Skip to main content

Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness

GAO-09-513R Published: Jun 24, 2009. Publicly Released: Jun 24, 2009.
Jump To:
Skip to Highlights

Highlights

In November 2008, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2008, and 2007, and on the effectiveness of its internal controls as of September 30, 2008. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA). Additionally, in January 2009, we issued a report on information security issues identified during our fiscal year 2008 audit, along with associated recommendations. The purpose of this report is to discuss issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending, September 30, 2008, regarding internal controls that could be improved for which we currently do not have a specific recommendation outstanding. Although not all of these issues were discussed in our report on the results of our fiscal year 2008 financial statement audit, they all warrant IRS management's attention.

During our audit of IRS's fiscal year 2008 financial statements, we identified several internal control and other management issues not addressed by previous recommendations. These issues concern the following: (1) Controls over computer programs affecting penalty assessments did not ensure that the programs always functioned in accordance with IRS's policies and procedures. (2) Policies and procedures did not require that back up staff be assigned to manual refund monitoring activities when staff assigned to those functions were absent from work for an extended period of time. (3) Procedures for monitoring whether service center campus couriers entrusted with taxpayer receipts and information adhered to courier service requirements lacked adequate criteria for identifying potential deviations from those requirements. (4) Procedures did not exist for tracking, summarizing, and reporting the total number and dollar amount of taxpayer receipts collected at Taxpayer Assistance Centers (TACs). (5) Procedures governing IRS's quarterly duress alarm tests did not specifically require that all duress alarms be tested and that the emergency history report be reviewed to appropriately address reported security breaches or concerns. (6) Procedures did not exist for regularly monitoring the timeliness of purchase card approvals and following up on instances of non-compliance. (7) Controls over the use of appropriated funds did not always prevent the improper use of expired appropriations to fund current year obligations. (8) Controls over the recording of undelivered order transactions (e.g., receipt and acceptance of goods and services, adjustments to estimated obligations, or similar transactions that impact the undelivered order accounts) did not always prevent or detect errors in these accounts. (9) Full cost information to manage specific programs and activities was not readily accessible by program managers. (10) Outcome-based performance measures did not exist to assist in evaluating the effectiveness of IRS's enforcement programs and activities. These issues increase the risk that IRS may fail to prevent or timely detect (1) errors in computer-generated penalty assessments and undelivered order accounts; (2) issuance of erroneous tax refunds; (3) loss, theft, or misuse of taxpayer receipts and information; (4) improper purchase card transactions; and (5) improper use of expired funds. In addition, the lack of detailed cost and related performance measures limits management's ability to assess the effectiveness of programs and determine how best to allocate limited resources.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Internal Revenue Service The IRS should direct the appropriate IRS officials to correct the Integrated Data Retrieval System (IDRS) computer program for identifying individual taxpayers who have entered into an installment agreement so that except in situations where the taxpayer did not file the tax return timely, failure-to-pay (FTP) penalty assessments made after the date of the installment agreement are calculated using the monthly one-quarter of one percent penalty rate on all of the taxpayer's accounts covered by the installment agreement.
Closed – Implemented
IRS implemented additional programming changes in January 2009 to ensure that failure to pay penalties are calculated at a reduced rate for all eligible taxpayers who have entered into an installment agreement. IRS's CFO tested the programming changes through August of 2009 to ensure that the programming is operating as intended. We reviewed a non-representative selection of accounts of eligible taxpayers that had entered into installment agreements with IRS and verified that IRS's master file was calculating the failure to pay penalty at the reduced monthly rate of one-quarter of one percent on all of the selected accounts.
Internal Revenue Service The IRS should direct the appropriate IRS officials to add specific requirements to the Internal Revenue Manual (IRM) to require that manual refund units assign back up staff to perform manual refund monitoring activities whenever a manual refund initiator is absent for an extended period of time.
Closed – Implemented
IRS Wage & Investment (W&I) Accounts Management revised IRM 21.4.4 .5.1 (1) on October 2, 2009, with the following: "It is management's responsibility to ensure accounts are monitored each week; however, the actual monitoring can be delegated. When an employee who performs monitoring actions is out on leave, management must reassign the monitoring to a backup". During our fiscal year 2009 audit, we verified that IRS revised its guidelines by adding a note within the IRM stating that it is management's responsibility to ensure accounts are monitored each week.
Internal Revenue Service The IRS should direct the appropriate IRS officials to document in the IRM minimum requirements for establishing criteria for time discrepancies or other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off-site surveillance of couriers.
Closed – Implemented
In response to our recommendation, in May 2013, IRS updated the IRM to include a methodology for calculating the allowable timeframe for courier contractors to deliver the submission processing center daily deposit to the depository location. The updated IRM also requires that upon notification of any courier issues, the headquarters deposit analyst will contact headquarters management, and that headquarters management will determine if additional courier surveillance is needed.
Internal Revenue Service The IRS should direct the appropriate IRS officials to document in the IRM minimum requirements for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information.
Closed – Implemented
In April 2011, IRS updated the Statement of Work (SOW), as well as IRM 3.8.45.1.9.7(3), 'Headquarters Deposit Analyst Responsibility,' outlining the minimum requirement that headquarters analysts will conduct courier surveillance during unannounced security reviews. The IRM update also states the time frames for courier delivery of deposits listed in the courier contract SOW will be reassessed during the unannounced internal security reviews by headquarters analysts or whenever the depository location changes.
Internal Revenue Service The IRS should direct appropriate IRS officials to establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual TAC location, group, territory, area, and nationwide.
Closed – Implemented
In October 2012, IRS updated its policies to require the use of the Form 795A, Remittance and Return Report, through the Accounts Management System, which will help ensure routine reporting of the total dollar amounts and volumes of receipts collected by TAC, group, territory, area, and nationwide. IRS was able to provide the total dollar amounts and volumes of receipts collected for the eight TACs we visited during fiscal year 2014. Additionally, IRS provided the total dollar amounts and volumes of receipts for TACs at the group, territory, area, and nationwide levels. IRS's actions sufficiently address our recommendation.
Internal Revenue Service The IRS should direct the appropriate IRS officials to establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted.
Closed – Implemented
In response to our recommendation, in October 2012, IRS updated Standard Operating Procedure SOP-12-0004, Duress Alarm Test Conducting and Reporting. The updated SOP requires that an inventory of all duress alarms be documented for each location and be readily available to individuals performing duress alarm tests before each test is conducted. In June 2013, we verified that an inventory of all duress alarms was documented and readily available to individuals conducting duress alarm tests at all eight taxpayer assistance centers we visited.
Internal Revenue Service The IRS should direct the appropriate IRS officials to establish procedures to periodically update the inventory of duress alarms at each (Taxpayer Assistance Center) TAC location to ensure that the inventory is current and complete as of the testing date.
Closed – Implemented
In response to our recommendation, in October 2012, IRS updated Standard Operating Procedure SOP-12-0004, Duress Alarm Test Conducting and Reporting. The revised SOP requires IRS personnel to obtain a current listing of alarm points and to validate the alarm points semi-annually to ensure no new alarms were added or any existing alarms were omitted. In June 2013, we verified that IRS personnel were validating the inventory of duress alarms at all eight taxpayer assistance centers we visited.
Internal Revenue Service The IRS should direct the appropriate IRS officials to provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory including date, findings, and planned corrective action and (2) track the findings until they are properly resolved.
Closed – Implemented
In response to our recommendation, in October 2012, IRS updated Standard Operating Procedure SOP-12-0004, Duress Alarm Test Conducting and Reporting. The revised SOP provides instructions for performing quarterly duress alarm tests to ensure that officials performing the test document (1) the test results for each duress alarm tested, including the date the tests were conducted, the number of alarms tested, the number of alarms that passed, which alarms malfunctioned, and (2) track the status of repairs until they are properly resolved. In June 2013, we verified that the instructions in SOP-12-0004 were readily available to individuals conducting duress alarm tests at all eight taxpayer assistance centers we visited.
Internal Revenue Service The IRS should direct the appropriate IRS officials to establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station and (2) the emergency contact list for each location is current and includes only appropriate contacts.
Closed – Implemented
During fiscal year 2017, IRS updated its procedures to require that physical security analysts conduct (1) a monthly documented review of the All Events History Report (AEHR), previously referred to as the Emergency Signal History Report, to ensure that appropriate corrective actions have been planned for all incidents reported by the central monitoring station and (2) an annual documented review of the emergency contact list for each location to ensure that it is current and includes only appropriate contacts. While IRS met the intent of this recommendation by updating its procedures, we found that in August 2016, IRS removed from the IRM the requirement for physical security analysts to review the AEHR. IRS's removal of the IRM requirement creates a new control deficiency, which we addressed with a new recommendation (see GAO-18-393R).
Internal Revenue Service The IRS should direct the appropriate IRS officials to develop, document, and implement procedures to regularly monitor the timeliness of purchase card approvals. This should include establishing procedures and responsibility for identifying and following up on instances of non-compliance with required approval timeframes.
