This is the accessible text file for GAO report number GAO-09-513R entitled 'Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness' which was released on June 24, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-09-513R: United States Government Accountability Office: Washington, DC 20548: June 24, 2009: The Honorable Douglas H. Shulman: Commissioner of Internal Revenue: Subject: Management Report: Improvements Are Needed to Enhance IRS's Internal Controls and Operating Effectiveness: Dear Mr. Shulman: In November 2008, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2008, and 2007, and on the effectiveness of its internal controls as of September 30, 2008. [Footnote 1] We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA). Additionally, in January 2009, we issued a report [Footnote 2] on information security issues identified during our fiscal year 2008 audit, along with associated recommendations. The purpose of this report is to discuss issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending, September 30, 2008, regarding internal controls that could be improved for which we currently do not have a specific recommendation outstanding. Although not all of these issues were discussed in our report on the results of our fiscal year 2008 financial statement audit, they all warrant IRS management's attention. This report contains 16 recommendations that we are proposing IRS implement to improve its internal controls. We will issue a separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one. We conducted our audit in accordance with U.S. generally accepted government auditing standards. Results in Brief: During our audit of IRS's fiscal year 2008 financial statements, we identified several internal control and other management issues not addressed by previous recommendations. These issues concern the following: * Controls over computer programs affecting penalty assessments did not ensure that the programs always functioned in accordance with IRS's policies and procedures. * Policies and procedures did not require that back up staff be assigned to manual refund monitoring activities when staff assigned to those functions were absent from work for an extended period of time. * Procedures for monitoring whether service center campus couriers entrusted with taxpayer receipts and information adhered to courier service requirements lacked adequate criteria for identifying potential deviations from those requirements. * Procedures did not exist for tracking, summarizing, and reporting the total number and dollar amount of taxpayer receipts collected at Taxpayer Assistance Centers (TACs).[Footnote 3] * Procedures governing IRS's quarterly duress alarm tests did not specifically require that all duress alarms be tested and that the emergency history report be reviewed to appropriately address reported security breaches or concerns. * Procedures did not exist for regularly monitoring the timeliness of purchase card approvals and following up on instances of non- compliance. * Controls over the use of appropriated funds did not always prevent the improper use of expired appropriations to fund current year obligations. * Controls over the recording of undelivered order transactions (e.g., receipt and acceptance of goods and services, adjustments to estimated obligations, or similar transactions that impact the undelivered order accounts) did not always prevent or detect errors in these accounts. * Full cost information to manage specific programs and activities was not readily accessible by program managers. * Outcome-based performance measures did not exist to assist in evaluating the effectiveness of IRS's enforcement programs and activities. These issues increase the risk that IRS may fail to prevent or timely detect (1) errors in computer-generated penalty assessments and undelivered order accounts; (2) issuance of erroneous tax refunds; (3) loss, theft, or misuse of taxpayer receipts and information; (4) improper purchase card transactions; and (5) improper use of expired funds. In addition, the lack of detailed cost and related performance measures limits management's ability to assess the effectiveness of programs and determine how best to allocate limited resources. At the end of our discussion of each of these matters in the following sections, we make recommendations for strengthening IRS's internal controls or processes. These recommendations are intended to bring IRS into conformance with its own policies, the Standards for Internal Control in the Federal Government,[Footnote 4] or both, as well as to enhance IRS's ability to manage its resources. In its comments, IRS agreed with all but one of our 16 recommendations and described actions it had taken, underway, or planned to take to address the control weaknesses described in this report. While not explicitly agreeing or disagreeing with the one remaining recommendation, IRS described additional considerations that guide its resource allocation decision process. At the end of our discussion of each of the issues in this report, we have summarized IRS's related comments and provided our evaluation. We have also reprinted IRS's comments in enclosure II. Scope and Methodology: This report addresses issues we observed during our audit of IRS's fiscal years 2008 and 2007 financial statements. As part of our audit, we tested IRS's internal controls and its compliance with selected provisions of laws and regulations. We designed our audit procedures to test relevant controls, including those for proper authorization, execution, accounting, and reporting of transactions. To assess internal controls related to safeguarding taxpayer receipts and information, we visited 3 service center campuses,[Footnote 5] 3 lockbox banks,[Footnote 6] 10 TACs, and 5 field office units.[Footnote 7] We conducted our fieldwork between January 2008 and November 2008. Further details on our audit scope and methodology are included in our report on the results of our audits of IRS's fiscal years 2008 and 2007 financial statements.[Footnote 8] Additionally, details on our methodology are reproduced in their entirety in enclosure I. Penalty Calculation Programs: IRS's controls over computer programs affecting penalty assessments did not always ensure that the programs were designed or functioned in accordance with the intent of established policies and procedures. The Internal Revenue Code (IRC)[Footnote 9] grants IRS broad authority to assess penalties against taxpayers for noncompliance with tax laws such as failing to file a tax return, failing to pay taxes owed, or inaccurately reporting taxes. IRS establishes the specific policies and procedures for calculating and assessing penalties in its Internal Revenue Manual (IRM).[Footnote 10] In accordance with the IRM, IRS's business operating divisions work with its Modernization and Information Technology Services to implement computerized programs within its master files[Footnote 11] to calculate and assess penalties against taxpayers in relation to unpaid tax assessments or violations of the tax laws. During our testing of a sample of taxpayer account modules[Footnote 12] from IRS's fiscal year 2008 inventory of unpaid tax assessments, [Footnote 13] we identified one case where IRS's penalty calculation programs did not function in accordance with the IRM. In this case, a taxpayer entered into an installment agreement with IRS in May 2007 that covered both the taxpayer's business and personal tax liabilities. The taxpayer's business and personal accounts had different taxpayer identification numbers (TINs). According to the IRM, IRS is required to reduce the monthly rate it charges for a failure-to- pay (FTP) penalty[Footnote 14] to one-quarter of one percent of the amount of tax assessed in calculating the FTP penalty when an individual taxpayer enters into an installment agreement with the IRS.[Footnote 15] IRS's computer program recognized the installment agreement condition and reduced the FTP penalty rate on the taxpayer's business account because this is where the installment agreement payments were to be applied first. However, we found that the computer program did not recognize that the taxpayer's personal account was also covered by the installment agreement and did not reduce the FTP penalty rate on that account. According to IRS, this occurred because in December 2006, IRS began using the Integrated Data Retrieval System (IDRS)[Footnote 16] for identifying taxpayer accounts with installment agreements as opposed to using its master files for this purpose. However, IRS did not verify that the IDRS programs reduced the FTP penalty rate on all of the taxpayer's accounts covered by the installment agreement. According to IRS, it had identified this problem in July 2007 and took action to correct the IDRS program. IRS believed it had resolved the problem in October 2007. However, its corrective actions did not address the unusual situation where an individual taxpayer had an installment agreement covering multiple TINs. After we brought this specific error to its attention, IRS researched IDRS and determined that the remaining program error may[Footnote 17] have caused the FTP penalties to be over-assessed against approximately 12,000 taxpayers. [Footnote 18] We had previously reported that IRS's controls did not ensure computer programs affecting penalty computations were designed or functioned in accordance with the intent of IRS's policies and procedures.[Footnote 19] In August 2007, IRS established additional procedures to institutionalize reviews of newly implemented computer programs and program changes affecting penalty computations to ensure they are designed and function in accordance with the intent of IRS's policies. The specific error we identified in 2008 relates to computer programs that IRS had implemented before 2007 and thus, would not have been covered by the forward looking policy. To provide this look-back perspective for programs already in place, IRS initiated an internal study during 2008 to identify other existing penalty programs that were not functioning in accordance with the IRM. In our previous management report, we had recommended that IRS 1) complete and document the results of that review and 2) take appropriate action to correct any programs that were not functioning in accordance with the IRM. IRS completed its review in June 2008 and documented a listing of computer programs affecting penalty calculations that did not conform to its policies, but IRS had not completed corrective actions to address the issues it identified. As a result, inaccurate penalty assessments were made against some taxpayers. Recommendation: We recommend that you direct the appropriate IRS officials to correct the IDRS computer program for identifying individual taxpayers who have entered into an installment agreement so that except in situations where the taxpayer did not file the tax return timely, FTP penalty assessments made after the date of the installment agreement are calculated using the monthly one-quarter of one percent penalty rate on all of the taxpayer's accounts covered by the installment agreement. IRS Comments and Our Evaluation: IRS agreed with our recommendation and stated that it had implemented programming changes in January 2009 so that FTP penalty assessments are calculated at the reduced rate for all eligible installment agreements. We will evaluate the effectiveness of IRS's programming change during our audit of IRS's fiscal year 2009 financial statements. Monitoring of Manual Refunds: During our fiscal year 2008 financial audit, we found that IRS's internal controls for processing manual refunds were not fully effective in minimizing the risk of issuing duplicate refunds. Specifically, we found that IRS did not have policies and procedures for assigning back up staff to ensure that ongoing monitoring activities were performed while staff who routinely initiate manual refunds were absent