Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations

Over the past several years, IRS reviewed the results of its unpaid tax assessments compensating statistical estimation process, identified and documented instances where limitations with the CDDB classification program resulted in misclassifications of account balances, and analyzed this information to identify programming changes to CDDB. In March 2014, IRS provided documentation showing the results of its analysis. IRS's actions sufficiently address our recommendation.

Over the past several years, IRS reviewed the results of its unpaid tax assessments compensating statistical estimation process, identified and documented instances where limitations with the CDDB classification program resulted in misclassifications of account balances, and analyzed this information to identify programming changes to CDDB. In March 2014, IRS provided documentation that it completed implementation of all planned programming changes to CDDB in November 2013. According to IRS, it will address any remaining system limitations affecting its classification of unpaid assessment balances through the implementation of the Custodial Accounts Data Engine 2. IRS's actions sufficiently address our recommendation.

In fiscal year 2015, IRS developed a long-term action plan to address the unpaid assessments material weakness. This plan identifies and documents (1) the specific system and control deficiencies that result in errors in taxpayer accounts and inaccurate classification of unpaid assessments amounts, (2) the actions IRS needs to take to address each related deficiency, and (3) the IRS organizational units that need to be involved in the actions. IRS's actions sufficiently address our recommendation.

Over the years, IRS has devoted significant resources to addressing internal control weaknesses that result in inaccuracies or errors and materially affect the financial reporting of unpaid assessments, and IRS has implemented control procedures to routinely prevent or detect and correct such errors. Specifically, IRS has taken steps to address the causes of data errors, including (1) enhancing its capability to accurately report balances owed that arise as a result of complex assessment situations and (2) implementing a number of quality control reviews to timely monitor, identify, and correct errors that affect taxpayer accounts at the transaction level. During fiscal year 2018, IRS continued to improve internal controls over the management and reporting of unpaid assessments, including implementing the recommendations of an internal task force to address related data quality concerns. In addition, IRS made progress in completing its long-term corrective action plan for resolving these control weaknesses by employing several programming changes for systemically classifying unpaid assessments more accurately. These efforts have yielded positive results over the years, and the magnitude of errors identified through IRS's unpaid assessments statistical estimation process has materially decreased. Furthermore, during our fiscal year 2018 testing of unpaid assessments, we did not find errors substantial enough to cause material inaccuracies in the reported balances. IRS's actions sufficiently address the intent of our recommendation. To provide a recommendation that is better aligned with the remaining control deficiencies in this area that represent a significant deficiency as of September 30, 2018, we have closed this recommendation and included a new recommendation in report number GAO-19-412R under Accounting for Federal Taxes Receivable and Other Unpaid Assessments.

We verified that IRS revised its Internal Revenue Manual to provide specific requirements for supervisors to review the accuracy of credit transactions related to trust fund recovery penalty payments processed through the Automated Trust Fund Recovery system.

We verified that IRS formalized and implemented quarterly reviews of trust fund recovery penalty payment transactions to monitor compliance with the Internal Revenue Manual requirements.

We verified that IRS developed procedures to analyze the results of its quarterly trust fund recovery penalty payment transaction reviews to identify specific factors causing errors.

We verified that IRS developed procedures to address the factors causing errors in the processing of trust fund recovery penalty payment transactions.

IRS revised its methodology for extracting the pre-posted revenue component of its general ledger to master files comparison. This revised methodology appropriately ensures that non-tax revenues and tax revenue transactions already posted to the master files are properly excluded.

On December 21, 2010, IRS updated the desk procedures governing the general ledger to master files comparison to ensure that it reflects the most current process and controls. In addition, we were informed by CFO officials that these procedures would be revisited periodically to ensure they remain current.

IRS agreed with GAO's recommendation and revised the cost allocation desk guide on January 29, 2010, to better document the cost allocation process. We reviewed IRS's revised cost allocation desk guide and noted that it now contained work instructions/job aids that included key processing steps, key sources of input data, and controls to ensure reliability throughout the cost allocation process.

We verified that IRS revised the Internal Revenue Manual to include procedures for Central Insolvency Operation to timely provide acknowledgment of receipt for Form 3210 related to duplicate refund transcripts to the service center campuses.

We verified that IRS revised the Internal Revenue Manual to include procedures for verifying acknowledgments received from Central Insolvency Operation for duplicate refund transcripts at service center campuses.

We verified that IRS revised the Internal Revenue Manual to include procedures to resolve instances in which acknowledgment of receipt for a Form 3210 has not been received.

We verified that IRS updated the Internal Revenue Manual and the Lockbox Document Transmittal form instructions to require service center campuses to acknowledge unprocessable items with receipts received from lockbox banks.

In January 2012, IRS updated the Lockbox Processing Guidelines to require banks to retain all lockbox document transmittals and acknowledgments for a 1-year period. The banks are to have these documents available for review upon request. The update also requires the banks to call IRS if the faxed acknowledgment is not received by a specified time.

