United States Government Accountability Office
Washington, DC 20548

June 25, 2012

The Honorable Douglas H. Shulman
Commissioner of Internal Revenue

Subject: Management Report: Improvements Are Needed to Enhance the Internal Revenue Service’s Internal Controls and Operating Effectiveness

Dear Mr. Shulman:

In November 2011, we issued our report on the results of our audit of the financial statements of the Internal Revenue Service (IRS) as of, and for the fiscal years ending, September 30, 2011, and 2010, and on the effectiveness of its internal control over financial reporting as of September 30, 2011.[1] We also reported our conclusions on IRS’s compliance with selected provisions of laws and regulations and on whether IRS’s financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act of 1996. In March 2012, we issued a report on information security issues identified during our fiscal year 2011 audit, along with associated recommendations for corrective actions.[2]

The purpose of this report is to present internal control deficiencies identified during our audit of IRS’s fiscal year 2011 financial statements for which we do not already have any recommendations outstanding. Although most of these deficiencies were not discussed in our report on the results of our fiscal year 2011 financial statement audit because they were not considered material weaknesses or significant deficiencies, they nonetheless warrant IRS management’s attention.[3] This report provides 30 recommendations to address the internal control deficiencies we identified. We will issue a separate report on the status of IRS’s implementation of the recommendations from our prior IRS financial audits and related financial management reports, as well as this one.

[1] GAO, Financial Audit: IRS’s Fiscal Years 2011 and 2010 Financial Statements, GAO-12-165 (Washington, D.C.: Nov. 10, 2011).
[2] GAO, Information Security: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data, GAO-12-393 (Washington, D.C.: Mar. 16, 2012).
[3] A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit the attention of those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. Materiality represents the magnitude of an omission or misstatement of an item in a financial report that, when considered in light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the inclusion or correction of the item.

GAO-12-683R IRS Management Report

Results in Brief

During our audit of IRS’s fiscal year 2011 financial statements, we identified new internal control deficiencies in the following areas:

Monitoring Information Systems Material to Financial Reporting. IRS management had not performed sufficient monitoring of internal control over information systems material to financial reporting to determine whether such control was affected by any deficiencies in internal control that either individually or collectively constitute a material weakness that had not previously been reported, in accordance with Office of Management and Budget requirements. This was primarily because (1) IRS had not yet fully implemented key components of its information security program in fiscal year 2011; (2) IRS’s monitoring of its systems focused primarily on Federal Information Security Management Act and related National Institute of Standards and Technology requirements, which were not intended to provide assurance over the integrity of financial reporting; and (3) IRS has a previously identified material weakness in information security that still existed in fiscal year 2011 which rendered it unnecessary for IRS to support an assertion indicating that the related internal controls were effective.[4]

Tax Revenue Comparison. IRS did not always evaluate or resolve unusual variances identified in its comparison of tax revenue recorded in its general ledger to detailed tax revenue transactions recorded in its master files.[5] In addition, although there was managerial review of the comparison as required by IRS’s procedures, the reviewer did not question these variances. These conditions existed primarily because IRS’s procedures did not instruct the preparer or the reviewer to evaluate and resolve significant or unusual variances that could indicate processing or other errors that would render the revenue data unreliable.

[4] Supporting an assertion that internal control over financial reporting is effective (referred to as unqualified assurance) requires monitoring of those internal controls that is adequate to provide management with sufficient, appropriate evidence to conclude that no material weaknesses exist. However, when these internal controls are already known to be affected by one or more material weaknesses, they are considered to be ineffective and thus an unqualified assertion is not appropriate. Therefore, the agency does not need to be able to support one.
[5] The master files contain detailed records of taxpayer accounts.

Treasury Forfeiture Fund Reimbursable Revenue. IRS improperly recorded anticipated revenue from the Department of the Treasury Forfeiture Fund (TFF) rather than actual revenue earned, contrary to federal accounting standards.[6] IRS is reimbursed from the TFF for its tax enforcement expenditures and consequently should record the reimbursements as reimbursable revenue. However, in fiscal year 2011, IRS improperly recorded reimbursable revenue and the related accounts receivable from the TFF for expenditures it had not yet incurred. According to IRS, this occurred because the unit responsible for tax enforcement erroneously included both actual and estimated future expenditures in the amount it reported to IRS accounting staff that record TFF revenue and the related accounts receivable, and the accounting staff were not aware that all of the expenditures had not been incurred at the time it recorded the revenue and receivable.

Physical Security Reviews. IRS’s service center campus (SCC) and field office physical security personnel did not always properly or timely (1) complete the audit management checklists used to assess the physical security controls in place at these sites and (2) document supervisory reviews of completed checklists.[7] This occurred primarily because IRS lacked procedures requiring centralized monitoring to detect whether analysts were properly completing such checklists and whether managers were timely and properly documenting their reviews of the completed checklists.

Integrated Data Retrieval System Access.
Two clerks in the campus support unit at one SCC improperly had the ability to make adjustments to a taxpayer’s account through the Integrated Data Retrieval System while also maintaining physical possession of hard-copy receipts in the course of their payment processing duties.[8] Consequently, they had the potential to misappropriate a payment and alter the taxpayer’s account to conceal the theft. This occurred because IRS procedures did not specifically prohibit access to such system commands for certain campus support employees who were responsible for processing payments, and thus, IRS procedures did not require monitoring these particular employees’ system accesses.

[6] The Federal Accounting Standards Advisory Board (FASAB) is the body designated by the American Institute of Certified Public Accountants as the source of generally accepted accounting principles for federal reporting entities. The FASAB develops accounting standards and principles for the federal government, after considering the financial and budgetary information needs of congressional oversight groups, executive agencies, and the needs of other users of federal financial information.
[7] SCCs process tax returns and payments submitted by taxpayers.
[8] A taxpayer’s account is a record of individual modules in IRS’s master files containing tax assessment, payment, and other information related to a specific type of tax for a specific period. A taxpayer may have multiple account modules within IRS’s master files under a unique identification number (i.e., Social Security number or an employer identification number). Each unique account module is identified by the taxpayer identification number, tax type (e.g., excise tax, individual tax, payroll tax), and specific tax period (e.g., year, quarter).

Monthly Rent Bill Allocation.
The rent processing administrator was responsible for performing all of the key steps involved in allocating costs from the rent bill without any supervisory review and could edit lease data entered by another staff member without any independent review. This occurred because IRS did not have policies or procedures that required a supervisory review or proper segregation of duties over the rent allocation process.

Graphic Database Interface System Quarterly Reviews. IRS field managers did not always sufficiently document or accurately summarize the results of their quarterly reviews of employee locations recorded in IRS’s Graphic Database Interface system (GDI). This occurred because IRS did not have sufficiently detailed written procedures for documenting the GDI quarterly reviews nor require supervisory review of the reported results.

Leasehold Improvement Disposal Estimate. IRS incorrectly calculated its leasehold improvement disposal estimate, which resulted in understatements to leasehold improvement expenses and accumulated depreciation. In addition, supervisors responsible for reviewing the disposal calculations did not identify these errors. These conditions existed because IRS did not have procedures to assess the completeness and accuracy of the data extracted from GDI used in the calculation and supervisors had competing work demands which hindered them from identifying these errors.

Verification of End-user Receipt of Goods and Services. IRS staff did not always confirm, or obtain documentation of confirmation, with the end user of the satisfactory receipt of a purchased product or service before entering receipt and acceptance of the good/service into the procurement system. This occurred because IRS staff were not always aware of the requirement to obtain and document end-user receipt confirmation and IRS did not perform any monitoring for compliance.

Patient Protection and Affordable Care Act Expenses.
IRS did not always identify expenses related to the implementation of the Patient Protection and Affordable Care Act and the Health Care and Education Reconciliation Act (collectively referred to as PPACA) and timely determine whether to charge individual PPACA-identified expenses to the PPACA appropriation established within the Department of Health and Human Services or to one of IRS’s own appropriations. This occurred because employees did not always charge time spent on PPACA to the proper codes, supervisors did not ensure their employees’ time was appropriately coded, and IRS lacked an adequate process to timely review all PPACA-coded expenses to determine which appropriation to charge before fiscal year-end.

Time Card Approvals. Employee time cards were not always approved by a manager before being transmitted to the National Finance Center for processing and payment. This occurred because managers did not follow IRS’s procedures to electronically sign employees’ time cards, IRS did not have procedures requiring payroll staff to centrally review time cards to ensure all time cards were signed before submitting them for payment, and IRS’s payroll system did not have an edit check to prevent unsigned electronic time cards from being submitted for payment.

Employee Within-Grade Pay Increases. IRS did not always (1) make timely decisions on granting or denying within-grade increases (WGIs) in pay to employees with below fully successful ratings as required by IRS policies and procedures, and (2) timely grant WGIs to such employees if warranted. This occurred primarily because IRS did not have a central monitoring process in place to ensure that managers made and timely carried out all WGI-required actions for employees with below fully successful performance ratings and that such employees subsequently entitled to receive a WGI, were granted it.

Recycled Payroll Errors.
IRS did not timely research and resolve recycled errors (payroll transactions with data errors that prevented them from automatically posting to IRS’s general ledger), resulting in recycled errors that had accumulated for over 7 years without being resolved. These errors accumulated because IRS did not have procedures requiring timely research and correction of such errors.

These deficiencies increase the risk that IRS may not prevent or promptly detect and correct (1) weaknesses in its internal control over its information systems material to financial reporting; (2) errors in dollar amounts recorded in the master files and general ledgers; (3) physical security deficiencies at its SCCs and field offices; (4) loss, theft, or misappropriation of hard-copy taxpayer receipts; (5) errors in the allocation of space-related expenses; (6) premature payments to vendors before goods or services were received and receipt confirmed; (7) misidentified PPACA expenses; (8) payroll errors; and (9) improper or delayed within-grade pay increases. In addition, the control deficiencies identified resulted in overstatements to Treasury Forfeiture Fund reimbursable revenue and accounts receivable, and understatements to leasehold improvement disposal expenses, accumulated depreciation, payroll expenses, and payroll liabilities.

We are making 30 recommendations that, if effectively implemented, should address the internal control deficiencies we identified. These recommendations are intended to bring IRS into conformance with its own policies, the Standards for Internal Control in the Federal Government, or both.[9]

We provided IRS with a draft of this report and obtained its written comments. In its comments, IRS agreed with all but 2 of our 30 recommendations and described actions it had taken, had under way, or planned to take to address the control weaknesses described in this report. IRS did not agree with 2 of the recommendations we made to address our finding that employee time cards were not always approved by a manager before being transmitted for processing and payment. Specifically, IRS disagreed with the recommendations to revise its (1) current payroll standard operating procedures and (2) planned new payroll policy to require that a designated proxy authorized to approve time cards on behalf of a manager be at an equivalent level to or higher level than the manager. In its comments, IRS stated that its policy of granting temporary approval authority to nonsupervisory personnel is not inconsistent with the Internal Revenue Manual (IRM) and that it is not practical for IRS to establish a minimum grade standard for acting individuals.[10] We do not concur with IRS’s views on this matter, and as we discuss in further detail later in the report, we reaffirm our recommendations. In addition to its written comments, IRS provided technical comments on a draft of this report, which we incorporated as appropriate. At the end of our discussion of each of the issues in this report, we have summarized IRS’s related comments and provided our evaluation. We have also reprinted IRS’s comments in enclosure II.

[9] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999), contains the internal control standards to be followed by executive agencies in establishing and maintaining systems of internal control as required by 31 U.S.C. § 3512 (c), (d) (commonly referred to as the Federal Managers’ Financial Integrity Act of 1982).

Scope and Methodology

This report addresses internal control deficiencies we identified during our audit of IRS’s fiscal years 2011 and 2010 financial statements.
As part of our audit, we tested IRS’s internal control over financial reporting.[11] We designed our audit procedures to test relevant controls, including those for proper authorization, execution, accounting, and reporting of transactions. To assess internal controls related to safeguarding taxpayer receipts and information, we visited three SCCs, four lockbox banks,[12] seven Small Business/Self-Employed Division units,[13] and eight taxpayer assistance centers.[14] We performed our audit of IRS’s fiscal years 2011 and 2010 financial statements in accordance with U.S. generally accepted government auditing standards. We believe that our audit provided a reasonable basis for our findings and conclusions in this report. Further details on our audit scope and methodology are provided in our November 2011 report on the results of our audit of IRS’s fiscal years 2011 and 2010 financial statement audit and are summarized in enclosure I.[15]

[10] The IRM outlines business rules and administrative procedures and guidelines IRS uses to conduct its operations, and contains policy, direction, and delegations of authority necessary to carry out IRS’s responsibilities to administer tax law and other legal provisions.
[11] An entity’s internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, the objectives of which are to provide reasonable assurance that (1) transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in accordance with U.S. generally accepted accounting principles, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition; and (2) transactions are executed in accordance with the laws governing the use of budget authority and other laws and regulations that could have a direct and material effect on the financial statements.
[12] Lockbox banks are financial institutions designated as depositories and financial agents of the U.S. government under contract with the Department of the Treasury’s Financial Management Service to perform certain financial services, including processing tax documents, depositing the receipts, and forwarding the documents and data to IRS’s SCCs, which update taxpayers’ accounts. During fiscal year 2011, there were seven lockbox banks processing taxpayer receipts on behalf of IRS.
[13] Small Business/Self-Employed Division units are field offices that serve partially or fully self-employed individuals, individual filers with certain types of nonsalary income, and small businesses.

Monitoring Information Systems Material to Financial Reporting

IRS’s management did not perform sufficient monitoring of internal control over its automated information systems material to financial reporting (financial reporting systems) to determine whether such control was affected by any deficiencies in internal control that either individually or collectively constitute a material weakness that had not previously been reported.[16] The Office of Management and Budget’s (OMB) Circular No. A-123 (A-123) and its related implementation guide (A-123 guide) require agencies to annually assess the effectiveness of their internal control over financial reporting and to provide a statement of assurance attesting to whether these internal controls are effective as of June 30 each year.[17] Under A-123, in order for an agency to support an assertion that its internal control is effective (referred to as unqualified assurance), it must have first determined, based on its A-123 internal control assessment process, that there are no material weaknesses in internal control over financial reporting.
A-123 and the A-123 guide also include requirements for agencies’ monitoring of internal control over automated information systems that affect financial reporting in order to (1) determine whether these internal controls are effective, and (2) if warranted, provide management with the sufficient, appropriate evidence necessary to support an assertion that these controls are effective.

[14] Taxpayer assistance centers are field assistance units, located within IRS’s Wage and Investment division, designed to serve taxpayers who choose to seek help from IRS in person. Services provided include interpreting tax laws and regulations, preparing tax returns, resolving inquiries on taxpayer accounts, receiving payments, forwarding those payments to appropriate SCCs for deposit and further processing, and performing other services designed to minimize the burden on taxpayers in satisfying their tax obligations. These offices are much smaller facilities than SCCs or lockbox banks, with staffing ranging from 1 to about 35 employees.
[15] See GAO-12-165.
[16] We would generally consider a system to be quantitatively material to financial reporting if it processes and/or reports a material dollar amount of the transactions that are included in agency internal and/or external financial reports during a reporting period. The assessment of the significance of a deficiency in the internal control over such a system may be elevated if it also exhibits qualitative characteristics, such as processing (1) an inordinately large volume of financial transactions, and/or (2) related sensitive information the safeguarding of which is a matter of substantial concern to financial statement users.
[17] OMB Circular No. A-123, Management’s Responsibility for Internal Control (rev. Dec. 21, 2004) and Chief Financial Officer’s Council, Implementation Guide for OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A, Internal Control Over Financial Reporting (Washington, D.C.: July 2005). As a bureau of the Department of the Treasury, IRS provides an A-123 assurance statement to Treasury which, in turn, prepares an A-123 assurance statement for the department as a whole.

Since IRS’s June 30, 2011, A-123 assertion on the effectiveness of its internal control over financial reporting was qualified based on the existence of material weaknesses in internal control over unpaid tax assessments and information security, it was not necessary for IRS to support such an assertion.[18] However, because IRS did not effectively monitor its financial reporting systems, it is at increased risk of undetected deficiencies in internal control over these systems, potentially exposing its financial information to error or fraud and related sensitive information to unauthorized disclosure beyond the risks already identified by the audit process. In addition, IRS would not have been able to support an A-123 assurance statement asserting that its financial reporting systems were free of material weaknesses, if such a conclusion were otherwise warranted.

In December 2004, OMB significantly revised A-123, and in July 2005, the Chief Financial Officer’s Council issued a related implementation guide. We reviewed IRS’s implementation of the revised circular in fiscal year 2006, and found that IRS’s A-123 assessment process was adequate to support its resultant June 30, 2006, assurance statement which was qualified based on the existence of several material weaknesses in internal control, including a material weakness over computer security (also known as information security).[19] However, we also alerted IRS that significant additional work would be needed to enable it to support an unqualified A-123 assurance statement, once the identified material weaknesses were resolved, and assuming that no other material weaknesses were identified.
In subsequent years, IRS resolved two of its material weaknesses in internal control, and its A-123 internal control assessments in each of the affected areas in fiscal year 2011 were sufficient to support IRS’s assertion that it did not have any related material weaknesses. However, two other material weaknesses in internal control, one of which was in information security continued to exist as of its June 30, 2011, assurance statement. IRS has devoted significant resources to resolve its material weakness in internal control over information security, and while it has made notable progress in addressing a number of the control deficiencies we have identified, much remains to be done.

[18] GAO-12-165. The material weakness in internal control over information security encompasses deficiencies we identified in internal control over key IRS financial and tax processing systems that we considered to be material to financial reporting. An unpaid tax assessment is a legally enforceable claim against a taxpayer and consists of taxes, penalties, and interest that have not been collected or abated (a reduction in a tax assessment).
[19] GAO, Management Report: IRS’s First-Year Implementation of the Requirements of the Office of Management and Budget’s (OMB) Revised Circular No. A-123, GAO-07-692R (Washington, D.C.: May 18, 2007).

Supporting an assertion that internal control over financial reporting systems are effective requires not only resolving the previously identified material weakness in internal control over information security, but also monitoring of all of these systems that is sufficient in both scope and methodology to reliably determine whether there are any other deficiencies in internal control that are either individually or collectively material. Before this can be accomplished, however, the scope and nature of the automated systems and related internal controls that affect financial reporting need to be defined and appropriately documented. The A-123 guide requires agencies to develop and document a thorough understanding of their financial reporting operations and how these operations are supported by automated systems, to include:

• determining which specific automated systems are involved in the financial reporting process;
• understanding what role each of these automated systems plays in the financial reporting process and the nature and magnitude of transactions it processes and/or reports;
• determining whether each automated system identified is material to the financial reporting process (is a financial reporting system) and, for each system that is determined to be a financial reporting system, determining whether it is controlled by the agency or by an external service provider:
  - for those financial reporting systems that are controlled by the agency, identifying and documenting the internal controls that each system utilizes to ensure that the financial transactions it processes are authorized, processed, and reported only in accordance with management policy; and
  - for those financial reporting systems that are controlled by an external service provider, coordinating with the service provider to obtain an annual assurance statement that highlights key controls and the results of annual testing, and if available, reviewing the most recent report prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16.[20]

The A-123 guide also specifies that related documentation should (1) include copies of written policies and procedures, written memoranda, and flowcharts of system configurations and significant processes; and (2) identify the control objectives and the related control points designed to achieve those objectives. Completion of these steps is necessary to provide a baseline for the design and implementation of routine monitoring of these internal controls.
However, IRS had not yet established an appropriate baseline for monitoring internal control over its automated systems that are material to financial reporting that would have enabled IRS to support an unqualified assurance as of June 30, 2011, had that been appropriate. For example, IRS did not have a complete inventory identifying the specific automated systems that affected its financial reporting. Consequently, IRS also had not identified which of its automated systems were considered to be material to financial reporting. As a result, IRS lacked reasonable assurance that the scope of any automated system monitoring procedures it conducted was sufficient to enable it to determine whether internal control over financial reporting was effective.

[20] SSAE No. 16, Reporting on Controls at a Service Organization, which was effective June 15, 2011, and its predecessor, Statement on Auditing Standards (SAS) No. 70, Service Organizations, provide standards governing reporting on internal control at service providers upon which other entities rely to support significant aspects of their operations.

For example, for its financial reporting process, IRS places extensive reliance on automated systems that are controlled by external service providers, including the processing of its payroll transactions and tax revenue collections. The A-123 guide specifies that such automated systems are considered part of an entity’s information system if they significantly affect financial transactions or reports, and should therefore be considered in making an assessment of the effectiveness of internal control over financial reporting.
The A-123 guide describes the nature of the procedures which may be used to monitor internal control over such service providers as follows: (1) perform tests of entity internal control over the activities of the service provider, (2) perform tests of internal control at the service provider, or (3) review periodic reports prepared by the service provider in accordance with applicable standards. Based on these procedures, the agency should obtain an understanding of the controls at the service provider that are relevant to the entity’s internal control over financial reporting and the controls at the entity itself over the activities of the service provider, and obtain evidence that the controls at the service provider which are relevant to management’s assertion, are operating effectively. However, as of June 30, 2011, IRS had not determined which of the externally controlled automated systems it relied upon were considered material to its financial reporting process, and had not established and implemented procedures to monitor these systems’ internal control over financial reporting. Consequently, with respect to externally controlled automated systems that were material to financial reporting, IRS had not determined whether they were affected by any deficiencies in internal control nor had it assessed related risks to the integrity of financial data, accuracy of financial reporting, or safeguarding of related sensitive information. In July 2011, we provided IRS a list of the automated systems we were aware of that, based on our understanding, appeared to be controlled by external service providers and to be material to IRS’s financial reporting process. IRS subsequently agreed with our conclusions with respect to 13 of these systems and identified several additional systems, and initiated related monitoring efforts. 
We also found that the monitoring IRS conducted over its internally controlled financial reporting systems in fiscal year 2011 was not always effective. For example:

• Tests and evaluations of policies, procedures, and controls related to IRS’s financial reporting systems were not always effective. As we previously reported, the scope of such tests was limited, and related and previously reported weaknesses had not been corrected.[21] Because testing was not comprehensive, the risk that IRS may not be aware of existing vulnerabilities is increased.
• As we previously reported, IRS did not thoroughly validate the effectiveness of corrective actions implemented to address previously reported weaknesses. As a result, IRS overestimated the extent of its progress in correcting these issues, and underestimated the extent of remaining weaknesses.[22]