for an extended period of time. Without designating back up staff to perform the weekly monitoring of a taxpayer's manual refund account, there is an increased risk that the issuance of a duplicate refund will not be prevented. Most refunds are generated automatically by IRS's automated systems after the taxpayers' returns are posted to their accounts in IRS's master files. However, in certain situations, refunds are processed manually to expedite the refund process when it is considered to be in the best interest of IRS and/or the taxpayer. Because a manual refund is not generated through routine IRS automated system processing, it is not subject to most of the automated system validity checks performed and may be issued within a few days of initiation. However, while manual refunds can be issued quickly, they are not posted to the taxpayers' master file accounts until several weeks after being issued. Conversely, automated refunds are first posted to the taxpayer's master file account and issued to the taxpayer afterwards. The delay in recording manual refunds to taxpayer accounts increases the potential for erroneous or duplicate refunds because IRS's manual and automated refund processing are not systematically coordinated to prevent duplicate refunds from being issued. To prevent duplicate refunds from being issued, the IRM requires manual refund initiators, who process manual refunds, to (1) closely monitor the taxpayer's account and (2) document their monitoring activity until the manual refund posts to the taxpayer's master file account. When the manual refund posts to the taxpayer's master file account, IRS's automated system removes the credit balance from the taxpayer's account, which prevents a duplicate automated refund from being issued. However, throughout the period it takes for the manual refund to post, the manual refund initiators are responsible for monitoring the accounts for the posting of a duplicate refund generated by IRS's automated system. Whenever manual refund initiators identify the posting of a duplicate automated refund, they are required to take the necessary action to stop the automated refund from actually being issued to the taxpayer. During our 2008 review of manual refund activities at one campus, we found that IRS did not perform and document weekly monitoring activities of manual refunds in one unit while the responsible manual refund initiator was absent or on leave. We reviewed four taxpayer accounts where a manual refund had been issued prior to our visit and found that for one of the accounts, monitoring was not performed and documented weekly as required by the IRM. According to the manual refund initiator's supervisor, the employee that initiated the manual refund went on leave after initiating the refund. However, there were no specific IRM procedures for monitoring manual refund accounts when initiators responsible for monitoring are absent, such as designating staff to act as back ups to monitor manual refund accounts. As a result, when manual refund initiators are absent more than a week, monitoring of manual refund accounts and documenting of monitoring activities are not conducted as required by the IRM. Consequently, IRS faces an increased risk that duplicate refunds will not be detected and stopped in time to prevent their disbursement. Recommendation: We recommend that you direct the appropriate IRS officials to add specific requirements to the IRM to require that manual refund units assign back up staff to perform manual refund monitoring activities whenever a manual refund initiator is absent for an extended period of time. IRS Comments and Our Evaluation: IRS agreed with our recommendation and stated it would revise the IRM by September 2009 to require management to reassign the monitoring of manual refunds to back up staff when employees who perform monitoring actions on manual refund activities are out on leave one week or more. We will verify the changes to the IRM during future audits after IRS has updated the IRM. Courier Monitoring at Service Center Campuses: During our fiscal year 2008 financial audit, we found that IRS officials were not effectively monitoring couriers while they were in transit between service center campuses (SCC) and depository institutions. IRS contracts with courier companies to transfer taxpayer receipts from the SCCs to financial institutions for deposit. IRS developed policies designed to minimize the risk of losses while couriers are en route to the financial institutions, such as requiring that couriers travel directly to their designated destinations without unauthorized stops. We previously reported instances where couriers were not always following IRS policies for handling taxpayer receipts and information.[Footnote 20] These instances included (1) couriers' not always transporting taxpayer receipts and information directly to their destinations, (2) couriers leaving their vehicles containing deposits unattended, (3) couriers making unauthorized stops and transferring the taxpayer receipts and information from the vehicle used to pick up the deposit to another vehicle, and (4) solo couriers transporting taxpayer receipts and information. In response, IRS implemented several corrective actions including instructing SCC officials to (1) monitor the Form 10160, Receipt for Transport of IRS Deposit, used by couriers to document the delivery of tax payments to the depository institution to ensure that the form included a date and time stamp and the signature of a depository institution employee acknowledging receipt, (2) review the Form 10160 and note any time discrepancies, and (3) question couriers if discrepancies are identified and document this information in the Courier Incident Log. In addition, IRS previously communicated to us that SCC officials would use their discretion to determine whether it is necessary to conduct surveillance on couriers if inconsistencies are identified.[Footnote 21] At each of the three SCCs we visited during our fiscal year 2008 audit, we found that IRS had not (1) provided guidance to assist SCC officials in identifying discrepancies and determining whether to initiate procedures to trail couriers or (2) established minimum standards for how often the trailing should occur as part of its efforts to routinely monitor deposits entrusted to couriers off-site. Specifically, the instruction that SCC officials use their discretion in determining whether to trail couriers--which was not documented in any IRS guidance--was vague regarding criteria for trailing couriers in the event that specified time discrepancies or other inconsistencies were noted with respect to the courier's performance. As a result, these officials were unaware how or if they should perform this type of monitoring activity. Consequently, the campuses lacked the necessary means to effectively monitor adherence to the requirement that contract couriers travel directly from the campus to the depository institution without unauthorized or stops. Internal control standards[Footnote 22] require that agencies establish physical controls to secure and safeguard vulnerable assets, such as IRS receipts and taxpayer information, and that access be limited to authorized individuals to reduce the risk of unauthorized use or loss to the government. In addition, internal control should be designed to assure that ongoing monitoring occurs in the course of normal operations. The IRM requires that SCC employees ensure that couriers do not make any stops between the campus and the depository institution. However, the IRM did not establish (1) criteria for determining whether to trail couriers in the event certain time discrepancies or other inconsistencies were noted, or (2) guidance for conducting off-site courier surveillance. Because this criteria and guidance were not established, the risk is increased that taxpayer receipts and information may be lost while in the custody of contract couriers, and that any losses that occur may not be timely detected. Recommendations: We recommend that you direct the appropriate IRS officials to document in the IRM minimum requirements for: * Establishing criteria for time discrepancies or other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off- site surveillance of couriers. * Conducting off-site surveillance of couriers entrusted with taxpayer receipts and information. IRS Comments and Our Evaluation: IRS agreed with our recommendations concerning courier monitoring at SCCs. IRS stated that it added criteria for establishing specific time requirements and escalation procedures to the courier instructions in the IRM in May 2009. In addition, IRS stated that it will develop and implement procedures for courier surveillance at submission processing campuses and update the IRM with the courier surveillance procedures by December 2009. We will verify the changes to the IRM during future audits after IRS has updated the IRM. Volume of Receipts at Taxpayer Assistance Centers: During our fiscal year 2008 financial audit, we found that information on the total number and dollar amount of taxpayer receipts received at IRS's TACs was not readily available to IRS management. Specifically, we found that IRS did not track the total number or dollar amount of taxpayer receipts received at TACs at the individual TAC, group, territory, area, or nationwide level. Because this financial information was not tracked and therefore not readily available, IRS management lacked financial information that would be useful in making operating decisions and assessing risk at the TACs. Internal control standards[Footnote 23] state that information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities. In addition, internal control should be designed to assure that ongoing monitoring occurs in the course of normal operations. Program managers need financial data to determine whether they are meeting their goal of being accountable for the effective and efficient use of resources. The volume of receipts processed by a specific location is the type of financial information that would be useful in making informed operating decisions, such as determining how to effectively manage the risks associated with receiving tax receipts and taxpayer information. For example, TACs that receive a larger amount of cash receipts may need more stringent physical security and procedural controls in place to help ensure that identified risks are appropriately mitigated. Also, the volume and amount of receipts may affect decisions on staffing levels and service hours at the TACs. Because IRS does not track the dollar amounts and volumes of taxpayer receipts received at TACs and does not routinely report this information to allow for periodic monitoring of risk, it lacks certain information which could assist in managing the risk associated with receiving tax receipts and taxpayer information at its TAC facilities. Recommendation: We recommend that you direct appropriate IRS officials to establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual TAC location, group, territory, area, and nationwide. IRS Comments and Our Evaluation: IRS agreed with our recommendation and stated it will establish procedures and, contingent on the availability of funding, design a system to track and routinely report the total dollar amounts and volumes of receipts collected by individual TAC location, group, territory, area, and nationwide by October 2012. We will evaluate the effectiveness of IRS's efforts during future audits. Taxpayer Assistance Center Electronic Alarm System: During our fiscal year 2008 financial audit, we found that IRS's control procedures at the 10 TACs we visited did not ensure that all duress alarms were tested and that related physical security issues were monitored and appropriately addressed. To manage the risk of physical threats to IRS employees and the assets they safeguard, IRS maintains a system of electronic duress alarms at key locations in its TACs. The duress alarms are linked to a staffed central monitoring station that is responsible for notifying a qualified first responder and contacting a designated IRS official or officials when an alarm is set off. The activation of each alarm, including date and time, is compiled by the central monitoring station in an Emergency Signal History report. This report summarizes the results of the activation of the duress alarm, even in test status, and also details all incidents recorded by the central monitoring station, such as activated intrusion detection alarm signals and the response of the dispatcher. The report is available to the IRS physical security analyst responsible for each TAC location and is sometimes used as a tool to conduct quarterly tests of a facility's duress alarms. The IRM requires quarterly testing of TAC duress alarms. During our audit, we found that IRS's existing procedures did not (1) provide reasonable assurance that quarterly tests of a facility's duress alarms were complete, the results documented, and any findings tracked until they are resolved; (2) require periodic documented reviews of the central monitoring station's Emergency Signal History reports to ensure that security activity detailed in the reports were monitored; and (3) include a requirement to track the latest update (calendar date) of the emergency contact list provided to the central monitoring station in order to ensure that appropriate IRS officials were contacted during emergencies. Specifically, we found the following: * At four TACs, IRS did not include all of the duress alarms in the most recent quarterly alarm test. * At one TAC, IRS was unable to provide evidence documenting that all duress alarms were included in the most recent quarterly alarm test. * At all 10 TACs we visited, there was no documented review of the (1) Emergency Signal History reports generated by the central monitoring station or (2) emergency contact lists provided by IRS to the central monitoring station. As part of our review, we asked each of the IRS officials responsible for conducting the quarterly alarm test for the instructions used to conduct the test. In each instance, we were informed that there were no instructions available. Our review of four TACs revealed that a total of five duress alarms were not included in the most recent quarterly test. IRS's policy for conducting quarterly duress alarm tests did not require an inventory of the duress alarms before the tests were conducted or a reconciliation of those alarms to the test results. In response to our findings, IRS officials told us that the alarms were not tested because the person conducting the test was either unaware of the alarms, overlooked the alarms, or was not informed that a new alarm had been installed. At a fifth TAC, IRS could not provide evidence that all alarms were tested. In reviewing the Emergency Signal History reports, we found an instance at one TAC where the central monitoring station dispatcher, in response to an alarm activation, contacted an employee who no longer worked at the location to investigate the alarm and close out the alarm activation. In another instance, an unauthorized individual had access to the security code and was allowed to close out an alarm activation. Additionally, during our review of the emergency contact list at another TAC, we noted one employee on the list who no longer worked at that location. In each of these instances, the physical security analysts were unaware of these issues until we brought the matters to their attention. Internal control standards[Footnote 24] require physical controls to limit access to vulnerable assets and require that access to resources and records, such as IRS receipts and taxpayer information, be limited to authorized individuals to reduce the risk of unauthorized use or loss to the government. Internal controls need to be clearly documented and should appear in official procedural guidance. Also, these standards require agencies to enforce adherence to management policies and procedural requirements, such as management reviews, to create and maintain records providing evidence that these controls are executed and to assure that ongoing monitoring occurs to assess the quality of performance over time. These monitoring controls include ongoing management and supervisory activities, comparisons, and reconciliations. In addition, IRS's IRM establishes security requirements intended to minimize the potential for loss of life and property, the disruption of services and functions, and the unauthorized disclosure of documents and information. However, if IRS employees responsible for conducting quarterly alarm tests or other reviews are not provided instructions for conducting these tests and a listing of the electronic alarms at each location, and are not adequately documenting the results of these tests, IRS cannot be assured that the internal controls over this activity are being effectively carried out. This, in turn, increases the risk that IRS will not appropriately respond in an emergency situation to protect its employees and facilities and to safeguard taxpayer receipts and information. Recommendations: We recommend that you direct appropriate IRS officials to do the following: * Establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted. * Establish procedures to periodically update the inventory of duress alarms at each TAC location to ensure that the inventory is current and complete as of the testing date. * Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory including date, findings, and planned corrective action and (2) track the findings until they are properly resolved. * Establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station and (2) the emergency contact list for each location is current and includes only appropriate contacts. IRS Comments and Our Evaluation: IRS agreed with our recommendations to enhance controls over duress alarm testing and the monitoring actions to address physical security issues. IRS stated that it will issue interim guidance requiring Territory Managers to: 1) document the inventory of all duress alarms for each location so that it is readily available to individuals conducting duress alarm tests before each test is conducted; 2) update the inventory of all duress alarms quarterly; 3) document the results of the quarterly duress alarm tests, including date, findings, and planned corrective action, and track the findings until they are resolved; 4) ensure that the Physical Security and Emergency Preparedness office (PSEP) representative at each facility conducts a periodic documented review of the central monitoring station's Emergency Signal History Report; 5) require that the PSEP representative ensure that appropriate corrective actions are planned for all deficiencies or incidents requiring actions reported by the central monitoring station; and 6) require the PSEP representative to conduct a periodic review of the emergency contact list for each location to ensure it is current and includes only appropriate contacts. IRS stated that it plans to revise the IRM to include all of the above guidance by September 2009. We will verify the changes to the IRM and evaluate the effectiveness of IRS's efforts after the changes are fully implemented during future audits. Purchase Card Approvals: During our fiscal year 2008 financial audit, we found that IRS's controls over the processing of purchase card transactions did not adequately ensure that approving officials reviewed and approved purchases timely. We selected a statistical sample of 80 manual and Web- based purchase card transactions processed between October 9, 2007, and May 8, 2008.[Footnote 25] We found that 6 of these 80 transactions had not been approved by an approving official within IRS's required time frames. On the basis of this work, we estimate that 7.5 percent of total purchase card transactions processed between October 9, 2007, and May 8, 2008 had not been approved by an approving official within IRS's established time frames.[Footnote 26] IRS's purchase card guide requires purchase card approving officials to review and approve manual transactions within 3 calendar days from receipt of the purchase cardholder's statement of account. The guide also requires approving officials to review and approve Web-based transactions within 10 business days of the transaction's download date in IRS's Purchase Card Module.[Footnote 27] The six transactions we identified were approved after these time frames and included both manual and Web-based purchase card transactions. For example, an approving official did not approve one Web-based transaction until 5 weeks after the transaction's download date. Internal control standards[Footnote 28] require transactions to be promptly recorded and authorized by persons acting within the scope of their authority. This is the principal means of assuring that only valid transactions are initiated or entered into. The late approvals for these six transactions had not previously been identified by IRS in part because IRS did not have adequate controls to monitor for compliance with the required approval time frames. Because IRS must pay the purchase card issuing bank on time, regardless of whether the transactions have been approved or not, it is critical for approving officials to review and approve these transactions timely so that any disputed or rejected purchases can be promptly investigated and resolved. The lack of procedures to identify and follow up on overdue approvals compromises internal control over the purchase card program and increases the risk of erroneous, improper, and fraudulent purchases. Recommendation: We recommend that you direct appropriate IRS officials to develop, document, and implement procedures to regularly monitor the timeliness of purchase card approvals. This should include establishing procedures and responsibility for identifying and following up on instances of non- compliance with required approval timeframes. IRS Comments and Our Evaluation: IRS agreed with our recommendation to monitor the timeliness of purchase card approvals and to follow up on non-compliance. IRS stated that its Agency-Wide Shared Services (AWSS) Credit Card Services Branch now monitors compliance with purchase card requirements through monthly reviews. We will review the documentation and scope of these monthly reviews and review IRS's actions to address non-compliance during our audit of IRS's fiscal year 2009 financial statements to ensure this issue is being appropriately addressed. Use of Expired Appropriations: During our fiscal year 2008 audit, we found that IRS's controls over the use of appropriated funds did not always prevent the improper use of expired appropriations to fund current year obligations. While testing a statistical sample of 14 upward adjustments to prior year obligations as of July 31, 2008, we found two instances of improper contract actions totaling over $485,000 in which IRS improperly used fiscal year 2007 appropriations, which had expired, to fund fiscal year 2008 procurement transactions.[Footnote 29] In both instances, the obligation of prior year appropriations was improper, as was the recorded upward adjustment to prior year obligations. After we brought these matters to its attention, IRS made adjustments to correct the errors by de-obligating fiscal year 2007 funds that were improperly used and obligating fiscal year 2008 funds to pay for the transactions in question. Because IRS corrected these errors, it was able to avoid violating the Antideficiency Act, which prohibits IRS officers and employees from obligating or expending funds in advance or in excess of applicable appropriations.[Footnote 30] Additionally, because these were unique situations, we concluded that projecting the exceptions to the population of upward adjustments would be inappropriate. In the first instance, an IRS employee used a purchase card to place orders for calendars in October 2007, the first month of fiscal year 2008, and charged the purchase against fiscal year 2007 funds that had been committed (or administratively reserved) in the prior fiscal year. In accordance with the Recording Statute,[Footnote 31] IRS should not have recorded an obligation of funds until it had a binding agreement [Footnote 32] with another party, which occurred in fiscal year 2008 when IRS placed its order. Furthermore, because the obligation occurred in fiscal year 2008, under the Time Statute,[Footnote 33] IRS should have used fiscal year 2008 funds to pay for it. In the second instance, IRS inappropriately used expired fiscal year 2007 appropriations to fund two contract modifications, in December 2007 and again in January 2008, to acquire information technology support services for fiscal year 2008. The original contract and the subsequent modifications included a "Limitation of Funds"[Footnote 34] clause which made it clear that IRS had obligated only a portion of the estimated cost of performance under the contract and the contractor would not be paid additional amounts unless IRS obligated additional funds to the contract. Further, the funding modifications covered fiscal year 2008 "severable services"[Footnote 35] and therefore were new obligations that should have been funded with fiscal year 2008 appropriations. Internal control standards[Footnote 36] require agencies to establish controls to assure that only valid transactions to exchange, transfer, use, or commit resources and other events are initiated or entered into. IRS's IRM restates the Account Closing Law that (1) new obligations may not be incurred against expired appropriations and (2) expired balances are available only for upward and downward adjustments to existing obligations during the 5 years following expiration of obligation authority.[Footnote 37] However, the IRM provides little or no guidance to help employees distinguish between procurement actions that constitute new obligations versus adjustments to existing obligations as would be needed in complex situations where such distinctions are not readily discernable. IRS had a review and approval process in place that was designed to assure that appropriated funds were used as intended and during their periods of availability. However, during fiscal year 2008, this process was not fully effective in preventing or detecting the improper use of expired appropriations to fund IRS's current year procurement transactions. In both cases that we identified, the actions taken by IRS personnel indicated there was a lack of understanding about the proper uses of expired funds. As a result, IRS faces increased risk that the appropriated funds it receives may be improperly used in its operations after their periods of availability have expired and that it may be unable to detect and correct such improper acts in time to avoid violating applicable laws and regulations that govern the use of appropriated funds. Recommendations: We recommend that you direct the appropriate IRS officials to revise the IRM section related to the limited use of expired appropriations to provide additional guidance to help employees distinguish between procurement actions that constitute new obligations and those that merely adjust or liquidate prior obligations that the IRS incurred during an expired appropriation's original period of availability. IRS Comments and Our Evaluation: IRS agreed with our recommendation and stated that by September 2009, it would: 1) revise the Financial Operating Guidelines section of the IRM to provide additional guidance to clarify existing procedures regarding the use of expired appropriations, 2) issue an Annual Close Guidelines section of the IRM to establish year-end procedures for expired and closing appropriations, and 3) update the Purchase Card Handbook section of the IRM to provide guidance and procedures to preclude the use of expired appropriations when using a purchase card. We will verify the changes to the IRM and evaluate the effectiveness of IRS's efforts after they are fully implemented during future audits. Recording of Undelivered Orders Transactions: During our fiscal year 2008 audit, we found that IRS's controls over the recording of undelivered orders transactions did not always prevent or detect errors that occurred in the accounts. While testing a statistical sample of 107 undelivered orders as of August 31, 2008, we found that IRS staff made errors that were not readily detected and corrected in recording receipt and acceptance transactions and vendor invoices in the undelivered orders obligation accounts. Specifically, we found two exceptions totaling over $410,000 in which IRS recorded duplicate receipt and acceptance entries to the undelivered orders balances. In a third instance, IRS charged invoice amounts to an incorrect expenditure category. Based on our testing, we estimate that the balance of undelivered orders at the time of our testing may be misstated by as much as $3.3 million. In one instance, receipt and acceptance for communication services in the amount of $1,726.18 was charged and recorded twice in the undelivered orders account. The second recording was based on a corrected invoice that IRS received several months after it had paid the first invoice and was detected as a duplicate during the invoice payment process. Although it had been identified for correction approximately 4 months earlier, the duplicate receipt and acceptance remained inappropriately charged against the undelivered orders balance at the time of our testing in September 2008. In another instance, receipt and acceptance for management support services in the amount of $409,243.83 was charged and recorded twice to the undelivered orders account. The duplicate receipt and acceptance was posted in March 2008; however, it was not corrected until September 2008. In addition, we found one instance in which IRS charged three invoices that totaled $125,302.32 to the incorrect expenditure category of an undelivered orders sample item. These transactions were charged to contractual labor, an expense, but they should have been charged to alteration and repairs, an asset. Although IRS conducted extensive reviews of its procurement transactions during the invoice payment process and has been successful in preventing and detecting duplicate payments, any necessary corrective actions resulting from these reviews may not occur for four months or longer after the recording of receipt and acceptance against the undelivered orders balance and, therefore, errors may not be detected and corrected in a timely manner. As a result, the undelivered orders balance could be misstated at any given point during the fiscal year. Internal control standards[Footnote 38] require that transactions and other events be accurately and timely recorded to maintain their relevance and value to management in controlling operations and making decisions. Control activities also help to ensure that all transactions are completely and accurately recorded. In addition, the IRM requires that commitments and obligations be posted timely, and financial plan managers should make every effort to ensure that data are accurately posted.[Footnote 39] Nonetheless, because IRS did not have effective controls in place to ensure it properly recorded receipt and acceptance transactions to its undelivered orders account balances and charged obligations to correct obligation lines, IRS had less assurance that government funds were used as intended and that financial transactions would be accurately recorded in the accounts and reported in the financial statements. Recommendations: We recommend that you direct the appropriate IRS officials to do the following: * Reiterate IRS's existing policy requiring that transactions be recorded accurately to the undelivered orders obligation accounts. * Perform existing reviews of transactions recorded in undelivered orders obligation accounts in a more timely manner in an effort to detect and correct errors, such as duplicate receipt and acceptance charges, earlier in the process. IRS Comments and Our Evaluation: IRS agreed with our recommendations and stated that it will issue a memorandum by June 2009 to reiterate its policy requiring that transactions be recorded accurately to the undelivered orders obligation accounts. IRS also stated that in December 2008, it initiated weekly reviews of receipt and acceptance transactions to more timely identify and correct errors. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2009 financial statements. Full Cost Management Information: In our fiscal year 2008 audit,[Footnote 40] we reported that IRS had not completed the process of developing and institutionalizing the use of full cost information for the range of its programs and activities. The full cost[Footnote 41] of programs and activities is an essential component of the information IRS managers need to evaluate effectiveness and make better informed decisions about the allocation of resources among competing demands. Internal control standards[Footnote 42] state that for an entity to control its operations, it must have relevant and reliable information and its program managers must have operational and financial data to determine whether they are meeting their goals for effective and efficient use of resources. Federal Accounting Standards Advisory Board's Statement of Federal Financial Accounting Standards (SFFAS) No. 4, Managerial Cost Accounting Standards and Concepts[Footnote 43] discusses concepts and gives guidance to federal agencies on developing and providing managerial cost data to managers. In discussing the concept of managerial cost accounting information, the statement says that one of the objectives of managerial cost accounting is to provide program managers[Footnote 44] with relevant and reliable information relating costs to programs, their activities, and composition. The statement further says that a fundamental undertaking of managerial cost accounting is to match costs with activities and outputs. The statement notes several criteria for cost accounting information, including that it be (1) developed in such a way as to ensure that it has the ability to assist in the measurement of performance, which the statement says is one of the purposes of managerial cost accounting; (2) reliable and reported on a consistent basis; (3) at a reasonable and useful level of data precision; (4) able to accommodate special information needs of management; and (5) documented through a manual or handbook. IRS has recognized the importance of managerial cost accounting by issuing its own policy on cost accounting. The policy says that one of the criteria for IRS's managerial cost accounting is to recognize the full cost of outputs. The policy also says that the purpose of accumulating and tracking costs is to (1) enhance managers' ability to measure the costs of activities within their areas of control and to identify operational trends and variances, (2) compare costs of producing outputs across different business operating divisions, and (3) optimize the use of IRS's resources. IRS also took several additional steps to institutionalize the policy and the use of full cost data in making management decisions, including (1) establishing an Office of Cost Accounting within its Chief Financial Officer (CFO) organization, (2) planning for the inclusion of the cost policy in the IRM, and (3) developing a training program to explain the cost policy to IRS managers: To develop full cost information for its programs, IRS has had to develop methodologies that supplement the cost data in its cost accounting system, the Integrated Financial System (IFS).[Footnote 45] IFS accumulates full cost information at the cost center level, [Footnote 46] which are low level organizational units, such as an office within a business operating division. However, IRS cannot generate information on the full cost of many of its various programs and activities directly from IFS because, in many instances, the IFS cost centers do not equate directly to the various programs and activities that IRS undertakes. In order to establish this relationship and produce managerially useful full cost data for program officials, IRS conducted several cost pilot projects to develop and test methodologies to determine the full cost of certain programs, such as the Automated Underreporter (AUR) program. For the cost pilot projects, IRS combined IFS cost data with data from its various workload management systems,[Footnote 47] such as the time employees spend on specific programs. The cost pilot projects developed full cost information at the program summary level but not down to the level of the activities within those programs. For example, in the cost pilot for the Automated Underreporter (AUR) program, IRS developed summary level full cost data on the many AUR matching activities, but IRS could not identify the cost of the individual matching activities[Footnote 48] that employees undertake because IRS's workload management systems do not contain such data. However, IRS does have data on the revenue collected as a result of the matches. Although IRS cannot extract such work activity level data from its current systems, SFFAS No. 4 addresses such situations by acknowledging that in some instances agencies may have to use cost finding techniques to develop some cost elements. The full cost methodologies IRS developed were generally focused on large programs and not on developing full cost data on specific activities within these programs and their outputs.[Footnote 49] However, the development of cost data to match against tax collections generated by these activities and products is important. Without comparable full cost information on its programs and activities, IRS is missing a key component of the information necessary to measure the effectiveness of its enforcement efforts. The cost pilot projects have demonstrated that IRS can develop full cost data at a program summary level, and as such, represent significant progress. The approach used by the cost pilot projects requires that a specific methodology be developed for each program and would also require IRS to develop comparable specific methodologies to develop full cost information on additional programs or activities. Thus, continued efforts are needed to provide IRS managers the full cost information that will allow them to better measure performance and optimize resource allocation decisions affecting IRS's programs and activities. Although IRS has begun to take these important steps, it has not yet institutionalized a formal process to identify over time the full range of programs and activities for which IRS would consider full cost information to be useful to executives and program managers in evaluating effectiveness and in optimizing resource allocation decisions.[Footnote 50] We acknowledge that identifying these programs and activities and developing full cost information for each of them presents significant challenges and will require a sustained effort. However, without readily available cost information for IRS's programs and activities, IRS's executives and managers are lacking a critical component of the range of information they need to make informed decisions. To date, IRS's CFO officials have provided significant leadership in promoting cost awareness throughout IRS and developing full cost methodologies as envisioned by SFFAS No. 4. Continued leadership from those officials as well as the involvement of IRS's business operating division officials is vital. SFFAS No. 4's concept is for agencies to develop complete and robust cost accounting information on a full range of agency outputs and products that would allow agency executives and program managers to compare the effectiveness of various programs and to optimize the allocation of resources among them. Recommendations: To facilitate routine collaboration between CFO and business operating division officials, including program managers in achieving the goal of making appropriate full cost information readily available to managers and executives to support informed decision-making, we recommend that you direct the appropriate IRS officials to do the following: * Establish a formal, documented process for identifying over time the full range of IRS's programs and underlying activities, outputs, and services for which IRS believes full cost information would be useful to executives and program managers. Such a process should (1) be formally established and documented through policies, procedures, guidance, meeting minutes, and other appropriate means; (2) define the roles and responsibilities of the CFO and other business units in the process; and (3) be focused on the goal of determining what cost information would be useful and the most appropriate means of developing and reporting it for both existing programs and new programs as they are initiated. * For each of the IRS programs, activities, outputs, and services identified for which full cost information would be useful to IRS executives and program managers, complete the development of full cost methodologies to routinely accumulate and report on their full costs, including down to the activity level where appropriate. Such full cost data should be readily accessible to IRS program managers whenever they are needed and should include both personnel costs based on time spent on specific activities as well as all associated non-personnel costs and be drawn from or reconcilable to IRS's financial accounting system. IRS Comments and Our Evaluation: IRS agreed with our recommendations and cited several corrective actions taken, including having established the Cost Users Group through which the business units identify their needs for full cost information that would be useful to executives and program managers. In addition, IRS stated that it would continue to develop full cost information for each of the areas identified by the business units and that this information will be available to IRS program managers as needed. We will evaluate the effectiveness of IRS's efforts during future audits. Performance Measures for Enforcement Activities: In our fiscal year 2008 audit,[Footnote 51] we reported that IRS had not developed key outcome-oriented performance measures,[Footnote 52] such as dollars collected compared to total costs, to assess the effectiveness of its enforcement programs and activities. The IRS includes performance measures as an integral part of its Management Discussion and Analysis, which is required supplementary information to its financial statements. Internal control standards discuss the need for management to track major agency achievements and compare them to the plans, goals, and objectives established under the Government Performance and Results Act of 1993 (GPRA).[Footnote 53] The standards further state that managers need to compare actual performance to planned or expected results (goals) throughout the organization and analyze significant differences. GPRA also discusses the need for agencies to develop performance plans with outcome-oriented goals and objectives.[Footnote 54] IRS's existing performance measures, and their related goals, for its enforcement efforts focus on process-oriented work-in-process indicators related to discrete activities within the overall collection effort, such as the percentage of various types of tax returns examined, AUR coverage,[Footnote 55] criminal investigations completed, and the number of tax returns examined and closed. While each of these measures may serve an important operational purpose, they are not designed to measure the contribution each of these activities makes to the collection of unpaid taxes, nor do they compare the cost of collection activities to the tax revenue generated. IRS does not have such outcome-based performance measures and related goals that are designed to assess how effective its individual enforcement programs and activities are in collecting unpaid taxes compared to their costs. As a result, IRS lacks an effective means by which to measure the extent to which it is effectively utilizing its available resources to achieve a critical aspect of its overall mission of collecting unpaid taxes. We have previously noted this lack of performance information. For example, last year we reported that IRS's collection performance measures address collection coverage and collection efficiency but not dollars collected.[Footnote 56] We have also reported that although IRS has made the collection of unpaid payroll taxes one of its top priorities, it has not established measures or goals to assess its progress in collecting or preventing the accumulation of payroll tax debt.[Footnote 57] Additionally, we reported that IRS does not have specific lower-level performance metrics that target collection actions or collection results for unpaid payroll taxes and that such performance metrics could be useful to IRS in measuring the success of its efforts to collect or prevent the further accumulation of unpaid payroll taxes and to formulate more effective approaches to dealing with this compliance issue. One reason IRS has been reluctant to use enforcement revenue data to evaluate programs and develop performance measures is because, under the Internal Revenue Service Restructuring and Reform Act of 1998, [Footnote 58] IRS is prohibited from using "records of tax enforcement results" to evaluate employees or impose or suggest production quotas or goals for employees. However, as we pointed out in our fiscal year 2008 financial audit,[Footnote 59] the statute does not establish a blanket prohibition on using quantity (dollar) measures to evaluate organization performance. Performance measures and goals for IRS's enforcement programs and activities, including measures of the dollars collected compared to the cost to assess and collect those dollars, are essential tools to assist management in assessing the relative merits of its resource allocation options. IRS has developed extensive collections data on IRS's enforcement programs, some of which is detailed down to the activity level. For example, IRS has data on taxes collected from it's over 60 AUR third-party matching activities, such as matching a taxpayer's reported income against forms 1099 for dividends and interest or form W- 2 wages. This data could be used to develop performance measures, such as return on investment and related performance goals to evaluate the effectiveness of those activities, but as discussed in the section of this report on "Full Cost Management Information," IRS has not developed comparable cost data. IRS has developed return on investment information on a limited number of programs for which it has both cost and enforcement revenue data. However, without comparable cost and enforcement data on its programs and activities, IRS has limited ability to develop performance measures or related goals and to compare the relative effectiveness of its programs and activities. We have previously recommended that IRS extend the use of return on investment in future budget proposals to include major enforcement programs. [Footnote 60] We acknowledge that IRS may face significant challenges developing data to calculate such measures and goals. However, doing so would better position IRS to evaluate the effectiveness of its enforcement activities, optimize the allocation of resources among its various programs and work activities, and provide better information with which to defend its budget proposals. Although IRS management must consider many factors beyond cost and collections--such as coverage, compliance,[Footnote 61] and budgetary issues--when making resource allocation decisions, full cost and tax collection information should also be a critical factor. In addition, developing