oversight

Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting

Published by the Government Accountability Office on 2019-05-09.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

441 G St. N.W.
Washington, DC 20548



May 9, 2019

The Honorable Charles P. Rettig
Commissioner of Internal Revenue

Management Report: Improvements Are Needed to Enhance the Internal Revenue
Service’s Internal Control over Financial Reporting

Dear Mr. Rettig:

On November 9, 2018, we issued our report on our audit of the Internal Revenue Service’s
(IRS) fiscal years 2018 and 2017 financial statements, which included our opinion that although
controls could be improved, IRS maintained, in all material respects, effective internal control
over financial reporting as of September 30, 2018. 1 In that report, we identified two significant
deficiencies in internal control over financial reporting related to (1) unpaid assessments and
(2) financial reporting systems. 2 The purpose of this report is to present continuing and new
control deficiencies that we identified during our fiscal year 2018 testing of IRS’s controls and
our recommendations related to these deficiencies. 3 This report also presents the status, as of
September 30, 2018, of IRS’s corrective actions to address our recommendations detailed in
our previous management reports that remained open as of September 30, 2017. 4 This report is
intended for use by IRS management.

Results in Brief

During our audit of IRS’s fiscal years 2018 and 2017 financial statements, we identified
continuing control deficiencies related to IRS’s accounting for federal taxes receivable and other
unpaid assessments that collectively represent a significant deficiency in IRS’s internal control
over unpaid tax assessments as of September 30, 2018. We also identified new control
deficiencies in IRS’s internal control over financial reporting that although not considered

1
 GAO, Financial Audit: IRS’s Fiscal Years 2018 and 2017 Financial Statements, GAO-19-150 (Washington, D.C.:
Nov. 9, 2018).
2
 A deficiency in internal control exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent, or detect and correct,
misstatements on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal
control that is less severe that a material weakness, yet important enough to merit attention be those charged with
governance. An unpaid assessment is a legally enforceable claim against a taxpayer and consists of taxes, penalties,
and interest that have not been collected or abated (i.e., the assessment reduced by IRS). Internal Revenue Manual
§ 1.34.1.2(138), Definitions (June 23, 2009).
3
 In addition to the internal control deficiencies included in this report, we plan to issue a separate report on the
information systems control deficiencies identified during our fiscal year 2018 audit, including the previously
unresolved and new issues that collectively contributed to the significant deficiency in internal control over financial
reporting systems as of September 30, 2018, along with associated new recommendations for corrective actions.
4
 GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control
over Financial Reporting, GAO-18-393R (Washington, D.C.: May 7, 2018).



Page 1                                                                      GAO-19-412R IRS Management Report
material weaknesses or significant deficiencies, nonetheless, warrant IRS management’s
attention. 5 These control deficiencies concern IRS’s

•   nationwide strategy for safeguarding taxpayer receipts and associated information,
•   physical security policies and procedures,
•   review of visitor access logs,
•   transmission of taxpayer receipts,
•   designations of unit security representatives,
•   review of automated tax refund information prior to certification for payment,
•   review of refund schedule numbers for manual refunds, and
•   review of suspicious and questionable tax returns in Examination.

In this report, we are making 12 recommendations to address these control deficiencies. These
recommendations are intended to improve IRS’s internal control over financial reporting as well
as to bring IRS into conformance with its own policies and Standards for Internal Control in the
Federal Government. 6

In addition, for six of the 32 recommendations from our prior reports related to control
deficiencies in IRS’s internal control over financial reporting, we found that IRS implemented
corrective actions during fiscal year 2018 that resolved the deficiencies, and as a result, these
recommendations were closed. We closed one additional recommendation that related to
unpaid assessments, by making a new recommendation that is better aligned with the
remaining deficiencies that collectively represent a significant deficiency in internal control over
this area as of September 30, 2018. As a result, IRS currently has 37 GAO recommendations to
address, which consist of the previous 25 remaining recommendations and the 12 new
recommendations we are making in this report. Enclosure I provides details on the status of
IRS’s actions to address the open recommendations from our prior audits.

