
Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Controls and Operating Effectiveness

Published by the Government Accountability Office on 2012-06-25.


United States Government Accountability Office
Washington, DC 20548



           June 25, 2012


           The Honorable Douglas H. Shulman
           Commissioner of Internal Revenue

           Subject: Management Report: Improvements Are Needed to Enhance the Internal
                    Revenue Service’s Internal Controls and Operating Effectiveness

           Dear Mr. Shulman:

           In November 2011, we issued our report on the results of our audit of the financial
           statements of the Internal Revenue Service (IRS) as of, and for the fiscal years
           ending, September 30, 2011, and 2010, and on the effectiveness of its internal
           control over financial reporting as of September 30, 2011.1 We also reported our
           conclusions on IRS’s compliance with selected provisions of laws and regulations
           and on whether IRS’s financial management systems substantially comply with the
           requirements of the Federal Financial Management Improvement Act of 1996. In
           March 2012, we issued a report on information security issues identified during our
           fiscal year 2011 audit, along with associated recommendations for corrective
           actions.2

           The purpose of this report is to present internal control deficiencies identified during
           our audit of IRS’s fiscal year 2011 financial statements for which we do not already
           have any recommendations outstanding. Although most of these deficiencies were
           not discussed in our report on the results of our fiscal year 2011 financial statement
           audit because they were not considered material weaknesses or significant
           deficiencies, they nonetheless warrant IRS management’s attention.3 This report
           provides 30 recommendations to address the internal control deficiencies we
           identified. We will issue a separate report on the status of IRS’s implementation of
           the recommendations from our prior IRS financial audits and related financial
           management reports, as well as this one.

           1
            GAO, Financial Audit: IRS’s Fiscal Years 2011 and 2010 Financial Statements, GAO-12-165
           (Washington, D.C.: Nov. 10, 2011).
           2
            GAO, Information Security: IRS Needs to Further Enhance Internal Control over Financial Reporting
           and Taxpayer Data, GAO-12-393 (Washington, D.C.: Mar. 16, 2012).
           3
            A material weakness is a deficiency, or a combination of deficiencies, in internal control such that
           there is a reasonable possibility that a material misstatement of the entity’s financial statements will
           not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency,
           or a combination of deficiencies, in internal control that is less severe than a material weakness, yet
           important enough to merit the attention of those charged with governance. A deficiency in internal
           control exists when the design or operation of a control does not allow management or employees, in
           the normal course of performing their assigned functions, to prevent, or detect and correct
           misstatements on a timely basis. Materiality represents the magnitude of an omission or
           misstatement of an item in a financial report that, when considered in light of surrounding
           circumstances, makes it probable that the judgment of a reasonable person relying on the information
           would have been changed or influenced by the inclusion or correction of the item.

           GAO-12-683R IRS Management Report

Results in Brief

During our audit of IRS’s fiscal year 2011 financial statements, we identified new
internal control deficiencies in the following areas:

        Monitoring Information Systems Material to Financial Reporting. IRS
         management had not performed sufficient monitoring of internal control over
         information systems material to financial reporting to determine whether such
         control was affected by any deficiencies in internal control that either
         individually or collectively constitute a material weakness that had not
         previously been reported, in accordance with Office of Management and
         Budget requirements. This was primarily because (1) IRS had not yet fully
         implemented key components of its information security program in fiscal year
         2011; (2) IRS’s monitoring of its systems focused primarily on Federal
         Information Security Management Act and related National Institute of
         Standards and Technology requirements, which were not intended to provide
         assurance over the integrity of financial reporting; and (3) IRS has a
         previously identified material weakness in information security that still existed
         in fiscal year 2011 which rendered it unnecessary for IRS to support an
         assertion indicating that the related internal controls were effective.4

        Tax Revenue Comparison. IRS did not always evaluate or resolve unusual
         variances identified in its comparison of tax revenue recorded in its general
         ledger to detailed tax revenue transactions recorded in its master files.5 In
         addition, although there was managerial review of the comparison as required
         by IRS’s procedures, the reviewer did not question these variances. These
         conditions existed primarily because IRS’s procedures did not instruct the
         preparer or the reviewer to evaluate and resolve significant or unusual
         variances that could indicate processing or other errors that would render the
         revenue data unreliable.

4
 Supporting an assertion that internal control over financial reporting is effective (referred to as
unqualified assurance) requires monitoring of those internal controls that is adequate to provide
management with sufficient, appropriate evidence to conclude that no material weaknesses exist.
However, when these internal controls are already known to be affected by one or more material
weaknesses, they are considered to be ineffective and thus an unqualified assertion is not
appropriate. Therefore, the agency does not need to be able to support one.
5
The master files contain detailed records of taxpayer accounts.



        Treasury Forfeiture Fund Reimbursable Revenue. IRS improperly
         recorded anticipated revenue from the Department of the Treasury Forfeiture
         Fund (TFF) rather than actual revenue earned, contrary to federal accounting
         standards.6 IRS is reimbursed from the TFF for its tax enforcement
         expenditures and consequently should record the reimbursements as
         reimbursable revenue. However, in fiscal year 2011, IRS improperly recorded
         reimbursable revenue and the related accounts receivable from the TFF for
         expenditures it had not yet incurred. According to IRS, this occurred because
         the unit responsible for tax enforcement erroneously included both actual and
         estimated future expenditures in the amount it reported to IRS accounting
         staff that record TFF revenue and the related accounts receivable, and the
         accounting staff were not aware that all of the expenditures had not been
         incurred at the time it recorded the revenue and receivable.

        Physical Security Reviews. IRS’s service center campus (SCC) and field
         office physical security personnel did not always properly or timely (1)
         complete the audit management checklists used to assess the physical
         security controls in place at these sites and (2) document supervisory reviews
         of completed checklists.7 This occurred primarily because IRS lacked
         procedures requiring centralized monitoring to detect whether analysts were
         properly completing such checklists and whether managers were timely and
         properly documenting their reviews of the completed checklists.

        Integrated Data Retrieval System Access. Two clerks in the campus
         support unit at one SCC improperly had the ability to make adjustments to a
         taxpayer’s account through the Integrated Data Retrieval System while also
         maintaining physical possession of hard-copy receipts in the course of their
         payment processing duties.8 Consequently, they had the potential to
         misappropriate a payment and alter the taxpayer’s account to conceal the
         theft. This occurred because IRS procedures did not specifically prohibit
         access to such system commands for certain campus support employees
         who were responsible for processing payments, and thus, IRS procedures did
         not require monitoring these particular employees’ system accesses.



6
 The Federal Accounting Standards Advisory Board (FASAB) is the body designated by the American
Institute of Certified Public Accountants as the source of generally accepted accounting principles for
federal reporting entities. The FASAB develops accounting standards and principles for the federal
government, after considering the financial and budgetary information needs of congressional
oversight groups, executive agencies, and the needs of other users of federal financial information.
7
SCCs process tax returns and payments submitted by taxpayers.
8
 A taxpayer’s account is a record of individual modules in IRS’s master files containing tax
assessment, payment, and other information related to a specific type of tax for a specific period. A
taxpayer may have multiple account modules within IRS’s master files under a unique identification
number (i.e., Social Security number or an employer identification number). Each unique account
module is identified by the taxpayer identification number, tax type (e.g., excise tax, individual tax,
payroll tax), and specific tax period (e.g., year, quarter).


        Monthly Rent Bill Allocation. The rent processing administrator was
         responsible for performing all of the key steps involved in allocating costs
         from the rent bill without any supervisory review and could edit lease data
         entered by another staff member without any independent review. This
         occurred because IRS did not have policies or procedures that required a
         supervisory review or proper segregation of duties over the rent allocation
         process.

        Graphic Database Interface System Quarterly Reviews. IRS field
         managers did not always sufficiently document or accurately summarize the
         results of their quarterly reviews of employee locations recorded in IRS’s
         Graphic Database Interface system (GDI). This occurred because IRS did not
         have sufficiently detailed written procedures for documenting the GDI
         quarterly reviews nor require supervisory review of the reported results.

        Leasehold Improvement Disposal Estimate. IRS incorrectly calculated its
         leasehold improvement disposal estimate, which resulted in understatements
         to leasehold improvement expenses and accumulated depreciation. In
         addition, supervisors responsible for reviewing the disposal calculations did
         not identify these errors. These conditions existed because IRS did not have
         procedures to assess the completeness and accuracy of the data extracted
         from GDI used in the calculation and supervisors had competing work
         demands which hindered them from identifying these errors.

        Verification of End-user Receipt of Goods and Services. IRS staff did not
         always confirm, or obtain documentation of confirmation, with the end user of
         the satisfactory receipt of a purchased product or service before entering
         receipt and acceptance of the good/service into the procurement system. This
         occurred because IRS staff were not always aware of the requirement to
         obtain and document end-user receipt confirmation and IRS did not perform
         any monitoring for compliance.

        Patient Protection and Affordable Care Act Expenses. IRS did not always
         identify expenses related to the implementation of the Patient Protection and
         Affordable Care Act and the Health Care and Education Reconciliation Act
         (collectively referred to as PPACA) and timely determine whether to charge
         individual PPACA-identified expenses to the PPACA appropriation
         established within the Department of Health and Human Services or to one of
         IRS’s own appropriations. This occurred because employees did not always
         charge time spent on PPACA to the proper codes, supervisors did not ensure
         their employees’ time was appropriately coded, and IRS lacked an adequate
         process to timely review all PPACA-coded expenses to determine which
         appropriation to charge before fiscal year-end.

        Time Card Approvals. Employee time cards were not always approved by a
         manager before being transmitted to the National Finance Center for
         processing and payment. This occurred because managers did not follow
         IRS’s procedures to electronically sign employees’ time cards, IRS did not
         have procedures requiring payroll staff to centrally review time cards to
         ensure all time cards were signed before submitting them for payment, and
         IRS’s payroll system did not have an edit check to prevent unsigned
         electronic time cards from being submitted for payment.

        Employee Within-Grade Pay Increases. IRS did not always (1) make timely
         decisions on granting or denying within-grade increases (WGIs) in pay to
         employees with below fully successful ratings as required by IRS policies and
         procedures, and (2) timely grant WGIs to such employees if warranted. This
         occurred primarily because IRS did not have a central monitoring process in
         place to ensure that managers made and timely carried out all WGI-required
         actions for employees with below fully successful performance ratings and
         that such employees subsequently entitled to receive a WGI were granted it.

        Recycled Payroll Errors. IRS did not timely research and resolve recycled
         errors– payroll transactions with data errors that prevented them from
         automatically posting to IRS’s general ledger— resulting in recycled errors
         that had accumulated for over 7 years without being resolved. These errors
         accumulated because IRS did not have procedures requiring timely research
         and correction of such errors.

These deficiencies increase the risk that IRS may not prevent or promptly detect and
correct (1) weaknesses in its internal control over its information systems material to
financial reporting; (2) errors in dollar amounts recorded in the master files and
general ledgers; (3) physical security deficiencies at its SCCs and field offices; (4)
loss, theft, or misappropriation of hard-copy taxpayer receipts; (5) errors in the
allocation of space-related expenses; (6) premature payments to vendors before
goods or services were received and receipt confirmed; (7) misidentified PPACA
expenses; (8) payroll errors; and (9) improper or delayed within-grade pay
increases. In addition, the control deficiencies identified resulted in overstatements
to Treasury Forfeiture Fund reimbursable revenue and accounts receivable, and
understatements to leasehold improvement disposal expenses, accumulated
depreciation, payroll expenses, and payroll liabilities.

We are making 30 recommendations that, if effectively implemented, should address
the internal control deficiencies we identified. These recommendations are intended
to bring IRS into conformance with its own policies, the Standards for Internal
Control in the Federal Government, or both.9

9
 GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington,
D.C.: November 1999), contains the internal control standards to be followed by executive agencies
in establishing and maintaining systems of internal control as required by 31 U.S.C. § 3512 (c), (d)
(commonly referred to as the Federal Managers’ Financial Integrity Act of 1982).

We provided IRS with a draft of this report and obtained its written comments. In its
comments, IRS agreed with all but 2 of our 30 recommendations and described
actions it had taken, had under way, or planned to take to address the control
weaknesses described in this report. IRS did not agree with 2 of the
recommendations we made to address our finding that employee time cards were
not always approved by a manager before being transmitted for processing and
payment. Specifically, IRS disagreed with the recommendations to revise its (1)
current payroll standard operating procedures and (2) planned new payroll policy to
require that a designated proxy authorized to approve time cards on behalf of a
manager be at an equivalent level to or higher level than the manager. In its
comments, IRS stated that its policy of granting temporary approval authority to
nonsupervisory personnel is not inconsistent with the Internal Revenue Manual
(IRM) and that it is not practical for IRS to establish a minimum grade standard for
acting individuals.10 We do not concur with IRS’s views on this matter, and as we
discuss in further detail later in the report, we reaffirm our recommendations. In
addition to its written comments, IRS provided technical comments on a draft of this
report, which we incorporated as appropriate. At the end of our discussion of each of
the issues in this report, we have summarized IRS’s related comments and provided
our evaluation. We have also reprinted IRS’s comments in enclosure II.

Scope and Methodology

This report addresses internal control deficiencies we identified during our audit of
IRS’s fiscal years 2011 and 2010 financial statements. As part of our audit, we
tested IRS’s internal control over financial reporting.11 We designed our audit
procedures to test relevant controls, including those for proper authorization,
execution, accounting, and reporting of transactions. To assess internal controls
related to safeguarding taxpayer receipts and information, we visited three SCCs,
four lockbox banks,12 seven Small Business/Self-Employed Division units,13 and
eight taxpayer assistance centers.14 We performed our audit of IRS’s fiscal years
2011 and 2010 financial statements in accordance with U.S. generally accepted
government auditing standards. We believe that our audit provided a reasonable
basis for our findings and conclusions in this report. Further details on our audit
scope and methodology are provided in our November 2011 report on the results of
our audit of IRS’s fiscal years 2011 and 2010 financial statement audit and are
summarized in enclosure I.15

10
  The IRM outlines business rules and administrative procedures and guidelines IRS uses to conduct
its operations, and contains policy, direction, and delegations of authority necessary to carry out IRS’s
responsibilities to administer tax law and other legal provisions.
11
  An entity’s internal control over financial reporting is a process effected by those charged with
governance, management, and other personnel, the objectives of which are to provide reasonable
assurance that (1) transactions are properly recorded, processed, and summarized to permit the
preparation of financial statements in accordance with U.S. generally accepted accounting principles,
and assets are safeguarded against loss from unauthorized acquisition, use, or disposition; and (2)
transactions are executed in accordance with the laws governing the use of budget authority and
other laws and regulations that could have a direct and material effect on the financial statements.
12
  Lockbox banks are financial institutions designated as depositories and financial agents of the U.S.
government under contract with the Department of the Treasury’s Financial Management Service to
perform certain financial services, including processing tax documents, depositing the receipts, and
forwarding the documents and data to IRS’s SCCs, which update taxpayers’ accounts. During fiscal
year 2011, there were seven lockbox banks processing taxpayer receipts on behalf of IRS.
13
 Small Business/Self-Employed Division units are field offices that serve partially or fully
self-employed individuals, individual filers with certain types of nonsalary income, and small businesses.

Monitoring Information Systems Material to Financial Reporting

IRS’s management did not perform sufficient monitoring of internal control over its
automated information systems material to financial reporting (financial reporting
systems) to determine whether such control was affected by any deficiencies in
internal control that either individually or collectively constitute a material weakness
that had not previously been reported.16 The Office of Management and Budget’s
(OMB) Circular No. A-123 (A-123) and its related implementation guide (A-123
guide) require agencies to annually assess the effectiveness of their internal control
over financial reporting and to provide a statement of assurance attesting to whether
these internal controls are effective as of June 30 each year.17 Under A-123, in order
for an agency to support an assertion that its internal control is effective (referred to
as unqualified assurance), it must have first determined, based on its A-123 internal
control assessment process, that there are no material weaknesses in internal
control over financial reporting. A-123 and the A-123 guide also include
requirements for agencies’ monitoring of internal control over automated information
systems that affect financial reporting in order to (1) determine whether these
internal controls are effective, and (2) if warranted, provide management with the
sufficient, appropriate evidence necessary to support an assertion that these
controls are effective. Since IRS’s June 30, 2011, A-123 assertion on the
effectiveness of its internal control over financial reporting was qualified based on
the existence of material weaknesses in internal control over unpaid tax
assessments and information security, it was not necessary for IRS to support such
an assertion.18 However, because IRS did not effectively monitor its financial
reporting systems, it is at increased risk of undetected deficiencies in internal control
over these systems, potentially exposing its financial information to error or fraud
and related sensitive information to unauthorized disclosure beyond the risks already
identified by the audit process. In addition, IRS would not have been able to support
an A-123 assurance statement asserting that its financial reporting systems were
free of material weaknesses, if such a conclusion were otherwise warranted.

14
  Taxpayer assistance centers are field assistance units, located within IRS’s Wage and Investment
division, designed to serve taxpayers who choose to seek help from IRS in person. Services provided
include interpreting tax laws and regulations, preparing tax returns, resolving inquiries on taxpayer
accounts, receiving payments, forwarding those payments to appropriate SCCs for deposit and
further processing, and performing other services designed to minimize the burden on taxpayers in
satisfying their tax obligations. These offices are much smaller facilities than SCCs or lockbox banks,
with staffing ranging from 1 to about 35 employees.
15
 See GAO-12-165.
16
  We would generally consider a system to be quantitatively material to financial reporting if it
processes and/or reports a material dollar amount of the transactions that are included in agency
internal and/or external financial reports during a reporting period. The assessment of the significance
of a deficiency in the internal control over such a system may be elevated if it also exhibits qualitative
characteristics, such as processing (1) an inordinately large volume of financial transactions, and/or
(2) related sensitive information the safeguarding of which is a matter of substantial concern to
financial statement users.
17
 OMB Circular No. A-123, Management’s Responsibility for Internal Control (rev. Dec. 21, 2004) and
Chief Financial Officer’s Council, Implementation Guide for OMB Circular A-123, Management’s
Responsibility for Internal Control, Appendix A, Internal Control Over Financial Reporting
(Washington, D.C.: July 2005). As a bureau of the Department of the Treasury, IRS provides an
A-123 assurance statement to Treasury which, in turn, prepares an A-123 assurance statement for the
department as a whole.

In December 2004, OMB significantly revised A-123, and in July 2005, the Chief
Financial Officer’s Council issued a related implementation guide. We reviewed
IRS’s implementation of the revised circular in fiscal year 2006, and found that IRS’s
A-123 assessment process was adequate to support its resultant June 30, 2006,
assurance statement which was qualified based on the existence of several material
weaknesses in internal control, including a material weakness over computer
security (also known as information security).19 However, we also alerted IRS that
significant additional work would be needed to enable it to support an unqualified
A-123 assurance statement, once the identified material weaknesses were resolved,
and assuming that no other material weaknesses were identified. In subsequent
years, IRS resolved two of its material weaknesses in internal control, and its A-123
internal control assessments in each of the affected areas in fiscal year 2011 were
sufficient to support IRS’s assertion that it did not have any related material
weaknesses. However, two other material weaknesses in internal control, one of
which was in information security, continued to exist as of its June 30, 2011,
assurance statement.

18
  GAO-12-165. The material weakness in internal control over information security encompasses
deficiencies we identified in internal control over key IRS financial and tax processing systems that
we considered to be material to financial reporting. An unpaid tax assessment is a legally enforceable
claim against a taxpayer and consists of taxes, penalties, and interest that have not been collected or
abated (a reduction in a tax assessment).
19
 GAO, Management Report: IRS’s First-Year Implementation of the Requirements of the Office of
Management and Budget’s (OMB) Revised Circular No. A-123, GAO-07-692R (Washington, D.C.:
May 18, 2007).

IRS has devoted significant resources to resolve its material weakness in internal
control over information security, and while it has made notable progress in
addressing a number of the control deficiencies we have identified, much remains to
be done. Supporting an assertion that internal control over financial reporting
systems is effective requires not only resolving the previously identified material
weakness in internal control over information security, but also monitoring of all of
these systems that is sufficient in both scope and methodology to reliably determine
whether there are any other deficiencies in internal control that are either individually
or collectively material. Before this can be accomplished, however, the scope and
nature of the automated systems and related internal controls that affect financial
reporting need to be defined and appropriately documented. The A-123 guide
requires agencies to develop and document a thorough understanding of their
financial reporting operations and how these operations are supported by automated
systems, to include:

        determining which specific automated systems are involved in the financial
         reporting process;

        understanding what role each of these automated systems plays in the
         financial reporting process and the nature and magnitude of transactions it
         processes and/or reports;

        determining whether each automated system identified is material to the
         financial reporting process (is a financial reporting system) and, for each
         system that is determined to be a financial reporting system, determining
         whether it is controlled by the agency or by an external service provider:

            for those financial reporting systems that are controlled by the agency,
             identifying and documenting the internal controls that each system utilizes
             to ensure that the financial transactions it processes are authorized,
             processed, and reported only in accordance with management policy; and

            for those financial reporting systems that are controlled by an external
             service provider, coordinating with the service provider to obtain an annual
             assurance statement that highlights key controls and the results of annual
             testing, and if available, reviewing the most recent report prepared in
             accordance with Statement on Standards for Attestation Engagements
             (SSAE) No. 16.20

The A-123 guide also specifies that related documentation should (1) include copies
of written policies and procedures, written memoranda, and flowcharts of system
configurations and significant processes; and (2) identify the control objectives and
the related control points designed to achieve those objectives. Completion of these
steps is necessary to provide a baseline for the design and implementation of
routine monitoring of these internal controls.

20
  SSAE No. 16, Reporting on Controls at a Service Organization, which was effective June 15, 2011,
and its predecessor, Statement on Auditing Standards (SAS) No. 70, Service Organizations, provide
standards governing reporting on internal control at service providers upon which other entities rely to
support significant aspects of their operations.

However, IRS had not yet established an appropriate baseline for monitoring internal
control over its automated systems that are material to financial reporting that would
have enabled IRS to support an unqualified assurance as of June 30, 2011, had that
been appropriate. For example, IRS did not have a complete inventory identifying
the specific automated systems that affected its financial reporting. Consequently,
IRS also had not identified which of its automated systems were considered to be
material to financial reporting. As a result, IRS lacked reasonable assurance that the
scope of any automated system monitoring procedures it conducted was sufficient to
enable it to determine whether internal control over financial reporting was effective.
For example, for its financial reporting process, IRS places extensive reliance on
automated systems that are controlled by external service providers, including the
processing of its payroll transactions and tax revenue collections. The A-123 guide
specifies that such automated systems are considered part of an entity’s information
system if they significantly affect financial transactions or reports, and should
therefore be considered in making an assessment of the effectiveness of internal
control over financial reporting. The A-123 guide describes the nature of the
procedures which may be used to monitor internal control over such service
providers as follows:

   (1) perform tests of entity internal control over the activities of the service
       provider,

   (2) perform tests of internal control at the service provider, or

   (3) review periodic reports prepared by the service provider in accordance with
       applicable standards.

Based on these procedures, the agency should

     • obtain an understanding of the controls at the service provider that are
       relevant to the entity’s internal control over financial reporting and the controls
       at the entity itself over the activities of the service provider, and

     • obtain evidence that the controls at the service provider which are relevant to
       management’s assertion, are operating effectively.

However, as of June 30, 2011, IRS had not determined which of the externally
controlled automated systems it relied upon were considered material to its financial
reporting process, and had not established and implemented procedures to monitor
these systems’ internal control over financial reporting. Consequently, with respect
to externally controlled automated systems that were material to financial reporting,
IRS had not determined whether they were affected by any deficiencies in internal
control nor had it assessed related risks to the integrity of financial data, accuracy of
financial reporting, or safeguarding of related sensitive information. In July 2011, we
provided IRS a list of the automated systems we were aware of that, based on our
understanding, appeared to be controlled by external service providers and to be
material to IRS’s financial reporting process. IRS subsequently agreed with our
conclusions with respect to 13 of these systems and identified several additional
systems, and initiated related monitoring efforts.

We also found that the monitoring IRS conducted over its internally controlled
financial reporting systems in fiscal year 2011 was not always effective. For
example:




       • Tests and evaluations of policies, procedures, and controls related to IRS’s
         financial reporting systems were not always effective. As we previously
         reported, the scope of such tests was limited, and related and previously
         reported weaknesses had not been corrected.[21] Because testing was not
         comprehensive, the risk that IRS may not be aware of existing vulnerabilities
         is increased.

       • As we previously reported, IRS did not thoroughly validate the effectiveness
         of corrective actions implemented to address previously reported
         weaknesses. As a result, IRS overestimated the extent of its progress in
         correcting these issues, and underestimated the extent of remaining
         weaknesses.[22]

In addition, we found that some internal control deficiencies we identified affecting
IRS’s internally controlled financial reporting systems had not previously been
detected by IRS’s existing monitoring process. While no monitoring process should
be expected to identify all deficiencies in internal control, the magnitude of the
deficiencies we identified of which IRS was not aware indicated that its monitoring of
internal control over its financial reporting systems was not effective in fiscal year
2011.

These deficiencies in IRS’s monitoring of its financial reporting systems existed for
several reasons:

       • As we have previously reported, IRS had not yet fully implemented key
         components of its comprehensive information security program during fiscal
         year 2011.[23] The Federal Information Security Management Act (FISMA)
         requires agencies to develop, document, and implement an information
         security program that encompasses, among other elements, (1) periodic risk
         assessments, (2) risk-based policies and procedures that are designed to
         cost-effectively ensure compliance with applicable requirements, (3) plans for
         providing adequate information security, (4) security awareness training for
         personnel, (5) periodic testing and evaluation, and (6) a remedial action
         process to address identified deficiencies.[24] However, in each of these areas,
         IRS’s information security program was not fully effective in fiscal year 2011.


[21] GAO-12-393.
[22] GAO-12-393.
[23] GAO-12-393.
[24] FISMA was enacted as title III of the E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat.
2899, 2946 (Dec. 17, 2002). FISMA was enacted to strengthen the security of information and
systems within federal agencies. FISMA requires each agency to develop, document, and implement
an agencywide information security program for the information and information systems that support
the operations and assets of the agency, using a risk-based approach to information security
management.



       • IRS’s monitoring of internal control over its automated systems has been
         focused on compliance with FISMA and related National Institute of
         Standards and Technology (NIST) standards.[25] However, FISMA and NIST
         requirements, while very important, are intended to strengthen the overall
         security of IRS’s automated information systems in general, rather than to
         provide specific assurance over the integrity of financial reporting, and thus
         alone are not sufficient for this purpose.

       • Because IRS has had a material weakness in its internal control over
         information security each year since the revised A-123 was first effective in
         fiscal year 2006, it has not been necessary for IRS to support an assertion
         that related internal control over its financial reporting systems was effective.

As a result of these limitations in the scope and methodology of IRS’s financial
reporting systems monitoring process in fiscal year 2011, IRS management did not
have sufficient information available to reliably conclude whether there were any
deficiencies in internal control over systems that were individually or collectively
material to financial reporting, apart from those issues that had been previously
identified and reported. Consequently, IRS could not have supported an A-123
statement of assurance indicating that related internal control was effective, even if
providing such an assertion would have otherwise been appropriate. In addition, the
lack of effective monitoring increases the risk that additional deficiencies in internal
control of which IRS is not aware may exist in these systems, further increasing the
risk of compromising the integrity of financial reports and the confidentiality of related
sensitive information. Appropriately minimizing these risks requires establishing and
effectively implementing routine, effective monitoring of internal control surrounding
all aspects of the flow of financial transaction data from the time it is first entered to a
financial reporting system until the data are included in internal and/or external
financial reports. This includes monitoring internal control over (1) the safeguarding
of the data that reside in any of these systems, and (2) the transmission of data
between multiple systems, if applicable. Identifying, documenting, and monitoring
such internal controls requires close cooperation between information technology
specialists who have the necessary systems expertise, chief financial officer
personnel who understand the financial transactions being processed and reported,
and where externally controlled systems are being relied upon, the service providers
who control those systems. IRS has made progress in this regard. For example,
during fiscal year 2011 IRS established cross-functional teams incorporating
representatives from the financial and information technology disciplines to address
areas considered to be of high risk. However, successful, ongoing monitoring of
internal control over these systems requires a long-term commitment to routine,
institutionalized monitoring over time as conditions change, existing systems
continue to age and evolve, and new systems are brought into service.

As noted above, we previously reported some of these issues in a management
report that discussed IRS’s fiscal year 2011 internal control over information

[25] FISMA also assigned to NIST the responsibility for developing standards and guidelines that include
minimum information security requirements. See 15 U.S.C. § 278g-3.


security, and provided appropriate related recommendations.[26] With respect to those
control deficiencies discussed in this section that were not included in that report,
our recommendations are detailed below.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:

       • Establish and document an inventory of the specific systems involved in IRS’s
         financial reporting process, including (1) describing what role each system
         plays in the financial reporting process, (2) concluding whether each system
         is considered to be material to financial reporting and why, and (3) denoting
         whether each system is controlled by IRS or by an external service provider
         and, if the latter, identifying the service provider.

       • Enhance existing policies and procedures pertaining to monitoring internal
         control over the automated systems operated by IRS personnel to specifically
         provide for routine, documented monitoring of the specific internal controls
         within its financial reporting systems that are intended to ensure the integrity
         of the data reported in the financial statements and other financial reports.
         This monitoring process should (1) involve both automated systems
         specialists and individuals with expertise in accounting and reporting, as
         appropriate, (2) encompass the specific automated internal controls that
         affect the authorizing, processing, transmitting, or reporting of material
         financial transactions, and (3) be designed to determine whether these
         internal controls are in place and operating effectively.

       • For any system identified as material to IRS’s financial reporting process
         which is controlled by an external service provider, establish policies and
         procedures requiring and defining a routine, documented process for
         coordinating with the service provider to appropriately monitor related internal
         control. This may entail establishing an agreement with each service provider
         to allow IRS personnel the access to either (1) the system concerned, as
         necessary to perform appropriate monitoring of internal control over financial
         reporting; or (2) periodic reports prepared in accordance with SSAE No. 16
         documenting the results of monitoring performed by the service provider.

       • Establish policies and procedures with respect to any external financial
         reporting system IRS personnel themselves do not directly monitor that
         specify required steps to routinely review periodic reports prepared by service
         providers’ auditors in accordance with SSAE No. 16, including steps to
         document (1) an assessment of whether a review’s scope, methodology, and
         timing is appropriate to satisfy IRS’s objectives; (2) any control deficiencies
         disclosed in the report, and an assessment of their materiality to IRS’s
         financial reporting process and related risks; and (3) any compensating
         internal controls needed to mitigate any actual or potential effects of identified

[26] GAO-12-393.


        deficiencies upon IRS’s internal and external financial reports resulting from
        any (a) material weakness, or (b) significant shortcoming in the scope,
        methodology, or timing of any SSAE No. 16 report reviewed relative to IRS’s
        internal control objectives.

IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that it would take the following
actions by December 2013. IRS stated that it would modify its listing of systems
involved in the financial reporting process to include (1) a description of the role
each system plays, (2) whether the system is considered material to the financial
statements, and (3) whether the system is controlled by IRS or by an external
service provider and, if the latter, identify the service provider. For all systems
identified as material to IRS’s financial reporting process, IRS stated that it would
enhance existing policies and procedures to appropriately monitor internal controls
over the automated systems operated by IRS personnel to include performing
periodic and routine examinations of the financial systems that authorize, process,
transmit, or report material financial transactions; such reviews will use
multidisciplinary teams consisting of automated systems specialists and accounting
and reporting experts. IRS will develop policies and procedures using the financial
systems monitoring process to determine whether the internal controls over these
automated systems are in place and operating effectively. In addition, for all
externally controlled financial systems that are identified as material to the financial
statements, IRS stated that it would establish procedures for coordinating an internal
control review with service providers and develop policies and procedures to
document and routinely report on reviews of external providers’ adherence to IRS’s
internal control objectives. IRS’s proposed actions, if successfully carried out, should
address the intent of our recommendations. We will evaluate IRS’s progress and the
effectiveness of its actions during future audits.

Tax Revenue Comparison

During our fiscal year 2011 financial audit, we found that IRS did not always
evaluate or resolve unusual variances identified in its comparison of tax revenue
recorded in its general ledger to detailed tax revenue transactions recorded in its
master files. IRS uses two different systems to record tax revenue transactions. IRS
records summary-level financial information by tax class in its general ledger, which
it uses to report total federal tax revenue receipts on the Statement of Custodial
Activity,[27] and records detailed transaction-level activity in its master files, which it
uses to report receipts by both tax class and tax year in the notes to the financial
statements. Since the two systems are not integrated, IRS performs a comparison
between the tax revenue recorded in the general ledger and that recorded in the
master files to (1) ensure that the two independent systems are materially consistent

[27] Tax class refers to the classification of nonexchange revenues for taxes levied against taxpayers for
the following tax categories: (1) individual income, Federal Insurance Contributions Act (FICA), and
Self-Employment Contribution Act (SECA); (2) corporate income; (3) excise; (4) estate and gift; (5)
railroad retirement; and (6) federal unemployment.



for both internal and external reporting purposes, and (2) account for expected
timing differences between the general ledger postings and the master files. This is
critical because the general ledger is used to generate the financial statements while
only the master files have the detail to support the breakout of revenue collections
by tax year in the footnotes to the financial statements in conformity with federal
accounting standards.[28]

Under IRS’s tax revenue collection and posting process used in fiscal year 2011,
IRS normally recorded taxpayer receipts in the general ledger daily while the specific
detailed transaction activity was updated in the master files weekly. Consequently, at
any point in time, the general ledger revenue balance should have been larger than
the master files balance since taxpayer receipts were posted to the master files later.
However, during our fiscal year 2011 audit, we found that IRS’s comparison
identified variances in which the master files revenue balance exceeded the general
ledger revenue balances for both the (1) corporate and (2) estate and gift tax
classes, yet IRS did not evaluate these variances or attempt to resolve them until
after we brought the matter to its attention. Such variances could be an indication of
processing or other errors, which could render the revenue data unreliable. In
addition, although there was managerial review of the comparison as required by
IRS’s procedures, the reviewer did not question these variances.

Internal control standards state that control activities, including comparisons, must
be clearly documented, periodically updated, and readily available for examination.[29]
Further, information presented in these comparisons must be evaluated in order to
be most useful to the agency. IRS staff did not always evaluate or resolve the
unusual variances identified in its comparison of tax revenue recorded in the general
ledger to that recorded in its master files because IRS lacked sufficiently detailed
guidance over the steps required to effectively prepare and review the comparison.
Specifically, IRS’s written procedures only required that a comparison be performed
and be reviewed by management. Although an IRS official told us that the preparer
of the comparison should evaluate and resolve significant and unusual variances,
the written procedures did not instruct the preparer or reviewer to evaluate and
resolve such variances, nor did they specify criteria for determining what constituted
a significant or unusual variance. IRS reconciled the revenue recorded in the general
ledger to the revenue deposited at Treasury to ensure the general ledger balances




[28] Statement of Federal Financial Accounting Standards No. 7, Accounting for Revenue and Other
Financing Sources and Concepts for Reconciling Budgetary and Financial Accounting, paragraph
65.3, May 10, 1996, states that cash collections and refunds by tax year and type of tax should
include cash collections and cash refunds for the reporting period and for sufficient prior periods to
illustrate (1) the historical timing of tax collections and refunds, and (2) any material trends in
collection and refund patterns.
[29] GAO/AIMD-00-21.3.1.



were materially correct.[30] However, the comparison of the general ledger to the
master files was IRS’s only means of ensuring that tax revenue collection
information presented by tax year in its notes to the financial statements was
accurately presented and materially correct. By not evaluating and resolving
significant or unusual variances in the comparison of the general ledger to master
files, IRS is at increased risk that errors in the master files may not be identified and
appropriately resolved. This, in turn, (1) jeopardizes the integrity of the underlying
taxpayer accounts, which could increase the burden to affected taxpayers; and (2)
puts IRS at risk of inaccurately reporting its revenue collections by tax year.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:

       • Update IRS’s procedures for comparing tax revenue recorded in the general
         ledger to detailed tax revenue transactions recorded in the master files to (1)
         establish minimum criteria defining a significant or unusual variance and (2)
         specify the steps required to effectively evaluate and resolve these variances.

       • Update IRS’s procedures for comparing tax revenue recorded in the general
         ledger to detailed tax revenue transactions recorded in the master files to
         require that management reviews ensure preparers evaluate and resolve
         unusual or significant variances.

IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that by October 2012 it would
update its revenue reconciliation desktop procedures to establish minimum criteria
for defining significant or unusual variances related to revenue, specify the steps
required to effectively evaluate and resolve these variances, and require a review
and sign-off by a manager to ensure that preparers evaluate and resolve significant
or unusual variances. IRS’s proposed actions, if successfully carried out, should
address the intent of our recommendations. We will evaluate IRS’s progress and the
effectiveness of its actions during future audits.

Treasury Forfeiture Fund Reimbursable Revenue

During our fiscal year 2011 financial audit, we found that IRS improperly recorded
and reported anticipated revenue from the Department of the Treasury Forfeiture
Fund (TFF) rather than actual revenue earned, contrary to federal accounting
standards. IRS receives funds from TFF under the Treasury Forfeiture Fund Act of


[30] In accordance with 26 U.S.C. § 7809, unless a specific statutory exception applies, all taxes
collected by IRS are required to be paid daily into the U.S. Treasury. IRS accomplishes this by
depositing all of the taxes collected to various financial institutions, which in turn make daily deposits
via wire transfer or through the Automated Clearing House (an electronic network for financial
transactions) to the Federal Reserve Bank for credit to the Treasury’s general account.



1992.[31] These funds represent reimbursements for tax law enforcement
expenditures. In its procedures implementing the act, IRS states that mandatory tax
law enforcement expenditures include costs of activities incurred in seizing assets
from the public for unpaid tax debts; and discretionary tax law enforcement
expenditures include costs of specific projects related to enforcement activities. In
accordance with Treasury’s accounting policy for the recognition of TFF revenue and
related intradepartmental transactions, IRS initially records all reimbursements from
TFF as reimbursable revenue and subsequently reclassifies the portion received for
discretionary expenditures as transfers in without reimbursement for financial
reporting purposes.[32] IRS’s Beckley Finance Center (BFC) is responsible for
recording reimbursable revenue, transfers in without reimbursement, and accounts
receivable from TFF. The amounts recorded by BFC are based on expenditures
reported to it by IRS’s Criminal Investigation division (CID), which performs the tax
enforcement services for which TFF reimburses IRS.

During our testing of IRS’s TFF revenue earned during fiscal year 2011, we found
that IRS improperly recorded reimbursable revenue and the related accounts
receivable from the TFF at fiscal year-end based on anticipated (i.e., estimated)
rather than actual revenue earned. Specifically, we found IRS recorded $38 million
in reimbursable revenue for both mandatory and discretionary TFF expenditures in
fiscal year 2011, while actual expenditures totaled $11.3 million, resulting in IRS
overstating reimbursable revenue and accounts receivable by $26.7 million.[33]
According to the memorandum of understanding between Treasury and IRS, TFF
will reimburse IRS only for actual expenditures. By recording TFF revenue based on
anticipated rather than actual expenditures, IRS overstated the amount of
reimbursable revenue, transfers in without reimbursement, and accounts receivable
reported in its fiscal year 2011 financial statements by the portion of the estimated
expenditures IRS did not actually incur by fiscal year-end. Should IRS not actually
spend the amount estimated, subsequent years’ accounts will be understated when
IRS adjusts for the difference between the estimated and actual expenditures.

According to federal accounting standards, revenue from exchange transactions
should be recognized when services are performed or when costs are incurred from
providing the services.[34] IRS’s Reimbursable Operating Guidelines also state that
revenue should not be recognized until costs have been incurred.[35] The guidelines

[31] 31 U.S.C. § 9703.
[32] Reimbursable revenue is included in “earned revenue” on IRS’s Statement of Net Cost and
“transfers in without reimbursement” is included in “transfers in/out without reimbursement” on IRS’s
Statement of Changes in Net Position.
[33] $18.3 million of reimbursable revenue was subsequently transferred to transfers in without
reimbursement for financial statement reporting purposes.
[34] Statement of Federal Financial Accounting Standards No. 7, Accounting for Revenue and Other
Financing Sources and Concepts for Reconciling Budgetary and Financial Accounting, par. 36(a) and
37, May 10, 1996, amended June 30, 2011.
[35] IRM § 1.33.3.8.2 (5), Recognition of Earned Reimbursements (rev. Feb. 11, 2011).


also require reimbursable projects to be closed at the end of each fiscal year.
However, IRS officials informed us that because CID had contracts that extended
beyond the end of the fiscal year, CID erroneously reported to BFC total TFF
expenditures for the fiscal year that included both (1) actual expenditures incurred
and (2) expenditures it expected to incur in the future under these contracts, even
though those expenditures had not yet occurred. IRS officials also said BFC was
unaware that CID had not yet incurred all of these expenditures until we brought it to
their attention, and thus, it improperly recorded reimbursable revenue that had not
been earned, contrary to federal accounting standards. This resulted in overstated
amounts being reported in IRS’s financial statements. IRS officials said they have
since discussed this with CID staff and are developing a process to help ensure that
amounts for TFF reimbursable revenue and related accounts are recorded properly.

Recommendation for Executive Action

We recommend that you direct the appropriate IRS officials to establish and
document procedures for ensuring that recorded reimbursable revenue, transfers in
without reimbursement, and accounts receivable from the TFF conform to federal
accounting standards.

IRS Comments and Our Evaluation

IRS agreed with our recommendation and stated that in January 2012 it developed
and implemented a direct charge reimbursable process for mandatory TFF
expenditures. If successfully carried out, this should address the intent of our
recommendation for mandatory TFF expenditures. IRS stated that it is still in
discussions with Treasury to develop related processes for recording discretionary
TFF expenditures that will conform to federal accounting standards. We will evaluate
IRS’s progress and the effectiveness of its actions during future audits.

Physical Security Reviews

During our fiscal year 2011 financial audit, we found that physical security analysts
did not always properly or timely complete the Physical Security and Emergency
Preparedness (PSEP) audit management checklist at the SCCs and field office
locations we visited. In addition, we found that PSEP territory managers did not
always properly or timely document their required reviews of completed checklists.

IRS PSEP analysts at SCCs and field offices are responsible for completing the
audit management checklist, which includes steps to test controls for limiting and
controlling building access, reviewing security guards’ training records and
performance requirements, and validating that surveillance cameras and other
related equipment are properly operating. We previously recommended that IRS
improve its internal controls related to physical security at its processing facilities
and field offices by (1) reviewing the audit management checklist for clarity and
revising the assessment questions as appropriate, (2) issuing written guidance to
accompany the audit management checklist that explains the relevance of the
questions and the methods that should be used to assess and test the related


controls, (3) providing training to physical security analysts responsible for
completing the audit management checklist to help ensure that checklist questions
are answered appropriately and accurately, (4) establishing and documenting the
minimum frequency for how often the audit management checklist should be
completed at each SCC and field office, and (5) establishing policies requiring
documented managerial reviews of completed audit management checklists.
Furthermore, we recommended that managerial reviews should document (1) the
time and date of the review, (2) the name of the manager performing the review, (3)
the supporting documentation reviewed, (4) any problems identified with the
responses on the checklists, and (5) corrective actions to be taken.[36]

IRS implemented corrective actions to address these recommendations. Specifically,
in July 2010, IRS revised the Standard Operating Procedures (SOP) for completing
the audit management checklist to include requirements for PSEP analysts to
complete the audit management checklist quarterly at SCCs and for territory
managers to document their review of completed checklists. In addition, in
December 2010, IRS asserted that PSEP security analysts had received training on
the proper completion of the audit management checklist. However, during our fiscal
year 2011 audit, we found that physical security analysts and territory managers did
not always follow the requirements outlined in the SOP. Specifically, we found the
following:

       • At all three SCCs we visited, analysts did not complete the checklist quarterly
         as required. Specifically, at one SCC we visited in April 2011, we found that
         the checklist had not been completed since February 2008, a span of over 2
         years. At a second SCC, we found that analysts did not complete the
         checklist during the first two quarters of fiscal year 2011 or the last two
         quarters of fiscal year 2010. At another SCC, we found that the analyst did
         not complete the checklist during the first two quarters of fiscal year 2011.

       • At two field offices, physical security analysts did not use the most recent
         version of the checklist at the time of the most recent review.

       • At one field office, the checklist did not include the territory manager’s
         signature indicating that it had been reviewed. At another field office, the
         territory manager signed the checklist but did not indicate the date of the
         review. At two other field offices, the territory manager’s review was dated 5
         months after the checklist was completed.

The PSEP analysts and territory managers we spoke with during our visits all stated
that they were aware of the requirements for completion and review of the audit
management checklist contained in the SOP, but that they had not been followed
due to oversight or other tasks being given higher priority. In addition, we found that
there was no requirement for centralized monitoring to detect whether (1) analysts
were properly completing checklists, and (2) territory managers were timely and

36 GAO, Management Report: Improvements Are Needed in IRS’s Internal Controls and Compliance
with Laws and Regulations, GAO-10-565R (Washington, D.C.: June 28, 2010).


properly documenting their reviews of the completed checklists. Also, the PSEP
SOP did not specify the required timing of the management review to help ensure
that analysts properly completed the checklists and that identified problems were
timely addressed.

Internal control standards state that control evaluations, such as reviews of control
design and tests of internal controls, are useful because they focus directly on the
controls' effectiveness at a specific time.37 These evaluations should be accurately
and promptly recorded to maintain their relevance and value to management in
controlling operations and making decisions. Deficiencies found during such
evaluations should be communicated to individuals at least one level of
management above the individual performing the evaluation. Not properly
completing or timely reviewing the audit management checklist increases the risk
that weaknesses in controls designed to secure and safeguard vulnerable assets will
go undetected and/or uncorrected. This, in turn, increases the risk that IRS will not
properly detect or prevent the theft, loss of, or unauthorized access to taxpayer
receipts and related sensitive information.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:

        • Establish requirements specifying a required time frame for territory
         managers to perform the required review and approval of completed audit
         management checklists.

        • Establish procedures requiring PSEP headquarters to centrally monitor
         compliance with the audit management checklist process to ensure that (1)
         PSEP analysts timely complete their physical security reviews using the
         proper audit management checklists and (2) territory managers timely review
         and properly document their reviews of completed audit management
         checklists.

IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that by October 2012 it would
update the audit management checklist SOP to require that territory managers
review and approve completed checklists within 30 days of the PSEP analyst’s
signature date. IRS also stated that the updated SOP would require the Audit
Management Program Office to perform quarterly reviews designed to ensure that
(1) territory offices complete the audit management checklist at campuses on a
quarterly basis and at posts-of-duty on an annual basis using the most current
checklist and (2) territory managers document their review and approval of
completed checklists within 30 days of the PSEP analyst’s signature date. IRS’s
proposed actions, if successfully carried out, should address the intent of our


37 GAO/AIMD-00-21.3.1.


recommendations. We will evaluate IRS’s progress and the effectiveness of its
actions during future audits.
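
The centralized monitoring recommended above can be run as a script over checklist records, applying the rules IRS committed to: quarterly checklists at campuses, annual ones at posts-of-duty, the most current checklist version, and a dated territory manager review within 30 days of the analyst's signature. The Python below is an added example, not GAO's or IRS's code; the record fields, version labels, site names and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_WINDOW_DAYS = 30          # manager review due within 30 days of analyst signature
CURRENT_VERSION = "v-current"    # hypothetical label for the most current checklist


@dataclass(frozen=True)
class Checklist:
    site: str
    version: str
    analyst_signed: date
    manager_signed: bool = False
    manager_review_date: Optional[date] = None


def fiscal_quarter(d):
    """Federal fiscal year starts October 1, so October 2010 is FY2011 Q1."""
    fy = d.year + 1 if d.month >= 10 else d.year
    return fy, ((d.month - 10) % 12) // 3 + 1


def review_findings(c):
    """Documentation problems on one completed checklist."""
    findings = []
    if c.version != CURRENT_VERSION:
        findings.append("outdated checklist version")
    if not c.manager_signed:
        findings.append("no territory manager signature")
    elif c.manager_review_date is None:
        findings.append("manager review not dated")
    elif (c.manager_review_date - c.analyst_signed).days > REVIEW_WINDOW_DAYS:
        findings.append("manager review later than 30 days")
    return findings


def monitor(sites, checklists, fiscal_year, through_quarter):
    """Central review as of the end of `through_quarter` of `fiscal_year`.

    sites maps site name -> "campus" (quarterly) or "post_of_duty" (annual).
    Returns {site: [finding, ...]} for sites with at least one finding.
    """
    report = {}
    for site, site_type in sites.items():
        in_year = sorted(
            (c for c in checklists
             if c.site == site and fiscal_quarter(c.analyst_signed)[0] == fiscal_year),
            key=lambda c: c.analyst_signed)
        done_quarters = {fiscal_quarter(c.analyst_signed)[1] for c in in_year}
        issues = []
        if site_type == "campus":
            issues += [f"FY{fiscal_year} Q{q} checklist missing"
                       for q in range(1, through_quarter + 1) if q not in done_quarters]
        elif through_quarter == 4 and not in_year:
            # The annual requirement can only be judged once the year is over.
            issues.append(f"FY{fiscal_year} checklist missing")
        for c in in_year:
            issues += [f"{c.analyst_signed.isoformat()}: {f}" for f in review_findings(c)]
        if issues:
            report[site] = issues
    return report


# Constructed sample records (not data from the report).
SITES = {"campus_1": "campus", "campus_2": "campus",
         "office_a": "post_of_duty", "office_b": "post_of_duty"}
CHECKLISTS = [
    Checklist("campus_1", CURRENT_VERSION, date(2008, 2, 12), True, date(2008, 2, 20)),
    Checklist("campus_2", CURRENT_VERSION, date(2010, 11, 5), True, date(2010, 11, 19)),
    Checklist("campus_2", CURRENT_VERSION, date(2011, 2, 8), True, date(2011, 3, 1)),
    Checklist("office_a", "v-previous", date(2010, 11, 15), True, None),
    Checklist("office_b", CURRENT_VERSION, date(2010, 12, 1), True, date(2011, 5, 2)),
]

if __name__ == "__main__":
    for site, issues in monitor(SITES, CHECKLISTS, 2011, 2).items():
        for issue in issues:
            print(f"{site}: {issue}")
```
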

Integrated Data Retrieval System Access

During our fiscal year 2011 audit, we found that IRS’s controls did not provide for
effective segregation of duties for processing of hard-copy taxpayer receipts at
consolidated SCCs. Specifically, during our visit to the campus support unit at one
SCC, we identified two clerks who had the ability to make adjustments to a
taxpayer’s account through the Integrated Data Retrieval System (IDRS),38 and who
also maintained physical possession of hard-copy taxpayer receipts in the course of
their payment processing duties. Consequently, they had the potential to
misappropriate a payment and alter the taxpayer’s account to conceal the theft.

Internal control standards state that key duties and responsibilities should be
segregated among different people to reduce the risk of error or fraud.39 The
standards further state that this segregation of duties should include dividing the
responsibilities for authorizing, recording, and reviewing transactions, as well as
handling any related assets. No one individual should be in a position to both cause
and conceal an error or irregularity by controlling certain key aspects of a transaction
or event. Internal control standards also state that internal control should generally
be designed to assure that ongoing monitoring occurs in the course of normal
operations, and includes regular management and supervisory activities,
comparisons, reconciliations, and other actions people take in performing their
duties. IRS’s IRM states that the first line manager of IDRS users is responsible for
day-to-day implementation and administration of IDRS security in his or her unit,
which includes ensuring the command code usage of employees with sensitive
command codes is reviewed at least monthly.40 A lack of sufficient segregation of
duties over campus support activities increases the risk of unauthorized access to
taxpayer information, which can lead to the loss, theft, or misuse of this information.

In campus support units, IRS clerks process hard-copy taxpayer receipts through an
electronic check presentment system by manually feeding checks into a scanner.41
The scanned image of the check is then electronically transmitted to the bank for
deposit. Clerks also use IDRS, which allows them to access taxpayer account

38 IDRS is an IRS computer system that provides employees with the ability to research taxpayer
account information, request tax returns and account transcripts, input transactions such as
adjustments and entity changes, input collection information for storage and processing in the
system, and generate notices, collection documents, and other outputs.
39 GAO/AIMD-00-21.3.1.
40 IRM § 10.8.34.3.1.3 (1), (2), Front/First Line Manager (Oct. 14, 2011). Each employee who uses
IDRS is assigned a command code profile that determines the types of transactions he or she can
process.
41 During fiscal year 2009, IRS implemented the electronic check presentment systems in its
consolidated SCCs. The system was implemented in selected taxpayer assistance centers during a
pilot program in fiscal year 2011. As of March 2012, IRS has expanded the program to include 383 of
its existing 398 taxpayer assistance centers.


information. Each employee’s level of access to IDRS is determined by his or her
specific role and responsibilities and is controlled by a command code profile that
determines the type of transactions he or she can process. A Unit Security
Representative (USR) assigns IDRS command code profiles to each employee. In
some cases, the group manager is designated as the USR, while in other cases, the
group manager is not the USR but coordinates with the USR to help ensure that
IDRS security is effectively implemented for the group.

In reviewing the IDRS command code profiles of clerks at the campus support unit
we visited, we noted two clerks’ profiles included command codes that allowed them
to make adjustments to a taxpayer’s account. IRM section 10.8.34, which contains
universal security policies for all IRS units, prohibits certain types of employees from
having command codes that allow them to make adjustments to the balance of a
taxpayer’s account, but it does not explicitly prohibit such command codes for
campus support clerks who process payments through the electronic check
presentment system. Furthermore, the campus support managers we spoke with
stated they primarily relied upon IRM section 21, Customer Account Services, for
guidance over campus support operations, which also does not explicitly prohibit
such command codes for campus support clerks who process payments through the
electronic check presentment system. In addition, while IRM section 10.8.34.3.1.3
requires front line IDRS group managers to review the command code profiles of
employees with sensitive command code combinations at least monthly, neither IRM
section 10, Security, Privacy, and Assurance, nor IRM section 21 explicitly identified
campus support clerks who processed payments through the electronic check
presentment system as an IDRS user class for which certain sensitive command
codes were prohibited, and thus the managers we spoke with did not perform the
monitoring activities required by IRM section 10.8.34.3.1.3. By not ensuring that
computer access rights of campus support employees responsible for processing
hard-copy taxpayer receipts through the electronic check presentment system have
been appropriately restricted, IRS increases the risk of loss, theft, or
misappropriation of such receipts.

Recommendation for Executive Action

We recommend that you direct the appropriate IRS officials to update the IRM to
specify steps to be followed to prevent campus support clerks as well as any other
employees who process payments through the electronic check presentment system
from making adjustments to taxpayer accounts.

IRS Comments and Our Evaluation

IRS agreed with our recommendation and stated that by July 2012 it would update
the IRM to require managers to use the Automated Command Code Access Control
System to ensure that all campus support employees who process payments
through the electronic check presentment system have the appropriate command
code restriction in their IDRS profile to prevent them from having the ability to adjust
taxpayer accounts. IRS’s proposed actions, if successfully carried out, should
address the weaknesses we identified related to campus support employees who


process payments through the electronic check presentment system. We will
evaluate the effectiveness of IRS’s efforts during our audit of IRS’s fiscal year 2012
financial statements.
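
The conflict described in this section, custody of hard-copy receipts combined with the ability to adjust taxpayer accounts, can be checked mechanically against access profiles, both when a code is assigned and in the monthly review. The Python below is an added example, not GAO's or IRS's code and not a model of IDRS or the Automated Command Code Access Control System; the command code labels, duty names, employees and dates are constructed placeholders, since the report names no specific command codes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical labels: the report does not name the command codes that allow
# account adjustments, so these placeholders stand in for them.
ADJUSTMENT_CODES = frozenset({"ADJUST_BALANCE", "ADJUST_CREDIT"})
RECEIPT_DUTY = "electronic_check_presentment"  # duty that implies custody of receipts
REVIEW_MAX_AGE_DAYS = 31                       # "at least monthly", taken as 31 days


@dataclass(frozen=True)
class Profile:
    employee: str
    duties: frozenset
    command_codes: frozenset
    last_manager_review: Optional[date] = None


def may_assign(profile, code):
    """Preventive check at assignment time: refuse an adjustment code when
    the employee also has custody of hard-copy receipts."""
    return not (code in ADJUSTMENT_CODES and RECEIPT_DUTY in profile.duties)


def sod_conflicts(profiles):
    """Detective check: employees who handle receipts AND can adjust accounts."""
    findings = []
    for p in profiles:
        held = sorted(p.command_codes & ADJUSTMENT_CODES)
        if RECEIPT_DUTY in p.duties and held:
            findings.append((p.employee, held))
    return findings


def overdue_reviews(profiles, today):
    """Holders of adjustment codes whose manager review is missing or stale."""
    overdue = []
    for p in profiles:
        if not (p.command_codes & ADJUSTMENT_CODES):
            continue  # no sensitive code, no monthly review required here
        last = p.last_manager_review
        if last is None or (today - last).days > REVIEW_MAX_AGE_DAYS:
            overdue.append(p.employee)
    return overdue


def restricted(profile):
    """Corrected profile: same employee and duties, adjustment codes removed."""
    return Profile(profile.employee, profile.duties,
                   profile.command_codes - ADJUSTMENT_CODES,
                   profile.last_manager_review)


# Constructed sample profiles (not data from the report).
SAMPLE_PROFILES = [
    Profile("clerk_a", frozenset({RECEIPT_DUTY}),
            frozenset({"RESEARCH", "ADJUST_BALANCE"})),
    Profile("clerk_b", frozenset({RECEIPT_DUTY}),
            frozenset({"RESEARCH", "ADJUST_CREDIT", "ADJUST_BALANCE"}),
            date(2011, 1, 10)),
    Profile("clerk_c", frozenset({RECEIPT_DUTY}), frozenset({"RESEARCH"})),
    Profile("adjuster_d", frozenset({"account_adjustment"}),
            frozenset({"RESEARCH", "ADJUST_BALANCE"}), date(2011, 3, 25)),
]
SAMPLE_TODAY = date(2011, 4, 15)

if __name__ == "__main__":
    for employee, codes in sod_conflicts(SAMPLE_PROFILES):
        print(f"SoD conflict: {employee} handles receipts and holds {codes}")
    for employee in overdue_reviews(SAMPLE_PROFILES, SAMPLE_TODAY):
        print(f"Monthly review overdue: {employee}")
```
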

Monthly Rent Bill Allocation

During our fiscal year 2011 financial audit, we found that IRS did not have effective
segregation of duties or supervisory review over its process for allocating costs from
the monthly rent bill to IRS’s business units. In order to properly allocate building
rent and other building occupancy costs to the occupying business units, IRS links
each room in a building to the employee who occupies the space using its Graphic
Database Interface system (GDI). Once linked, GDI attributes the square footage to
the employee as well as to the employee’s business unit. Conference rooms and
other shared spaces are allocated among business units based on each unit’s share
of the total occupancy of a given building. Ultimately, the allocation of space-related
costs, which in fiscal year 2011 totaled $747 million, is included in IRS’s Statement
of Net Cost.

Staff from IRS’s Real Estate and Facilities Management division (REFM), specifically
the rent processing administrator and the delegated lease administrator, are
responsible for maintaining rent data in GDI. The rent processing administrator
receives and uploads into GDI monthly the bill from the General Services
Administration (GSA) detailing the square footage and rent charges for buildings
owned by GSA.42 The delegated lease administrator maintains lease data and rent
charges for buildings not owned by GSA by inputting into GDI monthly the square
footage and cost data for buildings owned by private landlords.43 Following the
completion of the data input, the delegated lease administrator informs the rent
processing administrator that the lease data for the non-GSA owned buildings in GDI
are complete and accurate. The rent processing administrator is responsible for
reviewing rent data from both GSA and non-GSA leases to ensure the completeness
of the data within GDI; if he/she finds discrepancies, he/she can edit the data in the
system to correct the discrepancies. Consequently, the rent processing administrator
is the key person who manages virtually all aspects of the space assignments which,
in turn, affects the allocation of rent and other building costs.

Each month, the rent processing administrator schedules automated processes
within GDI to allocate total rent costs among the business units based on square
footage using the linkage between employees and rooms. This allocation provides
information to IRS on the total space usage and cost of occupancy for each
business unit for management purposes. It also determines the allocation of rent to
operating business units, and ultimately each program area, for reporting on IRS’s
Statement of Net Cost. To help ensure that the GDI automated processes properly
assigned rent costs to the business units, the rent processing administrator

42 GSA is the government’s landlord, providing office and other workspace services for the federal
government. In fiscal year 2011, GSA leased approximately 705 buildings to IRS, consisting of 28.6
million square feet of space.
43 In fiscal year 2011, IRS leased space in 19 non-GSA owned buildings.


generates a rent check summary report from GDI, which identifies any remaining
rent costs not allocated to business units. The rent processing administrator is
responsible for reviewing this report and resolving any errors to ensure all rent costs
are ultimately allocated.

During a walkthrough conducted during the fiscal year 2011 audit, we noted IRS did
not properly segregate duties or require supervisory review for certain key activities
performed by the rent processing administrator when allocating costs from the
monthly rent bill in GDI. Specifically, we found the following:

        • The rent processing administrator was responsible for performing essential
         steps when allocating costs from the rent bill, such as loading the rent bills
         received by e-mail from GSA into GDI and ensuring that rooms are properly
         assigned to occupant employees. The rent processing administrator was also
         the only individual reviewing the rent check summary report, which serves as
         the key control in ensuring that all rent costs were properly allocated. There
         was no independent review of the rent check summary report or any
         supervisory review over the process.

        • The delegated lease administrator was responsible for inputting non-GSA
         lease information to GDI and verifying its accuracy before releasing it to the
         rent processing administrator. However, the rent processing administrator had
         the ability to edit the non-GSA lease data after input without any subsequent
         supervisory review.

In both cases, we found that IRS did not have policies or procedures that required a
supervisory review or proper segregation of duties over the rent allocation process.
Internal control standards state that key duties and responsibilities need to be
divided or segregated among different people to reduce the risk of error or fraud.44
This should include separating the responsibilities for processing transactions and
for reviewing them. Additionally, internal control should generally be designed to
assure that ongoing monitoring occurs in the course of normal operations. By
conducting the monthly rent processing without effective segregation of duties and
monitoring in place, IRS increases the risk of the misallocation of rent and space-
related expenses which use square footage as a basis for allocation on the
Statement of Net Cost. It also increases the risk of management making decisions
based on inaccurate information about its space and rent costs.

After we identified these issues, REFM revised its policy in September 2011 to
require an independent review of the monthly rent totals from both GSA and non-
GSA leases. This action should help address this issue, provided IRS appropriately
implements the new requirement. However, additional requirements are needed to
address the ability of the rent processing administrator to edit the non-GSA lease
data after input, since those changes would not be evident by reviewing the
summarized monthly totals.


44 GAO/AIMD-00-21.3.1.


Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:

        • Implement the September 2011 revised policy that requires an independent
         review of the rent check summary report to help ensure that the monthly rent
         allocation process is properly completed.

        • Establish a policy requiring an independent review of changes made by the
         rent processing administrator to non-GSA lease data in GDI.

IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that it implemented the policy
requiring independent review of the rent check summary report in October 2011. IRS
stated that the process now includes independent verification by three IRS
representatives and correction of any errors as they are identified during the
reviews. IRS also stated that it issued a revised policy in March 2012 requiring an
independent review of changes made by the rent processing administrator to non-
GSA lease data in GDI, and implemented the policy the following month. IRS’s
stated actions, if successfully carried out, should address the intent of our
recommendations. We will evaluate the effectiveness of IRS’s efforts during our
audit of IRS’s fiscal year 2012 financial statements.

GDI Quarterly Reviews

During our fiscal year 2011 financial statement audit, we found that IRS did not
sufficiently document or accurately summarize the results of its GDI quarterly
reviews. IRS’s REFM division conducts a quarterly review of employee locations
recorded in GDI to verify the accuracy of employee location data, which, as
discussed previously, is used by IRS to allocate building rent and other occupancy
costs to the occupying business units for reporting in IRS’s Statement of Net Cost.

IRS verifies approximately one-eighth of its total building space each quarter so that
by the end of a 2-year cycle, 100 percent of its space will have been reviewed.45 To
complete the quarterly review, the field Computer-Aided Facilities Management
(CAFM) program manager in each geographic territory is required to (1) conduct a
walkthrough of the space selected for verification that quarter to verify the accuracy
of employee room assignments recorded in GDI, (2) complete GDI validation
walkthrough sheets documenting the results of the walkthroughs, and (3) correct the
data in GDI if found to be incorrect.46 After completing the walkthroughs and the GDI
validation walkthrough sheets, the field CAFM program managers are to record the
total number of rooms reviewed and errors found in each building onto GDI

45 Total building space includes both GSA and non-GSA owned space.
46 A field CAFM program manager is assigned to each of IRS’s 14 territories, which are major regions
throughout the United States in which IRS’s offices are located.



Quarterly Review Certifications and forward the certifications to the National CAFM
Program Manager. The National CAFM Program Manager assigns the GDI program
analyst the task of summarizing the results of all of the GDI Quarterly Review
Certifications into the CAFM Quarterly Review Statistics, which is a high-level
summary of the findings from all of the reviewed territories that REFM management
uses to help monitor how well field CAFM program managers are keeping GDI data
up to date.

We reviewed the results of IRS’s fiscal year 2011 third quarter GDI review, which
covered 41 buildings across 13 territories.47 Of the 41 buildings reviewed, we found
reporting errors or insufficient documentation for 18 of the buildings, as well as
inconsistencies in reported results across territories.48 Specifically, we found the
following:

        • For six buildings, field CAFM program managers did not correctly record the
         number of occupancy errors from the individual GDI validation walkthrough
         sheets onto the GDI Quarterly Review Certifications, which caused the GDI
         program analyst to roll up incorrect data onto the CAFM Quarterly Review
         Statistics.

        • For five buildings, field CAFM program managers did not correctly record the
         number of rooms reviewed from the individual GDI validation walkthrough
         sheets onto the GDI Quarterly Review Certifications, which caused the GDI
         program analyst to roll up incorrect data onto the CAFM Quarterly Review
         Statistics.

        • For nine buildings, field CAFM program managers did not maintain sufficient
         documentation to support the number of rooms reviewed. Specifically, they
         did not use the GDI validation walkthrough sheets—which document a
         complete listing of the rooms reviewed—or otherwise document all of the
         rooms reviewed.

        • Field CAFM program managers were inconsistent in how they counted and
         recorded occupant errors on the GDI Quarterly Review Certifications. For
         example, many field CAFM program managers did not include instances in
         which a room was noted as vacant in GDI, but was actually occupied by an
         employee, or when a room was noted as occupied in GDI but was actually
         vacant. Instead, they only included instances in which the employee listed as
         occupying a room in GDI was not the actual occupant. The National CAFM
         Program Manager informed us that occupant errors should include all of
         these errors. Since the GDI program analyst used the field managers’


47 IRS only reviewed 13 of its 14 territories in the third quarter due to travel budget reductions. IRS
postponed the quarterly review for 1 territory until the fourth quarter.
48 We identified errors with 18 buildings. However, 2 buildings each had 2 different types of errors
associated with them, resulting in a total of 20 exceptions identified.



         occupant error totals on their certifications to compile the overall results, the
         CAFM Quarterly Review Statistics were inaccurate.

We found that at the time of our review, REFM written policy did not require
supervisory review to ensure that the field CAFM program managers correctly
transferred data from the GDI validation walkthrough sheets to the GDI Quarterly
Review Certifications. Further, REFM written policy did not detail what types of
errors were required to be included on the CAFM Quarterly Review Certifications or
Statistics, and did not require staff to use the GDI validation walkthrough sheets to
document their review of individual buildings.

Internal control standards require that agencies (1) implement internal control
procedures to ensure the accurate and timely recording of transactions and events,
(2) promptly record transactions to maintain their relevance and value to
management in controlling operations and making decisions, (3) have reliable
communications and accurate data in order to achieve their control objectives and
help management ensure the effective and efficient use of resources, and (4) clearly
document internal control and all transactions and have the documentation readily
available for examination.49 From our review, we found that the field CAFM program
managers did not record data correctly or consistently when recording the data from
the GDI validation walkthrough sheets onto the GDI Quarterly Review Certifications,
which resulted in inaccurate CAFM Quarterly Review Statistics data. While these
internal control issues did not result in misstatements to IRS’s financial statements,
without accurate data on the CAFM Quarterly Review Statistics, REFM
management’s ability to use the statistics as a tool for monitoring and assessing the
performance of its territories in keeping GDI data up to date is hindered.

After we identified these issues, REFM established a policy in October 2011 to
provide further guidance to staff conducting the quarterly GDI reviews. The policy
now requires supervisory review of the GDI Quarterly Review documentation.
Furthermore, it requires all staff to use a consistent template for their reviews and it
clearly defines what constitutes an error. However, while the new policy is a good
first step, it doesn’t go far enough to help ensure that the CAFM Quarterly Review
Statistics are accurate. Specifically, while the new policy requires a supervisory
review of documentation, it does not clearly require a comparison of the CAFM
Quarterly Review Certifications and Statistics against the GDI validation walkthrough
sheets.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:

        • Revise existing written procedures to require supervisory review of the CAFM
         Quarterly Review Certifications and Statistics against the GDI validation
         walkthrough sheets.


49 GAO/AIMD-00-21.3.1.


      • Establish mechanisms to monitor the implementation of and compliance with
       the revised policy established in October 2011 that

             ◦ requires field CAFM program managers to maintain GDI Quarterly
              Review documentation, including GDI validation walkthrough sheets
              and GDI Quarterly Review certifications, and

             ◦ defines the type of errors that should be captured on the CAFM
              Quarterly Review Certifications to help ensure that field CAFM
              program managers consistently compile the errors found in their
              quarterly reviews for compilation in the overall CAFM Quarterly Review
              Statistics.

IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that it revised its written
procedures in April 2012 to require supervisory review of the CAFM Quarterly
Review Certifications and Statistics against the GDI validation walkthrough sheets,
provided training to staff on the revised procedure in May 2012, and plans to
implement the procedure in June 2012. IRS also stated that in April 2012, it updated
and implemented the October 2011 policy, which now requires CAFM program
managers to submit electronic versions of the GDI validation walkthrough sheets
and GDI Quarterly Review Certifications for territory manager review and approval,
and for the territory manager to forward this documentation to the GDI program
analyst and the National CAFM Program Manager for receipt, compilation, and
retention. Finally, IRS stated that it updated its policy in October 2011 to clarify the
types of errors and the process for reporting them on the CAFM quarterly reviews
and subsequently developed a reviewers’ aid for collecting and tallying the statistics,
provided training, and added a formal review of the GDI quarterly review
documentation to the annual GDI program review process. IRS’s actions, if
successfully carried out, should address the intent of our recommendations. We will
evaluate the effectiveness of IRS’s efforts during our audit of IRS’s fiscal year 2012
financial statements.

Leasehold Improvement Disposal Estimate

During our fiscal year 2011 financial audit, we found that IRS’s Office of Financial
Reporting (OFR) made errors in its leasehold improvements (LHI) disposal estimate.
The estimate represents LHI that were disposed of during the fiscal year; thus, it
reduces the book value of LHI reported on IRS’s balance sheet, statement of net
cost, and notes to the financial statements. We found that, in developing its fiscal year
2011 LHI disposal estimate, OFR (1) did not include all of the leases extracted
from its lease database, (2) erroneously included five leases that had been disposed
of in fiscal year 2010 and thus had already been included in its fiscal year 2010
estimate, and (3) made an error in one of the formulas used in the LHI disposal
estimate that OFR staff and supervisors did not detect. IRS’s Corporate Planning
and Internal Controls group also identified the first issue in October 2011 as a result
of its A-123 review.


In accordance with federal accounting standards, IRS is to capitalize costs for
nonroutine repairs and alterations to leased property that extend the useful life of
leased space.50 These capitalized costs are to be recorded as LHI. Because IRS
does not have a subsidiary ledger for LHI, it cannot associate dollar values for
specific LHI in the capitalized property and equipment balance. We previously
recommended that IRS develop a subsidiary ledger for LHI and implement
procedures to record LHI costs as they occur.51 While IRS implemented procedures
to record LHI costs as they occur, OFR had not developed a subsidiary ledger
because of other system priorities. Lacking a subsidiary ledger, OFR developed a
methodology in fiscal year 2009 to calculate an estimate of the LHI to be disposed of
for the year and recorded in the property and equipment accounting records.
Specifically, OFR extracts lease information from GDI, which contains details on all
of IRS’s leased properties, and calculates the percentage of leases that expired in
the current year. OFR then applies the percentage to the LHI balance for the
respective fiscal year to calculate the disposal estimate, which it records in the
general ledger.

During our review of IRS’s fiscal year 2011 LHI disposal estimate, we found that
OFR made several errors in calculating the estimate. These included the following:

        • Of the 2,104 leases recorded in GDI, 969, or 46 percent, did not have start
         dates and/or expiration dates, which are used to calculate the LHI disposal
         estimate. OFR staff did not know whether these leases should have been
         included in the disposal estimate and therefore, excluded them. Not
         determining whether these leases should have been included in calculating
         the LHI disposal estimate increased the potential for misstatement in the LHI
         disposal amount and accumulated depreciation reported on IRS’s statement
         of net cost and balance sheet. In addition, we found that OFR did not perform
         any procedures to determine the completeness or accuracy of the extracted
         GDI data fields. OFR officials stated that they relied on REFM, which
         manages GDI data, to ensure that the data were complete and accurate.
         Because OFR did not perform any procedures to determine whether the
         extraction from the GDI system was complete and accurate, the data
         extracted may not have been reliable to properly calculate the LHI disposal
         estimate.

        • We identified five instances in which the same leases were used in the
         leasehold improvement disposal calculation for both fiscal years 2010 and
         2011. These errors occurred because these lease agreements were due to
         expire in fiscal year 2010 but were extended into fiscal year 2011 and OFR
         was not aware of the lease extensions. Because these expired leases were
         counted twice in the disposal estimate, IRS understated LHI and understated
         accumulated depreciation by approximately $3.5 million at September 30,
         2010.

50 Statement of Federal Financial Accounting Standards No. 6, Accounting for Property, Plant, and
Equipment, par. 37, November 30, 1995.
51 GAO, IRS Financial and Operational Management: Recommendations to Improve Financial and
Operational Management, GAO-01-42 (Washington, D.C.: Nov. 17, 2000).

       • We also found that OFR used an incorrect formula to calculate the projected
         accumulated depreciation associated with the disposed LHI. This resulted in
         understatements of accumulated depreciation and the loss on disposals of
         approximately $4.7 million, which are reported on IRS’s balance sheet and
         statement of net cost. OFR staff informed us that the disposal calculations
         and supervisory reviews were performed at year-end when the agency faced
         other competing work demands, which limited the time that supervisors were
         able to devote to the review. As a result, neither the staff nor managers
         caught the formula error until we brought it to their attention.

Internal control standards require that control activities ensure that all transactions
are complete and accurately recorded.52 The standards also require that ongoing
monitoring, such as supervisory review, occurs in the normal course of operations.
While the IRM specifies how the LHI disposal estimate should be calculated, it did
not require OFR to test or verify the completeness and accuracy of the data
extracted from GDI nor compare prior year expired leases used in the estimate in
order to reduce the likelihood of leases being used more than once in the disposal
estimates.53 OFR performed supervisory review of the disposal calculations, but did
not detect the errors we found in the disposal estimate. By not ensuring that (1) the
data used in the LHI disposal estimate was complete and accurate, including
identifying leases that may have been counted more than once; and (2) all estimates
were thoroughly reviewed for accuracy, the resulting LHI disposal estimates were
incorrect. Therefore, IRS is at increased risk of relying on inaccurate data for
management decision making and of reporting errors in its financial statements.

IRS began taking corrective actions to address these issues after they were brought
to its attention. For example, OFR modified its procedures in January 2012 to
compare current year lease data to prior year lease data to identify expired leases
that may erroneously appear in both databases, and to verify that leases due to
expire in the current fiscal year were not extended. The revised procedures also
require preparing quarterly disposal estimates rather than just one estimate at year-
end, which should provide more time for supervisory review and identification of
potential errors. While these are positive steps to address the errors we identified,
the procedures do not include steps to help ensure the reliability of the data
extracted from GDI that are used to calculate the LHI disposal estimate.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:



       • Establish procedures to require OFR to ensure that extracted GDI data used
         to calculate the leasehold improvement disposal estimate is complete and
         accurate.

       • Implement the revised January 2012 procedures requiring

              • comparison of the leases used in the prior year with the current year
                leases to help ensure that expired leases have not been extended and
                thus are only counted once in the disposal estimates; and

              • preparation and review of leasehold improvement disposal calculations
                quarterly.

52 GAO/AIMD-00-21.3.1.
53 IRM § 1.35.6.13, Administrative Accounting, Property and Equipment Accounting: Disposals (Oct. 1,
2010).

IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that in January 2012 it (1)
implemented procedures to review the extracted GDI data for accuracy, and would
continue to monitor the leasehold improvement disposal estimate for completeness
and accuracy; (2) implemented the revised procedures requiring comparison of prior
year to current year leases to ensure that expired leases are only counted once in
the disposal estimates; and (3) implemented the revised procedures requiring
preparation and review of leasehold improvement disposal calculations on a
quarterly basis. IRS’s proposed actions, if successfully carried out, should address
the intent of our recommendations. We will evaluate IRS’s progress and the
effectiveness of its actions during our audit of IRS’s fiscal year 2012 financial
statements.

Verification of End-user Receipt of Goods and Services

During our fiscal year 2011 financial audit, we found that IRS staff did not always
confirm, or obtain documentation of confirmation, with the end user of a purchased
product or service that the item was satisfactorily received before entering receipt
and acceptance of the good/service into IRS’s procurement system. This
confirmation is essential because in many instances, the end user of the product
(i.e., the requestor who physically receives the good or service) is at a different
geographic location than the staff responsible for entering receipt and acceptance
into the system. As a result, without following up with the end user, the staff cannot
ensure that the good or service met contractual requirements before authorizing
payment to the vendor.

All purchase requisitions that go through IRS’s procurement department are
assigned to a contracting officer (CO).54 A contracting officer may assign a
contracting officer’s technical representative (COTR) to perform certain tasks,
including maintaining documentation of the receipt and acceptance of purchased
goods or services in the Web Request Tracking System (WebRTS), IRS’s
procurement system.55 Staff use this system to create, route, approve, track, and
fund requisitions, and record the receipt and acceptance of the items purchased.
Receipt signifies IRS’s acknowledgment that supplies were received or services
were rendered, while acceptance signifies that IRS assumes ownership of the
supplies or approves of the services rendered. Consequently, prior to entering
receipt and acceptance into WebRTS, the CO/COTR is to ensure the good or
service conforms to the contract requirements. In addition, IRS’s accounting
technicians who process payments rely on the assertion of the COs/COTRs that
goods or services have been received and accepted as a basis for authorizing
payment.

54 Other transactions, such as micropurchases up to $3,000, are processed by business units rather
than by the Office of Procurement.

During our audit of IRS’s fiscal year 2009 financial statements, we found that the
COTRs did not always obtain or maintain documentation of confirmation with the
end user of a purchased product or service prior to entering receipt and acceptance
in WebRTS. We recommended that IRS establish procedures requiring COs/COTRs
to obtain and retain documentation to support receipt and acceptance prior to
entering acknowledgement of receipt and acceptance in WebRTS. IRS subsequently
modified its Receipt and Acceptance Handbook in March 2010 to specifically require
COs/COTRs to obtain and retain documentation to support receipt and acceptance
before entering the acknowledgement in WebRTS. IRS reinforced this requirement
through presentations at conferences held in March and May 2010. However,
following the issuance and announcement of the policy, we continued to identify
instances in which the CO/COTR did not confirm or obtain documentation of
confirmation of receipt from the end user prior to entering receipt and acceptance in
WebRTS. During our fiscal year 2011 audit, we tested a statistical sample of 86
expense transactions (excluding payroll and travel expenses) processed between
October 1, 2010, and May 31, 2011, and identified 11 instances where the COTRs
could not provide documentation showing they had confirmed that the end users
received and accepted the goods or services before the COTRs entered receipt and
acceptance into WebRTS.56 This marks an increase from the 8 instances we
identified during the fiscal year 2010 financial audit, during which the requirement to
obtain and maintain documentation of confirmation was established. Furthermore,
we found at least 2 of the COTRs responsible for the 11 exceptions identified in
fiscal year 2011 were unaware of the policy requiring them to obtain written
confirmation of receipt from the end user prior to entering receipt and acceptance in
WebRTS.


55 According to IRS’s policy, a CO must assign a COTR for any contract over $150,000. For contracts
of $150,000 or less, a CO has the option of assigning a COTR. If a COTR is not assigned to a
contract, then the CO assumes the duties otherwise performed by the COTR.
56 For these 11 transactions, a COTR was assigned the responsibility of confirming receipt with the
end user. Of the 86 transactions we tested, 52 were transactions that were processed through the
procurement department. However, because our sample was designed to test all expense
transactions (excluding payroll and travel expenses), including transactions such as printing, rent, and
training that do not go through the procurement department, we are unable to project the exceptions
that only applied to procurement transactions to the entire population.



Internal control standards require all personnel to possess and maintain a level of
competence that allows them to accomplish their assigned duties, as well as
understand the importance of developing and implementing good internal control.57
This is one of several factors that affect the control environment, which provides
discipline and structure, as well as the climate which influences the quality of internal
control. In addition, the standards state that management should ensure that skill
needs are continually assessed and that the organization is able to obtain a
workforce that has the required skills that match those necessary to achieve
organizational goals. Training should be aimed at developing and retaining
employee skill levels to meet changing organizational needs. Additionally, the
standards require that internal controls should generally be designed to assure that
ongoing monitoring occurs in the course of normal operations. Such monitoring is
performed continually, is ingrained in the agency’s operations, and includes regular
management and supervisory activities, comparisons, reconciliations, and other
actions people take in performing their duties.

IRS’s procurements undergo various levels of review to assess compliance with
laws, regulations, and IRS policy. However, these required reviews do not include an
assessment of the CO’s/COTR’s adherence to the policy requiring documentation
from the end user of receipt and acceptance of the good or service. In addition,
although IRS notified employees of the new policy through presentations at two
conferences, some COs/COTRs were still unaware of the requirement at the time of
our testing. Without a proper review process in place to monitor compliance with its
revised policy, IRS officials did not recognize the need for additional staff training to
effectively implement the policy. By not obtaining and documenting confirmation that
the end user actually received the good or service before entering receipt and
acceptance, there is an increased risk that a CO/COTR could enter an invalid receipt
and acceptance into WebRTS, which would result in IRS issuing payments to
vendors or contractors for goods or services that were not received or did not fully
conform to contractual requirements.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:

       • Provide training to COs/COTRs on their specific procedural requirements for
         obtaining and maintaining end user documentation of receipt and acceptance
         of the good or service prior to entering acknowledgement of receipt and
         acceptance in the procurement system.

       • Establish a mechanism to periodically monitor CO/COTR compliance with the
         requirement to obtain and document end user confirmation of receipt prior to
         entering receipt and acceptance to the procurement system.




57 GAO/AIMD-00-21.3.1.


IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that it has (1) revised its policy
and procedures to provide specific procedural requirements for obtaining and
maintaining end user documentation of receipt and acceptance of goods and
services prior to entering receipt and acceptance in the procurement system; (2)
developed and disseminated a user guide and a manager guide to assist business
units in properly performing and monitoring receipt and acceptance; (3) conducted
four receipt and acceptance workshops for COs, contracting officer representatives
(CORs, formerly COTRs), managers of CORs, and end users; and (4) implemented
a process to conduct at least three separate reviews of receipt and acceptance
transactions annually to monitor compliance with the requirement to obtain and
document end user confirmation prior to entering receipt and acceptance in the
procurement system. IRS also stated that by December 2012 it plans to develop and
administer training via the Enterprise Learning Management System—IRS’s online
training system—to everyone profiled to enter receipt and acceptance into the
procurement system. IRS’s actions, if successfully carried out, should address the
intent of our recommendations. We will evaluate the effectiveness of IRS’s efforts
during our audit of IRS’s fiscal year 2012 financial statements and future audits.

Patient Protection and Affordable Care Act Expenses

During our fiscal year 2011 financial audit, we found that IRS did not always identify
expenses related to the Patient Protection and Affordable Care Act and the Health
Care and Education Reconciliation Act of 2010 (collectively referred to as PPACA)
and timely determine the appropriation to which it would charge individual PPACA-
identified expenses.58 Congress enacted PPACA in March 2010 and assigned IRS a
role in its implementation. Furthermore, PPACA established the Health Insurance
Reform Implementation Fund (the PPACA appropriation) within the Department of
Health and Human Services (HHS), providing $1 billion of no-year funding for federal
administrative expenses to be incurred in carrying out PPACA.59 HHS subsequently
made defined amounts of the PPACA appropriation available to IRS and other
agencies by asking the Department of the Treasury’s Financial Management Service
to establish an allocation account for each agency, from which the agencies could
then obligate funds for appropriate PPACA-related purposes.60 IRS established a
process for identifying and tracking its PPACA-related expenses to determine which
expenses to charge to the PPACA appropriation and for internal management
purposes. Specifically, IRS required each business unit to determine if an expense,
including both labor expenses and purchases of goods and services, was related to
the PPACA implementation. IRS required that the business units code such
expenses with a PPACA internal order number so that IRS could identify which
expenses to charge to the PPACA appropriation and which to charge to IRS’s own
appropriations. Because expenses that were charged to the PPACA appropriation
would not be funded by IRS and thus should not appear on IRS’s financial
statements, it was important for IRS to make this determination prior to compiling its
year-end financial statements.

58 See Patient Protection and Affordable Care Act, Pub. L. No. 111-148, 124 Stat. 119 (Mar. 23,
2010); Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029
(Mar. 30, 2010). PPACA consists of provisions intended to reform the private insurance market and
expand health insurance coverage to the uninsured.
59 Section 1005 of the Health Care and Education Reconciliation Act, which is codified at 42 U.S.C. §
18121, established the Health Insurance Reform Implementation Fund. No-year funding represents
budget authority that remains available for obligation for an indefinite period of time.
60 After HHS had established the PPACA Fund allocation accounts for IRS and other agencies, GAO
issued a legal opinion, concluding that amounts in the fund are available to pay federal administrative
expenses to finance the immediate implementation of PPACA, whether such expenses are incurred
by HHS or by other federal agencies. B-321823, Dec. 6, 2011 (Department of Health and Human
Services—Administrative Expenses).

During the fiscal year 2011 audit, we identified (1) one instance in which IRS did not
properly identify PPACA expenses and (2) multiple expenses coded as PPACA in
IRS’s general ledger for which IRS had not determined whether they could have
been charged to the PPACA appropriation prior to preparing its financial statements.
Specifically:

       • During our interim testing of a sample of payroll expense transactions, we
         found an instance in which an IRS employee was detailed to work on PPACA-
         related projects from January 2011 through March 2011.61 However, the
         employee did not assign a PPACA internal order number to his/her time
         charges. In addition, the employee’s supervisor did not identify or correct the
         error during his/her review and approval of the employee’s time cards. IRS
         agreed that this employee’s time was incorrectly coded and subsequently
         made an adjustment to charge the appropriate time to a PPACA code.

       • During our interim testing, IRS acknowledged that because PPACA was
         enacted relatively recently, it was still educating staff on identifying and
         coding these expenses and was in the process of manually reviewing its
         expenses to ensure that all expenses that could be charged to the PPACA
         appropriation would be identified and transferred by year-end. However,
         subsequently, at fiscal year-end we identified over $3.2 million in expenses
         coded to PPACA internal order numbers but not charged to the PPACA
         appropriation. When we brought these expenses to IRS’s attention, IRS
         officials informed us it would not have time to review them and determine
         whether they could be charged to the PPACA appropriation before year-end,
         so they remained on IRS’s books.62 We noted that $3.1 million of the total
         related to eight payments under a single contract that was in support of
         PPACA implementation which the business unit had correctly coded to a
         PPACA internal order number. Following the end of the fiscal year, we
         inquired with IRS’s legal counsel as to why IRS did not fund these expenses
         from the PPACA appropriation. IRS’s legal counsel informed us that since the
         time HHS made PPACA appropriation amounts available to IRS, it was IRS’s
         intent to pay for costs such as these out of the PPACA appropriation and that
         IRS should have funded the entire contract against those funds. IRS’s
         counsel added that IRS would address this issue by deobligating the $3.1
         million obligated under the contract, as well as an additional $500,000
         obligated but not yet spent at fiscal year-end from the agency’s own
         appropriations, and obligating the $3.6 million total against the PPACA
         appropriation instead.63

61 We identified this error during our interim testing of a statistical sample of 108 payroll transactions
that occurred from October 1, 2010, through June 30, 2011. We did not propose an audit adjustment
of the projected error at that point because IRS was in the process of making significant adjustments
to identify and reclassify PPACA expense transactions prior to year-end. At year-end, we reviewed
IRS’s reclassifications and performed data analysis on IRS’s fiscal year 2011 payroll database and
determined no further adjustments were needed for the projected error.
62 We proposed an audit adjustment of over $3.2 million for the expenses with a PPACA internal order
number that was included in IRS’s year-end trial balance.

In both cases, we found that IRS did not have adequate procedures to ensure that
PPACA expenses were properly identified and timely reviewed. In the first instance,
IRS officials informed us that they were aware employees were not always charging
labor time spent on PPACA projects to the PPACA internal order codes, and that
they made several attempts to instruct employees and timekeepers on the proper
coding. In the second instance, IRS lacked a review process to periodically identify
and timely review expenses assigned a PPACA internal order number in order to
determine if these expenses were in fact related to PPACA implementation and
could be funded by the PPACA appropriation.

Internal control standards state that financial information is needed for both external
and internal uses.64 It is required to develop financial statements for periodic external
reporting, and, on a day-to-day basis, to make operating decisions, monitor
performance, and allocate resources. Pertinent information should be identified,
captured, and distributed in a form and time frame that permits people to perform
their duties efficiently. Furthermore, IRS has recognized the importance of
managerial cost accounting by issuing its own policy on cost accounting. The policy
states that the purpose of accumulating and tracking costs is to enhance managers’
ability to measure the costs of activities within their areas of control and to identify
operational trends and variances and optimize the use of IRS’s resources. By not
properly identifying and timely reviewing its PPACA expenses, IRS risks being
unaware of the true cost of its PPACA activities.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:

       • Establish a mechanism for monitoring compliance with the existing
         requirement for employees and timekeepers to charge labor time spent on
         PPACA projects to the PPACA accounting code, such as through issuing
         periodic alerts, providing training and guidance, and/or having managers
         perform periodic reviews of employee labor time charges.

       • Design and implement procedures specifying the review steps required to
         identify and research all transactions identified with a PPACA internal order
         number in the agency’s expense files to confirm that they are PPACA-related
         expenses and, if so, to ensure that they are charged to the PPACA
         appropriation where appropriate.

63 A deobligation is an agency’s cancellation or downward adjustment of previously obligated funds,
enabling the agency to use those deobligated funds to acquire other goods or services within those
funds’ period of availability.
64 GAO/AIMD-00-21.3.1.

IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that it implemented several
corrective actions in October 2011, including issuing periodic reminders of the
procedures for proper coding of PPACA labor charges, communicating at monthly
division finance officer meetings the importance of correctly charging time spent on
PPACA activities, monitoring PPACA expenses as part of the monthly execution
report process, and reemphasizing the need for business units to conduct monthly
reviews of PPACA labor charges. Additionally, IRS stated that it has implemented
procedures to identify, review, and validate all PPACA expenses as part of its
monthly execution report process and will conduct a review at year-end to ensure
the accuracy of PPACA charges. IRS’s actions, if successfully carried out, should
address the intent of our recommendations. We will evaluate the effectiveness of
IRS’s efforts during our audit of IRS’s fiscal year 2012 financial statements.

Time Card Approvals

During our fiscal year 2011 financial audit, we found that employee time cards were
not always approved by a manager before being transmitted to the National Finance
Center (NFC) for processing and payment.65 The IRM requires that all time and
attendance records include evidence of approval by an authorized official, and that
the validated and signed Pay Period 3081 Listing from IRS’s Single Entry Time
Reporting System (SETR) is the official time and attendance document from which
employees are paid.66 IRS employees record their time and attendance information
either directly in SETR—IRS’s electronic time and attendance system—on the Pay
Period 3081 Listing (electronic time card) or on other forms or formats that are
subsequently input into SETR, such as a manual time card. Managers are required
to review, validate, and electronically sign their employees’ time cards in SETR
every pay period. The manager must, if expected to be away from the office
temporarily, designate a proxy to validate and electronically sign his/her employees’
time cards in SETR.67 However, if a designated proxy validates and signs the time
cards in SETR, the manager must manually sign a printed copy of the electronic
time card or other manual time card.68 According to IRS’s payroll standard operating
procedures in effect during the period covered by our review, regardless of who
signs the time card, the manager is responsible for ensuring that all time and
attendance data entered in SETR—including organization codes, internal order
codes, and appropriation fund codes—are accurate and match the manual time card
if used.

65 NFC is a component of the U.S. Department of Agriculture that provides administrative and financial
services to many federal agencies, including IRS, on a reimbursable basis. IRS forwards personnel
and payroll data to the NFC to process its payroll.
66 IRM § 6.630.1.27(3.j), (5) Time and Attendance Records (Mar. 12, 2010).
67 Managers may designate an authorized proxy to sign time cards in SETR for the manager for up to
180 days.

We tested a statistical sample of 108 payroll transactions covering payroll expenses
recorded from October 1, 2010, through June 30, 2011, and found three cases in
which IRS did not electronically or manually approve the employee’s time and
attendance prior to payroll processing.69

       • In one case, a manager’s designated proxy electronically signed an
         employee’s time card in SETR; however, the manager did not sign the
         manual time card until the week before we performed our payroll transaction
         testing, 38 weeks after the pay period.

       • In two cases, the employees’ time cards were not electronically signed in
         SETR by either the manager or a proxy; consequently, SETR automatically
         printed “not signed” in the signature field of the SETR printout. In the first
         case, the manager did not sign the manual time card until after the employee
         was paid. In the second case, the manager signed a manual time card, but
         did not date the approval.

These weaknesses were caused by several factors. First, managers did not follow
proper IRM procedures to electronically or manually approve employees’ time cards
before employees were paid. IRS payroll officials told us they were aware of this
problem and even maintained a “repeat offenders” list of managers that frequently
did not comply with the requirements, but the problem persisted. Second, neither the
IRM nor IRS’s SOP defines when the managers are required to sign the manual time
card when a designated proxy signs the electronic time card in SETR.70 Third,
neither the IRM nor IRS’s SOP requires the human resource specialists, who are
responsible for reviewing the time cards before processing, to ensure that all time
cards were signed by a manager or proxy before processing pay. Finally, there was
no edit check in SETR to prevent an unsigned time card from being processed.

Internal control standards state that transactions should be accurately and timely
recorded to maintain their relevance and value to management in controlling
operations and making decisions.71 By not ensuring time and attendance was
approved by the employee’s manager before payment, IRS risks overpaying for
hours employees did not work, underpaying for hours worked but not recorded, and
charging incorrect fund codes, internal order codes, and other accounting codes that
affect the proper funding and classification of expenses.

68 IRM § 6.630.1.1.2, Administration of the Federal Leave System – Manager Responsibilities (Mar.
12, 2010).
69 Based on our payroll testing, we estimated that the value of such expenses that could have the
same control error could be as high as $359.4 million (i.e., the net upper error limit at an 86 percent
confidence level) out of a population of $6.4 billion.
70 The SOP provides detailed procedures and guidance to staff for carrying out specific
responsibilities.

During the week of our payroll testing in August 2011, IRS revised its SOP to specify
that the manager or designated proxy is accountable for the validity of all time card
data, rather than just the manager. However, the updated procedures do not
specifically state that the designated proxy be an equivalent official or higher level
manager as required in the IRM. For example, payroll officials informed us a
designated proxy may be a lead secretary. However, this is inconsistent with the
IRM which states that the manager, equivalent official, or higher level manager is
responsible for the approval of the time and attendance record, and that only these
individuals may certify a subordinate’s hours worked and leave taken in SETR.72 A
lower level proxy, who could be lower graded than the employee whose time card
they are approving, may not have the knowledge to verify that the time charges are
accurate, meet applicable legal requirements, and were charged to the correct fund
codes, organization codes, and projects. A lower level proxy may also be less
inclined to question or prevail in a disagreement with a higher level employee over
the number of hours worked.

To address the problem with unsigned time cards, IRS officials informed us that they
were aware that managers were not always in compliance with validating and
signing their employees’ time cards and stated they will implement a new policy in
June 2012, to be documented in the IRM, that will (1) require the manager, or the
manager’s designated proxy, to electronically sign each employee’s time card in
SETR before transmitting the employee’s pay records to NFC; and (2) eliminate the use
of manual time cards, making the electronic time card in SETR the only official time
and attendance record. Thus, if an employee’s electronic time card in SETR is not
signed, the employee will not be paid. However, the new policy will not require the
designated proxy to be equivalent or at a higher level than the employee’s manager;
thus, there may continue to be lower level proxies verifying and approving time and
attendance data for higher graded employees. Implementing such a policy without
this requirement would put IRS at greater risk of improperly over- or underpaying
employees, charging payroll expenses to the incorrect appropriation, and
misclassifying payroll expenses for both internal and external reporting purposes.

71 GAO/AIMD-00-21.3.1.
72 IRM § 6.630.1.27(11), Time and Attendance Records (Mar. 12, 2010).

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:

       • Revise the payroll standard operating procedures to specify steps that the
         human resource specialists are required to follow to ensure that each
         electronic time card is signed by an authorized official before the time card is
         transmitted to NFC for processing and payment.

       • Revise the payroll standard operating procedures to require that the
         designated proxy for a manager required to approve time cards be at an
         equivalent or higher level as the manager, consistent with the IRM.

       • Incorporate in the planned 2012 policy change requiring the manager or
         designated proxy to sign the electronic time card before transmitting payroll
         records to NFC the requirement that the designated proxy be at an equivalent
         or higher level than the employee’s manager.

       • Implement an edit control in IRS’s time card system to identify and prevent
         the processing of time cards that have not been electronically signed.

IRS Comments and Our Evaluation

IRS agreed with our first and fourth recommendations in this area. With respect to
these two recommendations, IRS stated that by July 2012, it plans to (1) update its
payroll SOP to specify steps that human resource specialists will be required to take
to ensure that all electronic time cards are signed by an authorized official before
they are transmitted and (2) implement an edit that will require an electronic
signature for all time cards. If fully and effectively implemented, these actions should
address the related deficiencies. We will monitor IRS’s progress on these efforts
during our audit of its fiscal year 2012 financial statements. With respect to our
remaining two recommendations in this area, while IRS disagreed with our
recommendations, we continue to believe that additional action is warranted.
Consequently, we are reaffirming both recommendations.

IRS disagreed with our recommendations that it revise both its current payroll
standard operating procedures and its planned 2012 payroll policy to require that a
designated proxy authorized to approve time cards be at an equivalent level to or
higher level than the manager. In its comments, IRS cited IRM 1.11.4.3.4, which
states that “an acting official assumes the full authority vested in or delegated to that
position.”73 IRS used this to support its position that once a manager designates a
staff member as his or her proxy, the staff member becomes the equivalent of the
manager. IRS further stated that it is not practical for IRS to establish a minimum
grade standard for those who may be designated as acting managers.

73 IRM § 1.11.4.3.4, Internal Management Documents System, Delegation Orders, Related
Management Matters (Oct. 10, 2008).

Consequently, based on IRS’s comments, any of IRS’s approximately 100,000 staff
members can be designated as an acting supervisor for time card approval. Such
unrestricted delegation is inconsistent with other IRM policies and related IRS
delegation orders. Specifically, as prescribed by IRM 6.630.1.1.2, managers have a
fundamental responsibility to ensure that government resources are used efficiently
and effectively, with minimum potential for waste, fraud, and mismanagement, and
are accountable for (1) ensuring that all leave charges are properly recorded; (2)
counseling employees on policies, regulations, and procedures related to leave and
absence; and (3) identifying and correcting leave abuse and potential abuse.74
Consequently, relying on nonmanagers to perform important responsibilities, such
as time card approval, when they may not have received the proper training to do
so, increases the risk that errors or violations may go undetected. Similarly, because
of the high volume of IRS’s workload during tax season and the nature of its tax law
enforcement work, many IRS employees may earn overtime, night differentials, law
enforcement differentials, or a combination of these. Unless a designated proxy has
been properly trained on related legal and regulatory requirements for these various
types of pay, including who is eligible to earn them, when they may be earned, and
any limitations, that proxy may not have the knowledge to ensure that what
employees record on their time cards meets all legal and regulatory requirements.

Further, allowing non-supervisory-level employees to serve as designated proxies
for time card approval is inconsistent with related IRS procedural requirements for
approval of leave and overtime. Specifically, Delegation Order 6-12 provides that
authority to approve absences and charges to leave may only be delegated to
employees in supervisory positions.75 Similarly, Delegation Order 6-14 provides that
authority for approving the performance of paid overtime and work on holidays may
only be delegated to a second-level supervisor or above.76 Consequently, allowing a
nonsupervisor to approve a time card containing recorded leave, overtime, or
holiday work violates these delegation orders.

Finally, internal control standards state that an agency’s control environment is
affected by the manner in which the agency delegates authority and responsibility
throughout the organization, and that good human capital policies should include
providing a proper amount of supervision.77 For all of the reasons discussed above,
we believe that IRS’s current procedures do not establish adequate internal control
over the payroll approval process and do not comply with IRS’s own requirements.
Until IRS takes our recommended actions to establish appropriate levels of approval
both in its current procedures and planned 2012 policy change, IRS will continue to
be at increased risk of improperly over- or underpaying employees, not meeting pay-
related legal and regulatory requirements, and charging payroll expenses to
incorrect appropriation and other accounting codes.




74 IRM § 6.630.1.1.2, Administration of the Federal Leave System - Manager Responsibilities (Mar.
12, 2010).
75 IRM § 1.2.45.13, Delegation Order 6-12 (Oct. 23, 1998).
76 IRM § 1.2.45.15, Delegation Order 6-14 (Oct. 23, 1998).
77 GAO/AIMD-00-21.3.1.

Employee Within-Grade Pay Increases

During our fiscal year 2011 financial audit, we found that IRS managers did not
always (1) make timely decisions on granting or denying within-grade increases
(WGI) in pay to employees with below fully successful performance ratings, and (2)
timely grant WGIs to such employees if warranted. Managers prepare annual
performance appraisals and enter them in Human Resources (HR) Connect, the
personnel processing system used by IRS.78 The performance ratings in HR
Connect are linked to NFC, which automatically processes WGIs in preparing IRS’s
payroll for all employees who received a fully successful or higher rating based on
the applicable waiting period and step.79 WGIs for employees who received a less
than fully successful rating are not granted automatically and must be decided by
each employee’s manager on a case-by-case basis. Each pay period, HR specialists
send notifications to all managers listing their employees with less than fully
successful ratings who have a WGI due within 90 days. Each manager must then
provide each listed employee with a 60-day notification letter giving the employee an
opportunity to improve his/her performance. If the employee’s performance does not
sufficiently improve within the 60 days, the manager, in consultation with IRS Labor
Relations, must notify the employee that the WGI is being denied before the due
date of the WGI. If the employee sufficiently improves, the manager must provide a
WGI release to the IRS payroll center. If the manager fails to (1) send the employee
a 60-day notification letter in time or (2) notify the employee prior to the due date that
the WGI is being denied, IRS payroll officials told us that they determined IRS must
grant the employee a WGI.80

During our testing of payroll transactions, we found one instance where the manager
did not properly follow IRS’s required procedures for granting or denying a WGI to
an employee with a below fully successful rating.81 Specifically, the manager failed
to send the employee a 60-day notification letter and provide the employee an
opportunity to improve his/her performance. IRS did not become aware that the WGI
was not processed until 1 year later, when the HR specialists sent the 90-day notice
to the manager for a subsequent WGI. According to IRS officials, this occurred
because the manager was not fully aware of his WGI responsibilities for employees
with less than fully successful ratings, and thus did not carry out the actions he
needed to take for this employee. In addition, IRS did not have a process in place
requiring HR specialists to track and follow up with the managers they notified to
ensure the managers followed required procedures and made timely determinations
to deny or release the WGIs. IRS’s payroll staff stated that they consulted with IRS’s
Labor Relations Policy office, which advised them that since the manager did not
provide the employee a 60-day notification letter giving the employee the opportunity
to improve his/her performance, the employee was entitled to receive a WGI
retroactive to the employee’s WGI due date. Because IRS did not have a process in
place to track whether managers of employees with below fully successful ratings
took the required WGI actions, IRS also lacked a means of ensuring that employees
whose managers failed to take such actions received a retroactive WGI.

78 HR Connect is a web-based personnel processing system owned by Treasury which IRS uses to
record all personnel actions, including performance appraisals.
79 For IRS employees compensated under the General Schedule, each pay grade has 10 steps. WGIs
are periodic pay increases in a graded employee's pay from one step to the next higher step of that
grade and are due based on the employee’s current step. Specifically, if employees are advancing to
steps 2, 3, or 4, they must wait 1 year to be qualified for a WGI. For employees advancing to steps 5,
6, or 7, they must wait 2 years; and for employees advancing to steps 8, 9, 10, they must wait 3 years
to be qualified for a WGI.
80 IRM § 6.500.1.3.8, Acceptable Level of Competence Determinations – Denying Within-Grade
Increases (July 1, 2003).
81 During our audit, we did not specifically test for within-grade increases. This exception was
identified after reviewing adjustments for retroactive pay that were processed in the same pay period
as our sample transaction. Therefore, we cannot project the results for the substantive error because
we selected our sample from IRS’s entire population, and not just from employees who received a
within-grade increase.

Subsequent to our bringing this issue to their attention, IRS payroll officials informed
us that they were aware of this problem and had conducted a study in 2009 to
investigate the causes for past due WGIs for employees with less than fully
successful ratings. A March 2010 summary of the study results reported that the
study found that managers were not aware of their responsibilities and the correct
steps they were required to take to either release or withhold WGIs for their
employees. The study found that most managers believed that a less than fully
successful rating was sufficient to deny a WGI and thus, had not taken the required
actions. Consequently, by not issuing these employees a 60-day notification letter,
assessing their resulting performance, and making a determination to release or
deny a WGI, IRS was required under its procedures to grant these employees
retroactive pay increases. The study team made several recommendations to
improve the WGI process, such as (1) sending notification and instructions to
managers informing them of the WGI process 90 days in advance of the projected
WGI date for those employees with a less than fully successful rating; (2) along with
the 90-day advance notice, providing the managers a response form to complete
indicating the date the 60-day notification letter to the employee was issued and a
due date for the manager to provide the information to a central unit for tracking; (3)
updating the HR Connect system to send an alert or ‘pop-up’ window to the manager
that would provide additional information and instruction at the time a less than fully
successful rating is entered; and (4) providing assistance to managers so that labor
relations specialists can guide managers through the steps they need to take. IRS
officials informed us that they started corrective actions to address the
recommendations but had not fully implemented or documented these
improvements in procedures or in the IRM. In particular, IRS had not yet
implemented procedures to centrally track and follow up to ensure key WGI steps
were performed; thus, IRS was continuing to rely on individual managers to carry out
the necessary steps timely and correctly and could not ensure that all employees
entitled to a WGI received one. Without central monitoring and follow-up to ensure
managers are carrying out their duties, IRS is at increased risk of granting WGIs to
employees who may not have earned them and of failing to pay employees WGIs
they are—through management’s inaction—entitled to receive.




Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to do the following:

     • Remind managers of their responsibilities, procedures, and required time
       frames for either granting or denying a within-grade pay increase for
       employees with below fully successful ratings, such as by providing alerts in
       HR Connect when a manager enters a less than fully successful rating or
       providing training to remind them of their responsibilities.

     • Establish procedures for HR specialists to track and monitor supervisory
       actions taken for employees with less than fully successful ratings that have a
       within-grade pay increase due date within 90 days to include specific required
       steps for:

            - following up with managers to ensure the managers properly issue the
              employees a 60-day notification letter providing them an opportunity to
              improve their performance, make a timely determination on releasing
              or denying a within-grade pay increase, and properly carry out the
              requirements necessary to support the decision made; and

            - timely granting a within-grade pay increase to such employees who
              were not given a 60-day notification letter.

IRS Comments and Our Evaluation

IRS agreed with our recommendations and stated that in April 2012 it issued an
SOP outlining procedures for the suppression and release of WGIs, and plans to
issue an alert in July 2012 to remind managers of their responsibilities and where to
locate appropriate procedures. IRS also stated it will include links or regulatory
references in the notices it sends to managers of employees with less than fully
successful ratings with projected WGIs due in 90 days. By August 2012, IRS stated
that it plans to establish a specific process for human resource specialists to track
and monitor timely actions required by managers when employees have less than
fully successful ratings. IRS’s actions, if successfully carried out, should address the
intent of our recommendations. We will evaluate IRS’s progress and the
effectiveness of its actions during our audit of IRS’s fiscal year 2012 financial
statements and future audits.

Recycled Payroll Errors

During our fiscal year 2011 financial statement audit, we found that IRS did not
timely research and resolve recycled payroll transaction errors. Recycled errors are
rejected payroll transactions that contained erroneous or invalid accounting data,
such as incorrect fund codes, that prevented the transactions from posting
automatically to IRS’s general ledger. IRS sends its biweekly time and attendance
(i.e., payroll) information and personnel actions to be processed—such as promotion
pay increases—to NFC, which processes the biweekly paychecks issued to IRS
employees. After processing and issuing the paychecks, NFC provides IRS with
data files containing the payroll and personnel transactions processed. IRS uses its
Automated Interface to the National Finance Center system (AINFC) to integrate the
payroll and personnel accounting data and generate extract files which IRS uses to
record the payroll expenses to its general ledger. Prior to recording the transactions,
AINFC performs a series of edit checks to ensure that the accounting data in the
payroll transactions are valid and that the accounting data between related payroll
and personnel transactions are consistent. Payroll transactions that do not pass the
edit checks cannot be validated by AINFC and thus, do not automatically post to the
general ledger. These transactions end up in the recycled errors file.

During our fiscal year 2011 audit, we found that as of March 2011, IRS’s recycled
errors file contained $4.8 million of payroll transactions that had accumulated for
over 7 years without being resolved. These recycled errors represented actual
amounts processed and paid to employees by NFC and thus did not affect employee
pay; however, they had not been recorded in IRS’s general ledger. These
accumulated for so long because IRS did not have procedures for payroll staff to
research the cause of these errors on a regular basis and make the appropriate
corrections. By not researching and correcting the errors on a timely basis to ensure
the related payroll transactions were timely posted to its general ledger, IRS’s payroll
expenses and liabilities were understated in its financial statements.

Internal control standards require that transactions be accurately and timely
recorded to maintain their relevance and value to management in controlling
operations and making decisions.82 After we brought this issue to the attention of
IRS officials, they began researching the errors and made two system changes to
AINFC late in fiscal year 2011 that resolved all but $1.2 million of the accumulated
errors. IRS officials informed us that they will continue researching and resolving
these errors into fiscal year 2012. While these are positive steps to address the long-
standing errors, IRS has not yet established procedures requiring that the recycled
errors file be reviewed on a regular basis so that any new errors can be timely
researched and corrected.

Recommendation for Executive Action

We recommend that you direct the appropriate IRS officials to establish and
document procedures for payroll staff to research and correct recycled errors from
payroll processing on a regular and timely basis.

IRS Comments and Our Evaluation

IRS agreed with our recommendation and stated that by September 2012 it will
identify, document, and implement procedures for addressing and correcting
recycled errors going forward. IRS’s proposed actions, if successfully carried out,
should address the intent of our recommendations. We will evaluate IRS’s progress
and the effectiveness of its actions during future audits.

82 GAO/AIMD-00-21.3.1.

                                        ----

This report contains recommendations to you. The head of a federal agency is
required by 31 U.S.C. § 720 to submit a written statement on actions taken on these
recommendations. You should submit your statement to the Senate Committee on
Homeland Security and Governmental Affairs and to the House Committee on
Oversight and Government Reform within 60 days of the date of this report. A written
statement must also be sent to the House and Senate Committees on
Appropriations with the agency’s first request for appropriations made more than 60
days after the date of this report. Furthermore, to ensure that GAO has accurate, up-
to-date information on the status of your agency’s actions on our recommendations,
we request that you also provide us with a copy of your agency’s statement of
actions taken on open recommendations. Please send your statement of action to
me or Doreen Eng, Assistant Director, at engd@gao.gov.

This report is intended for use by the management of IRS. We are sending copies to
the Chairmen and Ranking Members of the Senate Committee on Appropriations;
Senate Committee on Finance; Subcommittee on Taxation and IRS Oversight,
Senate Committee on Finance; Senate Committee on Homeland Security and
Governmental Affairs; House Committee on Appropriations; House Committee on
Ways and Means; and House Committee on Oversight and Government Reform,
and to the Chairman and Vice-Chairman of the Senate Joint Committee on Taxation.
We are also sending copies to the Secretary of the Treasury, the Acting Director of
the Office of Management and Budget, and the Chairman of the IRS Oversight
Board. The report is available at no charge on GAO’s website at http://www.gao.gov.

We acknowledge and appreciate the cooperation and assistance provided by IRS
officials and staff during our audits of IRS’s fiscal years 2011 and 2010 financial
statements. Please contact me at (202) 512-3406 or sebastians@gao.gov if you or
your staff have any questions concerning this report. Contact points for our Offices
of Congressional Relations and Public Affairs may be found on the last page of this
report. GAO staff who made major contributions to this report are listed in enclosure
III.

Sincerely yours,




Steven J. Sebastian
Managing Director
Financial Management and Assurance

Enclosures – 3



Enclosure I: Details on Audit Methodology

To fulfill our responsibilities as the auditor of the Internal Revenue Service’s (IRS)
financial statements, we did the following.

       • Examined, on a test basis, evidence supporting the amounts and disclosures
         in the financial statements; this included selecting statistical samples of
         unpaid assessments, revenue, refunds, payroll and nonpayroll expenses,
         property and equipment, and undelivered order transactions.83

       • Assessed the accounting principles used and significant estimates made by
         management.

       • Evaluated the overall presentation of the financial statements.

       • Obtained an understanding of IRS and its operations, including its internal
         control over financial reporting.

       • Considered IRS’s process for evaluating and reporting on internal control and
         financial systems under 31 U.S.C. § 3512 (c), (d), commonly referred to as
         the Federal Managers’ Financial Integrity Act of 1982, and Office of
         Management and Budget Circular No. A-123, Management’s Responsibility
         for Internal Control.

       • Assessed the risk of (1) material misstatement in the financial statements and
         (2) material weakness in internal control over financial reporting.

       • Tested relevant internal control over financial reporting.

       • Evaluated the design and operating effectiveness of internal control over
         financial reporting based on the assessed risk.

       • Tested compliance with selected provisions of the following legal provisions:
         Internal Revenue Code; Anti-Deficiency Act, as amended; Purpose Statute;
         Prompt Payment Act; Pay and Allowance System for Civilian Employees;
         Federal Employees’ Retirement System Act of 1986, as amended; Social
         Security Act of 1935, as amended; Federal Employees Health Benefits Act of
         1959, as amended; Full-Year Continuing Appropriations Act, 2011, which
         incorporates, by reference, certain provisions of the Financial Services and
         General Government Appropriations Act, 2010; Federal Employees’
         Compensation Act; Civil Service Retirement Act; and the Tax Relief,
         Unemployment Insurance Reauthorization, and Jobs Creation Act of 2010.

       • Tested whether IRS’s financial management systems substantially complied
         with the three requirements of the Federal Financial Management
         Improvement Act of 1996.

       • Performed such other procedures as we considered necessary in the
         circumstances.

83 These statistical samples were selected primarily to determine the validity of balances and activities
reported in IRS’s financial statements. We projected any errors in dollar amounts to the population of
transactions from which they were selected. In testing some of these samples, certain attributes were
identified that indicated deficiencies in the design or operation of internal control. These attributes,
where applicable, were statistically projected to the appropriate populations.




Enclosure II: Comments from the Internal Revenue Service




Enclosure III: GAO Contact and Staff Acknowledgments


GAO Contact: Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov.


Staff Acknowledgments: The following individuals made major contributions to
this report: Doreen Eng, Assistant Director; Oliver Culley, Auditor-in-Charge;
Crystal Alfred; Laura Bednar; Sharon Byrd; Mark Canter; Lauren S. Fassler;
Chuck Fox; Jennifer Franks; Mickie Gray; Mary Ann Hardy; David Hayes; Jeff Knott;
Tuan Lam; Cynthia Ma; Joshua Marcus; Julie Phillips; Jim Rinaldi; John Sawyer;
Christopher Spain; Chevalier Strong; Cynthia Teddleton; Lien To; LaDonna Towler;
Cherry Vasquez; and Gary Wiggins.




(196249)



This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.

GAO’s Mission

The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding decisions.
GAO’s commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO posts on its website newly released reports, testimony, and
correspondence. To have GAO e-mail you a list of newly posted products,
go to www.gao.gov and select “E-mail Updates.”

Order by Phone

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s website,
http://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO

Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
Visit GAO on the web at www.gao.gov.

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:
Website: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400,
U.S. Government Accountability Office, 441 G Street NW, Room 7125,
Washington, DC 20548

Public Affairs

Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800,
U.S. Government Accountability Office, 441 G Street NW, Room 7149,
Washington, DC 20548