In addition, we found that some internal control deficiencies we identified affecting IRS’s internally controlled financial reporting systems had not previously been detected by IRS’s existing monitoring process. While no monitoring process should be expected to identify all deficiencies in internal control, the magnitude of the deficiencies we identified of which IRS was not aware indicated that its monitoring of internal control over its financial reporting systems was not effective in fiscal year 2011.
These deficiencies in IRS’s monitoring of its financial reporting systems existed for several reasons:
As we have previously reported, IRS had not yet fully implemented key components of its comprehensive information security program during fiscal year 2011.23 The Federal Information Security Management Act (FISMA) requires agencies to develop, document, and implement an information security program that encompasses, among other elements, (1) periodic risk assessments, (2) risk-based policies and procedures that are designed to cost-effectively ensure compliance with applicable requirements, (3) plans for providing adequate information security, (4) security awareness training for personnel, (5) periodic testing and evaluation, and (6) a remedial action process to address identified deficiencies.24 However, in each of these areas, IRS’s information security program was not fully effective in fiscal year 2011.
IRS’s monitoring of internal control over its automated systems has been focused on compliance with FISMA and related National Institute of Standards and Technology (NIST) standards.25 However, FISMA and NIST requirements, while very important, are intended to strengthen the overall security of IRS’s automated information systems in general, rather than to provide specific assurance over the integrity of financial reporting, and thus alone are not sufficient for this purpose.
21 GAO-12-393.
22 GAO-12-393.
23 GAO-12-393.
24 FISMA was enacted as title III of the E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). FISMA was enacted to strengthen the security of information and systems within federal agencies. FISMA requires each agency to develop, document, and implement an agencywide information security program for the information and information systems that support the operations and assets of the agency, using a risk-based approach to information security management.
Because IRS has had a material weakness in its internal control over information security each year since the revised A-123 was first effective in fiscal year 2006, it has not been necessary for IRS to support an assertion that related internal control over its financial reporting systems was effective. As a result of these limitations in the scope and methodology of IRS’s financial reporting systems monitoring process in fiscal year 2011, IRS management did not have sufficient information available to reliably conclude whether there were any deficiencies in internal control over systems that were individually or collectively material to financial reporting, apart from those issues that had been previously identified and reported. Consequently, IRS could not have supported an A-123 statement of assurance indicating that related internal control was effective, even if providing such an assertion would have otherwise been appropriate. In addition, the lack of effective monitoring increases the risk that additional deficiencies in internal control of which IRS is not aware may exist in these systems, further increasing the risk of compromising the integrity of financial reports and the confidentiality of related sensitive information. Appropriately minimizing these risks requires establishing and effectively implementing routine, effective monitoring of internal control surrounding all aspects of the flow of financial transaction data from the time it is first entered to a financial reporting system until the data are included in internal and/or external financial reports. This includes monitoring internal control over (1) the safeguarding of the data that reside in any of these systems, and (2) the transmission of data between multiple systems, if applicable. 
Identifying, documenting, and monitoring such internal controls requires close cooperation between information technology specialists who have the necessary systems expertise, chief financial officer personnel who understand the financial transactions being processed and reported, and where externally controlled systems are being relied upon, the service providers who control those systems. IRS has made progress in this regard. For example, during fiscal year 2011 IRS established cross-functional teams incorporating representatives from the financial and information technology disciplines to address areas considered to be of high risk. However, successful, ongoing monitoring of internal control over these systems requires a long-term commitment to routine, institutionalized monitoring over time as conditions change, existing systems continue to age and evolve, and new systems are brought into service.
As noted above, we previously reported some of these issues in a management report that discussed IRS’s fiscal year 2011 internal control over information security, and provided appropriate related recommendations.26 With respect to those control deficiencies discussed in this section that were not included in that report, our recommendations are detailed below.
25 FISMA also assigned to NIST the responsibility for developing standards and guidelines that include minimum information security requirements. See 15 U.S.C. § 278g-3.
Recommendations for Executive Action
We recommend that you direct the appropriate IRS officials to do the following:
Establish and document an inventory of the specific systems involved in IRS’s financial reporting process, including (1) describing what role each system plays in the financial reporting process, (2) concluding whether each system is considered to be material to financial reporting and why, and (3) denoting whether each system is controlled by IRS or by an external service provider and, if the latter, identifying the service provider.
Enhance existing policies and procedures pertaining to monitoring internal control over the automated systems operated by IRS personnel to specifically provide for routine, documented monitoring of the specific internal controls within its financial reporting systems that are intended to ensure the integrity of the data reported in the financial statements and other financial reports. This monitoring process should (1) involve both automated systems specialists and individuals with expertise in accounting and reporting, as appropriate, (2) encompass the specific automated internal controls that affect the authorizing, processing, transmitting, or reporting of material financial transactions, and (3) be designed to determine whether these internal controls are in place and operating effectively.
For any system identified as material to IRS’s financial reporting process which is controlled by an external service provider, establish policies and procedures requiring and defining a routine, documented process for coordinating with the service provider to appropriately monitor related internal control. This may entail establishing an agreement with each service provider to allow IRS personnel the access to either (1) the system concerned, as necessary to perform appropriate monitoring of internal control over financial reporting; or (2) periodic reports prepared in accordance with SSAE No. 16 documenting the results of monitoring performed by the service provider.
Establish policies and procedures with respect to any external financial reporting system IRS personnel themselves do not directly monitor that specify required steps to routinely review periodic reports prepared by service providers’ auditors in accordance with SSAE No. 16, including steps to document (1) an assessment of whether a review’s scope, methodology, and timing is appropriate to satisfy IRS’s objectives; (2) any control deficiencies disclosed in the report, and an assessment of their materiality to IRS’s financial reporting process and related risks; and (3) any compensating internal controls needed to mitigate any actual or potential effects of identified deficiencies upon IRS’s internal and external financial reports resulting from any (a) material weakness, or (b) significant shortcoming in the scope, methodology, or timing of any SSAE No. 16 report reviewed relative to IRS’s internal control objectives.
26 GAO-12-393.
IRS Comments and Our Evaluation
IRS agreed with our recommendations and stated that it would take the following actions by December 2013. IRS stated that it would modify its listing of systems involved in the financial reporting process to include (1) a description of the role each system plays, (2) whether the system is considered material to the financial statements, and (3) whether the system is controlled by IRS or by an external service provider and, if the latter, identify the service provider.
For all systems identified as material to IRS’s financial reporting process, IRS stated that it would enhance existing policies and procedures to appropriately monitor internal controls over the automated systems operated by IRS personnel to include performing periodic and routine examinations of the financial systems that authorize, process, transmit, or report material financial transactions; such reviews will use multidisciplinary teams consisting of automated systems specialists and accounting and reporting experts. IRS will develop policies and procedures using the financial systems monitoring process to determine whether the internal controls over these automated systems are in place and operating effectively. In addition, for all externally controlled financial systems that are identified as material to the financial statements, IRS stated that it would establish procedures for coordinating an internal control review with service providers and develop policies and procedures to document and routinely report on reviews of external providers’ adherence to IRS’s internal control objectives. IRS’s proposed actions, if successfully carried out, should address the intent of our recommendations. We will evaluate IRS’s progress and the effectiveness of its actions during future audits.
Tax Revenue Comparison
During our fiscal year 2011 financial audit, we found that IRS did not always evaluate or resolve unusual variances identified in its comparison of tax revenue recorded in its general ledger to detailed tax revenue transactions recorded in its master files. IRS uses two different systems to record tax revenue transactions.
IRS records summary-level financial information by tax class in its general ledger, which it uses to report total federal tax revenue receipts on the Statement of Custodial Activity,27 and records detailed transaction-level activity in its master files, which it uses to report receipts by both tax class and tax year in the notes to the financial statements. Since the two systems are not integrated, IRS performs a comparison between the tax revenue recorded in the general ledger and that recorded in the master files to (1) ensure that the two independent systems are materially consistent for both internal and external reporting purposes, and (2) account for expected timing differences between the general ledger postings and the master files. This is critical because the general ledger is used to generate the financial statements while only the master files have the detail to support the breakout of revenue collections by tax year in the footnotes to the financial statements in conformity with federal accounting standards.28
Under IRS’s tax revenue collection and posting process used in fiscal year 2011, IRS normally recorded taxpayer receipts in the general ledger daily while the specific detailed transaction activity was updated in the master files weekly. Consequently, at any point in time, the general ledger revenue balance should have been larger than the master files balance since taxpayer receipts were posted to the master files later.
27 Tax class refers to the classification of nonexchange revenues for taxes levied against taxpayers for the following tax categories: (1) individual income, Federal Insurance Contributions Act (FICA), and Self-Employment Contribution Act (SECA); (2) corporate income; (3) excise; (4) estate and gift; (5) railroad retirement; and (6) federal unemployment.
However, during our fiscal year 2011 audit, we found that IRS’s comparison identified variances in which the master files revenue balance exceeded the general ledger revenue balances for both the (1) corporate and (2) estate and gift tax classes, yet IRS did not evaluate these variances or attempt to resolve them until after we brought the matter to its attention. Such variances could be an indication of processing or other errors, which could render the revenue data unreliable. In addition, although there was managerial review of the comparison as required by IRS’s procedures, the reviewer did not question these variances.
Internal control standards state that control activities, including comparisons, must be clearly documented, periodically updated, and readily available for examination.29 Further, information presented in these comparisons must be evaluated in order to be most useful to the agency.
IRS staff did not always evaluate or resolve the unusual variances identified in its comparison of tax revenue recorded in the general ledger to that recorded in its master files because IRS lacked sufficiently detailed guidance over the steps required to effectively prepare and review the comparison. Specifically, IRS’s written procedures only required that a comparison be performed and be reviewed by management. Although an IRS official told us that the preparer of the comparison should evaluate and resolve significant and unusual variances, the written procedures did not instruct the preparer or reviewer to evaluate and resolve such variances, nor did they specify criteria for determining what constituted a significant or unusual variance.
IRS reconciled the revenue recorded in the general ledger to the revenue deposited at Treasury to ensure the general ledger balances were materially correct.30 However, the comparison of the general ledger to the master files was IRS’s only means of ensuring that tax revenue collection information presented by tax year in its notes to the financial statements was accurately presented and materially correct. By not evaluating and resolving significant or unusual variances in the comparison of the general ledger to master files, IRS is at increased risk that errors in the master files may not be identified and appropriately resolved. This, in turn, (1) jeopardizes the integrity of the underlying taxpayer accounts, which could increase the burden to affected taxpayers; and (2) puts IRS at risk of inaccurately reporting its revenue collections by tax year.
28 Statement of Federal Financial Accounting Standards No. 7, Accounting for Revenue and Other Financing Sources and Concepts for Reconciling Budgetary and Financial Accounting, paragraph 65.3, May 10, 1996, states that cash collections and refunds by tax year and type of tax should include cash collections and cash refunds for the reporting period and for sufficient prior periods to illustrate (1) the historical timing of tax collections and refunds, and (2) any material trends in collection and refund patterns.
29 GAO/AIMD-00-21.3.1.
Recommendations for Executive Action
We recommend that you direct the appropriate IRS officials to do the following:
Update IRS’s procedures for comparing tax revenue recorded in the general ledger to detailed tax revenue transactions recorded in the master files to (1) establish minimum criteria defining a significant or unusual variance and (2) specify the steps required to effectively evaluate and resolve these variances.
Update IRS’s procedures for comparing tax revenue recorded in the general ledger to detailed tax revenue transactions recorded in the master files to require that management reviews ensure preparers evaluate and resolve unusual or significant variances.
IRS Comments and Our Evaluation
IRS agreed with our recommendations and stated that by October 2012 it would update its revenue reconciliation desktop procedures to establish minimum criteria for defining significant or unusual variances related to revenue, specify the steps required to effectively evaluate and resolve these variances, and require a review and sign-off by a manager to ensure that preparers evaluate and resolve significant or unusual variances. IRS’s proposed actions, if successfully carried out, should address the intent of our recommendations. We will evaluate IRS’s progress and the effectiveness of its actions during future audits.
Treasury Forfeiture Fund Reimbursable Revenue
During our fiscal year 2011 financial audit, we found that IRS improperly recorded and reported anticipated revenue from the Department of the Treasury Forfeiture Fund (TFF) rather than actual revenue earned, contrary to federal accounting standards. IRS receives funds from TFF under the Treasury Forfeiture Fund Act of 1992.31 These funds represent reimbursements for tax law enforcement expenditures. In its procedures implementing the act, IRS states that mandatory tax law enforcement expenditures include costs of activities incurred in seizing assets from the public for unpaid tax debts; and discretionary tax law enforcement expenditures include costs of specific projects related to enforcement activities.
30 In accordance with 26 U.S.C. § 7809, unless a specific statutory exception applies, all taxes collected by IRS are required to be paid daily into the U.S. Treasury. IRS accomplishes this by depositing all of the taxes collected to various financial institutions, which in turn make daily deposits via wire transfer or through the Automated Clearing House (an electronic network for financial transactions) to the Federal Reserve Bank for credit to the Treasury’s general account.
In accordance with Treasury’s accounting policy for the recognition of TFF revenue and related intradepartmental transactions, IRS initially records all reimbursements from TFF as reimbursable revenue and subsequently reclassifies the portion received for discretionary expenditures as transfers in without reimbursement for financial reporting purposes.32 IRS’s Beckley Finance Center (BFC) is responsible for recording reimbursable revenue, transfers in without reimbursement, and accounts receivable from TFF. The amounts recorded by BFC are based on expenditures reported to it by IRS’s Criminal Investigation division (CID), which performs the tax enforcement services for which TFF reimburses IRS. During our testing of IRS’s TFF revenue earned during fiscal year 2011, we found that IRS improperly recorded reimbursable revenue and the related accounts receivable from the TFF at fiscal year-end based on anticipated (i.e., estimated) rather than actual revenue earned. Specifically, we found IRS recorded $38 million in reimbursable revenue for both mandatory and discretionary TFF expenditures in fiscal year 2011, while actual expenditures totaled $11.3 million, resulting in IRS overstating reimbursable revenue and accounts receivable by $26.7 million.33 According to the memorandum of understanding between Treasury and IRS, TFF will reimburse IRS only for actual expenditures. By recording TFF revenue based on anticipated rather than actual expenditures, IRS overstated the amount of reimbursable revenue, transfers in without reimbursement, and accounts receivable reported in its fiscal year 2011 financial statements by the portion of the estimated expenditures IRS did not actually incur by fiscal year-end. Should IRS not actually spend the amount estimated, subsequent years’ accounts will be understated when IRS adjusts for the difference between the estimated and actual expenditures. 
According to federal accounting standards, revenue from exchange transactions should be recognized when services are performed or when costs are incurred from providing the services.34 IRS’s Reimbursable Operating Guidelines also state that revenue should not be recognized until costs have been incurred.35 The guidelines also require reimbursable projects to be closed at the end of each fiscal year. However, IRS officials informed us that because CID had contracts that extended beyond the end of the fiscal year, CID erroneously reported to BFC total TFF expenditures for the fiscal year that included both (1) actual expenditures incurred and (2) expenditures it expected to incur in the future under these contracts, even though those expenditures had not yet occurred. IRS officials also said BFC was unaware that CID had not yet incurred all of these expenditures until we brought it to their attention, and thus, it improperly recorded reimbursable revenue that had not been earned, contrary to federal accounting standards. This resulted in overstated amounts being reported in IRS’s financial statements.
31 31 U.S.C. § 9703.
32 Reimbursable revenue is included in “earned revenue” on IRS’s Statement of Net Cost and “transfers in without reimbursement” is included in “transfers in/out without reimbursement” on IRS’s Statement of Changes in Net Position.
33 $18.3 million of reimbursable revenue was subsequently transferred to transfers in without reimbursement for financial statement reporting purposes.
34 Statement of Federal Financial Accounting Standards No. 7, Accounting for Revenue and Other Financing Sources and Concepts for Reconciling Budgetary and Financial Accounting, par. 36(a) and 37, May 10, 1996, amended June 30, 2011.
35 IRM § 126.96.36.199.2 (5), Recognition of Earned Reimbursements (rev. Feb. 11, 2011).
IRS officials said they have since discussed this with CID staff and are developing a process to help ensure that amounts for TFF reimbursable revenue and related accounts are recorded properly.
Recommendation for Executive Action
We recommend that you direct the appropriate IRS officials to establish and document procedures for ensuring that recorded reimbursable revenue, transfers in without reimbursement, and accounts receivable from the TFF conform to federal accounting standards.
IRS Comments and Our Evaluation
IRS agreed with our recommendation and stated that in January 2012 it developed and implemented a direct charge reimbursable process for mandatory TFF expenditures. If successfully carried out, this should address the intent of our recommendation for mandatory TFF expenditures. IRS stated that it is still in discussions with Treasury to develop related processes for recording discretionary TFF expenditures that will conform to federal accounting standards. We will evaluate IRS’s progress and the effectiveness of its actions during future audits.
Physical Security Reviews
During our fiscal year 2011 financial audit, we found that physical security analysts did not always properly or timely complete the Physical Security and Emergency Preparedness (PSEP) audit management checklist at the SCCs and field office locations we visited. In addition, we found that PSEP territory managers did not always properly or timely document their required reviews of completed checklists. IRS PSEP analysts at SCCs and field offices are responsible for completing the audit management checklist, which includes steps to test controls for limiting and controlling building access, reviewing security guards’ training records and performance requirements, and validating that surveillance cameras and other related equipment are properly operating.
We previously recommended that IRS improve its internal controls related to physical security at its processing facilities and field offices by (1) reviewing the audit management checklist for clarity and revising the assessment questions as appropriate, (2) issuing written guidance to accompany the audit management checklist that explains the relevance of the questions and the methods that should be used to assess and test the related controls, (3) providing training to physical security analysts responsible for completing the audit management checklist to help ensure that checklist questions are answered appropriately and accurately, (4) establishing and documenting the minimum frequency for how often the audit management checklist should be completed at each SCC and field office, and (5) establishing policies requiring documented managerial reviews of completed audit management checklists. Furthermore, we recommended that managerial reviews should document (1) the time and date of the review, (2) the name of the manager performing the review, (3) the supporting documentation reviewed, (4) any problems identified with the responses on the checklists, and (5) corrective actions to be taken.36
IRS implemented corrective actions to address these recommendations. Specifically, in July 2010, IRS revised the Standard Operating Procedures (SOP) for completing the audit management checklist to include requirements for PSEP analysts to complete the audit management checklist quarterly at SCCs and for territory managers to document their review of completed checklists. In addition, in December 2010, IRS asserted that PSEP security analysts had received training on the proper completion of the audit management checklist. However, during our fiscal year 2011 audit, we found that physical security analysts and territory managers did not always follow the requirements outlined in the SOP.
Specifically, we found the following:
At all three SCCs we visited, analysts did not complete the checklist quarterly as required. Specifically, at one SCC we visited in April 2011, we found that the checklist had not been completed since February 2008, a span of over 2 years. At a second SCC, we found that analysts did not complete the checklist during the first two quarters of fiscal year 2011 or the last two quarters of fiscal year 2010. At another SCC, we found that the analyst did not complete the checklist during the first two quarters of fiscal year 2011.
At two field offices, physical security analysts did not use the most recent version of the checklist at the time of the most recent review.
At one field office, the checklist did not include the territory manager’s signature indicating that it had been reviewed. At another field office, the territory manager signed the checklist but did not indicate the date of the review. At two other field offices, the territory manager’s review was dated 5 months after the checklist was completed.
The PSEP analysts and territory managers we spoke with during our visits all stated that they were aware of the requirements for completion and review of the audit management checklist contained in the SOP, but that they had not been followed due to oversight or other tasks being given higher priority. In addition, we found that there was no requirement for centralized monitoring to detect whether (1) analysts were properly completing checklists, and (2) territory managers were timely and properly documenting their reviews of the completed checklists.
36 GAO, Management Report: Improvements Are Needed in IRS’s Internal Controls and Compliance with Laws and Regulations, GAO-10-565R (Washington, D.C.: June 28, 2010).
Also, the PSEP SOP did not specify the required timing of the management review to help ensure that analysts properly completed the checklists and that identified problems were timely addressed.
Internal control standards state that control evaluations, such as reviews of control design and tests of internal controls, are useful because they focus directly on the controls' effectiveness at a specific time.37 These evaluations should be accurately and promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. Deficiencies found during such evaluations should be communicated to individuals at least one level of management above the individual performing the evaluation. Not properly completing or timely reviewing the audit management checklist increases the risk that weaknesses in controls designed to secure and safeguard vulnerable assets will go undetected and/or uncorrected. This, in turn, increases the risk that IRS will not properly detect or prevent the theft, loss of, or unauthorized access to taxpayer receipts and related sensitive information.
Recommendations for Executive Action
We recommend that you direct the appropriate IRS officials to do the following:
Establish requirements specifying a required time frame for territory managers to perform the required review and approval of completed audit management checklists.
Establish procedures requiring PSEP headquarters to centrally monitor compliance with the audit management checklist process to ensure that (1) PSEP analysts timely complete their physical security reviews using the proper audit management checklists and (2) territory managers timely review and properly document their reviews of completed audit management checklists.
IRS Comments and Our Evaluation
IRS agreed with our recommendations and stated that by October 2012 it would update the audit management checklist SOP to require that territory managers review and approve completed checklists within 30 days of the PSEP analyst’s signature date. IRS also stated that the updated SOP would require the Audit Management Program Office to perform quarterly reviews designed to ensure that (1) territory offices complete the audit management checklist at campuses on a quarterly basis and at posts-of-duty on an annual basis using the most current checklist and (2) territory managers document their review and approval of completed checklists within 30 days of the PSEP analyst’s signature date. IRS’s proposed actions, if successfully carried out, should address the intent of our recommendations. We will evaluate IRS’s progress and the effectiveness of its actions during future audits.
37 GAO/AIMD-00-21.3.1.
Integrated Data Retrieval System Access
During our fiscal year 2011 audit, we found that IRS’s controls did not provide for effective segregation of duties for processing of hard-copy taxpayer receipts at consolidated SCCs. Specifically, during our visit to the campus support unit at one SCC, we identified two clerks who had the ability to make adjustments to a taxpayer’s account through the Integrated Data Retrieval System (IDRS),38 and who also maintained physical possession of hard-copy taxpayer receipts in the course of their payment processing duties. Consequently, they had the potential to misappropriate a payment and alter the taxpayer’s account to conceal the theft.
Internal control standards state that key duties and responsibilities should be segregated among different people to reduce the risk of error or fraud.39 The standards further state that this segregation of duties should include dividing the responsibilities for authorizing, recording, and reviewing transactions, as well as handling any related assets. No one individual should be in a position to both cause and conceal an error or irregularity by controlling certain key aspects of a transaction or event. Internal control standards also state that internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations, and includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties. IRS’s IRM states that the first line manager of IDRS users is responsible for day-to-day implementation and administration of IDRS security in his or her unit, which includes ensuring the command code usage of employees with sensitive command codes is reviewed at least monthly.40 A lack of sufficient segregation of duties over campus support activities increases the risk of unauthorized access to taxpayer information, which can lead to the loss, theft, or misuse of this information.
In campus support units, IRS clerks process hard-copy taxpayer receipts through an electronic check presentment system by manually feeding checks into a scanner.41 The scanned image of the check is then electronically transmitted to the bank for deposit. Clerks also use IDRS, which allows them to access taxpayer account information. Each employee’s level of access to IDRS is determined by his or her specific role and responsibilities and is controlled by a command code profile that determines the type of transactions he or she can process. A Unit Security Representative (USR) assigns IDRS command code profiles to each employee. In some cases, the group manager is designated as the USR, while in other cases, the group manager is not the USR but coordinates with the USR to help ensure that IDRS security is effectively implemented for the group.