In 2014, IRS revised the data collection instrument and instructions used in its unannounced reviews of SCCs and lockbox banks to include instructions for the reviewer to address the timely acknowledgment of Lockbox Document Transmittal (LDT) forms, which are used to transmit unprocessable items with receipts. IRS stated that it will continue to enforce the LDT requirements by conducting internal control quality reviews at lockbox sites and following up on the results. Also, IRS stated that it performs monthly managerial reviews to reasonably assure that transmittals are acknowledged and tracked and appropriate actions are taken for any discrepancies noted. In addition, IRS enhanced its safeguards for shipping unprocessable items with receipts by requiring the use of tamper-resistant bags. IRS's actions sufficiently address our recommendation.

On November 29, 2010, IRS's Agency-Wide Shared Services Physical Security and Emergency Preparedness (PSEP) revised the physical security audit management checklist (AMC) assessment questions to more clearly identify which questions were relevant to the type of IRS facility being reviewed. During our fiscal year 2011 financial statement audit, we reviewed the 2011 AMC and verified that each assessment question clearly noted the type of IRS facility to which the question applied.

On November 29, 2010, IRS's Agency-Wide Shared Services Physical Security Emergency Preparedness (PSEP) incorporated instructions for completing the audit management physical security checklist and included them in the revision for use during calendar year 2011. We verified during our fiscal year 2011 financial statement audit that the PSEP audit management physical security checklist contained a detail set of instructions for completing the checklist.

On December 15, 2010, IRS's Territory Managers certified to their Area Directors that all physical security specialists had received Audit Management Checklist training. During our fiscal year 2011 financial statement audit, we verified that IRS conducted training for all Physical Security Specialists responsible for the completion of the Audit Management Checklist.

On July 27, 2010 IRS's Physical Security and Emergency Preparedness (PSEP) revised its Standard Operating Procedures (SOP) 09-0011 to establish a minimum frequency for completing the physical security audit management checklist (AMC) at service center campuses and field office locations. During our fiscal year 2011 financial statement audit, we reviewed the physical security AMC and verified that service center campuses are required to complete the checklist on a quarterly basis, while field offices and other IRS locations must complete the checklist when visited for compliance reviews, risk assessments, or other physical security related reviews.

On July 27, 2010, IRS's Physical Security and Emergency Preparedness (PSEP) office modified the PSEP Standard Operating Procedure (SOP) 09-0011, PSEP Audit Activity Management Program, requiring documented managerial reviews of completed physical security audit management checklists. During our fiscal year 2011 financial statement audit, we verified that IRS's PSEP office did modify the physical security audit management checklist policy requiring documented managerial reviews of completed physical security audit management checklist to include (1) the time and date of the review, (2) the name of the manager performing the review, (3) the supporting documentation reviewed, (4) any problems identified with the responses on the checklists, and (5) corrective actions to be taken.

We verified that IRS reviewed the TSRRD questions for clarity and as a result revised several of them in January 2011.

IRS included guidance on how to use the taxpayer assistance centers (TAC) Security and Remittance Review Database (TSRRD) in the 2010 and 2011 Filing Season Readiness (FSR) Workshop and TAC managers certified to their Territory Managers on January 14, 2011 that they had completed this training. In addition, we did not identify any TAC managers during our FY 2011 internal control testing visits who had not received this training.

In January 2011, IRS revised the Internal Revenue Manual (IRM) to require that territory managers review the information input by group managers into the TAC Security Remittance Review Database (TSRRD) prior to sending it to Field Assistance headquarters. During our fiscal year 2011 financial statement audit, we reviewed the IRM and verified it requires a documented Territory Manager review of information input by group managers into TSRRD, including the Territory Manager's signature, date of review, problems addressed, and corrective actions planned.

In December 2014, IRS established Policy and Procedures (P&P) 24.1, Information Protection and Security Awareness Training Requirements, which requires all IRS contractors who are provided unescorted access to IRS facilities, sensitive but unclassified information or information systems, or a combination of these to complete security awareness training. During subsequent discussions with IRS officials, we were informed that these requirements only apply to IRS contractors - personnel contracted through IRS Procurement or through contracts administered by IRS Contractor Security Management, and do not apply to non-IRS contractors - personnel who have unescorted access to IRS facilities but are under contract with other federal entities or privately owned entities. As a result, GAO has issued new recommendations to address the deficiencies related to non-IRS contractors in its May 2015 management report (see GAO-15-480R).

In December 2010, IRS designated management responsibility and established a process for monitoring compliance with and enforcing the Internal Revenue Manual training requirement for all service center campus Unit Security Representatives (USR). IRS completed its review of the initial and refresher USR training course content and implemented a revised refresher course on the Enterprise Learning Management System for all USRs. IRS also developed and implemented a reporting capability to identify USRs that fail to comply with the initial and annual training requirements. In January 2011, IRS began distributing the monthly reports on non-compliance to the USR managers. We verified that IRS established a process for monitoring compliance with USR training requirements and designated management to enforce compliance.

On December 15, 2009, IRS updated its USR training manuals and during our fiscal year 2010 audit, we found that they reflected current requirements.

IRS indicated that it performs a review of USR training courses at least annually and, if required, updates the training course and materials. In December 2010, IRS completed its review of the initial and refresher USR training course content and implemented a revised refresher course on the Enterprise Learning Management System for all USRs. We verified that IRS included language in the IRM that requires review of the USR training materials at least annually by the end of each calendar year to ensure they reflect current security policies and procedures.

We verified that IRS has established procedures for business units to monitor their progress in complying with mandatory briefing requirements. In addition, we verified that in fiscal year 2011, IRS distributed various completion statistics of mandatory briefing requirements to designated business unit points of contact, including Human Resource directors.

We confirmed that IRS updated the Receipt and Acceptance Handbook in March 2010 to include the requirement to obtain and retain documentation to support receipt and acceptance before entering the acknowledgment in WebRTS. However during our fiscal year 2010 audit, we found eight instances in which the contracting officer's technical representative did not either obtain or retain written documentation confirming receipt of the service from the end user prior to entering receipt and acceptance. Of these eight instances, three occurred following IRS's update to its guidance. Consequently, while we are closing this recommendation for the action taken, we have made two new recommendations under GAO-12-683R to help improve staff compliance with the requirement.

IRS agreed with GAO's recommendation and stated that it issued a Web Request Tracking System (WebRTS) broadcast e-mail to all WebRTS users on June 2, 2010, to reinforce the use of the receipt and acceptance final flag to ensure timely closure of obligations. During the FY 2010 financial audit, GAO reviewed the WebRTS broadcast e-mail message and noted that it does reinforce the use of the receipt and acceptance final flag to ensure timely closure of obligations.

IRS agreed with GAO's recommendation and stated that it has revised the aging criteria for the fiscal year 2010 Aging Unliquidated Obligation reviews from 300 days to 240 days to review a broader scope of unliquidated obligations sooner. During the FY 2010 financial audit, GAO confirmed that IRS (1) re-evaluated the aging criteria for AUO reviews and (2) revised the aging criteria for obligations from over 300 days to over 240 days.

IRS agreed with GAO's recommendation and stated that it (1) revised its process for manually linking obligations, updated the related procedures, and provided additional training to technicians and supervisors in October 2009 and (2) revised its processes in March 2010 to include a second level review of all linked obligations at the time of the actual linking. During the FY 2010 financial audit, GAO reviewed the updated policies and procedures, evaluated the design and operating effectiveness of related IRS controls, and confirmed IRS's stated actions. GAO did not find any exceptions that were related to this issue during the FY 2010 and FY 2011 financial audits.

IRS agreed with GAO's recommendation and stated that it (1) revised its process for manually linking obligations, updated the related procedures, and provided additional training to technicians and supervisors in October 2009 and (2) revised its processes in March 2010 to include a second level review of all linked obligations at the time of the actual linking. During the FY 2010 financial audit, GAO reviewed the updated policies and procedures, evaluated the design and operating effectiveness of related IRS controls, and confirmed IRS's stated actions. GAO did not find any exceptions that were related to this issue during the FY 2010 and FY 2011 financial audits.

IRS agreed with GAO's recommendation and updated its cost allocation desk guide on January 29, 2010 and the Internal Revenue Manual (IRM) relating to Managerial Cost Accounting on June 8, 2010, to require appropriate segregation of duties within the cost allocation process. We reviewed the revised IRM and cost allocation desk guide and noted it now required segregation of duties when creating, executing, and reconciling monthly cost allocation cycles. During our fiscal year 2010 audit, we observed that IRS implemented these new requirements. IRS segregated the duties of cost accountants during its edit check processes (which occur between executing cycle runs) by having a cost accountant other than the one executing the edit check verify that the cycle ran successfully.

IRS agreed with GAO's recommendation and updated its cost allocation desk guide on January 29, 2010 and the Internal Revenue Manueal (IRM) relating to Managerial Cost Accounting on June 8, 2010, to require timely, documented supervisory reviews at key process points. Specifically, we reviewed the revised IRM and cost allocation desk guide and noted it now requires documented supervisory reviews when creating, executing, and reconciling monthly cost allocation cycles. During our fiscal year 2010 audit, we observed that IRS implemented these new requirements. Specifically, the supervisor reviewed and signed off on completed cycle-run steps within the cycle-run spreadsheet before the cost accountants proceeded to the next step.

IRS established procedures and controls over the master version of the cycle-run spreadsheet to minimize the risk of error or omission on May 6, 2010, such as establishing a unique cycle identifier to identify the cycle run order, and supervisory reviews and other validations to ensure cycles are performed in the proper order. While IRS chose not to assign a unique, sortable identifier to each row in the spreadsheet, the implementation of supervisory reviews at key processing steps helped to ensure that each cycle run was performed and performed in the proper sequence and thus met the intent of our recommendation.