to improve the identification of and selection of nonfiler cases to balance the working of nonfiler inventory with balance-due inventory. Additionally, IRS is also continuing the project to enhance its decision analytical models used for selecting cases based on their predicted collection potential to apply decision analytics to both delinquent accounts and unfiled returns; apply decision analytics to all categories of taxpayer not just small business, self-employed; expand the use of internal and external data sources to increase the portion of cases predicted by the models; ultimately develop alternative treatment strategies based on the least costly treatment indicated by the models; and update definitions for complex cases to improve routing to field collection; Status per GAO: Open. According to IRS, SB/SE has initiated several projects to build additional decision analytical models to increase its ability to route cases to the appropriate resource. These projects utilize more sophisticated computer modeling and risk assessment techniques to improve the targeting of cases to pursue. The Collection Governance Council was established to ensure the inventory is balanced and resources are expended appropriately. IRS has estimated several billion dollars in additional tax collections have been realized through the use of the collection approach developed from the projects. Although these efforts have helped IRS target cases for collection, its ability to assess the relative merits of these efforts continues to be hindered by its inability to reliably measure how much it collects as a result of these efforts, relative to their associated costs. In addition, these efforts are primarily focused on SB/SE, thus they do not represent an integrated agencywide systemic approach to managing the collection of unpaid taxes across the scope of IRS's activities. IRS has made some improvements in prioritizing its inventory of collection cases; but more needs to be done by IRS to address the full range of cost-benefit considerations. We will continue to review IRS's initiatives to manage resource allocation levels for its collection efforts. ID no.: 01-06; Recommendation: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues. (short-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status per IRS: Open. IRS continues to address and correct issues that cause late lien releases through a Lien Release Action Plan, and conducting reviews as a part of A-123. In April 2007 IRS's review of lien releases found it had improved the timely release of liens to 88 percent, a 19 percentage point increase from the 69 percent timeliness rate in fiscal year 2006. IRS added new action items and corrective actions to address new and repeat issues. IRS's goal is to reduce overall lien release error rates to below 5 percent by September 30, 2009; Status per GAO: Open. IRS has taken a number of actions over the past several years to address this issue. IRS developed an action plan to incorporate the requirements of the revised OMB Circular No. A-123. The overall action addresses untimely lien releases, including identification of causes and where they occur organizationally. For example, IRS centralized all lien processing at its Cincinnati Service Center Campus in 2005. Additionally, in July 2006, IRS enhanced various lien-processing exception reports to include a cumulative listing of unresolved lien releases, allowing it to more readily track the release status and take corrective action. However, during our fiscal year 2007 audit, we continued to find delays in the release of liens. In its OMB No. A-123 testing of lien releases, IRS found 7 instances out of 59 cases tested in which it did not release the applicable federal tax lien within the statutory period. The time between the satisfaction of the liability and release of the lien ranged from 35 days to 135 days. Based on its sample, IRS estimated that for about 12 percent of unpaid tax assessment cases in which it had filed a tax lien that were resolved in fiscal year 2007, it did not release the lien within 30 days. IRS is 95 percent confident that the percentage of cases in which the lien was not released within 30 days does not exceed 21 percent. IRS's ineffective controls over this area results in its non-compliance with Internal Revenue Code section 6325 which requires IRS to release its tax liens within 30 days of the date the related tax liability was fully satisfied, had become legally unenforceable, or the Secretary of the Treasury has accepted a bond for the assessed tax. We will continue to assess the affect of IRS's actions and continue to review IRS's testing of tax lien releases as part of our fiscal year 2008 audit. ID no.: 01-12; Recommendation: For (1) IRS's Automated Underreporter (AUR) and Combined Annual Wage Reporting (CAWR) programs, (2) screening and examination of Earned Income Tax Credit claims, and (3) identifying and collecting previously disbursed improper refunds, use the best available information to develop reliable cost-benefit data to estimate the tax revenue collected by, and the amount of improper refunds returned to, IRS for each dollar spent pursuing these outstanding amounts. These data would include (1) an estimate of the full cost incurred by IRS in performing each of these efforts, including the salaries and benefits of all staff involved, as well as any related nonpersonnel costs, such as supplies and utilities and (2) the actual amount (a) collected on tax amounts assessed and (b) recovered on improper refunds disbursed. (long-term); Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status per IRS: Open. IRS has taken steps to screen and examine Earned Income Tax Credit (EITC) claims and to address the collection of AUR and CAWR as part of the workload delivery model. For EITC IRS is pursuing estimating the full cost of these programs, and in the interim IRS is using information such as annual error rate estimates and high-level return on investment (ROI) computations for EITC base compliance activities and initiatives to make sound decisions about resource investments. IRS employs a ROI estimate for compliance activities that uses labor costs associated with protecting revenue for both pre-refund and post-refund activities. Since labor represents approximately 73 percent of the total IRS budget (2007) and 91 percent of the EITC budget, ROI calculations using labor costs provide valid cost/benefit data which are used, along with other data and program considerations, to make sound program decisions. The IRS released two reports that include ROI discussions and it is in the process of finalizing a summary report on the 3-year test to assess investments in a certification requirement versus other potential compliance investments. SB/SE is monitoring the nonfiler strategy and work plans to improve the identification of and selection of non-filer cases to balance the working of nonfiler inventory with balance-due inventory. SB/SE continues to review this model to ultimately develop alternative treatment strategies based on the least costly treatment indicated by the models. The CFO also initiated a cost pilot during fiscal year 2007 to determine the costs of several performance measures within AUR, and will share this information at the conclusion of the cost pilot; Status per GAO: Open. In fiscal year 2008, we will continue to follow up on IRS's progress on the various initiatives taken as well as IRS's progress in estimating the full cost of these programs. ID no.: 01-17; Recommendation: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur; Source report: Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, Nov. 17, 2000); Status per IRS: Closed. IRS continues to strengthen internal controls and procedures to enhance its ability to account for P&E in IFS. P&E, including capital leases, are recorded as assets when purchased. During fiscal year 2007, IRS revised the dollar threshold for review of P&E accounting transactions and conducted intensive reviews of the large- dollar transactions, increasing the accuracy of P&E reporting. IRS also improved its capability to capitalize assets or expense other items and to properly account for Business System Modernization costs in internal use software. Currently, IRS does not have a subsidiary ledger for leasehold improvements. A subsidiary ledger requires an enhancement to IFS. Funding for enhancements was denied for fiscal years 2007, 2008 and 2009. Depending on the amount of any future funding and prioritization of enhancements, it is not known when or if IRS can accomplish what was originally agreed to. Considering the age of this report and the long-term unknowns, IRS considers this action closed until further follow-up is required; Status per GAO: Open. IRS implemented the first release of IFS on November 10, 2004, which allowed recording leasehold improvements as assets when purchased. A subsidiary ledger for leasehold improvements has not been developed. According to IRS, it lacks the funding to make the enhancements to IFS that are needed to develop a subsidiary ledger for leasehold improvements. Until it determines the amount of its future funding and prioritization of IFS enhancements, IRS will remain unsure of any additional actions it will take to accomplish this recommendation. We will continue to evaluate IRS's efforts to enhance its ability to account for P&E assets, including leasehold improvements. ID no.: 01-39; Recommendation: Develop a mechanism to track and report the actual costs associated with reimbursable activities. (long-term); Source report: Management Letter: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-01-880R, July 30, 2001); Status per IRS: Closed. The CFO implemented IFS on November 10, 2004 which included a cost module. The cost module currently has 3 years of data which provide managers with basic cost data for decision making in relation to their activities. IRS continues to improve the allocation methodology so that it can determine the detail behind the allocated costs; Status per GAO: Open. We confirmed that IRS has procedures for costing reimbursable agreements that provide the basic framework for the accumulation of both direct and indirect costs at the necessary level of detail. IRS has improved its methodology for allocating its costs of operations to its business units. However, further actions are needed for it to accumulate and report actual costs associated with specific reimbursable projects. We will continue to monitor IRS's efforts to fully implement its cost accounting system and, once it has been fully implemented, evaluate the effectiveness of IRS's procedures for developing cost information for its reimbursable agreements. ID no.: 02-08; Recommendation: Implement policies and procedures to require that all employees itemize on their time cards the time spent on specific projects. (long-term); Source report: Internal Revenue Service: Progress Made, but Further Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 2001); Status per IRS: Open. IRS is exploring other system-based ways of capturing both time and costs associated with its projects and activities and does not anticipate implementing the requirement for employees to itemize their time in the near future; Status per GAO: Open. IRS states that it is exploring other system- based ways of capturing both time and costs associated with its projects and activities and does not anticipate implementing the requirement for employees to itemize their time in the near future. We will continue to monitor IRS's efforts to fully implement its cost accounting system. Once it has been fully implemented, we will evaluate the effectiveness of IRS's procedures for developing cost information to use in resource allocation decisions, which is the underlying basis for our making this recommendation. ID no.: 02-09; Recommendation: Implement policies and procedures to allocate nonpersonnel costs to programs and activities on a routine basis throughout the year. (long-term); Source report: Internal Revenue Service: Progress Made, but Further Actions Needed to Improve Financial Management (GAO-02-35, Oct. 19, 2001); Status per IRS: Closed. IRS now allocates all costs, both personnel and nonpersonnel, to the major program areas described in the Statement of Net Costs on a monthly basis; Status per GAO: Open. We confirmed that IRS has improved its cost accounting capabilities by developing and implementing procedures for allocating its costs of operations to its business units and to the cost categories in its Statement of Net Cost on a monthly basis. However, the cost categories on the Statement of Net Cost are at a higher level than specific programs and activities. Therefore, further actions are still needed to enable IRS to allocate nonpersonnel costs to the detailed level of specific programs and activities. We will continue to monitor IRS's efforts to fully implement its cost accounting system and, once it has been fully implemented, evaluate the effectiveness of IRS procedures for developing cost information for specific programs and activities to use in resource allocation decisions. ID no.: 02-16; Recommendation: Ensure that field office management complies with existing receipt control policies that require a segregation of duties between employees who prepare control logs for walk-in payments and employees who reconcile the control logs to the actual payments. (short- term); Source report: Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 2002); Status per IRS: Open. During fiscal year 2007, IRS conducted Operational Reviews of its W&I Field Assistance area groups. These reviews included compliance with this recommendation. While groups were generally in compliance, IRS recognized the need for additional training. Field Assistance is conducting Filing Season Readiness training for Managers in fiscal year 2008 that includes remittance and security training. The fiscal year 2008 performance commitments address remittance security and shared responsibility for operational reviews. Operational reviews at all levels will be conducted during fiscal year 2008 to ensure consistency; Status per GAO: Open. During our fiscal year 2007 audit, we visited 10 TACs and identified weaknesses over the payment processing and TAC managerial reviews that would address this recommendation at all 10 locations. We will review IRS's additional planned corrective actions during our fiscal year 2008 audit. ID no.: 02-18; Recommendation: Work with the National Finance Center (NFC) to resolve the technical limitations that exist within the Security Entry and Tracking System (SETS) database and continue to periodically review SETS data to detect and correct errors. (short- term); Source report: Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls (GAO-02-746R, July 18, 2002); Status per IRS: Closed. SETS data are reviewed on a bi-weekly basis to detect and correct errors. Monitoring SETS falls across a broad group of Chief Human Capital and Agency-Wide Shared Services (AWSS) staff. IRS provided guidance in November 2007 to all involved staff reminding them to monitor SETS systemic issues and immediately elevate those issues for NFC correction. Until a SETS replacement is developed, continuous monitoring will occur; Status per GAO: Open. During our fiscal year 2007 audit, we continued to identify technical limitations and weaknesses with the SETS database. Specifically, during our analysis of the SETS data, we found multiple instances where (1) employees entered on duty either prior to the Office of Personnel Management completing their fingerprint check, IRS receiving their fingerprint check results, or both and (2) employees entered on duty with expired fingerprint check results (over 180 days old). The guidance provided to staff in November 2007 was subsequent to the completion of our fiscal year 2007 audit. We will evaluate IRS's additional corrective actions during our fiscal year 2008 audit. ID no.: 04-03; Recommendation: Develop procedures to require lockbox managers to provide satisfactory evidence that managerial reviews are performed in accordance with established guidelines. At a minimum, reviewers should sign and date the reviewed documents and provide any comments that may be appropriate in the event that their reviews identified problems or raised questions. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, April 26, 2004); Status per IRS: Closed. IRS continues to conduct on-site reviews looking at logs for desk and work area, date stamp, cash, candling, shred, and mail. IRS uses the data collection instrument (DCI) entitled "Processing-Internal Controls" and uses the results of these reviews to roll them into a calculation to determine each bank's score in the new bank performance measurement process. In addition, lockbox personnel are required to perform similar reviews monthly and report results to the lockbox field coordinators. The report must contain the date of review, shifts reviewed, results of the review (even when no items are found) and include a reviewer and site manager's initials; a signature as required by the Lockbox Processing Guidelines (LPG); or both. Additional reviews are performed on the monthly F9535/Discovered Remittance, candling log, disk checks/ audits, and shred reports received from the lockbox site by the lockbox field coordinators; Status per GAO: Closed. We verified that IRS established and implemented a Processing Internal Controls and Physical Security DCIs. These DCIs are used to assess the required managerial reviews that are performed at each lockbox bank. ID no.: 04-08; Recommendation: Enforce policies and procedures to ensure that service center campus security guards respond to alarms.; Source report: Management Report: Improvements Needed in IRS's Internal Controls and Accounting Procedures (GAO-04-553R, April 26, 2004); Status per IRS: Closed. IRS continues to perform monthly unannounced testing of guard response to alarms, and documentation from these reviews is maintained at each service center campus. Roll-up documentation from Physical Security Area managers is provided to the Program, Planning, and Policy Office (PPPO) for reports to higher-level management. PPPO also conducts random unannounced spot checks when on- site at campuses and computing centers; Status per GAO: Open. During our fiscal year 2007 audit, we identified instances at two of five SCCs we visited in which security guards did not respond properly to alarms. We will evaluate IRS's corrective actions during our fiscal year 2008 audit. ID no.: 05-11; Recommendation: Enforce adherence to existing instructions on safeguarding taxpayer receipts and information, such as securing access and candling procedures, at service center campuses selected for significant reductions in their submission processing functions. (short- term); Source report: Management Report: Review of Controls over Safeguarding Taxpayer Receipts and Information at the Brookhaven Service Center Campus (GAO-05-319R, Mar 10, 2005); Status per IRS: Closed. Accounts Management is enforcing adherence to existing instructions for securing access to restricted areas through trained security monitors at consolidated sites. These clerks receive training annually, as well as periodic briefings, on the issuance and inventory of badges and the security of taxpayer information and receipts. Candling procedures are reinforced through training and team meetings. Local management ensures that correct procedures are followed when reviewing equipment and candling logs; Status per GAO: Open. During our fiscal year 2007 audit, we identified instances at one SCC we visited with reduced submission processing functions where (1) neither the door monitor nor the payment processing supervisor in the receipt and control area inspected visitors' belongings when they exited the restricted area and (2) the inside envelope of the 3210 transmittal package did not contain a statement indicating that the information inside is for limited official use. We will continue to assess IRS's actions during our fiscal year 2008 audit. ID no.: 05-12; Recommendation: Document a methodology for estimating anticipated rapid changes in mail volume at future SCCs selected for significant reductions in their submission processing functions, taking into consideration factors such as the prior rampdown experience at Brookhaven. (short-term); Source report: Management Report: Review of Controls over Safeguarding Taxpayer Receipts and Information at the Brookhaven Service Center Campus (GAO-05-319R, Mar 10, 2005); Status per IRS: Closed. IRS has developed and implemented a methodology for estimating mail volumes and resource requirements for use in future submission processing consolidations. IRS used the prior campus consolidation experiences from both Brookhaven and Memphis in its projections for the Philadelphia Campus Support Department; Status per GAO: Closed. During our fiscal year 2007 audit, IRS W&I staff provided us with a methodology and estimation for anticipated rapid changes in mail volume at future SCCs selected for significant reductions in their submission processing functions. ID no.: 05-13; Recommendation: Enforce its existing requirement that appropriate background investigations be completed for contractors before they are granted staff-like access to service centers. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Closed. PPPO issued notification in February 2007 reminding Physical Security area directors that required documentation from contracting officers' technical representatives is needed to support the issuance of identification media before granting staff-like access to contractors, and that all forms must remain on file. The Audit Management Checklist is also used to ensure that proper documentation is received and filed. All IRMs have been updated and renumbered. IRM 10.2.5 Identification Card specifies that Form 5519, 13716-A or similar identification request form (13760), and the interim or final background investigation letter must be retained and filed in the identification media file on each contractor for the life of the identification card; Status per GAO: Open. During our fiscal year 2007 audit, we identified four contractors at one of five SCCs we visited who were granted staff- like access before background investigations had been completed. Also, we obtained and reviewed SCC contractor background investigation data from all 10 SCCs and found that 3 SCCs permitted five contractors staff- like access before their background investigations had been completed. In addition, IRM series 10.2 mentioned in IRS's response to this recommendation is currently in draft, under review, and waiting to be finalized. We will evaluate IRS's corrective actions during our fiscal year 2008 audit. ID no.: 05-14; Recommendation: Require that background investigation results for contractors (or evidence thereof) be on file where necessary, including at contractor worksites and security offices responsible for controlling access to sites containing taxpayer receipts and information. (short-term)]; Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 05-247R, Apr 27, 2005); Status per IRS: Closed. PPPO issued notification in February 2007 reminding Physical Security area directors that documentation from the contracting officer's technical representative is needed to support the issuance of identification media before granting staff-like access to contractors, and that all forms remain on file. The Audit Management Checklist is also used to ensure that proper documentation is received and filed. All IRMs have been updated and renumbered. IRM 10.2.5 Identification Card specifies that Form 5519, 13716-A or similar identification request form (13760), and the interim or final background investigation letter must be retained and filed in the identification media file on each contractor for the life of the identification card; Status per GAO: Open. As of the time of our audit, the IRM 10.2 series was in draft, under review, and waiting to be finalized. We will monitor its final implementation and continue to evaluate IRS's policies and procedures related to background investigations for contractors during our fiscal year 2008 audit. ID no.: 05-22; Recommendation: Provide a written reminder to courier contractors of the need to adhere to all courier service procedures. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Closed. Submission Processing issued an annual reminder memorandum to the courier contractors on February 27, 2007. Additionally, the lockbox banks security team verified that all lockbox bank sites issued an annual reminder memorandum to courier contractors reminding them to adhere to all courier service procedures in the Lockbox Security Guidelines (LSG); Status per GAO: Closed. We verified that reminder memorandums were issued to the SCC and lockbox bank couriers. ID no.: 05-23; Recommendation: Periodically verify that contractors entrusted with taxpayer receipts and information off site adhere to IRS procedures. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 05-247R, Apr 27, 2005); Status per IRS: Closed. Submission Processing revised the LSG 2.5 during 2007 to provide for periodic verification that couriers adhere to IRS policy while transporting taxpayer receipts and information. In IRS's campuses, IRS ensures couriers sign, date, and note the time of pickup on Form 10160, Receipt for Transport of IRS Deposit. When the couriers drop off the deposit, IRS ensures Form 10160 is date and time stamped. Each campus reviews the form and notes any time discrepancies. Couriers are questioned if discrepancies are found and the information is noted in the Courier Incident Log. If inconsistencies are noted, the centers use their discretion to determine whether it is necessary to trail the couriers; Status per GAO: Closed. We verified that IRS revised its LSG to include provisions for periodic verification that couriers adhere to IRS procedures for transporting taxpayer receipts and information. We also noted that procedures were established at the campuses involving the review of the returned Form 10160. ID no.: 05-32; Recommendation: Establish policies and procedures to require appropriate segregation of duties in small business/self- employed units of field offices with respect to preparation of Payment Posting Vouchers, Document Transmittal forms, and transmittal packages. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Open. SB/SE revised IRM 5.1.2, 1.4.50, 4.20.3, and 4.20.4 to address this recommendation. The Director, Examination sent a memorandum to all Examination area directors on October 17, 2006 reminding them of the payment processes outlined in IRM 5.1.2, and requiring periodic reviews of payment processing procedures during their group operational reviews; Although SB/SE believes its current field payment processing procedures sufficiently addresses segregation of duties, it is currently conducting a risk assessment to identify potential weaknesses; Status per GAO: Open. The status information provided by IRS did not clearly address segregation of duties within the SB/SE business units. When we issued this recommendation, we noted that (1) individuals responsible for preparing payment posting vouchers were the same individuals who recorded the information from those vouchers on the document transmittal and mailed those forms to the IRS service center and (2) there was no independent review or reconciliation of documents or payments before they were mailed by their preparer. During our recent visits to selected SB/SE units in March 2008, we found that this condition continued to exist. Duties involving the preparation of payment posting vouchers, document transmittal forms, and transmittal packages were not segregated. Employees informed us that there was no related requirement in the IRM. ID no.: 05-33; Recommendation: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 05-247R, Apr 27, 2005); Status per IRS: Open. W&I Field Assistance has taken a number of actions to emphasize the requirement for including a document transmittal form listing the Daily Report of Collection Activity forms in transmittal packages, and ensuring that they are reconciled and reviewed by the secretary, initial assistant representative, or manager in offices where these positions are located. Territory managers review and discuss the monthly Trends and Patterns reports with the group manager. Results of the reviews are forwarded to the area director. Operational reviews at all levels will be conducted annually to ensure that field offices comply with the requirement to prepare Form 3210, which lists all Forms 795 being shipped to the Submission Processing Center; Beginning in March 2008 Collection began annual reviews of a sample of groups in each area to ensure the reviews described in IRM 1.4.50 are taking place. The results of the headquarters review will be documented in the area operational review. SB/SE is currently reviewing the language in IRM 1.4.50, Collection Group Manager, Territory Manager and Area Director Operational Aid to determine if clarification is needed; Status per GAO: Open. During our visits to several SB/SE business units, we found that a document transmittal form was not being used to transmit multiple Daily Report of Collection Activity forms to the respective service center campus. We will continue to assess IRS's actions during our fiscal year 2008 audit. ID no.: 05-36; Recommendation: Assess options to prevent the generation or disbursement of refunds associated with accounts with unresolved Automated Under Reporter (AUR) discrepancies, including placement of a freeze or hold on all such accounts, until the AUR review has been completed. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Closed. The procedures to prevent the generation or disbursement of refunds associated with AUR accounts are in place and included in IRM 3.8.45. Employees are required to conduct Integrated Data Retrieval System (IDRS) research after receiving an unidentified remittance to determine if there is an open account that allows for posting of the remittance. Submission Processing issued a Hot Topic on January 25, 2007, which added procedures to IRM 3.17.10 to check for cases that can be identified as an AUR payment and research IDRS for CP2000 Indicators: TC 922, "F" Freeze Code, and campus under reporter programs; Status per GAO: Closed. We confirmed that IRS updated IRM 3.8.45 and IRM 3.17.10 to include the requirement that employees conduct IDRS research after receiving unidentified remittances. ID no.: 05-37; Recommendation: Enforce documentation requirements relating to authorizing officials charged with approving manual refunds. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Closed. IRS issued its annual memorandum in August 2007 and received the annual list of authorized signatures by October 31, 2007, per IRM 3.17.79.3.5(4)(d). Submission Processing completed a sample review as part of the Monthly Security Review Checklist per 3.17.79.3.5(3), and completed a 100 percent review of the new annual list in November 2007; Status per GAO: Open. During our fiscal year 2007 audit, we continued to find that the documentation requirements on memorandums, which are submitted to the manual refund units listing officials authorized to approve manual refunds, were incomplete. The annual memorandums issued, the annual list of authorized signatures, and the reviews performed noted in IRS's response to this recommendation were subsequent to our fieldwork. We will follow up on IRS's efforts to improve the documentation requirements during our fiscal year 2008 audit. ID no.: 05-38; Recommendation: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 05-247R, Apr 27, 2005); Status per IRS: Closed. IRS issued guidance on enforcing requirements for monitoring accounts and reviewing monitoring of accounts via Hot Topics on April 30, 2007 and again on July 13, 2007. Department managers provided subordinate managers and the employees refresher training using IRM 21.4.4 and 3.17.79 as reference materials to reinforce the monitoring requirements. Accounts Management completed refresher training at all campuses from January through May 2007. SB/SE Campus Compliance Services (CCS) continues to stress the importance of following all IRM procedures for the manual refunds. To ensure that the campuses continue to comply with all IRM provisions for manual refunds, the CCS directors are covering this topic in both filing & payment compliance and campus reporting compliance operations during their fiscal year 2008 campus reviews. The Taxpayer Advocate Service (TAS) has specific IRM requirements and controls for all employees and managers to monitor the posting of manual refunds to prevent duplicate refunds, and to document in the Taxpayer Advocate Management Information System (TAMIS) that all actions were completed. TAS also updated its manual refund training on March 12, 2007, re-emphasizing the requirement to monitor manual refunds to prevent duplicate refunds; Status per GAO: Open. We verified that IRS issued the Hot Topics, which included providing managers and the employees training to reinforce monitoring requirements. However, during our fiscal year 2007 audit, we continued to find instances where the manual refund initiators, leads, or both did not monitor accounts to prevent duplicate refunds. We also found that some of the supervisors did not review the initiators' or leads' work to ensure that the monitoring of accounts was performed. We will continue to review IRS's monitoring and review efforts during our fiscal year 2008 audit. ID no.: 05-39; Recommendation: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Closed. Submission Processing (SP) issued guidance on enforcing requirements for monitoring accounts and reviewing monitoring of accounts via Hot Topics on April 30, 2007 and again on July 13, 2007. Department managers provided subordinate managers and the employees refresher training using IRM 21.4.4 and 3.17.79 as reference materials to reinforce the monitoring requirements. Accounts Management completed refresher training at all campuses from January through May 2007. IRS continues to use the Manual Refund Check Sheet and monthly security reviews to ensure compliance with IRM requirements, and these reviews are forwarded monthly to SP headquarters for consolidation and review by headquarters analysts and management. The SB/SE Campus Compliance Services continues to stress the importance of following all IRM procedures for the manual refunds. To ensure that the campuses continue to comply with all IRM provisions for manual refunds, the CCS directors are covering this topic in both filing & payment compliance and campus reporting compliance operations during their fiscal year 2008 campus reviews. The TAS has specific IRM requirements and controls for all employees and managers to monitor the posting of manual refunds until posted to prevent duplicate refunds, and to document in TAMIS that all actions were completed. TAS also updated its manual refund training on March 12, 2007, re-emphasizing the requirement to monitor manual refunds to prevent duplicate refunds; Status per GAO: Open. We verified that IRS issued the Hot Topics, which included providing managers and employees training to reinforce the monitoring requirements. However, during our fiscal year 2007 audit, we continued to find instances where the requirement for documenting monitoring actions and documenting supervisory review were not enforced. We will continue to review IRS's monitoring and review efforts during our fiscal year 2008 audit. ID no.: 05-40; Recommendation: Enforce the requirement that command code profiles be reviewed at least once annually. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 05-247R, Apr 27, 2005); Status per IRS: Closed. IRS issued a Hot Topic on January 10, 2007 and again on March 30, 2007 as a reminder to ensure adherence to the existing process of enforcing the requirement that command code profiles be reviewed at least once annually. The Manual Refund Unit has included a signed and dated copy of the Command Code: RSTRK input (action performed through the use of IDRS in the file with the authorization memorandums to verify compliance with IRM 3.17.79.1.7. The Monthly Security Review Checklist was updated to add this review; Status per IRS: Closed. During our fiscal year 2007 audit, we found that the requirements that command code profiles be reviewed at least once annually were enforced. ID no.: 05-41; Recommendation: Specify in the IRM that staff members are not to review their own command code profiles. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-05-247R, Apr 27, 2005); Status per IRS: Closed. IRS updated IRM 10.8.34 IDRS Security Handbook replacing the IDRS Security Law Enforcement Manual (LEM) 25.10.3. Section 10.8.34.5.3.1 (3) - (6) prohibits managers from being in the same IDRS unit as the employees they review. Section 10.8.34.8.2.2.5 (2) (f) requires managers to review reports monthly to ensure profiles have appropriate restrictions. Section 10.8.34.8.2.2.5 (2) (m) prohibits employees from reviewing their own profile or any other report data pertaining to themselves. IRS also updated the IDRS section of the annual FMFIA Self-Assessment Tool for Managers with item 4.50 requiring the quarterly review of IDRS user profiles in accordance with the IRM, and item 4.52 requiring managers to indicate that they completed a review of IDRS security reports and appropriate action has been taken to correct weaknesses; Status per GAO: Closed. During our fiscal year 2007 audit, we found no instances of staff members reviewing their own command codes. We verified that IRS has updated IRM 10.8.34 IDRS Security Handbook, which has replaced IDRS Security LEM 25.10.3. We also verified that section 10.8.34.5.3.1 (3) - (6) prohibits managers from being in the same IDRS unit as the employees they oversee; section 10.8.34.8.2.2.5 (2) (f) requires managers to review reports monthly to ensure that profiles have appropriate restrictions; and section 10.8.34.8.2.2.5 (2) (m) prohibits employees from reviewing their own profile or any other report data pertaining to themselves. ID no.: 06-01; Status per IRS: Recommendation: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Open. W&I's Accounts Management will confirm during the site operational reviews that managers are performing a follow-up and documentation acknowledgement of receipt of Form 3210. This item will be monitored during the fiscal year 2008 quarterly reviews. During fiscal year 2007, IRS completed conference calls prior to each directorates filing season readiness (FSR) certification, and will continue to provide directions during the fiscal year 2008 FSR conference calls to enforce management controls to complete, review, approve, and follow up on receipt of Forms 3210 in Accounts Management; Status per GAO: Open. We will continue to evaluate IRS's corrective actions during our fiscal year 2008 audit. ID no.: 06-02; Recommendation: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including SCCs, TACs, and units within Large and Mid-sized Business (LMSB) and Tax-Exempt and Government Entities (TE/GE), establish a system to track acknowledged copies of document transmittals. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Open. LMSB has issued procedures to the field on the responsibilities for using receipt transmittals. LMSB employees are reminded annually through executive memorandum of Form 3210 procedures and responsibilities. LMSB has also issued memos to the field to remind and reinforce the use of Form 3210 and establishment of a follow-up system for unacknowledged 3210s. A Closing Checklist for LMSB Cases which includes Form 3210 requirement reminders was created to assist LMSB employees when transmitting cases. LMSB Technical training has certified that Form 3210 procedures and responsibilities are included in revenue agent training materials. LMSB Human Capital Office has included the requirement that Industry Territory Managers review Form 3210 utilization and follow-up procedures during operational reviews in a memorandum dated December 13, 2006; IRMs 21.3.4.7 and 1.4.11.19.1 were revised during 2007 to provide procedures for requiring TACs to follow-up with SP centers when acknowledgments are not received within 10 days. Similarly, W&I Accounts Management revised IRMs 21.5.4.2 and 1.4.16 for this requirement. W&I Field Assistance will conduct operational reviews during and after filing season to monitor compliance, and is currently enhancing the existing TAC Security and Remittance Review Database to provide more comprehensive and quantitative data for analysis. Reviews conducted during 2007 showed that offices transmitting receipts have a system to track acknowledged copies of document transmittals. Planned reviews will enforce existing requirements for both organizations; Status per GAO: Open. During our fiscal year 2007 audit, we identified instances at one SCC and four TACs where there was no system in place or evidence maintained to track acknowledged document transmittals. We will continue to evaluate IRS's corrective actions during our fiscal year 2008 audit. ID no.: 06-03; Recommendation: Provide instructions to document the follow-up procedures performed in those cases where transmittals have not been timely acknowledged. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 06-543R, May 12, 2006); Status per IRS: Closed. LMSB has issued procedures to the field on the responsibilities for using receipt transmittals. LMSB employees are reminded annually through executive memorandum of Form 3210 procedures and responsibilities. LMSB has also issued memos to the field to remind and reinforce the use of Form 3210 and establishment of a follow-up system for unacknowledged 3210s. A closing checklist for LMSB cases was created to assist LMSB employees when transmitting cases. LMSB technical training has certified that Form 3210 procedures and responsibilities are included in revenue agent training materials. LMSB Human Capital Office has included the requirement that Industry Territory Managers review Form 3210 utilization and follow-up procedures during operational reviews in a memorandum dated December 13, 2006. IRMs 21.3.4.7 and 1.4.11.19.1 were revised to provide procedures for requiring TACs to follow-up with SP centers when acknowledgments are not received within 10 days. IRM 1.4.11.19.1 Maintaining Form 795/795A Centralized Files provides instruction to document follow-up of unacknowledged document transmittals. To help reinforce the importance of the follow-up managers are required to attend classroom training. New and acting managers attended “Managing a TAC” training in 2007, and all managers attend a filing season readiness workshop. W&I Accounts Management revised IRMs 21.5.4.2 and 1.4.16 for this requirement. Planned reviews will enforce existing requirements; Status per GAO: Closed. During our fiscal year 2007 audit, we verified that the IRM includes procedures for LMSB and TE/GE units to follow up with the destination sites if remittance transmittals are not returned within 10 days or if all remittances were not marked with a distinctive checkmark. Also, we verified that the IRM contains Field Assistance (TAC) procedures for monitoring document transmittal acknowledgments. ID no.: 06-04; Recommendation: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. LMSB has issued procedures to the field on the responsibilities for using receipt transmittals. LMSB employees are reminded annually through executive memorandum of Form 3210 procedures and responsibilities. LMSB has also issued memos to the field to remind and reinforce the use of Form 3210 and establishment of a follow-up system for unacknowledged 3210s. A closing checklist for LMSB cases was created to assist LMSB employees when transmitting cases. LMSB technical training has certified that Form 3210 procedures and responsibilities are included in revenue agent training materials. LMSB Human Capital Office has included the requirement that Industry Territory Managers review Form 3210 utilization and follow-up procedures during operational reviews in a memorandum dated December 13, 2006. IRM 1.4.11.19.5 Field Assistance Manager Review outlines instructions for managers to perform a minimum of two reviews per quarter per employee for payment processing and reconciliation procedures that include 3210 and 795 segregation of duties. A certification template has been created and placed in the IRM 1.4.11-10 for managers to confirm the review being conducted. To help reinforce the importance of the follow-up managers are required to attend classroom training. New and acting managers attended “Managing a TAC” training in 2007 and all managers will attend a Filing Season Readiness Workshop. During the training the requirement to conduct reviews and document results will be emphasized. W&I Accounts Management revised IRMs 21.5.4.2 and 1.4.16 for this requirement; Status per GAO: Open. During our fiscal year 2007 audit, we identified instances at seven TACs where there was no evidence of managerial review of document transmittals and one instance at one of five SCCs we visited in which one Refund Inquiry Unit manager did not document his review of the document transmittals. We will continue to evaluate IRS's corrective actions during our fiscal year 2008 audit. ID no.: 06-05; Recommendation: Equip all Taxpayer Assistance Centers (TACs) with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers such as locked doors marked with signs barring entrance by unescorted customers. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Open. W&I Field Assistance (FA) and AWSS are currently implementing plans to correct security and control access issues in TACs. Field Assistance identified 120 locations and AWSS completed a detailed analysis on each one. Most locations were identified as space and design issues that require implementation of the TAC Model Design. For locations that were not space and design issues, AWSS provided the funding and implemented corrective actions. Most of the security and control access issues affect small TACs. FA and AWSS have developed a strategic TAC Model implementation plan and the new "Mini TAC Model Design" to correct security and control access issues in the remaining offices; Status per GAO: Open. During our fiscal year 2007 audit, we identified instances at two TACs where the controlled area was not equipped with physical security controls adequate to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units. We will continue to evaluate IRS's corrective actions during our fiscal year 2008 audit. ID no.: 06-07; Recommendation: Document supervisory visits by offsite managers to TACS not having a manager permanently on-site. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Open. Effective November 27, 2007, FA managers are no longer required to document visits to outlying TACs by using a checklist. Instead, new processes were implemented that will better gauge managers' adherence to remittance and physical security internal controls. The new process includes the following: (1) A performance commitment for each level of FA management (director, area director, territory manager (TM), and TAC manager). The commitment requires managers to conduct and document reviews to ensure protection of data and equipment and ensure compliance with remittance and security procedures. (2) Implementation of a tiered operational review approach. This will allow FA to determine if TAC managers are performing required reviews, conducting periodic visits, and focusing on actions that mitigate control weaknesses. Headquarters (HQ) reviews focus on the Area Offices, Area Office operational reviews focus on TMs, and TM reviews focus on each TAC manager. (3) TAC managers and TMs using DCIs to conduct physical security and remittance reviews. (4) TAC managers inputting review results into the TAC Security and Remittance Review Database. Database information will be analyzed at the headquarters level to identify top issues needing attention and to develop corrective actions; Status per GAO: Open. IRS no longer requires TAC managers to document their visits to outlying TACs by using a checklist but has implemented new procedures involving FA managers at all levels to ensure that periodic reviews are performed and centrally documented. However, these changes occurred subsequent to our fiscal year 2007 audit. We will assess, during our fiscal year 2008 audit, whether the new procedures will effectively mitigate the risks that the previous recommendation of documenting supervisory visits was originally designed to address. ID no.: 06-08; Recommendation: Enforce the requirement that all security or other responsible personnel at service center campuses (SCC) and lockbox banks record all instances involving the activation of intrusion alarms regardless of the circumstances that may have caused the activation. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. In January 2006, the lockbox bank LSG 2.2.3.1.5 (6) was revised to add the requirement that banks maintain a logbook of incident reports and any applicable supporting documentation, and note corrective follow-up actions taken on each incident. IRS reinforced the requirement to maintain a logbook in sequential date order in the 2007 LSG. For SCCs, the requirement for all activations of alarms to be logged in security console logs has been on the Audit Management Checklist since June 2006. Interim IRM 1.16.12A Security Guard Service and Explosive Detection Dogs, issued in November 2006, states the requirement for the guard console blotter/event log to be annotated to record and document the guard force response to each alarm activation exercise. Draft IRM 10.2.14 Methods of Providing Protection (awaiting finalization) states, "A record of all instances involving the activation of any alarm regardless of the circumstances that may have caused the activation, must be documented in a Daily Activity Report/ Event Log, or other log book and maintained for two-years." The IRM 1.16 series is being changed to 10.2; Status per GAO: Open. As of the time of our audit, the IRM changes were in draft, under review, and waiting to be finalized. During our fiscal year 2007 audit, we identified three instances at one of four lockbox banks we visited in which the activation of intrusion alarms were not recorded by security guards. We will continue to evaluate IRS's corrective actions during our fiscal year 2008 audit. ID no.: 06-09; Recommendation: Reemphasize the need for the security guards at all TACs to ensure that key posts of duty, such as entrances to facilities, are not left unattended. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. W&I issued a memorandum on April 5, 2007, to address this issue. Additionally, a letter was issued to the Director, Security and Law Enforcement of Homeland Security, to ensure that security officers are aware of their duties and responsibilities at key post of duty; Status per GAO: Closed. We did not identify any instances where key posts of duty were left unattended by security guards during our fiscal year 2007 audit. ID no.: 06-11; Recommendation: Refine the scope and nature of its periodic reviews of candling processes at SCCs to ensure they (1) encompass tests of whether envelopes are properly candled through observation of candling in process and inquiry of employees who perform initial and final candling and (2) document the nature and scope of the test and observation results. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. IRS continues to use the Security Review Check List to document the effectiveness of the initial and final candling process, and to talk to employees who perform initial and final candling as part of the monthly campus and national office security reviews; Status per GAO: Closed. We verified that IRS revised its Security Review Checklist to document, through observation, the effectiveness of the initial and final candling process. During our fiscal year 2007 audit, we non-statistically selected and reviewed several campus security review reports and found no instances where the reports did not document the number of employees who were questioned about their knowledge of candling procedures and the responses received from the employees. ID no.: 06-14; Recommendation: Refine the scope and nature of its periodic security reviews to encompass (1) testing the effectiveness of controls intended to ensure that only individuals with proper credentials are permitted access to SCCs and lockbox banks, and (2) reviewing the integrity of perimeter security at SCCs. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. As of January 1, 2007, IRS revised LSG section 2.2.3.1(6) k to restrict access of all delivery personnel. The IRS Lockbox Security Review Team observed the lockbox site's process of delivery personnel while on-site to ensure compliance with the LSG requirement. In addition, section 2.2.2.13.1 (CCTV Cameras) (2)g of the LSG was revised to add that cameras must capture images of all persons entering and exiting perimeter doors and other critical ingress/egress points, including but not limited to the computer room and closets containing main utility feeds. AWSS continues to complete compliance reviews, risk assessments, and quarterly audit management checklist reviews. Since April 2006, the service center campuses have been providing quarterly verification that all guards have been reminded to inspect and scrutinize all badges of personnel accessing IRS facilities. During the past year, IRS has accessed closed-circuit television (CCTV) capabilities and is currently taking corrective actions to allow the unobstructed surveillance of campus fence lines and the facility perimeters; Status per GAO: Closed. We verified that IRS refined the scope and nature of its periodic security reviews by (1) performing periodic tests of whether lockbox personnel are only allowing authorized individuals to access the facility and verifying that CCTVs are capturing key areas and (2) conducting quarterly assessments of the integrity of perimeter access controls. ID no.: 06-15; Recommendation: Revise the physical security procedures in the Internal Revenue Manual (IRM) to require that all SCCs and any respective annex facilities processing taxpayer receipts and/or information perform and document monthly tests of the facility's intrusion detection alarms. At a minimum, these procedures should (1) outline the type of test to be conducted, (2) include criteria for assessing whether the controls used to respond to the alarm were effective, and (3) require that a logbook be maintained to document the test dates, results, and response information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. IRM 1.16.12 was revised and documents the requirements to test, document, report and follow-up on service center campus intrusion detection alarms. Physical Security area directors began implementing the new procedures in January 2007. Test results are rolled-up to PPPO for quarterly reports for upper management; Status per IRS: Open. IRS officials informed us that the IRM section is in draft and currently in the review stage. We will follow up on the finalization of this IRM and continue to assess IRS's actions during our fiscal year 2008 audit. ID no.: 06-21; Recommendation: Generate aging reports when an asset remains in pending disposal status for longer than a specified period of time. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. This recommendation remains closed, as IRS reported in fiscal year 2006. AWSS reports that the re-engineered process is working as intended. Aging record reports are monitored monthly, and AWSS staff follows up on disposal actions to identify issues or problems; Status per GAO: Closed. During fiscal year 2006, IRS re-engineered the P&E asset retirement and disposal process. The new process generates exception reports that enable management to monitor the aging of transactions during the disposal process. Our fiscal year 2007 review of P&E internal controls showed that anomaly reports are now being generated when an asset remains in a disposal code for an extended period of time. ID no.: 06-22; Recommendation: Direct Facilities Management Branch managers to research and resolve the aging reports (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-06-543R, May 12, 2006); Status per IRS: Closed. This recommendation remains closed as IRS reported in fiscal year 2006. AWSS reports that the reengineered process is working as intended. Aging record reports are monitored monthly and AWSS staff follows up on disposal actions to identify issues or problems; Status per GAO: Open. During fiscal year 2006, IRS re-engineered the P&E asset retirement and disposal process. The new process generates exception reports that enable management to monitor the aging of transactions during the disposal process. While our fiscal year 2007 review of P&E internal controls showed that anomaly reports are now being generated when an asset remains in a disposal code for an extended period of time, our audit testing revealed that disposals are still not being recorded in a timely manner. Our inquiries of IRS management revealed that management is not always reviewing the anomaly reports as required by the reengineered process. We will continue to evaluate IRS's corrective actions during our fiscal year 2008 audit. ID no.: 07-01; Recommendation: Enforce the existing policy requiring that all lockbox banks encrypt backup media containing federal taxpayer information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Open. IRS is currently evaluating this recommendation to determine the best means to safeguard (e.g. encryption) and/or retain taxpayer data. To assist in the evaluation process, IRS plans to complete a cost-benefit analysis to determine the best solution. The tentative date for completion of the cost-benefit analysis and any resulting solution is September 30, 2008. In the interim, to mitigate the risk of losing personally identifiable information (PII), IRS plans to incorporate specific guidelines in the calendar year 2008 LSG to clearly require that all lockbox sites store backup media containing PII in locked containers. The calendar year 2008 LSG was issued on December 19, 2007; Status per GAO: Open. During our fiscal year 2007 audit, we identified instances at all four lockbox banks we visited where backup data tapes containing federal taxpayer information were not encrypted. We will evaluate IRS's planned corrective actions during our fiscal year 2008 audit. ID no.: 07-02; Recommendation: Ensure that lockbox banks store backup media containing federal taxpayer information at an off-site location as required by the 2006 Lockbox Security Guidelines (LSG). (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 07-689R, May 11, 2007); Status per IRS: Open. IRS is currently evaluating this recommendation to determine the best means to safeguard (e.g. encryption) and/or retain taxpayer data. To assist in the evaluation process, IRS plans to complete a cost-benefit analysis to determine the best solution. The tentative date for completion of the cost-benefit analysis and any resulting solution is September 30, 2008. In the interim, to mitigate the risk of losing PII, IRS plans to incorporate specific guidelines in the calendar year 2008 LSG to clearly require that all lockbox sites store backup media containing PII in locked containers. The calendar year 2008 LSG was issued in December 19, 2007; Status per GAO: Open. During our fiscal year 2007 audit, we identified instances at all four lockbox banks we visited where backup media containing federal taxpayer information was not stored at an off-site location. We will evaluate IRS's planned corrective actions during our fiscal year 2008 audit. ID no.: 07-03; Status per IRS: Recommendation: Revise instructions for the annual reviews of lockbox banks to encompass routine monitoring of backup media containing personally identifiable information to ensure that this information is (1) encrypted prior to transmission and (2) stored in an appropriate off-site location. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Open. IRS is currently evaluating this recommendation to determine the best means to safeguard (e.g. encryption) and/or retain taxpayer data. To assist in the evaluation process, IRS plans to complete a cost-benefit analysis to determine the best solution. The tentative date for completion of the cost-benefit analysis and any resulting solution is September 30, 2008. In the interim, to mitigate the risk of losing PII, IRS plans to incorporate specific guidelines in the calendar year 2008 LSG to clearly require all lockbox sites store backup media containing PII in locked containers. The calendar year 2008 LSG was issued in December 19, 2007. For the Lockbox Electronic Network (LEN), it electronically transmits all transactional data, including federal taxpayer information, from the lockbox banks to IRS via the Martinsburg Computing Center, which is currently going to the Tennessee Computing Center. The electronic transmission securely transmits the data through the use of Virtual Private Network devices like the devices used at the computing centers which will encrypt the data as it is being transmitted. Effective March 2008, the LEN is being used to transmit the data to the SP centers. Cartridges will only be used in the event of an emergency or contingency situation where the LEN transmission fails; Status per GAO: Open. We will continue to evaluate IRS's corrective actions during our fiscal year 2008 audit. ID no.: 07-04; Recommendation: Develop and implement appropriate corrective actions for any gaps in closed circuit TV (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the SCC's perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 07-689R, May 11, 2007); Status per IRS: Open. All SCCs conducted an assessment of the CCTV systems concerning unobstructed views of fence lines and perimeter, and identified problems that were documented in an action plan developed in May 2007 and completed by February 2008; Status per GAO: Open. During our fiscal year 2007 audit, we identified instances at three of five SCCs we visited where security cameras did not provide an unobstructed view of the entire perimeter of the facility. We will evaluate IRS's corrective actions during our fiscal year 2008 audit. ID no.: 07-05; Recommendation: Revise instructions for quarterly physical security reviews to require analysts to (1) document any issues identified as well as planned implementation dates of corrective actions to be taken and (2) track the status of corrective actions identified during the quarterly assessments to ensure they are promptly implemented. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. Procedures were implemented requiring Physical Security analysts to document issues/problems during quarterly reviews, establish corrective action due dates, and track progress to ensure implementation of all corrective actions. The new procedures and reporting formats were implemented in June 2007. Compliance with the procedures is monitored during Physical Security area director operational reviews and random sampling by PPPO; Status per GAO: Closed. We verified that IRS revised its procedures and reporting formats to require its Physical Security analysts to (1) document concerns identified during quarterly physical security reviews, (2) establish corrective action implementation dates, and (3) track those actions to ensure and monitor implementation. ID no.: 07-06; Recommendation: Revise procedures contained in the Manual Refund Desk Reference to reflect the IRM requirements for manual refund initiators to (1) monitor the manual refund accounts in order to prevent duplicate refunds, and (2) document their monitoring actions. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. Employees have been instructed to recognize only IRM 3.17.79 and IRM 21 as the official authoritative guidance for processing manual refunds. Submission Processing (SP) conducted a conference call with designated campus planning and analysis staff, SP Headquarters staff and the IRM owner for 21.4.4, and issued a Hot Topic on April 30, 2007. SP also provided sites with this information and contacted authors of IRM 21.4.4 and IRM 4.4.19. Accounts Management and SB/SE Compliance will review the IRM to ensure that instructions are correct and that related training course modules are correct; Status per GAO: Closed. IRS's action satisfies the intent of this recommendation. ID no.: 07-07; Recommendation: Provide to all IRS units responsible for processing manual refunds the same most current version of the Manual Refund Desk Reference. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. W&I reinforced IRM 3.17.79.0 and 21.4.4 as the official authoritative guidance for processing manual refunds. SP provided sites with this information and also contacted authors of IRM 21.4.4 and IRM 4.4.19. The Account Management analyst and the SB/SE Compliance analyst will review the IRM to ensure that instructions are correct and that related training course modules are accurate; Status per IRS: Closed. IRS's action satisfies the intent of this recommendation. ID no.: 07-08; Recommendation: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 07-689R, May 11, 2007); Status per IRS: Open. All W&I business functions conducted training by July 2007, except for Compliance, which is planned to be completed by April 2008. SP management reviews history sheets annotated with taxpayer identification numbers, tax period, transaction code, date, and initials of initiator. SP conducted team refresher training by July 30, 2007. This refresher training will also be included in fiscal year 2008 continuing professional education. A manual refunds refresher course was distributed by the Accounts Management Program Management/Process Assurance and training was completed by June 2007. The course emphasized the required monitoring of manual refunds and the documentation of monitoring actions. Accounts Management will conduct additional training by July 15, 2008, for employees who initiate manual refunds; Status per GAO: Open. We will review IRS's records of training during our fiscal year 2008 audit. ID no.: 07-09; Recommendation: Enhance its computer program to check for outstanding tax liabilities associated with both the primary and secondary Social Security Numbers shown on a joint tax return and apply credits to those balances before issuing any refund. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. IRS submitted a work request on June 26, 2007, to update its computer programs to check for outstanding liabilities associated with both the primary and secondary Social Security numbers on a joint tax return and offsetting to any outstanding TFRP liability before issuance of a refund. The programming change was implemented on January 20, 2008; Status per GAO: Open. The programming change was initiated after our fiscal year 2007 audit was complete. We will evaluate the effectiveness of IRS's corrective action during our fiscal year 2008 audit. ID no.: 07-10; Recommendation: Instruct Revenue Officers making the TFRP assessments to research whether the responsible officers are filing jointly with their spouses and to place a refund freeze on the joint account until the computer programming change can be completed. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. IRS counsel said that it was acceptable for the revenue officer to also freeze the refund of any spouse at the time of approval of recommendation for a TFRP assessment or at the time the TFRP assessment is made, Therefore, IRS's SB/SE issued interim guidance on July 23, 2007, for input of transaction code 130 to freeze potential individual master file refunds for all individuals determined responsible for the TFRP; Status per GAO: Closed. Based on our review of the IRS interim guidance issued on July 23, 2007, we verified that IRS instructed revenue officers making TFRP assessments to research whether responsible officers are filing jointly with their spouses and to place refund freezes on the joint accounts. ID no.: 07-11; Recommendation: Correct the penalty calculation programs in the master file so that penalties are calculated in accordance with the applicable Internal Revenue Code and implementing IRM guidance. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. IRS implemented a system change in January 2007 to correct the penalty calculation program; Status per GAO: Open. We will evaluate the effectiveness of IRS's corrective action during our fiscal year 2008 audit. ID no.: 07-12; Recommendation: Research each of the taxpayer accounts that may have been affected by the penalty programming errors to determine whether they contain overassessed penalties and correct the accounts as needed. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. IRS implemented a system change in January 2007 that corrected debit balance taxpayer accounts affected by the programming error; Status per GAO: Open. We will evaluate the effectiveness of IRS's corrective action during our fiscal year 2008 audit. ID no.: 07-13; Recommendation: Establish procedures and specify in the IRM that at the time of receipt, employees recording taxpayer payments should (1) determine if the payment is more than sufficient to cover the tax liability of the tax period specified on the payment or earliest outstanding tax period, (2) perform additional research to resolve any outstanding issues on the account, (3) determine whether the taxpayer has outstanding balances in other tax periods, and (4) apply available credits to satisfy the outstanding balances in other tax periods. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Open. The Deputy Commissioner for Services and Enforcement issued a memorandum to all functions titled "Service wide Action to Prevent Late Lien Releases," in January 2007. The memorandum directed manual lien releases when systemic processes do not release liens. Based on the memorandum, IRS revised several IRM sections. In addition, IRS plans to revise IRM 5.1.2 by May 2008 to include all four elements contained in this recommendation; Status per GAO: Open. During our fiscal year 2007 audit, we identified issues that resulted in the untimely release of a tax lien. We will continue to review IRS's corrective actions to address this issue during our fiscal year 2008 audit[Empty]. ID no.: 07-14; Recommendation: Establish procedures and specify in the IRM that employees review taxpayer accounts with freeze codes that contain credits weekly to (1) research and resolve any outstanding issues on the account, (2) determine whether the taxpayer has outstanding balances in other tax periods, and (3) apply available credits to satisfy the outstanding balances in other tax periods. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Open. IRS completed programming changes in January 2007 that allow lien releases regardless of freeze codes. In addition, the Deputy Commissioner for Services and Enforcement issued a memorandum to all functions titled "Service wide Action to Prevent Late Lien Releases," in January 2007. The memorandum directed manual lien releases when systemic processes do not release liens. Based on the memorandum IRS revised several IRM sections. Finally, IRS plans to revise IRM 5.1.2 by May 2008 to include all of the elements contained in this recommendation; Status per GAO: Open. During our fiscal year 2007 audit, we identified issues that resulted in the untimely release of a tax lien. We will continue to review IRS's corrective actions to address this issue during our fiscal year 2008 audit. ID no.: 07-15; Recommendation: Issue a memorandum to employees in the Centralized Insolvency Office reiterating the IRM requirement to timely record bankruptcy discharge information onto taxpayer accounts in the master file or to manually release the liens in the Automated Lien System (ALS). (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Open. In order to facilitate timely lien releases, IRS put a new "My Eureka" report in place for the Centralized Insolvency Office. IRS generates and resolves issues on this report weekly. IRS revised IRM 5.9.17.11.6 in March 2007 to reference the report and request manual lien releases. Campus Compliance analysts conduct reviews quarterly to ensure appropriate actions are taken. However, IRS's fiscal year 2007 OMB Circular No. A-123 review of its lien release process identified two lien release errors associated with bankruptcy discharges. Therefore, IRS has added new action items to the Lien Release Action Plan, to establish new controls and oversight by management in CIO and Field Insolvency to ensure that IRM guidelines are followed and new procedures for Field Insolvency. In addition, IRS identified an instance where Field Insolvency failed to release a lien after an Exempt/Abandoned Asset review. Therefore, Collection Policy will review Field Insolvency by June 30, 2008, and consider the addition of new corrective actions to reduce lien errors based on this issue; Status per GAO: Open. During our fiscal year 2007 audit, we identified issues that resulted in the untimely release of a tax lien. We will continue to review IRS's corrective actions to address this issue during our fiscal year 2008 audit. ID no.: 07-16; Recommendation: Issue a memorandum to employees in the Centralized Lien Processing Unit reiterating the IRM requirement to date stamp and maintain the billing support voucher as evidence of timely processing by IRS. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. The IRM for the Centralized Lien Unit (CLU) provides specific direction to date stamp and maintain billing support vouchers (BSVs) as evidence of timely releases of federal tax liens. In November 2006 CLU began a new process of scanning BSVs, and associating BSVs with Specific Lien Identification (SLID) numbers in order to ensure that BSVs are retrievable and show that liens were timely released. IRS trained employees on this process as it was rolled out. In May 2007 IRS completed the 2007 OMB Circular No. A-123 review on the timeliness of lien releases. The review found that BSVs were stamped appropriately in all cases reviewed; Status per GAO: Closed. In our review of IRS's fiscal year 2007 OMB circular No. A-123 lien testing results, we verified that IRS was able obtain the date stamped billing vouchers for all of its sample items. ID no.: 07-17; Recommendation: Monitor installment agreement user fee activity on a regular basis. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 07-689R, May 11, 2007); Status per IRS: Closed. The collection activity reports (CAR) capture data each month on installment agreement activity. The number of installment agreements, number of user fees paid and user fee dollar amounts are extracted from the installment agreement reports. These reports are utilized by Headquarters to conduct month-to-month and year- to-year comparisons for trend analysis. Headquarters will monitor collections on the CAR and balance those collections against what is projected and what is in the financial system, and use historical trends to identify issues; Status per IRS: Open. IRS's actions to monitor and analyze installment agreement user fee collections at headquarters were initiated after our fiscal year 2007 audit was completed. We will review and evaluate IRS's efforts to monitor installment agreement user fee activity during our fiscal year 2008 audit. ID no.: 07-18; Recommendation: Adjust errors in recorded installment agreement user fees as necessary to correctly reflect the user fees IRS earned and collected from taxpayers. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Open. A sweep process that collects paid fees and records them in the user fee account has been established. Effective January 2008, the sweep is run weekly to ensure accurate and more timely accounting of fee dollars; Status per GAO: Open. The action described in IRS's response does not fully ensure that recorded installment agreement user fees correctly reflect user fees earned and collected from taxpayers because it is not designed for that purpose. IRS's sweep (recovery) process is designed to identify and correct for unrecorded user fees collected with the initial installment agreement payment but incorrectly posted against the taxpayer's debt (tax module). We will continue to review and evaluate IRS's efforts to address issues related to installment agreement user fees during our fiscal year 2008 audit. ID no.: 07-19; Recommendation: Establish sufficient review procedures to help ensure that adjustments to installment agreement user fees collected from taxpayers are accurately and timely recorded. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Closed. Steps to ensure appropriate assessment and collection of user fees are already in place. The user fee category on the Installment Agreement Accounts Listing (IAAL) compares unpaid and overpaid user fee money and makes adjustments accordingly. The IAAL for W&I is consolidated at one site. For both W&I and SBSE, the IAAL is subjected to Planning and Analysis Support, Managerial, Operations and Headquarters review; Status per GAO: Open. IRS was in the process of updating its operating procedures to account for and record new installment agreement user fee amounts when we completed our fiscal year 2007 audit. We will review and evaluate IRS's use of the IAAL and Managerial, Operations, and Headquarters review processes during our fiscal year 2008 audit. ID no.: 07-20; Recommendation: Establish and maintain sufficient secured storage space to properly secure and safeguard its property and equipment inventory, including in-stock inventories assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-07-689R, May 11, 2007); Status per IRS: Open. IRS is identifying locations that need additional secured storage space and will obtain the necessary space as appropriate. Scheduled completion date is October 1, 2009. Processes and procedures are in place for business units to request space, either secured or non-secured. AWSS negotiated processes and procedures with the business units that are now part of AWSS's Senior Commissioner Representative Handbook. Business units needing secured space must follow established guidance. Also, processes have been set for business units to approve and fund their space requests; Status per GAO: Open. IRS has implemented a plan to obtain additional secured storage space as deemed necessary, with a scheduled completion date of October 1, 2009. We will monitor IRS's corrective actions during our fiscal years 2008 and 2009 audits. ID no.: 07-21; Recommendation: Develop and implement procedures to require that separate individuals place orders with vendors and perform receipt and acceptance functions when the orders are delivered. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 07-689R, May 11, 2007); Status per IRS: Closed. IRS updated the IRM in September 2007 and sent a reminder to those with acquisition authority about the IRS acquisition procedures developed in December 2002. The update included reference to Policy and Procedures Memorandum No. 46.5, "Receipt, Quality Assurance and Acceptance," reiterating requirements for separation of duties; Status per GAO: Open. Our fiscal year 2007 review of internal controls over property and equipment revealed that at least one IRS employee was permitted to place orders with vendors and perform receipt and acceptance functions when the orders were delivered. We will continue to evaluate IRS's corrective actions during our fiscal year 2008 audit. ID no.: 07-22; Recommendation: Document the results of internal control tests conducted in a manner sufficiently clear and complete to explain how control procedures were tested, what results were achieved, and how conclusions were derived from those results, without reliance on supplementary oral explanation. (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Open. In the fiscal year 2007 A-123 cycle, IRS expanded its A-123 guidance, improved review procedures, and improved training. As IRS prepares for the fiscal year 2008 A-123 cycle, it plans to continue to further enhance its in-house training and has instituted procedures to address the clarity and completeness of its explanations; Status per GAO: Open. We will follow up during future audits to assess IRS's progress in implementing its OMB Circular No. A-123 review procedures. ID no.: 07-23; Recommendation: Clearly document how it considered existing reviews and audits in determining the nature, scope, and timing of procedures it planned to conduct under its A-123 process.; Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Open. In fiscal year 2007, IRS made progress on this recommendation by adding a requirement to test plan templates to document audits reviewed. During the fiscal year 2008 planning phase, IRS plans to fully document the existing reviews and audits; Status per GAO: Open. We will follow up during future audits to assess IRS's progress in implementing its OMB Circular No. A-123 review procedures. ID no.: 07-24; Recommendation: To the extent that it intends to use the information security work conducted under the Federal Information Security Management Act of 2002 (FISMA) to meet related A-123 requirements, identify the areas where the work conducted under FISMA does not meet the requirements of OMB Circular No. A-123 and, considering the findings and recommendations of our work on IRS's information security, expand FISMA procedures or perform additional procedures as part of the A-123 reviews to augment FISMA work. (short- term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Open. IRS plans to continue to work with the Department of the Treasury and GAO to fully implement OMB Circular No. A-123 requirements for evaluating controls over information technology relating to financial statement reporting; Status per IRS: Open. We will follow up during future audits to assess IRS's progress in implementing its OMB Circular No. A-123 review procedures. ID no.: 07-25; Recommendation: Revise A-123 test plans to include appropriate consideration of the design of internal controls in addition to implementation of controls over individual transactions. (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Open. IRS is piloting a limited set of fiscal year 2008 test plans, which include an analysis of the design for each transaction control set tested, with full implementation expected in the fiscal year 2009 A-123 cycle; Status per GAO: Open. We will follow up during future audits to assess IRS's progress in implementing its OMB Circular No. A-123 review procedures. ID no.: 07-26; Recommendation: Work with Treasury to identify laws and regulations that are significant to financial reporting, test controls over compliance with those laws and regulations, and evaluate and report on the results of such control reviews. (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Open. In fiscal year 2007, IRS established an internal crosswalk between A-123 tests and laws and regulations significant to financial reporting. IRS plans to further refine this linkage for the fiscal year 2008 A-123 process; Status per GAO: Open. We will follow up during future audits to assess IRS's progress in implementing its OMB Circular No. A-123 review procedures. ID no.: 07-27; Recommendation: Begin devising appropriate A-123 follow- up procedures for the last 3 months of the fiscal year to be implemented once the material weaknesses identified through the annual financial statement audits have been resolved. (short-term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Open. Although implementation of such procedures is not necessary until elimination of the outstanding material weaknesses, IRS plans to develop follow-up procedures that provide assurance for the last 3 months of the fiscal year; Status per GAO: Open. We will follow up during future audits to assess IRS's progress in implementing its OMB Circular No. A-123 review procedures. ID no.: 07-28; Recommendation: Provide A-123 review staff appropriate training, such as that available for financial auditors, to enhance their skills in workpaper documentation, identification and testing of internal controls, and evaluation and documentation of results. (short- term); Source report: Management Report: IRS's First Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123 (GAO-07-692R, May 18, 2007); Status per IRS: Open. IRS has enhanced training at the beginning of each A-123 cycle to include an external course designed for financial auditors on preparing workpapers. IRS evaluated results from fiscal year 2007 and has incorporated improvements to the fiscal year 2008 training to ensure its curriculum addresses issues in testing approach, testing methodology, workpaper reviews, and lessons learned; Status per GAO: Open. We will follow up during future audits to assess IRS's progress in implementing its OMB Circular No. A-123 review procedures. ID no.: 08-01; Recommendation: As IRS proceeds with its implementation of CDDB, it should verify that when it becomes fully operational, CDDB, when used in conjunction with IRACS, will provide IRS with the direct transaction traceability for all of its tax-related transactions as required by the U.S. Standard General Ledger (SGL), Federal Financial Management System Requirements (FFMSR), and thus Federal Financial Management Improvement Act of 1996 (FFMIA). (long-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-02; Recommendation: Document and implement the specific procedures to be performed by the IRS statistician in each step of the unpaid assessment estimation process. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-03; Recommendation: Document and implement specific detailed procedures for reviewers to follow in their review of unpaid assessments statistical estimates. Specifically, IRS should require that a detailed supervisory review be performed to ensure: (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll- forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-04; Recommendation: To address the inconsistency in assigning the effective date of an accuracy penalty, modify the Business Master File computer program so that the date of the deficiency assessment is used as the effective date of any related accuracy penalty. (long-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-05; Recommendation: Complete and document the review of existing programs in the master files that affect penalty calculations to identify any instances in which programs are not functioning in accordance with the intent of the IRM. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-06; Recommendation: In instances where computer programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-07; Recommendation: Develop and provide comprehensive guidance to assist TAC managers to use in conducting reviews of outlying TACS and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-08; Recommendation: Establish a process to periodically update and communicate the specific required reviews for all off-site TAC managers. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-09; Recommendation: Establish a mechanism to monitor compliance with existing requirement that TAC employees responsible for accepting taxpayer payments in cash have their computer system access appropriately restricted to limit their ability to adjust taxpayer accounts. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-10; Recommendation: Establish procedures requiring periodic verification that all individuals designated as first responders to TAC duress alarms are appropriately qualified and geographically located to respond to the potentially dangerous situations in an effective and timely manner. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-11; Recommendation: Modify the IRM to specify qualifications and geographical proximity requirements for individuals designated as first responders to duress alarms at IRS facilities, and to require that the responsibilities and qualifications of all designated first responders be periodically reviewed to verify that over time, they continue to be qualified and appropriately located, and to make any necessary adjustments. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-12; Recommendation: Establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to TAC and other field offices. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-13; Recommendation: Require including, in all shredding service contracts, provisions requiring (1) completed background investigations for contractor employees before they are granted access to sensitive IRS information and (2) periodic, unannounced inspections at off-site shredding facilities by IRS to verify ongoing compliance with IRS safeguards and security requirements. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-14; Recommendation: Revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; document the results, including identification of any security issues; and verify that the contractor has taken appropriate corrective actions on any security issues observed. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-15; Recommendation: Establish procedures to require obtaining and reviewing documentation of completed background investigations for all shredding contractors before granting them access to taxpayer or other sensitive IRS information. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-16; Recommendation: Reinforce existing policies requiring the use of the revised Form 13094 when hiring juveniles. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-17; Recommendation: Reinforce existing policies requiring verification of the information on Form 13094 by contacting the reference directly and documenting the details of this contact. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-18; Recommendation: Issue a memorandum to Receipt Control Operations Unit staff reiterating existing requirements for (1) supervisory reviews of the processing of TE/GE user fee deposits and (2) key documentation to be signed and dated by the supervisor as evidence of that review. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-19; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase card approving officials and purchase cardholders sign and date monthly account statements attesting to their review and completion of the required reconciliation process. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-20; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase cardholders obtain funding approval or verify that funds are available for the intended purpose prior to making a purchase. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO- 08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-21; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase card approving officials update and maintain appropriate supporting documentation. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-22; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase cardholders and purchase card approving officials retain copies of all supporting documents for a reasonable period of time, such as 3 years. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-23; Recommendation: Issue a memorandum addressed to all personnel responsible for updating inventory records that reiterates IRS's existing policy requiring that new assets be inputted into the inventory system within 10 days after receipt. (short-term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open. This is a recent recommendation. We will review IRS's corrective actions during future audits. ID no.: 08-24; Recommendation: Issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approvals of travel authorizations prior to the initiation of their travel. (short- term); Source report: Management Report: Improvements Needed in IRS's Internal Controls (GAO-08-368R, June 2008); Status per IRS: Because this is a recent recommendation, GAO did not obtain information on IRS's status in addressing it; Status per GAO: Open: This is a recent recommendation. We will review IRS's corrective actions during future audits. Source: IRS updates detailing its actions to address GAO's recommendations and GAO's analysis of IRS's actions. [End of table] [End of section] Appendix II: Open Recommendations Arranged by Control or Compliance Issue: Financial Reporting: IRS does not have financial management systems adequate to enable it to accurately generate and report, in a timely manner, the information needed to both prepare financial statements and manage operations on an ongoing basis. To overcome these systemic deficiencies with respect to preparation of its annual financial statements, IRS was compelled to employ extensive compensating procedures. Specifically, IRS (1) did not have an adequate general ledger system for tax-related transactions, and (2) was unable to readily determine the costs of its activities and programs and did not have cost-based performance information to assist in making or justifying resource allocation decisions. As a result, IRS does not have real-time data needed to assist in managing operations on a day-to-day basis and to provide an informed basis for making or justifying resource allocation decisions. Table 12: Material Weakness: Controls over Financial Reporting: ID no.: 99-25; Recommendation: Ensure that additional staff are employed or existing staff appropriately cross-trained to be able to perform the master file extractions and other ad hoc procedures needed for IRS to continually develop reliable balances for financial reporting purposes. (short- term); Control Activity: Management of human capital. ID no.: 99-29; Recommendation: Develop the data to support meaningful cost information categories and cost-based performance measures. (long- term); Control Activity: Establishment and review of performance measures and indicators. ID no.: 01-39; Recommendation: Develop a mechanism to track and report the actual costs associated with reimbursable activities. (long-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 02-08; Recommendation: Implement policies and procedures to require that all employees itemize on their time cards the time spent on specific projects. (long-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 02-09; Recommendation: Implement policies and procedures to allocate nonpersonnel costs to programs and activities on a routine basis throughout the year. (long-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 08-01; Recommendation: As IRS proceeds with its implementation of CDDB, it should verify that when it becomes fully operational, CDDB, when used in conjunction with IRACS, will provide IRS with the direct transaction traceability for all of its tax-related transactions as required by the U.S. Standard General Ledger (SGL), Federal Financial Management System Requirements (FFMSR), and thus Federal Financial Management Improvement Act of 1996 (FFMIA). (long-term); Control Activity: Appropriate documentation of transactions and internal controls. Source: GAO analysis of financial management recommendations made to IRS. [End of table] Unpaid Tax Assessments: IRS has serious internal control issues that affected its management of unpaid tax assessments. Specifically, (1) IRS lacked a subsidiary ledger for unpaid tax assessments that would allow it to produce accurate, useful, and timely information with which to manage and report externally, and (2) IRS experienced errors and delays in recording taxpayer information, payments, and other activities. Table 13: Material Weakness: Controls over Unpaid Assessments: ID. No.: 94-02; Recommendation: Monitor implementation of actions to reduce the errors in calculating and reporting manual interest on taxpayer accounts, and test the effectiveness of these actions. (short- term); Control Activity: Accurate and timely recording of transactions and events. ID. No.: 99-01; Recommendation: Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts related to a single assessment are appropriately credited for payments received. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID. No.: 99-03; Recommendation: Ensure that IRS's modernization blueprint includes developing a subsidiary ledger to accurately and promptly identify, classify, track, and report all IRS unpaid assessments by amount and taxpayer. This subsidiary ledger must also have the capability to distinguish unpaid assessments by category in order to identify those assessments that represent taxes receivable versus compliance assessments and write-offs. In cases involving TFRP, the subsidiary ledger should ensure that (1) the TFRP assessment is appropriately tracked for all taxpayers liable but counted only once for reporting purposes and (2) all payments made are properly credited to the accounts of all individuals assessed for the liability. (short- term); Control Activity: Accurate and timely recording of transactions and events. ID. No.: 99-20; Recommendation: Analyze and determine the factors causing delays in processing and posting Trust Fund Recovery Penalty (TFRP) assessments. Once these factors have been determined, IRS should develop procedures to reduce the impact of these factors and to ensure timely posting to all applicable accounts and proper offsetting of refunds against unpaid assessments before issuance. (long-term); Control Activity: Accurate and timely recording of transactions and events. ID. No.: 07-11; Recommendation: Correct the penalty calculation programs in the master file so that penalties are calculated in accordance with the applicable Internal Revenue Code and implementing IRM guidance. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID. No.: 07-12; Recommendation: Research each of the taxpayer accounts that may have been affected by the penalty programming errors to determine whether they contain overassessed penalties and correct the accounts as needed. (short-term); Control Activity: Accurate and timely recording of transactions and events. Source: GAO analysis of financial management recommendations made to IRS. [End of table] Tax Revenue and Refunds: IRS does not, at present, have agencywide cost-benefit information, related cost-based performance measures, or a systematic process for ensuring it is using its resources to maximize its ability to collect what is owed and minimize the disbursements of improper tax refunds in the context of its overall mission and responsibilities. These deficiencies inhibit IRS's ability to appropriately assess and routinely monitor the relative merits of its various initiatives and adjust its strategies as needed. This, in turn, can significantly affect both the level of tax revenue collected and the magnitude of improper refunds paid. Table 14: Material Weakness: Controls over Revenues and Issuing Refunds: ID no.: 01-04; Recommendation: As an alternative to prematurely suspending active collection efforts, and using the best available information, develop reliable cost-benefit data relating to collection efforts for cases with some collection potential. These cost-benefit data would include the full cost associated with the increased collection activity (i.e., salaries, benefits, administrative support), as well as the expected additional tax collections generated. (short-term); Control Activity: Establishment and review of performance measures and indicators. ID no.: 01-12; Recommendation: For (1) IRS's Automated Underreporter (AUR) and Combined Annual Wage Reporting (CAWR) programs, (2) screening and examination of Earned Income Tax Credit claims, and (3) identifying and collecting previously disbursed improper refunds, use the best available information to develop reliable cost-benefit data to estimate the tax revenue collected by, and the amount of improper refunds returned to, IRS for each dollar spent pursuing these outstanding amounts. These data would include (1) an estimate of the full cost incurred by IRS in performing each of these efforts, including the salaries and benefits of all staff involved, as well as any related nonpersonnel costs, such as supplies and utilities and (2) the actual amount (a) collected on tax amounts assessed and (b) recovered on improper refunds disbursed. (long-term); Control Activity: Establishment and review of performance measures and indicators. Source: GAO analysis of financial management recommendations made to IRS. [End of table] Information Security: Significant weaknesses in information security controls continue to threaten the confidentiality, integrity, and availability of IRS's financial processing systems and information. IRS has weaknesses in controls for protecting access to systems and information, as well as other information security controls that affect key financial systems- -particularly IFS and IRACS. For example, sensitive information, including user identification, passwords, and software code for mission- critical applications, was accessible on an internal Web site to anyone who could connect to IRS's internal network--without having to log in to the network. The information gained through this access could be used to alter data flowing to and from IFS. In addition, configuration flaws in the mainframe allowed users unrestricted access to all programs and data on the mainframe, including IRACS. Because this access was not controlled by the security system, no security violation logs would be created, reducing IRS's ability to detect unauthorized access. Weaknesses also existed in other areas, such as protecting against unauthorized physical access to sensitive computer resources and patching servers to protect against known vulnerabilities. Material Weakness: Controls over Information Systems Security: Although IRS has made some progress in addressing previous weaknesses we identified in its information systems security controls and physical security controls, these and new weaknesses in information systems security continue to impair IRS's ability to ensure the confidentiality, integrity, and availability of financial and tax- processing systems. As of January 2008, there were 76 open recommendations from our information systems security work designed to help IRS improve its information systems security controls. Our recommendations resulting from our information systems security work are reported separately and are not included in this report primarily because of the sensitive nature of some of those issues. Hard-Copy Tax Receipts and Taxpayer Information: IRS manually processes hundreds of billions of dollars of hard-copy taxpayer receipts and related taxpayer information at its service center campuses, field office taxpayer assistance centers, other field office units, and commercial lockbox banks. However, we have identified weaknesses in IRS's controls designed to safeguard these taxpayer receipts and information which increase the risk that receipts in the form of checks, cash, and the like could be misappropriated or that the information could be compromised. Table 15: Significant Deficiency: Controls over Hard-Copy Receipts and Taxpayer Information: ID no.: 99-22; Recommendation: Expand IRS's current review of campus deterrent controls to include similar analyses of controls at IRS field offices in areas such as courier security, safeguarding of receipts in locked containers, requirements for fingerprinting employees, and requirements for promptly overstamping checks made out to "IRS" with "Internal Revenue Service" or "United States Treasury." Based on the results, IRS should make appropriate changes to strengthen its physical security controls. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 02-16; Recommendation: Ensure that field office management complies with existing receipt control policies that require a segregation of duties between employees who prepare control logs for walk-in payments and employees who reconcile the control logs to the actual payments. (short- term); Control Activity: Segregation of duties. ID no.: 04-08; Recommendation: Enforce policies and procedures to ensure that service center campus security guards respond to alarms. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 05-11; Recommendation: Enforce adherence to existing instructions on safeguarding taxpayer receipts and information, such as securing access and candling procedures, at service center campuses selected for significant reductions in their submission processing functions. (short- term); Control Activity: Access restrictions to and accountability for resources and records. ID no.: 05-13; Recommendation: Enforce its existing requirement that appropriate background investigations be completed for contractors before they are granted staff-like access to service centers. (short- term); Control Activity: Access restrictions to and accountability for resources and records. ID no.: 05-14; Recommendation: Require that background investigation results for contractors (or evidence thereof) be on file where necessary, including at contractor worksites and security offices responsible for controlling access to sites containing taxpayer receipts and information. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 05-32; Recommendation: Establish policies and procedures to require appropriate segregation of duties in small business/self- employed units of field offices with respect to preparation of payment posting vouchers, document transmittal forms, and transmittal packages. (short- term); Control Activity: Segregation of duties. ID no.: 05-33; Recommendation: Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports compiled by the service center teller units receiving the information. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 06-01; Recommendation: Require that Refund Inquiry Unit managers or supervisors document their review of all forms used to record and transmit returned refund checks prior to sending them for final processing. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 06-02; Recommendation: Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one IRS facility to another, including SCCs, TACs, and units within Large and Mid-sized Business (LMSB) and Tax-Exempt and Government Entities (TE/GE), establish a system to track acknowledged copies of document transmittals. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 06-04; Recommendation: Require that managers or supervisors document their reviews of document transmittals to ensure that taxpayer receipts and/or taxpayer information mailed between IRS locations are tracked according to guidelines. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 06-05; Recommendation: Equip all Taxpayer Assistance Centers (TACs) with adequate physical security controls to deter and prevent unauthorized access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be reconfigured to the "new TAC" model in the near future. This includes appropriately separating customer service waiting areas from restricted areas in the near future by physical barriers such as locked doors marked with signs barring entrance by unescorted customers. (short- term); Control Activity: Physical control over vulnerable assets. ID no.: 06-07; Recommendation: Document supervisory visits by offsite managers to TACS not having a manager permanently on-site. This documentation should be signed by the manager and should (1) record the time and date of the visit, (2) identify the manager performing the visit, (3) indicate the tasks performed during the visit, (4) note any problems identified, and (5) describe corrective actions planned. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 06-08; Recommendation: Enforce the requirement that all security or other responsible personnel at service center campuses (SCC) and lockbox banks record all instances involving the activation of intrusion alarms regardless of the circumstances that may have caused the activation. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 06-15; Recommendation: Revise the physical security procedures in the Internal Revenue Manual (IRM) to require that all SCCs and any respective annex facilities processing taxpayer receipts and/or information perform and document monthly tests of the facility's intrusion detection alarms. At a minimum, these procedures should (1) outline the type of test to be conducted, (2) include criteria for assessing whether the controls used to respond to the alarm were effective, and (3) require that a logbook be maintained to document the test dates, results, and response information. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 07-01; Recommendation: Enforce the existing policy requiring that all lockbox banks encrypt backup media containing federal taxpayer information. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 07-02; Recommendation: Ensure that lockbox banks store backup media containing federal taxpayer information at an off-site location as required by the 2006 Lockbox Security Guidelines. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 07-03; Recommendation: Revise instructions for the annual reviews of lockbox banks to encompass routine monitoring of backup media containing personally identifiable information to ensure that this information is (1) encrypted prior to transmission and (2) stored in an appropriate off-site location. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 07-04; Recommendation: Develop and implement appropriate corrective actions for any gaps in closed circuit TV (CCTV) camera coverage that do not provide an unobstructed view of the entire exterior of the SCC's perimeter, such as adding or repositioning existing CCTV cameras or removing obstructions. (short-term); Control Activity: Physical control over vulnerable assets. ID no.: 08-07; Recommendation: Develop and provide comprehensive guidance to assist TAC managers to use in conducting reviews of outlying TACS and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 08-08; Recommendation: Establish a process to periodically update and communicate the specific required reviews for all off-site TAC managers. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 08-09; Recommendation: Establish a mechanism to monitor compliance with existing requirement that TAC employees responsible for accepting taxpayer payments in cash have their computer system access appropriately restricted to limit their ability to adjust taxpayer accounts. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 08-10; Recommendation: Establish procedures requiring periodic verification that all individuals designated as first responders to TAC duress alarms are appropriately qualified and geographically located to respond to the potentially dangerous situations in an effective and timely manner. (short-term); Control Activity: Management of human capital. ID no.: 08-11; Recommendation: Modify the IRM to specify qualifications and geographical proximity requirements for individuals designated as first responders to duress alarms at IRS facilities, and to require that the responsibilities and qualifications of all designated first responders be periodically reviewed to verify that over time, they continue to be qualified and appropriately located, and to make any necessary adjustments. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 08-12; Recommendation: Establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to TAC and other field offices. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 08-13; Recommendation: Require including, in all shredding service contracts, provisions requiring (1) completed background investigations for contractor employees before they are granted access to sensitive IRS information, and (2) periodic, unannounced inspections at off-site shredding facilities by IRS to verify ongoing compliance with IRS safeguards and security requirements. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 08-14; Recommendation: Revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information, document the results, including identification of any security issues, and verify that the contractor has taken appropriate corrective actions on any security issues observed. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 08-15; Recommendation: Establish procedures to require obtaining and reviewing documentation of completed background investigations for all shredding contractors before granting them access to taxpayer or other sensitive IRS information. (short-term); Control Activity: Access restrictions to and accountability for resources and records. ID no.: 08-16; Recommendation: Reinforce existing policies requiring the use of the revised Form 13094 when hiring juveniles. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 08-17; Recommendation: Reinforce existing policies requiring verification of the information on Form 13094 by contacting the reference directly and documenting the details of this contact. (short- term); Control Activity: Management of human capital. Source: GAO analysis of financial management recommendations made to IRS. [End of table] Release of Federal Tax Liens: IRS did not always release the applicable federal tax lien within 30 days of the tax liability being either paid off or abated, as required by the Internal Revenue Code. The Internal Revenue Code grants IRS the power to file a lien against the property of any taxpayer who neglects or refuses to pay all assessed federal taxes. The lien serves to protect the interest of the federal government and as a public notice to current and potential creditors of the government's interest in the taxpayer's property. Under section 6325 of the Internal Revenue Code, IRS is required to release federal tax liens within 30 days after the date the tax liability is satisfied or has become legally unenforceable or the Secretary of the Treasury has accepted a bond for the assessed tax. Table 16: Compliance with Laws and Regulations: Timely Release of Liens: ID no.: 01-06; Recommendation: Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the delays in releasing tax liens identified by our work and prior work by IRS's former internal audit function and ensure that such procedures effectively address these issues. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 07-13; Recommendation: Establish procedures and specify in the IRM that at the time of receipt, employees recording taxpayer payments should (1) determine if the payment is more than sufficient to cover the tax liability of the tax period specified on the payment or earliest outstanding tax period, (2) perform additional research to resolve any outstanding issues on the account, (3) determine whether the taxpayer has outstanding balances in other tax periods, and (4) apply available credits to satisfy the outstanding balances in other tax periods. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 07-14; Recommendation: Establish procedures and specify in the IRM that employees review taxpayer accounts with freeze codes that contain credits weekly to (1) research and resolve any outstanding issues on the account, (2) determine whether the taxpayer has outstanding balances in other tax periods, and (3) apply available credits to satisfy the outstanding balances in other tax periods. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 07-15; Recommendation: Issue a memorandum to employees in the Centralized Insolvency Office reiterating the IRM requirement to timely record bankruptcy discharge information onto taxpayer accounts in the master file or to manually release the liens in the Automated Lien System (ALS). (short-term); Control Activity: Appropriate documentation of transactions and internal controls. Source: GAO analysis of financial management recommendations made to IRS. [End of table] Other Control Issues: The recommendations listed below do not rise to the level of a significant deficiency or a material weakness. However, these issues do represent weaknesses in various aspects of IRS's control environment that should be addressed. Table 17: Other Control Issues Not Associated with a Material Weakness or Significant Deficiency: ID no.: 99-36; Recommendation: Make enhancements to IRS financial systems to include recording plant and equipment (P&E) and capital leases as assets when purchased and to generate detailed records for P&E that reconcile to the financial records. (long-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 01-17; Recommendation: Develop a subsidiary ledger for leasehold improvements and implement procedures to record leasehold improvement costs as they occur. (long-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 02-18; Recommendation: Work with the National Finance Center (NFC) to resolve the technical limitations that exist within the Security Entry and Tracking System (SETS) database and continue to periodically review SETS data to detect and correct errors. (short- term); Control Activity: Controls over Information processing. ID no.: 05-37; Recommendation: Enforce documentation requirements relating to authorizing officials charged with approving manual refunds. (short- term); Control Activity: Proper execution of transactions and events. ID no.: 05-38; Recommendation: Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 05-39; Recommendation: Enforce requirements for documenting monitoring actions and supervisory review for manual refunds. (short- term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 06-22; Recommendation: Direct Facilities Management Branch managers to research and resolve the aging reports (short-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 07-08; Recommendation: Require that managers or supervisors provide the manual refund initiators in their units with training on the most current requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring actions to prevent the issuance of duplicate refunds. (short-term); Control Activity: Management of human capital. ID no.: 07-09; Recommendation: Enhance its computer program to check for outstanding tax liabilities associated with both the primary and secondary Social Security numbers shown on a joint tax return and apply credits to those balances before issuing any refund. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 07-17; Recommendation: Monitor installment agreement user fee activity on a regular basis. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 07-18; Recommendation: Adjust errors in recorded installment agreement user fees as necessary to correctly reflect the user fees IRS earned and collected from taxpayers. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 07-19; Recommendation: Establish sufficient review procedures to help ensure that adjustments to installment agreement user fees collected from taxpayers are accurately and timely recorded. (short- term); Control Activity: Reviews by management at the functional or activity level. ID no.: 07-20; Recommendation: Establish and maintain sufficient secured storage space to properly secure and safeguard its property and equipment inventory, including in-stock inventory assets from incoming shipments, and assets that are in the process of being excessed and/or shipped out. (short- term); Control Activity: Physical control over vulnerable assets. ID no.: 07-21; Recommendation: Develop and implement procedures to require that separate individuals place orders with vendors and perform receipt and acceptance functions when the orders are delivered. (short- term); Control Activity: Segregation of duties. ID no.: 07-22; Recommendation: Document the results of internal control tests conducted in a manner sufficiently clear and complete to explain how control procedures were tested, what results were achieved, and how conclusions were derived from those results, without reliance on supplementary oral explanation. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 07-23; Recommendation: Clearly document how it considered existing reviews and audits in determining the nature, scope, and timing of procedures it planned to conduct under its A-123 process. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 07-24; Recommendation: To the extent that it intends to use the information security work conducted under the Federal Information Security Management Act of 2002 (FISMA) to meet related A-123 requirements, identify the areas where the work conducted under FISMA does not meet the requirements of OMB Circular No. A-123 and, considering the findings and recommendations of our work on IRS's information security, expand FISMA procedures or perform additional procedures as part of the A-123 reviews to augment FISMA work. (short- term); Control Activity: Reviews by management at the functional or activity level. ID no.: 07-25; Recommendation: Revise A-123 test plans to include appropriate consideration of the design of internal controls in addition to implementation of controls over individual transactions. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 07-26; Recommendation: Work with Treasury to identify laws and regulations that are significant to financial reporting, test controls over compliance with those laws and regulations, and evaluate and report on the results of such control reviews. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 07-27; Recommendation: Begin devising appropriate A-123 follow- up procedures for the last three months of the fiscal year to be implemented once the material weaknesses identified through the annual financial statement audits have been resolved. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 07-28; Recommendation: Provide A-123 review staff appropriate training, such as that available for financial auditors, to enhance their skills in workpaper documentation, identification and testing of internal controls, and evaluation and documentation of results. (short- term); Control Activity: Management of human capital. ID no.: 08-02; Recommendation: Document and implement the specific procedures to be performed by the IRS statistician in each step of the unpaid assessment estimation process. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 08-03; Recommendation: Document and implement specific detailed procedures for reviewers to follow in their review of unpaid assessments statistical estimates. Specifically, IRS should require that a detailed supervisory review be performed to ensure: (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll- forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct. (short-term); Control Activity: Management of human capital. ID no.: 08-04; Recommendation: To address the inconsistency in assigning the effective date of an accuracy penalty, modify the Business Master File computer program so that the date of the deficiency assessment is used as the effective date of any related accuracy penalty. (long-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 08-05; Recommendation: Complete and document the review of existing programs in the master files that affect penalty calculations to identify any instances in which programs are not functioning in accordance with the intent of the IRM. (long-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 08-06; Recommendation: In instances where computer programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 08-18; Recommendation: Issue a memorandum to Receipt Control Operations Unit staff reiterating existing requirements for (1) supervisory reviews of the processing of TE/GE user fee deposits, and (2) key documentation to be signed and dated by the supervisor as evidence of that review. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 08-19; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase card approving officials and purchase cardholders sign and date monthly account statements attesting to their review and completion of the required reconciliation process. (short-term); Control Activity: Reviews by management at the functional or activity level. ID no.: 08-20; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase cardholders obtain funding approval or verify that funds are available for the intended purpose prior to making a purchase. (short-term); Control Activity: Proper execution of transactions and events. ID no.: 08-21; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase card approving officials update and maintain appropriate supporting documentation. (short-term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 08-22; Recommendation: Modify existing guidelines to provide for detailed internal control procedures requiring that purchase cardholders and purchase card approving officials retain copies of all supporting documents for a reasonable period of time, such as three years. (short- term); Control Activity: Appropriate documentation of transactions and internal controls. ID no.: 08-23; Recommendation: Issue a memorandum addressed to all personnel responsible for updating inventory records that reiterates IRS's existing policy requiring that new assets be inputted into the inventory system within 10 days after receipt. (short-term); Control Activity: Accurate and timely recording of transactions and events. ID no.: 08-24; Recommendation: Issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approvals of travel authorizations prior to the initiation of their travel. (short- term); Control Activity: Proper execution of transactions and events. Source: GAO analysis of financial management recommendations made to IRS. [End of table] [End of section] Appendix III: Comments from the Internal Revenue Service: Department Of The Treasury: Internal Revenue Service: Washington, D.C. 20224: June 24, 2008: Mr. Steven J. Sebastian: Director: Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, N.W.: Washington, D.C. 20548: Dear Mr. Sebastian: I am writing in response to the Government Accountability Office (GAO) draft report titled, IRS: Status of GAO Financial Audit and Related Financial Management Report Recommendations (GAO-08-693). As GAO noted in the report, IRS continues to make significant progress in improving our internal controls and financial management as evidenced by eight consecutive years of clean audit opinions on our financial statements. We are pleased that you acknowledged our progress in addressing our financial management challenges and agreed to close 18 prior year financial management recommendations. We are committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. If you have any questions, please contact Alison Doone, Chief Financial Officer, at (202) 622-6400. Sincerely, Signed by: Douglas H. Shulman [End of section] Appendix IV Staff Acknowledgments: GAO Contact: Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov: Acknowledgments: In addition to the contact named above, the following individuals made major contributions to this report: William J. Cordrey, Assistant Director; Gloria Cano; Stephanie Chen; Nina Crocker; John Davis; Charles Ego; Charles Fox; Valerie Freeman; Ted Hu; Delores Lee; John Sawyer; Angel Sharma; Peggy Smith; Cynthia Teddleton; and Gary Wiggins. [End of section] Footnotes: [1] Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Part of the actions required by agencies and individual federal managers includes taking proactive measures to develop and implement appropriate, cost-effective internal control for results-oriented management; to assess the adequacy of internal control in federal programs and operations; to identify needed improvements; and to take corresponding corrective actions. [2] A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. A significant deficiency is a control deficiency, or combination of deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected. A control deficiency exists when the design or operation of a control does not allow management or employees, in the course of performing their assigned functions, to prevent or detect misstatements on a timely basis. [3] GAO, Management Report: Improvements Needed in IRS's Internal Controls, GAO-08-368R (Washington, D.C.: June 4, 2008). [4] GAO, Financial Audit: IRS's Fiscal Years 2007 and 2006 Financial Statements, GAO-08-166 (Washington, D.C.: Nov. 9, 2007). [5] GAO, Standards for Internal Control in the Federal Government, GAO/ AIMD-00-21.3.1 (Nov. 1999). [6] The circular requires agencies and individual federal managers to take systematic and proactive measures to (1) develop and implement appropriate, cost-effective internal control for results-oriented management; (2) assess the adequacy of internal control in federal programs and operations; (3) separately assess and document internal control over financial reporting consistent with the process defined in Appendix A of the circular; (4) identify needed improvements; (5) take corresponding corrective action; and (6) report annually on internal control through management assurance statements. [7] GAO, Internal Control Standards: Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001). [8] GAO/AIMD-12.19.6 (Washington, D.C.: January 1999). FISCAM contains guidance for reviewing information system controls that affect the security of computerized data (revised June 2001). [9] GAO, Internal Revenue Service: Status of Financial Audit and Related Financial Management Report Recommendations, GAO-07-629 (Washington, D.C.: June 7, 2007). [10] GAO-08-368R. [11] We define short-term recommendations as those that we believe could be addressed within 2 years at the time we made the recommendation. We define long-term recommendations as those we expected to require 2 years or more to implement at the time we made the recommendation. [12] The vast majority of federal tax payments are made for both businesses and individuals via the Electronic Federal Tax Payment System. [13] Information security controls include electronic access controls, software change controls, physical security, segregation of duties, and service continuity. These controls are designed to ensure that access to data is appropriately restricted, only authorized changes to computer programs are made, physical access to sensitive computing resources and facilities is protected, computer security duties are segregated, and backup and recovery plans are adequate to ensure the continuity of essential operations. [14] GAO, Information Security: IRS Needs to Address Pervasive Weaknesses, GAO-08-211 (Washington, D.C.: Jan. 8, 2008). [15] Most refunds are generated automatically. However, under certain circumstances, IRS processes refunds manually to expedite payment. Such refunds include those over $10 million, those requested by taxpayers for immediate payment due to hardship or emergency, those to beneficiaries of deceased taxpayers, and those that need to be expedited because IRS is in jeopardy of paying interest for exceeding the 45-day limit for processing a return. [16] GAO -08-166. GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: