Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting
GAO-15-480R
Published: May 29, 2015. Publicly Released: May 29, 2015.
Skip to Highlights
Highlights
What GAO Found
During GAO's audit of the Internal Revenue Service's (IRS) fiscal years 2014 and 2013 financial statements, it identified the following new internal control deficiencies in the following areas that contributed to IRS's continuing material weakness in internal control over unpaid tax assessments as of September 30, 2014:
- Corrective action plan for addressing system deficiencies involving unpaid tax assessments: IRS's corrective action plan was not adequate to reasonably assure that system control deficiencies contributing to a material weakness in unpaid tax assessments would be effectively addressed. This increases the risk that IRS's efforts to address numerous control issues affecting the reporting of unpaid assessment amounts and the resultant material weakness will be hampered.
- Accuracy of penalty assessments: IRS's controls over penalty assessments were not operating effectively to reasonably assure the accuracy of penalties recorded in taxpayers' accounts. This increases the risk of errors in IRS's financial statements, may burden taxpayers who are assessed higher amounts in penalties than they actually owe, or result in lost revenue to the federal government when taxpayers are assessed lower penalty amounts than they actually owe.
In addition, GAO identified other new deficiencies in the following areas as of September 30, 2014:
- Transmission of taxpayer receipts and information: IRS's managerial review controls were not effectively designed or implemented to provide reasonable assurance that taxpayer receipts and information sent from taxpayer assistance centers were received by the intended submission processing centers. These deficiencies increase the risk that IRS will not promptly prevent or detect loss of, theft of, or unauthorized access to taxpayer receipts and related sensitive information.
- Unauthorized access awareness training for contractors: IRS did not consistently enforce its policies and procedures requiring that contractors receive unauthorized access awareness training prior to gaining unescorted access to IRS facilities. This deficiency increases the risk of unauthorized disclosure, loss, or theft of taxpayer receipts and related sensitive information.
- Candling procedures at receipt processing facilities: IRS did not adequately enforce its candling policies and procedures at certain receipt processing facilities. This increases the risk of inadvertent loss or destruction of taxpayer receipts and information.
- Capitalization of internal use software costs: IRS did not have sufficient controls in place to reasonably assure that it properly and consistently capitalized certain internal use software costs in accordance with federal accounting standards. This increases the risk of IRS misstating assets and expenses in its financial statements.
- Recording property and equipment acquisitions: IRS's controls were not effectively designed to reasonably assure that asset purchases were properly recorded in its asset management systems. These deficiencies increase the risk of misstatements to its financial statements and the risk of undetected loss or theft of assets, and jeopardize the integrity of the information IRS management uses for decision making.
GAO found that IRS had completed corrective action on 20 of the 51 recommendations from GAO's prior financial audits and other financial management-related work that remained open at the beginning of the fiscal year 2014 audit. As a result, IRS currently has 42 GAO recommendations to address; the previous 31 open recommendations and the 11 new recommendations GAO is making in this report.
Why GAO Did This Study
The purpose of this report is to present those internal control deficiencies identified during GAO's audit of IRS's fiscal years 2014 and 2013 financial statements for which there are no GAO recommendations outstanding. Although some of these deficiencies were not discussed in GAO's report on the results of its financial statement audit because they were not considered, either individually or collectively, to be material weaknesses or significant deficiencies, they nonetheless warrant IRS management's attention. This report provides new recommendations to address the internal control issues GAO identified during its fiscal year 2014 audit, and presents the status of recommendations that remained open from prior GAO reports.
Recommendations
This report provides 2 new recommendations pertaining to the new control deficiencies that contributed to IRS’s continuing material weakness in internal control over unpaid tax assessments and 9 new recommendations related to the other identified deficiencies, for a total of 11 new recommendations. These recommendations are intended to improve IRS’s internal controls over its financial management and accountability of resources as well as bring IRS into conformance with its own policies, Standards for Internal Control in the Federal Government, and Office of Management and Budget Circular No. A-123, Management’s Responsibility for Internal Control. IRS agreed with all 11 of GAO’s new recommendations and stated it is committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Internal Revenue Service | The Commissioner of IRS should direct the appropriate IRS officials to include all key elements as recommended by the OMB Circular No. A-123 implementation guide in IRS's corrective action plan to adequately address the control deficiencies in its systems that are contributing to the material weakness in unpaid tax assessments. |
Closed – Implemented
In fiscal year 2015, IRS developed a long-term action plan to address the unpaid assessments material weakness. This plan identifies and documents (1) the specific system and control deficiencies that result in errors in taxpayer accounts and inaccurate classification of unpaid assessments amounts, (2) the actions IRS needs to take to address each related deficiency, and (3) the IRS organizational units that need to be involved in the actions.
|
| Internal Revenue Service | The Commissioner of IRS should direct the appropriate IRS officials to develop and implement agency-wide procedures to routinely monitor the accuracy of penalties recorded in taxpayer accounts to timely detect and correct errors. |
Closed – Implemented
In January 2017, IRS documented agency-wide procedures to routinely monitor the accuracy of penalties recorded in taxpayer accounts in the IRM, which details the agency-wide procedures IRS developed and implemented, and more specifically, the semiannual reviews it performs to reasonably assure the accuracy of penalty assessments recorded in taxpayer accounts, and timely detect and correct errors. Additionally, IRS conducted penalty quality reviews for February 2017, May 2017, and August 2017. IRS's actions sufficiently address our recommendation.
|
| Internal Revenue Service | The Commissioner of IRS should direct the appropriate IRS officials to determine the reason(s) why taxpayer assistance centers (TAC) managers and personnel did not consistently comply with existing Internal Revenue Manual (IRM) requirements that TAC managers and personnel (1) perform and document reviews of the Follow-Up Review Log by the last day of the following month, (2) maintain control copies of transmittal forms, and (3) ship taxpayer receipts and information via traceable overnight mail and, based on this determination, establish a process to better enforce compliance with these requirements. |
Closed – Implemented
During fiscal year 2016, IRS performed a study of the reasons why TAC managers and personnel did not consistently comply with IRM requirements and determined that staffing shortages, delays in receiving acknowledgments, and training inconsistencies were among the causes. During fiscal year 2017, IRS completed several actions to address its findings, such as establishing TAC appointment services to alleviate scheduling and staffing issues, revising its procedures for documenting transmittal acknowledgments, and providing comprehensive training to TAC managers and personnel. IRS's actions sufficiently address our recommendation.
|
| Internal Revenue Service | The Commissioner of IRS should update the IRM to require managers to reconcile transmittal forms with the Follow-Up Review Log to reasonably assure that personnel are properly entering transmittal forms into the log and are appropriately documenting follow-up on unacknowledged transmittals of taxpayer receipts and information. |
Closed – Implemented
In January 2017, IRS updated the IRM to require managers to review all remittance transmittals and a sample of non-remittance transmittals each month to ensure that personnel are documenting follow-up on unacknowledged transmittals of taxpayer receipts and information. This update also requires managers to document the results of the monthly review on the Field Assistance TAC Document Transmittal Review and Reconciliation form. As a result, our recommendation to require managers to reconcile the transmittals to the Follow-up Review Logs is no longer applicable, as IRS discontinued the use of the logs given its updated process. IRS's actions sufficiently address our recommendation.
|
| Internal Revenue Service | The Commissioner of IRS should direct the appropriate IRS officials to update the IRM to specify that unauthorized access awareness training requirements apply to non-IRS contractors who have unescorted physical access to IRS facilities. |
Closed – Implemented
During fiscal year 2016, IRS issued interim guidance to update the IRM, which requires that all contractors with unescorted staff-like access, whether directly or indirectly contracted by IRS, complete information protection and security awareness training within 10 business days of approved staff-like access and annually thereafter. IRS's actions sufficiently address our recommendation.
|
| Internal Revenue Service | The Commissioner of IRS should direct the appropriate IRS officials to establish a process to ensure that the requirement for unauthorized access awareness training is explicitly communicated to non-IRS contractors who have unescorted access to IRS facilities. |
Closed – Implemented
During fiscal year 2019, we verified that IRS established policies and procedures to (1) require the documented completion of designated training for IRS contractors and non-IRS contractors before they are granted unescorted facility access and (2) define the roles and responsibilities for communicating this training requirement to IRS contractors and non-IRS contractors. IRS's actions sufficiently address our recommendation.
