Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls and Operating Effectiveness
Highlights
In November 2010, we issued our report on the results of our audit of the financial statements of the Internal Revenue Service (IRS) as of, and for the fiscal years ending, September 30, 2010, and 2009, and on the effectiveness of its internal control over financial reporting as of September 30, 2010. We also reported our conclusions on IRS's compliance with selected provisions of laws and regulations and on whether IRS's financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act of 1996. In March 2011, we issued a report on information security issues identified during our fiscal year 2010 audit, along with associated recommendations for corrective actions. The purpose of this report is to present internal control issues identified during our audit of IRS's fiscal year 2010 financial statements for which we do not already have any recommendations outstanding. While two of these issues contributed to a significant deficiency in internal control discussed in our report on the results of our fiscal year 2010 financial statement audit, they all warrant IRS management's attention. This report provides 29 recommendations to address the internal control issues we identified. We will issue a separate report on the status of IRS's implementation of the recommendations from our prior IRS financial audits and related financial management reports, as well as this one.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to put procedures in place to periodically monitor the effectiveness of the new FTHBC validity checks for the duration of the filing of FTHBC claims to verify that they are working as intended. |
During our fiscal year 2012 audit, we verified that IRS officials put procedures in place to peridically monitor the effectiveness of the new FTHBC validity checks for the duration of the filing of FTHBC claims to ensure they are working as intended.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to establish a mechanism to enforce the existing requirement for appropriate managers to immediately notify the manual refund units of any personnel changes affecting the approval or processing of manual refunds. This may be accomplished through mechanisms such as issuing periodic alerts, providing training, having the manual refund unit perform quarterly validations of the list of manual refund approving officials, or a combination of these. |
IRS incorporated a procedural change in the Internal Revenue Manual requiring quarterly reviews to validate changes to the lists of officials authorized to approve manual refunds. During our FY 2012 audit, we verified the validated reviews of the list of officials authorized.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to send out a reminder to all staff to follow policies and procedures for obtaining approval and funding of proposed purchases prior to entering into an agreement with vendors. |
During our fiscal year 2011 audit, we verified that IRS sent out a reminder to remind staff to obtain approval and funding prior to entering into an agreement with vendors. Furthermore, we did not identify any instances in which IRS entered into an agreement without first obtaining approval and funding for the purchase during our detailed testing of fiscal year 2011 nonpayroll expenses.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to establish formal written procedures requiring staff to review purchase contract terms against the goods and services received to date before requesting additional goods or services. |
In June 2013, IRS issued a memorandum to its procurement staff as part of IRS's procurement policies that requires staff to review purchase contract terms against the goods and services received to date before requesting additional goods or services. Specifically, the memorandum reiterated principles, policies, and procedures, which required staff to know the quantity and other ceiling limits on their respective contracts and orders and to not exceed those limits unless the contract or order is appropriately modified increasing those limits.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to establish procedures to centrally review and monitor the timeliness of personnel action requests and approvals to help ensure compliance with the IRM and applicable OPM regulations and guidance. |
During fiscal year 2014, IRS established review and monitoring procedures to centrally monitor the timeliness of personnel action requests and approvals. IRS also issued an Employment Operations alert to documents its procedures to review, monitor, and analyze timeliness of personnel action requests.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to adopt the local field office's timekeeping procedures or similar procedures for entering and verifying the accuracy of time and attendance information entered into Single Entry Time Reporting System (SETR) throughout IRS for use by all units in which employees do not enter their own time charges directly to SETR. |
The revised SOP states that business units may develop local office timekeeping procedures for entering and verifying the accuracy of time and attendance information entered into SETR if employees do not enter their own time. However, regardless of the specific procedures established, managers are now responsible for ensuring that the time entered in SETR for both weeks of the pay period for employees that do not enter their own time into SETR matches the source document prior to validating and electronically signing the employee's SETR timecard.