and tracking performance goals against actual performance would assist IRS in evaluating the effectiveness of its various programs and activities in achieving IRS's mission. Recommendation: We recommend that you direct appropriate IRS officials to develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities that include measures of the full cost of, and the revenue collected from, those programs and activities (return on investment) to assist IRS's managers in optimizing resource allocation decisions and evaluating the effectiveness of their activities. IRS Comments and Our Evaluation: While not explicitly agreeing or disagreeing with our recommendation, IRS stated that it will continue to improve the analytical tools it uses to inform its resource decisions for major enforcement programs. IRS noted that return on investment is but one tool that can be used to improve resource allocation decision-making and that IRS currently uses a broader set of tools in addition to return on investment, such as cost/benefit analysis that incorporates a wide range of tangible and intangible costs and benefits. As we indicated in our report, we acknowledge that managing IRS's overall mission of enforcing the tax laws and promoting compliance necessitates a wide variety of information and performance measurement tools and that measuring return on investment is but one such tool. However, it is a critical one. While IRS has developed return on investment information for a limited number of programs for which it has both cost and enforcement revenue data, as we discuss in the report, it has not done so for many of its programs and activities where it does not currently have cost data to match against revenue collections, and thus does not use such information to assist in making routine resource allocation decisions. IRS's current performance measures and goals for its enforcement activities address only non- financial outputs, such as coverage and case closure. We believe that IRS's lack of outcome-related performance measures and related goals for its enforcement programs and activities that would be focused on the return (taxes collected) and the investment (cost) limits its ability to determine the cost-effectiveness of those programs and activities, to evaluate their relative effectiveness, to make more informed enforcement-related resource allocation decisions, and to justify budget requests for its existing programs. This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on these recommendations. You should submit your statement to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Government Reform within 60 days of the date of this report. A written statement must also be sent to the House and Senate Committees on Appropriations with the agency's first request for appropriations made more than 60 days after the date of the report. Furthermore, to assure GAO has accurate, up-to-date information on the status of your agency's actions on our recommendations, we request that you also provide us with a copy of your agency's statement of actions taken on open recommendations. Please send your statement of action to me or Ted Hu, Assistant Director, at HuT@gao.gov. This report is intended for use by the management of IRS. We are sending copies to the Chairmen and Ranking Members of the Senate Committee on Appropriations; Senate Committee on Finance; Senate Committee on Homeland Security and Governmental Affairs; and Subcommittee on Taxation and IRS Oversight, Senate Committee on Finance. We are also sending copies to the Chairmen and Ranking Members of the House Committee on Appropriations and House Committee on Ways and Means, the Chairman and Vice-Chairman of the Joint Committee on Taxation, the Secretary of the Treasury, the Director of OMB, and the Chairman of the IRS Oversight Board. The report is available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. We acknowledge and appreciate the cooperation and assistance provided by IRS officials and staff during our audits of IRS's fiscal years 2008 and 2007 financial statements. Please contact me at (202) 512-3406 or sebastians@gao.gov if you or your staff have any questions concerning this report. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this correspondence. GAO staff who made major contributions to this report are listed in enclosure III. Sincerely yours, Signed by: Steven J. Sebastian: Director: Financial Management and Assurance: Enclosures - 3: [End of section] Enclosure I: Details on Audit Methodology: To fulfill our responsibilities as the auditor of IRS's financial statements, we did the following: * We examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements. This included selecting statistical samples of unpaid assessments, revenue, refunds, accrued expenses, payroll, nonpayroll, property and equipment, accounts payable, and undelivered order transactions. These statistical samples were selected primarily to substantiate balances and activities reported in IRS's financial statements. Consequently, dollar errors or amounts can and have been statistically projected to the population of transactions from which they were selected. In testing some of these samples, certain attributes were identified that indicated deficiencies in the design or operation of internal control. These attributes, where applicable, can be and have been statistically projected to the appropriate populations. * We assessed the accounting principles used and significant estimates made by management. * We evaluated the overall presentation of the financial statements. * We obtained an understanding of IRS and its operations, including its internal control related to financial reporting (including safeguarding assets) and compliance with laws and regulations (including the execution of transactions in accordance with budget authority). * We tested relevant internal control over financial reporting (including safeguarding assets) and compliance, and evaluated the design and operating effectiveness of internal control. * We considered IRS's process for evaluating and reporting on internal control and financial management systems under 31 U.S.C. § 3512 (c), (d), commonly referred to as the Federal Managers' Financial Integrity Act of 1982, and OMB Circular No. A-123, Management's Responsibility for Internal Control. * We tested compliance with selected provisions of the following laws and regulations: Anti-Deficiency Act, as amended (31 U.S.C. § 1341(a)(1) and 31 U.S.C. § 1517(a)); Purpose Statute (31 U.S.C. § 1301(a)); Release of lien (26 U.S.C. § 6325 (a)); Interest on underpayment, nonpayment, or extension of time for payment of tax (26 U.S.C. § 6601); Interest on overpayments (26 U.S.C. § 6611); Determination of rate of interest (26 U.S.C. § 6621); Failure to file tax return or to pay tax (26 U.S.C. § 6651); Failure by individual to pay estimated income tax (26 U.S.C. § 6654); Failure by corporation to pay estimated income tax (26 U.S.C. § 6655); General rule on deposit of internal revenue collections (26 U.S.C. § 7809(a)); Interest penalties under the Prompt Payment Act (31 U.S.C. § 3902(a), (b), and (f)); Limitations on discount payments under the Prompt Payment Act (31 U.S.C. § 3904); Pay and Allowance System for Civilian Employees (5 U.S.C. §§ 5332 and 5343, and 29 U.S.C. § 206); Federal Employees' Retirement System Act of 1986, as amended (5 U.S.C. §§ 8422, 8423, and 8432(c)(1)(A)); Social Security Act of 1935, as amended (26 U.S.C. §§ 3101 and 3121 and 42 U.S.C. § 430); Federal Employees Health Benefits Act of 1959, as amended (5 U.S.C. §§ 8905, 8906, and 8909); Financial Services and General Government Appropriations Act, 2008, Pub. L. No. 110-161, div. D, tit. I, 121 Stat. 1844 (Dec. 26, 2007); Revised Continuing Appropriations Resolution, 2007, Pub. L. No. 110-5, §§ 101, 103, 104, 21050, 21053, 121 Stat. 8, 9, 54 (Feb. 15, 2007), which incorporates by reference certain provisions in the Department of the Treasury Appropriations Act, 2006, Pub. L. No. 109-115, div. A, tit. II, 119 Stat. 2432, 2436- 7 (Nov. 30, 2005); and Revised Continuing Appropriations Resolution, 2007, Pub. L. No. 110-5, §§ 21051, 21052, 121 Stat. 8, 54 (Feb. 15, 2007), which incorporates by reference certain provisions in Title II of H.R. 5576 (109th Congress, June 14, 2006); Economic Stimulus Act of 2008, Pub. L. No. 110-185, 122 Stat. 613 (Feb. 13, 2008). * We tested whether IRS's financial management systems substantially comply with the three requirements of the Federal Financial Management Improvement Act of 1996 (Pub. L. No. 104-208, div. A, § 101(f), tit. VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996); (reprinted in 31. U.S.C. § 3512 note). [End of section] Enclosure II: Comments from the Internal Revenue Service: Department Of The Treasury: Internal Revenue Service: Commissioner: Washington, D.C. 20224: June 3, 2009: Mr. Steven J. Sebastian: Director: Financial Management and Assurance: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Sebastian: I am writing in response to the Government Accountability Office (GAO) draft of the Fiscal Year (FY) 2008 Management Report titled, Improvements Are Needed To Enhance IRS's Internal Controls and Operating Effectiveness (GAO-09-513R). As GAO noted in the report titled, Financial Audit: IRS's Fiscal Yews 2008 and 2007 Financial Statements, we continue to make significant progress in addressing remaining financial management issues and have substantially mitigated weaknesses in internal controls. In FY 2008, GAO determined that the remaining issues related to tax revenue and refunds no longer constitute a material weakness, In addition, GAO concluded that the remaining issues related to safeguarding hard-copy taxpayer receipts and data no longer constitute a significant deficiency because of the significant improvements in internal controls at the submission processing centers and the lockbox banks. I have enclosed a response which addresses each of your recommendations. We are committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. If you have any questions, please contact Alison Doone, Chief Financial Officer, at (202) 622-6400. Sincerely, Signed by: Douglas H. Shulman: Enclosure: [End of letter] GAO Recommendations and IRS Responses to GAO FY 2008 Management Report "Improvements Are Needed To Enhance IRS's Internal Controls and Operating Effectiveness", GAO-09-513R: Recommendation #1: We recommend that you direct appropriate IRS officials to correct the Integrated Data Retrieval System (IDRS) computer program for identifying individual taxpayers who have entered into an installment agreement so that except in situations where the taxpayer did not file the tax return timely, failure-to pay (FTP) penalty assessments made after the date of the installment agreement are calculated using the monthly one-quarter of one percent penalty rate on all of the taxpayer's accounts covered by the installment agreement. Comments: We agree with this recommendation. We implemented programming changes in January 2009 so that FTP penalty assessments are calculated at the reduced rate for all eligible installment agreements. Recommendation #2: We recommend that you direct appropriate IRS officials to add specific requirements to the Internal Revenue Manual (IRM) to require that manual refund units assign back up staff to perform manual refund monitoring activities whenever a manual refund initiator is absent for an extended period of time. Comments: We agree with this recommendation. Wage and Investment (W&I) Accounts Management will revise IRM 21.4.4.5, Other Manual Refund Requirements, to state, "When an employee who performs monitoring actions is out on extended leave (one week or more), management must reassign the monitoring to a backup." Anticipated completion of the recommendation is September 2009. Recommendation #3: We recommend that you direct the appropriate IRS officials to document in the IRM minimum requirements for establishing