|
| Internal Revenue Service | The Commissioner of IRS should direct the appropriate IRS officials to establish procedures to monitor whether non-IRS contractors with unescorted physical access to IRS facilities are receiving unauthorized access awareness training. |
Open
During fiscal year 2021, IRS developed an SOP to establish policies and procedures for monitoring and enforcing training requirements that allow contractors to maintain unescorted access to IRS facilities. During fiscal year 2022, IRS officials told us that they will address this recommendation in the future. As a result, this recommendation remains open as of September 30, 2022.
|
| Internal Revenue Service | The Commissioner of IRS should direct the appropriate IRS officials to determine why staff did not consistently comply with IRS's existing requirements for the final candling of receipts at service center campuses and lockbox banks, including logging remittances found during final candling on the final candling log at the time of discovery, safeguarding the remittances at the time of discovery, transferring the remittances to the deposit unit promptly, and passing one envelope at a time over the light source, and based on this determination, establish a process to better enforce compliance with these requirements. |
Closed – Implemented
In fiscal year 2021, IRS stated that it will rely on the Submission Processing internal control reviews in order to achieve better compliance and resolution of previously identified risks related to candling processes and procedures performed at the Service Center Campuses (SCC). These reviews include requirements for assessing whether SCC Candling Unit staff perform required procedures during final candling of receipts, including (1) logging remittances found during final candling on the final candling log at the time of discovery, (2) safeguarding the remittances at the time of discovery, (3) transferring the remittances to the deposit unit promptly, and (4) passing one envelope at a time over the light source. During our testing in fiscal year 2021, we found no exceptions related to this control. As a result, we concluded that IRS's corrective actions as of September 30, 2021, were adequate to close this recommendation.
|
| Internal Revenue Service | The Commissioner of IRS should direct the appropriate IRS officials to establish and implement detailed written procedures for properly determining whether internal use software costs should be capitalized or expensed. The procedures should include steps for obtaining the complete documentation required to determine the project phase to which a cost was attributable, specifically for cases in which the invoice, Statement of Work, and internal work-in-process schedule do not provide sufficient information. |
Closed – Implemented
In fiscal year 2015, IRS developed and implemented written procedures to determine whether internal use software (IUS) costs should be capitalized or expensed in accordance with Statement of Federal Financial Accounting Standards No. 10, Accounting for Internal Use Software. The procedures included steps for obtaining supporting documentation (e.g., communications with project managers, status reports/memos) to determine the project phase to which a cost was attributable, specifically for cases in which the invoice, Statement of Work, and internal work-in-process schedule do not provide sufficient information. In addition, based on our fiscal year 2015 IUS acquisition testing, we noted that IRS had implemented these procedures. IRS's actions sufficiently address our recommendation.
|
| Internal Revenue Service | The Commissioner of IRS should direct the appropriate IRS officials to establish and implement written procedures to reasonably assure that assets that are reclassified during the voucher review process are properly added to Knowledge Incident/Problem Service Asset Management (KISAM) or Criminal Investigation Management Information System for tracking purposes, as applicable. |
Closed – Implemented
In fiscal year 2015, IRS revised its written procedures to require that assets reclassified during the voucher review process be added to KISAM or CIMIS. However, the procedures were not revised until after we conducted our internal control testing in fiscal year 2015. We tested IRS's implementation of the revised procedures during our fiscal year 2016 audit and did not identify any exceptions. IRS's actions sufficiently address our recommendation.
|
| Internal Revenue Service | The Commissioner of IRS should direct the appropriate IRS officials to update the Hardware Asset Management Standard Operating Procedure to include a requirement for periodic supervisory review to provide reasonable assurance that certain asset acquisitions are properly entered into KISAM. |
Closed – Implemented
In fiscal year 2015, IRS's IT organization updated its procedures to include quarterly supervisory reviews to reasonably assure that asset acquisitions are properly entered into KISAM. However, our fiscal year 2015 internal control testing included assets that were acquired prior to IRS updating the procedures. We tested IRS's implementation of the revised procedures during our fiscal year 2016 audit and did not identify any exceptions. IRS's actions sufficiently address our recommendation.
|
Full Report
GAO Contacts
Office of Public Affairs
Topics
AssetsContractorsFinancial statement auditsFines (penalties)Information securityInternal controlsReporting requirementsSoftwareTaxesUnauthorized access