In commenting on a draft of this report, IRS stated that it is committed to implementing
appropriate improvements to ensure that it maintains sound financial management practices.
IRS agreed with the 12 new recommendations and described planned actions to address each
recommendation. IRS’s comments are reproduced in enclosure II.

Objectives, Scope, and Methodology

Our objectives were to evaluate IRS’s internal control over financial reporting and to determine
the status of IRS’s corrective actions as of September 30, 2018, to address recommendations in




5
 A material weakness is a deficiency or combination of deficiencies, in internal control over financial reporting, such
that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be
prevented, or detected and corrected, on a timely basis.
6
 GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: September
2014), contains the internal control standards to be followed by executive agencies in establishing and maintaining
systems of internal control as required by 31 U.S.C. § 3512 (c), (d) (commonly referred to as the Federal Managers’
Financial Integrity Act).



Page 2                                                                     GAO-19-412R IRS Management Report
our prior years’ reports for which actions were not complete as of September 30, 2017. 7 This
work was performed in connection with our audit of IRS’s financial statements for the fiscal
years ended September 30, 2018, and 2017, to support our opinion on whether effective
internal control over financial reporting was maintained, in all material respects. We designed
our audit procedures to test relevant controls, including those for proper authorization,
execution, accounting, and reporting of transactions and for the safeguarding of assets and
taxpayer information. In conducting the audit, we reviewed applicable IRS policies and
procedures, observed operations, tested statistical and nonstatistical samples of transactions,
examined relevant documents and records, and interviewed IRS management and staff.

During the course of our work, we communicated our findings to IRS management. We
performed our audit in accordance with U.S. generally accepted government auditing standards.
We believe that our audit provides a reasonable basis for our findings and recommendations in
this report.

Internal Control Deficiencies Identified in Our Fiscal Year 2018 Audit

During fiscal year 2018, we identified continuing control deficiencies in IRS’s accounting for
federal taxes receivable and other unpaid assessments that collectively represent a significant
deficiency in IRS’s internal control over unpaid assessments. In addition, we identified new
control deficiencies in IRS’s internal control over financial reporting that although not considered
material weaknesses or significant deficiencies, warrant IRS management’s attention. We are
making 12 recommendations to address the control deficiencies we identified.

Accounting for Federal Taxes Receivable and Other Unpaid Assessments

We have reported a material weakness in IRS’s internal control over unpaid assessments each
year beginning with our first audit of IRS’s financial statements for fiscal year 1992. 8 This
condition was primarily due to significant limitations in the tax transaction systems IRS uses to
account for federal taxes receivable and other unpaid assessment balances, as well as other
control deficiencies that led to errors in taxpayer accounts. As a result of their limitations, the
systems were unable to provide the timely, reliable, and complete transaction-level financial
information necessary to enable IRS to classify and report unpaid assessment balances in




7
 An entity’s internal control over financial reporting is a process effected by those charged with governance,
management, and other personnel, the objectives of which are to provide reasonable assurance that (1) transactions
are properly recorded, processed, and summarized to permit the preparation of financial statements in accordance
with U.S. generally accepted accounting principles, and assets are safeguarded against loss from unauthorized
acquisition, use, or disposition, and (2) transactions are executed in accordance with provisions of applicable laws,
including those governing the use of budget authority, regulations, contracts, and grant agreements, noncompliance
with which could have a material effect on the financial statements.
8
 GAO, Financial Audit: Examination of IRS’ Fiscal Year 1992 Financial Statements, GAO/AIMD-93-2 (Washington,
D.C.: June 30, 1993).



Page 3                                                                   GAO-19-412R IRS Management Report
accordance with federal accounting standards. 9 To compensate for the system limitations and
errors in taxpayer accounts, IRS uses a complex and labor-intensive statistical process to
estimate the fiscal year-end federal taxes receivable balance, consisting of the gross taxes
receivable balance and an associated allowance for uncollectible amounts. 10 Since this process
was implemented in the 1990s, it has entailed IRS recording adjustments totaling tens of billions
of dollars to correct the effects of errors in the underlying data in order to produce an estimated
federal taxes receivable balance that was free of material misstatement at fiscal year-end. IRS
has taken positive steps over the years, including in fiscal year 2018, to address systemic
limitations and errors in taxpayer accounts and to refine the process for estimating the balance
of federal taxes receivable for financial reporting purposes. However, some of these control
deficiencies persisted, as detailed below. We also found that IRS did not clearly document
several key management decisions regarding the design and use of the estimation process,
such as its revised sampling procedures for estimating taxes receivable. IRS officials told us
that they have taken actions to address this issue, which we will review during our fiscal year
2019 audit. Based on the cumulative effects of these and other efforts, GAO no longer
considers the remaining deficiencies to represent a material weakness. However, the remaining
control deficiencies collectively are significant enough to merit attention by those charged with
governance, and therefore represent a significant deficiency in internal control over unpaid
assessments as of September 30, 2018. As a result, we closed a recommendation, by making a
new recommendation that is better aligned with the significant deficiency in internal control over
this area. 11

Condition. During our fiscal year 2018 audit, we found that IRS’s financial management
systems for tax transactions did not maintain readily available and reliable unpaid assessments
information to support appropriate financial reporting and informed management decision-
making throughout the year. Specifically, these systems continued to produce transactions with
classification inaccuracies and that lack traceability to and back from the general ledger. In
addition, taxpayer accounts continued to be adversely affected by erroneous information. For
example, as part of IRS’s process of estimating a balance of federal taxes receivable as of




9
 Federal accounting standards classify unpaid assessments into one of the following three categories for reporting
purposes: federal taxes receivable, compliance assessments, and write-offs. Federal taxes receivable are taxes due
from taxpayers for which IRS can support the existence of a receivable through, for example, taxpayer agreement or
a court ruling determining an assessment. Compliance assessments are proposed tax assessments where neither
the taxpayer (when the right to disagree or object exists) nor a court has affirmed that the amounts are owed. Write-
offs represent unpaid assessments for which IRS does not expect further collections because of factors such as the
taxpayer’s death, bankruptcy, or insolvency. Federal accounting standards require only federal taxes receivable, net
of an allowance for uncollectible taxes receivable, to be reported on the financial statements. See Statement of
Federal Financial Accounting Standards No. 7, Accounting for Revenue and Other Financing Sources and Concepts
for Reconciling Budgetary and Financial Accounting (May 10, 1996). See also Internal Revenue Manual, § 1.34.1.
10
  The estimation process has evolved over time but currently involves IRS manually testing statistical samples of
unpaid assessments extracted from its master files (the detailed records of taxpayer accounts) and extrapolating the
results to estimate the year-end balances to be reported as (1) federal taxes receivable reported in its financial
statements and in the associated Required Supplemental Information (RSI) and (2) compliance assessments and
write-offs reported in the RSI.
11
    See table 1 in enc. I, number 10-04.




Page 4                                                                   GAO-19-412R IRS Management Report
September 30, 2018, IRS identified 41 errors in its selected sample of 494 taxes receivable
account modules. 12

Criteria. Internal control standards indicate that management should design control activities to
achieve objectives and respond to risks, including designing appropriate types of control
activities for the entity’s control system, such as the proper execution of transactions, accurate
and timely recording of transactions, and controls over information processing. In addition,
management should use quality information, including relevant data obtained from reliable
internal sources in a timely manner that is reasonably free from error. Furthermore, internal
control standards state that management should remediate identified internal control
deficiencies on a timely basis. 13

Cause. IRS’s systems for tax transactions were implemented before federal accounting
standards related to accounting for tax revenues were issued in 1996. Consequently, they were
not designed to meet the standards. Since that time, IRS has made several system
enhancements; however, as of fiscal year 2018, IRS still had not sufficiently adapted its systems
for tax transactions. For example, IRS’s electronic tax records do not contain sufficient
transaction-level detail to allow subsidiary ledger classification programs to accurately identify
and analyze the relevant information required for proper classification of complex taxpayer
accounts. In addition to continued system limitations, IRS has not effectively addressed the
control deficiencies that resulted in its custodial tax processes recording errors in taxpayer
accounts.

Effect. The tax transaction systems IRS uses to account for federal taxes receivable and other
unpaid assessment balances do not provide IRS with the reliable unpaid assessment
information needed throughout the year to support informed management decision-making. In
addition, IRS is still not able to fully rely on its subsidiary ledger for systematically recording or
tracking reliable and complete taxpayer data as management originally intended. Such
inaccurate tax records also place an undue burden on taxpayers who may be compelled to
respond to IRS inquiries caused by errors in their accounts.

Recommendation for Executive Action. We recommend that the Commissioner of Internal
Revenue ensure that the appropriate IRS officials implement the necessary actions to effectively
address the two primary causes of the significant deficiency in IRS’s internal control over unpaid
assessments. These actions should (1) resolve the system limitations affecting the recording
and maintenance of reliable and appropriately classified unpaid assessments and related
taxpayer data to support timely and informed management decisions, and enable appropriate
financial reporting of unpaid assessment balances throughout the year, and
(2) identify the control deficiencies that result in significant errors in taxpayer accounts and
implement control procedures to routinely and effectively prevent, or detect and correct, such
errors. (Recommendation 19-01)




12
  A taxpayer account module is a subset of a taxpayer’s account reflecting the transactions for a specific tax year and
tax type (individual income tax, excise tax, estate and gift tax, etc.). Based on IRS’s design and evaluation of its
statistical sample of gross taxes receivable, IRS is 95 percent confident that the errors resulted in $9 billion of
adjustments to correct this balance.
13
 GAO-14-704G.




Page 5                                                                    GAO-19-412R IRS Management Report
New Internal Control Deficiencies Identified in Our Fiscal Year 2018 Audit

     Nationwide Strategy for Safeguarding Taxpayer Receipts and Associated Information

IRS has an important and demanding responsibility for safeguarding its personnel, hundreds of
billions of dollars in taxpayer receipts, and sensitive taxpayer information at its many facilities. 14
Facilities Management and Security Services (FMSS) is the IRS office that oversees the
effectiveness of physical security measures and internal controls at IRS facilities, nationwide, to
deliver a safe, secure, and optimal work environment that promotes effective tax administration.
Specifically, FMSS is responsible for designing and implementing policies and procedures,
internal controls, and security measures to control facility access and reporting incidents in and
around facilities occupied by IRS personnel.

Condition. During our fiscal year 2018 audit, we found that IRS continued to face an ongoing
management challenge in its efforts to safeguard taxpayer receipts and associated
information. 15 Specifically, we continued to find numerous deficiencies in the internal control
over physical security at various IRS facilities. While some of these are new deficiencies, as we
discuss separately in this report, many of the deficiencies we identified in previous audits
continued to exist or have resurfaced. Some examples of previously reported deficiencies that
continue to exist or have resurfaced include

•    noncompliance with policies and procedures, 16
•    weaknesses in perimeter security, 17
•    lack of required training for contractors, 18 and
•    failure to complete incident reports. 19

Criteria. Internal control serves as the first line of defense in safeguarding of assets and helps
promote effective stewardship of public resources, such as taxpayer receipts and the associated
information, and should be designed to provide reasonable assurance that the entity’s
objectives are achieved. Accordingly, internal control standards state that management should
establish an organizational structure to achieve the entity’s objectives and establish and operate

14
  As of September 2018, the IRS facility portfolio consisted of 523 buildings that house personnel and process
taxpayer receipts and sensitive taxpayer information. Taxpayer Assistance Centers were located in 364 of the
buildings, Small Business/Self-Employed had a presence in 432 of the buildings, Tax Exempt & Government Entities
had a presence in 139 buildings, and Large Business & International resided in 261 of the buildings. In addition, there
were five Submission Processing Centers, five lockbox banks, five consolidated campuses, and two computing
centers that occupied buildings in the portfolio.
15
  GAO-19-150. We have been reporting a management challenge over safeguarding taxpayer receipts and
associated information every year since our fiscal year 2008 financial audit (Financial Audit: IRS’s Fiscal Years 2008
and 2007 Financial Statements, GAO-09-119 (Washington, D.C.: Nov. 10, 2008)).
16
 GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control
over Financial Reporting, GAO-16-457R (Washington, D.C.: May 18, 2016).
17
 GAO, Management Report: Improvements Needed in IRS’s Internal Controls, GAO-07-689R (Washington, D.C.:
May 11, 2007).
18
 GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control
over Financial Reporting, GAO-15-480R (Washington, D.C.: May 29, 2015).
19
 GAO, Management Report: Improvements Needed in IRS’s Internal Controls, GAO-06-543R (Washington, D.C.:
May 12, 2006).