In reviewing the IDRS command code profiles of clerks at the campus support unit we visited, we noted two clerks’ profiles included command codes that allowed them to make adjustments to a taxpayer’s account. IRM section 10.8.34, which contains universal security policies for all IRS units, prohibits certain types of employees from having command codes that allow them to make adjustments to the balance of a taxpayer’s account, but it does not explicitly prohibit such command codes for campus support clerks who process payments through the electronic check presentment system.
38 IDRS is an IRS computer system that provides employees with the ability to research taxpayer account information, request tax returns and account transcripts, input transactions such as adjustments and entity changes, input collection information for storage and processing in the system, and generate notices, collection documents, and other outputs.
39 GAO/AIMD-00-21.3.1.
40 IRM § 10.8.34.3.1.3 (1), (2), Front/First Line Manager (Oct. 14, 2011). Each employee who uses IDRS is assigned a command code profile that determines the types of transactions he or she can process.
41 During fiscal year 2009, IRS implemented the electronic check presentment systems in its consolidated SCCs. The system was implemented in selected taxpayer assistance centers during a pilot program in fiscal year 2011. As of March 2012, IRS has expanded the program to include 383 of its existing 398 taxpayer assistance centers.
Furthermore, the campus support managers we spoke with stated they primarily relied upon IRM section 21, Customer Account Services, for guidance over campus support operations, which also does not explicitly prohibit such command codes for campus support clerks who process payments through the electronic check presentment system. In addition, while IRM section 10.8.34.3.1.3 requires front line IDRS group managers to review the command code profiles of employees with sensitive command code combinations at least monthly, neither IRM section 10, Security, Privacy, and Assurance, nor IRM section 21 explicitly identified campus support clerks who processed payments through the electronic check presentment system as an IDRS user class for which certain sensitive command codes were prohibited, and thus the managers we spoke with did not perform the monitoring activities required by IRM section 10.8.34.3.1.3. By not ensuring that computer access rights of campus support employees responsible for processing hard-copy taxpayer receipts through the electronic check presentment system have been appropriately restricted, IRS increases the risk of loss, theft, or misappropriation of such receipts.
Recommendation for Executive Action
We recommend that you direct the appropriate IRS officials to update the IRM to specify steps to be followed to prevent campus support clerks as well as any other employees who process payments through the electronic check presentment system from making adjustments to taxpayer accounts.
IRS Comments and Our Evaluation
IRS agreed with our recommendation and stated that by July 2012 it would update the IRM to require managers to use the Automated Command Code Access Control System to ensure that all campus support employees who process payments through the electronic check presentment system have the appropriate command code restriction in their IDRS profile to prevent them from having the ability to adjust taxpayer accounts.
IRS’s proposed actions, if successfully carried out, should address the weaknesses we identified related to campus support employees who process payments through the electronic check presentment system. We will evaluate the effectiveness of IRS’s efforts during our audit of IRS’s fiscal year 2012 financial statements.
Monthly Rent Bill Allocation
During our fiscal year 2011 financial audit, we found that IRS did not have effective segregation of duties or supervisory review over its process for allocating costs from the monthly rent bill to IRS’s business units. In order to properly allocate building rent and other building occupancy costs to the occupying business units, IRS links each room in a building to the employee who occupies the space using its Graphic Database Interface system (GDI). Once linked, GDI attributes the square footage to the employee as well as to the employee’s business unit. Conference rooms and other shared spaces are allocated among business units based on each unit’s share of the total occupancy of a given building. Ultimately, the allocation of space-related costs, which in fiscal year 2011 totaled $747 million, is included in IRS’s Statement of Net Cost. Staff from IRS’s Real Estate and Facilities Management division (REFM), specifically the rent processing administrator and the delegated lease administrator, are responsible for maintaining rent data in GDI.
The rent processing administrator receives and uploads into GDI monthly the bill from the General Services Administration (GSA) detailing the square footage and rent charges for buildings owned by GSA.42 The delegated lease administrator maintains lease data and rent charges for buildings not owned by GSA by inputting into GDI monthly the square footage and cost data for buildings owned by private landlords.43 Following the completion of the data input, the delegated lease administrator informs the rent processing administrator that the lease data for the non-GSA owned buildings in GDI are complete and accurate. The rent processing administrator is responsible for reviewing rent data from both GSA and non-GSA leases to ensure the completeness of the data within GDI; if he/she finds discrepancies, he/she can edit the data in the system to correct the discrepancies. Consequently, the rent processing administrator is the key person who manages virtually all aspects of the space assignments which, in turn, affects the allocation of rent and other building costs.
Each month, the rent processing administrator schedules automated processes within GDI to allocate total rent costs among the business units based on square footage using the linkage between employees and rooms. This allocation provides information to IRS on the total space usage and cost of occupancy for each business unit for management purposes. It also determines the allocation of rent to operating business units, and ultimately each program area, for reporting on IRS’s Statement of Net Cost. To help ensure that the GDI automated processes properly assigned rent costs to the business units, the rent processing administrator generates a rent check summary report from GDI, which identifies any remaining rent costs not allocated to business units. The rent processing administrator is responsible for reviewing this report and resolving any errors to ensure all rent costs are ultimately allocated.
42 GSA is the government’s landlord, providing office and other workspace services for the federal government. In fiscal year 2011, GSA leased approximately 705 buildings to IRS, consisting of 28.6 million square feet of space.
43 In fiscal year 2011, IRS leased space in 19 non-GSA owned buildings.
During a walkthrough conducted during the fiscal year 2011 audit, we noted IRS did not properly segregate duties or require supervisory review for certain key activities performed by the rent processing administrator when allocating costs from the monthly rent bill in GDI. Specifically, we found the following:
• The rent processing administrator was responsible for performing essential steps when allocating costs from the rent bill, such as loading the rent bills received by e-mail from GSA into GDI and ensuring that rooms are properly assigned to occupant employees. The rent processing administrator was also the only individual reviewing the rent check summary report, which serves as the key control in ensuring that all rent costs were properly allocated. There was no independent review of the rent check summary report or any supervisory review over the process.
• The delegated lease administrator was responsible for inputting non-GSA lease information to GDI and verifying its accuracy before releasing it to the rent processing administrator. However, the rent processing administrator had the ability to edit the non-GSA lease data after input without any subsequent supervisory review.
In both cases, we found that IRS did not have policies or procedures that required a supervisory review or proper segregation of duties over the rent allocation process.
Internal control standards state that key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud.44 This should include separating the responsibilities for processing transactions and for reviewing them. Additionally, internal control should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. By conducting the monthly rent processing without effective segregation of duties and monitoring in place, IRS increases the risk of the misallocation of rent and space-related expenses which use square footage as a basis for allocation on the Statement of Net Cost. It also increases the risk of management making decisions based on inaccurate information about its space and rent costs.
After we identified these issues, REFM revised its policy in September 2011 to require an independent review of the monthly rent totals from both GSA and non-GSA leases. This action should help address this issue, provided IRS appropriately implements the new requirement. However, additional requirements are needed to address the ability of the rent processing administrator to edit the non-GSA lease data after input, since those changes would not be evident by reviewing the summarized monthly totals.
44 GAO/AIMD-00-21.3.1.
Recommendations for Executive Action
We recommend that you direct the appropriate IRS officials to do the following:
• Implement the September 2011 revised policy that requires an independent review of the rent check summary report to help ensure that the monthly rent allocation process is properly completed.
• Establish a policy requiring an independent review of changes made by the rent processing administrator to non-GSA lease data in GDI.
IRS Comments and Our Evaluation
IRS agreed with our recommendations and stated that it implemented the policy requiring independent review of the rent check summary report in October 2011. IRS stated that the process now includes independent verification by three IRS representatives and correction of any errors as they are identified during the reviews. IRS also stated that it issued a revised policy in March 2012 requiring an independent review of changes made by the rent processing administrator to non-GSA lease data in GDI, and implemented the policy the following month. IRS’s stated actions, if successfully carried out, should address the intent of our recommendations. We will evaluate the effectiveness of IRS’s efforts during our audit of IRS’s fiscal year 2012 financial statements.
GDI Quarterly Reviews
During our fiscal year 2011 financial statement audit, we found that IRS did not sufficiently document or accurately summarize the results of its GDI quarterly reviews. IRS’s REFM division conducts a quarterly review of employee locations recorded in GDI to verify the accuracy of employee location data, which, as discussed previously, is used by IRS to allocate building rent and other occupancy costs to the occupying business units for reporting in IRS’s Statement of Net Cost.
IRS verifies approximately one-eighth of its total building space each quarter so that by the end of a 2-year cycle, 100 percent of its space will have been reviewed.45 To complete the quarterly review, the field Computer-Aided Facilities Management (CAFM) program manager in each geographic territory is required to (1) conduct a walkthrough of the space selected for verification that quarter to verify the accuracy of employee room assignments recorded in GDI, (2) complete GDI validation walkthrough sheets documenting the results of the walkthroughs, and (3) correct the data in GDI if found to be incorrect.46 After completing the walkthroughs and the GDI validation walkthrough sheets, the field CAFM program managers are to record the total number of rooms reviewed and errors found in each building onto GDI Quarterly Review Certifications and forward the certifications to the National CAFM Program Manager. The National CAFM Program Manager assigns the GDI program analyst the task of summarizing the results of all of the GDI Quarterly Review Certifications into the CAFM Quarterly Review Statistics, which is a high-level summary of the findings from all of the reviewed territories that REFM management uses to help monitor how well field CAFM program managers are keeping GDI data up to date.
45 Total building space includes both GSA and non-GSA owned space.
46 A field CAFM program manager is assigned to each of IRS’s 14 territories, which are major regions throughout the United States in which IRS’s offices are located.
We reviewed the results of IRS’s fiscal year 2011 third quarter GDI review, which covered 41 buildings across 13 territories.47 Of the 41 buildings reviewed, we found reporting errors or insufficient documentation for 18 of the buildings, as well as inconsistencies in reported results across territories.48 Specifically, we found the following:
• For six buildings, field CAFM program managers did not correctly record the number of occupancy errors from the individual GDI validation walkthrough sheets onto the GDI Quarterly Review Certifications, which caused the GDI program analyst to roll-up incorrect data onto the CAFM Quarterly Review Statistics.
• For five buildings, field CAFM program managers did not correctly record the number of rooms reviewed from the individual GDI validation walkthrough sheets onto the GDI Quarterly Review Certifications, which caused the GDI program analyst to roll-up incorrect data onto the CAFM Quarterly Review Statistics.
• For nine buildings, field CAFM program managers did not maintain sufficient documentation to support the number of rooms reviewed. Specifically, they did not use the GDI validation walkthrough sheets—which document a complete listing of the rooms reviewed—or otherwise document all of the rooms reviewed.
• Field CAFM program managers were inconsistent in how they counted and recorded occupant errors on the GDI Quarterly Review Certifications. For example, many field CAFM program managers did not include instances in which a room was noted as vacant in GDI, but was actually occupied by an employee, or when a room was noted as occupied in GDI but was actually vacant. Instead, they only included instances in which the employee listed as occupying a room in GDI was not the actual occupant. The National CAFM Program Manager informed us that occupant errors should include all of these errors. Since the GDI program analyst used the field managers’ occupant error totals on their certifications to compile the overall results, the CAFM Quarterly Review Statistics were inaccurate.
47 IRS only reviewed 13 of its 14 territories in the third quarter due to travel budget reductions. IRS postponed the quarterly review for 1 territory until the fourth quarter.
48 We identified errors with 18 buildings. However, 2 buildings each had 2 different types of errors associated with them, resulting in a total of 20 exceptions identified.
We found that at the time of our review, REFM written policy did not require supervisory review to ensure that the field CAFM program managers correctly transferred data from the GDI validation walkthrough sheets to the GDI Quarterly Review Certifications. Further, REFM written policy did not detail what types of errors were required to be included on the CAFM Quarterly Review Certifications or Statistics, and did not require staff to use the GDI validation walkthrough sheets to document their review of individual buildings.
Internal control standards require that agencies (1) implement internal control procedures to ensure the accurate and timely recording of transactions and events, (2) promptly record transactions to maintain their relevance and value to management in controlling operations and making decisions, (3) have reliable communications and accurate data in order to achieve their control objectives and help management ensure the effective and efficient use of resources, and (4) clearly document internal control and all transactions and have the documentation readily available for examination.49 From our review, we found that the field CAFM program managers did not record data correctly or consistently when recording the data from the GDI validation walkthrough sheets onto the GDI Quarterly Review Certifications, which resulted in inaccurate CAFM Quarterly Review Statistics data.
While these internal control issues did not result in misstatements to IRS’s financial statements, without accurate data on the CAFM Quarterly Review Statistics, REFM management’s ability to use the statistics as a tool for monitoring and assessing the performance of its territories in keeping GDI data up to date is hindered.
After we identified these issues, REFM established a policy in October 2011 to provide further guidance to staff conducting the quarterly GDI reviews. The policy now requires supervisory review of the GDI Quarterly Review documentation. Furthermore, it requires all staff to use a consistent template for their reviews and it clearly defines what constitutes an error. However, while the new policy is a good first step, it doesn’t go far enough to help ensure that the CAFM Quarterly Review Statistics are accurate. Specifically, while the new policy requires a supervisory review of documentation, it does not clearly require a comparison of the CAFM Quarterly Review Certifications and Statistics against the GDI validation walkthrough sheets.
49 GAO/AIMD-00-21.3.1.
Recommendations for Executive Action
We recommend that you direct the appropriate IRS officials to do the following:
• Revise existing written procedures to require supervisory review of the CAFM Quarterly Review Certifications and Statistics against the GDI validation walkthrough sheets.
• Establish mechanisms to monitor the implementation of and compliance with the revised policy established in October 2011 that requires field CAFM program managers to maintain GDI Quarterly Review documentation, including GDI validation walkthrough sheets and GDI Quarterly Review certifications, and defines the type of errors that should be captured on the CAFM Quarterly Review Certifications to help ensure that field CAFM program managers consistently compile the errors found in their quarterly reviews for compilation in the overall CAFM Quarterly Review Statistics.
IRS Comments and Our Evaluation
IRS agreed with our recommendations and stated that it revised its written procedures in April 2012 to require supervisory review of the CAFM Quarterly Review Certifications and Statistics against the GDI validation walkthrough sheets, provided training to staff on the revised procedure in May 2012, and plans to implement the procedure in June 2012. IRS also stated that in April 2012, it updated and implemented the October 2011 policy, which now requires CAFM program managers to submit electronic versions of the GDI validation walkthrough sheets and GDI Quarterly Review Certifications for territory manager review and approval, and for the territory manager to forward this documentation to the GDI program analyst and the National CAFM Program Manager for receipt, compilation, and retention. Finally, IRS stated that it updated its policy in October 2011 to clarify the types of errors and the process for reporting them on the CAFM quarterly reviews and subsequently developed a reviewers’ aid for collecting and tallying the statistics, provided training, and added a formal review of the GDI quarterly review documentation to the annual GDI program review process. IRS’s actions, if successfully carried out, should address the intent of our recommendations.
We will evaluate the effectiveness of IRS’s efforts during our audit of IRS’s fiscal year 2012 financial statements.
Leasehold Improvement Disposal Estimate
During our fiscal year 2011 financial audit, we found that IRS’s Office of Financial Reporting (OFR) made errors in its leasehold improvements (LHI) disposal estimate. The estimate represents LHI that were disposed of during the fiscal year; thus, it reduces the book value of LHI reported on IRS’s balance sheet, statement of net cost, and notes to the financial statements. In developing its fiscal year 2011 LHI disposal estimate, we found that OFR (1) did not include all of the leases extracted from its lease database, (2) erroneously included five leases that had been disposed of in fiscal year 2010 and thus had already been included in its fiscal year 2010 estimate, and (3) made an error in one of the formulas used in the LHI disposal estimate that OFR staff and supervisors did not detect. IRS’s Corporate Planning and Internal Controls group also identified the first issue in October 2011 as a result of its A-123 review.
In accordance with federal accounting standards, IRS is to capitalize costs for nonroutine repairs and alterations to leased property that extend the useful life of leased space.50 These capitalized costs are to be recorded as LHI. Because IRS does not have a subsidiary ledger for LHI, it cannot associate dollar values for specific LHI in the capitalized property and equipment balance. We previously recommended that IRS develop a subsidiary ledger for LHI and implement procedures to record LHI costs as they occur.51 While IRS implemented procedures to record LHI costs as they occur, OFR had not developed a subsidiary ledger because of other system priorities.
Lacking a subsidiary ledger, OFR developed a methodology in fiscal year 2009 to calculate an estimate of the LHI to be disposed of for the year and recorded in the property and equipment accounting records. Specifically, OFR extracts lease information from GDI, which contains details on all of IRS’s leased properties, and calculates the percentage of leases that expired in the current year. OFR then applies the percentage to the LHI balance for the respective fiscal year to calculate the disposal estimate, which it records in the general ledger.
During our review of IRS’s fiscal year 2011 LHI disposal estimate, we found that OFR made several errors in calculating the estimate. These included the following:
• Of the 2,104 leases recorded in GDI, 969 or 46 percent did not have start dates and/or expiration dates which are used to calculate the LHI disposal estimate. OFR staff did not know whether these leases should have been included in the disposal estimate and therefore, excluded them. Not determining whether these leases should have been included in calculating the LHI disposal estimate increased the potential for misstatement in the LHI disposal amount and accumulated depreciation reported on IRS’s statement of net cost and balance sheet. In addition, we found that OFR did not perform any procedures to determine the completeness or accuracy of the extracted GDI data fields. OFR officials stated that they relied on REFM, which manages GDI data, to ensure that the data were complete and accurate. Because OFR did not perform any procedures to determine whether the extraction from the GDI system was complete and accurate, the data extracted may not have been reliable to properly calculate the LHI disposal estimate.
• We identified five instances in which the same leases were used in the leasehold improvement disposal calculation for both fiscal years 2010 and 2011. These errors occurred because these lease agreements were due to expire in fiscal year 2010 but were extended into fiscal year 2011 and OFR was not aware of the lease extensions. Because these expired leases were counted twice in the disposal estimate, IRS understated LHI and understated accumulated depreciation by approximately $3.5 million at September 30, 2010.
• We also found that OFR used an incorrect formula to calculate the projected accumulated depreciation associated with the disposed LHI. This resulted in understatements of accumulated depreciation and the loss on disposals of approximately $4.7 million, which are reported on IRS’s balance sheet and statement of net cost. OFR staff informed us that the disposal calculations and supervisory reviews were performed at year-end when the agency faced other competing work demands, which limited the time that supervisors were able to devote to the review. As a result, neither the staff nor managers caught the formula error until we brought it to their attention.
50 Statement of Federal Financial Accounting Standards No. 6, Accounting for Property, Plant, and Equipment, par. 37, November 30, 1995.
51 GAO, IRS Financial and Operational Management: Recommendations to Improve Financial and Operational Management, GAO-01-42 (Washington, D.C.: Nov. 17, 2000).
Internal control standards require that control activities ensure that all transactions are complete and accurately recorded.52 The standards also require that ongoing monitoring, such as supervisory review, occurs in the normal course of operations.
While the IRM specifies how the LHI disposal estimate should be calculated, it did not require OFR to test or verify the completeness and accuracy of the data extracted from GDI nor compare prior year expired leases used in the estimate in order to reduce the likelihood of leases being used more than once in the disposal estimates.53 OFR performed supervisory review of the disposal calculations, but did not detect the errors we found in the disposal estimate. By not ensuring that (1) the data used in the LHI disposal estimate was complete and accurate, including identifying leases that may have been counted more than once; and (2) all estimates were thoroughly reviewed for accuracy, the resulting LHI disposal estimates were incorrect. Therefore, IRS is at increased risk of relying on inaccurate data for management decision making and of reporting errors in its financial statements.
IRS began taking corrective actions to address these issues after they were brought to its attention. For example, OFR modified its procedures in January 2012 to compare current year lease data to prior year lease data to identify expired leases that may erroneously appear in both databases, and to verify that leases due to expire in the current fiscal year were not extended. The revised procedures also require preparing quarterly disposal estimates rather than just one estimate at year-end, which should provide more time for supervisory review and identification of potential errors. While these are positive steps to address the errors we identified, the procedures do not include steps to help ensure the reliability of the data extracted from GDI that are used to calculate the LHI disposal estimate.
52 GAO/AIMD-00-21.3.1.
53 IRM § 188.8.131.52, Administrative Accounting, Property and Equipment Accounting: Disposals (Oct. 1, 2010).
Recommendations for Executive Action
We recommend that you direct the appropriate IRS officials to do the following:
• Establish procedures to require OFR to ensure that extracted GDI data used to calculate the leasehold improvement disposal estimate is complete and accurate.
• Implement the revised January 2012 procedures requiring comparison of the leases used in the prior year with the current year leases to help ensure that expired leases have not been extended and thus, are only counted once in the disposal estimates; and, preparation and review of leasehold improvement disposal calculations quarterly.
IRS Comments and Our Evaluation
IRS agreed with our recommendations and stated that in January 2012 it (1) implemented procedures to review the extracted GDI data for accuracy, and would continue to monitor the leasehold improvement disposal estimate for completeness and accuracy; (2) implemented the revised procedures requiring comparison of prior year to current year leases to ensure that expired leases are only counted once in the disposal estimates; and (3) implemented the revised procedures requiring preparation and review of leasehold improvement disposal calculations on a quarterly basis. IRS’s proposed actions, if successfully carried out, should address the intent of our recommendations. We will evaluate IRS’s progress and the effectiveness of its actions during our audit of IRS’s fiscal year 2012 financial statements.
Verification of End-user Receipt of Goods and Services
During our fiscal year 2011 financial audit, we found that IRS staff did not always confirm, or obtain documentation of confirmation, with the end user of a purchased product or service that the item was satisfactorily received before entering receipt and acceptance of the good/service into IRS’s procurement system.
This confirmation is essential because in many instances, the end user of the product (i.e., the requestor who physically receives the good or service) is at a different geographic location than the staff responsible for entering receipt and acceptance into the system. As a result, without following up with the end user, the staff cannot ensure that the good or service met contractual requirements before authorizing payment to the vendor.
All purchase requisitions that go through IRS’s procurement department are assigned to a contracting officer (CO).54 A contracting officer may assign a contracting officer’s technical representative (COTR) to perform certain tasks, including maintaining documentation of the receipt and acceptance of purchased goods or services in the Web Request Tracking System (WebRTS), IRS’s procurement system.55 Staff use this system to create, route, approve, track, and fund requisitions, and record the receipt and acceptance of the items purchased. Receipt signifies IRS’s acknowledgment that supplies were received or services were rendered, while acceptance signifies that IRS assumes ownership of the supplies or approves of the services rendered. Consequently, prior to entering receipt and acceptance into WebRTS, the CO/COTR is to ensure the good or service conforms to the contract requirements. In addition, IRS’s accounting technicians who process payments rely on the assertion of the COs/COTRs that goods or services have been received and accepted as a basis for authorizing payment.
54 Other transactions, such as micropurchases up to $3,000, are processed by business units rather than by the Office of Procurement.
During our audit of IRS’s fiscal year 2009 financial statements, we found that the COTRs did not always obtain or maintain documentation of confirmation with the end user of a purchased product or service prior to entering receipt and acceptance in WebRTS.
We recommended that IRS establish procedures requiring COs/COTRs to obtain and retain documentation to support receipt and acceptance prior to entering acknowledgement of receipt and acceptance in WebRTS. IRS subsequently modified its Receipt and Acceptance Handbook in March 2010 to specifically require COs/COTRs to obtain and retain documentation to support receipt and acceptance before entering the acknowledgement in WebRTS. IRS reinforced this requirement through presentations at conferences held in March and May, 2010. However, following the issuance and announcement of the policy, we continued to identify instances in which the CO/COTR did not confirm or obtain documentation of confirmation of receipt from the end user prior to entering receipt and acceptance in WebRTS.
During our fiscal year 2011 audit, we tested a statistical sample of 86 expense transactions (excluding payroll and travel expenses) processed between October 1, 2010, and May 31, 2011, and identified 11 instances where the COTRs could not provide documentation showing they had confirmed that the end users received and accepted the goods or services before the COTRs entered receipt and acceptance into WebRTS.56 This marks an increase from the 8 instances we identified during the fiscal year 2010 financial audit, during which the requirement to obtain and maintain documentation of confirmation was established. Furthermore, we found at least 2 of the COTRs responsible for the 11 exceptions identified in fiscal year 2011 were unaware of the policy requiring them to obtain written confirmation of receipt from the end user prior to entering receipt and acceptance in WebRTS.
55 According to IRS’s policy, a CO must assign a COTR for any contract over $150,000. For contracts of $150,000 or less, a CO has the option of assigning a COTR. If a COTR is not assigned to a contract, then the CO assumes the duties otherwise performed by the COTR.
56 For these 11 transactions, a COTR was assigned the responsibility of confirming receipt with the end user. Of the 86 transactions we tested, 52 were transactions that were processed through the procurement department. However, because our sample was designed to test all expense transactions (excluding payroll and travel expenses), including transactions such as printing, rent, and training that do not go through the procurement department, we are unable to project the exceptions that only applied to procurement transactions to the entire population.

Internal control standards require all personnel to possess and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal control.57 This is one of several factors that affect the control environment, which provides discipline and structure, as well as the climate which influences the quality of internal control. In addition, the standards state that management should ensure that skill needs are continually assessed and that the organization is able to obtain a workforce that has the required skills that match those necessary to achieve organizational goals. Training should be aimed at developing and retaining employee skill levels to meet changing organizational needs. Additionally, the standards require that internal controls should generally be designed to assure that ongoing monitoring occurs in the course of normal operations. Such monitoring is performed continually, is ingrained in the agency’s operations, and includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties.

IRS’s procurements undergo various levels of review to assess compliance with laws, regulations, and IRS policy.
However, these required reviews do not include an assessment of the CO’s/COTR’s adherence to the policy requiring documentation from the end user of receipt and acceptance of the good or service. In addition, although IRS notified employees of the new policy through presentations at two conferences, some COs/COTRs were still unaware of the requirement at the time of our testing. Without a proper review process in place to monitor compliance with its revised policy, IRS officials did not recognize the need for additional staff training to effectively implement the policy. By not obtaining and documenting confirmation that the end user actually received the good or service before entering receipt and acceptance, there is an increased risk that a CO/COTR could enter an invalid receipt and acceptance into WebRTS, which would result in IRS issuing payments to vendors or contractors for goods or services that were not received or did not fully conform to contractual requirements.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:

