Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Recommendations

Published by the Government Accountability Office on 2012-06-28.

United States Government Accountability Office

GAO Report to the Commissioner of Internal Revenue

June 2012

INTERNAL REVENUE SERVICE
Status of GAO Financial Audit and Related Financial Management Recommendations

GAO-12-695

Highlights of GAO-12-695, a report to the Commissioner of Internal Revenue




Why GAO Did This Study

In its role as the nation’s tax collector, IRS has a demanding responsibility to
annually collect trillions of dollars in taxes, process hundreds of millions of
tax and information returns, and enforce the nation’s tax laws.

Each year, as part of the annual audit of IRS’s financial statements, GAO makes
recommendations to address control deficiencies identified during the audit and
follows up on the status of IRS’s efforts to address the control deficiencies
GAO identified in previous years’ audits. The purpose of this report is to
(1) provide an overview of the financial management challenges still facing
IRS, (2) provide the status of financial audit–related recommendations and the
actions needed to address them, and (3) highlight the relationship between
GAO’s recommendations and internal control activities central to IRS’s mission
and goals.

What GAO Recommends

GAO is not making any recommendations in this report. In commenting on a draft
of this report, the IRS Commissioner stated that the agency is committed to
implementing appropriate improvements to maintain sound financial management
practices.

What GAO Found

The Internal Revenue Service (IRS) has made significant progress in improving
its internal controls and financial management since its first financial
statement audit in 1992, as evidenced by 12 consecutive years of clean audit
opinions on its financial statements, the resolution of several material
control deficiencies, and actions resulting in the closure of over
300 financial management recommendations. This progress has been the result of
hard work throughout IRS and sustained commitment at the top levels of the
agency. However, IRS still faces significant financial management challenges in
(1) resolving its remaining material weaknesses and significant deficiency in
internal control, (2) developing outcome-oriented performance metrics, and
(3) correcting numerous other control deficiencies, especially those relating
to safeguarding tax receipts and taxpayer information. At the beginning of
GAO’s audit of IRS’s fiscal year 2011 financial statements, 77 recommendations
from prior audits remained open because IRS had not fully addressed the
underlying issues. During the fiscal year 2011 financial audit, IRS took
actions that GAO considered sufficient to close 38 recommendations. At the same
time, GAO identified additional control deficiencies resulting in 30 new
recommendations. In total, 69 recommendations remain open. GAO has also
identified numerous control deficiencies and made recommendations related to
information security that have been reported separately and are not included in
this report because of the sensitive nature of many of those control
deficiencies.

To assist IRS in evaluating and improving internal controls, GAO categorized
the 69 open recommendations by various internal control activities, which, in
turn, were grouped into three broad control categories.

Summary of Recommendations Grouped by Control Category

                                                   Open at the
                                                     beginning  Closed during    New from  Total remaining
                                                       of 2011     2011 audit  2011 audit             open
Safeguarding of assets and security activities              29             12           1               18
Proper recording and documenting of transactions            30             18          17               29
Effective management review and oversight                   18              8          12               22
Total                                                       77             38          30               69

Source: GAO.

The continued existence of control deficiencies that gave rise to these
recommendations represents a serious challenge for IRS. Effective
implementation of GAO’s recommendations could greatly assist IRS in improving
its internal controls and achieving sound financial management, which are
integral to effectively carrying out its tax administration responsibilities.

View GAO-12-695. For more information, contact Steven J. Sebastian at
(202) 512-3406 or sebastians@gao.gov

Contents

Letter
               Background
               Scope and Methodology
               IRS Faces Continuing Significant Financial Management Challenges
               Status of Recommendations Based on the Fiscal Year 2011 Financial
                 Statement Audit
               Open Recommendations Grouped by Internal Control Activity
               Concluding Observations
               Agency Comments and Our Evaluation

Appendix I     Status of GAO Recommendations from Internal Revenue Service
               Financial Audits and Related Management Reports

Appendix II    Open Recommendations Arranged by Material Weakness, Significant
               Deficiency, Compliance, or Other Control Deficiencies

Appendix III   Comments from the Internal Revenue Service

Appendix IV    GAO Contact and Staff Acknowledgments

Tables
               Table 1: Summary of Recommendations Grouped by Control Activity
               Table 2: Open Recommendations to Improve IRS’s Physical Controls
                        over Vulnerable Assets
               Table 3: Open Recommendation to Improve IRS’s Segregation of Duties
               Table 4: Open Recommendations to Improve IRS’s Access Restrictions
                        to and Accountability for Resources and Records
               Table 5: Open Recommendations to Improve IRS’s Documentation of
                        Transactions and Internal Control
               Table 6: Open Recommendations to Improve IRS’s Accurate and Timely
                        Recording of Transactions and Events
               Table 7: Open Recommendations to Improve IRS’s Proper Execution of
                        Transactions and Events
               Table 8: Open Recommendations to Improve IRS’s Reviews by
                        Management at the Functional or Activity Level
               Table 9: Open Recommendation to Improve IRS’s Establishment and
                        Review of Performance Measures and Indicators
               Table 10: Open Recommendations to Improve IRS’s Management of
                        Human Capital
               Table 11: Status of GAO Recommendations from Internal Revenue
                        Service Financial Audits and Related Management Reports
               Table 12: Material Weakness: Controls over Unpaid Assessments
               Table 13: Significant Deficiency: Tax Refund Disbursements
               Table 14: Compliance with Laws and Regulations: Release of Federal
                        Tax Liens
               Table 15: Other Control Deficiencies Not Associated with a Material
                        Weakness, Significant Deficiency, or Compliance Issue




Abbreviations

CFO               Chief Financial Officer
FMFIA             Federal Managers’ Financial Integrity Act of 1982
FTHBC             First-time Homebuyer Credit
IRM               Internal Revenue Manual
IRS               Internal Revenue Service
OMB               Office of Management and Budget
SCC               service center campus
TAC               Taxpayer Assistance Center




This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.




United States Government Accountability Office
Washington, DC 20548




June 28, 2012

The Honorable Douglas H. Shulman
Commissioner of Internal Revenue

Dear Mr. Shulman:

In its role as the nation’s tax collector, the Internal Revenue Service (IRS)
has a demanding responsibility to collect taxes, process tax returns, and
enforce the nation’s tax laws. In fiscal year 2011, IRS collected about
$2.4 trillion in tax payments, processed hundreds of millions of federal tax
and information returns, and paid about $416 billion in refunds to
taxpayers. Because of its role and overall mission, IRS’s activities affect
virtually all of the nation’s citizens. It is therefore critical that the agency
strive to maintain sound internal control and financial management
practices.

IRS has made significant progress in improving its internal controls and
financial management since it was first required to prepare a set of
financial statements nearly two decades ago. This progress is reflected in
IRS’s 12-year record of clean audit opinions on its financial statements
and its resolution of several material weaknesses[1] and significant
deficiencies[2] in internal controls over the years. At the same time, IRS
continues to face significant financial management challenges in
achieving the overarching goals of effective federal financial
management—accountability and useful management information. To
achieve its goals of effective financial and operational management, IRS
needs to (1) address its remaining material weaknesses and its significant
deficiency in internal control, (2) fully integrate cost- and revenue-based
outcome-oriented decision making into its tax collection enforcement
operations, and (3) implement corrective actions to address other
identified control deficiencies.

[1] A material weakness is a deficiency, or a combination of deficiencies, in
internal control such that there is a reasonable possibility that a material
misstatement of the entity’s financial statements will not be prevented, or
detected and corrected on a timely basis. A deficiency in internal control
exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to
prevent, or detect and correct misstatements on a timely basis. Materiality
represents the magnitude of an omission or misstatement of an item in a
financial report that, when considered in light of surrounding circumstances,
makes it probable that the judgment of a reasonable person relying on the
information would have been changed or influenced by the inclusion or
correction of the item.

[2] A significant deficiency is a deficiency, or a combination of deficiencies,
in internal control that is less severe than a material weakness, yet important
enough to merit attention by those charged with governance.

An agency’s internal control serves as the first line of defense in
safeguarding its assets and in preventing and detecting errors and fraud,
as well as in helping to effectively manage its stewardship over public
resources.[3] For many years, IRS has had control deficiencies in internal
controls over fundamental elements of its operations that leave it
vulnerable to a greater risk of fraud, waste, abuse, and mismanagement.
During our audit of IRS’s fiscal year 2011 financial statements,[4] we found
that IRS continued to be challenged with two long-standing material
weaknesses in internal control that are at the heart of its
operations—weaknesses in internal controls over unpaid tax assessments (unpaid
assessments)[5] and over information systems security. We also found that
IRS continued to have a significant deficiency in internal control over the
processing of manually prepared tax refunds and claims for the First-time
Homebuyer Credit (FTHBC) that led to erroneous refund disbursements.
In addition, as in past years, IRS management faces a challenge in
enhancing and using its financial management capabilities to develop and
use outcome-oriented performance metrics[6] critical to providing the
foundation upon which it can manage its operations for outcomes.

[3] Management is responsible for establishing and maintaining internal control
to achieve the objectives of effective and efficient operations, reliable
financial reporting, and compliance with applicable laws and regulations. See
31 U.S.C. § 3512(c), (d), commonly known as the Federal Managers’ Financial
Integrity Act of 1982 (FMFIA); see also, GAO, Standards for Internal Control in
the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999),
4-5. The actions required by agencies and individual federal managers include
taking proactive measures to develop and implement appropriate, cost-effective
internal control for results-oriented management; to assess the adequacy of
internal control in federal programs and operations; to identify needed
improvements; and to take corresponding corrective actions.

[4] GAO, Financial Audit: IRS’s Fiscal Years 2011 and 2010 Financial Statements,
GAO-12-165 (Washington, D.C.: Nov. 10, 2011).

[5] An unpaid assessment is a legally enforceable claim against a taxpayer and
consists of taxes, penalties, and interest that have not been collected or
abated (a reduction in a tax assessment).

To assist IRS in strengthening its internal controls and improving its
operations, over the years we have made numerous recommendations as
part of our annual financial statement audits and other financial
management–related work at IRS. This report (1) provides an overview of
the continuing financial management challenges facing IRS, (2) describes
the status of financial audit–related recommendations and the actions
needed to address them, and (3) discusses how the unresolved
recommendations are integrally related to control activities central to
IRS’s mission and goals.

Appendix I provides a summary of the status of GAO recommendations.
To assist IRS in addressing those control activities, appendix II provides
summary information regarding the primary control deficiencies to which
each open recommendation is related. Our recommendations related to
IRS’s information systems security are reported separately because of
the sensitive nature of many of the control deficiencies that give rise to
the recommendations.[7] However, we do provide summary data on the
number of information security–related recommendations and their
general makeup. We are not making any new recommendations in this
report.

[6] The term “outcome-oriented performance metrics” refers to the measurement
of the end result of a work activity or series of activities, such as the taxes
collected as a result of a tax assessment and the collection actions taken by
IRS employees, such as telephone calls to tax debtors.

[7] Although most of our recommendations regarding our information security
work are sensitive and reported to IRS separately, we have reported our
objectives, summary results, and nonsensitive recommendations in a publicly
available report. See GAO, Information Security: IRS Needs to Enhance Internal
Control over Financial Reporting and Taxpayer Data, GAO-12-393 (Washington,
D.C.: Mar. 16, 2012).

Background

Internal control is not one event, but rather a series of activities that
should occur throughout an entity’s operations and on an ongoing basis.
Internal control should be an integral part of each system that
management uses to regulate and guide its operations, rather than as a
separate system within an agency. In this sense, internal control is
management control that should be built into the entity as a part of its
infrastructure to help managers run the entity and achieve their goals on
an ongoing basis.

Section 3512 (c), (d) of Title 31, U.S. Code, commonly known as the
Federal Managers’ Financial Integrity Act of 1982 (FMFIA), requires
agencies to establish and maintain effective internal control. The agency
head must annually evaluate and report on the control and financial
systems that protect the integrity of its federal programs. The
requirements of FMFIA serve as an umbrella under which other reviews,
evaluations, and audits should be coordinated and considered to support
management’s assertion about the effectiveness of internal control over
operations, financial reporting, and compliance with laws and regulations.

Office of Management and Budget (OMB) Circular No. A-123,
Management’s Responsibility for Internal Control, provides the
implementing guidance for FMFIA, and prescribes the specific
requirements for assessing and reporting on internal controls consistent
with the Standards for Internal Control in the Federal Government
(internal control standards) issued by the Comptroller General of the
United States.[8] The circular defines management’s responsibilities related
to internal control and the required process for assessing internal control
effectiveness, and provides specific requirements for conducting
management’s assessment of the effectiveness of internal control over
financial reporting. The circular requires management to annually provide
assurances on internal control and emphasizes the need for integrated
and coordinated internal control assessments that synchronize all internal
control–related activities.[9]

[8] GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1, 1999) contains the internal
control standards to be followed by executive agencies in establishing and
maintaining systems of internal control as required by FMFIA.

[9] The circular requires agencies and individual federal managers to take
systematic and proactive measures to (1) develop and implement appropriate,
cost-effective internal control for results-oriented management; (2) assess the
adequacy of internal control in federal programs and operations; (3) separately
assess and document internal control over financial reporting consistent with
the process defined in appendix A of the circular; (4) identify needed
improvements; (5) take corresponding corrective action; and (6) report annually
on internal control through management assurance statements.

FMFIA requires GAO to issue standards for internal control in the federal
government. The internal control standards provide the overall framework
for establishing and maintaining effective internal control and for
identifying and addressing major performance and management
challenges and areas at greatest risk of fraud, waste, abuse, and
mismanagement.

As summarized in the internal control standards, internal control in the
government is defined by the following five elements, which also provide
the basis against which internal controls are to be evaluated:

•   Control environment: Management and employees should establish
    and maintain an environment throughout the organization that sets a
    positive and supportive attitude toward internal control and
    conscientious management.

•   Risk assessment: Internal control should provide for an assessment of
    the risks the agency faces from both external and internal sources.

•   Control activities: Internal control activities help ensure that
    management’s directives are carried out. The control activities should
    be effective and efficient in accomplishing the agency’s control
    objectives.

•   Information and communication: Information should be recorded and
    communicated to management and others within the entity who need
    it and in a form and within a time frame that enables them to carry out
    their internal control and other responsibilities.

•   Monitoring: Internal control monitoring should assess the quality of
    performance over time and ensure that the findings of audits and
    other reviews are promptly resolved.

A key objective in our annual audits of IRS’s financial statements is to
obtain reasonable assurance that IRS maintained effective internal
control with respect to financial reporting. While we use all five elements
of internal control, including risk assessment and monitoring, as a basis
for evaluating the effectiveness of IRS’s internal controls, our ongoing
evaluations and tests have focused heavily on control activities, where we
have identified numerous control deficiencies and have provided
recommendations for corrective action. Control activities are the policies,
procedures, techniques, and mechanisms that are intended to enforce
management’s directives. In other words, they are the activities
conducted in the everyday course of business that are intended to
accomplish a control objective, such as ensuring IRS employees
successfully complete background checks prior to being granted access
to taxpayer information and receipts. Control activities are an integral part
of an entity’s planning, implementing, reviewing, and accountability for
stewardship of government resources and achievement of effective
results.


Scope and Methodology

To accomplish our objectives, we evaluated the effectiveness of
corrective actions IRS implemented during fiscal year 2011 in response to
open recommendations as part of our fiscal years 2011 and 2010
financial audits. To determine the status of the recommendations, we
(1) obtained IRS’s reported status of each recommendation and
corrective action taken or planned as of March 2012, (2) compared IRS’s
reported status to our fiscal year 2011 audit findings to identify any
differences between IRS’s and our conclusions regarding the status of
each recommendation, and (3) performed additional follow-up work to
assess IRS’s actions taken to address the open recommendations.
Because of the sensitive nature of many of the issues related to our
recommendations regarding information security, we have reported our
recommendations for corrective action related to information security
issues to IRS separately.[10]

In order to determine how IRS’s open recommendations, including those
identified in our June 2012 management report,[11] fit within the agency’s
management and internal control structure, we compared the open
recommendations and the issues that gave rise to them to the (1) control
activities listed in the internal control standards, (2) list of major factors
and examples outlined in our Internal Control Management and
Evaluation Tool,[12] and (3) criteria and objectives for federal financial
management as discussed in the Chief Financial Officers Act of 1990
(CFO Act) and the Federal Accounting Standards Advisory Board’s
(FASAB) Statement of Federal Financial Accounting Concepts No. 1,
Objectives of Federal Financial Reporting.[13] We also considered whether
IRS had addressed, in whole or in part, the underlying control deficiencies
that gave rise to the recommendations; and other legal requirements and
implementing guidance, such as FMFIA and OMB Circular No. A-123.

[10] See GAO-12-393.

[11] GAO, Management Report: Improvements Are Needed to Enhance the Internal
Revenue Service’s Internal Controls and Operating Effectiveness, GAO-12-683R
(Washington, D.C.: June 25, 2012).

[12] GAO, Internal Control Standards: Internal Control Management and
Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 1, 2001).

[13] FASAB, Statement of Federal Financial Concepts No. 1: Objectives of Federal
Financial Reporting, FASAB Handbook, Version 10 (Washington, D.C.: June 30,
2011).

Our work was performed from December 2011 through April 2012 in
accordance with generally accepted government auditing standards.


                        IRS continues to make progress in resolving its control deficiencies and
IRS Faces Continuing    addressing outstanding recommendations, but continues to face
Significant Financial   significant financial management challenges. Since we first began
                        auditing IRS’s financial statements in fiscal year 1992, IRS has taken a
Management              significant number of actions that were sufficient to resolve several
Challenges              material weaknesses and significant control deficiencies and to close over
                        300 of our previously reported recommendations. This includes
                        38 recommendations we are closing with this report based on actions IRS
                        took through March 2012.

                        Nevertheless, IRS continues to face challenges in establishing effective
                        controls over its financial and operational management. Specifically, IRS
                        continues to face management challenges in (1) resolving its two material
                        weaknesses and one significant deficiency in internal control and
                        (2) developing performance measures necessary to managing
                        operational performance outcomes. Further, as in previous years’ audits,
                        our fiscal year 2011 audit continued to identify additional internal control
                        deficiencies, resulting in 30 new recommendations for corrective action.
                        These deficiencies and related recommendations are discussed in detail
                        in our June 2012 management report to IRS. 14 In addition, as noted
                        earlier, we also identified control deficiencies related to information
                        security during our fiscal year 2011 audit that we reported separately with
                        limited distribution because of the sensitive nature of many of those
                        control deficiencies. 15




                        14
                             GAO-12-683R.
                        15
                             See GAO-12-393.




                        Page 7                                    GAO-12-695 Status of Recommendations
Challenges in Resolving Two Long-standing Material Weaknesses and One Significant Deficiency in Internal Control

                             As in past years, IRS continued to face significant challenges in resolving
                             its remaining long-standing material weaknesses in internal control
                             concerning (1) unpaid assessments 16 and (2) information security in fiscal
                             year 2011.

                             IRS’s continuing challenge in addressing its material weakness in internal
                             control over unpaid assessments results from its (1) inability to rely on its
                             general ledger and underlying subsidiary records to report federal taxes
                             receivable, compliance assessments, and writeoffs in accordance with
                             federal accounting standards without significant compensating
                             procedures; (2) inability to trace reported taxes receivable to supporting
                             transactions and maintain an effective transaction-based subledger for
                             unpaid assessment transactions; and (3) inability to effectively prevent or
                             timely detect and correct errors in taxpayer accounts. These control
                             deficiencies are caused primarily by IRS’s continued reliance on software
                             applications that were not designed to provide accurate, complete, and
                             timely transaction-level financial information, as well as errors in taxpayer
                             accounts. Consequently, IRS management is impaired in its ability to
                             make well-informed decisions and to accumulate and report financial
                             information in accordance with federal accounting standards. These
                             problems are likely to continue to exist until these software applications
                             are either significantly enhanced or replaced, and IRS remedies the
                             control deficiencies that continue to result in significant errors in taxpayer
                             accounts.

                             IRS’s continuing challenge in addressing its material weakness in internal
                             control over information systems security is primarily due to both
                             continuing and newly identified control deficiencies. As in past years, IRS
                             continued to (1) rely on a procurement system that lacks reliable controls
                             due to access control deficiencies and database maintenance that was
                             not performed; (2) use unencrypted protocols for a sensitive tax
                             processing application; and (3) have unresolved physical security control



                             16
                                Unpaid assessments are unpaid taxes. For reporting purposes, federal accounting
                             standards classify unpaid assessments, including assessed penalties and accrued
                             interest, into federal taxes receivable, compliance assessments, and writeoffs. Federal
                             taxes receivable are taxes due from taxpayers for which IRS can support the existence of
                             a receivable through taxpayer agreement or a favorable court ruling. Compliance
                             assessments are assessments where neither the taxpayer nor the court has affirmed that
                             the amounts are owed. Writeoffs represent unpaid tax assessments for which IRS does
                             not expect further collection because of factors such as the taxpayer’s death, bankruptcy,
                             or insolvency.




                           deficiencies. Further, in fiscal year 2011, we identified control deficiencies
                           in IRS’s (1) system access and configuration controls and (2) controls
                           intended to compensate and mitigate for known information security
                           deficiencies. As a result of these control deficiencies considered
                           collectively, IRS was (1) unable to rely upon its systems or compensating
                           and mitigating controls to provide reasonable assurance that its financial
                           statements were fairly presented, (2) unable to ensure the reliability of
                           other financial management information produced by its systems, and
                           (3) at increased risk of compromising confidential IRS and taxpayer
                           information.

                           In addition to the continuing challenges posed by the two long-standing
                           material weaknesses concerning unpaid assessments and information
                           security, our audit of IRS’s fiscal year 2011 financial statements 17 also
                           identified a continuing significant deficiency in IRS’s internal control over
                           tax refund disbursements, specifically, controls over the processing of
                           claims for the First-time Homebuyer Credit (FTHBC) 18 and over manual
                           refunds. These control deficiencies related to the documentation of
                           FTHBC claims, monitoring of manual refunds, and training of staff having
                           key roles in refund processing.


Challenges in Developing and Implementing Performance Metrics to Assist in Managing for Outcomes

                           As in past years, IRS continues to face challenges in developing and
                           institutionalizing the use of financial management information to assist it
                           in making operational decisions and in measuring the effectiveness of its
                           programs. IRS made progress during fiscal year 2011 in developing and
                           integrating cost-based performance information into its operational
                           decision-making processes. However, IRS has not yet fully integrated
                           outcome-oriented cost-based performance data 19 into each business
                           unit’s routine decision-making processes. IRS has also not yet integrated
                           outcome-oriented performance data into its externally-reported
                           performance metrics.




                           17
                                GAO-12-165
                           18
                            The FTHBC is codified, as amended, at 26 U.S.C. § 36. For an explanation of the
                           FTHBC, see GAO-12-165, p. 9, footnote 9.
                           19
                            An “outcome” is a measure of the end result of a work activity or series of activities, such
                           as the taxes collected, and is a measure of the results of providing outputs.




During fiscal year 2011, IRS continued to add to the number of programs
and activities for which full cost, and applicable return on investment
(ROI), information has been developed. Further, for the past several
years, IRS has annually updated the data for each set of such
information. Additionally during fiscal year 2011, management teams in
several of IRS’s business units began to implement the use of available
full cost information for decision making.

However, this progress in the use of programmatic full cost and ROI
information, and related performance metrics, had not yet extended to
IRS’s primary business unit responsible for developing and directing
IRS’s corporate-wide enforcement activities to collect unpaid taxes. The
integration of such information into both IRS’s strategic and routine
enforcement-related management decisions could greatly enhance IRS’s
ability to manage for outcomes by evaluating the efficiency and cost-
effectiveness of its programs and activities, including comparing the
efficiency and effectiveness of various existing enforcement collection
strategies, staffing levels, and proposed changes.

Developing informative and reliable outcome-oriented performance
metrics based on specific enforcement programs’ costs and revenues
would assist IRS in improving its ability to (1) establish measurable
outcome goals, (2) evaluate the relative merits of various program
options, and (3) highlight opportunities for optimizing the allocation of
resources. They could also assist IRS in more credibly demonstrating to
Congress and the public that it is using its appropriations cost-effectively.

A lack of outcome-oriented performance metrics is inconsistent with
federal financial management concepts as embodied in the Federal
Accounting Standards Advisory Board’s (FASAB) Statement of Federal
Financial Accounting Concepts No. 1, Objectives of Federal Financial
Reporting. 20 Specifically, in its discussion of financial reporting concepts,
FASAB notes that federal financial data should provide accountability and
decision-useful information on the costs of programs and the outputs and
outcomes achieved, and it should provide data for evaluating service
efforts, costs, and accomplishments.




20
 FASAB, Statement of Federal Financial Accounting Concepts No. 1: Objectives of Federal Financial
Reporting.




                      The absence of outcome metrics is also inconsistent with the objectives
                      of the CFO Act. A key objective of the act was for agencies to routinely
                      develop and use appropriate financial management information to
                      evaluate program effectiveness, make fully informed operational
                      decisions, and ensure accountability. While obtaining a clean audit
                      opinion on its financial statements is important in itself, it is not the CFO
                      Act’s end goal. Rather, the act’s end goal is modern financial
                      management systems that provide reliable, timely, and useful financial
                      information to support day-to-day decision making and oversight. Such
                      systems and practices should also provide for the systematic
                      measurement of both program outputs and outcomes.

                      We have made several recommendations to IRS over the years to
                      address its financial management challenges in developing internal full
                      cost data for its programs and activities and for outcome-oriented
                      performance measures. Successfully addressing the remaining open
                      recommendations would enhance IRS’s ability to effectively manage for
                      outcomes.


Status of Recommendations Based on the Fiscal Year 2011 Financial Statement Audit

                      In June 2011, we reported on the status of IRS’s efforts to implement
                      corrective actions to address recommendations stemming from our fiscal
                      year 2010 and prior years’ financial statement audits and other financial
                      management–related work. 21 In that report, we identified 77 audit
                      recommendations that remained open and thus required corrective action
                      by IRS. A significant number of these recommendations had been open
                      for several years, either because IRS had not taken corrective action or
                      because the actions taken had not yet effectively resolved the control
                      deficiencies that gave rise to the recommendations.

                      IRS has continued to work to address many of the control deficiencies
                      related to these previously reported open recommendations. In the
                      course of performing our fiscal year 2011 financial audit, we determined
                      IRS took actions sufficient to address 38 of our prior years’
                      recommendations. However, a total of 39 recommendations from prior
                      years remain open, a significant number of which have been outstanding
                      for several years. IRS considers 16 of the prior years’ recommendations



                      21
                       GAO, Internal Revenue Service: Status of GAO Financial Audit and Related Financial
                      Management Report Recommendations, GAO-11-536 (Washington, D.C.: June 22, 2011).




to be effectively addressed and therefore closed. However, we consider
them to remain open. For 14 of the 16, in our view, IRS’s actions did not
fully address the control deficiencies that gave rise to the
recommendations. For the remaining two, we have not yet been able to
verify the effectiveness of IRS’s actions. The “Status per IRS” and “Status
per GAO” sections of appendix I provide a summary of both IRS’s and our
assessment of IRS’s actions on each recommendation.

During our audit of IRS’s fiscal year 2011 financial statements, we
identified additional control deficiencies that require corrective action. In
our June 2012 management report to IRS, 22 we discussed these control
deficiencies, and made 30 new recommendations to address them.
Consequently, a total of 69 financial management–related
recommendations need to be addressed—39 from prior years and
30 new recommendations resulting from our fiscal year 2011 audit. We
consider all of the new recommendations to be correctible in the short
term. 23 We also consider the majority of the recommendations
outstanding from prior years to be correctible in the short term. However,
a few, particularly those concerning the functionality of IRS’s automated
systems, are complex and may reasonably require several more years to
fully and effectively address.

In addition to the 69 open recommendations from our financial audits,
there are 118 additional open recommendations stemming from our
assessment of IRS’s information security controls over key financial
systems, information, and interconnected networks conducted as an
integral part of our annual financial audits. The control deficiencies that
led to our previously reported and our newly identified recommendations
related to information security increase the risk of unauthorized
disclosure, modification, or destruction of financial and sensitive taxpayer
data. Collectively, they constitute a material weakness in IRS’s internal
control over information security for its financial and tax processing
systems. As discussed previously, we are reporting our recommendations
resulting from the information security control deficiencies identified in our



22
     GAO-12-683R.
23
  We define short term recommendations as those that we believe could be addressed
within 2 years from the time we made the recommendation. We define long term
recommendations as those we expect to require 2 years or more to implement from the
time we made the recommendation.




                      annual audits of IRS’s financial statements separately because of the
                      sensitive nature of many of these control deficiencies. 24

                      Appendix I presents a summary of the status of IRS actions to address
                      107 GAO non-information security-related recommendations based on
                      our financial audits–77 from our audits prior to fiscal year 2011 and
                      30 new recommendations based on the results of our fiscal year 2011
                      financial audit. Appendix I consists of the (1) recommendation, (2) GAO
                      report in which the recommendation was made, (3) IRS-reported status of
                      corrective actions taken or planned as of March 2012, and (4) our
                      analysis of the status of IRS actions as to whether those actions
                      effectively addressed the deficiencies that gave rise to the
                      recommendation. Appendix I lists the recommendations by the year in
                      which the recommendation was made and by GAO report number.