|
Internal Revenue Service | The Commissioner of the IRS should further revise your detailed procedures for implementing the requirement to validate the appropriateness of NFC programming changes after such changes are made. These revisions should (1) clarify the criteria for determining what programming changes will be subject to validation, (2) identify officials responsible for making and documenting these determinations, and (3) require postimplementation statistical sampling from a targeted population that consists of employees who are most likely to be affected by the NFC programming change. |
We reviewed IRS's revised SOP and verified that it clarifies the criteria for determining which program changes are subject to validation and identifies the officials responsible for making these determinations. Furthermore, the revised SOP establishes guidelines for post-validation random sample testing from the population affected by the programming change.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to take steps to effectively implement procedures at BFC requiring cash receipts to be immediately logged under dual control when first discovered in the mail room. |
During our fiscal year 2011 audit, we verified that IRS effectively implemented procedures at the Beckley Finance Center requiring cash receipts to be immediately logged under dual control when first discovered in the mail room.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to take steps to effectively implement procedures at BFC requiring mail room staff to maintain custody of the control log at all times. |
During our fiscal year 2011 audit, we verified that IRS effectively implemented procedures at the Beckley Finance Center requiring mail room staff to maintain custody of the control log at all times.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to take steps to effectively implement procedures at BFC requiring the amount of cash receipts initially discovered in the mail room to be independently reconciled to the amount deposited and recorded in the general ledger. |
During our fiscal year 2011 audit, we verified that IRS effectively implemented procedures at the Beckley Finance Center requiring the amount of cash receipts initially discovered in the mail room to be independently reconciled to the amount deposited and recorded in the general ledger.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to perform a review of all existing contracts under $100,000 that (1) do not have an appointed contracting officer's technical representative (COTR) and (2) do not require that contract employees obtain background investigations to assess whether the services performed under each contract warrant a requirement that contract employees obtain background investigations. |
During fiscal year 2015, IRS performed a review of existing contracts to assess whether the services performed under each contract warrant a requirement that contract employees obtain background checks; however, the review excluded interagency agreement contracts. During fiscal year 2016, IRS completed its review of interagency agreements to determine whether the services performed under each contract warrant the contracts to be modified to require background investigations on contract employees. IRS's actions sufficiently address our recommendation.
|
Internal Revenue Service | Based on a review of all existing contracts under $100,000 without an appointed COTR that should require contract employees to obtain favorable background investigation results, the Commissioner of the IRS should direct the appropriate IRS officials to amend those contracts to require that favorable background investigations be obtained for all relevant contract employees before routine, unescorted, unsupervised physical access to taxpayer information is granted. |
During fiscal year 2019, we reviewed IRS contracts meeting the criteria of our recommendation and determined that IRS required all relevant contract employees to obtain favorable background investigations before routine, unescorted, unsupervised physical access to taxpayer information was granted. IRS's actions sufficiently address our recommendation.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to establish a policy requiring collaborative oversight between IRS's key offices in determining whether potential service contracts involve routine, unescorted, unsupervised physical access to taxpayer information, thus requiring background investigations, regardless of contract award amount. This policy should include a process for the requiring business unit to communicate to the Office of Procurement and the Human Capital Office the services to be provided under the contract and any potential exposure of taxpayer information to contract employees providing the services, and for all three units to (1) evaluate the risk of exposure of taxpayer information prior to finalizing and awarding the contract and (2) ensure that the final contract requires favorable background investigations as applicable, commensurate with the assessed risk. |
During fiscal year 2019, the Office of Procurement, Human Capital Office, and Facilities Management and Security Services established a policy requiring collaborative oversight for ensuring any individuals who require routine, unescorted physical access to taxpayer information obtain favorably adjudicated background investigation results. Specifically, the policy designates responsibilities for (1) identifying and communicating the need for individuals to be given routine, unescorted physical access to taxpayer information; (2) assessing applicable position related risks; (3) completing investigative background screening procedures applicable to determined position-related risk; (4) adjudicating background investigation results; and (5) maintaining documentation to support granting access to taxpayer information, as necessary. IRS's actions sufficiently address our recommendation.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to establish procedures to provide a consistent methodology for calculating and establishing allowable deposit courier trip time limits to be used by both SCCs and lockbox banks that would assist in detecting potential unauthorized stops or other contractual violations for deposit couriers. Such procedures should include instructions for documenting and supporting how the trip limits were determined and require justification and approval for all established time limits that exceed the average trip time. |
For service center campuses (SCC), IRS established a consistent methodology for calculating and establishing allowable deposit courier trip time limits. In addition, IRS performs surveillance of the couriers at least annually as part of its unannounced security reviews to monitor and detect potential unauthorized stops or other contractual violations. For lockbox banks, IRS updated the methodology for determining allowable deposit courier trip times and requires, at minimum, a quarterly observation of couriers transporting IRS lockbox deposits or taxpayer information. IRS's actions sufficiently address our recommendation.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to establish procedures to require periodic reassessments of, and updates to, deposit courier allowable trip time limits to account for changes in courier routes or other conditions that may affect trip times. |
In response to our recommendation, IRS took action to update IRM 3.8.45 Manual Deposit Process, to include procedures to reassess service center campus deposit courier trip times during unannounced security reviews or whenever there is a change in depository location. In addition, IRS updated LSG 2.16, which requires lockbox banks to perform an annual detailed analysis to establish acceptable courier timeframes.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to enforce existing contractual requirements for the cargo doors of contract courier vehicles to be locked after picking up taxpayer information. |
On April 6, 2012, IRS updated the IRM to require monthly reviews of the shipping and receiving processes and random on-site reviews to ensure that vehicles' cargo doors are locked prior to delivery and upon receipt of pipeline work from one facility to the other. In addition, during our fiscal year 2013 audit, we verified that Real Estate and Facilities Management staff conducted random monthly reviews of its contract courier routes to ensure that couriers were locking cargo doors.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to establish procedures to prevent or detect unauthorized access to taxpayer information in contract courier vehicles during transit. These procedures should detail specific activities to be performed by both the business units sending and receiving the information transported by the contract courier. |
On April 6, 2012, IRS updated the IRM to require monthly reviews of the shipping and receiving processes and random on-site reviews to ensure that vehicles' cargo doors are locked prior to delivery and upon receipt of pipeline work from one facility to the other. In addition, during our fiscal year 2013 audit, we verified that Real Estate and Facilities Management staff conducted random monthly reviews of its contract courier routes to ensure that couriers were locking cargo doors.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to revise the guidance for conducting the periodic reviews of the contract couriers transporting taxpayer information from one IRS processing facility to another to include procedures for (1) physically verifying that courier vehicle cargo doors are locked after picking up this information and remain locked during transit to the final destination and (2) documenting the basis for the reviewer's conclusions. |
On April 6, 2012, IRS updated the IRM to require monthly reviews of the shipping and receiving process and random on-site reviews to ensure that vehicles' cargo doors are locked prior to delivery and upon receipt of pipeline work from one facility to the other. Specifically, the IRM requires the monthly reviews to be documented, initialed and dated by the reviewer, and maintained on file for no less than 1 year. In addition, any discrepancies identified during the review should be reported to the headquarters IRM analyst within 2 business days after the review has been conducted. During our fiscal year 2013 audit, we verified that Real Estate and Facilities Management conducted and documented random monthly reviews of its contract courier routes to ensure that couriers were locking cargo doors.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to revise the Internal Revenue Manual (IRM) to include a comprehensive process that Small Business/Self-Employed Division (SB/SE) unit managers should follow when performing reviews of the document transmittal process for determining whether staff are (1) maintaining control copies of document transmittal forms, (2) reconciling all document transmittal forms on a biweekly basis to ensure that all transmittals were received, and (3) following up on transmittals that are not timely acknowledged. |
In response to our recommendation, in December 2011, IRS published the update to IRM 1.4.50-Collection Group Manager, Territory Manager and Area Director Operational Aid. This revision includes provisions that management should take to determine whether their staff are: (1) maintaining control copies of document transmittal forms, (2) reconciling all document transmittal forms on a biweekly basis to ensure that all transmittals were received, and (3) following up on transmittals that are not timely acknowledged.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to include specifying minimally acceptable steps SB/SE unit managers should follow in documenting the results of required reviews of the document transmittal process. |
In response to our recommendation, in December 2011, IRS updated IRM 1.4.50, Collection Group Manager, Territory Manager, and Area Manager Director Operational Aid. This includes minimum steps for Small Business/Seld Employed unit managers to follow in their reviews of the document transmittal process.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to define and specify in the IRM what types of IRS facilities constitute a processing facility. |
We verified that the IRM was updated to reflect the inclusion of off-site campus locations with Receipt and Control and submission processing type functions under the two-year compliance review requirement.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to perform an assessment of the off-site processing facilities to determine the frequency with which compliance reviews should be performed for these locations commensurate with the specific operational activities performed and the assessed level of risk associated with the facility. |
IRS performed an assessment of the off-site processing facilities. As a result of that assessment and our recommendation, IRS determined compliance reviews for off-site campus locations with Receipt and Control and submission processing type functions should be performed on a recurring basis every two years - the same frequency as processing and computing center facilities.
|
Internal Revenue Service | Based on the results of an assessment of off-site processing facilities that process taxpayer receipts and related taxpayer information, the Commissioner of the IRS should direct the appropriate IRS officials to revise the IRM to specify the frequency with which compliance reviews should be performed at these facilities. |
IRS performed an assessment of the off-site processing facilities. As a result of that assessment and our recommendation, IRS updated IRM 10.2.2 to require recurring compliance reviews every two years for off-site campus locations with Receipt and Control and submission processing type functions.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to revise the post orders for the service center campuses (SCC) and lockbox bank security guards to include specific procedures for timely reporting exterior lighting outages to SCC or lockbox bank facilities management. These procedures should specify (1) whom to contact to report lighting outages and (2) how to document and track lighting outages until resolved. |
IRS officials indicated that effective December 2019, the security guard services at IRS facilities are provided by the Department of Homeland Security's Federal Protective Service (FPS). During fiscal year 2020, IRS revised its policy to complement the terms of the FPS contract, which requires security guards to report lighting outages and items needing repair, among other conditions. Specifically, IRS updated their Standard Operating Procedures for the tracking and reporting of security deficiencies, including lighting outages, to specify (1) whom security guards are to contact to report lighting outages and (2) how Facilities Management and Security Services employees need to document, monitor, and resolve the lighting outages. IRS's actions sufficiently address our recommendation.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to revise the nature and scope of the SCCs' and lockbox banks' physical security reviews to include periodic after dark assessments of physical security controls. |
In January 2013, IRS revised the Audit Management Checklist to include periodic after-dark assessments of physical security controls and verification that guards are properly reporting lighting outages.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to take steps to effectively implement the procedures requiring property staff to verify that the asset purchase price shown in the Asset Management Report agrees with the asset purchase price shown in IFS and to resolve any variances before entering the information into Information Technology Asset Management System (ITAMS). |
In fiscal year 2011, IRS revised its operating procedures to require that property staff conduct research to ensure that the price of an asset on the Asset Management Report agrees with the price listed in IFS and resolve any variances before uploading an asset into its new property management system. During our fiscal year 2012 audit, we verified that procedures were effectively implemented.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to finalize procedures requiring that copier hard drives be removed and destroyed or otherwise appropriately cleaned before disposing of copiers. |
During our fiscal year 2011 audit, IRS finalized procedures requiring that copier hard drives be removed and destroyed or properly cleaned prior to disposal.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to revise the IRM to incorporate the new copier disposal procedures that require that copier hard drives be removed and destroyed or otherwise appropriately cleaned before disposing of copiers. |
During our fiscal year 2011 audit, IRS revised its IRM to incorporate the new copier disposal procedures. The IRM now includes guidance for removing and destroying or otherwise appropriately cleaning copier hard drives before disposing of copiers.
|
Internal Revenue Service | The Commissioner of the IRS should direct the appropriate IRS officials to issue a memorandum to all business units reminding them that only designated Real Estate Facilities Management (REFM) staff are authorized to dispose of copiers. |
During our fiscal year 2011 audit, IRS issued a memorandum to all business units. The memorandum reminds business units that the disposal of copiers must be coordinated through REFM.
|