• Provide training to COs/COTRs on their specific procedural requirements for obtaining and maintaining end user documentation of receipt and acceptance of the good or service prior to entering acknowledgement of receipt and acceptance in the procurement system.

• Establish a mechanism to periodically monitor CO/COTR compliance with the requirement to obtain and document end user confirmation of receipt prior to entering receipt and acceptance to the procurement system.

57 GAO/AIMD-00-21.3.1.
IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that it has (1) revised its policy and procedures to provide specific procedural requirements for obtaining and maintaining end user documentation of receipt and acceptance of goods and services prior to entering receipt and acceptance in the procurement system; (2) developed and disseminated a user guide and a manager guide to assist business units in properly performing and monitoring receipt and acceptance; (3) conducted four receipt and acceptance workshops for COs, contracting officer representatives (CORs, formerly COTRs), managers of CORs, and end users; and (4) implemented a process to conduct at least three separate reviews of receipt and acceptance transactions annually to monitor compliance with the requirement to obtain and document end user confirmation prior to entering receipt and acceptance in the procurement system. IRS also stated that by December 2012 it plans to develop and administer training via the Enterprise Learning Management System—IRS’s online training system—to everyone profiled to enter receipt and acceptance into the procurement system. IRS’s actions, if successfully carried out, should address the intent of our recommendations. We will evaluate the effectiveness of IRS’s efforts during our audit of IRS’s fiscal year 2012 financial statements and future audits.

Patient Protection and Affordable Care Act Expenses

During our fiscal year 2011 financial audit, we found that IRS did not always identify expenses related to the Patient Protection and Affordable Care Act and the Health Care and Education Reconciliation Act of 2010 (collectively referred to as PPACA) and timely determine the appropriation to which it would charge individual PPACA-identified expenses.58 Congress enacted PPACA in March 2010 and assigned IRS a role in its implementation.
Furthermore, PPACA established the Health Insurance Reform Implementation Fund (the PPACA appropriation) within the Department of Health and Human Services (HHS), providing $1 billion of no-year funding for federal administrative expenses to be incurred in carrying out PPACA.59 HHS subsequently made defined amounts of the PPACA appropriation available to IRS and other agencies by asking the Department of the Treasury’s Financial Management Service to establish an allocation account for each agency, from which the agencies could then obligate funds for appropriate PPACA-related purposes.60 IRS established a process for identifying and tracking its PPACA-related expenses to determine which expenses to charge to the PPACA appropriation and for internal management purposes.

58 See Patient Protection and Affordable Care Act, Pub. L. No. 111-148, 124 Stat. 119 (Mar. 23, 2010); Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029 (Mar. 30, 2010). PPACA consists of provisions intended to reform the private insurance market and expand health insurance coverage to the uninsured.

59 Section 1005 of the Health Care and Education Reconciliation Act, which is codified at 42 U.S.C. § 18121, established the Health Insurance Reform Implementation Fund. No-year funding represents budget authority that remains available for obligation for an indefinite period of time.

60 After HHS had established the PPACA Fund allocation accounts for IRS and other agencies, GAO issued a legal opinion, concluding that amounts in the fund are available to pay federal administrative expenses to finance the immediate implementation of PPACA, whether such expenses are incurred by HHS or by other federal agencies. B-321823, Dec. 6, 2011 (Department of Health and Human Services—Administrative Expenses).
Specifically, IRS required each business unit to determine if an expense, including both labor expenses and purchases of goods and services, was related to the PPACA implementation. IRS required that the business units code such expenses with a PPACA internal order number so that IRS could identify which expenses to charge to the PPACA appropriation and which to charge to IRS’s own appropriations. Because expenses that were charged to the PPACA appropriation would not be funded by IRS and thus, should not appear on IRS’s financial statements, it was important for IRS to make this determination prior to compiling its year-end financial statements.

During the fiscal year 2011 audit, we identified (1) one instance in which IRS did not properly identify PPACA expenses and (2) multiple expenses coded as PPACA in IRS’s general ledger for which IRS had not determined whether they could have been charged to the PPACA appropriation prior to preparing its financial statements. Specifically:

During our interim testing of a sample of payroll expense transactions, we found an instance in which an IRS employee was detailed to work on PPACA-related projects from January 2011 through March 2011.61 However, the employee did not assign a PPACA internal order number to his/her time charges. In addition, the employee’s supervisor did not identify or correct the error during his/her review and approval of the employee’s time cards. IRS agreed that this employee’s time was incorrectly coded and subsequently made an adjustment to charge the appropriate time to a PPACA code.

During our interim testing, IRS acknowledged that because PPACA was enacted relatively recently, it was still educating staff on identifying and coding these expenses and was in the process of manually reviewing its expenses to ensure that all expenses that could be charged to the PPACA appropriation would be identified and transferred by year-end.
However, subsequently, at fiscal year-end we identified over $3.2 million in expenses coded to PPACA internal order numbers but not charged to the PPACA appropriation. When we brought these expenses to IRS’s attention, IRS officials informed us it would not have time to review them and determine whether they could be charged to the PPACA appropriation before year-end, so they remained on IRS’s books.62 We noted that $3.1 million of the total related to eight payments under a single contract that was in support of PPACA implementation which the business unit had correctly coded to a PPACA internal order number. Following the end of the fiscal year, we inquired with IRS’s legal counsel as to why IRS did not fund these expenses from the PPACA appropriation. IRS’s legal counsel informed us that since the time HHS made PPACA appropriation amounts available to IRS, it was IRS’s intent to pay for costs such as these out of the PPACA appropriation and that IRS should have funded the entire contract against those funds.

61 We identified this error during our interim testing of a statistical sample of 108 payroll transactions that occurred from October 1, 2010, through June 30, 2011. We did not propose an audit adjustment of the projected error at that point because IRS was in the process of making significant adjustments to identify and reclassify PPACA expense transactions prior to year-end. At year-end, we reviewed IRS’s reclassifications and performed data analysis on IRS’s fiscal year 2011 payroll database and determined no further adjustments were needed for the projected error.

62 We proposed an audit adjustment of over $3.2 million for the expenses with a PPACA internal order number that was included in IRS’s year-end trial balance.
IRS’s counsel added that IRS would address this issue by deobligating the $3.1 million obligated under the contract, as well as an additional $500,000 obligated but not yet spent at fiscal year-end from the agency’s own appropriations, and obligating the $3.6 million total against the PPACA appropriation instead.63 In both cases, we found that IRS did not have adequate procedures to ensure that PPACA expenses were properly identified and timely reviewed. In the first instance, IRS officials informed us that they were aware employees were not always charging labor time spent on PPACA projects to the PPACA internal order codes, and that they made several attempts to instruct employees and timekeepers on the proper coding. In the second instance, IRS lacked a review process to periodically identify and timely review expenses assigned a PPACA internal order number in order to determine if these expenses were in fact related to PPACA implementation and could be funded by the PPACA appropriation. Internal control standards state that financial information is needed for both external and internal uses.64 It is required to develop financial statements for periodic external reporting, and, on a day-to-day basis, to make operating decisions, monitor performance, and allocate resources. Pertinent information should be identified, captured, and distributed in a form and time frame that permits people to perform their duties efficiently. Furthermore, IRS has recognized the importance of managerial cost accounting by issuing its own policy on cost accounting. The policy states that the purpose of accumulating and tracking costs is to enhance managers’ ability to measure the costs of activities within their areas of control and to identify operational trends and variances and optimize the use of IRS’s resources. By not properly identifying and timely reviewing its PPACA expenses, IRS risks being unaware of the true cost of its PPACA activities. 
63 A deobligation is an agency’s cancellation or downward adjustment of previously obligated funds, enabling the agency to use those deobligated funds to acquire other goods or services within those funds’ period of availability.

64 GAO/AIMD-00-21.3.1.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:

• Establish a mechanism for monitoring compliance with the existing requirement for employees and timekeepers to charge labor time spent on PPACA projects to the PPACA accounting code, such as through issuing periodic alerts, providing training and guidance, and/or having managers perform periodic reviews of employee labor time charges.

• Design and implement procedures specifying the review steps required to identify and research all transactions identified with a PPACA internal order number in the agency’s expense files to confirm that they are PPACA-related expenses and, if so, to ensure that they are charged to the PPACA appropriation where appropriate.

IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that it implemented several corrective actions in October 2011, including issuing periodic reminders of the procedures for proper coding of PPACA labor charges, communicating at monthly division finance officer meetings the importance of correctly charging time spent on PPACA activities, monitoring PPACA expenses as part of the monthly execution report process, and reemphasizing the need for business units to conduct monthly reviews of PPACA labor charges. Additionally, IRS stated that it has implemented procedures to identify, review, and validate all PPACA expenses as part of its monthly execution report process and will conduct a review at year-end to ensure the accuracy of PPACA charges. IRS’s actions, if successfully carried out, should address the intent of our recommendations.
We will evaluate the effectiveness of IRS’s efforts during our audit of IRS’s fiscal year 2012 financial statements.

Time Card Approvals

During our fiscal year 2011 financial audit, we found that employee time cards were not always approved by a manager before being transmitted to the National Finance Center (NFC) for processing and payment.65 The IRM requires that all time and attendance records include evidence of approval by an authorized official, and that the validated and signed Pay Period 3081 Listing from IRS’s Single Entry Time Reporting System (SETR) is the official time and attendance document from which employees are paid.66 IRS employees record their time and attendance information either directly in SETR—IRS’s electronic time and attendance system—on the Pay Period 3081 Listing (electronic time card) or on other forms or formats that are subsequently input into SETR, such as a manual time card. Managers are required to review, validate, and electronically sign their employees’ time cards in SETR every pay period. The manager must, if expected to be away from the office temporarily, designate a proxy to validate and electronically sign his/her employees’ time cards in SETR.67 However, if a designated proxy validates and signs the time cards in SETR, the manager must manually sign a printed copy of the electronic time card or other manual time card.68 According to IRS’s payroll standard operating procedures in effect during the period covered by our review, regardless of who signs the time card, the manager is responsible for ensuring that all time and attendance data entered in SETR—including organization codes, internal order codes, and appropriation fund codes—are accurate and match the manual time card if used.

65 NFC is a component of the U.S. Department of Agriculture that provides administrative and financial services to many federal agencies, including IRS, on a reimbursable basis. IRS forwards personnel and payroll data to the NFC to process its payroll.

66 IRM § 6.630.1.27(3.j), (5) Time and Attendance Records (Mar. 12, 2010).

67 Managers may designate an authorized proxy to sign time cards in SETR for the manager for up to 180 days.

We tested a statistical sample of 108 payroll transactions covering payroll expenses recorded from October 1, 2010, through June 30, 2011, and found three cases in which IRS did not electronically or manually approve the employee’s time and attendance prior to payroll processing.69 In one case, a manager’s designated proxy electronically signed an employee’s time card in SETR; however, the manager did not sign the manual time card until the week before we performed our payroll transaction testing, 38 weeks after the pay period. In two cases, the employees’ time cards were not electronically signed in SETR by either the manager or a proxy; consequently, SETR automatically printed “not signed” in the signature field of the SETR printout. In the first case, the manager did not sign the manual time card until after the employee was paid. In the second case, the manager signed a manual time card, but did not date the approval.

These weaknesses were caused by several factors. First, managers did not follow proper IRM procedures to electronically or manually approve employees’ time cards before employees were paid. IRS payroll officials told us they were aware of this problem and even maintained a “repeat offenders” list of managers that frequently did not comply with the requirements, but the problem persisted.
Second, neither the IRM nor IRS’s SOP defines when the managers are required to sign the manual time card when a designated proxy signs the electronic time card in SETR.70 Third, neither the IRM nor IRS’s SOP requires the human resource specialists, who are responsible for reviewing the time cards before processing, to ensure that all time cards were signed by a manager or proxy before processing pay. Finally, there was no edit check in SETR to prevent an unsigned time card from being processed.

68 IRM § 6.6184.108.40.206, Administration of the Federal Leave System – Manager Responsibilities (Mar. 12, 2010).

69 Based on our payroll testing, we estimated that the value of such expenses that could have the same control error could be as high as $359.4 million (i.e., the net upper error limit at an 86 percent confidence level) out of a population of $6.4 billion.

70 The SOP provides detailed procedures and guidance to staff for carrying out specific responsibilities.

Internal control standards state that transactions should be accurately and timely recorded to maintain their relevance and value to management in controlling operations and making decisions.71 By not ensuring time and attendance was approved by the employee’s manager before payment, IRS risks overpaying for hours employees did not work, underpaying for hours worked but not recorded, and charging incorrect fund codes, internal order codes, and other accounting codes that affect the proper funding and classification of expenses.

During the week of our payroll testing in August 2011, IRS revised its SOP to specify that the manager or designated proxy is accountable for the validity of all time card data, rather than just the manager. However, the updated procedures do not specifically state that the designated proxy be an equivalent official or higher level manager as required in the IRM.
For example, payroll officials informed us a designated proxy may be a lead secretary. However, this is inconsistent with the IRM which states that the manager, equivalent official, or higher level manager is responsible for the approval of the time and attendance record, and that only these individuals may certify a subordinate’s hours worked and leave taken in SETR.72 A lower level proxy, who could be lower graded than the employee whose time card they are approving, may not have the knowledge to verify that the time charges are accurate, meet applicable legal requirements, and were charged to the correct fund codes, organization codes, and projects. A lower level proxy may also be less inclined to question or prevail in a disagreement with a higher level employee over the number of hours worked. To address the problem with unsigned time cards, IRS officials informed us that they were aware that managers were not always in compliance with validating and signing their employees’ time cards and stated they will implement a new policy in June 2012, to be documented in the IRM, that will (1) require the manager, or the manager’s designated proxy, to electronically sign each employee’s time card in SETR before transmitting employee’s pay records to NFC; and, (2) eliminate the use of manual time cards, making the electronic time card in SETR the only official time and attendance record. Thus, if an employee’s electronic time card in SETR is not signed, the employee will not be paid. However, the new policy will not require the designated proxy to be equivalent or at a higher level than the employee’s manager; thus, there may continue to be lower level proxies verifying and approving time and attendance data for higher graded employees. 
Implementing such a policy without this requirement would put IRS at greater risk of improperly over or underpaying employees, charging payroll expenses to the incorrect appropriation, and of misclassifying payroll expenses for both internal and external reporting purposes.

71 GAO/AIMD-00-21.3.1.

72 IRM § 6.630.1.27(11), Time and Attendance Records (Mar. 12, 2010).

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:

• Revise the payroll standard operating procedures to specify steps that the human resource specialists are required to follow to ensure that each electronic time card is signed by an authorized official before the time card is transmitted to NFC for processing and payment.

• Revise the payroll standard operating procedures to require that the designated proxy for a manager required to approve time cards be at an equivalent or higher level as the manager, consistent with the IRM.

• Incorporate in the planned 2012 policy change requiring the manager or designated proxy to sign the electronic time card before transmitting payroll records to NFC the requirement that the designated proxy be at an equivalent or higher level than the employee’s manager.

• Implement an edit control in IRS’s time card system to identify and prevent the processing of time cards that have not been electronically signed.

IRS Comments and Our Evaluation

IRS agreed with our first and fourth recommendations in this area. With respect to these two recommendations, IRS stated that by July 2012, it plans to (1) update its payroll SOP to specify steps that human resource specialists will be required to take to ensure that all electronic time cards are signed by an authorized official before they are transmitted and (2) implement an edit that will require an electronic signature for all time cards. If fully and effectively implemented, these actions should address the related deficiencies.
We will monitor IRS’s progress on these efforts during our audit of its fiscal year 2012 financial statements.

With respect to our remaining two recommendations in this area, while IRS disagreed with our recommendations, we continue to believe that additional action is warranted. Consequently, we are reaffirming both recommendations.

IRS disagreed with our recommendations that it revise both its current payroll standard operating procedures and its planned 2012 payroll policy to require that a designated proxy authorized to approve time cards be at an equivalent level to or higher level than the manager. In its comments, IRS cited IRM 220.127.116.11.4, which states that “an acting official assumes the full authority vested in or delegated to that position.”73 IRS used this to support its position that once a manager designates a staff member as his or her proxy, the staff member becomes the equivalent of the manager. IRS further stated that it is not practical for IRS to establish a minimum grade standard for those who may be designated as acting managers. Consequently, based on IRS’s comments, any of IRS’s approximately 100,000 staff members can be designated as an acting supervisor for time card approval.

73 IRM § 22.214.171.124.4, Internal Management Documents System, Delegation Orders, Related Management Matters (Oct. 10, 2008).

Such unrestricted delegation is inconsistent with other IRM policies and related IRS delegation orders. Specifically, as prescribed by IRM 6.618.104.22.168, managers have a fundamental responsibility to ensure that government resources are used efficiently and effectively, with minimum potential for waste, fraud, and mismanagement, and are accountable for (1) ensuring that all leave charges are properly recorded; (2) counseling employees on policies, regulations, and procedures related to leave and absence; and (3) identifying and correcting leave abuse and potential abuse.74 Consequently, relying on nonmanagers to perform important responsibilities, such as time card approval, when they may not have received the proper training to do so, increases the risk that errors or violations may go undetected. Similarly, because of the high volume of IRS’s workload during tax season and the nature of its tax law enforcement work, many IRS employees may earn overtime, night differentials, law enforcement differentials, or a combination of these. Unless a designated proxy has been properly trained on related legal and regulatory requirements for these various types of pay, including who is eligible to earn them, when they may be earned, and any limitations, that proxy may not have the knowledge to ensure that what employees record on their time cards meets all legal and regulatory requirements.

Further, allowing non-supervisory-level employees to serve as designated proxies for time card approval is inconsistent with related IRS procedural requirements for approval of leave and overtime. Specifically, Delegation Order 6-12 provides that authority to approve absences and charges to leave may only be delegated to employees in supervisory positions.75 Similarly, Delegation Order 6-14 provides that authority for approving the performance of paid overtime and work on holidays may only be delegated to a second-level supervisor or above.76 Consequently, allowing a nonsupervisor to approve a time card containing recorded leave, overtime, or holiday work violates these delegation orders.
Finally, internal control standards state that an agency’s control environment is affected by the manner in which the agency delegates authority and responsibility throughout the organization, and that good human capital policies should include providing a proper amount of supervision.77 For all of the reasons discussed above, we believe that IRS’s current procedures do not establish adequate internal control over the payroll approval process and do not comply with IRS’s own requirements. Until IRS takes our recommended actions to establish appropriate levels of approval both in its current procedures and planned 2012 policy change, IRS will continue to be at increased risk of improperly over- or underpaying employees, not meeting pay-related legal and regulatory requirements, and charging payroll expenses to incorrect appropriation and other accounting codes.

74 IRM § 6.6126.96.36.199, Administration of the Federal Leave System - Manager Responsibilities (Mar. 12, 2010).

75 IRM § 188.8.131.52, Delegation Order 6-12 (Oct. 23, 1998).

76 IRM § 184.108.40.206, Delegation Order 6-14 (Oct. 23, 1998).

77 GAO/AIMD-00-21.3.1.

Employee Within-Grade Pay Increases

During our fiscal year 2011 financial audit, we found that IRS managers did not always (1) make timely decisions on granting or denying within-grade increases (WGI) in pay to employees with below fully successful performance ratings, and (2) timely grant WGIs to such employees if warranted.
Managers prepare annual performance appraisals and enter them in Human Resources (HR) Connect, the personnel processing system used by IRS.78 The performance ratings in HR Connect are linked to NFC, which automatically processes WGIs in preparing IRS’s payroll for all employees who received a fully successful or higher rating based on the applicable waiting period and step.79 WGIs for employees who received a less than fully successful rating are not granted automatically and must be decided by each employee’s manager on a case-by-case basis. Each pay period, HR specialists send notifications to all managers listing their employees with less than fully successful ratings who have a WGI due within 90 days. Each manager must then provide each listed employee with a 60-day notification letter giving the employee an opportunity to improve his/her performance. If the employee’s performance does not sufficiently improve within the 60 days, the manager, in consultation with IRS Labor Relations, must notify the employee that the WGI is being denied before the due date of the WGI. If the employee sufficiently improves, the manager must provide a WGI release to the IRS payroll center. If the manager fails to (1) send the employee a 60-day notification letter in time or (2) notify the employee prior to the due date that the WGI is being denied, IRS payroll officials told us that they determined IRS must grant the employee a WGI.80 During our testing of payroll transactions, we found one instance where the manager did not properly follow IRS’s required procedures for granting or denying a WGI to an employee with a below fully successful rating.81 Specifically, the manager failed to send the employee a 60-day notification letter and provide the employee an opportunity to improve his/her performance. IRS did not become aware that the WGI was not processed until 1 year later, when the HR specialists sent the 90-day notice to the manager for a subsequent WGI. 
According to IRS officials, this occurred because the manager was not fully aware of his WGI responsibilities for employees with less than fully successful ratings, and thus did not carry out the actions he needed to take for this employee. In addition, IRS did not have a process in place requiring HR specialists to track and follow up with the managers they notified to ensure the managers followed required procedures and made timely determinations to deny or release the WGIs.

