Skip to main content

Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting

GAO-19-412R Published: May 09, 2019. Publicly Released: May 09, 2019.
Jump To:

Fast Facts

Does the IRS get audited, too?

Every year we audit the IRS's financial statements. Our FY 2018 audit found new and continuing problems related to its internal controls over its financial reporting.

For instance, we found issues with how the IRS:

Accounts for taxes receivable—the money it estimates it will collect from taxes owed

Safeguards taxpayer information

Reviews suspicious and questionable tax returns

Problems like these could lead to misstatements in IRS's financial statements, as well as unauthorized access to taxpayer information.

We made 12 additional recommendations in this report to address these issues.

 

The sign outside of the Internal Revenue Service building.

The sign outside of the Internal Revenue Service building.

Skip to Highlights

Highlights

What GAO Found

During its audit of the Internal Revenue Service's (IRS) fiscal years 2018 and 2017 financial statements, GAO identified continuing control deficiencies related to IRS's accounting for federal taxes receivable and other unpaid assessments that collectively represent a significant deficiency in IRS's internal control over unpaid tax assessments as of September 30, 2018. GAO also identified new control deficiencies in IRS's internal control over financial reporting that although not considered a material weakness or significant deficiency, nonetheless, warrant IRS management's attention. These control deficiencies concern IRS's

  • nationwide strategy for safeguarding taxpayer receipts and associated information,
  • physical security policies and procedures,
  • review of visitor access logs,
  • transmission of taxpayer receipts,
  • designations of unit security representatives,
  • review of automated tax refund information prior to certification for payment,
  • review of refund schedule numbers for manual refunds, and
  • review of suspicious and questionable tax returns in Examination.

In addition, for six of the 32 recommendations from GAO's prior reports related to control deficiencies in IRS's internal control over financial reporting, GAO found that IRS implemented corrective actions during fiscal year 2018 that resolved the deficiencies, and as a result, these recommendations were closed. GAO closed one additional recommendation that related to unpaid assessments, by making a new recommendation that is better aligned with the remaining deficiencies that collectively represent a significant deficiency in internal controls over this area as of September 30, 2018. As a result, IRS currently has 37 GAO recommendations to address—the previous 25 open recommendations and the 12 new recommendations GAO is making in this report.

Why GAO Did This Study

The purpose of this report is to present those internal control deficiencies identified during GAO's audit of IRS's fiscal years 2018 and 2017 financial statements for which GAO did not already have any recommendations outstanding. This report provides new recommendations to address these internal control deficiencies and also presents the status, as of September 30, 2018, of IRS's corrective actions taken to address GAO's recommendations from its prior financial audits that remained open as of September 30, 2017.

Recommendations

GAO is making 12 recommendations to address the identified control deficiencies. These recommendations are intended to improve IRS's internal controls over financial reporting as well as to bring IRS into conformance with its own policies and Standards for Internal Control in the Federal Government. IRS stated that it is committed to implementing appropriate improvements to ensure that it maintains sound financial management practices. IRS agreed with GAO's 12 new recommendations and described planned actions to address each recommendation.

Recommendations for Executive Action

Agency Affected Recommendation Status
Internal Revenue Service We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials implement the necessary actions to effectively address the two primary causes of the significant deficiency in IRS's internal control over unpaid assessments. These actions should (1) resolve the system limitations affecting the recording and maintenance of reliable and appropriately classified unpaid assessments and related taxpayer data to support timely and informed management decisions, and enable appropriate financial reporting of unpaid assessment balances throughout the year, and (2) identify the control deficiencies that result in significant errors in taxpayer accounts and implement control procedures to routinely and effectively prevent, or detect and correct, such errors. (Recommendation 19-01)
Open
During fiscal year 2019, IRS documented the key management decisions in the design and use of the estimation process. However, IRS told us that it placed corrective actions on hold because of limited resources. As a result, we determined that IRS had not completed its corrective actions as of September 30, 2023, and that this recommendation remains open.
Internal Revenue Service
Priority Rec.
We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials document and implement a formal comprehensive strategy to provide reasonable assurance concerning its nationwide coordination, consistency, and accountability for internal control over key areas of physical security. This strategy should include nationwide improvements for (1) coordinating among the functional areas involved in physical security; (2) implementing and monitoring the effectiveness of physical security policies, procedures, and internal controls; and (3) ongoing communication in identifying, documenting, and taking corrective action to resolve underlying control issues that affect IRS's facilities. (Recommendation 19-02)
Closed – Implemented
In April 2020, IRS completed the development of its nationwide physical security strategy. By March 2021, IRS finished establishing the framework to implement the strategy, which provided reasonable assurance concerning IRS's nationwide coordination, consistency, and accountability for internal control over key areas of physical security. For example, as part of its strategy, IRS implemented (1) a process to ensure that functional areas, such as policy and operations organizations, coordinate to develop and update physical security policy; (2) a mechanism to track the completion of critical security deliverables across facilities to monitor compliance with policies and ensure the effectiveness of internal controls; and (3) a Quality Assurance office to ensure ongoing communication in identifying, documenting, and taking corrective action to resolve underlying control issues that affect the security of IRS's facilities. IRS's actions addressed the recommendation.
Internal Revenue Service The Commissioner of Internal Revenue should ensure that appropriate IRS officials determine the reasons staff did not consistently comply with IRS's existing requirement for maintaining an emergency contact list at all of its facilities and, based on this determination, establish a process to enforce compliance with the requirement. (Recommendation 19-03)
Closed – Implemented
In fiscal year 2019, the Facilities Management and Security Services (FMSS) used a questionnaire survey to determine the reasons for staff not consistently complying with existing requirements to maintain emergency contact lists. During fiscal year 2020, FMSS developed a process based on feedback obtained from physical security specialists and security section chiefs in response to the questionnaire survey. The process established by IRS, which is documented in their Standard Operating Procedures, includes requirements for designated FMSS employees to develop and review the emergency contact lists for all IRS facilities on an annual basis, or as needed, and document these reviews in a SharePoint site. IRS's actions sufficiently address our recommendation.
Internal Revenue Service The Commissioner of Internal Revenue should ensure that appropriate IRS officials establish and implement policies and procedures requiring that corrective actions be documented in the Alarm Maintenance and Testing Certification Report for malfunctioning alarms identified in the annual alarm tests. (Recommendation 19-04)
Closed – Implemented
During fiscal year 2021, IRS updated policies in the IRM and related procedures for completing the ACR (formerly Alarm Maintenance and Testing Certification Report) within IRS's new automated tool. During our fiscal year 2022 review of ACRs, we found no exceptions to IRS's implementation of the updated policies and procedures for completing the ACR. As a result, we concluded that IRS's corrective actions as of September 30, 2022, were adequate to close this recommendation.
Internal Revenue Service The Commissioner of Internal Revenue should ensure that the appropriate IRS officials establish and implement policies or procedures, or both, to provide reasonable assurance that the video surveillance systems at all IRS facilities record activity at the correct time and are properly secured. The policies or procedures should include periodic checks and adjustments, as needed, as part of the annual service and maintenance of security equipment and systems. (Recommendation 19-05)
Closed – Implemented
In fiscal year 2020, IRS updated policies in the Internal Revenue Manual (IRM) and related procedures requiring the completion of annual maintenance of video surveillance systems (VSS) at IRS facilities to reasonably assure that (1) VSSs are operational, recording activity at the correct time, and properly secured and (2) any related corrective actions and completion dates are properly documented and monitored. In fiscal year 2021, IRS updated policies in the IRM and related procedures for completing annual maintenance of the VSSs within IRS's automated tool, to further ensure consistent and timely completion. During our testing in fiscal year 2021, we reviewed documentation evidencing the annual maintenance of VSSs at three IRS facilities and found no exceptions related to this control. As a result, we concluded that IRS's corrective actions as of September 30, 2021, were adequate to close this recommendation.
Internal Revenue Service We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the review is to be conducted, and (3) how the review should be documented. (Recommendation 19-06)
Closed – Implemented