Closed – Implemented
IRS Agency Wide Shared Services (AWSS) modified the Purchase Card Handbook (IRM 1.32.6) to meet this requirement, which is expected to be published at the end of January 2010. AWSS Credit Card Services Branch continues to monitor compliance with purchase card requirements through monthly reviews. We confirmed that IRS developed, documented, and implemented procedures to regularly monitor the timeliness of purchase card approvals. Also, we verified that IRS's AWSS Credit Card Services Branch conducts monthly reviews of both web-based and manual purchase card transactions to identify and follow-up on instances of noncompliance with required approval timeframes.
Internal Revenue Service The IRS should direct the appropriate IRS officials to revise the IRM section related to the limited use of expired appropriations to provide additional guidance to help employees distinguish between procurement actions that constitute new obligations and those that merely adjust or liquidate prior obligations that the IRS incurred during an expired appropriation's original period of availability.
Closed – Implemented
The IRS CFO published IRM 1.35.15, Annual Close Guidelines, establishing yearend procedures for expired and closing appropriations. IRM 1.35.15, which was issued September 8, 2009, provides policies and procedures for expired appropriations, including situations when it is appropriate to use expired appropriations, procedures for closing transactions with canceled appropriations, and policies for paying invoices after a fiscal year appropriation is canceled. IRS Corporate Budget revised IRM 1.33.4, Financial Operating Guidelines on April 16, 2010. The revised IRM 1.33.4 clarified procedures regarding the use of expired appropriations and used examples to further illustrate the policies and procedures. IRS Agency-Wide Shared Services updated IRM 1.32.6, Purchase Card Handbook on January 21, 2010. IRM 1.32.6 provides guidance and procedures to preclude the use of expired appropriations when using a purchase card. During the FY 2010 financial audit, we confirmed IRS's actions and IRM revisions as stated above.
Internal Revenue Service The IRS should direct the appropriate IRS officials to reiterate IRS's existing policy requiring that transactions be recorded accurately to the undelivered orders obligation accounts.
Closed – Implemented
The IRS CFO issued the "Annual Close and Fiscal Year 2009 Yearend Memorandum" on June 4, 2009. The memorandum states, "The need for timely review of open commitments and obligation continues to be essential Guidelines for the Review of Aging Unliquidated Commitments (AUC) and the Aging Unliquidated Obligations (AUO) Reports". The document provides supporting guidance for reviewing and ensuring the validity of Aging Unliquidated Obligations, liquidating unneeded balances for commitments and obligations, and defining responsibilities. IRS stated that during the AUC/AUO review process, the CFO also reiterates the importance of maintaining accurate obligation and commitment balances to Procurement and the business units. Furthermore, IRM 1.35.15.11.2 was issued September 8, 2009 and re-emphasizes the importance of monitoring and modifying obligations so that they are accurate. We noted, however, that during the FY 2009 Financial Statement Audit, the AUO reviews did not always identify and deobligate obligations that were no longer valid. We found that some unneeded obligations were not reviewed and deobligated in a timely manner because they did not meet the age criteria to be reviewed under the AUO program. In these cases, the age criteria for review would allow obligations with up to 300 days of inactivity to be exempt from review. This situation could lead to the inaccurate reporting of obligations at the fiscal year end. Thus, while we closed this recommendation given that IRS's actions were responsive to it, we have reported the related issues noted above, along with related recommendations for corrective action, in GAO-10-565R, Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations.
Internal Revenue Service The IRS should direct the appropriate IRS officials to perform existing reviews of transactions recorded in undelivered orders obligation accounts in a more timely manner in an effort to detect and correct errors, such as duplicate receipt and acceptance charges, earlier in the process.
Closed – Implemented
The IRS CFO initiated weekly reviews of receipt and acceptance transactions called the Aging Unliquidated Accruals (AUA) reviews. We obtained information about the AUA process which is designed to review IRS receipt and acceptance transactions in order to more timely identify and correct errors. During FY 2011, we confirmed that IRS was conducting the AUA reviews.
Internal Revenue Service To facilitate routine collaboration between Chief Financial Officer (CFO) and business operating division officials, including program managers in achieving the goal of making appropriate full cost information readily available to managers and executives to support informed decision-making, the IRS should direct the appropriate IRS officials to establish a formal, documented process for identifying over time the full range of IRS's programs and underlying activities, outputs, and services for which IRS believes full cost information would be useful to executives and program managers. Such a process should (1) be formally established and documented through policies, procedures, guidance, meeting minutes, and other appropriate means; (2) define the roles and responsibilities of the CFO and other business units in the process; and (3) be focused on the goal of determining what cost information would be useful and the most appropriate means of developing and reporting it for both existing programs and new programs as they are initiated.
Closed – Implemented
IRS established a Cost Users Group and developed a regular meeting schedule. The purpose of the group is to identify programs, underlying activities, and outputs and services for which cost information would be beneficial. The group formalized the cost accounting process for each business unit (BU), defines the roles and responsibilities of the CFO and BUs, and determines what cost information would be useful and the means of developing and reporting this information for existing programs and new programs as they are initiated. They share cost accounting information, to leverage best practices between the BUs, and achieve standardization and consistency. Work is formalized and documented through agenda items and minutes. The Associate Chief Financial Officer for Internal Financial Management documented and formalized the cost accounting policy and process including the roles and responsibilities of the Chief Financial Officer, business units, and the Cost Users Group in IRM 1.32.3, Managerial Cost Accounting. The IRM was published in July 2009 and revised in June 2010. The Chief Financial Officer continues to determine useful cost information and the ways for developing and reporting this information for existing programs and new programs as they are initiated. The revised IRM section assigns the CFO responsibility for "working with each unit to identify the specific costs accumulated for identified products and services or metrics and designing the proper costing and allocation methodologies." IRS established the Cost User's Group as the formal mechanism though which IRS's business units can participate in identifying and developing full cost information for their various programs and activities. The Cost User's Group has established a 2-year history of regular meetings focused on Managerial Cost Accounting and the development of internal cost-benefit information for business units.
Internal Revenue Service To facilitate routine collaboration between Chief Financial Officer (CFO) and business operating division officials, including program managers in achieving the goal of making appropriate full cost information readily available to managers and executives to support informed decision-making, the IRS should direct the appropriate IRS officials to complete the development of full cost methodologies to routinely accumulate and report on their full costs, including down to the activity level where appropriate For each of the IRS programs, activities, outputs, and services identified for which full cost information would be useful to IRS executives and program managers. Such full cost data should be readily accessible to IRS program managers whenever they are needed and should include both personnel costs based on time spent on specific activities as well as all associated non-personnel costs and be drawn from or reconcilable to IRS's financial accounting system.
Closed – Implemented
IRS developed cost performance measures at the request of management for a range of products and services in Enforcement and Operations Support. These measures have been incorporated into a series of regularly updated reports to management for their review and action. The CFO continually updates cost benefit analyses related to Field Collection; Automated Collection System (ACS); Automated Substitute for Return (ASFR); Automated Underreporter (AUR); Field Exam; Correspondence Exam; and Earned Income Tax Credit (EITC)-Exam and EITC-AUR, Notices, CAWR/FUTA, 6020(b) as well as additional analyses requested by the Business Units. IRS has continued to conduct annual updates of the internal cost-benefit analyses for several programs, and it has completed additional analyses. Although IRS has not yet completed internal cost-benefit analyses of the full range of its programs and activities, its continuing progress in responding to the requests of the business units for internal cost-benefit information fulfills the intent of our recommendation.
Internal Revenue Service The IRS should direct the appropriate IRS officials to develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities that include measures of the full cost of, and the revenue collected from, those programs and activities (return on investment) to assist IRS's managers in optimizing resource allocation decisions and evaluating the effectiveness of their activities.
Closed – Implemented
IRS has continued to improve its ability to measure performance, including measures of return on investment (ROI). IRS has developed a process to capture full cost and revenue information and designed a methodology for calculating ROI information for a variety of its enforcement programs and activities, including the Automated Underreporter, the Automated Collection System, the Automated Substitute for Return, and several other enforcement activities. In fiscal year 2011, IRS began to calculate the actual ROIs for major enforcement programs related to prior enforcement initiatives for which it had developed prospective ROIs in prior year funding requests. In fiscal year 2012, IRS added ROI information for its Balance Due Notice program, which included ROI information on the various notice letters sent to taxpayers. IRS's business unit responsible for the Balance Due Notice Process has begun using the ROI information in its effort to redesign the notice letters and in making decisions about how to most effectively use the letters.

Full Report

Office of Public Affairs

Topics

Appropriated fundsEvaluation criteriaFederal regulationsFinancial statement auditsFinancial statementsInformation security managementInternal controlsMonitoringNoncompliancePerformance measuresReporting requirementsRequirements definitionTax administration systemsTax information confidentialityTax refundsTaxpayersVoluntary compliancePolicies and proceduresFines and penalties