                      Appendix II presents the 69 open recommendations that remained at the
                      end of our fiscal year 2011 audit as a result of closing the aforementioned
                      38 recommendations and adding 30 new recommendations, grouped by
                      related material weakness, significant deficiency, and compliance issue
                      as described in our audit report on IRS’s financial statements, 25 as well as
                      other control deficiencies we have identified and discussed in our annual
                      management reports to IRS. 26


Open Recommendations Grouped by Internal Control Activity

                      Linking the open recommendations from our financial audits, and the
                      control deficiencies that gave rise to them, to internal control activities that
                      are central to IRS’s tax administration responsibilities provides insight
                      regarding their significance to accomplishing IRS’s mission.

                      As discussed earlier, internal control standards define internal control as
                      consisting of five elements—control environment, risk assessment,
                      control activities, information and communication, and monitoring. 27 For
                      the control activities element, the internal control standards explain that
                      an agency’s system of internal control should provide for an assessment


                      24
                           See GAO-12-393.
                      25
                           GAO-12-165.
                      26
                           See GAO-12-683R for the recommendations resulting from our fiscal year 2011 audit.
                      27
                           GAO/AIMD-00-21.3.1.




                                              of the risks the agency faces from both external and internal sources and
                                              that internal control activities should help ensure that management’s
                                              directives and related control objectives are carried out. The control
                                              activities element identified 11 specific control activities, which we have
                                              grouped into three categories, as shown in table 1. Each of the
                                              unresolved recommendations from our financial audits, and the
                                              underlying control deficiencies that gave rise to them, can be grouped into
                                              one of the 11 specific control activities as shown in table 1.

Table 1: Summary of Recommendations Grouped by Control Activity

                                                                          Open at the       Closed                     Total
                                                                            beginning       during     New from    remaining
Control activity                                                              of 2011   2011 audit   2011 audit         open   Percentage
Safeguarding of assets and security activities
    Physical control over vulnerable assets                                        22            9            0           13           19
    Segregation of duties                                                           1            1            1            1            1
    Controls over information processing                                            0            0            0            0            0
    Access restrictions to and accountability for resources and records             6            2            0            4            6
         Subtotal                                                                  29           12            1           18           26
Proper recording and documenting of transactions
    Appropriate documentation of transactions and internal controls                13           10            5            8           12
    Accurate and timely recording of transactions and events                       15            6            7           16           23
    Proper execution of transactions and events                                     2            2            5            5            7
         Subtotal                                                                  30           18           17           29           42
Effective management review and oversight
    Reviews by management at the functional or activity level                      13            5           10           18           27
    Establishment and review of performance measures and indicators                 1            0            0            1            1
    Management of human capital                                                     4            3            2            3            4
    Top-level reviews of actual performance                                         0            0            0            0            0
         Subtotal                                                                  18            8           12           22           32
Total                                                                              77           38           30           69          100
                                              Source: GAO.



                                              As shown in table 1, 18 (26 percent) of the unresolved recommendations
                                              relate to IRS’s controls over safeguarding of assets and security activities,
                                              29 (42 percent) relate to control deficiencies associated with IRS’s ability



                             to properly record and document transactions, and 22 (32 percent) relate
                             to control deficiencies associated with IRS’s management review and
                             oversight.

                             In the following section, we group the 69 open recommendations under
                             the specific control activity to which the condition that gave rise to each
                             recommendation most appropriately fits. We define each control activity
                             as presented in the internal control standards and briefly identify some of
                             the key IRS operations that fall under that control activity. Although not
                             comprehensive, the descriptions are intended to help explain why actions
                             to strengthen these control activities are important for IRS to efficiently
                             and effectively carry out its overall mission.

                             Each control activity description includes a table of the related open
                             recommendations. The tables list the recommendations by the year in
                             which we made them (ID no.). At the end of our description of each
                             recommendation, we also provide an assessment of whether the
                             recommendation can be addressed in the short term or long term. We
                             judged a recommendation to be correctible in the short term when we
                             believe that IRS had the capability to implement solutions within 2 years
                             of the year in which we first reported the control deficiency and made the
                             recommendations.


Safeguarding of Assets and Security Activities

                             Given IRS’s mission, the sensitivity of the data it maintains, and its
                             responsibility for processing trillions of dollars of tax receipts each year,
                             one of the most important control activities at IRS is safeguarding assets.
                             Internal control in this important area should be designed to provide
                             reasonable assurance regarding prevention or prompt detection of
                             unauthorized acquisition, use, or disposition of an agency’s assets. IRS
                             has outstanding recommendations in the following three control activities
                             related to safeguarding and securing assets: (1) physical control over
                             vulnerable assets, (2) segregation of duties, and (3) access restrictions
                             to, and accountability for, resources and records.




Physical Control over Vulnerable Assets

                         Internal control standard: An agency must establish physical control to
                         secure and safeguard vulnerable assets. Examples include security for
                         and limited access to assets such as cash, securities, inventories, and
                         equipment which might be vulnerable to risk of loss or unauthorized
                         use. Such assets should be periodically counted and compared to
                         control records.


                        Of the trillions of dollars in taxes that IRS collects each year, hundreds of
                        billions is collected in the form of checks and cash accompanied by tax
                        returns and related information. 28 IRS collects taxes both at its own
                        facilities as well as at lockbox banks. 29 IRS acts as custodian for (1) tax
                        payments it receives until they are deposited in the General Fund of the
                        U.S. Treasury and (2) tax returns and related information it receives until
                        they are either sent to the Federal Records Center or destroyed. IRS is
                        also charged with controlling many other assets, such as computers and
                        other equipment. IRS’s legal responsibility to safeguard tax returns and
                        the confidential information taxpayers provide on those returns makes the
                        effectiveness of IRS’s internal controls over physical security essential to
                        accomplishing its mission.

                        While effective physical safeguards over receipts should exist throughout
                        the year, such safeguards are especially important during the peak tax
                        filing season. Each year during the weeks preceding and shortly after
                        April 15, an IRS service center 30 or lockbox bank may receive and
                        process daily over 100,000 pieces of mail containing returns, receipts, or
                        both. The dollar value of receipts each service center and lockbox bank
                        processes increases to hundreds of millions of dollars a day during this
                        time frame.

                        The following 13 open recommendations in table 2 are designed to
                        improve IRS’s physical controls over vulnerable assets. They include


                        28
                          The majority of federal tax payments are made for both businesses and individuals
                        through the Electronic Federal Tax Payment System.
                        29
                          Lockbox banks operate under contract with the Department of the Treasury’s (Treasury)
                        Financial Management Service. The three lockbox banks perform processing functions in
                        seven locations throughout the United States.
                        30
                          Five of IRS’s 10 service center campuses (SCC) process tax returns and payments
                        submitted by taxpayers.




                                            recommendations for IRS to improve controls over physical security at its
                                            Taxpayer Assistance Centers (TAC) 31 and courier activities. We consider
                                            all of these recommendations to be correctable in the short term.

Table 2: Open Recommendations to Improve IRS’s Physical Controls over Vulnerable Assets

ID no.     Recommendation
06-05      Equip all Taxpayer Assistance Centers (TAC) with adequate physical security controls to deter and prevent unauthorized
           access to restricted areas or office space occupied by other IRS units, including those TACs that are not scheduled to be
           reconfigured to the “new TAC” model in the near future. This includes appropriately separating customer service waiting
           areas from restricted areas in the near future by physical barriers, such as locked doors marked with signs barring
           entrance by unescorted customers. (short-term)
07-04      Develop and implement appropriate corrective actions for any gaps in closed circuit television (CCTV) camera coverage
           that do not provide an unobstructed view of the entire exterior of the service center campus’s (SCC) perimeter, such as
           adding or repositioning existing CCTV cameras or removing obstructions. (short-term)
09-03      Document in the Internal Revenue Manual (IRM) minimum requirements for establishing criteria for time discrepancies or
           other inconsistencies, which if noted as part of the required monitoring of Form 10160, Receipt for Transport of IRS
           Deposit, would require off-site surveillance of couriers. (short-term)
09-06      Establish procedures to ensure that an inventory of all duress alarms is documented for each location and is readily
           available to individuals conducting duress alarm tests before each test is conducted. (short-term)
09-07      Establish procedures to periodically update the inventory of duress alarms at each Taxpayer Assistance Center (TAC)
           location to ensure that the inventory is current and complete as of the testing date. (short-term)
09-08      Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials conducting the test
           (1) document the test results for each duress alarm listed in the inventory, including date, findings, and planned corrective
           action and (2) track the findings until they are properly resolved. (short-term)
09-09      Establish procedures requiring that each physical security analyst conduct a periodic documented review of the
           Emergency Signal History Report and emergency contact list for its respective location to ensure that (1) appropriate
           corrective actions have been planned for all incidents reported by the central monitoring station and (2) the emergency
           contact list for each location is current and includes only appropriate contacts. (short-term)
10-19      Establish procedures to track service center campus (SCC) acknowledgments of unprocessable items with receipts.
           (short-term)
10-20      Establish procedures to monitor the process used by service center campuses (SCC) and lockbox banks to acknowledge
           and track transmittals of unprocessable items with receipts. These procedures should include monitoring discrepancies
           and instituting appropriate corrective actions as needed. (short-term)
11-14      Establish procedures to provide a consistent methodology for calculating and establishing allowable deposit courier trip
           time limits to be used by both service center campuses (SCC) and lockbox banks that would assist in detecting potential
           unauthorized stops or other contractual violations by deposit couriers. Such procedures should include instructions for
           documenting and supporting how the trip limits were determined and require justification and approval for all established
           time limits that exceed the average trip time. (short-term)
11-16      Enforce existing contractual requirements for the cargo doors of contract courier vehicles to be locked after picking up
           taxpayer information. (short-term)
11-17      Establish procedures to prevent or detect unauthorized access to taxpayer information in contract courier vehicles during
           transit. These procedures should detail specific activities to be performed by both the business unit sending and receiving
           the information transported by the contract courier. (short-term)
11-18      Revise the guidance for conducting the periodic reviews of the contract couriers transporting taxpayer information from
           one IRS processing facility to another to include procedures for (1) physically verifying that courier vehicle cargo doors are
           locked after picking up this information and remain locked during transit to the final destination and (2) documenting the
           basis for the reviewer’s conclusions. (short-term)
                                           Source: GAO.

31 IRS’s 398 TACs are small field assistance units located in various cities and towns in
   every state, are part of IRS’s Wage and Investment (W&I) operating division, and are
   designated to serve taxpayers who choose to seek help from IRS in person.




Segregation of Duties

                                           Internal control standard: Key duties and responsibilities need to be
                                           divided or segregated among different people to reduce the risk of error
                                           or fraud. This should include separating the responsibilities for
                                           authorizing transactions, processing and recording them, reviewing the
                                           transactions, and handling any related assets. No one individual should
                                           control all key aspects of a transaction or event.


                                           As discussed previously, IRS employees process hundreds of billions of
                                           dollars in tax receipts in the form of cash and checks. Consequently, it is
                                           critical that IRS maintain appropriate separation of duties so that no single
                                           individual would be in a position of causing an error or irregularity, or
                                           potentially converting the asset to personal use, and then concealing it.
                                           For example, when an IRS field office receives taxpayer receipts and
                                           returns, it is responsible for depositing the cash and checks in a
                                           depository institution and forwarding the related taxpayer information
                                           received for further processing, including updating the taxpayer’s tax
                                           account records. In order to adequately safeguard receipts from theft, the
                                           person responsible for recording the information from the taxpayer
                                           receipts on a voucher should not also update the taxpayer’s tax records.

                                           Implementing the following recommendation in table 3 would help IRS
                                           improve its separation of duties, which will in turn strengthen controls over
                                           tax receipts. This recommendation is correctible in the short term.

Table 3: Open Recommendation to Improve IRS’s Segregation of Duties

ID no.     Recommendation
12-10      Update the Internal Revenue Manual (IRM) to specify steps to be followed to prevent campus support clerks as well as
           any other employees who process payments through the electronic check presentment system from making adjustments
           to taxpayer accounts. (short-term)
                                           Source: GAO.




Access Restrictions to and Accountability for Resources and Records

                                           Internal control standard: Access to resources and records should be
                                           limited to authorized individuals, and accountability for their custody
                                           and use should be assigned and maintained. Periodic comparison of
                                           resources with the recorded accountability should be made to help
                                           reduce the risk of errors, fraud, misuse, or unauthorized alteration.


                                           Because IRS is responsible for maintaining accountability over a large
                                           volume of cash and checks, it is imperative that it maintain strong controls
                                           to appropriately restrict access to those assets, the records relied on to
                                           track those assets, and sensitive taxpayer information. Our financial
                                           audits over the years have identified control deficiencies related to
                                           (1) ensuring that individuals with direct access to cash and checks
                                           receive appropriate background investigations before being granted
                                           access to taxpayer receipts and information and (2) maintaining effective
                                           access security control. The following four short-term recommendations
                                           in table 4 are intended to help IRS improve its access restrictions to
                                           assets and records.

Table 4: Open Recommendations to Improve IRS’s Access Restrictions to and Accountability for Resources and Records

ID no.     Recommendation
10-29      Analyze the various contractor access arrangements and establish a policy that requires security awareness training for
           all IRS contractors who are provided unescorted physical access to its facilities or taxpayer receipts and information.
           (short-term)
11-11      Perform a review of all existing contracts under $100,000 that (1) do not have an appointed contracting officer’s technical
           representative (COTR) and (2) do not require that contract employees obtain background investigations to assess
           whether the services performed under each contract warrant a requirement that contract employees obtain background
           investigations. (short-term)
11-12      Based on a review of all existing contracts under $100,000 without an appointed COTR that should require contract
           employees to obtain favorable background investigation results, amend those contracts to require that favorable
           background investigations be obtained for all relevant contract employees before routine, unescorted, unsupervised
           physical access to taxpayer information is granted. (short-term)
11-13      Establish a policy requiring collaborative oversight between IRS’s key offices in determining whether potential service
           contracts involve routine, unescorted, unsupervised physical access to taxpayer information, thus requiring background
           investigations, regardless of contract award amount. This policy should include a process for the requiring business unit
           to communicate to the Office of Procurement and the Human Capital Office the services to be provided under the contract
           and any potential exposure of taxpayer information to contract employees providing the services, and for all three units to
           (1) evaluate the risk of exposure of taxpayer information prior to finalizing and awarding the contract and (2) ensure that
           the final contract requires favorable background investigations as applicable, commensurate with the assessed risk.
           (short-term)
                                           Source: GAO.




Proper Recording and Documenting of Transactions

                               IRS has a number of control deficiencies related to recording
                               transactions, documenting events, and tracking the processing of
                               taxpayer receipts or information. IRS has outstanding recommendations
                               in the following three control activities related to proper recording and
                               documenting of transactions: (1) appropriate documentation of
                               transactions and internal controls, (2) accurate and timely recording of
                               transactions and events, and (3) proper execution of transactions and
                               events.



Appropriate Documentation of Transactions and Internal Control

                               Internal control standard: Internal control and all transactions and other
                               significant events need to be clearly documented, and the
                               documentation should be readily available for examination. The
                               documentation should appear in management directives, administrative
                               policies, or operating manuals and may be in paper or electronic form.
                               All documentation and records should be properly managed and
                               maintained.


                               IRS collects and processes trillions of dollars in taxpayer receipts
                               annually both at its own facilities and at lockbox banks under contract to
                               process taxpayer receipts for the federal government. Therefore, it is
                               important that IRS maintain effective controls to ensure that all
                               documents and records are properly and timely recorded, managed, and
                               maintained both at its facilities and at the lockbox banks. In this regard, it
                               is critical that IRS adequately document and disseminate its procedures
                               to ensure that they are available for IRS employees. IRS must also
                               document its management reviews of controls, such as those regarding
                               refunds and returned checks, document transmittals, and reviews of
                               Taxpayer Assistance Center (TAC) operations. To ensure future
                               availability of adequate documentation, IRS must ensure that (1) its
                               systems, particularly those now being developed and implemented, have
                               appropriate capability to identify and trace individual transactions and (2)
                               all critical steps in its accounting processes are adequately documented.
                               Resolving the following eight recommendations in table 5 would assist
                               IRS in improving its documentation of transactions and related internal
                               control procedures. All of these recommendations are correctible in the
                               short term.




Table 5: Open Recommendations to Improve IRS’s Documentation of Transactions and Internal Control

ID no.     Recommendation
05-39      Enforce requirements for documenting monitoring actions and supervisory review for manual refunds. (short-term)
06-02      Enforce compliance with existing requirements that all IRS units transmitting taxpayer receipts and information from one
           IRS facility to another, including service center campuses (SCC), Taxpayer Assistance Centers (TAC), and units within
           the Large Business and International (LB&I) and the Tax-Exempt and Government Entities (TE/GE) business operating
           units, establish a system to track acknowledged copies of document transmittals. (short-term)
11-24      Revise the post orders for the SCC and lockbox bank security guards to include specific procedures for timely reporting
           exterior lighting outages to SCC or lockbox bank facilities management. These procedures should specify (1) whom to
           contact to report lighting outages and (2) how to document and track lighting outages until resolved. (short-term)
12-05      Update IRS’s procedures for comparing tax revenue recorded in the general ledger to detailed tax revenue transactions
           recorded in the master files to (1) establish minimum criteria defining a significant or unusual variance and (2) specify the
           steps required to effectively evaluate and resolve these variances. (short-term)
12-06      Update IRS’s procedures for comparing tax revenue recorded in the general ledger to detailed tax revenue transactions
           recorded in the master files to require that management reviews ensure preparers evaluate and resolve unusual or
           significant variances. (short-term)
12-13      Revise existing written procedures to require supervisory review of the Computer-Aided Facilities Management (CAFM)
           Quarterly Review Certifications and Statistics against the Graphic Database Interface system (GDI) validation
           walkthrough sheets. (short-term)
12-14      Establish mechanisms to monitor the implementation of and compliance with the revised policy established in October
           2011 that requires field CAFM program managers to maintain GDI Quarterly Review documentation, including GDI
           validation walkthrough sheets and GDI Quarterly Review certifications. (short-term)
12-15      Establish mechanisms to monitor the implementation of and compliance with the revised policy established in October
           2011 that defines the type of errors that should be captured on the CAFM Quarterly Review Certifications to help ensure
           that field CAFM program managers consistently compile the errors found in their quarterly reviews for compilation in the
           overall CAFM Quarterly Review Statistics. (short-term)
                                            Source: GAO.




Accurate and Timely Recording of Transactions and Events

                                            Internal control standard: Transactions should be promptly recorded to
                                            maintain their relevance and value to management in controlling
                                            operations and making decisions. This applies to the entire process or
                                            life cycle of a transaction or event from the initiation and authorization
                                            through its final classification in summary records. In addition, control
                                            activities help to ensure that all transactions are completely and
                                            accurately recorded.



                                            IRS has stewardship responsibility for maintaining sensitive records of
                                            tens of millions of taxpayers in addition to its responsibility for maintaining
                                            its own financial records. To maintain these records, IRS often has to rely
                                            on outdated computer systems or manual work-arounds. Unfortunately,
                                            some of IRS’s recordkeeping difficulties we have reported on over the
                                            years will not be fully addressed until it can replace its aging systems, an
                                            effort that is long term and, in part, dependent on obtaining future funding.

                                           Implementation of the following 16 recommendations in table 6 would
                                           strengthen IRS’s recordkeeping abilities. Fifteen of these
                                           recommendations are short term, and one is long term regarding
                                           requirements for new systems for maintaining taxpayer records. Several
                                           of the recommendations listed deal with financial reporting processes,
                                           such as maintaining subsidiary records, recording budgetary transactions,
                                           and tracking program costs. Some of the control deficiencies that gave
                                           rise to several of our recommendations directly affect taxpayers, such as
                                           those involving duplicate assessments and errors in calculating and
                                           reporting interest and penalties. One of these recommendations has
                                           remained open for over 10 years, reflecting the complex nature of the
                                           underlying systems control deficiencies that must be resolved to fully
                                           address some of these control deficiencies.

Table 6: Open Recommendations to Improve IRS’s Accurate and Timely Recording of Transactions and Events

ID no.    Recommendation
99-01     Manually review and eliminate duplicate or other assessments that have already been paid off to assure that all accounts
          related to a single assessment are appropriately credited for payments received. (short-term)
08-06     In instances where computer programs that control penalty assessments are not functioning in accordance with the intent
          of the Internal Revenue Manual (IRM), take appropriate action to correct the programs so that they function in accordance
          with the IRM. (long-term)
10-01     Review the results of IRS’s unpaid assessments compensating statistical estimation process to identify and document
          instances where systemic limitations in the Custodial Detail Data Base (CDDB) resulted in misclassifications of account
          balances that, in turn, resulted in material inaccuracies in the amounts of reported unpaid assessments. (short-term)
10-02     Research and implement programming changes to allow CDDB to more accurately classify such accounts among the
          three categories of unpaid tax assessments. (short-term)
10-03     Research and identify control weaknesses resulting in inaccuracies or errors in taxpayer accounts that materially affect
          the financial reporting of unpaid tax assessments. (short-term)
10-04     Once IRS identifies the control weaknesses that result in inaccuracies or errors that materially affect the financial reporting
          of unpaid tax assessments, implement control procedures to routinely prevent, or to detect and correct, such errors.
          (short-term)
11-04     Establish formal written procedures requiring staff to review purchase contract terms against the goods and services
          received to date before requesting additional goods or services. (short-term)
11-05     Establish procedures to centrally review and monitor the timeliness of personnel action requests and approvals to help
          ensure compliance with the IRM and applicable Office of Personnel Management (OPM) regulations and guidance.
          (short-term)
11-26     Take steps to effectively implement the procedures requiring property staff to verify that the asset purchase price shown in
          the Asset Management Report agrees with the asset purchase price shown in the Integrated Financial System (IFS) and
          to resolve any variances before entering the information into the Information Technology Asset Management System
          (ITAMS). (short-term)
12-07     Establish and document procedures for ensuring that recorded reimbursable revenue, transfers in without reimbursement,
          and accounts receivable from the Department of the Treasury Forfeiture Fund (TFF) conform to federal accounting
          standards. (short-term)
12-16     Establish procedures to require the Office of Financial Reporting to ensure that extracted Graphic Database Interface
          system (GDI) data used to calculate the leasehold improvement disposal estimate is complete and accurate. (short-term)
12-20     Establish a mechanism to periodically monitor contracting officers and contracting officers’ technical representatives
          (COTR) compliance with the requirement to obtain and document end user confirmation of receipt prior to entering receipt
          and acceptance into the procurement system. (short-term)
12-21     Establish a mechanism for monitoring compliance with the existing requirement for employees and timekeepers to charge
          labor time spent on the Patient Protection and Affordable Care Act (PPACA) projects to the PPACA accounting code,
          such as through issuing periodic alerts, providing training and guidance, and/or having managers perform periodic reviews
          of employee labor time charges. (short-term)
12-22     Design and implement procedures specifying the review steps required to identify and research all transactions identified
          with a PPACA internal order number in the agency’s expense files to confirm that they are PPACA-related expenses and,
          if so, to ensure that they are charged to the PPACA appropriation where appropriate. (short-term)
12-26     Implement an edit control in IRS’s time card system to identify and prevent the processing of timecards that have not been
          electronically signed. (short-term)
12-30     Establish and document procedures for payroll staff to research and correct recycled errors from payroll processing on a
          regular and timely basis. (short-term)
                                          Source: GAO.



Proper Execution of Transactions and Events

                                          Internal control standard: Transactions and other significant events
                                          should be authorized and executed only by persons acting within the
                                          scope of their authority. This is the principal means of ensuring that
                                          only valid transactions to exchange, transfer, use, or commit resources
                                          and other events are initiated or entered into. Authorizations should be
                                          clearly communicated to managers and employees.


                                          IRS has thousands of leases that must be managed and properly
                                          recorded in its property records. IRS also has thousands of employees
                                          whose time and attendance must be properly recorded and approved so
                                          that IRS can appropriately manage its payroll expenditures. The following
                                          five short-term recommendations in table 7 would improve IRS’s controls
                                          over those areas.

Table 7: Open Recommendations to Improve IRS’s Proper Execution of Transactions and Events

ID no.    Recommendation
12-17     Implement the revised January 2012 procedures requiring comparison of the leases used in the prior year with the current
          year leases to help ensure that expired leases have not been extended and thus, are only counted once in the disposal
          estimates. (short-term)
12-18     Implement the revised January 2012 procedures requiring preparation and review of leasehold improvement disposal
          calculations quarterly. (short-term)
12-23    Revise the payroll standard operating procedures to specify steps that the human resource specialists are required to
         follow to ensure that each electronic time card is signed by an authorized official before the timecard is transmitted to the
         National Finance Center for processing and payment. (short-term)
12-24    Revise the payroll standard operating procedures to require that the designated proxy for a manager required to approve
         time cards be at an equivalent or higher level as the manager, consistent with the Internal Revenue Manual (IRM).
         (short-term)
12-25    Incorporate in the planned 2012 policy change requiring the manager or designated proxy to sign the electronic time card
         before transmitting payroll records to the National Finance Center the requirement that the designated proxy be at an
         equivalent or higher level than the employee’s manager. (short-term)
                                          Source: GAO.




Effective Management Review and Oversight

                                          All personnel within IRS have an important role in establishing and
                                          maintaining effective internal control, but IRS’s managers have additional
                                          review and oversight responsibilities. Management must monitor and
                                          evaluate controls to ensure that they are followed. Without adequate
                                          monitoring by managers, there is a risk that internal control activities may
                                          not be carried out effectively and in a timely manner. IRS has outstanding
                                          recommendations in the following three control activities related to
                                          effective management review and oversight: (1) reviews by management
                                          at the functional or activity level, (2) establishment and review of
                                          performance measures and indicators, and (3) management of human
                                          capital.


Reviews by Management at the Functional or Activity Level

                                          Internal control standard: Managers need to compare actual
                                          performance to planned or expected results throughout the organization
                                          and analyze significant differences.


                                          IRS is responsible for managing a large, complex organization. It employs
                                          and must oversee the activities of over 100,000 full-time and seasonal
                                          employees, which includes managing related personnel actions. IRS is
                                          also responsible for overseeing lockbox banks that process tens of
                                          thousands of individual receipts totaling hundreds of billions of dollars,
                                          monitoring the work of hundreds of contractors and numerous off-site
                                          processing facilities, issuing tax refunds, managing tax liens, and
                                          preparing financial records.

                                          Effective management oversight of such large, complex operations is
                                          imperative for IRS to effectively and efficiently accomplish its mission.
                                          Implementing the following 17 short-term and 1 long-term
                                          recommendations in table 8 would improve IRS’s management oversight
                                          of its operations. One of these recommendations has remained open for
                                             over 10 years, reflecting the complexities of the deficiencies involved in
                                             ensuring that tax liens are released timely.