During fiscal year 2022, IRS revised its procedures further to better clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the reviews are to be conducted, and (3) how the review should be documented. During our fiscal year 2022, we reviewed the April and May Computer Room Visitor Access Logs. We found no exceptions to IRS's implementation of these updated procedures. As a result, we concluded that IRS's corrective actions as of September 30, 2022, were adequate to close this recommendation.
Internal Revenue Service We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials (1) identify the reason IRS's policies and procedures related to the transmittal forms were not always followed and (2) design and implement actions to provide reasonable assurance that SB/SE units comply with these policies and procedures. (Recommendation 19-07)
Closed – Implemented
In October 2019, the SB/SE Field Collection organization determined that the reasons the policies and procedures related to the transmittal forms were not always followed were either a lack of understanding of the requirements or a lack of consistency in adhering to them. In response, the SB/SE Field Collection organization distributed a memorandum to its area directors, territory managers, and group managers. The memorandum reminded them of the required remittance processing procedures, emphasized the importance of following the procedures, and requested that they further distribute the information in the memorandum within their organizations. IRS officials stated that the memorandum will help assure that SB/SE Field Collection units comply with the policies and procedures related to the transmittal forms. In addition, in July 2020, the SB/SE Examination organization updated the IRM to clarify and supplement the service-wide guidance for the appropriate control, monitoring, and review of the transmittal forms. During our fiscal year 2022 testing of SB/SE remittance processing procedures, we found no exceptions to IRS's implementation of the updated policies related to transmittal forms. As a result, we concluded that IRS's corrective actions as of September 30, 2022, were adequate to close this recommendation.
Internal Revenue Service We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to clearly define the roles and responsibilities of second-level managers and IDRS security account administrators for validating the information on USR designation forms, including specifying how the information should be validated. (Recommendation 19-08)
Closed – Implemented
During fiscal year 2021, IRS updated the job aid for processing USR designation forms to include procedures for second-level managers and IDRS security account administrators to validate information on the USR designation forms. During our fiscal year 2022 review of IRS's updated job aid and testing of USR designation forms, we found no exceptions to IRS's implementation of these updated procedures. As a result, we concluded that IRS's corrective actions as of September 30, 2022, were adequate to close this recommendation.
Internal Revenue Service We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement procedures to clearly specify the tax refund data elements that PVS COs are required to verify before certifying the tax refunds in SPS. (Recommendation 19-09)
Closed – Implemented
During fiscal year 2020, we verified that the Information Technology organization established and implemented procedures to clearly specify the tax refund data elements that certifying officers (CO) are required to verify before certifying tax refunds in the Secure Payment System (SPS). Specifically, the procedures require that COs verify (1) the total number and amount of tax refund payments in SPS against supporting documentation and (2) that Service Center Numbers within the Refund Schedule Numbers are correct. IRS's actions sufficiently address our recommendation.
Internal Revenue Service The Commissioner of Internal Revenue should ensure that the appropriate IRS officials establish and implement a review process to provide reasonable assurance that the RSNs that Data Conversion key entry operators enter into the ISRP system and post to the master files are correct. (Recommendation 19-10)
Closed – Implemented
During fiscal year 2020, IRS established a process to review the information from manual refund forms entered into the Integrated Submission and Remittance Processing (ISRP) system. Specifically, the new process requires that all fields on the forms, including the Refund Schedule Numbers (RSN), be entered into the ISRP system twice; once during original entry, and again by a separate data entry clerk to identify and correct any discrepancies. As part of our audit, we verified that the RSNs on the manual refund forms we reviewed were correctly entered into the system. IRS's actions sufficiently address our recommendation.
Internal Revenue Service The Commissioner of Internal Revenue should ensure that the appropriate IRS officials implement a validity check in the ISRP system to confirm that RSNs that Data Conversion key entry operators enter into the system have the required 14 digits. (Recommendation 19-11)
Open
During fiscal year 2022, IRS implemented programming changes to ISRP that restricted the input of each individual character of the 14-character RSN. However, during our fiscal year 2023 testing, we continued to find that Data Conversion key entry operators can enter RSNs into the ISRP system with fewer than the required 14 digits. As a result, we determined that IRS had not completed its corrective actions as of September 30, 2023, and that this recommendation remains open.
Internal Revenue Service We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to require that reviewers follow up with tax examiners to verify the errors that tax examiners made in working on cases related to suspicious or questionable tax returns are corrected. (Recommendation 19-12)
Closed – Implemented
In March 2020, IRS updated its IRM to require that reviewers follow up with tax examiners to verify that errors tax examiners made while working cases are corrected. The updated IRM includes policies and procedures for managers and leads to (1) document all cases that are reviewed; (2) track errors found in case reviews; and (3) follow up with tax examiners to ensure that the errors identified have been corrected. During fiscal year 2022, we observed tax examiners working on cases related to suspicious or questionable tax returns. We found no exceptions to IRS's implementation of these updated procedures. As a result, we concluded that IRS's corrective actions as of September 30, 2022, were adequate to close this recommendation.

Full Report

GAO Contacts

Cheryl E. Clark
Director
Financial Management and Assurance

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Accounting standardsFinancial reportingFinancial statementsInternal controlsPolicies and proceduresUnpaid taxesCorrective actionInformation resources managementTaxpayersData errors