criteria for time discrepancies or other inconsistencies, that if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS Deposit, would require off-site surveillance of couriers. Comments: We agree with this recommendation. W&I Submission Processing added criteria for establishing specific time requirements and escalation procedures to the courier instructions in IRM 3.8.45, Manual Deposit Process, on May 15, 2009. W&I also will update the IRM after courier surveillance procedures are developed. Anticipated completion of the recommendation is December 2009. Recommendation #4: We recommend that you direct appropriate IRS officials to document in the IRM minimum requirements for conducting off-site surveillance of couriers entrusted with taxpayer receipts and information. Comments: We agree with this recommendation. The Director, Submission Processing (SP), and Agency-Wide Shared Services (AWSS) will implement procedures for courier surveillance at SP campuses. Anticipated completion of the recommendation is December 2009. Recommendation #5: We recommend that you direct appropriate IRS officials to establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual Taxpayer Assistance Center (TAC) location, group, territory, area, and nationwide. Comments: We agree with this recommendation. W&I Field Assistance will establish procedures, and contingent on available funding, design a system to track and routinely report the total dollar amounts and volumes of receipts collected by individual TAC location, group, territory, area, and nationwide. Anticipated completion of the recommendation is October 2012. Recommendation #6: We recommend that you direct appropriate IRS officials to establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily available to individuals conducting duress alarm tests before each test is conducted. Comments: We agree with this recommendation. The AWSS Physical Security and Emergency Preparedness office (PSEP) will issue interim guidance requiring Territory Managers to document the inventory of all duress alarms for each location that is readily available to individuals conducting duress alarm tests before each test is conducted. This requirement will be included in the next revision of IRM 10.2.14. Anticipated completion of the recommendation is September 2009. Recommendation #7: We recommend that you direct appropriate IRS officials to establish procedures to periodically update the inventory of duress alarms at each TAC location to ensure it is current and complete as of the testing date. Comments: We agree with this recommendation. PSEP will issue interim guidance requiring Territory Managers to update the inventory of all duress alarms quarterly. This requirement will be included in the next revision of IRM 10.2.14. Anticipated completion of the recommendation is September 2009. Recommendation #8: We recommend that you direct appropriate IRS officials to provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test (1) document the test results for each duress alarm listed in the inventory including date, findings, and planned corrective action and (2) track the findings until they are properly resolved. Comments: We agree with this recommendation. PSEP will issue interim guidance requiring Territory Managers to document the results of the quarterly duress alarm tests, including date, findings, and planned corrective action, and track the findings until they are resolved. This requirement will be included in the next revision of IRM 10.2.14. Anticipated completion of the recommendation is September 2009. Recommendation #9: We recommend that you direct appropriate IRS officials to establish procedures requiring that each physical security analyst conduct a periodic documented review of the Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate corrective actions have been planned for all incidents reported by the central monitoring station and (2) the emergency contact list for each location is current and includes only appropriate contacts. Comments: We agree with this recommendation. PSEP will issue interim guidance requiring Territory Managers to ensure that the PSEP representative at each facility conduct a periodic documented review of the central monitoring station's Emergency Signal History Report and ensure that appropriate corrective actions are planned for all deficiencies or incidents requiring actions reported by the central monitoring station. The PSEP representative also will conduct a periodic review of the emergency contact list for each location to ensure it is current and includes only appropriate contacts. These requirements will be included in the next revision of IRM 10.2.14. Anticipated completion of the recommendation is September 2009. Recommendation #10: We recommend that you direct appropriate IRS officials to develop, document, and implement procedures to regularly monitor the timeliness of purchase card approvals. This should include establishing procedures and responsibility for identifying and following up on instances on non-compliance with required approval timeframes. Comments: We agree with this recommendation. AWSS updated the Purchase Card Guide (Document 9185) in February 2009 to establish required deadlines for timely reconciliation and approval of purchase card transactions. The AWSS Credit Card Services Branch monitors compliance with purchase card requirements through monthly reviews. Recommendation #11: We recommend that you direct appropriate IRS officials to revise the IRM section related to the limited use of expired appropriations to provide additional guidance to help employees distinguish between procurement actions that constitute new obligations and those that merely adjust or liquidate prior obligations that the IRS incurred during an expired appropriation's original period of availability. Comments: We agree with this recommendation. The Chief Financial Officer (CFO) will revise IRM 1.33.4, Financial Operating Guidelines, to provide additional guidance to clarify existing procedures regarding the use of expired appropriations. In addition, the CFO will issue IRM 1.35.15, Annual Close Guidelines, to establish year-end procedures for expired and closing appropriations. AWSS also will update IRM 1.32.6, Purchase Card Handbook, to provide guidance and procedures to preclude the use of expired appropriations when using a purchase card. Anticipated completion of the recommendation is September 2009. Recommendation #12: We recommend that you direct appropriate IRS officials to reiterate IRS's existing policy requiring that transactions be recorded accurately to the undelivered orders obligation accounts. Comments: We agree with this recommendation. The CFO will issue a memorandum reiterating the policy requiring that transactions be recorded accurately to the undelivered orders obligation accounts- Anticipated completion of the recommendation is June 2009. Recommendation #13: We recommend that you direct appropriate IRS officials to perform existing reviews of transactions recorded in undelivered orders obligation accounts in a more timely manner in an effort to detect and correct errors, such as duplicate receipt and acceptance charges, earlier in the process. Comments: We agree with this recommendation. In December 2008, CFO initiated weekly reviews of receipt and acceptance transactions to more timely identify and correct errors. Recommendation #14: We recommend that you direct appropriate IRS officials to establish a formal, documented process for identifying over time the full range IRS's programs and underlying activities, outputs, and services for which IRS believes full cost information would be useful to executives and program managers. Such a process should (1) be formally established and documented through policies, procedures, guidance, meeting minutes, and other appropriate means, (2) define the roles and responsibilities of the CFO and other business units in the process, and (3) be focused on the goal of determining what cost information would be useful, and the most appropriate means of developing and reporting it for both existing programs and new programs as they are initiated. Comments: We agree with this recommendation. In December 2008, the CFO Office of Cost Accounting established a Cost Users Group through which the business units identify their needs for full cost information that would be useful to executives and program managers. In addition, the Collection Governance Council and the Examination Enforcement Governance Council are working with CFO to determine relevant cost information to support oversight of their respective areas. In August 2007, CFO established a cost accounting policy regarding CFO and business unit roles and responsibilities related to managerial cost accounting. The policy will be published as IRM 1.32.3, Cost Accounting Policy. Anticipated completion of the recommendation is September 2009. Recommendation #15: We recommend that you direct appropriate IRS officials responsible for each of the IRS programs, activities, outputs, and services identified for which full cost information would be useful to IRS executives and program managers, complete the development of full cost methodologies to routinely accumulate and report on their full costs, including down to the activity level where appropriate. Such full cost data should be readily accessible to IRS program managers whenever it is needed, and should include both personnel costs based on time spent on specific activities as well as all associated non-personnel costs and be drawn from or reconcilable to IRS's financial accounting system. Comments: We agree to continue to develop full cost information for each of the areas identified by the business units and this information will be available to IRS program managers as needed. Recommendation #16: We recommend that you direct the appropriate IRS officials to develop outcome-oriented performance measures and related performance goals for IRS's enforcement programs and activities that include measures of the full cost of, and the revenue collected from, those programs and activities (return on investment) to assist IRS's managers in optimizing resource allocation decisions and evaluating the effectiveness of their activities. Comments: As we stated in our response to the GAO report, "IRS: Assessment of the 2009 Budget Request and an Update on 2008 Performance (Job Code 450651)," the IRS agrees to continue to improve the analytical tools it uses to inform its resource decisions for major enforcement programs. The IRS already uses cost/benefit analysis, return on investment, evaluation of possible future scenarios, and enterprise risk management techniques for a wide range of resource allocations decisions, such as service and enforcement initiatives included in the President's Budget. It is important to understand that return on investment is but one tool that can be used to improve resource allocation decision-making. Currently, the IRS uses a broader set of tools, such as cost/benefit analysis that incorporates a wide range of tangible and intangible costs and benefits (such as equitable coverage rates for different groups of taxpayers, enhancing respect for the law, and ensuring that disadvantaged populations of taxpayers receive adequate levels of service). It is not prudent to rely exclusively on return on investment as the sole determinant of resource allocation. [End of section] Footnotes: [1] GAO, Financial Audit: IRS's Fiscal Years 2008 and 2007 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-09-119] (Washington, D.C.: Nov. 10, 2008). [2] GAO, Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS, [hyperlink, http://www.gao.gov/products/GAO-09-136] (Washington, D.C.: Jan. 9, 2009). [3] TACs are field assistance units, located within IRS's Wage and Investment operating division, designed to serve taxpayers who choose to seek help from IRS in person. Services provided include interpreting tax laws and