Table 8: Open Recommendations to Improve IRS’s Reviews by Management at the Functional or Activity Level

ID no.     Recommendation
01-06      Implement procedures to closely monitor the release of tax liens to ensure that they are released within 30 days of the
           date the related tax liability is fully satisfied. As part of these procedures, IRS should carefully analyze the causes of the
           delays in releasing tax liens identified by our work and prior work by IRS’s former internal audit function and ensure that
           such procedures effectively address these issues. (short-term)
05-33      Enforce the requirement that a document transmittal form listing the enclosed Daily Report of Collection Activity forms be
           included in transmittal packages, using such methods as more frequent inspections or increased reliance on error reports
           compiled by the service center teller units receiving the information. (short-term)
05-38      Enforce requirements for monitoring accounts and reviewing monitoring of accounts for manual refunds. (short-term)
08-14      Revise the Internal Revenue Manual (IRM) to include a requirement that IRS conduct periodic, unannounced inspections
           at off-site contractor facilities entrusted with sensitive IRS information; document the results, including identification of any
           security issues; and verify that the contractor has taken appropriate corrective actions on any security issues observed.
           (short-term)
09-05      Establish procedures to track and routinely report the total dollar amounts and volumes of receipts collected by individual
           Taxpayer Assistance Center (TAC) location, group, territory, area, and nationwide. (long-term)
11-01      Put procedures in place to periodically monitor the effectiveness of the new First-time Homebuyer Credit (FTHBC) validity
           checks for the duration of the filing of FTHBC claims to verify that they are working as intended. (short-term)
11-02      Establish a mechanism to enforce the existing requirement for appropriate managers to immediately notify the manual
           refund units of any personnel changes affecting the approval or processing of manual refunds. This may be accomplished
           through mechanisms such as issuing periodic alerts, providing training or having the manual refund unit perform quarterly
           validations of the list of manual refund approving officials, or a combination of these. (short-term)
11-25      Revise the nature and scope of the service center campuses’ (SCC) and lockbox banks’ physical security reviews to
           include periodic after dark assessments of physical security controls. (short-term)
12-01      Establish and document an inventory of the specific systems involved in IRS’s financial reporting process, including
           (1) describing what role each system plays in the financial reporting process, (2) concluding whether each system is
           considered to be material to financial reporting and why, and (3) denoting whether each system is controlled by IRS or by
           an external service provider and, if the latter, identifying the service provider. (short-term)
12-02      Enhance existing policies and procedures pertaining to monitoring internal control over the automated systems operated
           by IRS personnel to specifically provide for routine, documented monitoring of the specific internal controls within its
           financial reporting systems that are intended to ensure the integrity of the data reported in the financial statements and
           other financial reports. This monitoring process should (1) involve both automated systems specialists and individuals with
           expertise in accounting and reporting, as appropriate, (2) encompass the specific automated internal controls that affect
           the authorizing, processing, transmitting, or reporting of material financial transactions, and (3) be designed to determine
           whether these internal controls are in place and operating effectively. (short-term)
12-03      For any system identified as material to IRS’s financial reporting process which is controlled by an external service
           provider, establish policies and procedures requiring and defining a routine, documented process for coordinating with the
           service provider to appropriately monitor related internal control. This may entail establishing an agreement with each
           service provider to allow IRS personnel the access to either (1) the system concerned, as necessary to perform
           appropriate monitoring of internal control over financial reporting, or (2) periodic reports prepared in accordance with
           Statements on Standards for Attestation Engagements (SSAE) No. 16 documenting the results of monitoring performed
           by the service provider. (short-term)
12-04    Establish policies and procedures with respect to any external financial reporting system IRS personnel themselves do not
         directly monitor that specify required steps to routinely review periodic reports prepared by service providers’ auditors in
         accordance with SSAE No. 16, including steps to document (1) an assessment of whether a review’s scope,
         methodology, and timing are appropriate to satisfy IRS’s objectives; (2) any control deficiencies disclosed in the report, and
         an assessment of their materiality to IRS’s financial reporting process and related risks; and (3) any compensating internal
         controls needed to mitigate any actual or potential effects of identified deficiencies upon IRS’s internal and external
         financial reports resulting from any (a) material weakness, or (b) significant shortcoming in the scope, methodology, or
         timing of any SSAE No. 16 report reviewed relative to IRS’s internal control objectives. (short-term)
12-08    Establish requirements specifying a required time frame for territory managers to perform the required review and
         approval of completed audit management checklists. (short-term)
12-09    Establish procedures requiring Physical Security and Emergency Preparedness (PSEP) headquarters to centrally monitor
         compliance with the audit management checklist process to ensure that (1) PSEP analysts timely complete their physical
         security reviews using the proper audit management checklists and (2) territory managers timely review and properly
         document their reviews of completed audit management checklists. (short-term)
12-11    Implement the September 2011 revised policy that requires an independent review of the rent check summary report to
         help ensure that the monthly rent allocation process is properly completed. (short-term)
12-12    Establish a policy requiring an independent review of changes made by the rent processing administrator to non-GSA
         lease data in the Graphic Database Interface system (GDI). (short-term)
12-28    Establish procedures for human resource specialists to track and monitor supervisory actions taken for employees with
         less than fully successful ratings that have a within-grade pay increase due date within 90 days to include specific
         required steps for following up with managers to ensure the managers properly issue the employees a 60-day notification
         letter providing them an opportunity to improve their performance, make a timely determination on releasing or denying a
         within-grade pay increase, and properly carry out the requirements necessary to support the decision made. (short-term)
12-29    Establish procedures for HR specialists to track and monitor supervisory actions taken for employees with less than fully
         successful ratings that have a within-grade pay increase due date within 90 days to include specific required steps for
         timely granting a within-grade pay increase to such employees who were not given a 60-day notification letter.
         (short-term)
                                          Source: GAO.



Establishment and Review of Performance Measures and Indicators

                                           Internal control standard: Activities need to be established to monitor
                                           performance measures and indicators. These controls could call for
                                           comparisons and assessments relating different sets of data to one
                                           another so that analyses of the relationships can be made and
                                           appropriate actions taken. Controls should also be aimed at validating
                                           the propriety and integrity of both organizational and individual
                                           performance measures and indicators.



                                          IRS’s operations include a wide range of activities, including educating
                                          taxpayers, processing taxpayer receipts and data, disbursing hundreds of
                                          billions of dollars in refunds to millions of taxpayers, maintaining extensive
                                          information on tens of millions of taxpayers, and seeking collection from
                                          individuals and businesses that fail to comply with the nation’s tax laws.
                                          Within its compliance function, IRS has numerous activities, including
                                         identifying businesses and individuals that underreport income, collecting
                                         from taxpayers who do not pay taxes, and collecting from those receiving
                                         refunds to which they are not entitled. Consequently, it is vitally important
                                         for IRS to have sound performance measures and related data to assist it
                                         in assessing its performance and targeting resources to maximize the
                                         return on investment.

                                         The following long-term recommendation in table 9 is designed to assist
                                         IRS in evaluating its operations and determining which activities are the
                                         most beneficial. This recommendation is directed at improving IRS’s
                                         ability to measure and evaluate program performance costs, benefits, and
                                         operational outcomes—particularly with regard to identifying
                                         its most cost-effective tax collection activities.

Table 9: Open Recommendation to Improve IRS’s Establishment and Review of Performance Measures and Indicators

ID no.     Recommendation
09-16      Develop outcome-oriented performance measures and related performance goals for IRS’s enforcement programs and
           activities that include measures of the full cost of, and the revenue collected from, those programs and activities
           (return on investment) to assist IRS’s managers in optimizing resource allocation decisions and evaluating the
           effectiveness of their activities. (long-term)
                                         Source: GAO.



Management of Human Capital

                                           Internal control standard: Effective management of an organization’s
                                           workforce—its human capital—is essential to achieving results and an
                                           important part of internal control. Management should view human
                                           capital as an asset rather than a cost. Only when the right personnel for
                                           the job are on board and are provided the right training, tools, structure,
                                           incentives, and responsibilities is operational success possible.
                                           Management should ensure that skill needs are continually assessed
                                           and that the organization is able to obtain a workforce that has the
                                           required skills that match those necessary to achieve organizational
                                           goals. Training should be aimed at developing and retaining employee
                                           skill levels to meet changing organizational needs. Qualified and
                                           continuous supervision should be provided to ensure that internal
                                           control objectives are achieved. Performance evaluation and feedback,
                                           supplemented by an effective reward system, should be designed to
                                           help employees understand the connection between their performance
                                           and the organization’s success. As a part of its human capital planning,
                                           management should also consider how best to retain valuable
                                           employees, plan for their eventual succession, and ensure continuity of
                                           needed skills and abilities.



                                           IRS’s operations cover a wide range of technical activities requiring
                                           specific expertise in tax-related matters; financial management; and
                                           systems design, development, and maintenance. Because IRS has tens
                                           of thousands of employees spread throughout the country, it is imperative
                                           that management establish and maintain up-to-date guidance and provide
                                           appropriate training for its staff. Taking action to implement the following
                                           three recommendations in table 10, which are correctible in the short
                                           term, would assist IRS in its management of human capital.

Table 10: Open Recommendations to Improve IRS’s Management of Human Capital

ID no.    Recommendation
07-08     Require that managers or supervisors provide the manual refund initiators in their units with training on the most current
          requirements to help ensure that they fulfill their responsibilities to monitor manual refunds and document their monitoring
          actions to prevent the issuance of duplicate refunds. (short-term)
12-19     Provide training to contracting officers and contracting officers’ technical representatives (COTR) on their specific
          procedural requirements for obtaining and maintaining end user documentation of receipt and acceptance of the good or
          service prior to entering acknowledgment of receipt and acceptance in the procurement system. (short-term)
12-27     Remind managers of their responsibilities, procedures, and required time frames for either granting or denying a
          within-grade pay increase for employees with below fully successful ratings, such as by providing alerts in HR Connect when a
          manager enters a less than fully successful rating or providing training to remind them of their responsibilities. (short-term)
                                           Source: GAO.



Concluding Observations

                                           Increased budgetary pressures and an increased public awareness of the
                                           importance of maintaining effective accountability over trillions of dollars
                                           of tax receipts and sensitive taxpayer data have served to provide
                                           additional pressure on IRS to carry out its mission more efficiently and
                                           effectively. As such, sound financial management and effective internal
                                           controls are essential if IRS is to efficiently and effectively achieve its
                                           goals.

                                           IRS has made substantial progress in improving its financial management
                                           and internal control since its first financial audit, as evidenced by
                                           unqualified audit opinions on its financial statements for the past
                                           12 years, resolution of several material internal control weaknesses,
                                           significant deficiencies, and other control deficiencies, and actions taken
                                           resulting in the closure of hundreds of financial management
                                           recommendations. This progress has been the result of hard work by
                                           many individuals throughout IRS and sustained commitment of IRS
                                           leadership. Nonetheless, more needs to be done to fully address the
                                           agency’s continuing financial management challenges—resolving
                                           material weaknesses and significant deficiencies in internal control;
                                           developing outcome-oriented performance metrics that can facilitate
                                           managing operations for outcomes; and correcting numerous other
                     control deficiencies. Effective implementation of the recommendations we
                     have made through our financial audits and related work could greatly
                     assist IRS in improving its ability to effectively and efficiently carry out its
                     mission.


Agency Comments and Our Evaluation

                     In commenting on a draft of this report, the IRS Commissioner expressed
                     his appreciation for our acknowledgment of the agency’s progress in
                     addressing its financial management challenges as evidenced by our
                     closure of 38 open financial management recommendations from prior
                     GAO reports. The IRS Commissioner also stated that the agency is
                     committed to implementing appropriate improvements to ensure that it
                     maintains sound financial management practices. We will review the
                     effectiveness of further corrective actions IRS has taken or will take to
                     address all open recommendations as part of our audit of IRS’s fiscal
                     year 2012 financial statements.

                     We are sending copies of this report to the Chairmen and Ranking
                     Members of the Senate Committee on Appropriations; Senate Committee
                     on Finance; Senate Committee on Homeland Security and Governmental
                     Affairs; and Subcommittee on Taxation, IRS Oversight and Long-Term
                     Growth, Senate Committee on Finance. We are also sending copies to
                     the Chairmen and Ranking Members of the House Committee on
                     Appropriations; House Committee on Ways and Means; the Chairman
                     and Vice Chairman of the Joint Committee on Taxation; the Secretary of
                     the Treasury; the Acting Director of OMB; the Chairman of the IRS
                     Oversight Board; and other interested parties. The report is also available
                     at no charge on the GAO website at http://www.gao.gov.

                     If you or your staff have any questions concerning this report, please
                     contact me at (202) 512-3406 or sebastians@gao.gov. Contact points for
                     our Offices of Congressional Relations and Public Affairs may be found
                     on the last page of this report. GAO staff who made major contributions to
                     this report are listed in appendix IV.

                     Sincerely yours,




                     Steven J. Sebastian
                     Managing Director
                     Financial Management and Assurance



Appendix I: Status of GAO Recommendations from Internal Revenue Service Financial Audits and Related Management Reports

                                            This appendix presents a summary of (1) the 77 previous GAO
                                            recommendations that were open as of the beginning of our fiscal year
                                            2011 financial audit, (2) Internal Revenue Service (IRS) reported status
                                            and corrective actions taken or planned for such recommendations as of
                                            March 2012, and (3) our analysis of whether the control deficiencies that
                                            gave rise to the recommendations have been effectively addressed. It
                                            also includes a summary of the status of the 30 new recommendations
                                            identified as part of our fiscal year 2011 financial statement audit. Table
                                            11 lists the recommendations by the year and recommendation number
                                            (ID no.) and also identifies the report in which the recommendation was
                                            made.

Table 11: Status of GAO Recommendations from Internal Revenue Service Financial Audits and Related Management Reports

ID no. Recommendation              Source report          Status per IRS                          Status per GAO
99-01 Manually review and          Internal Revenue       Open. IRS continues to conduct          Open. Although IRS has made
      eliminate duplicate or       Service: Immediate     quarterly Trust Fund Recovery           significant progress in this area, its
      other assessments that       and Long-Term          Penalty (TFRP) Quality Assurance        controls remain ineffective. While IRS
      have already been paid       Actions Needed to      Internal Compliance Reviews             implemented the ATFR system, which
      off to assure that all       Improve Financial      (QAICR) to assess the accuracy of       cross-references payments received
      accounts related to a        Management             the TFRP accounts. IRS staff            and automatically reduces the amounts
      single assessment are        (GAO/AIMD-99-16,       performed initial reviews of sampled    owed on all related accounts when a
      appropriately credited for   Oct. 30, 1998),        cases and the results were              payment is received from one related
      payments received.           page 14.               100 percent validated by                party, it is currently unable to process all
      (short-term)                                        headquarters staff. IRS used the        payments related to such cases. ATFR
                                                          review results to prepare quarterly     can only reduce the amounts owed on
                                                          and cumulative analyses of defects      all related accounts for about 56 percent
                                                          and error trends. Based on this, IRS    of TFRP payments that it receives; the
                                                          (1) prepared multiple work requests     remaining ones continue to require
                                                          to improve systemic processing on       manual processing. In 2010, IRS began
                                                          the Automated Trust Fund Recovery       conducting quarterly testing of TFRP
                                                          (ATFR) system and the Integrated        payment processing to identify and
                                                          Data Retrieval System (IDRS),           address the root cause of errors and
                                                          (2) updated and clarified applicable    delays. However, IRS’s actions have
                                                          Internal Revenue Manual (IRM)           not been completely successful, and
                                                          sections, (3) issued “HQ Alerts” to     during our fiscal year 2011 audit we
                                                          clarify procedures and offer advice     continued to find instances in which IRS
                                                          to ATFR system users to improve         did not properly record payments
                                                          the accuracy of TFRP processing,        received on all related taxpayer
                                                          and (4) updated and significantly       accounts. We will continue to monitor
                                                          expanded TFRP training                  IRS’s actions to address this
                                                          publications. IRS’s efforts to close    recommendation in our fiscal year 2012
                                                          this recommendation are dependent       audit to determine whether it
                                                          upon funding for the outstanding        (1) improves controls to ensure
                                                          work requests.                          duplicate assessments are accurately
                                                                                                  and timely credited for all payments
                                                                                                  received and (2) identifies and corrects
                                                                                                  balances of duplicate assessments
                                                                                                  affected by IRS’s failure to credit or
                                                                                                  accurately credit TFRP payments.




01-06 Implement procedures to     Internal Revenue        Open. IRS continues to conduct            Open. IRS has taken a number of
      closely monitor the         Service:                independent semi-annual Quality           actions over the years to improve its lien
      release of tax liens to     Recommendations to      Assurance internal reviews where          release processing, including the
      ensure that they are        Improve Financial and   IRS uses a cross-functional               creation of a comprehensive action plan
      released within 30 days     Operational             approach to examine and resolve           to address the various causes for lien
      of the date the related     Management              systemic and procedural issues for        release delays we identified, as well as
      tax liability is fully      (GAO-01-42, Nov. 17,    any new issues found. During the          those identified through its own reviews.
      satisfied. As part of       2000), page 42.         year, IRS addressed several causes        Over the past several years, IRS has
      these procedures, IRS                               of late lien releases which resulted in   steadily completed actions on this plan
      should carefully analyze                            fewer errors found than in the prior      and identified additional actions to
      the causes of the delays                            year’s internal reviews. IRS will         improve lien release timeliness. For
      in releasing tax liens                              share the results of its Quality          example, it completed various system
      identified by our work                              Assurance internal reviews with           enhancements to improve the
      and prior work by IRS’s                             GAO.                                      timeliness of recognizing when a
      former internal audit                                                                         taxpayer has fully satisfied the
      function and ensure that                                                                      outstanding tax liability. IRS also
      such procedures                                                                               continues to perform targeted reviews of
      effectively address these                                                                     areas where processing delays were
      issues. (short-term)                                                                          identified in the past. However, IRS’s
                                                                                                    actions have not been fully successful in
                                                                                                    addressing this issue. During our fiscal
                                                                                                    year 2011 audit, we continued to find
                                                                                                    that IRS did not always timely release
                                                                                                    liens. In IRS’s own testing of lien
                                                                                                    releases, it estimated that up to
                                                                                                    10.3 percent of liens were not released
                                                                                                    timely. Continued weaknesses in IRS’s
                                                                                                    controls over this area result in its
                                                                                                    noncompliance with Internal Revenue
                                                                                                    Code Section 6325, which requires IRS
                                                                                                    to release its tax liens within 30 days of
                                                                                                    the date the related tax liability is fully
                                                                                                    satisfied. We will continue to monitor
                                                                                                    IRS’s actions to address this
                                                                                                    recommendation during our fiscal year
                                                                                                    2012 audit.




01-17 Develop a subsidiary      Internal Revenue        Closed. Between 2001 and 2011,           Closed. IRS has made progress in
      ledger for leasehold      Service:                IRS continued to make                    implementing procedures to record
      improvements and          Recommendations to      improvements towards addressing          leasehold improvement costs as they
      implement procedures to   Improve Financial and   this recommendation. IRS                 occur. However, in lieu of developing a
      record leasehold          Operational             implemented the following                subsidiary ledger to determine the
      improvement costs as      Management              procedures to record leasehold           amount of leasehold improvement costs
      they occur. (long-term)   (GAO-01-42, Nov. 17,    improvement costs as they occur:         to post to its financial statements each
                                2000), page 74.         (1) routinely post leasehold             year as we recommended, IRS
                                                        improvement costs directly to asset      developed a methodology to estimate
                                                        accounts using the Integrated            the amount to post. During our fiscal
                                                        Financial System (IFS) and review        year 2011 audit, we identified both
                                                        monthly transactions of $50,000 and      limitations in the estimation
                                                        greater for all property accounts and    methodology as well as errors in
                                                        certain expense accounts to ensure       implementing the methodology. In order
                                                        correct classification of additions,     to provide a recommendation more
                                                        (2) maintain detailed records of         closely aligned with the current status of
                                                        asset purchases with current year        the remaining issues to be resolved, we
                                                        asset and expense database files,        are closing this recommendation and
                                                        and (3) track leased space and           have reported the remaining issues,
                                                        related leasehold improvements           along with a related recommendation for
                                                        using the Electronic Project             corrective action in our June 2012
                                                        Investment Process and Graphic           management report. (See
                                                        Database Interface system (GDI).         recommendation numbers 12-17, 12-18,
                                                                                                 and 12-19 in this report.)
05-32 Establish policies and    Management Report:      Closed. In September 2011, IRS           Closed. IRS published a revision to the
      procedures to require     Improvements            completed a process analysis that        IRM that clarified the segregation of
      appropriate segregation   Needed in IRS’s         included analyzing the risk posed by     duties between revenue officers and
      of duties in Small        Internal Controls       the assignment of duties in the          clerical personnel related to payment
      Business/Self Employed    (GAO-05-247R, April     Collection Field function remittance     posting vouchers, document
      (SB/SE) units of field    27, 2005), page 14.     process. Based on the findings of        transmittals, and transmittal packages.
      offices with respect to                           the process analysis, IRS concluded      We verified that IRS performed a
      preparation of Payment                            that the level of risk posed by the      process analysis of SB/SE remittance
      Posting Vouchers,                                 existing assignment of duties in the     processing practices as outlined in the
      Document Transmittal                              remittance process is low and            IRM.
      forms, and transmittal                            acceptable.
      packages. (short-term)




05-33 Enforce the requirement     Management Report:    Open. IRS conducted its review of         Open. IRS’s actions to date have not
      that a document             Improvements          the Operational Review findings and       been fully effective in addressing the
      transmittal form listing    Needed in IRS’s       the results of the review showed          issues that gave rise to this
      the enclosed Daily          Internal Controls     improvement in group manager              recommendation. During our fiscal year
      Report of Collection        (GAO-05-247R, April   compliance with control review            2011 audit, we observed that clerical
      Activity forms be           27, 2005), page 14.   requirements in all Collection areas      staff at three Small Business/Self
      included in transmittal                           but not to the desired level. IRS         Employed (SB/SE) offices we visited did
      packages, using such                              updated the IRM to further clarify the    not prepare Document Transmittal
      methods as more                                   control review requirements and           forms when transmitting multiple reports
      frequent inspections or                           submitted it to be published in           listing daily collection activity. In
      increased reliance on                             December 2011. IRS will do a              addition, in an internal review, IRS
      error reports compiled by                         follow-up review to ensure                found that group managers did not
      the service center teller                         compliance with the IRM.                  adequately perform or document
      units receiving the                                                                         required reviews of internal control
      information. (short-term)                                                                   procedures for tracking and monitoring
                                                                                                  taxpayer receipts transmitted between
                                                                                                  IRS locations. We will continue to
                                                                                                  evaluate IRS’s actions during our fiscal
                                                                                                  year 2012 audit.
05-38 Enforce requirements for    Management Report:    Open. IRS continues to enforce            Open. During our fiscal year 2011 audit,
      monitoring accounts and     Improvements          requirements to monitor accounts          we continued to find instances in which
      reviewing monitoring of     Needed in IRS’s       related to manual refunds. By March       manual refund initiators or individuals
      accounts for manual         Internal Controls     2012, IRS will update IRM 21.4.4,         responsible for centralized monitoring,
      refunds. (short-term)       (GAO-05-247R, April   Refund Inquiries, Manual Refunds,         or both, did not monitor accounts as
                                  27, 2005), page 20.   with additional guidance on required      required by the IRM, and supervisors
                                                        monitoring activities. IRS is also        did not verify that manual refund
                                                        enhancing its erroneous duplicate         initiators or those responsible for
                                                        manual refunds monthly reports to         centralized monitoring were following
                                                        provide more detail for follow-up         proper procedures for monitoring
                                                        when erroneous refunds are                manual refunds. We will continue to
                                                        identified and has automated the          evaluate the effectiveness of IRS’s
                                                        research portion of its monitoring        actions during our fiscal year 2012
                                                        process. IRS has (1) developed            audit.
                                                        mandatory training for manual
                                                        refund initiators and managers on
                                                        creating and documenting a manual
                                                        refund listing and (2) regularly
                                                        reminds managers to review and
                                                        document the employees’ monitoring
                                                        actions.




05-39 Enforce requirements for     Management Report:    Open. IRS continues to enforce           Open. During our fiscal year 2011 audit,
      documenting monitoring       Improvements          oversight of requirements to monitor     we continued to find instances in which
      actions and supervisory      Needed in IRS’s       manual refunds. IRS management           manual refund initiators or individuals
      review for manual            Internal Controls     performs weekly reviews of manual        responsible for centralized monitoring,
      refunds. (short-term)        (GAO-05-247R, April   refunds to ensure employees are          or both, did not monitor accounts as
                                   27, 2005), page 20.   monitoring and documenting their         required by the IRM, and supervisors
                                                         reviews as required. During fiscal       did not verify that manual refund
                                                         year 2012, IRS plans to (1) update       initiators or those responsible for
                                                         IRM 21.4.4, Refund Inquiries,            centralized monitoring were following
                                                         Manual Refunds, with additional          proper procedures for monitoring
                                                         guidance on required monitoring          manual refunds. We will continue to
                                                         activities and (2) review IRMs           evaluate the effectiveness of IRS’s
                                                         service-wide to ensure they are          actions during our fiscal year 2012
                                                         consistent with the manual refund        audit.
                                                         monitoring requirements in IRM
                                                         21.4.4.
06-01 Require that Refund          Management Report:    Closed. IRS requires all Refund          Closed. We verified that IRS included
      Inquiry Unit managers or     Improvements          Inquiry unit managers and                requirements in IRM 1.4.16.5 that
      supervisors document         Needed in IRS’s       supervisors to document their            Refund Inquiry Unit managers
      their review of all forms    Internal Controls     reviews of transmittal forms 3210.       document their review of all forms used
      used to record and           (GAO-06-543R, May     During site consistency reviews at       to record and transmit returned refund
      transmit returned refund     12, 2006), page 5.    two service center campuses (SCC)        checks prior to sending them for final
      checks prior to sending                            in June 2011 and August 2011, the        processing.
      them for final processing.                         Refund Inquiry team concluded that
      (short-term)                                       review and documentation
                                                         procedures were being completed
                                                         as required by IRM 1.4.16.5,
                                                         Monitoring and Reviews. As of
                                                         September 2011, IRS completed
                                                         actions to ensure the reviews of all
                                                         forms used to record and transmit
                                                         returned refund checks prior to final
                                                         processing had been completed.




06-02 Enforce compliance with      Management Report:    Closed. IRS has procedures in place       Open. IRS’s actions to date have not
      existing requirements        Improvements          to ensure compliance with tracking        fully addressed the issues that gave rise
      that all IRS units           Needed in IRS’s       acknowledgment of document                to our recommendation. During our
      transmitting taxpayer        Internal Controls     transmittals. In January 2011, IRS        fiscal year 2011 audit, we observed that
      receipts and information     (GAO-06-543R, May     revised the IRM to include guidance       two TACs’ tracking of
      from one IRS facility to     12, 2006), page 6.    on securing returned refund checks        acknowledged/unacknowledged
      another, including                                 and to require supervisory reviews of     document transmittal forms was
      service center campuses                            controls over outgoing remittances.       incomplete. Specifically, some
      (SCC), Taxpayer                                    In August through December 2011,          acknowledged forms were not included
      Assistance Centers                                 IRS conducted and documented the          on the Follow-up Review Log at one of
      (TAC), and units within                            results of internal security reviews at   those TACs and the Follow-up Review
      the Large Business and                             all submission processing (SP) sites      Log listed forms that were not supported
      International (LB&I) and                           to determine if managerial reviews        by control copies. At another TAC we
      the Tax-Exempt and                                 were being performed. IRS also            visited, TAC staff had not followed up
      Government Entities                                revised the IRM to outline                on all document transmittal forms that
      (TE/GE) business                                   procedures managers must follow           had not been acknowledged by the
      operating units, establish                         for maintaining the document              Submission Processing Center within
      a system to track                                  transmittal form review log. IRS          10 days. At all eight TACs we visited,
      acknowledged copies of                             conducted nine onsite TAC reviews         the format of the Follow-up Review Log
      document transmittals.                             in fiscal year 2011 to monitor            in use was not consistent with the IRM.
      (short-term)                                       compliance with the requirements for      At two of the TACs we visited, the
                                                         tracking acknowledged copies of           Follow-up Review Log was not being
                                                         document transmittal forms. A             used to track and follow up on all
                                                         review of the form review log itself      transmittal forms sent from the TACs.
                                                         led to including a lesson on proper       We will continue to evaluate IRS’s
                                                         completion, monitoring and tracking       enforcement of existing requirements to
                                                         of the review log in the fiscal year      track the transmittal of taxpayer receipts
                                                         2012 training for applicable staff and    and information from one facility to
                                                         managers. In January 2011, LB&I           another during our fiscal year 2012
                                                         issued its annual executive               audit.
                                                         memorandum to remind employees
                                                         of their responsibility to adhere to
                                                         the document transmittal procedures
                                                         found in existing IRMs. TE/GE
                                                         reviewed all appropriate IRM
                                                         sections to ensure the IRM
                                                         specifically addressed its system for
                                                         tracking taxpayer remittances and
                                                         the frequency and documentation to
                                                         be prepared during managerial
                                                         reviews. As a result, TE/GE revised
                                                         several IRM sections to strengthen
                                                         requirements for groups to maintain
                                                         a payment/remittance logbook.




06-04 Require that managers      Management Report:    Closed. IRS requires all managers        Closed. IRS revised the IRM to require
      or supervisors document    Improvements          and supervisors to document their        that TAC managers use a Follow-up
      their reviews of           Needed in IRS’s       review of the document transmittals      Review Log to document their review of
      document transmittals to   Internal Controls     used to transmit taxpayer receipts       document transmittals.
      ensure that taxpayer       (GAO-06-543R, May     and information from one IRS facility
      receipts and/or taxpayer   12, 2006), page 6.    to another. In January 2011, W&I SP
      information mailed                               updated IRM 3.8.47, Manual Deposit
      between IRS locations                            for Field Office Payment Processing,
      are tracked according to                         to include specific guidance on
      guidelines. (short-term)                         transmitting returned refund checks
                                                       and a requirement for supervisory
                                                       review of controls over outgoing
                                                       remittances. In November 2010,
                                                       W&I FA revised IRM 1.4.11.19.1,
                                                       Maintaining Form 795A/3210 Files,
                                                       to outline managerial procedures for
                                                       maintaining the document transmittal
                                                       form review log. FA included a
                                                       lesson on proper completion,
                                                       monitoring, and tracking of the
                                                       transmittal form review log in its
                                                       fiscal year 2012 training for FA staff
                                                       and managers. In January 2011,
                                                       LB&I issued its annual executive
                                                       memorandum to remind employees
                                                       of their responsibilities to adhere to
                                                       the transmittal form procedures on
                                                       tracking and monitoring returns. The
                                                       memorandum also reminded
                                                       managers to ensure preparation,
                                                       transmittal, and tracking
                                                       requirements are adhered to in the
                                                       annual assurance process and
                                                       oversight reviews. In November
                                                       2010, the Director, TE/GE Exempt
                                                       Organizations (EO), Exam, issued a
                                                       memorandum to all managers
                                                       instructing them to ensure timely and
                                                       accurate remittance processing.
                                                       TE/GE instructed each Exam
                                                       Director to obtain a copy of the
                                                       operational review check-sheet used
                                                       by second-level managers to
                                                       document that the second-level
                                                       manager checked for the existence
                                                       of a transmittal form logbook and
                                                       that they were reviewing it regularly.
                                                       TE/GE also ensured that all
                                                       Government Entities Field Group
                                                       Operational Reviews included
                                                       discussions on the need for retaining
                                                       and reviewing the transmittal form
                                                       logbooks.




06-05 Equip all Taxpayer            Management Report:    Open. IRS continues to identify          Open. IRS’s efforts to address our
      Assistance Centers            Improvements          priority locations for TAC model build   recommendation are ongoing. Because
      (TAC) with adequate           Needed in IRS’s       out by evaluating TAC sites and          of limited construction funding and
      physical security controls    Internal Controls     customer feedback. Priority status       complexity of scheduling, IRS cannot
      to deter and prevent          (GAO-06-543R, May     goes to sites with security, safety      give definitive implementation dates for
      unauthorized access to        12, 2006), page 8.    and environmental health concerns.       all locations. In the interim, IRS
      restricted areas or office                          Of the 401 TAC locations, 270 have       continues to use other solutions to help
      space occupied by other                             the model TAC with another               secure non-model TACs including
      IRS units, including                                16 scheduled for completion prior to     theater rope or other barriers, signage,
      those TACs that are not                             the 2012 filing season. IRS will build   and minor alterations. We will continue
      scheduled to be                                     out all TACs in compliance with the      to evaluate IRS’s actions during our
      reconfigured to the “new                            security guidelines proposed by          fiscal year 2012 audit.
      TAC” model in the near                              IRS’s Physical Security and
      future. This includes                               Emergency Preparedness (PSEP)
      appropriately separating                            office. Due to limited construction
      customer service waiting                            funding and complexity of
      areas from restricted                               scheduling, IRS cannot give
      areas in the near future                            definitive implementation dates for
      by physical barriers,                               all locations. In the interim, IRS
      such as locked doors                                continues to use other solutions to
      marked with signs                                   help secure non-model TACs
      barring entrance by                                 including theater rope or other
      unescorted customers.                               barriers, signage, and minor
      (short-term)                                        alterations.
07-04 Develop and implement         Management Report:    Closed. IRS developed and                Open. IRS’s actions to date have not
      appropriate corrective        Improvements          implemented an action plan               fully addressed the issues that gave rise
      actions for any gaps in       Needed in IRS’s       requiring all SCCs to (1) perform and    to our recommendation. In response to
      closed circuit television     Internal Controls     validate completion of an                this recommendation, IRS required
      (CCTV) camera                 (GAO-07-689R, May     assessment of their CCTV system to       Territory Managers and Area Directors
      coverage that do not          11, 2007), page 7.    ascertain if it provided an              to validate that their SCC CCTV
      provide an unobstructed                             unobstructed view of the exterior of     cameras (1) are compliant with IRM
      view of the entire exterior                         the campus perimeter and                 10.2.14 (Methods of Providing
      of the service center                               (2) identify problems and planned        Protection), (2) are not obstructed,
      campus’s (SCC)                                      corrective actions needed to mitigate    (3) have a clear view of the entire
      perimeter, such as                                  any identified problems. All SCCs        exterior perimeter, and that (4) repairs
      adding or repositioning                             validated completion of the CCTV         are completed timely. However, during
      existing CCTV cameras                               assessment and IRS identified a          the validation process, IRS identified
      or removing                                         total of 16 problems. IRS                numerous gaps and/or obstacles in
      obstructions. (short-term)                          management monitored progress            CCTV coverage at several of its SCCs.
                                                          and received monthly reports on the      During our fiscal year 2011 audit, we
                                                          corrective actions status. All           continued to find problems with SCCs’
                                                          corrective actions have been             CCTV coverage. At one of the three
                                                          addressed. Fourteen problems were        SCCs we visited, we found that the
                                                          corrected and management                 coverage areas for two surveillance
                                                          determined the remaining two met         cameras were obstructed and that one
                                                          an acceptable level of risk. SCCs        of the other cameras was not
                                                          continue to monitor their CCTV           functioning properly. We will evaluate
                                                          systems to ensure an unobstructed        IRS’s corrective actions for gaps in
                                                          view.                                    CCTV coverage during our fiscal year
                                                                                                   2012 audit.




ID no. Recommendation                  Source report         Status per IRS                           Status per GAO
07-08 Require that managers            Management Report:    Closed. As of December 2011, each        Open. IRS’s reported actions were
      or supervisors provide           Improvements          Business Operating Division certified    completed subsequent to our fiscal year
      the manual refund                Needed in IRS’s       that all employees who initiate,         2011 audit. We will follow up on IRS’s
      initiators in their units        Internal Controls     approve and/or monitor manual            progress in achieving the objectives of
      with training on the most        (GAO-07-689R, May     refunds have completed the manual        this recommendation during our fiscal
      current requirements to          11, 2007), page 9.    refund training.                         year 2012 audit.
      help ensure that they
      fulfill their responsibilities
      to monitor manual
      refunds and document
      their monitoring actions
      to prevent the issuance
      of duplicate refunds.
      (short-term)
07-20 Establish and maintain           Management Report:    Closed. In March 2009, IRS               Closed. IRS established procedures to
      sufficient secured               Improvements          implemented procedures for               ensure that sufficient secured space
      storage space to                 Needed in IRS’s       requesting secured storage space         was available for all property and
      properly secure and              Internal Controls     through the Employee Resource            equipment not currently in use. During
      safeguard property and           (GAO-07-689R, May     Center (ERC). Requesters initiate an     our fiscal year 2011 audit, we observed
      equipment inventory,             11, 2007), page 20.   ERC ticket requesting a “Property        that IRS implemented these
      including in-stock                                     Consultation” which will engage Real     procedures. Specifically, we observed
      inventories, assets from                               Estate and Facilities Management         that there was adequate storage space
      incoming shipments, and                                (REFM) to work with the requester        and the storage areas were restricted.
      assets that are in the                                 on obtaining the needed secured          In addition, we observed the use of
      process of being                                       storage space. In October 2009, IRS      control logs to track incoming and
      excessed or shipped out,                               published the Asset Management           outgoing assets.
      or both. (short-term)                                  Policy Directive AM044 to improve
                                                             the asset control procedures for all
                                                             in-stock equipment to prevent the
                                                             theft or loss.
08-06 In instances where               Management Report:    Open. IRS formed a cross-functional      Open. While IRS continues to complete
      computer programs that           Improvements          working group that continues to          corrective actions to address the
      control penalty                  Needed in IRS’s       identify and assess penalty and          programming issues identified from its
      assessments are not              Internal Controls     interest issues. Since the group’s       internal review and is continuing to work
      functioning in                   (GAO-08-368R, June    inception, IRS has implemented           on others, it has not yet completed all of
      accordance with the              4, 2008), page 10.    programming corrections for 11 of        its planned programming corrections.
      intent of the IRM, take                                the 19 issues. IRS tested six of         We will continue to review IRS’s
      appropriate action to                                  these programming changes and            corrective actions to address this
      correct the programs so                                determined that they were                recommendation during our fiscal year
      that they function in                                  successful. IRS will continue to work    2012 audit.
      accordance with the                                    these issues until all 19 issues are
      IRM. (long-term)                                       corrected.




ID no. Recommendation              Source report         Status per IRS                           Status per GAO
08-07 Develop and provide          Management Report:    Closed. As of September 2011, IRS        Closed. We verified that all of the
      comprehensive guidance       Improvements          had a process in place that              reviews assessing controls over
      to assist Taxpayer           Needed in IRS’s       encompasses the key controls,            taxpayer receipts and information are
      Assistance Center (TAC)      Internal Controls     requirements, field communications,      documented in the TSRRD. IRS also
      managers in conducting       (GAO-08-368R, June    and reviews to assist TAC managers       stated that managers and staff were
      reviews of outlying TACs     4, 2008), page 11.    reviewing outlying TACs. IRM             required to participate in CPE training
      and documenting the                                Exhibit 1.4.11-11, Group Manager         on how to use the TSRRD and certify
      results. This guidance                             Mandatory Reviews, Reports and           completion prior to filing season, and
      should include a                                   Certifications, documents the            that Group Managers in place reviewed
      description of the key                             requirements for TAC Managers,           the Filing Season Readiness Workshop.
      controls that should be in                         including conducting reviews for
      place at outlying TACs,                            outlying TACs. IRS sent quarterly
      specify how often these                            email reminders to group managers
      key controls should be                             of the requirement to complete TAC
      reviewed, and specify                              Security Remittance Review
      how the results of each                            Database (TSRRD) responses.
      review should be                                   During the fiscal year 2011 Filing
      documented, including                              Season Readiness (FSR)
      follow-up on issues                                Workshop, IRS provided a
      identified in previous                             Continuing Professional Education
      TAC reviews.                                       (CPE) lesson on TSRRD reviews.
      (short-term)                                       Additional CPE lessons included a
                                                         description and review of key
                                                         controls. Group Managers
                                                         completed the fiscal year 2011 FSR
                                                         Workshop prior to the filing season.
                                                         In addition, IRS continuously
                                                         conducts TSRRD headquarters’
                                                         remittance reviews and shares the
                                                         results with the Area Directors. IRS
                                                         used responses from the TSRRD in
                                                         planning the After-Hours reviews for
                                                         the first two quarters of 2011 as well
                                                         as on-site physical security reviews
                                                         at two locations in each area and
                                                         provided the results to the Area
                                                         Directors.




ID no. Recommendation               Source report         Status per IRS                             Status per GAO
08-12 Establish procedures to       Management Report:    Closed. The General Services               Closed. Despite IRS’s long-standing
      require documentation         Improvements          Administration (GSA) has taken a           efforts to work with GSA to reach an
      demonstrating that            Needed in IRS’s       risk-based approach to providing           agreement to obtain documentation
      favorable background          Internal Controls     background investigations for lessor       demonstrating favorable background
      checks have been              (GAO-08-368R, June    personnel and contractors with             checks have been completed for
      completed for all             4, 2008), page 16.    routine access to Government               contractors with unescorted access to
      contractors prior to                                leased space in Facility Security          IRS space, GSA informed IRS that they
      allowing them access to                             Level (FSL) IV Government-leased           were unable to provide adjudication
      Taxpayer Assistance                                 facilities or FSL III Government-          service for contractors working in
      Centers (TAC) and other                             leased facilities with 100 percent         Facility Security Level I, II and partial III
      field offices. (short-term)                         government occupancy. GSA stated           facilities. According to IRS, GSA has
                                                          that they were not able to provide         been compliant in performing
                                                          adjudication services for their            background investigations for all
                                                          contractors in FSL I, II, and partially    government-owned locations, and
                                                          occupied FSL III leases. Without           leased facilities for Levels IV and for
                                                          GSA support, IRS cannot provide            100 percent occupied Level IIIs. IRS
                                                          background investigations, issue           took steps to issue new guidance for
                                                          Personal Identity Verification cards,      facilities to enhance physical control to
                                                          and meet certain security                  safeguard assets, including
                                                          requirements. To mitigate, in May          implementation of daytime cleaning in
                                                          2010, IRS issued Cleaning of               all leased facilities. In May 2010, IRS
                                                          Internal Revenue Space policy that         issued a new directive regarding the
                                                          prohibits the following contractors        cleaning of all IRS office space stating
                                                          from receiving alarm codes, access         that IRS offices will be cleaned during
                                                          cards, or keys to IRS space:               normal business hours only unless
                                                          cleaners, building maintenance             appropriate background investigation
                                                          personnel, and lessor employees.           procedures have been completed to
                                                          This provision prevents these              allow staff access. This directive set a
                                                          individuals from accessing IRS             new standard requiring, among other
                                                          space without employees’                   things, that cleaners and other building
                                                          knowledge. IRS amended all leases          maintenance or contractor/lessor
                                                          to reflect the new policy.                 employees should not be provided
                                                                                                     access cards or keys to IRS space that
                                                                                                     would allow them access without IRS
                                                                                                     employees knowing their presence.




ID no. Recommendation               Source report         Status per IRS                           Status per GAO
08-14 Revise the IRM to             Management Report:    Open. IRS is revising IRM 10.2.13,       Open. IRS’s actions to address this
      include a requirement         Improvements          Information Protection, to require       recommendation are ongoing.
      that IRS conduct              Needed in IRS’s       periodic and unannounced site            Specifically, IRS is in the process of
      periodic, unannounced         Internal Controls     inspections of IRS vendors               revising the IRM to require periodic and
      inspections at off-site       (GAO-08-368R, June    maintaining personally identifiable      unannounced site inspections of IRS
      contractor facilities         4, 2008), page 17.    information (PII), documentation of      vendors maintaining PII and
      entrusted with sensitive                            findings and follow-up to replace the    documentation of the findings and
      IRS information;                                    interim guidance IRS issued in           follow-up. During our fiscal year 2011
      document the results,                               August 2011. In the meantime, IRS        audit, we found that site inspections of
      including identification of                         modified existing Performance Work       the off-site shredding contractor’s facility
      any security issues; and                            Statements within the Sensitive          servicing four of the eight field offices
      verify that the contractor                          Document Destruction Program to          that we visited had not been performed.
      has taken appropriate                               require periodic and unannounced         We will continue to evaluate IRS’s
      corrective actions on any                           site inspections effective February      actions during our fiscal year 2012
      security issues                                     2009. All vendors doing business         audit.
      observed. (short-term)                              under those contracts now agree to
                                                          IRS periodic and unannounced site
                                                          inspections of locations maintaining
                                                          IRS PII for disposal purposes. To
                                                          date, IRS has conducted on-site
                                                          inspections of 55 vendor sites.
                                                          REFM is tracking the progress of
                                                          inspections to monitor coverage, as
                                                          well as findings. IRS identified only
                                                          minor findings that have been
                                                          corrected or are in the process of
                                                          being corrected.




ID no. Recommendation               Source report         Status per IRS                              Status per GAO
08-17 Reinforce existing            Management Report:    Closed. IRS has taken numerous              Closed. During our fiscal year 2011
      policies requiring IRS        Improvements          actions to reinforce existing policies      audit, we found that IRS took corrective
      personnel to use the          Needed in IRS’s       requiring verification of the               action to reinforce existing policies
      revised Form 13094            Internal Controls     information on Form 13094,                  requiring verification of information on
      when hiring juveniles         (GAO-08-368R, June    Recommendation for Juvenile                 Form 13094, including contacting the
      and verify the                4, 2008), page 19.    Employment. IRS has provided                reference directly and documenting the
      information on                                      training for the (1) human resource         details of the contact, by: (1) conducting
      Form 13094 by                                       specialists, (2) external Juvenile          training for the employment offices on
      contacting the reference                            Program Director, (3) Senior                the use of Form 13094 and hiring
      directly and documenting                            Managers, and (4) Front Line                juveniles, (2) developing and
      the details of the contact.                         Managers in the impacted offices.           implementing a centralized quality
      (short-term)                                        IRS implemented controls and                review process to monitor juveniles
                                                          enhanced overall program                    hired, (3) implementing a centralized
                                                          management by (1) designating a             spreadsheet documenting all juvenile
                                                          Senior Human Resource Specialist            hires along with the completion of
                                                          to serve as the agency-wide                 required documentation for hiring, and
                                                          program manager, (2) revising               (4) establishing a system to maintain
                                                          existing guidance to ensure dates of        copies of all Form 13094s to support
                                                          birth are checked, (3) revising             monthly audits.
                                                          source documents based on internal
                                                          review results, and (4) requiring 100
                                                          percent validation of source
                                                          documents against the internal
                                                          tracking spreadsheet and Treasury
                                                          Integrated Management Information
                                                          System focus report that monitors
                                                          juvenile hires. These controls
                                                          produced error-free reviews for both
                                                          the third and fourth quarters of fiscal
                                                          year 2011.
08-24 Issue a memorandum to         Management Report:    Closed. In seven of the last thirteen       Closed. We verified that IRS published
      employees that                Improvements          Travel Times newsletters since              reminders in their Travel Times
      reiterates IRS policy         Needed in IRS’s       March 2010 and in the November              newsletter and Leaders’ Alert notification
      requiring all employees       Internal Controls     2010 issue of Leaders’ Alert, IRS           e-mail to remind employees that they
      to obtain appropriate         (GAO-08-368R, June    published reminders to travelers to         must obtain approvals on travel
      approvals of travel           4, 2008), page 25.    file their authorizations prior to the      authorizations prior to the initiation of
      authorizations prior to                             beginning of their travel. In March         their travel. Furthermore, during our
      the initiation of their                             2010, Agency-Wide Shared Services           fiscal year 2011 audit we identified only
      travel. (short-term)                                (AWSS) Employee Support Services            1 instance out of 41 travel transactions
                                                          Travel Services implemented in              tested where the employee initiated
                                                          GovTrip a system of contacting              travel prior to obtaining approval for
                                                          employees who are scheduled to              travel.
                                                          travel within three days and whose
                                                          authorization is unsigned. If the
                                                          travel is still necessary, the traveler’s
                                                          manager must sign the authorization
                                                          in GovTrip, reducing the instances of
                                                          unauthorized travel.




ID no. Recommendation              Source report         Status per IRS                             Status per GAO
09-03 Document in the IRM          Management Report:    Closed. In April 2011, IRS updated         Open. IRS’s actions to date have not
      minimum requirements         Improvements Are      the Statements of Work for all             been effective in addressing the intent
      for establishing criteria    Needed to Enhance     Submission Processing sites.               of this recommendation. We reviewed
      for time discrepancies or    IRS’s Internal        Updates reflect the new timeframes         the updated IRM 3.8.45 and found that
      other inconsistencies,       Controls and          that courier service contractors must      IRS did not document criteria that
      which if noted as part of    Operating             follow when delivering deposits to         established what should be considered
      the required monitoring      Effectiveness         the financial institution. The new         as time discrepancies or other
      of Form 10160, Receipt       (GAO-09-513R, June    timeframes allow for courier service       inconsistencies. We will continue to
      for Transport of IRS         24, 2009), page 10.   deliveries to be made in a safe and        evaluate IRS’s efforts to monitor courier
      Deposit, would require                             responsible manner while ensuring          activities during our fiscal year 2012
      off-site surveillance of                           that the deposit will be delivered with    audit.
      couriers. (short-term)                             no unauthorized stops. In April 2011,
                                                         IRS updated IRM 3.8.45, Deposit
                                                         Activity—Manual Deposit Process,
                                                         to reflect responsibilities of
                                                         Submission Processing Receipt &
                                                         Control Operations Managers,
                                                         Contracting Officer Technical
                                                         Representatives, and Headquarters
                                                         Analysts for monitoring Form 10160,
                                                         Receipt for Transport of IRS
                                                         Deposit, and actions to take when
                                                         they find inconsistencies in reported
                                                         time.
09-04 Document in the IRM          Management Report:    Closed. In April 2011, IRS updated         Closed. In April 2011, IRS updated the
      minimum requirements         Improvements Are      the Statements of Work for all             Statement of Work (SOW), as well as
      for conducting off-site      Needed to Enhance     Submission Processing sites as well        IRM 3.8.45.1.9.7(3), “Headquarters
      surveillance of couriers     IRS’s Internal        as IRM 3.8.45.1.9.7(3),                    Deposit Analyst Responsibility,”
      entrusted with taxpayer      Controls and          Headquarters Deposit Analyst               outlining the minimum requirement that
      receipts and information.    Operating             Responsibility, to identify the            headquarters analysts will conduct
      (short-term)                 Effectiveness         minimum requirement that                   courier surveillance during
                                   (GAO-09-513R, June    headquarters deposit analysts will         unannounced security reviews. The IRM
                                   24, 2009), page 10.   conduct courier surveillance during        update also states the time frames for
                                                         unannounced security reviews. The          courier delivery of deposits listed in the
                                                         IRM update also states that                courier contract SOW will be
                                                         timeframes for courier delivery of         reassessed during the unannounced
                                                         deposits listed in the courier contract    internal security reviews by
                                                         Statement of Work will be                  headquarters analysts or whenever the
                                                         reassessed during the unannounced          depository location changes.
                                                         internal security reviews by
                                                         headquarters analysts or whenever
                                                         the depository location changes.
09-05 Establish procedures to      Management Report:    Open. IRS is currently testing an          Open. IRS’s efforts to address our
      track and routinely report   Improvements Are      electronic Form 795A, Remittance           recommendation are ongoing. We will
      the total dollar amounts     Needed to Enhance     and Return Report, to track and            continue to evaluate IRS’s actions
      and volumes of receipts      IRS’s Internal        report the total dollar amounts and        during our fiscal year 2012 audit.
      collected by individual      Controls and          volumes of receipts. IRS will
      Taxpayer Assistance          Operating             mandate use of the revised form to
      Center (TAC) location,       Effectiveness         collect and report data at the
      group, territory, area,      (GAO-09-513R, June    Taxpayer Assistance Center level
      and nationwide.              24, 2009), page 11.   once testing is completed, which is
      (long-term)                                        anticipated to be October 2012.




ID no. Recommendation              Source report         Status per IRS                              Status per GAO
09-06 Establish procedures to      Management Report:    Open. In October 2011, IRS                  Open. IRS revised its IRM to require a
      ensure that an inventory     Improvements Are      convened a development team to              readily available inventory of all duress
      of all duress alarms is      Needed to Enhance     improve the alarm testing and               alarms for individuals conducting the
      documented for each          IRS’s Internal        reporting process. IRS will pilot test      alarm tests; however, these actions
      location and is readily      Controls and          an Alarm Testing Form to document           have not been fully effective in
      available to individuals     Operating             testing of the duress alarms at each        addressing the issues that gave rise to
      conducting duress alarm      Effectiveness         facility. The form will list each alarm     this recommendation. During our fiscal
      tests before each test is    (GAO-09-513R, June    at the facility, the status of the alarm    year 2011 audit, an inventory of all
      conducted. (short-term)      24, 2009), page 13.   test and, where necessary, any              duress alarms was not readily available
                                                         corrective action taken. This will          to individuals conducting duress alarm
                                                         provide an update to the alarm              testing at four of the eight field offices
                                                         inventory each time the alarms are          we visited. We will continue to evaluate
                                                         tested. IRS expects to finalize the         IRS’s actions during our fiscal year
                                                         form along with a related Standard          2012 audit.
                                                         Operating Procedure for use by
                                                         each territory office in fiscal year
                                                         2012.
09-07 Establish procedures to      Management Report:    Open. As noted in the response to           Open. IRS’s actions to date have not
      periodically update the      Improvements Are      recommendation 09-06 above, IRS             been fully effective in addressing the
      inventory of duress          Needed to Enhance     will develop an Alarm Testing Form          issues that gave rise to this
      alarms at each Taxpayer      IRS’s Internal        that lists each of the duress alarms        recommendation. During our fiscal year
      Assistance Center (TAC)      Controls and          and will make it available to any           2011 audit, duress alarm testing at
      location to ensure that      Operating             employee who needs it for additional        seven of the eight TACs we visited did
      the inventory is current     Effectiveness         testing, planning future testing or         not include a documented quarterly
      and complete as of the       (GAO-09-513R, June    validating the alarm inventory.             validation of the duress alarm inventory
      testing date. (short-term)   24, 2009), page 13.                                               signed and dated by a PSEP official.
                                                                                                     Additionally, at one of the TACs we
                                                                                                     visited, unused mobile duress alarms
                                                                                                     that were included on the alarm
                                                                                                     inventory were not being tested. We will
                                                                                                     continue to evaluate IRS’s actions
                                                                                                     during our fiscal year 2012 audit.
09-08 Provide instructions for     Management Report:    Open. As noted in the response to           Open. IRS’s actions to date have not
      conducting quarterly         Improvements Are      recommendation 09-06 above, IRS             been fully effective in addressing the
      duress alarm tests to        Needed to Enhance     will publish a standard operating           issues that gave rise to this
      ensure that IRS officials    IRS’s Internal        procedure along with the issuance of        recommendation. During our fiscal year
      conducting the test (1)      Controls and          the Alarm Testing Form. The                 2011 audit, non-TAC duress alarms
      document the test results    Operating             procedure will provide                      were not tested on a quarterly basis at
      for each duress alarm        Effectiveness         recommended steps for conducting            seven of the eight field offices we
      listed in the inventory,     (GAO-09-513R, June    the alarm tests. The steps may vary         visited. Additionally, at three of the field
      including date, findings,    24, 2009), page 13.   due to differing conditions or              offices we visited, local instructions (i.e.,
      and planned corrective                             processes in each territory office or       Standard Operating Procedures [SOP]),
      action and (2) track the                           in the office being tested, but once        outlining necessary steps for properly
      findings until they are                            the form is finalized and adopted, it       completing duress alarm tests, were not
      properly resolved.                                 will be the standard for testing            provided to the individual(s) performing
      (short-term)                                       duress alarms regardless of local           the duress alarm testing. We will
                                                         conditions.                                 continue to evaluate IRS’s actions
                                                                                                     during our fiscal year 2012 audit.








ID no. Recommendation               Source report         Status per IRS                            Status per GAO
09-09 Establish procedures          Management Report:    Closed. Beginning in January 2012,        Open. The procedures that IRS
      requiring that each           Improvements Are      IRS will transmit daily all Events        established during fiscal year 2011 in
      physical security analyst     Needed to Enhance     History Reports to each territory         this area have not been fully effective in
      conduct a periodic            IRS’s Internal        manager for the accounts or facilities    addressing the issues that gave rise to
      documented review of          Controls and          in their territory. This will allow the   this recommendation. At all eight field
      the Emergency Signal          Operating             territory specialist to review the        offices that we visited, a quarterly
      History Report and            Effectiveness         alarm events on a daily basis. While      review of the Emergency Signal History
      emergency contact list        (GAO-09-513R, June    the requirement for quarterly             Report to ensure that appropriate
      for its respective location   24, 2009), page 13.   certification remains, daily reviews      corrective actions have been planned
      to ensure that                                      will allow for more immediate             for all deficiencies or incidents requiring
      (1) appropriate corrective                          investigation and resolution of           actions reported by the central
      actions have been                                   events considered to be out of the        monitoring station was not performed,
      planned for all incidents                           ordinary.                                 documented, dated, or signed by a
      reported by the central                                                                       PSEP representative. Additionally, at
      monitoring station and                                                                        seven of the field offices we visited, an
      (2) the emergency                                                                             appropriately qualified individual was
      contact list for each                                                                         not listed as the designated first
      location is current and                                                                       responder during business hours on the
      includes only appropriate                                                                     duress alarm contact list. The
      contacts. (short-term)                                                                        procedures IRS implemented in January
                                                                                                    2012 occurred subsequent to our fiscal
                                                                                                    year 2011 audit. We will continue to
                                                                                                    evaluate IRS’s actions during our fiscal
                                                                                                    year 2012 audit.
09-16 Develop outcome-              Management Report:    Closed. IRS has updated and               Open. IRS has updated and expanded
      oriented performance          Improvements Are      expanded the existing portfolio of        the existing portfolio of cost studies,
      measures and related          Needed to Enhance     cost studies, which include several       which include several outcome-oriented
      performance goals for         IRS’s Internal        outcome-oriented performance              performance measures. During fiscal
      IRS’s enforcement             Controls and          measures. As part of that effort, an      year 2011, some of IRS’s business
      programs and activities       Operating             additional cost study was developed       operating units had begun to implement
      that include measures of      Effectiveness         on the cost/benefit of Balance Due        aspects of performance measurement
      the full cost of, and the     (GAO-09-513R, June    Notices. IRS is continuing to work        into their decision making processes.
      revenue collected from,       24, 2009), page 25.   with its Business Units to expand the     However, such progress has not yet
      those programs and                                  use of notice data information and        extended to IRS’s primary business unit
      activities (return on                               cost information to determine the         responsible for developing and directing
      investment) to assist                               efficiency of notices. IRS has also       IRS’s corporate-wide enforcement
      IRS’s managers in                                   been working to improve the               programs and activities to collect unpaid
      optimizing resource                                 methodology for the cost of the           taxes, about which our recommendation
      allocation decisions and                            different types of Correspondence         is focused. We will continue to evaluate
      evaluating the                                      and Field exams. This methodology         IRS’s actions to develop and implement
      effectiveness of their                              will enable cost to be calculated at a    performance measures for its
      activities. (long-term)                             lower level of detail within these        enforcement programs and activities
                                                          areas. Senior management within           during our fiscal year 2012 audit.
                                                          IRS will continue to look into
                                                          integrating the information into the
                                                          management processes and
                                                          performance metrics at each
                                                          business unit.








ID no. Recommendation              Source report           Status per IRS                          Status per GAO
10-01 Review the results of        Management Report:      Open. IRS has an established            Open. During our fiscal year 2011 audit,
      IRS’s unpaid                 Improvements Are        process in place to annually review     we and IRS continued to identify
      assessments                  Needed in IRS’s         the identified errors on the sampled    misclassified unpaid assessments
      compensating statistical     Internal Controls and   cases selected for the unpaid           account modules resulting from CDDB
      estimation process to        Compliance with         assessment statistical estimation       systemic limitations. As part of its
      identify and document        Laws and Regulations    process to identify where               unpaid assessments estimation
      instances where              (GAO-10-565R, June      misclassifications of account           process, IRS identified 27 cases in its
      systemic limitations in      28, 2010), page 10.     balances were caused by systemic        taxes receivable sample that were
      the Custodial Detail Data                            limitations in CDDB. In November        either misclassified in whole or in part
      Base (CDDB) resulted in                              2011, IRS completed its review and      due to CDDB systemic limitations and
      misclassifications of                                identified programming changes to       recorded adjustments to these accounts
      account balances that, in                            improve the business rules used by      to reflect the correct classification or
      turn, resulted in material                           CDDB to accurately classify unpaid      value at the point in time that IRS
      inaccuracies in the                                  tax assessments.                        sampled the account information. On
      amounts of reported                                                                          the basis of a statistical projection of
      unpaid assessments.                                                                          these and other individual adjustments,
      (short-term)                                                                                 IRS had to make a multibillion dollar
                                                                                                   adjustment to the year-end balance of
                                                                                                   gross taxes receivable generated by
                                                                                                   CDDB in order to produce a reliable
                                                                                                   taxes receivable balance for external
                                                                                                   reporting on its balance sheet for fiscal
                                                                                                   year 2011. While IRS identified and
                                                                                                   documented specific account modules
                                                                                                   that were misclassified as a result of
                                                                                                   systemic limitations, it has not compiled
                                                                                                   a listing of these systemic limitations in
                                                                                                   order to track and monitor the status of
                                                                                                   programming changes aimed at
                                                                                                   addressing these limitations. We will
                                                                                                   continue to monitor IRS’s actions to
                                                                                                   address this recommendation during
                                                                                                   our fiscal year 2012 audit.
10-02 Research and implement       Management Report:      Open. In November 2011, IRS             Open. IRS is in the process of
      programming changes to       Improvements Are        requested programming changes in        implementing numerous programming
      allow CDDB to more           Needed in IRS’s         CDDB to accurately classify unpaid      changes to improve CDDB’s accuracy
      accurately classify such     Internal Controls and   tax assessments, including modules      in classifying accounts among the three
      accounts among the           Compliance with         for individuals with split              categories of unpaid tax assessments.
      three categories of          Laws and Regulations    classifications between taxes           We will continue to monitor IRS’s
      unpaid tax assessments.      (GAO-10-565R, June      receivable, compliance                  corrective actions to address this
      (short-term)                 28, 2010), page 10.     assessments, and Memo. These            recommendation as part of our fiscal
                                                           changes are scheduled to be             year 2012 audit.
                                                           implemented in June 2012.








ID no. Recommendation             Source report           Status per IRS                            Status per GAO
10-03 Research and identify       Management Report:      Open. IRS has an established              Open. During our fiscal year 2011 audit,
      control weaknesses          Improvements Are        process in place to annually review       we and IRS continued to identify
      resulting in inaccuracies   Needed in IRS’s         the identified errors on the sampled      misclassified unpaid assessments
      or errors in taxpayer       Internal Controls and   and unsampled cases selected for          accounts resulting from IRS processing
      accounts that materially    Compliance with         the unpaid assessment statistical         errors or delays. As part of its unpaid
      affect the financial        Laws and Regulations    estimation process, and the IRM           assessments estimation process, IRS
      reporting of unpaid tax     (GAO-10-565R, June      procedures to ensure proper internal      identified 12 cases in its taxes
      assessments.                28, 2010), page 10.     controls are in place to avoid future     receivable sample that were
      (short-term)                                        errors. In November 2011, IRS             misclassified in whole or in part due to
                                                          completed the fiscal year 2011            errors in the taxpayer accounts, and
                                                          review and continued to identify          recorded adjustments to these accounts
                                                          misclassifications of account             to reflect the correct classification or
                                                          balances requiring corrections. IRS       value at the point in time that IRS
                                                          distributed this report to its Business   sampled the account information. On
                                                          Operating Divisions to take               the basis of a statistical projection of
                                                          appropriate corrective actions. IRS is    these and other individual adjustments,
                                                          looking at ways to identify control       IRS had to make a multibillion dollar
                                                          weaknesses and inaccuracies in            adjustment to the year-end balance of
                                                          taxpayer accounts that materially         gross taxes receivable generated by
                                                          affect the financial reporting of         CDDB in order to produce a reliable
                                                          unpaid tax assessments for other          taxes receivable balance for external
                                                          than sampled cases.                       reporting on its balance sheet for fiscal
                                                                                                    year 2011. While IRS compiled a report
                                                                                                    listing the errors identified in its unpaid
                                                                                                    assessment estimation process and
                                                                                                    attempted to identify the IRS unit where
                                                                                                    the error occurred, IRS did not identify
                                                                                                    the underlying control deficiencies that
                                                                                                    resulted in the errors or delays. IRS
                                                                                                    cannot implement appropriate corrective
                                                                                                    actions unless it identifies the specific
                                                                                                    control deficiency or deficiencies that
                                                                                                    resulted in the errors or delays. We will
                                                                                                    monitor IRS’s actions during our fiscal
                                                                                                    year 2012 audit to determine whether it
                                                                                                    is identifying the underlying control
                                                                                                    weaknesses that result in inaccuracies
                                                                                                    or errors in taxpayer accounts that
                                                                                                    materially affect its financial reporting of
                                                                                                    unpaid tax assessments.








ID no. Recommendation             Source report           Status per IRS                           Status per GAO
10-04 Once IRS identifies the     Management Report:      Open. In November 2011, IRS              Open. During our fiscal year 2011 audit,
      control weaknesses that     Improvements Are        distributed the annual report with the   we and IRS continued to identify
      result in inaccuracies or   Needed in IRS’s         identified errors to the Business        misclassified unpaid assessments
      errors that materially      Internal Controls and   Operating divisions (BODs) for           accounts resulting from IRS processing
      affect the financial        Compliance with         corrective actions, and revisions to     errors or delays. As part of its unpaid
      reporting of unpaid tax     Laws and Regulations    IRM procedures where necessary.          assessments estimation process, IRS
      assessments, implement      (GAO-10-565R, June      The BODs are required to provide         identified 12 cases in its taxes
      control procedures to       28, 2010), page 10.     an annual status of the corrective       receivable sample that were
      routinely prevent, or to                            actions taken. IRS will continue to      misclassified in whole or in part due to
      detect and correct, such                            identify and validate corrective         errors in the taxpayer accounts, and
      errors. (short-term)                                actions that were completed. IRS will    recorded adjustments to these accounts
                                                          continue to monitor appropriate          to reflect the correct classification or
                                                          procedures, controls, and program        value at the point in time that IRS
                                                          modifications.                           sampled the account information. On
                                                                                                   the basis of a statistical projection of
                                                                                                   these and other individual adjustments,
                                                                                                   IRS had to make a multibillion dollar
                                                                                                   adjustment to the year-end balance of
                                                                                                   gross taxes receivable generated by
                                                                                                   CDDB in order to produce a reliable
                                                                                                   taxes receivable balance for external
                                                                                                   reporting on its balance sheet for fiscal
                                                                                                   year 2011. While IRS compiled a report
                                                                                                   listing the errors identified in its unpaid
                                                                                                   assessment estimation process and
                                                                                                   attempted to identify the IRS unit where
                                                                                                   the error occurred, IRS did not
                                                                                                   implement corrective actions to routinely
                                                                                                   prevent, or detect and correct similar
                                                                                                   errors in taxpayer accounts. We will
                                                                                                   monitor IRS’s actions during our fiscal
                                                                                                   year 2012 audit to determine whether
                                                                                                   IRS implements appropriate corrective
                                                                                                   actions to routinely prevent, or detect
                                                                                                   and correct, errors in taxpayer
                                                                                                   accounts.








ID no. Recommendation               Source report           Status per IRS                           Status per GAO
10-05 Revise the IRM to             Management Report:      Closed. In November 2011, IRS            Closed. We verified that IRS revised the
      provide specific              Improvements Are        published a new IRM 5.19.14 on           IRM to provide specific requirements for
      requirements for              Needed in IRS’s         TFRPs that includes requirement          supervisors to review the accuracy of
      supervisors to review the     Internal Controls and   5.19.14.5 (3), Manager Reports, that     credit transactions related to TFRP
      accuracy of credit            Compliance with         supervisors review 100 percent of        payments processed through the ATFR
      transactions related to       Laws and Regulations    the payment cross-references prior       system.
      Trust Fund Recovery           (GAO-10-565R, June      to account posting.
      Penalty (TFRP)                28, 2010), page 15.
      payments processed
      through the Automated
      Trust Fund Recovery
      (ATFR) system. This
      guidance should provide
      specific areas to review
      and list the ATFR system
      reports that can facilitate
      supervisory reviews.
      (short-term)
10-06 Formalize and                 Management Report:      Closed. In March, June, September        Closed. We verified that IRS formalized
      implement the quarterly       Improvements Are        and December 2011, IRS conducted         and implemented quarterly reviews of
      reviews of Trust Fund         Needed in IRS’s         its quarterly Quality Assurance          TFRP payment transactions to monitor
      Recovery Penalty              Internal Controls and   Internal Compliance Review process       compliance with the IRM requirements.
      (TFRP) payment                Compliance with         and monitored compliance with IRM
      transactions to monitor       Laws and Regulations    requirements by reviewing a
      compliance with the IRM       (GAO-10-565R, June      statistically valid sample of
      requirements.                 28, 2010), page 15.     payments and credits that it selected
      (short-term)                                          from a Master File extract for the
                                                            specified periods of time. IRS also
                                                            incorporated the quarterly review
                                                            process in its Standard Operating
                                                            Procedures, Trust Fund Recovery
                                                            Penalty Quality Assurance Internal
                                                            Compliance Review, published in
                                                            December 2011.
10-07 Develop procedures to         Management Report:      Closed. In December 2011, IRS            Closed. We verified that IRS developed
      analyze the results of the    Improvements Are        completed its formal Standard            procedures to analyze the results of its
      quarterly reviews of          Needed in IRS’s         Operating Procedures for both            quarterly TFRP payment transaction
      TFRP payment                  Internal Controls and   Campus and Headquarters to               reviews to identify specific factors
      transactions so that          Compliance with         identify and analyze error trends        causing errors.
      specific factors causing      Laws and Regulations    based on the findings from each
      the errors are identified.    (GAO-10-565R, June      quarterly review and the cumulative
      (short-term)                  28, 2010), page 15.     review results. IRS continues to
                                                            monitor the results of quarterly
                                                            reviews.








ID no. Recommendation             Source report           Status per IRS                          Status per GAO
10-08 Develop procedures to       Management Report:      Closed. In 2011, IRS analyzed the       Closed. We verified that IRS developed
      address the factors         Improvements Are        results from its quarterly reviews of   procedures to address the factors
      causing errors in the       Needed in IRS’s         TFRP payment transactions and           causing errors in the processing of
      processing of TFRP          Internal Controls and   developed various procedures to         TFRP payment transactions.
      payment transactions        Compliance with         address the factors causing errors.
      identified through the      Laws and Regulations    IRS’s actions included updating its
      analyses of the quarterly   (GAO-10-565R, June      IRM and initiating programming
      review results.             28, 2010), page 15.     changes to its ATFR system. IRS
      (short-term)                                        continues to monitor and analyze the
                                                          results of its quarterly TFRP
                                                          payment reviews to identify the root
                                                          cause of processing errors.
10-15 Revise the IRM to           Management Report:      Closed. In April 2011, IRS revised      Closed. We verified that IRS revised the
      require IRS’s Central       Improvements Are        the IRM to include a provision that     IRM to include procedures for CIO to
      Insolvency Operation        Needed in IRS’s         requires receipt acknowledgments        timely provide acknowledgment of
      (CIO) to timely provide     Internal Controls and   for Form 3210 to be returned timely     receipt for Form 3210 related to
      service center campuses     Compliance with         to the originator.                      duplicate refund transcripts to the
      (SCC) an                    Laws and Regulations                                            SCCs.
      acknowledgment of           (GAO-10-565R, June
      receipt for each Form       28, 2010), page 21.
      3210 transmittal related
      to a duplicate refund
      transcript sent to them
      by an SCC for review.
      (short-term)
10-16 Revise the IRM to           Management Report:      Closed. In January 2011, IRS            Closed. We verified that IRS revised the
      require service center      Improvements Are        updated the table in IRM                IRM to include procedures for verifying
      campuses (SCC) to           Needed in IRS’s         3.17.79.4.1.2, Duplicate Refund         acknowledgments received from CIO for
      verify that an              Internal Controls and   Transcript, to instruct accounting      duplicate refund transcripts at SCCs.
      acknowledgment of           Compliance with         employees to route duplicate refund
      receipt has been            Laws and Regulations    transcripts to the required function
      received from IRS’s         (GAO-10-565R, June      within 24 to 48 hours of review and
      Central Insolvency          28, 2010), page 21.     to verify acknowledgment of receipt.
      Operation (CIO) for                                 IRS will be ensuring compliance with
      100 percent of the Form                             the successful acknowledgments of
      3210 transmittals related                           the 3210s and will have quarterly
      to duplicate refund                                 statistics available in May 2012.
      transcripts that have
      been forwarded to CIO
      for review. (short-term)
10-17 Revise the IRM to           Management Report:      Closed. In November 2011, IRS           Closed. We verified that IRS revised the
      require service center      Improvements Are        updated IRM 3.17.79.4.1.2,              IRM to include procedures to resolve
      campuses (SCC) to           Needed in IRS’s         Duplicate Refund Transcript, to         instances in which acknowledgment of
      resolve any instances in    Internal Controls and   instruct employees on actions to        receipt for a Form 3210 has not been
      which an                    Compliance with         take when a Form 3210 has not           received.
      acknowledgment of           Laws and Regulations    been acknowledged by the CIO
      receipt for a Form 3210     (GAO-10-565R, June      function.
      transmittal related to      28, 2010), page 21.
      duplicate refund
      transcripts is not
      received. (short-term)








ID no. Recommendation           Source report           Status per IRS                           Status per GAO
10-18 Require service center    Management Report:      Closed. In January 2011, IRS             Closed. We verified that IRS updated
      campuses (SCC) to         Improvements Are        published IRM 3.10.73, Campus            the IRM and the Lockbox Document
      acknowledge               Needed in IRS’s         Mail and Work Control—Batching           Transmittal form instructions to require
      unprocessable items       Internal Controls and   and Numbering, and IRM 3.8.44,           SCCs to acknowledge unprocessable
      with receipts received    Compliance with         Deposit Activity—Campus Deposit          items with receipts received from
      from lockbox banks.       Laws and Regulations    Activity, to include the requirement     lockbox banks.
      (short-term)              (GAO-10-565R, June      for service center campuses to
                                28, 2010), page 23.     acknowledge unprocessable items
                                                        with receipts received from lockbox
                                                        banks. Submission Processing
                                                        Centers (SPC) are required to fax
                                                        the Lockbox Document Transmittal
                                                        (LDT) form daily to the lockbox bank.
                                                        SPC receiving areas perform daily
                                                        LDT reviews and track discrepancies
                                                        on a Lockbox Performance
                                                        Measures Data Collection
                                                        Instrument. Lockbox Field
                                                        Coordinators (LFC) conduct on-site
                                                        lockbox bank reviews as part of the
                                                        Processing Internal Control review.
                                                        These on-site reviews track and
                                                        record whether the center is
                                                        completing LDT acknowledgments
                                                        correctly and if internal controls are
                                                        in place to ensure documents are
                                                        returned from the SPC to the bank
                                                        daily. The LFCs then retain copies of
                                                        the LDTs and sign
                                                        acknowledgments.
10-19 Establish procedures to   Management Report:      Closed. In January 2011, IRS             Open. Although IRS implemented
      track service center      Improvements Are        published IRM 3.10.73, Campus            procedures in the IRM for service center
      campus (SCC)              Needed in IRS’s         Mail and Work Control—Batching           personnel to track acknowledgments for
      acknowledgments of        Internal Controls and   and Numbering, and IRM 3.8.44,           unprocessable items with receipts, the
      unprocessable items       Compliance with         Deposit Activity—Campus Deposit          updates do not include procedures for
      with receipts.            Laws and Regulations    Activity, to require IRS to track        lockbox banks to track whether service
      (short-term)              (GAO-10-565R, June      service center campuses’                 centers are timely acknowledging the
                                28, 2010), page 23.     acknowledgments for unprocessable        receipt of unprocessable items. We will
                                                        items with receipts. In addition,        continue to evaluate IRS’s efforts to
                                                        Submission Processing (SP)               establish procedures for lockbox banks
                                                        Lockbox established procedures to        to track whether service centers are
                                                        track service center campus              timely acknowledging the receipt of
                                                        acknowledgments of unprocessable         unprocessable items during our fiscal
                                                        items. SP receiving areas                year 2012 audit.
                                                        responsible for returning the LDT
                                                        daily to the banks perform daily
                                                        reviews. In December 2011, SP
                                                        developed a process to track the
                                                        daily submission of the LDT
                                                        acknowledgments back to the
                                                        banks.








ID no. Recommendation           Source report           Status per IRS                             Status per GAO
10-20 Establish procedures to   Management Report:      Closed. IRS developed, and                 Open. IRS has not yet demonstrated
      monitor the process       Improvements Are        provided detailed instructions for the     whether its procedures are effectively
      used by service center    Needed in IRS’s         preparation and verification of, the       designed. IRS designed procedures to
      campuses (SCC) and        Internal Controls and   Lockbox Document Transmittal               monitor this process that would be
      lockbox banks to          Compliance with         (LDT) form to Lockbox banks and            undertaken by Lockbox Field
      acknowledge and track     Laws and Regulations    Submission Processing Centers              Coordinators (LFC) during their routine
      transmittals of           (GAO-10-565R, June      (SPC). These procedures were               on-site quality reviews, which have
      unprocessable items       28, 2010), page 23.     incorporated into IRM sections in          been conducted quarterly. However,
      with receipts. These                              January 2011. In fiscal year 2011,         IRS has reduced the frequency of those
      procedures should                                 SPCs conducted daily reviews that          quality reviews to an annual review
      include monitoring                                showed minor remittance count              during fiscal year 2012. We will evaluate
      discrepancies and                                 discrepancies at most lockbox              the effect of this frequency decrease
      instituting appropriate                           banks, but overall they showed             during our fiscal year 2012 audit to
      corrective actions as                             improvement in package mail-out            determine if IRS’s procedures provide
      needed. (short-term)                              preparation and addressing the LDT         adequate monitoring of the process.
                                                        Listing of items remitted with the
                                                        receipts that the lockbox cannot
                                                        process. LFCs also conducted on-
                                                        site lockbox bank reviews as part of
                                                        the Processing Internal Control
                                                        Performance Measure Reviews.
                                                        These on-site reviews track and
                                                        record whether the center is
                                                        completing LDT acknowledgments
                                                        correctly and if internal controls are
                                                        in place to ensure documents are
                                                        returned from the SPC to the bank
                                                        daily. The LFCs then retain copies of
                                                        the LDTs and sign
                                                        acknowledgments. In fiscal year
                                                        2011, on-site lockbox bank reviews
                                                        indicated that all required Internal
                                                        Control Reviews related to LDT
                                                        preparation, acknowledgment, and
                                                        retention, were met. LFCs provide
                                                        additional training and clarification to
                                                        banks and SPCs that have difficulty
                                                        meeting guidance or have higher
                                                        error rates.








ID no. Recommendation            Source report           Status per IRS                            Status per GAO
10-26 Review the Taxpayer        Management Report:      Closed. In January 2011, IRS              Closed. We verified that IRS reviewed
      Assistance Center          Improvements Are        reviewed the TSRRD and revised            the TSRRD questions for clarity and as
      Security and Remittance    Needed in IRS’s         the questions for clarification. IRM      a result revised several of them in
      Review Database            Internal Controls and   Exhibit 1.4.11-15, Taxpayer               January 2011.
      (TSRRD) for clarity and    Compliance with         Assistance Center/Payment
      revise review questions    Laws and Regulations    Processing Checklist, revised in
      as appropriate.            (GAO-10-565R, June      January 2011, now reflects the
      (short-term)               28, 2010), page 28.     revised TSRRD remittance
                                                         questions. In addition, IRS continued
                                                         to provide training that emphasized
                                                         when and how the key controls
                                                         should be reviewed. IRS also
                                                         continued the headquarters-led
                                                         TSRRD remittance reviews and is
                                                         sharing the results with the Area
                                                         Directors.
10-27 Provide training to        Management Report:      Closed. IRS continues to provide          Closed. IRS included guidance on how
      Taxpayer Assistance        Improvements Are        training to help TAC Group                to use the TSRRD in the 2010 and 2011
      Center (TAC) group         Needed in IRS’s         Managers execute their                    Filing Season Readiness Workshop and
      managers to assist with    Internal Controls and   responsibilities regarding the            TAC managers certified to their Territory
      their understanding of     Compliance with         TSRRD. The 2011 Filing Season             Managers on January 14, 2011, that
      the TAC Security and       Laws and Regulations    Readiness (FSR) training contained        they had completed this training. In
      Remittance Review          (GAO-10-565R, June      two lessons for Group Manager             addition, we did not identify any TAC
      Database (TSRRD)           28, 2010), page 28.     reviews of remittance and data            managers during our fiscal year 2011
      review questions and                               security; one on Payment                  internal control testing visits who had
      related objectives. This                           Processing Reviews and the other          not received this training.
      training should be                                 on Understanding TSRRD Reviews.
      provided on an ongoing                             By January 2011, Group Managers
      basis to account for                               reviewed the FSR Workshop and
      changes in TSRRD                                   certified their completion of the
      questions and for newly                            training. The fiscal year 2011
      hired or appointed TAC                             training materials are available at the
      group managers.                                    group level for managers to review.
      (short-term)                                       The fiscal year 2012 training will be
                                                         delivered during the first quarter to
                                                         frontline and administrative
                                                         employees and includes a lesson on
                                                         Form 795/3210 and the proper
                                                         completion, monitoring and tracking
                                                         of the 795/3210 review log. Field
                                                         Assistance continues to focus on
                                                         issues arising from TSRRD reviews.








ID no. Recommendation              Source report           Status per IRS                            Status per GAO
10-29 Analyze the various          Management Report:      Open. In December 2011, IRS               Open. IRS’s actions to date have not
      contractor access            Improvements Are        performed an assessment of the            been fully effective in addressing the
      arrangements and             Needed in IRS’s         existing contractor access                issues that gave rise to this
      establish a policy that      Internal Controls and   arrangements to determine whether         recommendation. Specifically, at four of
      requires security            Compliance with         medical, cafeteria, landscaping,          the eight field offices and two of the
      awareness training for all   Laws and Regulations    janitorial, building maintenance and      three SCCs we visited, contractors with
      IRS contractors who are      (GAO-10-565R, June      other repair maintenance personnel        staff-like access to IRS space did not
      provided unescorted          28, 2010), page 29.     should be required to take security       receive security awareness training
      physical access to its                               awareness training, and if so, what       covering (1) authorized and
      facilities or taxpayer                               the content should include. The           unauthorized disclosures of taxpayer
      receipts and information.                            assessment resulted in                    information, (2) basic protection policies
      (short-term)                                         recommendations for future actions        concerning taxpayer receipts and
                                                           to mitigate risks associated with         information, and (3) federal penalties for
                                                           inadvertent access to sensitive but       not protecting this information. We will
                                                           unclassified (SBU) data. By January       continue to evaluate IRS’s actions
                                                           2012, IRS will finalize decisions that    during our fiscal year 2012 audit.
                                                           will include implementing a new
                                                           training module to mitigate risks
                                                           associated with inadvertent access
                                                           to SBU data in buildings that have
                                                           exemptions to the clean desk policy.
                                                           The training will be delivered on or
                                                           after July 2012.
10-30 Designate management         Management Report:      Closed. In December 2010, IRS             Closed. We verified that IRS
      responsibility and           Improvements Are        designated management                     established a process for monitoring
      establish a process for      Needed in IRS’s         responsibility and established a          compliance with USR training
      monitoring compliance        Internal Controls and   process for monitoring compliance         requirements and designated
      with and enforcing the       Compliance with         with and enforcing the IRM training       management to enforce compliance.
      IRM requirement for all      Laws and Regulations    requirement for all service center
      service center campus        (GAO-10-565R, June      campus USRs. IRS completed its
      (SCC) Unit Security          28, 2010), page 31.     review of the initial and refresher
      Representatives (USR)                                USR training course content and
      to complete (1) the                                  implemented a revised refresher
      required initial USR                                 course on the Enterprise Learning
      training prior to                                    Management System for all USRs.
      assuming their                                       IRS also developed and
      responsibilities, and                                implemented a reporting capability to
      (2) annual refresher                                 identify USRs that fail to comply with
      training each year                                   the initial and annual training
      thereafter. (short-term)                             requirements. In January 2011, IRS
                                                           began distributing the monthly
                                                           reports on non-compliance to the
                                                           USR managers.
10-32 Establish a process to       Management Report:      Closed. IRS performs a review of          Closed. We verified that IRS included
      periodically review and      Improvements Are        USR training courses at least             language in the IRM that requires
      update service center        Needed in IRS’s         annually and, if required, updates        review of the USR training materials at
      campus (SCC) Unit            Internal Controls and   the training course and materials. In     least annually by the end of each
      Security Representatives     Compliance with         December 2010, IRS completed its          calendar year to ensure they reflect
      (USR) training materials     Laws and Regulations    review of the initial and refresher       current security policies and
      as appropriate.              (GAO-10-565R, June      USR training course content and           procedures.
      (short-term)                 28, 2010), page 31.     implemented a revised refresher
                                                           course on the Enterprise Learning
                                                           Management System for all USRs.








ID no. Recommendation             Source report           Status per IRS                            Status per GAO
10-33 Establish procedures        Management Report:      Closed. IRS HCO established               Closed. We verified that IRS has
      requiring the Director of   Improvements Are        procedures for business units to          established procedures for business
      IRS’s Human Capital         Needed in IRS’s         monitor progress in complying with        units to monitor their progress in
      Office, Leadership,         Internal Controls and   mandatory briefing requirements. In       complying with mandatory briefing
      Education and Delivery      Compliance with         August 2011 these procedures were         requirements. In addition, we verified
      Services (HCO LEADS)        Laws and Regulations    distributed by e-mail to all embedded     that in fiscal year 2011, IRS distributed
      or designee to              (GAO-10-565R, June      Human Resource directors, their           various completion statistics of
      periodically monitor each   28, 2010), page 33.     points of contact, and subsequently       mandatory briefing requirements to
      business unit’s progress                            posted on the Mandatory Briefing          designated business unit points of
      in complying with                                   website. By October 2011, HCO             contact, including Human Resource
      mandatory briefing                                  implemented all reports to monitor        directors.
      requirements.                                       the progress of employee
      (short-term)                                        completion of the mandatory briefing
                                                          requirements. HCO runs weekly
                                                          reports during the mandatory
                                                          briefing cycle to obtain the status for
                                                          existing employees and quarterly
                                                          reports thereafter, and runs quarterly
                                                          reports to obtain the status for new
                                                          employees. HCO provides the
                                                          reports electronically to the business
                                                          units with instructions to monitor
                                                          completion of the briefings and
                                                          follow up as needed. HCO LEADS
                                                          monitors the reports to ensure that
                                                          business units are making progress
                                                          in completing their briefings.
11-01 Put procedures in place     Management Report:      Open. IRS continued monitoring the        Open. We will continue to evaluate the
      to periodically monitor     Improvements Are        effectiveness of return processing        effectiveness of IRS’s ongoing efforts to
      the effectiveness of the    Needed to Enhance       validity checks and controls,             address this recommendation during
      new First-time              Internal Revenue        including FTHBC claims. IRS               our fiscal year 2012 audit.
      Homebuyer Credit            Service’s Internal      continues to review and resolve the
      (FTHBC) validity checks     Controls and            unpostable code reports daily to
      for the duration of the     Operating               monitor the effectiveness of return
      filing of FTHBC claims to   Effectiveness           processing validity checks.
      verify that they are        (GAO-11-494R, June
      working as intended.        21, 2011), page 9.
      (short-term)




11-02 Establish a mechanism          Management Report:    Closed. In August 2011, IRS               Open. The steps IRS has taken to
      to enforce the existing        Improvements Are      incorporated a procedural change          address the issues related to this
      requirement for                Needed to Enhance     into the IRM that requires all Service    recommendation were implemented
      appropriate managers to        Internal Revenue      Center Accounting functions to            after our fiscal year 2011 audit’s
      immediately notify the         Service’s Internal    provide a list of manual refund           completion. We will evaluate the
      manual refund units of         Controls and          authorizers to the Head of Office in      effectiveness of IRS’s corrective actions
      any personnel changes          Operating             each Business Operating Division to       to address this recommendation during
      affecting the approval or      Effectiveness         validate individuals who are still        our fiscal year 2012 audit.
      processing of manual           (GAO-11-494R, June    authorized to sign manual refunds.
      refunds. This may be           21, 2011), page 10.   This listing will be required on a
      accomplished through                                 quarterly basis starting at the end of
      mechanisms such as                                   January 2012.
      issuing periodic alerts,
      providing training or
      having the manual
      refund unit perform
      quarterly validations of
      the list of manual refund
      approving officials, or a
      combination of these.
      (short-term)
11-03 Send out a reminder to         Management Report:    Closed. In August 2011, IRS sent a        Closed. During our fiscal year 2011
      all staff to follow policies   Improvements Are      reminder to all employees to follow       audit, we verified that IRS sent out a
      and procedures for             Needed to Enhance     policies and procedures for obtaining     reminder to staff to obtain approval and
      obtaining approval and         Internal Revenue      approval and funding of proposed          funding prior to entering into an
      funding of proposed            Service’s Internal    purchases prior to entering into an       agreement with vendors. Furthermore,
      purchases prior to             Controls and          agreement with vendors. IRS also          we did not identify any instances in
      entering into an               Operating             placed the reminder on the IRS            which IRS entered into an agreement
      agreement with vendors.        Effectiveness         Intranet site.                            without first obtaining approval and
      (short-term)                   (GAO-11-494R, June                                              funding for the purchase during our
                                     21, 2011), page 13.                                             detailed testing of fiscal year 2011
                                                                                                     nonpayroll expenses.
11-04 Establish formal written       Management Report:    Closed. In June 2011, IRS updated         Open. During our fiscal year 2011 audit,
      procedures requiring           Improvements Are      its Office of Procurement web site to     we verified that IRS updated the
      staff to review purchase       Needed to Enhance     address the requirement to                reference guide on the office of
      contract terms against         Internal Revenue      (1) review contract terms and status      procurement’s website; however, the
      the goods and services         Service’s Internal    of deliverables and (2) ensure that       update did not explicitly require a review
      received to date before        Controls and          all related ordering activity is in       of the contract for goods and services
      requesting additional          Operating             compliance with the terms and             received to date before requesting
      goods or services.             Effectiveness         conditions of the contract. The web       additional goods or services. Further,
      (short-term)                   (GAO-11-494R, June    site was developed as an online tool      the reference guide is used only as
                                     21, 2011), page 13.   to assist the business operating          supplemental information to the policy
                                                           divisions with guidance on the            framework, which also does not contain
                                                           procurement process. It is intended       such a requirement.
                                                           to be used as supplemental
                                                           information to the policy framework
                                                           and provides another tool for IRS
                                                           employees to navigate the
                                                           procurement process.




11-05 Establish procedures to     Management Report:    Open. As of September 2011, IRS           Open. During our fiscal year 2011 audit,
      centrally review and        Improvements Are      (1) issued clarifying guidance for        we continued to find instances in which
      monitor the timeliness of   Needed to Enhance     personnel action requests (PAR),         the employee’s request for personnel
      personnel action            Internal Revenue      (2) established a centralized quality     action was approved after the effective
      requests and approvals      Service’s Internal    review program to monitor the             date of the action. While we verified that
      to help ensure              Controls and          timeliness of PARs, and                   IRS established the Quality Assurance
      compliance with the IRM     Operating             (3) developed new reports to assist       and Measures branch to help ensure
      and applicable Office of    Effectiveness         in monitoring PAR timeliness. During      compliance with the IRM and OPM
      Personnel Management        (GAO-11-494R, June    fiscal year 2012, IRS will (1) finalize   regulations and guidance, IRS
      (OPM) regulations and       21, 2011), page 15.   the Closeout Report that will assist      continues to implement new processes
      guidance. (short-term)                            in identifying pain points within the     to improve the timeliness of personnel
                                                        process to identify where to focus        action requests and approvals. We will
                                                        training and follow-up, (2) conduct       continue to assess IRS’s actions during
                                                        training for HR specialists on the        our fiscal year 2012 audit.
                                                        newly implemented standardized
                                                        PAR process, and (3) issue
                                                        communications to managers to
                                                        ensure PARs are initiated timely.
11-06 Adopt the local field       Management Report:    Closed. In August 2011, IRS               Closed. The revised SOP states that
      office’s timekeeping        Improvements Are      modified Standard Operating               business units may develop local office
      procedures or similar       Needed to Enhance     Procedure (SOP) MPC-02, Time &            timekeeping procedures for entering
      procedures for entering     Internal Revenue      Attendance Reporting, Approval and        and verifying the accuracy of time and
      and verifying the           Service’s Internal    Maintenance Requirements, placed          attendance information entered into
      accuracy of time and        Controls and          the revised SOP on the IRS internal       SETR if employees do not enter their
      attendance information      Operating             web site, and forwarded it to all         own time; however, regardless of the
      entered into the Single     Effectiveness         SETR Business Unit points of              specific procedures established,
      Entry Time Reporting        (GAO-11-494R, June    contact that are currently able to        managers are now responsible for
      System (SETR)               21, 2011), page 17.   approve time sheets in SETR to            ensuring that the time entered in SETR
      throughout IRS for use                            disseminate.                              for both weeks of the pay period for
      by all units in which                                                                       employees that do not enter their own
      employees do not enter                                                                      time into SETR matches the source
      their own time charges                                                                      document prior to validating and
      directly to SETR.                                                                           electronically signing the employee’s
      (short-term)                                                                                SETR timecard.




11-07 Further revise the            Management Report:    Closed. In November 2011, IRS            Closed. We reviewed IRS’s revised
      detailed procedures for       Improvements Are      updated and published the SOP on         SOP and verified that it clarifies the
      implementing the              Needed to Enhance     National Finance Center Change           criteria for determining which program
      requirement to validate       Internal Revenue      Requests. The SOP clarifies the          changes are subject to validation and
      the appropriateness of        Service’s Internal    criteria for determining which           identifies the officials responsible for
      the National Finance          Controls and          program changes will be subject to       making these determinations.
      Center (NFC)                  Operating             validation, identifies officials         Furthermore, the revised SOP
      programming changes           Effectiveness         responsible for making and               establishes guidelines for postvalidation
      after such changes are        (GAO-11-494R, June    documenting these determinations,        random sample testing from the
      made. These revisions         21, 2011), page 20.   and outlines post-implementation         population affected by the programming
      should (1) clarify the                              testing that will be performed to        change.
      criteria for determining                            validate the changes.
      which programming
      changes will be subject
      to validation, (2) identify
      officials responsible for
      making and documenting
      these determinations,
      and (3) require
      postimplementation
      statistical sampling from
      a targeted population
      that consists of
      employees who are most
      likely to be affected by
      the NFC programming
      changes. (short-term)
11-08 Take steps to effectively     Management Report:    Closed. In 2011, IRS conducted a         Closed. During our fiscal year 2011
      implement procedures at       Improvements Are      review of the cash receipt deposit       audit, we verified that IRS effectively
      the Beckley Finance           Needed to Enhance     process using the process revised in     implemented procedures at the Beckley
      Center requiring cash         Internal Revenue      August 2010 and determined that          Finance Center requiring cash receipts
      receipts to be                Service’s Internal    cash receipts were being logged          to be immediately logged under dual
      immediately logged            Controls and          under dual control. In addition, the     control when first discovered in the mail
      under dual control when       Operating             contractor responsible for the mail      room.
      first discovered in the       Effectiveness         room employees implemented a
      mail room. (short-term)       (GAO-11-494R, June    quality review process to ensure that
                                    21, 2011), page 22.   those employees follow the revised
                                                          check deposit process.
11-09 Take steps to effectively     Management Report:    Closed. In 2011, IRS conducted a         Closed. During our fiscal year 2011
      implement procedures at       Improvements Are      review of the cash receipt deposit       audit, we verified that IRS effectively
      the Beckley Finance           Needed to Enhance     process using the process revised in     implemented procedures at the Beckley
      Center requiring mail         Internal Revenue      August 2010 and determined that          Finance Center requiring mail room staff
      room staff to maintain        Service’s Internal    the control log was properly             to maintain custody of the control log at
      custody of the control log    Controls and          maintained by mail room staff. In        all times.
      at all times. (short-term)    Operating             addition, the contractor responsible
                                    Effectiveness         for the mail room employees
                                    (GAO-11-494R, June    implemented a quality review
                                    21, 2011), page 22.   process to ensure that those
                                                          employees follow the revised check
                                                          deposit process.




11-10 Take steps to effectively     Management Report:    Closed. In 2011, IRS conducted a           Closed. During our fiscal year 2011
      implement procedures at       Improvements Are      review of the cash receipt deposit         audit, we verified that IRS effectively
      the Beckley Finance           Needed to Enhance     process using the process revised in       implemented procedures at the Beckley
      Center requiring the          Internal Revenue      August 2010 and determined that            Finance Center requiring the amount of
      amount of cash receipts       Service’s Internal    cash receipts in the mail room were        cash receipts initially discovered in the
      initially discovered in the   Controls and          being independently reconciled to          mail room to be independently
      mail room to be               Operating             the amount deposited and recorded          reconciled to the amount deposited and
      independently reconciled      Effectiveness         in the general ledger. In addition, the    recorded in the general ledger.
      to the amount deposited       (GAO-11-494R, June    contractor responsible for the mail
      and recorded in the           21, 2011), page 22.   room employees implemented a
      general ledger.                                     quality review process to ensure that
      (short-term)                                        those employees follow the revised
                                                          check deposit process.
11-11 Perform a review of all       Management Report:    Open. In December 2012, IRS will           Open. IRS plans to determine whether
      existing contracts under      Improvements Are      issue the Contractor Security              the services performed under these
      $100,000 that (1) do not      Needed to Enhance     Lifecycle Program Office policy            contracts under review warrant
      have an appointed             Internal Revenue      specifying that IRS will review all        obtaining background investigations on
      contracting officer’s         Service’s Internal    existing service contracts under           the contract employee(s) by June 2013
      technical representative      Controls and          $100,000 by June 2013 and                  and will ensure all existing service
      (COTR) and (2) do not         Operating             determine if they need to be               contracts under $100,000 identified in
      require that contract         Effectiveness         modified to include additional             the review contain the necessary
      employees obtain              (GAO-11-494R, June    background investigation                   security requirements by September
      background                    21, 2011), page 24.   requirements.                              2013. Given the potential risk related to
      investigations to assess                                                                       this recommendation, the estimated
      whether the services                                                                           dates of IRS’s corrective actions leave
      performed under each                                                                           IRS exposed to a significant risk of
      contract warrant a                                                                             allowing unauthorized access to IRS
      requirement that contract                                                                      facilities or sensitive information, or
      employees obtain                                                                               both, for an extended period of time. We
      background                                                                                     will continue to evaluate IRS’s actions
      investigations.                                                                                during our fiscal year 2012 audit.
      (short-term)




11-12 Based on a review of all    Management Report:    Open. By September 2012, IRS will       Open. IRS’s efforts to address this
      existing contracts under    Improvements Are      ensure all existing service contracts   recommendation are ongoing. IRS
      $100,000 without an         Needed to Enhance     under $100,000, identified in the       stated that by September 2012, it will
      appointed contracting       Internal Revenue      above-mentioned review, contain the     ensure that all existing service contracts
      officer’s technical         Service’s Internal    necessary security requirements.        under $100,000 will contain the
      representative (COTR)       Controls and                                                  necessary security requirements. We
      that should require         Operating                                                     will continue to evaluate IRS’s actions
      contract employees to       Effectiveness                                                 during our fiscal year 2012 audit.
      obtain favorable            (GAO-11-494R, June
      background investigation    21, 2011), page 24.
      results, amend those
      contracts to require that
      favorable background
      investigations be
      obtained for all relevant
      contract employees
      before routine,
      unescorted,
      unsupervised physical
      access to taxpayer
      information is granted.
      (short-term)




11-13 Establish a policy           Management Report:    Open. By December 2012, IRS will        Open. IRS’s efforts to address our
      requiring collaborative      Improvements Are      establish a policy and associated       recommendation are ongoing. We will
      oversight between IRS’s      Needed to Enhance     procedures requiring business units     continue to evaluate IRS’s actions
      key offices in               Internal Revenue      to (1) identify service contracts       during our fiscal year 2012 audit.
      determining whether          Service’s Internal    where contractors will have routine,
      potential service            Controls and          unescorted, unsupervised, physical
      contracts involve routine,   Operating             access to taxpayer information;
      unescorted,                  Effectiveness         (2) document the risk of exposure to
      unsupervised physical        (GAO-11-494R, June    taxpayer data; and (3) ensure that
      access to taxpayer           21, 2011), page 24.   the requirements of the Internal
      information, thus                                  Revenue Service Acquisition
      requiring background                               Procedures 1052.204-9005,
      investigations,                                    Submission of Security Forms and
      regardless of contract                             Related Materials, are included in
      award amount. This                                 the contract, as applicable.
      policy should include a
      process for the requiring
      business unit to
      communicate to the
      Office of Procurement
      and the Human Capital
      Office the services to be
      provided under the
      contract and any
      potential exposure of
      taxpayer information to
      contract employees
      providing the services,
      and for all three units to
      (1) evaluate the risk of
      exposure of taxpayer
      information prior to
      finalizing and awarding
      the contract and
      (2) ensure that the final
      contract requires
      favorable background
      investigations as
      applicable,
      commensurate with the
      assessed risk.
      (short-term)




11-14 Establish procedures to      Management Report:    Closed. In April 2011, IRS updated        Open. The procedures that IRS
      provide a consistent         Improvements Are      the SOWs for all of its SP sites to       established in this area during fiscal
      methodology for              Needed to Enhance     reflect new delivery timeframes for       year 2011 would not have been
      calculating and              Internal Revenue      daily deposits to the financial           effective in detecting potential
      establishing allowable       Service’s Internal    institution drop-off location based on    unauthorized stops or other contractual
      deposit courier trip time    Controls and          data gathered during courier              violations by deposit couriers. For
      limits to be used by both    Operating             surveillance. In January 2011, IRS        example, the documented allowable
      service center campuses      Effectiveness         updated the Lockbox Security              time limit at one of the lockbox banks
      (SCC) and lockbox            (GAO-11-494R, June    Guidelines (LSG) 2.16, Establishing       we visited was 22 minutes; however,
      banks that would assist      21, 2011), page 27.   Courier Timeframes, which serves          bank policy allowed for an additional
      in detecting potential                             as the SOW for Lockbox banks, to          15 minutes beyond the documented
      unauthorized stops or                              include procedures to provide a           time limit before couriers were asked to
      other contractual                                  consistent methodology to calculate       provide an explanation for the delay. At
      violations by deposit                              and establish allowable time limits       another lockbox bank we visited, we
      couriers. Such                                     for courier deliveries to Lockbox         found that the bank allowed 36 minutes
      procedures should                                  banks. The LSG procedures                 for deposit trips before the couriers
      include instructions for                           document and support how the trip         were questioned. Based on a 3-month
      documenting and                                    limits are determined and require         analysis performed by the bank, the
      supporting how the trip                            justification and approval for            average deposit trip time was
      limits were determined                             deviations from established time          21 minutes. It is unclear why the bank
      and require justification                          limits. IRS and FMS program offices       allowed for an additional 15 minutes
      and approval for all                               completed their review of alternative     (over 70 percent of the average time)
      established time limits                            solutions to mitigate deposit courier     before deposit couriers are questioned.
      that exceed the average                            travel time deficiencies in December      We will continue to evaluate IRS’s
      trip time. (short-term)                            2011. Based on this, Real-Time            corrective actions, including use of
                                                         Global Positioning System                 Real-Time Global Positioning System
                                                         technology will be installed on all       Technology on courier vehicles, during
                                                         lockbox deposit courier service           our fiscal year 2012 audit.
                                                         vehicles starting in March 2012.
11-15 Establish procedures to      Management Report:    Closed. In April 2011, IRS updated        Closed. In response to our
      require periodic             Improvements Are      the IRM section on the Manual             recommendation, IRS took action to
      reassessments of and         Needed to Enhance     Deposit Process to reflect                update IRM 3.8.45 Manual Deposit
      updates to deposit           Internal Revenue      established timeframes that will be       Process, to include procedures to
      courier allowable trip       Service’s Internal    re-evaluated each year during the         reassess SCC deposit courier trip times
      time limits to account for   Controls and          annual unannounced security               during unannounced security reviews or
      changes in courier           Operating             reviews or whenever changes occur         whenever there is a change in
      routes or other              Effectiveness         in the drop-off location. In November     depository location. In addition, IRS
      conditions that may          (GAO-11-494R, June    2011, IRS updated this IRM section        updated the LSG to require that lockbox
      affect trip times.           21, 2011), page 27.   to establish procedures that require      banks perform an annual detailed
      (short-term)                                       periodic reassessments of, and            analysis to establish acceptable courier
                                                         updates to, deposit courier allowable     time frames.
                                                         trip limits to account for changes in
                                                         courier routes or other conditions
                                                         that may affect trip times.




ID no. Recommendation              Source report         Status per IRS                        Status per GAO
11-16 Enforce existing             Management Report:    Closed. IRS strengthened its          Open. During our March 2012 internal
      contractual requirements     Improvements Are      enforcement by conducting monthly     control testing at an SCC, we found that
      for the cargo doors of       Needed to Enhance     random reviews of contractor          IRS did not apply these procedures to
      contract courier vehicles    Internal Revenue      adherence to the secure transport     instances where contract couriers were
      to be locked after picking   Service’s Internal    requirements, including the           transporting items including taxpayer
      up taxpayer information.     Controls and          requirement for cargo doors of        information to multiple IRS locations.
      (short-term)                 Operating             contract courier vehicles to be       We will evaluate the effectiveness of
                                   Effectiveness         locked after picking up taxpayer      IRS’s enforcement actions in this area
                                   (GAO-11-494R, June    information. To date, the monthly     during our fiscal year 2012 audit
                                   21, 2011), page 29.   random reviews indicate that the      fieldwork.
                                                         contractor is complying with the
                                                         requirements to lock the vehicle
                                                         cargo doors after picking up
                                                         taxpayer information. The
                                                         contractors have been in compliance
                                                         with secure transport requirements
                                                         since April 2011. In addition, the
                                                         contractor implemented its own
                                                         internal review process and reports
                                                         the results to the Contracting
                                                         Officer’s Technical Representative
                                                         (COTR).




ID no. Recommendation             Source report         Status per IRS                             Status per GAO
11-17 Establish procedures to     Management Report:    Closed. In December 2011, IRS              Open. While IRS established
      prevent or detect           Improvements Are      established procedures in IRM              procedures to help prevent and detect
      unauthorized access to      Needed to Enhance     3.13.62, Campus Document                   unauthorized access to taxpayer
      taxpayer information in     Internal Revenue      Services—Media Transport and               information in contract courier vehicles,
      contract courier vehicles   Service’s Internal    Control, to prevent and detect             these procedures are currently only
      during transit. These       Controls and          unauthorized access to taxpayer            directed at the Wage and Investment
      procedures should detail    Operating             information in contract courier            (W&I) business unit. We were unable to
      specific activities to be   Effectiveness         vehicles during transit to and from        identify similar procedures directed at
      performed by both the       (GAO-11-494R, June    offsite processing facilities. The IRM     the other IRS business units that may
      business unit sending       21, 2011), page 29.   directs Submission Processing (SP)         also transport taxpayer information from
      and receiving the                                 personnel to ensure the                    one IRS location to another, including
      information transported                           transportation truck is secured when       Large Business and International
      by the contract courier.                          it leaves the site with taxpayer           (LB&I), Small Business/Self Employed
      (short-term)                                      material. When the material is             (SB/SE), and Tax Exempt/Government
                                                        delivered to the SP site, SP               Entities (TE/GE). We will continue to
                                                        personnel will ensure the truck is still   evaluate IRS’s actions during our fiscal
                                                        secured and will immediately report        year 2012 audit.
                                                        any discrepancies. The IRM also
                                                        states that a random monthly
                                                        managerial review must be
                                                        conducted and documented with
                                                        actions taken to alert headquarters
                                                        to any issues. In addition, IRS
                                                        continues its monthly random review
                                                        of contractor adherence to the
                                                        secure transport requirements
                                                        started in April 2011. To date, the
                                                        monthly random reviews confirm that
                                                        the contractor is complying with the
                                                        requirement to lock the vehicle cargo
                                                        doors after picking up taxpayer
                                                        information.




ID no. Recommendation              Source report         Status per IRS                             Status per GAO
11-18 Revise the guidance for      Management Report:    Closed. In December 2011, IRS              Open. We found that IRS’s revised
      conducting the periodic      Improvements Are      revised the guidance for conducting        guidance for conducting periodic
      reviews of the contract      Needed to Enhance     periodic reviews of the contract           reviews of the contract couriers
      couriers transporting        Internal Revenue      couriers transporting taxpayer             transporting taxpayer information does
      taxpayer information         Service’s Internal    information to include physically          not include the use of contract couriers
      from one IRS processing      Controls and          verifying that courier vehicle cargo       transporting taxpayer information to
      facility to another to       Operating             doors are locked after pick-up and         non-Wage and Investment (W&I)
      include procedures for       Effectiveness         remain locked during transit to the        business units, nor does it take into
      (1) physically verifying     (GAO-11-494R, June    final destination. IRM 3.16.62,            account instances where contract
      that courier vehicle cargo   21, 2011), page 29.   Campus Document Services—                  couriers are making multiple stops to
      doors are locked after                             Media Transport and Control, directs       various business units. We will continue
      picking up this                                    Submission Processing (SP)                 to evaluate IRS’s efforts during our
      information and remain                             personnel to ensure the                    fiscal year 2012 audit.
      locked during transit to                           transportation truck is secured when
      the final destination and                          it leaves the site with taxpayer
      (2) documenting the                                material. When the material is
      basis for the reviewer’s                           delivered to the SP site, SP
      conclusions. (short-term)                          personnel will ensure the truck is still
                                                         secured and will immediately report
                                                         any discrepancies. The IRM also
                                                         states that a random monthly
                                                         managerial review of the process
                                                         must be conducted and documented
                                                         with actions taken to alert
                                                         headquarters to any issues. Starting
                                                         in January 2012, Submission
                                                         Processing will conduct monthly
                                                         reviews and document the results. In
                                                         October 2011, IRS revised the
                                                         Logistics Services contract sub-
                                                         COTR desk guide to include
                                                         guidance for conducting the periodic
                                                         reviews of the contract couriers
                                                         transporting taxpayer information
                                                         from one IRS processing facility to
                                                         another. The guidance outlines the
                                                         procedures for physically verifying
                                                         and documenting that courier vehicle
                                                         cargo doors are locked. In addition,
                                                         IRS continues its monthly random
                                                         review of contractor adherence to
                                                         the secure transport requirements
                                                         started in April 2011. To date, the
                                                         monthly random reviews confirm that
                                                         the contractor is complying with the
                                                         requirement to lock the vehicle cargo
                                                         doors after picking up taxpayer
                                                         information.




ID no. Recommendation              Source report         Status per IRS                          Status per GAO
11-19 Revise the IRM to            Management Report:    Closed. In December 2011, IRS           Closed. In response to our
      include a comprehensive      Improvements Are      published an update to IRM 1.4.50,      recommendation, in December 2011,
      process that Small           Needed to Enhance     Collection Group Manager, Territory     IRS published the update to IRM 1.4.50-
      Business / Self-             Internal Revenue      Manager and Area Director               Collection Group Manager, Territory
      Employed (SBSE) unit         Service’s Internal    Operational Aid. The update clarified   Manager and Area Director Operational
      managers should follow       Controls and          the actions management should take      Aid. This revision includes provisions
      when performing reviews      Operating             to determine whether staff are (1)      that management should take to
      of the document              Effectiveness         maintaining control copies of           determine whether their staff are:
      transmittal process for      (GAO-11-494R, June    document transmittal forms, (2)         (1) maintaining control copies of
      determining whether          21, 2011), page 31.   reconciling all document transmittal    document transmittal forms,
      staff are (1) maintaining                          forms on a bi-weekly basis to ensure    (2) reconciling all document transmittal
      control copies of                                  that all transmittals are               forms on a biweekly basis to ensure that
      document transmittal                               acknowledged, and (3) performing        all transmittals were received, and
      forms, (2) reconciling all                         the follow-up procedures required in    (3) following up on transmittals that are
      document transmittal                               IRM 5.1.2.4.4(1)9, Collection Field     not timely acknowledged.
      forms on a biweekly                                Clerical Staff Procedures for Form
      basis to ensure that all                           795/795A Processing.
      transmittals were
      received, and
      (3) following up on
      transmittals that are not
      timely acknowledged.
      (short-term)
11-20 Revise the IRM to            Management Report:    Closed. In December 2011, IRS           Closed. In response to our
      include specifying           Improvements Are      published the update to IRM 1.4.50,     recommendation, IRS updated IRM
      minimally acceptable         Needed to Enhance     Collection Group Manager, Territory     1.4.50, Collection Group Manager,
      steps the Small              Internal Revenue      Manager and Area Director               Territory Manager, and Area Manager
      Business/Self-Employed       Service’s Internal    Operational Aid. The update clarified   Director Operational Aid, in December
      (SB/SE) unit managers        Controls and          the minimally acceptable                2011. This includes minimum steps for
      should follow in             Operating             documentation that SB/SE                SBSE unit managers to follow in their
      documenting the results      Effectiveness         managers should complete when           reviews of the document transmittal
      of required reviews of       (GAO-11-494R, June    conducting the reviews and reporting    process.
      the document transmittal     22, 2011), page 31.   the results.
      process. (short-term)
11-21 Define and specify in the    Management Report:    Closed. In October 2011, IRS            Closed. We verified that the IRM was
      IRM which types of IRS       Improvements Are      updated and published IRM 10.2.2,       updated to reflect the inclusion of off-
      facilities constitute a      Needed to Enhance     Physical Security Compliance            site campus locations with Receipt and
      processing facility.         Internal Revenue      Reviews, to require recurring           Control and submission processing type
      (short-term)                 Service’s Internal    compliance reviews every 2 years at     functions under the 2-year compliance
                                   Controls and          off-site campus locations that          review requirement.
                                   Operating             perform Receipt and Control or
                                   Effectiveness         Submission Processing activities. As
                                   (GAO-11-494R, June    a result, off-site campus locations
                                   21, 2011), page 33.   now undergo compliance reviews at
                                                         the same frequency as processing
                                                         and computing center facilities.




ID no. Recommendation               Source report         Status per IRS                            Status per GAO
11-22 Perform an assessment         Management Report:    Closed. In October 2011, after            Closed. IRS performed an assessment
      of off-site processing        Improvements Are      performing an assessment of the off-      of the off-site processing facilities. As a
      facilities to determine the   Needed to Enhance     site processing facilities, IRS           result of that assessment and our
      frequency with which          Internal Revenue      updated and published IRM 10.2.2,         recommendation, IRS determined that
      compliance reviews            Service’s Internal    Physical Security Compliance              compliance reviews for off-site campus
      should be performed for       Controls and          Reviews, that requires recurring          locations with Receipt and Control and
      these locations               Operating             compliance reviews every 2 years at       submission processing type functions
      commensurate with the         Effectiveness         off-site processing facilities.           should be performed on a recurring
      specific operational          (GAO-11-494R, June                                              basis every 2 years, which is the same
      activities performed and      21, 2011), page 34.                                             frequency as processing and computing
      the assessed level of risk                                                                    center facilities.
      associated with the
      facility. (short-term)
11-23 Based on the results of       Management Report:    Closed. In October 2011, IRS              Closed. IRS performed an assessment
      an assessment of off-site     Improvements Are      updated and published IRM 10.2.2,         of the off-site processing facilities. As a
      processing facilities that    Needed to Enhance     Physical Security Compliance              result of that assessment and our
      process taxpayer              Internal Revenue      Reviews, that requires recurring          recommendation, IRS updated IRM
      receipts and related          Service’s Internal    compliance reviews every 2 years at       10.2.2 to require recurring compliance
      taxpayer information,         Controls and          off-site processing facilities.           reviews every 2 years for off-site
      revise the IRM to specify     Operating                                                       campus locations with Receipt and
      the frequency with which      Effectiveness                                                   Control and submission processing type
      compliance reviews            (GAO-11-494R, June                                              functions.
      should be performed at        21, 2011), page 34.
      these facilities.
      (short-term)
11-24 Revise the post orders        Management Report:    Open. In November 2011, IRS               Open. IRS’s efforts to address our
      for the service center        Improvements Are      updated IRM 10.2.12, Security             recommendation are ongoing. We will
      campuses (SCC) and            Needed to Enhance     Guard and Explosive Detector Dog          continue to evaluate IRS’s actions
      lockbox bank security         Internal Revenue      Services and Programs, to include         during our fiscal year 2012 audit.
      guards to include             Service’s Internal    the requirements for reporting
      specific procedures for       Controls and          lighting outages and specify
      timely reporting exterior     Operating             (1) whom to contact to report lighting
      lighting outages to SCC       Effectiveness         outages and (2) how to document
      or lockbox bank facilities    (GAO-11-494R, June    and track lighting outages until
      management. These             21, 2011), page 35.   resolved. In fiscal year 2012, IRS will
      procedures should                                   update the IRM to require after-dark
      specify (1) whom to                                 reviews in the lockbox security
      contact to report lighting                          guards’ post orders, and will update
      outages and (2) how to                              LSG section 2.3.4.1 (6) (c) and
      document and track                                  2.3.4.1.3, and Exhibit 13 of LSG 2.3,
      lighting outages until                              for consistency.
      resolved. (short-term)




ID no. Recommendation              Source report         Status per IRS                           Status per GAO
11-25 Revise the nature and        Management Report:    Closed. In November 2011, the IRS        Open. While IRS included requirements
      scope of the service         Improvements Are      updated IRM 10.2.12, Security            in the post orders for security guards to
      center campuses’ (SCC)       Needed to Enhance     Guard and Explosive Detector Dog         report lighting outages for repair, it has
      and lockbox banks’           Internal Revenue      Services and Programs, to require        not included requirements for periodic
      physical security reviews    Service’s Internal    that physical security reviews of the    after-dark assessments of physical
      to include periodic after    Controls and          Service Center Campuses include          security controls, or verification that
      dark assessments of          Operating             periodic, after-dark assessments of      guards are properly reporting light
      physical security            Effectiveness         physical security. In January 2012,      outages in the routine SCC physical
      controls. (short-term)       (GAO-11-494R, June    the IRS updated the Lockbox              security reviews. We will continue to
                                   21, 2011), page 35.   Security Guidelines, Post Orders,        evaluate IRS’s actions during our fiscal
                                                         and Patrol and Event/Incident            year 2012 audit.
                                                         Reporting to include requirements
                                                         for the guards to conduct patrols of
                                                         the exterior of the lockbox site to
                                                         include periodic after-dark physical
                                                         security assessments and to report
                                                         lighting outages with specific
                                                         procedures for timely reporting of
                                                         exterior lighting outages to the
                                                         Lockbox facilities management.
11-26 Take steps to effectively    Management Report:    Closed. In February 2011, IRS            Open. IRS revised its operating
      implement the                Improvements Are      revised its internal standard            procedures to require that property staff
      procedures requiring         Needed to Enhance     operating procedures to require that     conduct research to ensure that the
      property staff to verify     Internal Revenue      Asset Management personnel               price of an asset on the ARM report
      that the asset purchase      Service’s Internal    conduct appropriate research to          agrees with the price listed in IFS. In
      price shown in the Asset     Controls and          validate the price data supplied on      addition, IRS is required to research
      Management Report            Operating             the Asset Management Report              and resolve any variances before
      agrees with the asset        Effectiveness         (ARM) against the pricing                uploading an asset in ITAMS. IRS has
      purchase price shown in      (GAO-11-494R, June    information in webRTS, prior to          replaced ITAMS with Knowledge
      the Integrated Financial     21, 2011), page 37.   uploading the data in ITAMS.             Incident/Problem Service Asset
      System (IFS) and to                                                                         Management (KISAM); however, similar
      resolve any variances                                                                       to ITAMS, KISAM is not integrated with
      before entering the                                                                         IFS. We will evaluate the effectiveness
      information into the                                                                        of IRS’s actions and the new inventory
      Information Technology                                                                      system during our fiscal year 2012
      Asset Management                                                                            audit.
      System (ITAMS).
      (short-term)
11-27 Finalize procedures          Management Report:    Closed. In March 2011, the National      Closed. During our fiscal year 2011
      requiring that copier hard   Improvements Are      Copier Contract COTR published           audit, IRS finalized procedures requiring
      drives be removed and        Needed to Enhance     written procedures to the REFM field     that copier hard drives be removed and
      destroyed or otherwise       Internal Revenue      offices requiring that copier hard       destroyed or properly cleaned prior to
      appropriately cleaned        Service’s Internal    drives be removed and destroyed          disposal.
      before disposing of          Controls and          prior to disposing of copiers.
      copiers. (short-term)        Operating
                                   Effectiveness
                                   (GAO-11-494R, June
                                   21, 2011), page 39.




ID no. Recommendation                Source report         Status per IRS                           Status per GAO
11-28 Revise the IRM to              Management Report:    Closed. IRS revised two IRM              Closed. During our fiscal year 2011
      incorporate the new            Improvements Are      sections in 2011 to include the          audit, IRS revised its IRM to incorporate
      copier disposal                Needed to Enhance     proper handling procedures of copier     the new copier disposal procedures.
      procedures that require        Internal Revenue      hard drives prior to copier disposal.    The IRM now includes guidance for
      that copier hard drives        Service’s Internal                                             removing and destroying or otherwise
      be removed and                 Controls and                                                   appropriately cleaning copier hard
      destroyed or otherwise         Operating                                                      drives before disposing of copiers.
      appropriately cleaned          Effectiveness
      before disposing of            (GAO-11-494R, June
      copiers. (short-term)          21, 2011), page 39.
11-29 Issue a memorandum to          Management Report:    Closed. In July 2011, the Director,      Closed. During our fiscal year 2011
      all business units             Improvements Are      REFM, issued a memorandum to all         audit, IRS issued a memorandum to all
      reminding them that only       Needed to Enhance     business units reminding them that       business units. The memorandum
      designated Real Estate         Internal Revenue      only designated REFM staff are           reminds business units that the disposal
      Facilities Management          Service’s Internal    authorized to dispose of copiers.        of copiers must be coordinated through
      (REFM) staff are               Controls and          This information was also referenced     REFM.
      authorized to dispose of       Operating             in the updates to the IRM.
      copiers. (short-term)          Effectiveness
                                     (GAO-11-494R, June
                                     21, 2011), page 39.
12-01 Establish and document         Management Report:    Because this is a new                    Open. This is a recent recommendation.
      an inventory of the            Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      specific systems               Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      involved in IRS’s              Internal Revenue      addressing it.                           audits.
      financial reporting            Service’s Internal
      process, including             Controls and
      (1) describing what role       Operating
      each system plays in the       Effectiveness
      financial reporting            (GAO-12-683R, June
      process, (2) concluding        25, 2012), page 13.
      whether each system is
      considered to be
      material to financial
      reporting and why, and
      (3) denoting whether
      each system is
      controlled by IRS or by
      an external service
      provider and, if the latter,
      identifying the service
      provider. (short-term)




ID no. Recommendation              Source report         Status per IRS                           Status per GAO
12-02 Enhance existing             Management Report:    Because this is a new                    Open. This is a recent recommendation.
      policies and procedures      Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      pertaining to monitoring     Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      internal control over the    Internal Revenue      addressing it.                           audits.
      automated systems            Service’s Internal
      operated by IRS              Controls and
      personnel to specifically    Operating
      provide for routine,         Effectiveness
      documented monitoring        (GAO-12-683R, June
      of the specific internal     25, 2012), page 13.
      controls within its
      financial reporting
      systems that are
      intended to ensure the
      integrity of the data
      reported in the financial
      statements and other
      financial reports. This
      monitoring process
      should (1) involve both
      automated systems
      specialists and
      individuals with expertise
      in accounting and
      reporting, as appropriate,
      (2) encompass the
      specific automated
      internal controls that
      affect the authorizing,
      processing, transmitting,
      or reporting of material
      financial transactions,
      and (3) be designed to
      determine whether these
      internal controls are in
      place and operating
      effectively. (short-term)




ID no. Recommendation              Source report         Status per IRS                           Status per GAO
12-03 For any system identified    Management Report:    Because this is a new                    Open. This is a recent recommendation.
      as material to IRS’s         Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      financial reporting          Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      process which is             Internal Revenue      addressing it.                           audits.
      controlled by an external    Service’s Internal
      service provider,            Controls and
      establish policies and       Operating
      procedures requiring and     Effectiveness
      defining a routine,          (GAO-12-683R, June
      documented process for       25, 2012), page 13.
      coordinating with the
      service provider to
      appropriately monitor
      related internal control.
      This may entail
      establishing an
      agreement with each
      service provider to allow
      IRS personnel access to
      either (1) the system
      concerned, as necessary
      to perform appropriate
      monitoring of internal
      control over financial
      reporting, or (2) periodic
      reports prepared in
      accordance with
      Statements on
      Standards for Attestation
      Engagements (SSAE)
      No. 16 documenting the
      results of monitoring
      performed by the service
      provider. (short-term)




ID no. Recommendation              Source report         Status per IRS                           Status per GAO
12-04 Establish policies and       Management Report:    Because this is a new                    Open. This is a recent recommendation.
      procedures with respect      Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      to any external financial    Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      reporting system IRS         Internal Revenue      addressing it.                           audits.
      personnel themselves do      Service’s Internal
      not directly monitor that    Controls and
      specify required steps to    Operating
      routinely review periodic    Effectiveness
      reports prepared by          (GAO-12-683R, June
      service providers’           25, 2012), page 13.
      auditors in accordance
      with SSAE No. 16,
      including steps to
      document (1) an
      assessment of whether a
      review’s scope,
      methodology, and timing
      is appropriate to satisfy
      IRS’s objectives; (2) any
      control deficiencies
      disclosed in the report,
      and an assessment of
      their materiality to IRS’s
      financial reporting
      process and related
      risks; and (3) any
      compensating internal
      controls needed to
      mitigate any actual or
      potential effects of
      identified deficiencies
      upon IRS’s internal and
      external financial reports
      resulting from any
      (a) material weakness,
      or (b) significant
      shortcoming in the
      scope, methodology, or
      timing of any SSAE No.
      16 report reviewed
      relative to IRS’s internal
      control objectives.
      (short-term)




ID no. Recommendation            Source report         Status per IRS                           Status per GAO
12-05 Update IRS’s procedures    Management Report:    Because this is a new                    Open. This is a recent recommendation.
      for comparing tax          Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      revenue recorded in the    Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      general ledger to          Internal Revenue      addressing it.                           audits.
      detailed tax revenue       Service’s Internal
      transactions recorded in   Controls and
      the master files to        Operating
      (1) establish minimum      Effectiveness
      criteria defining a        (GAO-12-683R, June
      significant or unusual     25, 2012), page 16.
      variance and (2) specify
      the steps required to
      effectively evaluate and
      resolve these variances.
      (short-term)
12-06 Update IRS’s procedures    Management Report:    Because this is a new                    Open. This is a recent recommendation.
      for comparing tax          Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      revenue recorded in the    Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      general ledger to          Internal Revenue      addressing it.                           audits.
      detailed tax revenue       Service’s Internal
      transactions recorded in   Controls and
      the master files to        Operating
      require that management    Effectiveness
      reviews ensure             (GAO-12-683R, June
      preparers evaluate and     25, 2012), page 16.
      resolve unusual or
      significant variances.
      (short-term)
12-07 Establish and document     Management Report:    Because this is a new                    Open. This is a recent recommendation.
      procedures for ensuring    Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      that recorded              Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      reimbursable revenue,      Internal Revenue      addressing it.                           audits.
      transfers in without       Service’s Internal
      reimbursement, and         Controls and
      accounts receivable from   Operating
      the Department of the      Effectiveness
      Treasury Forfeiture Fund   (GAO-12-683R, June
      (TFF) conform to federal   25, 2012), page 18.
      accounting standards.
      (short-term)
12-08 Establish requirements     Management Report:    Because this is a new                    Open. This is a recent recommendation.
      specifying a required      Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      time frame for territory   Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      managers to perform the    Internal Revenue      addressing it.                           audits.
      required review and        Service’s Internal
      approval of completed      Controls and
      audit management           Operating
      checklists. (short-term)   Effectiveness
                                 (GAO-12-683R, June
                                 25, 2012), page 20.




ID no. Recommendation              Source report         Status per IRS                           Status per GAO
12-09 Establish procedures         Management Report:    Because this is a new                    Open. This is a recent recommendation.
      requiring Physical           Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      Security and Emergency       Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      Preparedness (PSEP)          Internal Revenue      addressing it.                           audits.
      headquarters to centrally    Service’s Internal
      monitor compliance with      Controls and
      the audit management         Operating
      checklist process to         Effectiveness
      ensure that (1) PSEP         (GAO-12-683R, June
      analysts timely complete     25, 2012), page 20.
      their physical security
      reviews using the proper
      audit management
      checklists and
      (2) territory managers
      timely review and
      properly document their
      reviews of completed
      audit management
      checklists. (short-term)
12-10 Update the IRM to            Management Report:    Because this is a new                    Open. This is a recent recommendation.
      specify steps to be          Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      followed to prevent          Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      campus support clerks        Internal Revenue      addressing it.                           audits.
      as well as any other         Service’s Internal
      employees who process        Controls and
      payments through the         Operating
      electronic check             Effectiveness
      presentment system           (GAO-12-683R, June
      from making adjustments      25, 2012), page 22.
      to taxpayer accounts.
      (short-term)
12-11 Implement the                Management Report:    Because this is a new                    Open. This is a recent recommendation.
      September 2011 revised       Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      policy that requires an      Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      independent review of        Internal Revenue      addressing it.                           audits.
      the rent check summary       Service’s Internal
      report to help ensure that   Controls and
      the monthly rent             Operating
      allocation process is        Effectiveness
      properly completed.          (GAO-12-683R, June
      (short-term)                 25, 2012), page 25.
12-12 Establish a policy           Management Report:    Because this is a new                    Open. This is a recent recommendation.
      requiring an independent     Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      review of changes made       Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      by the rent processing       Internal Revenue      addressing it.                           audits.
      administrator to non-        Service’s Internal
      GSA lease data in the        Controls and
      Graphic Database             Operating
      Interface system (GDI).      Effectiveness
      (short-term)                 (GAO-12-683R, June
                                   25, 2012), page 25.




ID no. Recommendation              Source report         Status per IRS                           Status per GAO
12-13 Revise existing written      Management Report:    Because this is a new                    Open. This is a recent recommendation.
      procedures to require        Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      supervisory review of the    Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      Computer-Aided               Internal Revenue      addressing it.                           audits.
      Facilities Management        Service’s Internal
      (CAFM) Quarterly             Controls and
      Review Certifications        Operating
      and Statistics against the   Effectiveness
      Graphic Database             (GAO-12-683R, June
      Interface system (GDI)       25, 2012), page 27.
      validation walkthrough
      sheets. (short-term)
12-14 Establish mechanisms to      Management Report:    Because this is a new                    Open. This is a recent recommendation.
      monitor the                  Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      implementation of and        Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      compliance with the          Internal Revenue      addressing it.                           audits.
      revised policy               Service’s Internal
      established in October       Controls and
      2011 that requires field     Operating
      CAFM program                 Effectiveness
      managers to maintain         (GAO-12-683R, June
      GDI Quarterly Review         25, 2012), page 28.
      documentation, including
      GDI validation
      walkthrough sheets and
      GDI Quarterly Review
      certifications.
      (short-term)
12-15 Establish mechanisms to      Management Report:    Because this is a new                    Open. This is a recent recommendation.
      monitor the                  Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      implementation of and        Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      compliance with the          Internal Revenue      addressing it.                           audits.
      revised policy               Service’s Internal
      established in October       Controls and
      2011 that defines the        Operating
      type of errors that should   Effectiveness
      be captured on the           (GAO-12-683R, June
      CAFM Quarterly Review        25, 2012), page 28.
      Certifications to help
      ensure that field CAFM
      program managers
      consistently compile the
      errors found in their
      quarterly reviews for
      compilation in the overall
      CAFM Quarterly Review
      Statistics. (short-term)




ID no. Recommendation             Source report         Status per IRS                           Status per GAO
12-16 Establish procedures to     Management Report:    Because this is a new                    Open. This is a recent recommendation.
      require the Office of       Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      Financial Reporting to      Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      ensure that extracted       Internal Revenue      addressing it.                           audits.
      Graphic Database            Service’s Internal
      Interface system (GDI)      Controls and
      data used to calculate      Operating
      the leasehold               Effectiveness
      improvement disposal        (GAO-12-683R, June
      estimate is complete and    25, 2012), page 31.
      accurate. (short-term)
12-17 Implement the revised       Management Report:    Because this is a new                    Open. This is a recent recommendation.
      January 2012                Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      procedures requiring        Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      comparison of the leases    Internal Revenue      addressing it.                           audits.
      used in the prior year      Service’s Internal
      with the current year       Controls and
      leases to help ensure       Operating
      that expired leases have    Effectiveness
      not been extended and       (GAO-12-683R, June
      thus, are only counted      25, 2012), page 31.
      once in the disposal
      estimates. (short-term)
12-18 Implement the revised       Management Report:    Because this is a new                    Open. This is a recent recommendation.
      January 2012                Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      procedures requiring        Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      preparation and review      Internal Revenue      addressing it.                           audits.
      of leasehold                Service’s Internal
      improvement disposal        Controls and
      calculations quarterly.     Operating
      (short-term)                Effectiveness
                                  (GAO-12-683R, June
                                  25, 2012), page 31.
12-19 Provide training to         Management Report:    Because this is a new                    Open. This is a recent recommendation.
      contracting officers and    Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      contracting officers’       Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      technical representatives   Internal Revenue      addressing it.                           audits.
      (COTR) on their specific    Service’s Internal
      procedural requirements     Controls and
      for obtaining and           Operating
      maintaining end user        Effectiveness
      documentation of receipt    (GAO-12-683R, June
      and acceptance of the       25, 2012), page 33.
      good or service prior to
      entering
      acknowledgment of
      receipt and acceptance
      in the procurement
      system. (short-term)




ID no. Recommendation               Source report         Status per IRS                           Status per GAO
12-20 Establish a mechanism         Management Report:    Because this is a new                    Open. This is a recent recommendation.
      to periodically monitor       Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      contracting officers and      Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      contracting officers’         Internal Revenue      addressing it.                           audits.
      technical representatives     Service’s Internal
      (COTR) compliance with        Controls and
      the requirement to obtain     Operating
      and document end user         Effectiveness
      confirmation of receipt       (GAO-12-683R, June
      prior to entering receipt     25, 2012), page 33.
      and acceptance into the
      procurement system.
      (short-term)
12-21 Establish a mechanism         Management Report:    Because this is a new                    Open. This is a recent recommendation.
      for monitoring                Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      compliance with the           Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      existing requirement for      Internal Revenue      addressing it.                           audits.
      employees and                 Service’s Internal
      timekeepers to charge         Controls and
      labor time spent on the       Operating
      Patient Protection and        Effectiveness
      Affordable Care Act           (GAO-12-683R, June
      (PPACA) projects to the       25, 2012), page 36.
      PPACA accounting
      code, such as through
      issuing periodic alerts,
      providing training and
      guidance, and/or having
      managers perform
      periodic reviews of
      employee labor time
      charges. (short-term)
12-22 Design and implement          Management Report:    Because this is a new                    Open. This is a recent recommendation.
      procedures specifying         Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      the review steps required     Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      to identify and research      Internal Revenue      addressing it.                           audits.
      all transactions identified   Service’s Internal
      with a PPACA internal         Controls and
      order number in the           Operating
      agency’s expense files to     Effectiveness
      confirm that they are         (GAO-12-683R, June
      PPACA-related                 25, 2012), page 37.
      expenses and, if so, to
      ensure that they are
      charged to the PPACA
      appropriation where
      appropriate. (short-term)




ID no. Recommendation              Source report         Status per IRS                           Status per GAO
12-23 Revise the payroll           Management Report:    Because this is a new                    Open. This is a recent recommendation.
      standard operating           Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      procedures (SOP) to          Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      specify steps that the       Internal Revenue      addressing it.                           audits.
      human resource               Service’s Internal
      specialists are required     Controls and
      to follow to ensure that     Operating
      each electronic time card    Effectiveness
      is signed by an              (GAO-12-683R, June
      authorized official before   25, 2012), page 39.
      the timecard is
      transmitted to the
      National Finance Center
      for processing and
      payment. (short-term)
12-24 Revise the payroll           Management Report:    Because this is a new                    Open. This is a recent recommendation.
      standard operating           Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      procedures (SOP) to          Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      require that the             Internal Revenue      addressing it.                           audits.
      designated proxy for a       Service’s Internal
      manager required to          Controls and
      approve time cards be at     Operating
      an equivalent or higher      Effectiveness
      level as the manager,        (GAO-12-683R, June
      consistent with the IRM.     25, 2012), page 40.
      (short-term)
12-25 Incorporate in the           Management Report:    Because this is a new                    Open. This is a recent recommendation.
      planned 2012 policy          Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      change requiring the         Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      manager or designated        Internal Revenue      addressing it.                           audits.
      proxy to sign the            Service’s Internal
      electronic time card         Controls and
      before transmitting          Operating
      payroll records to the       Effectiveness
      National Finance Center      (GAO-12-683R, June
      the requirement that the     25, 2012), page 40.
      designated proxy be at
      an equivalent or higher
      level than the
      employee’s manager.
      (short-term)
12-26 Implement an edit            Management Report:    Because this is a new                    Open. This is a recent recommendation.
      control in IRS’s time card   Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      system to identify and       Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      prevent the processing       Internal Revenue      addressing it.                           audits.
      of time cards that have      Service’s Internal
      not been electronically      Controls and
      signed. (short-term)         Operating
                                   Effectiveness
                                   (GAO-12-683R, June
                                   25, 2012), page 40.




ID no. Recommendation              Source report         Status per IRS                           Status per GAO
12-27 Remind managers of           Management Report:    Because this is a new                    Open. This is a recent recommendation.
      their responsibilities,      Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      procedures, and required     Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      time frames for either       Internal Revenue      addressing it.                           audits.
      granting or denying a        Service’s Internal
      within-grade pay             Controls and
      increase for employees       Operating
      with below fully             Effectiveness
      successful ratings, such     (GAO-12-683R, June
      as by providing alerts in    25, 2012), page 44.
      HR Connect when a
      manager enters a less
      than fully successful
      rating or providing
      training to remind them
      of their responsibilities.
      (short-term)
12-28 Establish procedures for     Management Report:    Because this is a new                    Open. This is a recent recommendation.
      human resource               Improvements Are      recommendation, GAO did not              We will verify IRS’s corrective actions
      specialists to track and     Needed to Enhance     obtain information on IRS’s status in    during our fiscal year 2012 and future
      monitor supervisory          Internal Revenue      addressing it.                           audits.
      actions taken for            Service’s Internal
      employees with less than     Controls and
      fully successful ratings     Operating
      that have a within-grade     Effectiveness
      pay increase due date        (GAO-12-683R, June
      within 90 days to include    25, 2012), page 44.
      specific required steps
      for following-up with
      managers to ensure the
      managers properly issue
      the employees a 60-day
      notification letter
      providing them an
      opportunity to improve
      their performance, make
      a timely determination on
      releasing or denying a
      within-grade pay
      increase, and properly
      carry out the
      requirements necessary
      to support the decision
      made. (short-term)




12-29 Establish procedures for    Management Report:        Because this is a new                    Open. This is a recent recommendation.
      HR specialists to track     Improvements Are          recommendation, GAO did not              We will verify IRS’s corrective actions
      and monitor supervisory     Needed to Enhance         obtain information on IRS’s status in    during our fiscal year 2012 and future
      actions taken for           Internal Revenue          addressing it.                           audits.
      employees with less than    Service’s Internal
      fully successful ratings    Controls and
      that have a within-grade    Operating
      pay increase due date       Effectiveness
      within 90 days to include   (GAO-12-683R, June
      specific required steps     25, 2012), page 44.
      for timely granting a
      within-grade pay
      increase to such
      employees who were not
      given a 60-day
      notification letter.
      (short-term)
12-30 Establish and document      Management Report:        Because this is a new                    Open. This is a recent recommendation.
      procedures for payroll      Improvements Are          recommendation, GAO did not              We will verify IRS’s corrective actions
      staff to research and       Needed to Enhance         obtain information on IRS’s status in    during our fiscal year 2012 and future
      correct recycled errors     Internal Revenue          addressing it.                           audits.
      from payroll processing     Service’s Internal
      on a regular and timely     Controls and
      basis. (short-term)         Operating
                                  Effectiveness
                                  (GAO-12-683R, June
                                  25, 2012), page 45.
                                          Source: GAO and IRS.




Appendix II: Open Recommendations Arranged by Material Weakness, Significant
Deficiency, Compliance, or Other Control Deficiencies

                                             For several years, we have reported material weaknesses, significant
                                             deficiencies, noncompliance with laws and regulations, and other control
                                             deficiencies in our annual financial statement audits and related
                                             management reports. 1 Appendix II provides summary information
                                             regarding the primary issue to which each open recommendation is most
                                             closely related. To compile this summary, we analyzed the nature of the
                                             open recommendations to relate them to the material weaknesses,
                                             significant deficiency, compliance issue, or other control deficiencies (not
                                             associated with a material weakness, significant deficiency, or
                                             compliance issue) identified as part of our financial statement audit.


Material Weakness: Unpaid Assessments

The Internal Revenue Service (IRS) has a material weakness in its internal
control over the management of unpaid assessments resulting from the agency’s
(1) inability to rely on its general ledger for tax transactions and
underlying subsidiary records to report federal taxes receivable, compliance
assessments, and writeoffs in accordance with federal accounting standards
without significant compensating procedures, (2) lack of transaction
traceability for the reported balance in taxes receivable that comprises over
80 percent of IRS’s total assets as of September 30, 2011, and an effective
transaction-based subledger for unpaid tax assessment transactions, and (3)
inability to effectively prevent or timely detect and correct errors in
taxpayer accounts. The recommendations in table 12 address our related
findings.

Table 12: Material Weakness: Controls over Unpaid Assessments

ID no.   Recommendation                                                                               Control activity
99-01    Manually review and eliminate duplicate or other assessments that have already been          Accurate and timely recording of
         paid off to assure that all accounts related to a single assessment are appropriately        transactions and events
         credited for payments received. (short-term)
08-06    In instances where computer programs that control penalty assessments are not                Accurate and timely recording of
         functioning in accordance with the intent of the IRM, take appropriate action to correct     transactions and events
         the programs so that they function in accordance with the IRM. (long-term)




                                             1
                                              See GAO, Financial Audit: IRS’s Fiscal Years 2011 and 2010 Financial Statements,
                                             GAO-12-165 (Washington, D.C.: Nov. 10, 2011); and Management Report: Improvements
                                             Are Needed to Further Enhance the Internal Revenue Service’s Internal Controls and
                                             Operating Effectiveness, GAO-12-683R (Washington, D.C.: June 25, 2012) for the fiscal
                                             year 2011 reports.




10-01    Review the results of IRS’s unpaid assessments compensating statistical estimation         Accurate and timely recording of
         process to identify and document instances where systemic limitations in the Custodial     transactions and events
         Detail Data Base (CDDB) resulted in misclassifications of account balances that, in turn,
         resulted in material inaccuracies in the amounts of reported unpaid tax assessments.
         (short-term)
10-02    Research and implement programming changes to allow the Custodial Detail Data Base         Accurate and timely recording of
         (CDDB) to more accurately classify such accounts among the three categories of             transactions and events
         unpaid tax assessments. (short-term)
10-03    Research and identify control weaknesses resulting in inaccuracies or errors in taxpayer   Accurate and timely recording of
         accounts that materially affect the financial reporting of unpaid tax assessments.         transactions and events
         (short-term)
10-04    Once IRS identifies the control weaknesses that result in inaccuracies or errors that      Accurate and timely recording of
         materially affect the financial reporting of unpaid tax assessments, implement control     transactions and events
         procedures to routinely prevent, or to detect and correct, such errors. (short-term)
                                             Source: GAO.




Material Weakness: Information Security

IRS has control deficiencies over information security that result primarily
from IRS not having fully implemented key components of its information
security program. These weaknesses, collectively, represent a material
weakness. For example, (1) IRS’s testing did not detect many of the
vulnerabilities we identified and did not assess a key application in its
current environment, and (2) IRS did not effectively validate corrective
actions reported to resolve previously identified control deficiencies.
Although IRS has made some progress in addressing previous control
deficiencies we identified in its information systems and physical security
controls, as of March 2012, there were 118 open recommendations designed to
help IRS improve its information systems security controls. Those
recommendations are reported separately and are not included in this report
primarily because of the sensitive nature of some of the issues. 2




                                             2
                                              Although most of our recommendations regarding our information security work are
                                             sensitive and reported to IRS separately, we have reported our objectives, summary
                                             results, and nonsensitive recommendations in a publicly available report. See GAO,
                                             Information Security: IRS Needs to Enhance Internal Control over Financial Reporting and
                                             Taxpayer Data, GAO-12-393 (Washington, D.C.: Mar. 16, 2012).








Significant Deficiency: Tax Refund Disbursements

IRS has several control deficiencies over its tax refund disbursements. In
our audit of IRS’s fiscal year 2011 financial statements, 3 we reported a
significant deficiency in IRS’s internal control over tax refund
disbursements that resulted from (1) IRS not having effectively addressed
the deficiencies in internal control over manual tax refunds that we have
reported in previous years, 4 (2) additional deficiencies in internal control
over manual tax refunds we identified during our fiscal year 2011 audit,
and (3) continued deficiencies in IRS’s internal control over processing of
claims for the First-time Homebuyer Credit (FTHBC). These control
deficiencies related to the monitoring of manual refunds, training of staff
having key roles in refund processing, and documentation of FTHBC
claims. The recommendations in table 13 address our related findings.

Table 13: Significant Deficiency: Tax Refund Disbursements

ID no.   Recommendation                                                                              Control activity
05-38    Enforce requirements for monitoring accounts and reviewing monitoring of accounts for       Reviews by management at the
         manual refunds. (short-term)                                                          functional or activity level
05-39    Enforce requirements for documenting monitoring actions and supervisory review for          Appropriate documentation of
         manual refunds. (short-term)                                                                transactions and internal controls
07-08    Require that managers or supervisors provide the manual refund initiators in their units    Management of human capital
         with training on the most current requirements to help ensure that they fulfill their
         responsibilities to monitor manual refunds and document their monitoring actions to
         prevent the issuance of duplicate refunds. (short-term)
11-01    Put procedures in place to periodically monitor the effectiveness of the new First-time     Reviews by management at the
         Homebuyer Credit (FTHBC) validity checks for the duration of the filing of FTHBC            functional or activity level
         claims to verify that they are working as intended. (short-term)
11-02    Establish a mechanism to enforce the existing requirement for appropriate managers to       Reviews by management at the
         immediately notify the manual refund units of any personnel changes affecting the           functional or activity level
         approval or processing of manual refunds. This may be accomplished through
         mechanisms such as issuing periodic alerts, providing training or having the manual
         refund unit perform quarterly validations of the list of manual refund approving officials,
         or a combination of these. (short-term)
                                             Source: GAO.




                                             3
                                                 GAO-12-165.
                                             4
                                               GAO, Management Report: Improvements Are Needed to Enhance IRS’s Internal
                                             Controls and Operating Effectiveness, GAO-11-494R (Washington, D.C.: June 21, 2011);
                                             Management Report: Improvements Needed in IRS’s Internal Controls, GAO-07-689R
                                             (Washington, D.C.: May 11, 2007); Management Report: Improvements Needed in IRS’s
                                             Internal Controls, GAO-06-543R (Washington, D.C.: May 12, 2006); and Management
                                             Report: Improvements Needed in IRS’s Internal Controls, GAO-05-247R (Washington,
                                             D.C.: Apr. 27, 2005).








Compliance with Laws and Regulations: Release of Federal Tax Liens

IRS continues to be noncompliant with the laws and regulations
governing the release of federal tax liens. 5 We found IRS did not always
release applicable federal tax liens within 30 days of tax liabilities being
either paid off or abated, as required by the Internal Revenue Code
(section 6325). The Internal Revenue Code grants IRS the power to file a
lien against the property of any taxpayer who neglects or refuses to pay
all assessed federal taxes. The lien serves to protect the interest of the
federal government and as a public notice to current and potential
creditors of the federal government’s interest in the taxpayer’s property.
The recommendation in table 14 addresses our related finding.

Table 14: Compliance with Laws and Regulations: Release of Federal Tax Liens

ID no.   Recommendation                                                                  Control activity
01-06    Implement procedures to closely monitor the release of tax liens to ensure that    Reviews by management at the
         they are released within 30 days of the date the related tax liability is fully    functional or activity level
         satisfied. As part of these procedures, IRS should carefully analyze the causes of
         the delays in releasing tax liens identified by our work and prior work by IRS’s
         former internal audit function and ensure that such procedures effectively address
         these issues. (short-term)
                                           Source: GAO.



Other Control Deficiencies

IRS’s actions over the years to resolve control deficiencies enabled us to
close over 300 internal control–related recommendations. However, IRS
also continues to face a challenge in addressing numerous other
unresolved control deficiencies in several aspects of its operations that,
while neither individually nor collectively representing a material
weakness or significant deficiency, nonetheless merit management
attention to ensure they are fully and effectively addressed. IRS now has
a total of 57 open audit recommendations resulting from control
deficiencies that we report in table 15. While most were identified during
our recent financial audits, some were identified in our audits since 2005.
It is incumbent upon IRS to effectively address these open
recommendations and to improve its system of internal controls so that
IRS can identify and correct potential control deficiencies before they can
grow into more serious problems.

Twenty-five—over 40 percent—of the 57 “other” open recommendations
address control deficiencies related either directly or indirectly to physical
safeguarding of tax receipts and taxpayer information, a critical element
of IRS’s responsibilities. 6

5
 GAO-12-165.

IRS processes billions of dollars annually in checks and currency, which it
must safeguard and account for to prevent theft, fraud, and misuse. To do
so, IRS has established physical security, accountability, and accounting
policies, processes, and procedures to manage its activities involving
transporting and accounting for tax receipts and for handling and storing
taxpayer information. Although IRS has made substantial improvements
in safeguarding taxpayer receipts and information since our financial
audits first began identifying serious control deficiencies in this area, the
task of ensuring ongoing control over such critical responsibilities for IRS
is a difficult one and requires constant vigilance. Each year, we continue
to identify control deficiencies related to IRS’s safeguarding of taxpayer
receipts and information. For example, our fiscal year 2011 audit
identified new control deficiencies, and we made additional
recommendations that related either directly or indirectly to physically
safeguarding taxpayer receipts and information. The control deficiencies
encompassed in our open recommendations cover critical physical
security functions, such as

•   transporting taxpayer receipts and sensitive taxpayer information
    among IRS facilities and lockbox banks 7 and maintaining physical
    security at IRS facilities to prevent loss, theft, or the potential for fraud
    regarding tax receipts and taxpayer information;

•   conducting inspections and audits of the design and operation of
    IRS’s physical security processes and controls designed to safeguard
    tax receipts and taxpayer information; and

•   conducting appropriate background investigations and screening of
    personnel, including contractors, with access to taxpayer information.

In light of the volume of taxpayer receipts and sensitive taxpayer files that
IRS is responsible for safeguarding, and the implications for IRS’s
mission if they are lost, stolen, or the subject of fraud or misuse, it is
critical that IRS fully and effectively resolve the control deficiencies we
have identified and work toward continually improving its internal controls
to prevent new issues from arising.

6
 IRS’s need to safeguard tax receipts and taxpayer information extends beyond the
control activity of safeguarding assets, as reflected in tables 1 through 4 of this report. For
our analysis in this section, we included recommendations related directly to guarding tax
information and receipts, such as the transportation of information between IRS facilities,
and those indirectly related, such as IRS’s need to obtain background investigations on
individuals with access to tax receipts or information.
7
 Lockbox banks are financial institutions designated as depositories and financial agents
of the U.S. government to perform certain financial services, including processing tax
documents, depositing the receipts, and forwarding the documents and data to the IRS
service center campuses (SCC) that process tax returns and payments.

Table 15: Other Control Deficiencies Not Associated with a Material Weakness, Significant Deficiency, or Compliance Issue

ID no. Recommendation                                                                                   Control activity
05-33   Enforce the requirement that a document transmittal form listing the enclosed Daily Report      Reviews by management at the
        of Collection Activity forms be included in transmittal packages, using such methods as         functional or activity level
        more frequent inspections or increased reliance on error reports compiled by the service
        center teller units receiving the information. (short-term)
06-02   Enforce compliance with existing requirements that all IRS units transmitting taxpayer          Appropriate documentation of
        receipts and information from one IRS facility to another, including service center             transactions and internal controls
        campuses (SCC), Taxpayer Assistance Centers (TAC), and units within the Large
        Business and International (LB&I) and the Tax-Exempt and Government Entities (TE/GE)
        business operating units, establish a system to track acknowledged copies of document
        transmittals. (short-term)
06-05   Equip all TACs with adequate physical security controls to deter and prevent unauthorized       Physical control over vulnerable
        access to restricted areas or office space occupied by other IRS units, including those         assets
        TACs that are not scheduled to be reconfigured to the “new TAC” model in the near
        future. This includes appropriately separating customer service waiting areas from
        restricted areas in the near future by physical barriers, such as locked doors marked with
        signs barring entrance by unescorted customers. (short-term)
07-04   Develop and implement appropriate corrective actions for any gaps in closed circuit             Physical control over vulnerable
        television (CCTV) camera coverage that do not provide an unobstructed view of the entire        assets
        exterior of the SCC perimeter, such as adding or repositioning existing CCTV cameras or
        removing obstructions. (short-term)
08-14   Revise the Internal Revenue Manual (IRM) to include a requirement that IRS conduct              Reviews by management at the
        periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive    functional or activity level
        IRS information; document the results, including identification of any security issues; and
        verify that the contractor has taken appropriate corrective actions on any security issues
        observed. (short-term)
09-03   Document in the IRM minimum requirements for establishing criteria for time                     Physical control over vulnerable
        discrepancies or other inconsistencies, which if noted as part of the required monitoring of    assets
        Form 10160, Receipt for Transport of IRS Deposit, would require off-site surveillance of
        couriers. (short-term)
09-05   Establish procedures to track and routinely report the total dollar amounts and volumes of      Reviews by management at the
        receipts collected by individual TAC location, group, territory, area, and nationwide. (long-   functional or activity level
        term)
09-06   Establish procedures to ensure that an inventory of all duress alarms is documented for         Physical control over vulnerable
        each location and is readily available to individuals conducting duress alarm tests before      assets
        each test is conducted. (short-term)




09-07   Establish procedures to periodically update the inventory of duress alarms at each TAC          Physical control over vulnerable
        location to ensure that the inventory is current and complete as of the testing date. (short-   assets
        term)
09-08   Provide instructions for conducting quarterly duress alarm tests to ensure that IRS officials   Physical control over vulnerable
        conducting the test (1) document the test results for each duress alarm listed in the           assets
        inventory, including date, findings, and planned corrective action and (2) track the findings
        until they are properly resolved. (short-term)
09-09   Establish procedures requiring that each physical security analyst conduct a periodic          Physical control over vulnerable
        documented review of the Emergency Signal History Report and emergency contact list            assets
        for its respective location to ensure that (1) appropriate corrective actions have been
        planned for all incidents reported by the central monitoring station and (2) the emergency
        contact list for each location is current and includes only appropriate contacts. (short-term)
09-16   Develop outcome-oriented performance measures and related performance goals for                 Establishment and review of
        IRS’s enforcement programs and activities that include measures of the full cost of, and        performance measures and
        the revenue collected from, those programs and activities (return on investment) to assist      indicators
        IRS’s managers in optimizing resource allocation decisions and evaluating the
        effectiveness of their activities. (long-term)
10-19   Establish procedures to track service center campus (SCC) acknowledgments of                    Physical control over vulnerable
        unprocessable items with receipts. (short-term)                                                 assets
10-20   Establish procedures to monitor the process used by service center campuses (SCC) and           Physical control over vulnerable
        lockbox banks to acknowledge and track transmittals of unprocessable items with                 assets
        receipts. These procedures should include monitoring discrepancies and instituting
        appropriate corrective actions as needed. (short-term)
10-29   Analyze the various contractor access arrangements and establish a policy that requires         Access restrictions to and
        security awareness training for all IRS contractors who are provided unescorted physical        accountability for resources and
        access to its facilities or taxpayer receipts and information. (short-term)                     records
11-04   Establish formal written procedures requiring staff to review purchase contract terms           Accurate and timely recording of
        against the goods and services received to date before requesting additional goods or           transactions and events
        services. (short-term)
11-05   Establish procedures to centrally review and monitor the timeliness of personnel action         Accurate and timely recording of
        requests and approvals to help ensure compliance with the IRM and applicable Office of          transactions and events
        Personnel Management (OPM) regulations and guidance. (short-term)
11-11   Perform a review of all existing contracts under $100,000 that (1) do not have an               Access restrictions to and
        appointed contracting officer’s technical representative (COTR) and (2) do not require that     accountability for resources and
        contract employees obtain background investigations to assess whether the services              records
        performed under each contract warrant a requirement that contract employees obtain
        background investigations. (short-term)
11-12   Based on a review of all existing contracts under $100,000 without an appointed COTR            Access restrictions to and
        that should require contract employees to obtain favorable background investigation             accountability for resources and
        results, amend those contracts to require that favorable background investigations be           records
        obtained for all relevant contract employees before routine, unescorted, unsupervised
        physical access to taxpayer information is granted. (short-term)




11-13   Establish a policy requiring collaborative oversight between IRS’s key offices in               Access restrictions to and
        determining whether potential service contracts involve routine, unescorted, unsupervised       accountability for resources and
        physical access to taxpayer information, thus requiring background investigations,              records
        regardless of contract award amount. This policy should include a process for the
        requiring business unit to communicate to the Office of Procurement and the Human
        Capital Office the services to be provided under the contract and any potential exposure
        of taxpayer information to contract employees providing the services, and for all three
        units to (1) evaluate the risk of exposure of taxpayer information prior to finalizing and
        awarding the contract and (2) ensure that the final contract requires favorable background
        investigations as applicable, commensurate with the assessed risk. (short-term)
11-14   Establish procedures to provide a consistent methodology for calculating and establishing       Physical control over vulnerable
        allowable deposit courier trip time limits to be used by both service center campuses           assets
        (SCC) and lockbox banks that would assist in detecting potential unauthorized stops or
        other contractual violations by deposit couriers. Such procedures should include
        instructions for documenting and supporting how the trip limits were determined and
        require justification and approval for all established time limits that exceed the average trip
        time. (short-term)
11-16   Enforce existing contractual requirements for the cargo doors of contract courier vehicles      Physical control over vulnerable
        to be locked after picking up taxpayer information. (short-term)                                assets
11-17   Establish procedures to prevent or detect unauthorized access to taxpayer information in        Physical control over vulnerable
        contract courier vehicles during transit. These procedures should detail specific activities    assets
        to be performed by both the business unit sending and receiving the information
        transported by the contract courier. (short-term)
11-18   Revise the guidance for conducting the periodic reviews of the contract couriers                Physical control over vulnerable
        transporting taxpayer information from one IRS processing facility to another to include        assets
        procedures for (1) physically verifying that courier vehicle cargo doors are locked after
        picking up this information and remain locked during transit to the final destination and
        (2) documenting the basis for the reviewer’s conclusions. (short-term)
11-24   Revise the post orders for the SCC and lockbox bank security guards to include specific         Appropriate documentation of
        procedures for timely reporting exterior lighting outages to SCC or lockbox bank facilities     transactions and internal controls
        management. These procedures should specify (1) whom to contact to report lighting
        outages and (2) how to document and track lighting outages until resolved. (short-term)
11-25   Revise the nature and scope of the SCC and lockbox banks’ physical security reviews to          Reviews by management at the
        include periodic after dark assessments of physical security controls. (short-term)             functional or activity level
11-26   Take steps to effectively implement the procedures requiring property staff to verify that      Accurate and timely recording of
        the asset purchase price shown in the Asset Management Report agrees with the asset             transactions and events
        purchase price shown in the Integrated Financial System (IFS) and to resolve any
        variances before entering the information into the Information Technology Asset
        Management System (ITAMS). (short-term)
12-01   Establish and document an inventory of the specific systems involved in IRS’s financial         Reviews by management at the
        reporting process, including (1) describing what role each system plays in the financial        functional or activity level
        reporting process, (2) concluding whether each system is considered to be material to
        financial reporting and why, and (3) denoting whether each system is controlled by IRS or
        by an external service provider and, if the latter, identifying the service provider.
        (short-term)




12-02   Enhance existing policies and procedures pertaining to monitoring internal control over the     Reviews by management at the
        automated systems operated by IRS personnel to specifically provide for routine,                functional or activity level
        documented monitoring of the specific internal controls within its financial reporting
        systems that are intended to ensure the integrity of the data reported in the financial
        statements and other financial reports. This monitoring process should (1) involve both
        automated systems specialists and individuals with expertise in accounting and reporting,
        as appropriate, (2) encompass the specific automated internal controls that affect the
        authorizing, processing, transmitting, or reporting of material financial transactions, and
        (3) be designed to determine whether these internal controls are in place and operating
        effectively. (short-term)
12-03   For any system identified as material to IRS’s financial reporting process which is             Reviews by management at the
        controlled by an external service provider, establish policies and procedures requiring and     functional or activity level
        defining a routine, documented process for coordinating with the service provider to
        appropriately monitor related internal control. This may entail establishing an agreement
        with each service provider to allow IRS personnel the access to either (1) the system
        concerned, as necessary to perform appropriate monitoring of internal control over
        financial reporting, or (2) periodic reports prepared in accordance with Statements on
        Standards for Attestation Engagements (SSAE) No. 16 documenting the results of
        monitoring performed by the service provider. (short-term)
12-04   Establish policies and procedures with respect to any external financial reporting system       Reviews by management at the
        IRS personnel themselves do not directly monitor that specify required steps to routinely       functional or activity level
        review periodic reports prepared by service providers’ auditors in accordance with SSAE
        No. 16, including steps to document (1) an assessment of whether a review’s scope,
        methodology, and timing is appropriate to satisfy IRS’s objectives; (2) any control
        deficiencies disclosed in the report, and an assessment of their materiality to IRS’s
        financial reporting process and related risks; and (3) any compensating internal controls
        needed to mitigate any actual or potential effects of identified deficiencies upon IRS’s
        internal and external financial reports resulting from any (a) material weakness, or (b)
        significant shortcoming in the scope, methodology, or timing of any SSAE No. 16 report
        reviewed relative to IRS’s internal control objectives. (short-term)
12-05   Update IRS’s procedures for comparing tax revenue recorded in the general ledger to             Appropriate documentation of
        detailed tax revenue transactions recorded in the master files to (1) establish minimum         transactions and internal controls
        criteria defining a significant or unusual variance and (2) specify the steps required to
        effectively evaluate and resolve these variances. (short-term)
12-06   Update IRS’s procedures for comparing tax revenue recorded in the general ledger to             Appropriate documentation of
        detailed tax revenue transactions recorded in the master files to require that management       transactions and internal controls
        reviews ensure preparers evaluate and resolve unusual or significant variances. (short-
        term)
12-07   Establish and document procedures for ensuring that recorded reimbursable revenue,              Accurate and timely recording of
        transfers in without reimbursement, and accounts receivable from the Department of the          transactions and events
        Treasury Forfeiture Fund (TFF) conform to federal accounting standards. (short-term)
12-08   Establish requirements specifying a required time frame for territory managers to perform       Reviews by management at the
        the required review and approval of completed audit management checklists. (short-term)         functional or activity level
12-09   Establish procedures requiring Physical Security and Emergency Preparedness (PSEP)              Reviews by management at the
        headquarters to centrally monitor compliance with the audit management checklist                functional or activity level
        process to ensure that (1) PSEP analysts timely complete their physical security reviews
        using the proper audit management checklists and (2) territory managers timely review
        and properly document their reviews of completed audit management checklists. (short-
        term)




12-10   Update the IRM to specify steps to be followed to prevent campus support clerks as well        Segregation of duties
        as any other employees who process payments through the electronic check presentment
        system from making adjustments to taxpayer accounts. (short-term)
12-11   Implement the September 2011 revised policy that requires an independent review of the         Reviews by management at the
        rent check summary report to help ensure that the monthly rent allocation process is           functional or activity level
        properly completed. (short-term)
12-12   Establish a policy requiring an independent review of changes made by the rent                 Reviews by management at the
        processing administrator to non-GSA lease data in the Graphic Database Interface               functional or activity level
        system (GDI). (short-term)
12-13   Revise existing written procedures to require supervisory review of the Computer-Aided         Appropriate documentation of
        Facilities Management (CAFM) Quarterly Review Certifications and Statistics against the        transactions and internal controls
        GDI validation walkthrough sheets. (short-term)
12-14   Establish mechanisms to monitor the implementation of and compliance with the revised          Appropriate documentation of
        policy established in October 2011 that requires field Computer-Aided Facilities               transactions and internal controls
        Management (CAFM) program managers to maintain GDI Quarterly Review
        documentation, including GDI validation walkthrough sheets and GDI Quarterly Review
        certifications. (short-term)
12-15   Establish mechanisms to monitor the implementation of and compliance with the revised          Appropriate documentation of
        policy established in October 2011 that defines the type of errors that should be captured     transactions and internal controls
        on the CAFM Quarterly Review Certifications to help ensure that field CAFM program
        managers consistently compile the errors found in their quarterly reviews for compilation
        in the overall CAFM Quarterly Review Statistics. (short-term)
12-16   Establish procedures to require the Office of Financial Reporting to ensure that extracted     Accurate and timely recording of
        GDI data used to calculate the leasehold improvement disposal estimate is complete and         transactions and events
        accurate. (short-term)
12-17   Implement the revised January 2012 procedures requiring comparison of the leases used          Proper execution of transactions
        in the prior year with the current year leases to help ensure that expired leases have not     and events
        been extended and thus, are only counted once in the disposal estimates. (short-term)
12-18   Implement the revised January 2012 procedures requiring preparation and review of              Proper execution of transactions
        leasehold improvement disposal calculations quarterly. (short-term)                            and events
12-19   Provide training to contracting officers and contracting officers’ technical representatives   Management of human capital
        (COTR) on their specific procedural requirements for obtaining and maintaining end user
        documentation of receipt and acceptance of the good or service prior to entering
        acknowledgment of receipt and acceptance in the procurement system. (short-term)
12-20   Establish a mechanism to periodically monitor contracting officers and contracting officers’   Accurate and timely recording of
        technical representatives (COTR) compliance with the requirement to obtain and                 transactions and events
        document end user confirmation of receipt prior to entering receipt and acceptance into
        the procurement system. (short-term)
12-21   Establish a mechanism for monitoring compliance with the existing requirement for              Accurate and timely recording of
        employees and timekeepers to charge labor time spent on the Patient Protection and             transactions and events
        Affordable Care Act (PPACA) projects to the PPACA accounting code, such as through
        issuing periodic alerts, providing training and guidance, and/or having managers perform
        periodic reviews of employee labor time charges. (short-term)
12-22   Design and implement procedures specifying the review steps required to identify and           Accurate and timely recording of
        research all transactions identified with a PPACA internal order number in the agency’s        transactions and events
        expense files to confirm that they are PPACA-related expenses and, if so, to ensure that
        they are charged to the PPACA appropriation where appropriate. (short-term)




12-23   Revise the payroll standard operating procedures to specify steps that the human              Proper execution of transactions
        resource specialists are required to follow to ensure that each electronic time card is       and events
        signed by an authorized official before the timecard is transmitted to the National Finance
        Center for processing and payment. (short-term)
12-24   Revise the payroll standard operating procedures to require that the designated proxy for     Proper execution of transactions
        a manager required to approve time cards be at an equivalent or higher level as the           and events
        manager, consistent with the IRM. (short-term)
12-25   Incorporate in the planned 2012 policy change requiring the manager or designated proxy        Proper execution of transactions
        to sign the electronic time card before transmitting payroll records to the National Finance   and events
        Center the requirement that the designated proxy be at an equivalent or higher level than
        the employee’s manager. (short-term)
12-26   Implement an edit control in IRS’s time card system to identify and prevent the processing    Accurate and timely recording of
        of time cards that have not been electronically signed. (short-term)                          transactions and events
12-27   Remind managers of their responsibilities, procedures, and required time frames for either    Management of human capital
        granting or denying a within-grade pay increase for employees with below fully successful
        ratings, such as by providing alerts in HR Connect when a manager enters a less than
        fully successful rating or providing training to remind them of their responsibilities.
        (short-term)
12-28   Establish procedures for human resource specialists to track and monitor supervisory          Reviews by management at the
        actions taken for employees with less than fully successful ratings that have a within-       functional or activity level
        grade pay increase due date within 90 days to include specific required steps for
        following-up with managers to ensure the managers properly issue the employees a
        60-day notification letter providing them an opportunity to improve their performance,
        make a timely determination on releasing or denying a within-grade pay increase, and
        properly carry out the requirements necessary to support the decision made. (short-term)
12-29   Establish procedures for HR specialists to track and monitor supervisory actions taken for    Reviews by management at the
        employees with less than fully successful ratings that have a within-grade pay increase       functional or activity level
        due date within 90 days to include specific required steps for timely granting a within-
        grade pay increase to such employees who were not given a 60-day notification letter.
        (short-term)
12-30   Establish and document procedures for payroll staff to research and correct recycled          Accurate and timely recording of
        errors from payroll processing on a regular and timely basis. (short-term)                    transactions and events
                                            Source: GAO.




Appendix III: Comments from the Internal Revenue Service




Appendix IV: GAO Contact and Staff Acknowledgments

GAO Contact       Steven J. Sebastian, (202) 512-3406 or sebastians@gao.gov

Staff             In addition to the contact named above, the following individuals made
Acknowledgments   major contributions to this report: William J. Cordrey, Assistant Director;
                  Crystal Alfred; Ray B. Bush; Sunny Chang; Stephanie Chen; Jeremy
                  Choi; Nina Crocker; Doreen Eng; Charles Fox; Ted Hu; Tuan Lam;
                  Delores Lee; Jenny Li; Cynthia Ma; Joshua Marcus; Marc Oestreicher;
                  Julie Phillips; James Rinaldi; John Sawyer; Christopher Spain; Cynthia
                  Teddleton; Lien To; LaDonna Towler; Cherry Vasquez; and Gary
                  Wiggins.




(196248)
GAO’s Mission         The Government Accountability Office, the audit, evaluation, and
                      investigative arm of Congress, exists to support Congress in meeting its
                      constitutional responsibilities and to help improve the performance and
                      accountability of the federal government for the American people. GAO
                      examines the use of public funds; evaluates federal programs and
                      policies; and provides analyses, recommendations, and other assistance
                      to help Congress make informed oversight, policy, and funding decisions.
                      GAO’s commitment to good government is reflected in its core values of
                      accountability, integrity, and reliability.

Obtaining Copies of   The fastest and easiest way to obtain copies of GAO documents at no
GAO Reports and       cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
Testimony             GAO posts on its website newly released reports, testimony, and
                      correspondence. To have GAO e-mail you a list of newly posted products,
                      go to www.gao.gov and select “E-mail Updates.”

Order by Phone        The price of each GAO publication reflects GAO’s actual cost of
                      production and distribution and depends on the number of pages in the
                      publication and whether the publication is printed in color or black and
                      white. Pricing and ordering information is posted on GAO’s website,
                      http://www.gao.gov/ordering.htm.
                      Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                      TDD (202) 512-2537.
                      Orders may be paid for using American Express, Discover Card,
                      MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO      Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
                      Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                      Visit GAO on the web at www.gao.gov.

To Report Fraud,      Contact:
Waste, and Abuse in   Website: www.gao.gov/fraudnet/fraudnet.htm
Federal Programs      E-mail: fraudnet@gao.gov
                      Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional         Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400,
Relations             U.S. Government Accountability Office, 441 G Street NW, Room 7125,
                      Washington, DC 20548

Public Affairs        Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
                      U.S. Government Accountability Office, 441 G Street NW, Room 7149
                      Washington, DC 20548