78 HR Connect is a web-based personnel processing system owned by Treasury which IRS uses to record all personnel actions, including performance appraisals.

79 For IRS employees compensated under the General Schedule, each pay grade has 10 steps. WGIs are periodic pay increases in a graded employee's pay from one step to the next higher step of that grade and are due based on the employee’s current step. Specifically, if employees are advancing to steps 2, 3, or 4, they must wait 1 year to be qualified for a WGI. For employees advancing to steps 5, 6, or 7, they must wait 2 years; and for employees advancing to steps 8, 9, 10, they must wait 3 years to be qualified for a WGI.

80 IRM § 6.500.1.3.8, Acceptable Level of Competence Determinations – Denying Within-Grade Increases (July 1, 2003).

81 During our audit, we did not specifically test for within-grade increases. This exception was identified after reviewing adjustments for retroactive pay that were processed in the same pay period as our sample transaction. Therefore, we cannot project the results for the substantive error because we selected our sample from IRS’s entire population, and not just from employees who received a within-grade increase.
IRS’s payroll staff stated that they consulted with IRS’s Labor Relations Policy office, which advised them that since the manager did not provide the employee a 60-day notification letter giving the employee the opportunity to improve his/her performance, the employee was entitled to receive a WGI retroactive to the employee’s WGI due date. Because IRS did not have a process in place to track whether managers of employees with below fully successful ratings took the required WGI actions, IRS also lacked a means of ensuring that employees whose managers failed to take such actions received a retroactive WGI. Subsequent to our bringing this issue to their attention, IRS payroll officials informed us that they were aware of this problem and had conducted a study in 2009 to investigate the causes for past due WGIs for employees with less than fully successful ratings. A March 2010 summary of the study results reported that the study found that managers were not aware of their responsibilities and the correct steps they were required to take to either release or withhold WGIs for their employees. The study found that most managers believed that a less than fully successful rating was sufficient to deny a WGI and thus, had not taken the required actions. Consequently, by not issuing these employees a 60-day notification letter, assessing their resulting performance, and making a determination to release or deny a WGI, IRS was required under its procedures to grant these employees retroactive pay increases. 
The study team made several recommendations to improve the WGI process, such as (1) sending notification and instructions to managers informing them of the WGI process 90 days in advance of the projected WGI date for those employees with a less than fully successful rating; (2) along with the 90-day advance notice, providing the managers a response form to complete indicating the date the 60-day notification letter to the employee was issued and a due date for the manager to provide the information to a central unit for tracking; (3) updating the HR Connect system to send an alert or ‘pop-up’ window to the manager that would provide additional information and instruction at the time a less than fully successful rating is entered; and (4) providing assistance to managers so that labor relations specialists can guide managers through the steps they need to take. IRS officials informed us that they started corrective actions to address the recommendations but had not fully implemented or documented these improvements in procedures or in the IRM. In particular, IRS had not yet implemented procedures to centrally track and follow up to ensure key WGI steps were performed; thus, IRS was continuing to rely on individual managers to carry out the necessary steps timely and correctly and could not ensure that all employees entitled to a WGI received one. Without central monitoring and follow-up to ensure managers are carrying out their duties, IRS is at increased risk of granting WGIs to employees who may not have earned them and of failing to pay employees WGIs they are, through management’s inaction, entitled to receive.
Recommendations for Executive Action
We recommend that you direct the appropriate IRS officials to do the following:
Remind managers of their responsibilities, procedures, and required time frames for either granting or denying a within-grade pay increase for employees with below fully successful ratings, such as by providing alerts in HR Connect when a manager enters a less than fully successful rating or providing training to remind them of their responsibilities.
Establish procedures for HR specialists to track and monitor supervisory actions taken for employees with less than fully successful ratings that have a within-grade pay increase due date within 90 days to include specific required steps for: following-up with managers to ensure the managers properly issue the employees a 60-day notification letter providing them an opportunity to improve their performance, make a timely determination on releasing or denying a within-grade pay increase, and properly carry out the requirements necessary to support the decision made; and timely granting a within-grade pay increase to such employees who were not given a 60-day notification letter.
IRS Comments and Our Evaluation
IRS agreed with our recommendations and stated that in April 2012 it issued an SOP outlining procedures for the suppression and release of WGIs, and plans to issue an alert in July 2012 to remind managers of their responsibilities and where to locate appropriate procedures. IRS also stated it will include links or regulatory references in the notices it sends to managers of employees with less than fully successful ratings with projected WGIs due in 90 days. By August 2012, IRS stated that it plans to establish a specific process for human resource specialists to track and monitor timely actions required by managers when employees have less than fully successful ratings.
IRS’s actions, if successfully carried out, should address the intent of our recommendations. We will evaluate IRS’s progress and the effectiveness of its actions during our audit of IRS’s fiscal year 2012 financial statements and future audits.
Recycled Payroll Errors
During our fiscal year 2011 financial statement audit, we found that IRS did not timely research and resolve recycled payroll transaction errors. Recycled errors are rejected payroll transactions that contained erroneous or invalid accounting data, such as incorrect fund codes, that prevented the transactions from posting automatically to IRS’s general ledger. IRS sends its biweekly time and attendance (i.e., payroll) information and personnel actions to be processed—such as promotion pay increases—to NFC, which processes the biweekly paychecks issued to IRS employees. After processing and issuing the paychecks, NFC provides IRS with data files containing the payroll and personnel transactions processed. IRS uses its Automated Interface to the National Finance Center system (AINFC) to integrate the payroll and personnel accounting data and generate extract files which IRS uses to record the payroll expenses to its general ledger. Prior to recording the transactions, AINFC performs a series of edit checks to ensure that the accounting data in the payroll transactions are valid and that the accounting data between related payroll and personnel transactions are consistent. Payroll transactions that do not pass the edit checks cannot be validated by AINFC and thus, do not automatically post to the general ledger. These transactions end up in the recycled errors file. During our fiscal year 2011 audit, we found that as of March 2011, IRS’s recycled errors file contained $4.8 million of payroll transactions that had accumulated for over 7 years without being resolved.
These recycled errors represented actual amounts processed and paid to employees by NFC and thus did not affect employee pay; however, they had not been recorded in IRS’s general ledger. These accumulated for so long because IRS did not have procedures for payroll staff to research the cause of these errors on a regular basis and make the appropriate corrections. By not researching and correcting the errors on a timely basis to ensure the related payroll transactions were timely posted to its general ledger, IRS’s payroll expenses and liabilities were understated in its financial statements. Internal control standards require that transactions be accurately and timely recorded to maintain their relevance and value to management in controlling operations and making decisions.82 After we brought this issue to the attention of IRS officials, they began researching the errors and made two system changes to AINFC late in fiscal year 2011 that resolved all but $1.2 million of the accumulated errors. IRS officials informed us that they will continue researching and resolving these errors into fiscal year 2012. While these are positive steps to address the long-standing errors, IRS has not yet established procedures requiring that the recycled errors file be reviewed on a regular basis so that any new errors can be timely researched and corrected.
82 GAO/AIMD-00-21.3.1.
Recommendation for Executive Action
We recommend that you direct the appropriate IRS officials to establish and document procedures for payroll staff to research and correct recycled errors from payroll processing on a regular and timely basis.
IRS Comments and Our Evaluation
IRS agreed with our recommendation and stated that by September 2012 it will identify, document, and implement procedures for addressing and correcting recycled errors going forward. IRS’s proposed actions, if successfully carried out, should address the intent of our recommendations.
We will evaluate IRS’s progress and the effectiveness of its actions during future audits.
----
This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on these recommendations. You should submit your statement to the Senate Committee on Homeland Security and Governmental Affairs and to the House Committee on Oversight and Government Reform within 60 days of the date of this report. A written statement must also be sent to the House and Senate Committees on Appropriations with the agency’s first request for appropriations made more than 60 days after the date of this report. Furthermore, to ensure that GAO has accurate, up-to-date information on the status of your agency’s actions on our recommendations, we request that you also provide us with a copy of your agency’s statement of actions taken on open recommendations. Please send your statement of action to me or Doreen Eng, Assistant Director, at firstname.lastname@example.org. This report is intended for use by the management of IRS. We are sending copies to the Chairmen and Ranking Members of the Senate Committee on Appropriations; Senate Committee on Finance; Subcommittee on Taxation and IRS Oversight, Senate Committee on Finance; Senate Committee on Homeland Security and Governmental Affairs; House Committee on Appropriations; House Committee on Ways and Means; and House Committee on Oversight and Government Reform, and to the Chairman and Vice-Chairman of the Senate Joint Committee on Taxation. We are also sending copies to the Secretary of the Treasury, the Acting Director of the Office of Management and Budget, and the Chairman of the IRS Oversight Board. The report is available at no charge on GAO’s website at http://www.gao.gov. We acknowledge and appreciate the cooperation and assistance provided by IRS officials and staff during our audits of IRS’s fiscal years 2011 and 2010 financial statements.
Please contact me at (202) 512-3406 or email@example.com if you or your staff have any questions concerning this report. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in enclosure III.
Sincerely yours,
Steven J. Sebastian
Managing Director
Financial Management and Assurance
Enclosures – 3
Enclosure I: Details on Audit Methodology
To fulfill our responsibilities as the auditor of the Internal Revenue Service’s (IRS) financial statements, we did the following.
Examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements; this included selecting statistical samples of unpaid assessments, revenue, refunds, payroll and nonpayroll expenses, property and equipment, and undelivered order transactions.83
Assessed the accounting principles used and significant estimates made by management.
Evaluated the overall presentation of the financial statements.
Obtained an understanding of IRS and its operations, including its internal control over financial reporting.
Considered IRS’s process for evaluating and reporting on internal control and financial systems under 31 U.S.C. § 3512 (c), (d), commonly referred to as the Federal Managers’ Financial Integrity Act of 1982, and Office of Management and Budget Circular No. A-123, Management’s Responsibility for Internal Control.
Assessed the risk of (1) material misstatement in the financial statements and (2) material weakness in internal control over financial reporting.
Tested relevant internal control over financial reporting.
Evaluated the design and operating effectiveness of internal control over financial reporting based on the assessed risk.
Tested compliance with selected provisions of the following legal provisions: Internal Revenue Code; Anti-Deficiency Act, as amended; Purpose Statute; Prompt Payment Act; Pay and Allowance System for Civilian Employees; Federal Employees’ Retirement System Act of 1986, as amended; Social Security Act of 1935, as amended; Federal Employees Health Benefits Act of 1959, as amended; Full-Year Continuing Appropriations Act, 2011, which incorporates, by reference, certain provisions of the Financial Services and General Government Appropriations Act, 2010; Federal Employees’ Compensation Act; Civil Service Retirement Act; and the Tax Relief, Unemployment Insurance Reauthorization, and Jobs Creation Act of 2010.
Tested whether IRS’s financial management systems substantially complied with the three requirements of the Federal Financial Management Improvement Act of 1996.
Performed such other procedures as we considered necessary in the circumstances.
83 These statistical samples were selected primarily to determine the validity of balances and activities reported in IRS’s financial statements. We projected any errors in dollar amounts to the population of transactions from which they were selected. In testing some of these samples, certain attributes were identified that indicated deficiencies in the design or operation of internal control. These attributes, where applicable, were statistically projected to the appropriate populations.
Enclosure II: Comments from the Internal Revenue Service
Enclosure III: GAO Contact and Staff Acknowledgments
GAO Contact: Steven J. Sebastian, (202) 512-3406 or firstname.lastname@example.org.
Staff Acknowledgments
The following individuals made major contributions to this report: Doreen Eng, Assistant Director; Oliver Culley, Auditor-in-Charge; Crystal Alfred; Laura Bednar; Sharon Byrd; Mark Canter; Lauren S. Fassler; Chuck Fox; Jennifer Franks; Mickie Gray; Mary Ann Hardy; David Hayes; Jeff Knott; Tuan Lam; Cynthia Ma; Joshua Marcus; Julie Phillips; Jim Rinaldi; John Sawyer; Christopher Spain; Chevalier Strong; Cynthia Teddleton; Lien To; LaDonna Towler; Cherry Vasquez; and Gary Wiggins.
(196249)
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO.
However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls and Operating Effectiveness
Published by the Government Accountability Office on 2012-06-25.