regulations, preparing tax returns, resolving inquiries on taxpayer accounts, receiving payments, forwarding those payments to appropriate service center campuses for deposit and further processing, and performing other services designed to minimize the burden on taxpayers in satisfying their tax obligations. These offices are much smaller facilities than service center campuses or lockbox banks, with staffing ranging from 1 to about 35 employees. [4] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999), contains the internal control standards to be followed by executive agencies in establishing and maintaining systems of internal control as required by 31 U.S.C. § 3512 (c), (d) (commonly referred to as the Federal Managers' Financial Integrity Act of 1982). [5] Service center campuses process tax returns and payments submitted by taxpayers. [6] Lockbox banks are commercial banks that operate under contract with the Treasury's Financial Management Service to provide tax receipt processing and deposit services on behalf of IRS. [7] Field offices are comprised of various units located within IRS's Small Business and Self Employed (SB/SE), Large and Mid-Size Business (LMSB), and Tax-Exempt and Government Entities (TE/GE) operating divisions that administer tax services to corporations, partnerships, small businesses, state and Indian tribal governments, major universities, community organizations, municipalities, pension funds, and individuals with certain types of nonsalary income. [8] [hyperlink, http://www.gao.gov/products/GAO-09-119]. [9] See 26 U.S.C. §§ 6651, 6654, 6655, 6662. [10] See IRM, § 20.1.2, Failure to File/Failure to Pay Penalties (Apr. 25, 2008). [11] IRS's master files contain detailed records of taxpayer accounts. There are several master files, the most significant of which are the individual master file, which contains tax records of individual taxpayers, and the business master file, which contains tax records of corporations and other businesses. [12] A taxpayer may have multiple accounts and account modules within IRS's master files. Each unique account is identified by a taxpayer identification number (i.e., social security number or an employer identification number). Each account contains unique modules identified by the specific tax period (e.g., year, quarter) and tax type (e.g., excise tax, individual tax, payroll tax, etc.). Our approach to testing penalty transactions in IRS's unpaid assessments inventory involves selecting a sample of taxpayer account modules and verifying the accuracy of all penalty calculations on each sampled account module. [13] Unpaid assessments are legally enforceable claims against taxpayers and consist of taxes, penalties, and interest that have not been collected or abated. IRS records and retains the record of all unpaid assessments made against taxpayers in the master files. [14] Failure-to-pay penalty is a penalty that IRS assesses against taxpayers when taxpayers fail to pay their outstanding tax liability by the return due date. The failure-to-pay penalty is calculated based on the amount of taxes outstanding in the taxpayer's account module, a penalty rate stipulated in the IRC and IRM, and the number of months the taxes remain unpaid. See 26 U.S.C. § 6651 and IRM § 20.1.2 (Apr. 25, 2008). The monthly FTP penalty rate generally starts at one-half of one percent (see IRM § 20.1.2.1.2). IRS may increase the monthly rate to one percent when the taxpayer fails to pay after repeated notices (see IRM § 20.1.2.6 and 20.1.2.6.1). [15] An exception to this policy occurs if the taxpayer did not file the tax return by the due date. In such situations, IRS would not reduce the FTP penalty rate to one-quarter of one percent even if the taxpayer subsequently enters into an installment agreement (see IRM § 20.1.2.8). [16] IDRS is the system that IRS uses to retrieve and adjust information in taxpayer accounts on the master files. [17] The computerized calculation and assessment of FTP penalties on taxpayer accounts is affected by many factors, including whether the taxpayer makes a payment following the tax assessment. Consequently, IRS was unable to determine whether the approximately 12,000 taxpayers meeting this situation had actually been assessed more FTP penalty than prescribed by its policies. [18] We reviewed IRS's criteria for identifying the affected taxpayers and concur that the problem was confined to those identified by IRS. Consequently, we did not project these errors to IRS's population of unpaid assessments. [19] GAO, Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-08-368R] (Washington, D.C.: Jun. 4, 2008) and GAO, Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-07-689R] (Washington, D.C.: May 11, 2007). [20] GAO, Management Report: Improvements Needed in IRS's Internal Controls, [hyperlink, http://www.gao.gov/products/GAO-05-247R] (Washington, D.C.: Apr. 27, 2005). [21] GAO, Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations, [hyperlink, http://www.gao.gov/products/GAO-08-693 (Washington, D.C.: July 2, 2008). [22] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [23] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [24] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [25] The sample population consisted of 143,341 purchase card transactions totaling $31 million. [26] We are 95 percent confident that the actual percentage of purchase card transactions not approved in a timely manner is not more that 14.3 percent. [27] The IRS Purchase Card Guide summarizes IRS policies and procedures relating to the use of the government purchase card. The procedures outlined in the guide apply to all IRS business organizations. While the guidelines may be further restricted by a business organization, the purchase card guide policies and procedures must be followed. [28] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [29] The IRS appropriations were available for obligation until the end of each respective fiscal year (September 30). The funds remain in an expired status for 5 years thereafter. 31 U.S.C. §§ 1552, 1553. [30] 31 U.S.C. § 1341. [31] 31 U.S.C. § 1501(a). The Recording Statute, which governs the proper recording of obligations, requires an agency to record an obligation of an appropriation or fund only when the agency has sufficient documentary evidence of a binding agreement with another party "executed before the end of the period of availability…for specific goods to be delivered…or work or service to be provided." [32] A binding agreement is a contract or other agreement enforceable by law. [33] 31 U.S.C. § 1502(a). The Time Statute, which underpins the bona fide needs rule, authorizes agencies to use a fiscal year appropriation only to pay for expenses "properly incurred" or contracts "properly made" during the fiscal year for which the appropriation is available. [34] FAR §§ 32.705-2, 52.232-22. The Federal Acquisition Regulation's (FAR) "limitation of funds" clause imposes a cost ceiling: the task order "specifies the amount presently available for payment by the Government and allotted to this contract." FAR § 52.232-22(b). [35] Services are severable when they can be divided into components that independently provide value to meet the agency's needs as the service is rendered. [36] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [37] See IRM, §1.33.4.4.6, which restates the Account Closing Law (31 U.S.C. § 1553). [38] See [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [39] See IRM, § 1.33.4.4.3. [40] [hyperlink, http://www.gao.gov/products/GAO-09-119]. [41] The "full cost" of a program or activity includes all the direct costs, including personnel time charges, and indirect costs, such as the allocation of overhead costs, that are applicable to the program or activity. [42] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [43] FASAB Statement of Federal Financial Accounting Standards 4: Managerial Cost Accounting Standards and Concepts, Version 7 (Washington, D. C.: June 30, 2008). [44] Statement of Federal Financial Accounting Concepts No. 1, Objectives of Federal Financial Reporting, defined "program managers" as individuals who manage federal programs, and stated that "Their concerns include operating plans, program operations, and budget execution." SFFAC No. 1, par. 85. [45] IFS is IRS's administrative accounting system, which IRS uses to facilitate its core financial management activities, including general ledger, budget formulation, accounts payable, accounts receivable, funds management, cost management, and financial reporting. IFS includes a cost module that IRS uses to facilitate the recording of cost information for financial reporting and managerial cost accounting purposes. [46] IRS defines a cost center as the lowest level at which the IRS segregates costs. Cost centers are "buckets" that capture costs where someone has control or responsibility. Each cost center has a manager and a head count and occupies space. [47] IRS's workload management systems are electronic databases that record individual employees' time charges. [48] These activities generally consist of matching reports of income paid to a taxpayer, such as reports of wages, dividends, interest, etc., to the income reported on the taxpayer's income tax filing to identify discrepancies which may indicate unpaid taxes. [49] An exception is installment agreements. As the result of an internal Treasury audit finding, IRS hired a contractor in late fiscal year 2008 to develop the cost of an installment agreement to support IRS's user fee charges. (Treasury Inspector General for Tax Administration, Installment Agreement User Fees Were Not Properly Calculated or Always Collected, 2008-40-113 (Washington, D.C.: May 2008.) [50] In fiscal year 2009, IRS created an informal cost users group with which CFO officials have worked to identify additional full cost methodology development projects. [51] [hyperlink, http://www.gao.gov/products/GAO-09-119]. [52] The term, "outcome-oriented performance metrics," refers to the measurement of the end result of a work activity or series of activities, such as the taxes collected as a result of a tax assessment and the collection actions taken by IRS employees, such as telephone calls to tax debtors. [53] [hyperlink, http://www.gao.gov/products/GAO-AIMD-00-21.3.1]; GPRA, Pub. L. No. 103-62, 107 Stat. 285 (Aug. 3, 1993). [54] GPRA, Pub. L. No. 103-62, § 4(b), 107 Stat. 285, 287 (Aug. 3, 1993) (codified, as amended, at 31 U.S.C. § 1115(a)). [55] Coverage is the term used by IRS to refer to the number of each type of case that is worked, such as individual income tax, business payroll tax, or corporate income tax. [56] GAO, Tax Debt Collection: IRS Has a Complex Process to Attempt to Collect Billions of Dollars in Unpaid Tax Debts, [hyperlink, http://www.gao.gov/products/GAO-08-728] (Washington, D.C.: June13, 2008). [57] GAO, Tax Compliance: Businesses Owe Billions in Federal Payroll Taxes, [hyperlink, http://www.gao.gov/products/GAO-08-617] (Washington, D.C.: July 25, 2008). Payroll taxes are amounts employers withhold from employees' wages for federal income taxes, Social Security, and Medicare, as well as the employer's mandatory matching contributions for Social Security and Medicare taxes. [58] Internal Revenue Service Restructuring and Reform Act of 1998, Pub. L. No. 105-206, § 1204, 112 Stat. 683, 722 (July 22, 1998) (reprinted in 26 U.S.C. § 7804 note). [59] [hyperlink, http://www.gao.gov/products/GAO-09-119]. [60] GAO, Internal Revenue Service: Fiscal Year 2009 Budget Request and Interim Performance Results of IRS's 2008 Tax Filing Season, [hyperlink, http://www.gao.gov/products/GAO-08-567] (Washington, D.C.: Mar. 13, 2008). [61] Compliance is a term used by the IRS to indicate whether a taxpayer has met its tax responsibilities by filing a timely tax return, making accurate reports on those returns, and voluntarily paying the required tax. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: