This is the accessible text file for GAO report number GAO-05-247R 
entitled 'Management Report: Improvements Needed in IRS's Internal 
Controls' which was released on April 27, 2005.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

April 27, 2005:

The Honorable Mark W. Everson:

Commissioner of Internal Revenue:

Subject: Management Report: Improvements Needed in IRS's Internal 
Controls:

Dear Mr. Everson:

In November 2004, we issued our report on the results of our audit of 
the Internal Revenue Service's (IRS) financial statements as of, and 
for the fiscal years ending, September 30, 2004 and 2003, and on the 
effectiveness of its internal controls as of September 30, 
2004.[Footnote 1] We also reported our conclusions on IRS's compliance 
with significant provisions of selected laws and regulations and on 
whether IRS's financial management systems substantially comply with 
requirements of the Federal Financial Management Improvement Act of 
1996. A separate report on the implementation status of recommendations 
from our prior IRS financial audits and related financial management 
reports, including this one, will be issued shortly.

The purpose of this report is to discuss issues identified during our 
fiscal year 2004 audit regarding internal controls that could be 
improved for which we do not currently have any recommendations 
outstanding. Although not all of these issues were discussed in our 
fiscal year 2004 audit report, they all warrant management's 
consideration. This report contains 30 recommendations that we are 
proposing IRS implement to improve its internal controls. We conducted 
our audit in accordance with U.S. generally accepted government 
auditing standards. We requested and received written comments on a 
draft of this report from the Commissioner of Internal Revenue.

Results in Brief:

During our fiscal year 2004 audit, we identified a number of internal 
control issues that adversely affected safeguarding of tax receipts and 
information, refunds to taxpayers, and lien resolutions. These issues 
concern (1) enforcement of IRS contractor background investigation 
policies, (2) omission of certain provisions related to contingency 
plans and taxpayer privacy in lockbox bank[Footnote 2] service 
contracts, (3) verification of lockbox bank deposits, (4) procedures 
for handling taxpayer receipts and information by couriers, (5) 
safeguarding sensitive systems and equipment in lockbox banks, (6) 
candling procedures, (7) monitoring and verifying recording and 
transmittal of taxpayer receipts and information, (8) controls over 
automated refund disbursements, (9) controls over authorization of 
manual refunds, and (10) resolution of liens with manually calculated 
interest or penalties.

Specifically, we found the following:

* At three IRS service centers we visited, some contractors who had not 
undergone background investigations and, in some cases, for whom 
background investigation requests had not been submitted, were granted 
staff-like access[Footnote 3] to restricted areas. In addition, at one 
service center we visited, the security office did not maintain files 
onsite that documented the status of background investigations for 
contractors with staff-like access to restricted areas.

* At three lockbox banks we visited, courier contingency plans did not 
cover all the contingencies specified in the "Lockbox Processing 
Guidelines" (LPG),[Footnote 4] and at another lockbox bank we visited, 
there was no courier contingency plan on file. In addition, at one of 
the lockbox banks we visited, the courier contract did not contain the 
language set out in the LPG related to privacy laws applicable to 
handling taxpayer information, and at three of the lockbox banks we 
visited, shredding contracts did not include required privacy 
provisions.

* At three lockbox banks we visited, we found that receipts for 
deposits delivered by courier services to depositories did not always 
indicate the time and date the deposits were received. We also found 
that two of these lockbox banks did not obtain deposit receipts from 
their couriers.

* For several courier services transporting taxpayer receipts and 
information, we found that procedures for handling taxpayer receipts 
and information at lockbox banks, service centers, or both were not 
always followed. This included (1) couriers not always transporting 
taxpayer receipts and information directly to their destination, (2) a 
courier vehicle containing a pickup that was left unattended, (3) 
transfer of taxpayer receipts and information from one courier vehicle 
to another, (4) solo couriers transporting taxpayer receipts and 
information, and (5) couriers not wearing required uniforms.

* At one lockbox bank we visited, the electrical and water shutoff 
valves were in an area where janitors kept their supplies and which 
they accessed daily, and the shutoff valves were not locked to prevent 
tampering. The security system control panel was located in the same 
area, and the keys to the panel were left on top of the panel. There 
were no surveillance cameras monitoring this room.

* At one lockbox bank we visited, a high-speed machine was used to 
extract checks from and candle[Footnote 5] envelopes, but no visual 
inspection or second candling was performed on envelopes opened by this 
machine. In addition, at one service center we visited, the candling 
tables in the final candling area did not provide sufficient light to 
enable personnel to ensure that all contents had been removed from 
envelopes.

* At the two IRS field offices we visited, we found that internal 
controls were not always properly followed to ensure that recording and 
transmittal of taxpayer receipts and information were adequately 
monitored and verified.

* At one of the service centers we visited to review refund procedures, 
IRS did not have adequate controls in place to prevent automated 
disbursements of improper refunds related to taxpayer accounts under 
investigation for potential unreported taxes.

* At the two service centers we visited to review refund procedures, 
controls over authorization of manual refunds were not effective.

* At the five lien units[Footnote 6] we visited, personnel were not 
properly verifying manual interest and penalty calculations for 
taxpayer accounts with liens with manually calculated interest or 
penalties.

The issues noted above increase the risk that (1) taxpayer receipts and 
information could be lost, stolen, misused, or destroyed; (2) improper 
refunds to taxpayers could be disbursed; and (3) liens could be 
released before taxpayers have paid the full amount of interest or 
penalties due.

At the end of our discussion of each of these issues in the following 
sections, we make recommendations for strengthening IRS's internal 
controls. These recommendations are intended to bring IRS into 
conformance with its own policies and with the internal control 
standards that all federal agencies are required to follow.[Footnote 7]

In its comments, IRS substantially agreed with our recommendations and 
described actions it had taken or planned to take to address the 
control weaknesses described in this report. At the end of our 
discussion of each of the issues in this report, we have summarized 
IRS's related comments and provided our evaluation.

Scope and Methodology:

As part of our audit of IRS's fiscal years 2004 and 2003 financial 
statements, we tested IRS's internal controls and its compliance with 
selected provisions of laws and regulations. We designed our audit 
procedures to test relevant controls, including those for proper 
authorization, execution, accounting, and reporting of transactions. 
This report addresses issues we observed during our fiscal year 2004 
audit. For issues related to safeguarding tax receipts, we visited four 
lockbox banks, four IRS service centers, and two IRS field offices; for 
issues related to tax refunds, we visited two IRS service centers; and 
for issues related to liens, we visited five IRS lien units.

Further details on our audit scope and methodology are included in our 
report on the results of our audits of IRS's fiscal years 2004 and 2003 
financial statements[Footnote 8] and are reproduced in enclosure II.

Enforcement of IRS Contractor Background Investigation Policies:

During our fiscal year 2004 audit, we found control deficiencies 
related to contractor employee background investigations at three of 
the four service centers we visited. Specifically, at one of these 
three service centers, IRS had not submitted paperwork for new 
clearances for 10 contractors with staff-like access even though their 
background investigations did not meet requirements that took effect in 
July 2000, including the requirement that such investigations be 
conducted by IRS's National Background Investigation Center. IRS did 
not submit paperwork for new clearances for these contractors until 
January 29, 2004--several years after they had been granted access. At 
another of these three service centers, one contractor who had not 
undergone the required background investigation--and for whom there was 
no evidence that a background investigation had been requested--had had 
staff-like access to restricted areas at the center for more than a 
year and a half. At the third of the three service centers, two 
contractors, one with access to restricted areas and the other with 
staff-like access to the service center, had not had the required 
background investigation. In addition, at one of the service centers we 
visited, the security office responsible for granting contractors 
unescorted access to restricted areas did not maintain files onsite 
that documented the status of background investigations for contractors 
with access to restricted areas.

IRS requires that all contractors have successfully completed a 
background investigation conducted by the National Background 
Investigation Center before being granted access to taxpayer receipts 
and information. Further, GAO's Standards for Internal Control in the 
Federal Government requires agencies to establish controls to safeguard 
vulnerable assets. Until IRS ensures that only contractors who have 
successfully met background investigation requirements have access to 
taxpayer receipts and sensitive information and that service center 
security offices can verify that these requirements have been met, the 
federal government will be unnecessarily exposed to the risk of loss, 
theft, or abuse of taxpayer receipts and information.

Recommendations:

We recommend that IRS:

* enforce its existing requirement that appropriate background 
investigations be completed for contractors before they are granted 
staff-like access to service centers and

* require that background investigation results for contractors (or 
evidence thereof) be on file where necessary, including at contractor 
worksites and security offices responsible for controlling access to 
sites containing taxpayer receipts and information.

IRS Comments and Our Evaluation:

IRS agreed with our recommendation that background investigation 
results for contractors (or evidence thereof) be on file, where 
necessary, and stated that the Physical Security Program Office will 
work with the Business Operating Divisions and Procurement staff to 
determine if the interagency agreement with the Financial Management 
Service (FMS) should be modified to include a requirement for lockbox 
banks to maintain background investigation files. IRS stated that it 
has addressed the issues that gave rise to our recommendation that it 
enforce its existing requirement that appropriate background 
investigations be completed for contractors before they are granted 
staff-like access to service centers. IRS indicated that it has 
implemented steps to monitor and enforce existing requirements related 
to background checks for contractors. We will evaluate the 
effectiveness of IRS's efforts during our fiscal year 2005 financial 
audit.

Required Provisions in Lockbox Bank Service Contracts:

Lockbox banks enter into contracts with service providers for a variety 
of services, including transport of taxpayer receipts and information 
by couriers and shredding of taxpayer information prior to its 
disposal.

During our fiscal year 2004 audit, we found that the contract for 
courier services at one of the four lockbox banks lacked the language 
set out in the LPG that would acknowledge the legal restrictions on a 
courier's handling of taxpayer information. These legal restrictions 
are imposed by the Privacy Act of 1974[Footnote 9] and certain 
provisions of the Internal Revenue Code. We also found that contracts 
for shredding services at three of the four lockbox banks failed to 
include the mandatory provisions required for complying with federal 
law related to safeguarding taxpayer information. The LPG requires that 
the contracts include the safeguard provisions required by the Internal 
Revenue Code. Omission of privacy-related provisions from lockbox 
courier or shredding contracts increases the risk of unauthorized 
disclosure of taxpayer information.

In addition to the omission of contract provisions, we found problems 
in contract implementation during our fiscal year 2004 audit. We found 
that courier contract disaster contingency plans for three of the four 
lockbox banks we visited did not address all required contingencies. 
The other lockbox bank we visited did not have a courier disaster 
contingency plan on file. The LPG requires that before a contractor 
provides courier services to a lockbox bank, the contractor is to 
provide the lockbox bank with a disaster contingency plan. The plan 
must cover labor disputes, employee strikes, inclement weather, natural 
disasters, traffic accidents, and unforeseen events. Incomplete or 
inaccessible courier contingency plans increase the risk that courier 
service could be disrupted and that taxpayer receipts might not be 
timely deposited and taxpayer accounts might not be timely updated.

Recommendations:

We recommend that IRS:

* require that courier contracts call for couriers to submit 
contingency plans to lockbox banks,

* review lockbox bank courier contingency plans to help ensure that 
they incorporate all contingencies specified in the LPG,

* revise the LPG to specify that courier contingency plans be available 
at the lockbox banks, and

* review lockbox bank courier and shredding contracts to ensure that 
they address all privacy-related criteria and include clear reference 
to privacy-related laws and regulations.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations concerning lockbox bank courier 
contingency plans and adherence to requirements for inclusion of 
privacy-related requirements in lockbox bank courier and shredding 
contracts. To address these recommendations, IRS stated that (1) the 
LPG has been updated to require that courier services provide lockbox 
banks with a disaster contingency plan before their contract is 
implemented; (2) lockbox bank courier contingency plans have been 
reviewed by Lockbox Coordinators to ensure that the plans address all 
contingencies specified in the LPG; (3) the LPG would be updated by 
April 15, 2005, to require all lockbox banks to have the courier 
contingency plan available on site; and (4) the LPG had been updated on 
January 1, 2005, to specifically address privacy-related criteria, 
including references to pertinent sections of the Internal Revenue Code 
and the Privacy Act of 1974. We have verified the above-noted 
enhancements to the LPG during our ongoing fiscal year 2005 audit, and 
we will evaluate their effectiveness as we proceed with the audit. 
During the fiscal year 2005 financial audit, we will also evaluate the 
effectiveness of IRS's efforts with respect to reviewing lockbox bank 
courier contingency plans for completeness.

Verification of Lockbox Bank Deposits:

During our fiscal year 2004 audit, in reviewing deposit receipts--
receipts for deposits delivered by courier services to depositories--
maintained by courier services under contract to lockbox banks, we 
found that deposit receipts for three of the lockbox banks we visited 
did not always indicate the time and date deposits were received by 
depositories. In addition, we found that two of these lockbox banks did 
not obtain the deposit receipts from their courier services to verify 
that the depositories had in fact received the deposits in a timely 
manner.

GAO's Standards for Internal Control in the Federal Government requires 
that all transactions be clearly documented and that documentation be 
readily available for examination. Although the LPG requires that 
lockbox bank couriers, upon delivery of packages to designated sites, 
annotate time of delivery, it does not require that deposit receipts be 
time- and date-stamped or that they be returned to the lockbox bank. 
Unless receipts bear evidence of time and date of deposit and are 
promptly returned, lockbox banks cannot expeditiously verify timely 
deposit of receipts, thereby increasing the risk of theft or loss of 
taxpayer receipts and the risk that such theft or loss might not be 
promptly detected.

Recommendations:

We recommend that IRS:

* revise the LPG to require that (1) lockbox couriers promptly return 
deposit receipts to the lockbox banks following delivery of taxpayer 
remittances to depositories and (2) lockbox banks promptly review the 
returned deposit receipts;

* revise the LPG to require that deposit receipts for taxpayer 
remittances be time- and date-stamped; and

* better enforce the LPG requirement that lockbox bank couriers 
annotate the time of delivery on receipts for deposits of taxpayer 
remittances.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations concerning revisions to the LPG to 
require prompt return and review of deposit receipts and time- and 
date-stamping of deposit receipts. IRS also agreed with our recommendation 
that it better enforce the LPG requirement that lockbox bank couriers 
annotate the time of delivery on receipts for deposits of taxpayer 
remittances. To address these recommendations, IRS stated that it had 
updated the LPG on January 1, 2005, to require that lockbox bank sites 
(1) receive back by the next business day the original completed 
Receipt for Transport of IRS Lockbox Bank Deposit form with the bank 
representative's name and signature, date, and time the deposit was 
received by the depository and (2) daily reconcile the Receipt for 
Transport of IRS Lockbox Bank Deposit form(s) to ensure receipt of 
dedicated service (i.e., that the time between the lockbox bank's 
release of the deposit to the courier and the courier's release of the 
deposit to the depository bank is not excessive). We have verified 
during our ongoing fiscal year 2005 financial audit that IRS updated 
the LPG, and we will evaluate the effectiveness of these enhancements 
as we proceed with the 2005 audit.

Procedures for Handling Taxpayer Receipts and Information by Couriers:

We have previously reported on various security weaknesses related to 
courier services at IRS service centers, field offices, and lockbox 
banks.[Footnote 10] IRS has made an effort to address such weaknesses 
by adopting more stringent security standards for the couriers who 
transport IRS's daily deposits to depository institutions. For example, 
IRS implemented a new lockbox courier policy requiring that more 
stringent background investigations of couriers be satisfactorily 
completed before granting them access to taxpayer receipts and 
information.

During our fiscal year 2004 audit, however, we found that IRS did not 
have controls in place to ensure that the courier requirements were 
effectively enforced. Specifically, we found the following:

* Couriers for two of the lockbox banks we visited did not always 
transport taxpayer receipts and information directly to their 
destination. In one case, we observed a courier vehicle make a pickup 
and then drive to and park at another location, where the vehicle and 
its contents remained for the rest of the day. In the other case, we 
observed a courier vehicle stop at an industrial park before proceeding 
to the depository institution.

* A courier van containing the morning pickup from one lockbox bank we 
visited was left unattended for approximately 30 minutes at the courier 
service office.

* Couriers for one lockbox bank made an unauthorized stop and 
transferred the contents of the courier vehicle to a pick-up truck.

* Solo couriers were permitted to transport taxpayer receipts and 
information for one service center and two lockbox banks we visited. At 
the service center, during our review of deposit receipts for the 2 
months prior to our visit, we found that in one instance the center's 
management permitted a solo courier to transport $47 million in 
receipts to the depository institution. Management informed us that it 
permitted this solo delivery because (1) the second courier was sick 
and the courier company was unable to provide another courier; (2) the 
deposit was large; and (3) it was a Friday, and delaying deposit until 
the following Monday would have resulted in loss of interest on the $47 
million over the weekend. With respect to the two lockbox banks, in one 
case we observed a courier vehicle depart the courier company with only 
one courier in the vehicle; in the other case, we observed a courier 
vehicle with two couriers make a pickup at the lockbox bank and then 
drop off one of the couriers before completing the delivery.

* Couriers were not wearing required uniforms at one service center and 
one lockbox bank we visited. At the service center, we observed that 
neither courier transporting deposits to the depository institution was 
wearing the required company logo shirt. In addition, one courier was 
not wearing an identification badge, which had instead been placed on 
the rearview mirror of the transport vehicle. Although lockbox banks 
have other ways to identify couriers, at the lockbox bank on two 
separate occasions, we observed couriers--two couriers in one case and 
one courier in the other case--who were not wearing company uniforms 
pick up taxpayer receipts and information.

Despite IRS's adoption of more stringent security standards for 
couriers who transport IRS's daily deposits to depository institutions, 
the findings above demonstrate that weaknesses continue to exist in 
IRS's enforcement of courier service procedures--specifically, those 
that require (1) courier service drivers to transport taxpayer receipts 
and information directly to their destination, with no stops in 
between; (2) vehicles to always be under the supervision of at least 
one courier and never left unattended; (3) courier service drivers to 
travel in pairs when transporting deposits; and (4) courier service 
drivers for lockbox banks to wear company uniforms. Nonadherence by 
couriers to IRS procedures increases the risk of loss, theft, or misuse 
of taxpayer receipts and information.

Recommendations:

We recommend that IRS:

* provide a written reminder to courier contractors of the need to 
adhere to all courier service procedures;

* periodically verify that contractors entrusted with taxpayer receipts 
and information offsite adhere to IRS procedures; and

* develop alternative back-up plans that are consistent with IRS 
courier policies and procedures to address instances in which only one 
courier reports for transport of taxpayer receipts or information, such 
as requiring that a service center or lockbox bank employee accompany 
the courier to the depository.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations that it provide a written reminder 
to courier contractors of the need to adhere to all courier service 
procedures, periodically verify that contractors entrusted with 
taxpayer receipts and information adhere to IRS procedures, and develop 
alternative back-up plans to address instances in which only one 
courier reports for transport of taxpayer receipts and information. IRS 
stated that it (1) intends to provide lockbox banks with a reminder to 
adhere to all courier service procedures, (2) has updated the LPG to 
provide that contractor adherence to IRS procedures will be monitored 
during periodic security reviews, and (3) intends to work with FMS to 
develop a plan by June 30, 2005, to address instances in which only one 
courier reports for transport of taxpayer receipts and information. We 
will evaluate the effectiveness of IRS's efforts during our fiscal year 
2005 financial audit.

Safeguarding Sensitive Systems and Equipment in Lockbox Banks:

At one of the lockbox banks we visited during our fiscal year 2004 
financial audit, we found that the electrical and water shutoff valves 
were in an area where janitors kept their supplies and which they 
accessed daily, and that the shutoff valves were not locked to prevent 
tampering. In addition, the security system control panel was located 
in the same area as the shutoff valves, and the keys to the security 
system control panel were left on top of the panel in this room. At the 
same lockbox bank, we also found that there were no surveillance 
cameras monitoring the security system controls and the water and 
electrical shutoff valves that were located in the janitors' supply 
room.

While the LPG does not address utility feeds located within the lockbox 
facility, it does require that utility feeds at the perimeter of 
lockbox banks be secured with locking devices and physically protected 
to prevent tampering or destruction. According to GAO's Standards for 
Internal Control in the Federal Government, agencies must establish 
physical control to secure and safeguard vulnerable assets, including 
providing security for, and limiting access to, equipment that might be 
vulnerable to unauthorized use. In addition, the LPG requires that 
items that need a higher level of security, including keys, be 
controlled and stored in containers to prevent theft and fraud. With 
respect to security closed-circuit television cameras, the LPG requires 
that they be deployed both generally and at critical locations 
throughout lockbox bank facilities to provide direct visual monitoring 
24 hours a day. Location of critical controls in frequently accessed 
areas and lack of effective monitoring of sensitive systems and 
equipment at lockbox banks increase the risk of unauthorized access, 
which in turn increases the risk of theft and misuse of taxpayer 
receipts and information.

Recommendations:

We recommend that IRS:

* formulate a policy to require that critical utility or security 
controls not be located in areas requiring frequent access,

* require lockbox bank management to position closed-circuit television 
cameras to enable monitoring of secured areas containing sensitive 
systems or controls, and

* periodically monitor lockbox banks' adherence to the LPG requirement 
that keys be kept in secured containers within the secured perimeter.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations concerning safeguarding of 
sensitive systems and equipment in lockbox banks. To require that 
critical utility or security controls not be located in areas requiring 
frequent access, IRS stated its intent to (1) ensure that policy 
guidelines address protection of critical or security controls and (2) 
work with the Business Operating Divisions and Procurement to 
incorporate any revised requirements into updated and future 
interagency agreements with FMS. With respect to requiring lockbox bank 
management to position closed-circuit television cameras to enable 
monitoring of secured areas containing sensitive equipment or controls, 
IRS indicated that as part of its Mission Assurance review process, it 
would review the use of closed-circuit television at the banks and, 
within local constraints, expand surveillance capabilities to include 
utility controls. With respect to periodically monitoring lockbox 
banks' adherence to the LPG requirement that keys be kept in secured 
containers within the secured perimeter, IRS stated that Mission 
Assurance will include controls over keys as part of any and all 
reviews. IRS also indicated that as part of the review process, it will 
work with the lockbox banks and lessors to improve security for keys 
and security panels, irrespective of ownership. We will evaluate the 
effectiveness of IRS's efforts during our fiscal year 2005 financial 
audit.

Candling Procedures:

IRS uses and requires lockbox banks to use a candling process to 
determine if any contents remain in open envelopes received from 
taxpayers before the envelopes are disposed of. Candling is often 
performed by passing the envelopes over a light source, although other 
methods mentioned in the 2004 LPG are also allowed, including opening 
an envelope on three sides and flattening it. The purpose of candling 
is to prevent the accidental destruction of taxpayer receipts and 
information.

As in previous years,[Footnote 11] we observed weaknesses in controls 
over candling of envelopes. The weaknesses we observed during our 
fiscal year 2004 audit are as follows:

* At one of the lockbox banks we visited, the OPEX System 150, a 
high-volume machine that extracts checks from envelopes by opening them on 
three sides, had been deemed by IRS to meet LPG candling requirements 
because the envelopes were flattened and traveled a distance of 3 
linear feet inside the machine before dropping into a bin. The OPEX 
System 150 entails no visual inspection of opened envelopes. Because 
envelopes opened by the OPEX System 150 are not visually inspected when 
they are laid flat, there is no assurance that all their contents have 
been properly removed. During our visit, we observed the envelopes 
falling into a bin, with no one watching them as they dropped. Once the 
bin was full, the envelopes were put into a garbage can to be shredded.

* At one service center we visited, we observed light bulbs in candling 
tables in the final candling area that did not provide sufficient light 
for staff to see whether contents remained in opened envelopes.

The 2004 LPG candling requirement was unclear with respect to the 
number of candlings required for envelopes processed by OPEX equipment. 
Although the LPG stated that "envelopes must be candled twice before 
destruction" either through a light source or by splitting the 
envelopes on three sides and flattening them, the same section of the 
LPG also stated that splitting envelopes on three sides and flattening 
them "is sufficient to meet candling requirements without further light 
source viewing." IRS has no written guidelines for minimum wattage of 
bulbs in candling tables. Weaknesses in candling procedures increase 
the potential for inadvertent loss or destruction of taxpayer receipts.

Recommendations:

We recommend that IRS:

* assess technologies that may be exempt from the visual inspection 
requirement to determine whether they are acceptable methods of 
satisfying candling objectives and, if so, add such technologies to the 
LPG list of accepted candling methods;

* conduct an assessment of the costs and benefits of relying on only 
one candling when using certain automated equipment;

* clarify the LPG to eliminate confusion about the number of candlings 
required for different extraction methods; and

* establish guidelines and a testing requirement to ensure satisfactory 
lighting conditions for effective candling.

IRS Comments and Our Evaluation:

IRS indicated that it has taken action to address issues that gave rise 
to our recommendations to (1) assess technologies that may be exempt 
from the visual inspection requirement to determine whether they are 
acceptable methods of satisfying candling objectives and, if they are, 
add them to the LPG list of accepted candling methods and (2) assess 
the costs and benefits of relying on only one candling when using 
certain automated equipment. IRS agreed with our recommendation to 
clarify the LPG to eliminate confusion about the number of candlings 
required for different extraction methods. IRS indicated that to 
address the issues raised by these recommendations, it added a 
provision to the 2005 LPG specifying that envelopes opened (either 
manually or by OPEX) on three or more sides must be candled once on the 
candling tables. During our ongoing fiscal year 2005 audit, we verified 
that IRS had made this change to the LPG, and we will evaluate the 
effectiveness of this enhancement as the audit progresses. IRS also 
agreed with our recommendation to establish guidelines and a testing 
requirement to ensure satisfactory lighting conditions for effective 
candling. IRS stated that additional work is needed to strengthen the 
current procedures in the Internal Revenue Manual (IRM) and that it is 
in the process of reviewing and strengthening these procedures. We will 
evaluate the effectiveness of IRS's efforts during our fiscal year 2005 
financial audit.

Monitoring and Verifying Recording and Transmittal of Taxpayer Receipts 
and Information:

When an IRS field office receives taxpayer receipts and returns, it is 
responsible for recording the information received and sending it to a 
service center for further processing with a transmittal form listing 
the documents included in the package. However, at the two IRS field 
offices we visited, we found multiple instances in which internal 
controls were not in place to ensure that recording and transmittal of 
taxpayer receipts and information were adequately monitored and 
verified:

At one field office, there was a lack of segregation of duties with 
respect to handling taxpayer receipts. We observed in seven Small 
Business/Self-Employed (SB/SE) units[Footnote 12] that the individuals 
responsible for preparing Payment Posting Vouchers were the same 
individuals who recorded the information from those vouchers on 
Document Transmittal forms, which list the contents of a package sent 
from one IRS location to another, and mailed those forms to the IRS 
service center. At the other field office, we observed that there was 
no independent review of documents or payments before they were mailed 
by their preparer to the service center for processing, nor was there 
any independent reconciliation of the information on the Document 
Transmittal forms to those documents or payments. In addition, at the 
same field office, there was no independent review or reconciliation of 
payments recorded on Daily Report of Collection Activity forms, which 
are used to list and transmit tax receipts and returns to service 
centers, to the actual payments that accompanied the forms before the 
payments were sent to the service center for processing.

One of the field offices sent Daily Report of Collection Activity forms 
to a service center without listing those forms on, and enclosing with 
them, a Document Transmittal form, as required by the IRM.[Footnote 13] 
Only packages containing a single Daily Report of Collection Activity 
form do not require an accompanying Document Transmittal form.

One of the field offices we visited did not use a logbook for filing 
Document Transmittal forms, and two units at the other field office had 
no system in place for maintaining and monitoring acknowledgments of 
Document Transmittal forms.

There was no evidence of management review of five units' Document 
Transmittal form logbooks at one of the field offices.

GAO's Standards for Internal Control in the Federal Government requires 
that key duties and responsibilities be segregated among different 
people to reduce the risk of error or fraud. In addition, according to 
the IRM, if a unit sends individually sealed envelopes in one package 
to the service center, the package must contain a Document Transmittal 
form listing the enclosed Daily Report of Collection Activity forms and 
the respective tracking information. The IRM also requires that senders 
establish a control to ensure delivery of tax receipts and information 
to IRS service centers and follow up within 10 work days on packages 
not acknowledged by the center. Not adequately accounting for taxpayer 
receipts because of insufficient review, reconciliation, monitoring, 
and segregation of duties increases the risk of error and fraud and, 
therefore, the potential for loss, theft, and misuse of taxpayer 
receipts.

Recommendations:

We recommend that IRS:

* establish policies and procedures to require appropriate segregation 
of duties in SB/SE units of field offices with respect to preparation 
of Payment Posting Vouchers, Document Transmittal forms, and 
transmittal packages;

* enforce the requirement that a Document Transmittal form listing the 
enclosed Daily Report of Collection Activity forms be included in 
transmittal packages, using such methods as more frequent inspections 
or increased reliance on error reports compiled by the service center 
teller units receiving the information;

* establish a procedure for SB/SE field office units to track Document 
Transmittal forms and acknowledgements of receipt of Document 
Transmittal forms; and

* require evidence of managerial review of recording, transmittal, and 
receipt of acknowledgments of taxpayer receipts and information.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations. To establish policies and 
procedures to require appropriate segregation of duties in SB/SE units 
of field offices with respect to preparation of Payment Posting 
Vouchers, Document Transmittal forms, and transmittal packages, IRS 
indicated that it will (1) establish a procedure for SB/SE field office 
units to track Document Transmittal forms and acknowledgements of 
receipt of Document Transmittal forms and (2) strengthen its guidance 
to revenue officers and develop procedures specifically for field 
clerical staff. To enforce the requirement that a Document Transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, IRS stated that its procedures will 
clarify that (1) the designated clerical contacts are responsible for 
bundling sealed envelopes into a single package for overnight mail to 
Submission Processing pursuant to the IRM and (2) the designated 
clerical contacts are to prepare a Document Transmittal form and send 
the prepared package to Submission Processing via overnight mail. IRS 
stated that these procedures will direct the designated clerical 
contact to retain a control copy of the Document Transmittal form and 
the overnight mail transmittal until the receipted copy of the Document 
Transmittal form is returned from Submission Processing. In addition, 
IRS said that it intends to require that the transmittal and the 
acknowledgement be reconciled monthly, with appropriate follow-up as 
required. IRS also stated its intent to issue a memorandum to all Field 
Assistance employees reminding them to adhere to these IRM requirements 
and to add this as a review item for operational reviews conducted by 
Field Assistance headquarters and area personnel. To establish a 
procedure for SB/SE field office units to track Document Transmittal 
forms and acknowledgements of receipt of Document Transmittal forms, 
IRS stated that it will clarify its procedures to require that managers 
ensure continuous coverage of the designated clerical contact duties so 
that absence due to illness or leave does not disrupt the processing of 
remittances. With respect to a requirement for evidence of managerial 
review of recording, transmittal, and receipt of acknowledgements of 
taxpayer receipts and information, IRS indicated that it will establish 
procedures to require documented evidence of such review, but noted 
that it will not implement any procedure that requires 100 percent 
managerial review. We will evaluate the effectiveness of IRS's efforts 
during our fiscal year 2005 financial audit.

Controls over the Generation of Automated Refunds in Automated 
Underreporter Program Cases:

Most refunds are generated automatically by IRS when taxpayers file tax 
returns reflecting a lower tax liability than the amount the taxpayer 
has paid. Upon receipt of a tax return, IRS records the tax liability 
for the appropriate tax period. If the taxpayer's payments and credits 
exceed the tax liability, an automated refund is generated.

In July of each year, after the peak tax filing period,[Footnote 14] 
IRS matches data submitted by taxpayers on their tax returns against 
data submitted to IRS by third parties to report earnings such as 
wages, interest, and dividends. This matching process is a key part of 
IRS's Automated Underreporter Program (AUR). IRS follows up on selected 
discrepancies identified as a result of the AUR to determine the reason 
for the discrepancy and attempt to collect any taxes due. If a 
discrepancy can be resolved by IRS based on review of available 
documentation, the case is closed. Otherwise, an underreporter notice, 
which informs the taxpayer of a proposed change to tax liability, is 
sent to the taxpayer. Because the taxpayer has not yet agreed to an 
additional tax assessment at this point, no tax liability is entered in 
the taxpayer's account. Instead, the underreporter notice includes a 
Consent of Assessment form which the taxpayer is asked to sign and 
return with his or her payment. When IRS receives this form with the 
payment, the form alerts employees to route the payment to the AUR 
unit, which is to record both the payment and the tax assessment in the 
taxpayer's account.

Taxpayers who receive an underreporter notice can choose to agree with 
the proposed additional assessment, disagree and provide reasons, or 
ask for an appeal. Once IRS sends an underreporter notice to a 
taxpayer, an AUR notice indicator is placed on the taxpayer's account 
within IRS's master files.[Footnote 15] IRS typically places a 
different type of indicator--known as a freeze code--on taxpayers' 
accounts that are undergoing examination or investigation. Freeze codes 
temporarily prevent the automated issuance of a refund until the issue 
is resolved and the freeze code is removed. An AUR notice indicator, 
however, does not on its own prevent issuance of an automated refund; 
rather, it serves as notice to other IRS units that AUR has control of 
the case and should be notified before any action is taken. 
Consequently, an automated refund may be improperly generated if a 
taxpayer submits a payment in response to an AUR notice but does not 
return a Consent of Assessment form with the payment.

At one of the two service centers we visited to review refund 
procedures during our fiscal year 2004 audit, we found two instances in 
which IRS generated refunds for taxpayers based on payments received in 
consideration of unpaid taxes identified by AUR. Both taxpayers 
received an AUR notice proposing a change in tax liability because of a 
discrepancy in their tax return, and both submitted a payment to IRS 
indicating agreement with IRS's finding. However, they did not enclose 
with their payment the form that accompanied the underreporter notice 
they received. As a result, IRS employees did not forward the payments 
to the AUR unit and instead recorded them on the taxpayers' accounts. 
Since no form had been received from these taxpayers and, consequently, 
the tax liabilities related to the payments had not been recorded in 
the taxpayers' accounts, the entire payment amounts were interpreted to 
be overpayments and refunds were disbursed. Weaknesses in IRS's 
controls over automated refund disbursements for accounts with AUR 
notice indicators unnecessarily expose the federal government to losses 
due to issuance of improper refunds.

Recommendation:

We recommend that IRS assess options to prevent the generation or 
disbursement of refunds associated with accounts with unresolved AUR 
discrepancies, including placement of a freeze or hold on all such 
accounts, until the AUR review has been completed.
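
The refund decision described in this section, as a simplified model 
added here for illustration (it is not IRS or GAO code). The field 
names, the dollar amounts, and the hold_open_aur option are assumptions; 
the option models the hold the recommendation asks IRS to assess.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Account:
    assessed_liability: Decimal      # tax liability recorded on the account
    payments: Decimal                # payments and credits posted
    freeze_codes: set = field(default_factory=set)
    aur_notice_open: bool = False    # AUR notice indicator (informational only)


def post_aur_payment(acct, amount, proposed_assessment, consent_form_enclosed):
    """Post a payment sent in response to an underreporter notice.

    With the Consent of Assessment form, the payment is routed to the AUR
    unit, which records both the payment and the assessment. Without it,
    only the payment is recorded and the liability is left unchanged.
    """
    acct.payments += amount
    if consent_form_enclosed:
        acct.assessed_liability += proposed_assessment
        # Assumption: recording the assessment resolves the AUR case.
        acct.aur_notice_open = False


def automated_refund(acct, hold_open_aur=False):
    """Return the amount the automated process would refund."""
    overpayment = acct.payments - acct.assessed_liability
    if overpayment <= 0:
        return Decimal("0")
    if acct.freeze_codes:
        # A freeze code blocks automated refunds until it is removed.
        return Decimal("0")
    if hold_open_aur and acct.aur_notice_open:
        # Assumed control: treat an unresolved AUR case like a freeze.
        return Decimal("0")
    # The AUR notice indicator alone does not stop the refund.
    return overpayment


def run_case(consent_form_enclosed, hold_open_aur):
    """Constructed case: return fully paid, AUR proposes 800 more."""
    acct = Account(Decimal("5000"), Decimal("5000"), aur_notice_open=True)
    post_aur_payment(acct, Decimal("800"), Decimal("800"),
                     consent_form_enclosed)
    return automated_refund(acct, hold_open_aur)


if __name__ == "__main__":
    print("no form, no hold :", run_case(False, False))
    print("no form, hold    :", run_case(False, True))
    print("form enclosed    :", run_case(True, False))
```
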

IRS Comments and Our Evaluation:

IRS indicated that its existing procedures address the issue that gave 
rise to this recommendation. However, IRS stated that AUR will partner 
with Submissions Processing to ensure that employees receiving 
unidentified remittances are aware of the need to conduct IDRS research 
and how to properly post AUR remittances in these instances. We will 
evaluate the effectiveness of IRS's efforts during our fiscal year 2005 
financial audit.

Controls over Authorization of Manual Refunds:

During our fiscal year 2004 financial audit, we found weaknesses in 
IRS's controls over the authorization of manual refunds at both of the 
service centers we visited to review refund procedures during our 
fiscal year 2004 audit. These weaknesses resulted primarily from IRS 
employees not consistently adhering to policies and 
procedures intended to prevent disbursement of improper manual 
refunds.[Footnote 16] Specifically, IRS employees did not always (1) 
comply with IRS requirements when authorizing officials to approve 
manual refunds, (2) monitor or review the monitoring of accounts to 
prevent duplicate refunds or document that monitoring had been 
performed, or (3) review computer system command code profiles of 
approving employees and officials who certify that refund payments are 
proper to ensure that these officials did not have access to 
inappropriate command codes that would allow them to both process and 
approve or certify improper refunds.

Authorization to Approve Manual Refunds:

The IRM requires that all manual refunds be approved by officials who 
are designated by managers. To designate approving officials, managers 
are required to submit documents to the Manual Refund Unit that include 
the designated approving official's and manager's names and titles or 
positions, their telephone numbers, their IRS campus or field service 
organizations, their signatures, and a statement by the delegating 
manager certifying that sensitive command codes are not authorized for 
the approving official that would allow the official to both approve 
and process manual refunds.

At both service centers we visited to review refund procedures, 
however, we found that these controls were not always effective.

At one service center, we found documents authorizing approving 
officials that did not contain the delegating manager's signature and 
others that did not contain the authorized approving official's 
signature. We also found the name of an individual on the list of 
designated approving officials that had been on the list for about 9 
months even though the delegating manager had included a statement on 
the document requesting that the name remain on the list for only 90 
days.

At the other service center, we found documents that did not contain 
the name and title or position of the manager submitting the document.

Improper authorization of approving officials for manual refunds 
exposes the federal government to losses due to the increased risk of 
issuance of improper refunds.

Monitoring to Avoid Duplicate Refunds:

As we have previously reported,[Footnote 17] the risk of issuance of 
duplicate refunds is increased because (1) IRS's automated and manual 
refund systems are not adequately coordinated to prevent the issuance 
of a duplicate automated refund if a corresponding manual refund has 
already been generated and (2) manual refunds may not be posted to the 
taxpayer's account in the master file until up to 6 weeks after the 
refund has been issued to the taxpayer, potentially allowing a 
duplicate automated refund to be disbursed in the interim. To mitigate 
this risk, IRS has implemented various procedures, such as a 
requirement for employees who have initiated a manual refund to monitor 
the account to ensure that a duplicate automated refund does not post 
in the interim as a pending transaction. Supervisors are required to 
review the initiator's monitoring actions, and both the initiators and 
supervisors are required to document their monitoring or reviewing 
actions.

We have also previously reported that IRS employees did not always 
monitor accounts to prevent duplicate refunds and that they were not 
required to document their reviews. As a result of a previous 
recommendation we made, IRS revised its procedures to require 
documentation of monitoring actions and supervisory review of 
monitoring actions. However, at both service centers we visited, we 
found that this control was not always effective--IRS employees did not 
always monitor accounts to prevent duplicate refunds, and their 
supervisors did not always review monitoring actions to ensure that 
they were being properly conducted. We also found that IRS employees 
and supervisors did not always document their monitoring or reviewing 
actions. We interviewed nine manual refund initiators and their 
supervisors at the two service centers we visited to review refund 
procedures. During our review of documentation of their monitoring and 
reviewing procedures, we found the following:

Two initiators did not monitor the accounts to prevent duplicate 
refunds.

Of the seven initiators who did monitor the accounts, three did not 
sign and date their monitoring action.

Three initiators' supervisors did not review the monitoring actions.

Of the six supervisors who did review monitoring actions, only one 
documented, signed, and dated the review. Three of these supervisors 
documented but did not sign and date their review, and two did not 
document their review.

These weaknesses increase the risk that account monitoring and related 
reviews may not be conducted on a consistent and timely basis, 
rendering this control ineffective. As a result, IRS does not have 
adequate assurance that accounts are being appropriately monitored to 
prevent duplicate refunds from being paid.

Review and Approval of Command Code Profiles:

IRS uses IDRS, an online data retrieval and entry system, to process 
manual refunds. Employees' level of access to IDRS is determined by 
their specific role and responsibilities. Each employee who uses IDRS 
is assigned a command code profile that determines the type of 
transactions he or she can process. To ensure that approving officials 
do not have sensitive command codes that would allow them to process 
manual refunds in violation of segregation of duties requirements 
implemented to reduce the risk of error or fraud, IRS requires service 
centers to review command code profiles of approving officials. These 
individuals also review command code profiles of certifying officials, 
who are responsible for ensuring that refund payments are correct and 
proper.

At both service centers we visited to review refund procedures during 
our fiscal year 2004 financial audit, however, we found that command 
code profiles of approving and certifying officials were not always 
reviewed as required by the IRM.

At one service center, we found that the individual responsible for the 
review did not review the command code profiles for all authorized 
approving officials. Instead, only employees who had indicated or whose 
manager had indicated that they had been assigned command codes were 
selected for review. The reviewer did not verify that the employees who 
had indicated they did not have assigned command codes had not in fact 
been assigned command codes. In addition, no one at this service center 
reviewed the command code profiles of certifying officials.

At the other service center, we found that no review of command code 
profiles for approving officials had been conducted since July 2000, 
although the IRM requires that a review of the accounts and profiles of 
all users of IRS's network be conducted at least annually. For 
certifying officials at this service center, command code profiles had 
been reviewed monthly. However, since it was a certifying official who 
conducted the reviews, she also reviewed her own command code profile. 
The IRM does not specify who should conduct the reviews.

Because IRS employees did not always adhere to IRM requirements 
specifying control procedures over manual refunds and the IRM was not 
specific as to the timing and assignment of responsibility for 
reviewing command code profiles, the effectiveness of these controls 
was impaired. As a result, the risk is increased that IRS could 
disburse improper manual refunds.
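
One way to automate the command code profile review described in this 
section, added here as an illustration (it is not IRS or GAO code). 
The user names, the command code names, and the record layout are 
constructed placeholders, not real IDRS values.

```python
from datetime import date, timedelta

# Constructed placeholder for codes that would let an official process
# a manual refund; not a real IDRS command code.
SENSITIVE_CODES = {"REFUND_PROCESS"}
REVIEW_INTERVAL = timedelta(days=365)   # "at least annually"

# Constructed sample data.
SAMPLE_OFFICIALS = {
    "approver_a": "approving",
    "approver_b": "approving",
    "certifier_c": "certifying",
    "certifier_d": "certifying",
}
SAMPLE_PROFILES = {
    "approver_a": {"ACCOUNT_VIEW"},
    "approver_b": {"ACCOUNT_VIEW", "REFUND_PROCESS"},
    "certifier_c": {"ACCOUNT_VIEW"},
    "certifier_d": {"ACCOUNT_VIEW"},
}
SAMPLE_REVIEWS = [
    {"subject": "approver_a", "reviewer": "reviewer_x",
     "date": date(2000, 7, 15)},
    {"subject": "approver_b", "reviewer": "reviewer_x",
     "date": date(2004, 6, 1)},
    {"subject": "certifier_c", "reviewer": "certifier_c",
     "date": date(2004, 9, 1)},
    {"subject": "certifier_d", "reviewer": "certifier_c",
     "date": date(2004, 9, 1)},
]


def review_findings(officials, profiles, reviews, as_of):
    """Return (user, issue, detail) tuples for every official.

    Every approving and certifying official is checked against the
    profile data itself, not against what the official or a manager
    reported about assigned command codes.
    """
    findings = []
    for user in sorted(officials):
        held = profiles.get(user, set()) & SENSITIVE_CODES
        if held:
            findings.append((user, "sensitive_code", ",".join(sorted(held))))

        mine = [r for r in reviews if r["subject"] == user]
        if any(r["reviewer"] == user for r in mine):
            findings.append((user, "self_review", "reviewed own profile"))

        # Only reviews by someone else count toward the annual requirement.
        independent = [r["date"] for r in mine if r["reviewer"] != user]
        last = max(independent, default=None)
        if last is None:
            findings.append((user, "no_independent_review", "none on file"))
        elif as_of - last > REVIEW_INTERVAL:
            findings.append((user, "review_overdue", last.isoformat()))
    return findings


if __name__ == "__main__":
    for row in review_findings(SAMPLE_OFFICIALS, SAMPLE_PROFILES,
                               SAMPLE_REVIEWS, date(2004, 9, 30)):
        print(row)
```
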

Recommendations:

We recommend that IRS:

* enforce documentation requirements relating to authorizing officials 
charged with approving manual refunds,

* enforce requirements for monitoring accounts and reviewing monitoring 
of accounts,

* enforce requirements for documenting monitoring actions and 
supervisory review,

* enforce the requirement that command code profiles be reviewed at 
least once annually, and

* specify in the IRM that staff members are not to review their own 
command code profiles.

IRS Comments and Our Evaluation:

IRS agreed with our recommendations concerning controls over 
authorization of manual refunds. With respect to the recommendations 
that call for enforcement of existing documentation, review, and 
monitoring requirements, IRS indicated its intent to remind management 
officials annually of these requirements via memorandum, notice, or 
Alert. IRS noted that as part of the reminder, checksheets will be 
included and a response will be required confirming that these actions 
have been taken. IRS also indicated that it will consider including 
these items in its Management Accountability Review Process. With 
respect to the recommendation that the IRM specify that staff members 
are not to review their own command code profiles, IRS stated that IRM 
wording would be updated and annual memorandums or notices would be 
sent to management officials reminding them that the approver's manager 
is responsible for ensuring that the approver's profiles have 
appropriate restrictions and have been reviewed. We will evaluate the 
effectiveness of IRS's efforts during our fiscal year 2005 financial 
audit.

Resolution of Liens with Manually Calculated Interest or Penalties:

During our fiscal year 2004 financial audit, we found that IRS did not 
properly verify interest or penalties on taxpayers' accounts with 
manually calculated interest or penalties to ensure that these 
taxpayers paid the full amount of taxes due before IRS released tax 
liens associated with their accounts. Specifically, none of the five 
lien units that we visited properly verified manual interest and 
penalties. Personnel at these lien units queried IDRS to see if it 
indicated that an account with a lien with manually calculated interest 
or penalties had been paid in full. If IDRS indicated that such an 
account had been paid in full, lien unit personnel incorrectly 
interpreted this to mean that there were no outstanding interest 
accruals or penalties and thus released the lien. However, IDRS does 
not make the manual interest and penalty calculations. Consequently, if 
IRS personnel do not verify that there are no unassessed interest or 
penalty amounts, they could close an account as having been fully paid 
when there are accumulated amounts of interest or penalties that are 
legally due to the government but that have not been assessed or paid.

Interest on most taxpayer accounts is calculated automatically by IDRS. 
However, IRS must manually calculate interest and penalties on some 
taxpayers' accounts because IDRS has not been programmed with the 
capability to calculate interest and penalties in accordance with 
certain legal requirements. IRS refers to such interest as "restricted 
interest" because IDRS is restricted from making the interest 
computations. For these cases, IRS officials must manually calculate 
the amount of interest or penalties due as of a point in time and 
manually enter the result into IDRS. However, these manually calculated 
interest or penalty amounts are not automatically updated with the 
passage of time to reflect new accruals of interest or penalties--
subsequent calculations of additional interest or penalties must also 
be done manually.

To help ensure that manually calculated interest and penalties are 
determined properly and that all accruals of interest and penalties are 
paid, IRS established a control to prevent the release of liens until 
the amounts of manually calculated interest and penalties are verified. 
Before releasing a lien, IRS automatically routes all accounts with 
manual calculations to the lien units. IRS guidance[Footnote 18] calls 
for lien unit personnel to verify the completeness of manual interest 
or penalty calculations before releasing the lien but does not show how 
this is to be done. Instead, it instructs lien unit personnel to 
"follow local procedures." However, none of the lien unit personnel we 
interviewed had local procedures for verifying the completeness of 
manual interest or penalty calculations. If lien units do not properly 
verify that there are no unassessed interest or penalty amounts for 
accounts with liens with manually calculated interest or penalties, 
there is a risk of loss of revenue to the federal government through 
the premature release of tax liens.

Recommendation:

We recommend that IRS specify in the IRM how to properly verify 
interest and penalties for accounts with liens with manually calculated 
interest or penalties.

IRS Comments and Our Evaluation:

IRS stated that it has taken actions to address the issue that gave 
rise to this recommendation. Specifically, IRS stated that it revised 
the IRM to instruct employees to check IDRS to determine if restricted 
interest or penalty is due. IRS noted that the IRM now clearly states 
that there are only two instances for which restricted interest and 
penalty should not be computed--offer-in-compromise and bankruptcy 
cases. In addition, IRS noted that tax examiners hired to staff the 
Centralized Case Processing Lien Processing Unit were provided hands-on 
training in the computation of restricted interest and penalty and that 
resolution of these cases moved to Centralized Case Processing 
effective February 2005. IRS also stated that the centralized site has 
created a special group of employees who were trained in the resolution 
of restricted interest and penalty cases and that new hires for this 
group will also receive this training. We will evaluate the effectiveness of 
IRS's efforts during our fiscal year 2005 financial audit.

This report contains recommendations to you. The head of a federal 
agency is required by 31 U.S.C. § 720 to submit a written statement on 
actions taken on these recommendations. You should submit your 
statement to the Senate Committee on Homeland Security and Governmental 
Affairs and the House Committee on Government Reform within 60 days of 
the date of this report. A written statement must also be sent to the 
House and Senate Committees on Appropriations with the agency's first 
request for appropriations made more than 60 days after the date of the 
report.

This report is intended for use by the management of IRS. We are 
sending copies to the Chairmen and Ranking Minority Members of the 
Senate Committee on Appropriations; Senate Committee on Finance; Senate 
Committee on Homeland Security and Governmental Affairs; Senate 
Committee on the Budget; Subcommittee on Transportation, Treasury, the 
Judiciary, Housing and Urban Development, and Related Agencies, Senate 
Committee on Appropriations; Subcommittee on Taxation and IRS 
Oversight, Senate Committee on Finance; and Subcommittee on Oversight 
of Government Management, the Federal Workforce, and the District of 
Columbia, Senate Committee on Homeland Security and Governmental 
Affairs. We are also sending copies to the Chairmen and Ranking 
Minority Members of the House Committee on Appropriations; House 
Committee on Ways and Means; House Committee on Government Reform; 
House Committee on the Budget; Subcommittee on Transportation, 
Treasury, and Housing and Urban Development, the Judiciary, District of 
Columbia, House Committee on Appropriations; Subcommittee on Government 
Management, Finance, and Accountability, House Committee on Government 
Reform; and Subcommittee on Oversight, House Committee on Ways and 
Means. In addition, we are sending copies of this report to the 
Chairman and Vice-Chairman of the Joint Committee on Taxation, the 
Secretary of the Treasury, the Director of the Office of Management and 
Budget, the Chairman of the IRS Oversight Board, and other interested 
parties. The report is available at no charge on GAO's Web site at 
http://www.gao.gov.

We acknowledge and appreciate the cooperation and assistance provided 
by IRS officials and staff during our audits of IRS's fiscal years 2004 
and 2003 financial statements. If you have any questions or need 
assistance in addressing these matters, please contact Chuck Fox, 
Assistant Director, at (202) 512-5261. Other major contributors are 
listed in enclosure III.

Sincerely yours,

Signed by: 

Steven J. Sebastian:

Director:

Financial Management and Assurance:

Enclosures-3:

Comments from the Internal Revenue Service:

DEPARTMENT OF THE TREASURY: 
INTERNAL REVENUE SERVICE: 
WASHINGTON, D.C. 20224:

COMMISSIONER:

April 18, 2005:

Mr. Steven J. Sebastian: 
Director:
Financial Management and Assurance: 
U.S. Government Accountability Office: 
441 G Street, N.W.
Washington, D.C. 20548:

Dear Mr. Sebastian:

I am writing in response to your draft of the FY 2004 Management Report 
titled, Improvements Needed in the IRS' Internal Controls 
(GAO-05-247R). I appreciate your continued assistance during our fiscal year 
financial statement audit. I believe the issues you presented in your 
report will help us to take the necessary steps to strengthen our 
controls over safeguarding tax receipts, and to improve financial 
management.

Over the last several years we have made significant progress in 
addressing our financial management challenges, and we have resolved or 
substantially mitigated several material weaknesses in our internal 
controls, including those affecting Treasury Fund balance, budgetary 
activities, and property and equipment. We are pleased, for the first 
time, that your yearly audit report contains no recommendations related 
to operational deficiencies in the Service's administrative accounting 
procedures. Because of the number of open recommendations related to 
lockbox issues, the IRS responsibly designated these issues as a 
reportable condition. We have also developed a comprehensive action 
plan to address the lockbox weaknesses identified in your report and 
will monitor the plan through its implementation. I have enclosed a 
response which addresses each of your 30 recommendations.

In closing, we are committed to improving our internal controls and 
have identified actions to improve the areas identified in your report. 
We look forward to continuing to work with the GAO to overcome the 
weaknesses cited in your report. If you have any questions, please 
contact Janice Lambert, Chief Financial Officer, at (202) 622-6400.

Sincerely,

Signed for: 

Mark W. Everson:

Enclosure:

GAO Recommendations and IRS Responses to GAO FY 2004 Management Report 
Improvements Needed in the IRS' Internal Controls GAO-05-247R:

Recommendation: Enforce IRS' existing requirement that appropriate 
background investigations be completed for contractors before they are 
granted staff-like access to service centers.

Comments: We believe we have addressed this recommendation. We have 
implemented steps to monitor and enforce the requirements we issued on 
September 29, 2003, on the issuance of ID cards to contractors. Our 
guidance requires that a letter from the National Background 
Investigation Center (NBIC) indicating successful completion of at 
least an interim background investigation be received by the issuing 
office before a contractor can be approved for staff-like access to 
IRS. The guidance further stipulates that Physical Security staff 
would, on at least a 6-month basis, make sure that a re-certification 
is received from the Contracting Officers Technical Representatives 
(COTR) and confirms the contractors' need for continued staff-like 
access to the IRS facility. Additionally, as part of the required 
records and accountability process, non-Federal photo ID cards are 
audited annually by the issuing office to reconcile numerical and 
alphabetical files and to assure that ID cards have been recovered upon 
separation or termination of the contract.

Recommendation: Require that background investigation results for 
contractors (or evidence thereof) be on file where necessary, including 
at contractor worksites and security offices responsible for 
controlling access to sites containing taxpayer receipts and 
information.

Comments: We agree with this recommendation. In the guidance memorandum 
we issued on September 29, 2003, the Physical Security Program Office 
requires COTRs to complete and submit a request form for every contract 
employee. Implementation of the standardized form assures that all 
required information is provided in order for the contractor to receive 
its IRS photo ID card. This guidance also requires that a copy of the 
letter from NBIC indicating successful completion of at least an 
interim background investigation be attached to the request form or no 
ID card will be issued. Both documents are maintained by the issuing 
office. The IRS COTR for the lockbox banks verified that all six banks 
currently maintain background investigation records, including copies 
of documents submitted to NBIC and lists of cleared personnel. The 
Physical Security Program Office will work with the Business Operating 
Divisions (BOD) and Procurement to determine if the interagency 
agreement with Financial Management Services (FMS) should be modified 
to include a requirement for lockbox banks to maintain background 
investigation files. The estimated completion date for the review of 
the interagency agreement is November 2005.

Recommendation: Require that courier contracts call for couriers to 
submit contingency plans to lockbox banks.

Comments: We agree with this recommendation. The Lockbox Processing 
Guidelines (LPG) was updated on January 1, 2005--LPG 4.2.3.1 
(01-01-2005) Courier Contingency Plan--to require that prior to implementation 
of the contract, the courier service must provide the lockbox with a 
disaster contingency plan. The contingency plan must cover labor 
disputes, employee strikes, inclement weather, natural disasters, 
traffic accidents, and unforeseen events.

Recommendation: Review lockbox bank courier contingency plans to help 
ensure that they incorporate all contingencies specified in the LPG.

Comments: We agree with this recommendation. Contingency plans were 
provided by all lockbox sites and are part of the Filing Season 
Readiness (FSR) Plan. LPG 4.2.3.1 states "the contingency plan must 
cover labor disputes, employee strikes, inclement weather, natural 
disasters, traffic accidents, and unforeseen events." The Lockbox 
Coordinators reviewed the contingency plans to ensure that these issues 
were addressed.

Recommendation: Revise the LPG to specify that courier contingency 
plans be available at the lockbox banks.

Comments: We agree with this recommendation. LPG 2.1.7 requires each 
lockbox bank to submit an annual FSR Plan. The plan must be submitted 
to the Lockbox Field Coordinators for review to ensure each site is 
prepared for the filing season. Lockbox Field Coordinators will ensure 
all contingencies specified in the LPG are incorporated in the 
contract. Additionally, the LPG will be updated by April 15, 2005, to 
require all lockbox banks to have the courier contingency plan 
available on site.

Recommendation: Review lockbox bank courier and shredding contracts to 
ensure that they address all privacy-related criteria and include clear 
reference to privacy-related laws and regulations.

Comments: We agree with this recommendation. The LPG was updated on 
January 1, 2005--LPG 4.2.3(2), Courier Services--which requires lockbox 
banks to ensure all bonded courier/armored car agreements contain the 
following language: "As an independent contractor, courier/armored car 
company under contract with the Financial Institution (FI), I fully 
understand that much of the information provided to (name of the 
courier/armored car company) and its employees is privileged, legally 
and administratively restricted and falls under the provisions of the 
Privacy Act of 1974 and the Internal Revenue Code (IRC) Sections 6103, 
7213, and 7131. The Privacy Act, the safeguards, and the criminal/civil 
sanctions paragraphs specify (name of the courier/armored car 
company's) responsibility and liability regarding disclosure of this 
information. At the expiration of (name of the courier/armored car 
company's) contract with the FI, (name of the courier/armored car 
company) is required to return all documents in its possession to the 
Internal Revenue Service." We will monitor this action during on-site 
reviews.

Recommendation: Revise the LPG to require that (1) lockbox couriers 
promptly return deposit receipts to the lockbox banks, following 
delivery of taxpayer remittances to depositories and (2) lockbox banks 
promptly review the returned deposit receipts.

Comments: We agree with this recommendation. The LPG was updated on 
January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox 
Bank Deposit Form--which requires the lockbox site to receive back by 
the next business day the original completed Receipt for Transport of 
IRS Lockbox Bank Deposit Form with the bank representative's name and 
signature, date and time the deposit was received by the depository. 
The guidance also requires the lockbox site to reconcile daily the 
Receipt for Transport of IRS Lockbox Bank Deposit Form(s) to ensure 
receipt of dedicated service (e.g., the time between your release to 
the courier and the release to the bank is not in excess). If 
discrepancies are found, the Lockbox Field Coordinator should be 
notified immediately.

Recommendation: Revise the LPG to require that deposit receipts for 
taxpayer remittances be time and date-stamped.

Comments: We agree with this recommendation. The LPG was updated on 
January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox 
Bank Deposit Form--to require the courier service employee to return 
the form to the lockbox site on the next business day, ensuring the 
following information is completed on the form: the depository bank 
employee's name and signature, the date the deposit was received by the 
depository, and the time the deposit was received by the depository.

Recommendation: Better enforce the LPG requirement that lockbox bank 
couriers annotate the time of delivery on receipts for deposits of 
taxpayer remittances.

Comments: We agree with this recommendation. The LPG was updated on 
January 1, 2005--LPG 4.2.3.1.8, Receipt for Transport of IRS Lockbox 
Bank Deposit Form--to require lockbox bank couriers to annotate the 
time of delivery of receipts for deposits of taxpayer remittances.

Recommendation: Provide a written reminder to courier contractors of 
the need to adhere to all courier service procedures.

Comments: We agree with this recommendation. We will develop an annual 
memorandum by January 1, 2006, to require banks to remind courier 
contractors to adhere to all courier service procedures in the LPG. We 
will monitor adherence during site reviews.

Recommendation: Periodically verify that contractors entrusted with 
taxpayer receipts and information offsite adhere to IRS procedures.

Comments: We agree with this recommendation. The 2005 LPG 4.2.3.1.8(1) 
has been updated, and the procedures will be monitored during the 
periodic Security Reviews.

Recommendation: Develop alternative, back-up plans that are consistent 
with IRS courier policies and procedures to address instances in which 
only one courier reports for transport of taxpayer receipts or 
information, such as requiring that a service center or lockbox bank 
employee accompany the courier to the depository.

Comments: We agree with this recommendation. We will work with FMS to 
develop an alternative back-up plan by June 30, 2005.

Recommendation: Formulate a policy to require that critical utility or 
security controls not be located in areas requiring frequent access.

Comments: We agree with this recommendation. We will ensure policy 
guidelines address protection of critical or security controls. We will 
work with the BODs and Procurement to incorporate any revised 
requirements into updated and future interagency agreements with FMS.

Recommendation: Require lockbox bank management to position 
closed-circuit television cameras to enable monitoring of secured areas 
containing sensitive systems or controls.

Comments: We agree with this recommendation. The IRS, through 
Procurement, enters into an interagency agreement with FMS for lockbox 
services, which in turn makes arrangements with banks. These 
arrangements are non-procurement contracts that require adherence to 
the IRS LPG. Internal Revenue Manual (IRM) 3.0.230.5 (dated 1-20-05) 
indicates the Revenue and Deposit Branch, Lockbox Policy and 
Procedures: "coordinates with FMS any new or updated processing 
changes, obtains data for the re-bidding of contract(s) and finalizes 
the Lockbox Processing Guidelines (LPG)." Since lockbox banks are 
already required to comply with the IRS LPG, there is no need for the 
COTR to do anything else. The LPG does require and the lockbox banks 
have installed cameras to monitor critical areas and assets in those 
parts of a facility controlled by the banks. As part of the Mission 
Assurance review process, we will review the use of closed-circuit 
television at the banks and, within local constraints, expand 
surveillance capabilities to include utility controls.

Recommendation: Periodically monitor lockbox banks' adherence to the 
LPG requirement that keys be kept in secured containers within the 
secured perimeter.

Comments: We agree with this recommendation. The LPG guidelines require 
that keys and panels controlled by the banks should be properly stored 
and secured, and Mission Assurance will include key control as part of 
any and all reviews. As part of the review process, we will work with 
the banks and lessors to improve security for keys and security panels, 
irrespective of ownership.

Recommendation: Assess technologies that may be exempt from the visual 
inspection requirement to determine whether they are acceptable methods 
of satisfying candling objectives and, if so, add such technologies to 
the LPG list of accepted candling methods.

Comments: We feel we have addressed this recommendation in the 2005 
LPG, and have shared this information with GAO. We determined current 
technologies are not exempt from the candling requirement and added to 
the 2005 LPG 3.2.8 (1) envelopes opened (either manually or by OPEX) on 
three or more sides must be candled once on the candling tables. All 
other envelopes must be candled twice on the candling tables.

Recommendation: Conduct an assessment of the costs and benefits of 
relying on only one candling when using certain automated equipment.

Comments: We feel we have addressed this recommendation in the 2005 LPG 
and have shared this information with GAO. We assessed the candling 
functions on automated equipment and included in the 2005 LPG under 
3.2.8 section (1) a requirement that envelopes opened (either manually 
or by OPEX equipment) on three or more sides must be candled once on 
the candling tables. We will monitor adherence during site reviews.

Recommendation: Clarify the LPG to eliminate confusion about the number 
of candlings required for different extraction methods.

Comments: We agree with this recommendation. We have updated the 2005 
LPG under 3.2.8, "Candling" to require envelopes opened (either 
manually or by OPEX) on three or more sides must be candled once on the 
candling tables. All other envelopes must be candled twice on the 
candling tables.

Recommendation: Establish guidelines and a testing requirement to 
ensure satisfactory lighting conditions for effective candling.

Comments: We agree with this recommendation. The IRS agrees that 
additional work is needed to strengthen the current procedures 
contained in IRM 3.10.72, Batching, Sorting and Numbering. Currently, 
our Campus management tests 10 envelopes at the start of each shift to 
ensure that maximum envelope recognition is met and that all contents 
left in envelopes can be easily detected. The IRS is in the process of 
reviewing and strengthening these procedures.

Recommendation: Establish policies and procedures to require 
appropriate segregation of duties in SB/SE units of field offices with 
respect to preparation of Payment Posting Vouchers, Document 
Transmittal forms, and transmittal packages.

Comments: We agree with this recommendation. We will establish a 
procedure(s) for SB/SE field office units to track Document Transmittal 
forms and acknowledgements of receipt of Document Transmittal forms.

We currently have numerous procedures in place which provide guidance 
to revenue officers regarding the processing of returns and payments. 
However, we do not currently have procedures specifically for our field 
clerical staff. We will strengthen our guidance to revenue officers and 
will develop procedures specifically for our field clerical staff.

Our procedures will clarify that revenue officers are responsible for 
submitting an appropriately labeled sealed envelope containing the 
Daily Report of Collection Activity form to a designated clerical 
contact in the Post of Duty (POD). This guidance will apply unless the 
revenue officers are working away from the POD on extended field calls 
or Flexiplace, or are working in a single revenue officer POD. Those 
revenue officers will send the envelope directly to Submission 
Processing.

Recommendation: Enforce the requirement that a Document Transmittal 
form listing the enclosed Daily Report of Collection Activity forms be 
included in transmittal packages, using such methods as more frequent 
inspections or increased reliance on error reports compiled by the 
service center teller units receiving the information.

Comments: We agree with this recommendation. Our procedures will 
clarify that the designated clerical contacts are responsible for 
bundling the sealed envelopes into a single package for overnight mail 
to Submission Processing pursuant to the IRM. The procedures will also 
clarify that the designated clerical contacts will prepare a Document 
Transmittal form and send the prepared package to Submission Processing 
via overnight mail. The procedures will direct the designated clerical 
contact to retain a control copy of the Document Transmittal form and 
the overnight mail transmittal until the receipted copy of the Document 
Transmittal form is returned from Submission Processing. We will also 
require that the transmittal and the acknowledgement be reconciled on a 
monthly basis, with appropriate follow-up as required.

The Taxpayer Assistance Center GAO visited was instructed to ensure 
that a Document Transmittal form be prepared and enclosed in the 
package when multiple Daily Reports of Collection Activity are sent to 
the service center. We will issue a memorandum to all Field Assistance 
employees reminding them to adhere to these IRM requirements. We will 
also add this as a review item for operational reviews conducted by 
Field Assistance headquarters and area personnel.

Recommendation: Establish a procedure for SB/SE field office units to 
track Document Transmittal forms and acknowledgements of receipt of 
Document Transmittal forms.

Comments: We agree with this recommendation. Our procedures will 
clarify that the managers should ensure continuous coverage of the 
designated clerical contact duties so that absence due to illness or 
leave does not disrupt the processing of remittances.

Recommendation: Require evidence of managerial review of recording, 
transmittal, and receipt of acknowledgments of taxpayer receipts and 
information.

Comments: We agree with this recommendation. We will establish a 
procedure(s) to require evidence of managerial review of recording, 
transmittal, and receipt of acknowledgements of taxpayer receipts and 
information. However, we will not implement any procedure requiring 100 
percent managerial review.

The new procedure(s) will call for random managerial spot-checking of 
packages prepared for submission to Submission Processing by revenue 
officers working in PODs or by the designated clerical contacts in the 
PODs. The new procedure(s) will not call for any random managerial 
spot-checking of packages prepared by revenue officers working away 
from the POD on extended field calls or Flexiplace. Instead, on those 
packages, we will continue to rely on the remittance reviews conducted 
by remittance processing personnel in Submission Processing. These 
reviews will be documented by the revenue officer group manager and be 
retained for the appropriate period required under record management 
guidelines.

Recommendation: Assess options to prevent the generation or 
disbursement of refunds associated with accounts with unresolved 
Automated Underreporter Program (AUR) discrepancies, including 
placement of a freeze or hold on all such accounts, until the AUR 
review has been completed.

Comments: We feel the procedures that we have in place adequately 
address preventing the generation or disbursement of refunds associated 
with AUR accounts if followed. Submissions Processing's IRM 3.8.45 
requires employees receiving an unidentified remittance to conduct 
Individual Data Retrieval System (IDRS) research to determine if there 
is an open account that allows for posting of the remittance. AUR cases 
are identified in IDRS by transaction code (TC) 922.

Once the TC 922 is found through research, the remittance should be 
posted as a TC 640 which is an "Advanced Payment of Determined 
deficiency or Underreporter Proposal." In the cases identified by GAO 
it is apparent that appropriate IDRS research was not conducted or 
remittances were posted erroneously as a TC 610 which will refund out 
if the taxpayer's tax return does not indicate a balance due. AUR will 
partner with Submissions Processing to ensure that employees receiving 
unidentified remittances are aware of the need to conduct IDRS 
research, and how to properly post AUR remittances in these instances.

Recommendation: Enforce documentation requirements relating to 
authorizing officials charged with approving manual refunds.

Comments: We agree with this recommendation. We will enforce 
requirements to document monitoring by reminding management officials 
annually via a memorandum, notice or an Alert. As part of the reminder, 
the IRM check sheets will be included and a response will be required 
confirming these actions have been taken. In addition, we will consider 
including this item in the Management Accountability Review Process.

Recommendation: Enforce requirements for monitoring accounts and 
reviewing monitoring of accounts.

Comments: We agree with this recommendation. We will enforce monitoring 
requirements by reminding management officials annually via a 
memorandum, notice or an Alert. As part of the reminder, the IRM check 
sheets will be included and a response will be required confirming 
these actions have been taken. In addition, we will consider including 
this item in the Management Accountability Review Process.

Recommendation: Enforce requirements for documenting monitoring 
actions and supervisory review.

Comments: We agree with this recommendation. We will enforce 
requirements to document monitoring by reminding management officials 
annually via a memorandum, notice or an Alert. As part of the reminder, 
the IRM check sheets will be included and a response will be required 
confirming these actions have been taken. In addition, we will consider 
including this item in the Management Accountability Review Process.

Recommendation: Enforce the requirement that command code profiles be 
reviewed at least once annually.

Comments: We agree with this recommendation. We will enforce annual 
review of command code profiles by reminding management officials 
annually via a memorandum or notice. As part of the reminder, the IRM 
check sheets will be included and a response will be required 
confirming these actions have been taken. In addition, we will consider 
including this in the Management Accountability Review Process.

Recommendation: Specify in the IRM that staff members are not to review 
their own command code profiles.

Comments: We agree with this recommendation. IRM wording will be 
updated and recommendations will be included in annual reminders 
(memos/notices, etc.) to management officials that the approver's 
manager is responsible for ensuring that approver's profiles have 
appropriate restrictions and have been reviewed.

Recommendation: Specify in the IRM how to properly verify interest and 
penalties for accounts with liens with manually calculated interest or 
penalties.

Comments: We have taken actions to implement this recommendation. 
During the Fiscal Year 2004 financial audit, GAO determined that IRS 
did not properly verify restricted interest and penalty computations 
before releasing the federal tax lien in some instances. GAO recommends 
that restricted interest and penalty methodology be included in the 
Federal Tax Lien, Internal Revenue Manual. We agree that an account 
with a zero balance "assessed" status does not mean that additional 
accruals are not due. We also agree that additional guidance was needed 
in this area. The newly revised IRM instructs employees to check IDRS 
to determine if restricted interest or penalty is due. The IRM now 
clearly states that there are only two instances where restricted 
interest and penalty should not be computed, offer-in-compromise and 
bankruptcy cases.

Also, instructions for computing restricted interest and penalty are 
found in the Automated Lien System (ALS) User Guide as well as in 
training material and desk guides. In addition, tax examiners hired to 
staff the Centralized Case Processing (CCP), Lien Processing Unit were 
provided hands-on training in the computation of restricted interest 
and penalty. Resolution of these cases moved to CCP effective February 
2005. The centralized site has created a special group of employees who 
were trained in the resolution of restricted interest and penalty 
cases. New hires for this group will also receive this training. 

Details on Audit Methodology:

To fulfill our responsibilities as the auditor of the Internal Revenue 
Service's (IRS) financial statements, we did the following:

Examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements. This included testing selected 
statistical samples of unpaid assessment, revenue, refund, accrued 
expenses, payroll, nonpayroll, property and equipment, and undelivered 
order transactions. These statistical samples were selected primarily 
to substantiate balances and activities reported in IRS's financial 
statements. Consequently, dollar errors or amounts can and have been 
statistically projected to the population of transactions from which 
they were selected. In testing these samples, certain attributes were 
identified that indicated either significant deficiencies in the design 
or operation of internal control or compliance with provisions of laws 
and regulations. These attributes, where applicable, can be and have 
been statistically projected to the appropriate populations.

Assessed the accounting principles used and significant estimates made 
by management.

Evaluated the overall presentation of the financial statements.

Obtained an understanding of internal controls related to financial 
reporting (including safeguarding assets), compliance with laws and 
regulations (including the execution of transactions in accordance with 
budget authority), and performance measures reported in the Management 
Discussion and Analysis.

Tested relevant internal controls over financial reporting (including 
safeguarding assets) and compliance, and evaluated the design and 
operating effectiveness of internal controls.

Considered the process for evaluating and reporting on internal 
controls and financial management systems under 31 U.S.C. § 3512 (c), 
(d), commonly referred to as the Federal Managers' Financial Integrity 
Act of 1982.

Tested compliance with selected provisions of the following laws and 
regulations: Anti-Deficiency Act, as amended (31 U.S.C. § 1341(a)(1) 
and 31 U.S.C. § 1517(a)); Agreements for payment of tax liability in 
installments (26 U.S.C. § 6159); Purpose Statute (31 U.S.C. § 1301); 
Release of lien or discharge of property (26 U.S.C. § 6325); Interest 
on underpayment, nonpayment, or extensions of time for payment of tax 
(26 U.S.C. § 6601); Interest on overpayments (26 U.S.C. § 6611); 
Determination of rate of interest (26 U.S.C. § 6621); Failure to file 
tax return or to pay tax (26 U.S.C. § 6651); Failure by individual to 
pay estimated income tax (26 U.S.C. § 6654); Failure by corporation to 
pay estimated income tax (26 U.S.C. § 6655); Prompt Payment Act (31 
U.S.C. § 3902(a), (b), and (f) and 31 U.S.C. § 3904); Fair Labor 
Standards Act of 1938, as amended (29 U.S.C. § 206); Civil Service 
Retirement Act of 1930, as amended (5 U.S.C. §§ 5332, 5343); Federal 
Employees' Retirement System Act of 1986, as amended (5 U.S.C. §§ 8422, 
8423, and 8432); Social Security Act, as amended (26 U.S.C. §§ 3101 and 
3121 and 42 U.S.C. § 430); Federal Employees Health Benefits Act of 
1959, as amended (5 U.S.C. §§ 8905, 8906, and 8909); and Consolidated 
Appropriations Act, 2004, Pub. L. No. 108-199, 118 Stat. 3 (Jan. 23, 
2004).

Tested whether IRS's financial management systems substantially comply 
with the three requirements of the Federal Financial Management 
Improvement Act of 1996 (Pub. L. No. 104-208, div. A, § 101(f), title 
VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996) (codified at 31 U.S.C. 
§ 3512 note)).

GAO Contacts and Staff Acknowledgments:

GAO Contacts:

Chuck Fox, (202) 512-5261:

Alain Dubois, (202) 512-6365:

Acknowledgments:

Staff who made key contributions to this report were Esther Tepper, 
Theresa Bowman, Gloria Cano, George Ogilvie, John Ryan, and Jeffrey 
Yoder.

(196035):

FOOTNOTES

[1] GAO, Financial Audit: IRS's Fiscal Years 2004 and 2003 Financial 
Statements, GAO-05-103 (Washington, D.C.: Nov. 10, 2004).

[2] Lockbox banks are financial institutions designated as depositories 
and financial agents of the U.S. government to perform certain 
financial services, including processing tax documents, depositing the 
receipts, and then forwarding the documents and data to IRS's service 
center campuses, which update taxpayers' accounts.

[3] Staff-like access consists of unescorted access to IRS-owned or 
controlled facilities, information systems, security items and 
products, or sensitive but unclassified information.

[4] Internal Revenue Service, "2004 Lockbox Processing Guidelines" 
(Washington, D.C.: January 2004), and subsequent 2004 updates. The 2004 
LPG provides guidelines for processing work at lockbox banks serving 
IRS for the 2004 tax processing year.

[5] Candling is a process used by IRS to determine if any contents 
remain in open envelopes, which is often achieved by passing the 
envelopes over a light source.

[6] Lien units are separate offices established by IRS to handle lien 
processing, including release of tax liens. As of June 1, 2004, IRS had 
33 lien units located throughout the United States. IRS is currently 
reorganizing the physical structure and management of its lien units 
and by mid-2005 plans to have consolidated them into one physical 
location, called the Central Lien Processing Unit, at its Cincinnati 
campus.

[7] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

[8] GAO-05-103.

[9] Privacy Act of 1974, 5 U.S.C. § 552a.

[10] See, e.g., GAO, Management Report: Improvements Needed in IRS's 
Internal Controls and Accounting Procedures, GAO-04-553R (Washington, 
D.C.: Apr. 26, 2004), and Management Report: Improvements Needed in 
IRS's Internal Controls, GAO-03-562R (Washington, D.C.: May 20, 2003).

[11] See, e.g., GAO, Management Report: Improvements Needed in IRS's 
Internal Control and Accounting Procedures, GAO-04-553R (Washington, 
D.C.: Apr. 26, 2004).

[12] SB/SE units are field office units that serve partially or fully 
self-employed individuals, individual filers with certain types of 
nonsalary income, and small businesses.

[13] The IRM outlines business rules and administrative procedures and 
guidelines IRS uses to conduct business and contains policy, direction, 
and delegations of authority necessary to carry out IRS 
responsibilities to administer tax law and other legal provisions.

[14] IRS's master files contain detailed records of taxpayer accounts.

[15] Most refunds are generated automatically; under certain 
circumstances, however, IRS processes refunds manually to expedite 
payment. Such refunds include those over $10 million, those requested 
by taxpayers for immediate payment due to hardship or emergency, those 
to beneficiaries of deceased taxpayers, and those that need to be 
expedited because IRS is in jeopardy of paying interest for exceeding 
the 45-day limit for processing a return.

[16] GAO, Internal Revenue Service: Recommendations to Improve 
Financial and Operational Management, GAO-01-42 (Washington, D.C.: Nov. 
17, 2002).

[17] This guidance consists of a detailed manual distributed to lien 
unit personnel at a February 2003 workshop.

[18] The peak tax filing season primarily occurs from January 1 to 
April 15 of each year.