Page 6                                                                    GAO-19-412R IRS Management Report
activities to monitor the internal control system and evaluate the results. This includes
performing ongoing monitoring of the design and operating effectiveness of the internal control
system as part of the normal course of operations. Internal control standards also state that
management should remediate identified internal control deficiencies on a timely basis. 20

Cause. IRS does not have a formal documented strategy, which includes monitoring to
reasonably assure that physical security controls are being effectively coordinated and
implemented uniformly and consistently across all of its facilities.

Effect. Because IRS continues to have internal control deficiencies in key areas of physical
security, IRS is at an increased risk of physical threats to its employees as well as loss or theft
of taxpayer receipts or inappropriate disclosure or compromise of taxpayer information that may
occur while taxpayer receipts and information are being processed at IRS facilities.

Recommendation for Executive Action. We recommend that the Commissioner of Internal
Revenue ensure that the appropriate IRS officials document and implement a formal
comprehensive strategy to provide reasonable assurance concerning its nationwide
coordination, consistency, and accountability for internal control over key areas of physical
security. This strategy should include nationwide improvements for (1) coordinating among the
functional areas involved in physical security; (2) implementing and monitoring the effectiveness
of physical security policies, procedures, and internal controls; and (3) ongoing communication
in identifying, documenting, and taking corrective action to resolve underlying control issues that
affect IRS’s facilities. (Recommendation 19-02)

     Physical Security Policies and Procedures

IRS has security measures in place to deter and detect unauthorized entry, movement, and
activity at its facilities in order to manage the risk of physical threats to IRS employees and loss
of taxpayer receipts or inappropriate disclosure or compromise of taxpayer information.
Examples of these security measures include use of intrusion detection systems (IDS), duress
alarms, and closed-circuit television (CCTV) cameras. The IDS and duress alarms are linked to
a central security control console (CSCC) at the facilities. Accordingly, when an alarm is set off
in a facility, the CSCC is responsible for notifying a qualified first responder, as documented in
the facility’s emergency contact list. 21 In order to ensure that alarms are operational, IRS’s
FMSS contracts alarm service vendors to annually test and inspect the alarms at each facility. In
addition, IRS uses CCTV cameras to monitor activity inside and outside of its facilities,
discourage criminal or threatening behavior, and aid in investigating incidents. The images from
the CCTV cameras are recorded by a digital video recorder (DVR) to provide video monitoring
and playback.




20
 GAO-14-704G.
21
  Each IRS facility maintains an emergency contact list, which documents the proper individuals the CSCC should
contact during alarm events.



Page 7                                                                 GAO-19-412R IRS Management Report
Condition. During our fiscal year 2018 audit, we identified the following deficiencies in physical
security controls at 11 IRS facilities: 22

•     FMSS physical security specialists and security section chiefs did not maintain the
      emergency contact list at one facility;
•     IRS did not document in the Alarm Maintenance and Testing Certification Report the
      corrective actions for malfunctioning alarms identified in the annual alarm tests at two
      facilities;
•     the time recorded from the CCTV cameras was not correct at nine of the facilities;
•     the activity from three CCTV cameras was not recorded on the DVR at one facility; and
•     the DVR was not secured to prevent unauthorized tampering at one facility.

Criteria. The Internal Revenue Manual (IRM) 23 policies and procedures require FMSS
personnel to

•     maintain an emergency contact list for each facility; 24
•     synchronize the time being recorded from the CCTV cameras to an authoritative time source
      when the time difference is greater than one minute; 25 and
•     secure DVRs in locked closets accessible only to authorized individuals. 26

Internal control standards state that management should establish and implement control
activities through documented policies and perform ongoing monitoring of the operating
effectiveness of the control activities. 27

Cause. IRS did not effectively follow IRM policies and procedures that require FMSS personnel
to maintain an emergency contact list at all of its facilities. In addition, IRM policies and
procedures do not require that corrective actions for malfunctioning alarms identified in the
annual alarm tests be documented in the Alarm Maintenance and Testing Certification Report.
Further, IRS does not periodically monitor the CCTV cameras and DVRs at IRS facilities to
reasonably assure that the activity from the CCTV cameras is properly recorded at the correct
time and the DVRs are secured.

Effect. By not effectively establishing and implementing physical security policies and
procedures, IRS is at increased risk that it may not respond promptly in an emergency situation

22
  During fiscal year 2018, we performed internal control testing at one Submission Processing Center (Ogden, Utah);
eight field offices that included a Taxpayer Assistance Center or a Small Business/Self-Employed office, or both
(three in Atlanta, Georgia, and one each in Columbus, Georgia; Seattle, Washington; Olympia, Washington; Everett,
Washington; and Tacoma, Washington); one consolidated campus (Memphis, Tennessee); and one computing
center (Martinsburg, West Virginia).
23
  The IRM is IRS’s primary, official compilation of instructions that relate to IRS’s administration and operations. The
IRM is intended to ensure that IRS employees have the approved policy and guidance they need to carry out their
responsibilities in administering the tax laws or other agency obligations. IRM § 1.11.2.2, IRM Standards (Oct. 11,
2018).
24
    IRM § 10.2.14.9.2 (6a), Intrusion Detection System and Duress Alarm System Tests (Aug. 17, 2016).
25
    IRM § 10.8.1.4.3.7.1 (1b), AU-8 Time Stamps – Control Enhancements (Dec. 23, 2013).
26
    IRM § 10.2.14.9.3 (9), Closed Circuit Television (CCTV) (Aug. 17, 2016).
27
    GAO-14-704G.




Page 8                                                                     GAO-19-412R IRS Management Report
to protect its employees and facilities or detect the theft, loss, or unauthorized access to hard-
copy taxpayer receipts and associated information.

Recommendations for Executive Action. We are making the following three
recommendations to IRS:

•     The Commissioner of Internal Revenue should ensure that appropriate IRS officials
      determine the reasons staff did not consistently comply with IRS’s existing requirement for
      maintaining an emergency contact list at all of its facilities and, based on this determination,
      establish a process to enforce compliance with the requirement. (Recommendation 19-03)

•     The Commissioner of Internal Revenue should ensure that appropriate IRS officials
      establish and implement policies and procedures requiring that corrective actions be
      documented in the Alarm Maintenance and Testing Certification Report for malfunctioning
      alarms identified in the annual alarm tests. (Recommendation 19-04)

•     The Commissioner of Internal Revenue should ensure that the appropriate IRS officials
      establish and implement policies or procedures, or both, to provide reasonable assurance
      that the video surveillance systems at all IRS facilities record activity at the correct time and
      are properly secured. The policies or procedures should include periodic checks and
      adjustments, as needed, as part of the annual service and maintenance of security
      equipment and systems. (Recommendation 19-05)

      Review of Visitor Access Logs

IRS collects and maintains a significant amount of taxpayer personal and financial information
each day. Securing this sensitive information is critical in protecting taxpayers’ privacy and
preventing financial loss and damage that could result from identity theft and other financial
crimes. IRM policies and procedures require IRS to store sensitive information in secured areas
to minimize the potential for unauthorized access and utilize visitor access logs to document
and track the individuals who access these secured areas. 28

Condition. During our fiscal year 2018 audit, we found that the visitor access logs in secured
areas at certain facilities were not reviewed annually as required. 29

Criteria. IRM policies and procedures require an annual review of visitor access logs in secured
areas. 30 Internal control standards state that management should design control activities to
achieve objectives and respond to risks, including designing appropriate types of control
activities for the entity’s control system, such as physical controls over vulnerable assets and
appropriate documentation of transactions and internal control. 31




28
    IRM § 10.8.1.4.11.7(1b), PE-8Visitor Access Records (Dec. 23, 2013).
29
 We identified this issue in six facilities located in Austin, Texas; Phoenix, Arizona; Atlanta, Georgia; New Carrollton,
Maryland; New York, New York; and Ogden, Utah.
30
    IRM § 10.8.1.4.11.7 (1b), PE-8Visitor Access Records (Dec. 23, 2013).
31
    GAO-14-704G.




Page 9                                                                      GAO-19-412R IRS Management Report
Cause. While IRS requires an annual review of visitor access logs, IRM policies and procedures
do not specify (1) who is responsible for conducting the review, (2) the date by which the review
should be conducted, and (3) how the review should be documented.

Effect. By not effectively reviewing visitor access logs, IRS is at increased risk that
unauthorized individuals may access secured areas, thereby increasing the vulnerability of
sensitive taxpayer information to theft and misuse.

Recommendation for Executive Action. We recommend that the Commissioner of Internal
Revenue ensure that the appropriate IRS officials update and implement policies or procedures,
or both, to clarify (1) who is responsible for conducting the annual review of the visitor access
logs, (2) the date by which the review is to be conducted, and (3) how the review should be
documented. (Recommendation 19-06)

      Transmission of Taxpayer Receipts

IRS’s Small Business/Self-Employed (SB/SE) units receive taxpayer payments and other
documents with sensitive taxpayer information (i.e., receipts) and mail these receipts to other
IRS facilities, such as Submission Processing Centers (SPC), in transmittal packages for further
processing. 32 Each transmittal package mailed includes a transmittal form listing the receipts
being mailed. 33 IRM policies and procedures require the facilities receiving the transmittal
packages to acknowledge receipt by signing the transmittal forms and returning the forms to the
respective SB/SE locations for retention. 34 Managers in the SB/SE units perform periodic
reviews of the transmittal forms to ensure that procedures for transmitting taxpayer receipts are
properly followed.

Condition. During our fiscal year 2018 audit, we found some instances where IRS employees
did not comply with IRM policies and procedures for ensuring that transmittal forms that the
SB/SE units prepared were reviewed, acknowledged, and retained as required. Specifically,
during our visits to seven SB/SE locations, 35 we found the following:

•     transmittal forms on file at two SB/SE locations did not always have acknowledgments of
      receipts from the SPCs;
•     at one SB/SE location, transmittal forms were not retained for the minimum period as
      required; and
•     a group manager from Collection did not perform a review of the transmittal forms.




32
  During fiscal year 2018, there were 432 SB/SE units located throughout the United States and Puerto Rico. These
units are field offices that serve self-employed individuals, individual filers with certain types of nonsalary income, and
small businesses.
33
    Transmittal forms include Forms 795, Daily Report of Collection Activity, and Forms 3210, Document Transmittal.
34
  IRM § 5.1.2.4.5.1, Form 3210 and Form 795/795A Follow Up (Sept. 26, 2014), and IRM § 10.5.1.6.7.3, Shipping
(Mar. 23, 2018).
35
  During fiscal year 2018, we performed internal control testing at seven SB/SE units (three in Atlanta, Georgia, and
one each in Columbus, Georgia; Seattle, Washington; Olympia, Washington; and Tacoma, Washington), which
included six units from Collection and one unit from Examination.



Page 10                                                                     GAO-19-412R IRS Management Report
Criteria. According to IRS’s policies and procedures, SB/SE units are required to (1) follow up
with the other facilities if they do not receive acknowledgments within 14 days 36 and (2) retain
transmittal forms for a minimum of 3 years. 37 The policies and procedures also require that
SB/SE managers perform periodic reviews of the transmittal forms. 38

Cause. Management did not effectively enforce its policies and procedures for transmitting
receipts between IRS locations.

Effect. By not following existing policies and procedures concerning transmittal forms, IRS is at
increased risk that SB/SE units will not adequately track receipts sent from one IRS facility to
another, thus increasing the risk of loss, theft, and misuse of taxpayer receipts and information.

Recommendation for Executive Action. We recommend that the Commissioner of Internal
Revenue ensure that the appropriate IRS officials (1) identify the reason IRS’s policies and
procedures related to the transmittal forms were not always followed and (2) design and
implement actions to provide reasonable assurance that SB/SE units comply with these policies
and procedures. (Recommendation 19-07)

      Designations of Unit Security Representatives

Unit security representatives (USR) are responsible for maintaining security over the Integrated
Data Retrieval System (IDRS), one of the key systems IRS uses to process taxpayer data. 39
USRs monitor each IDRS user’s access codes, update user profiles for changes in access
rights, issue temporary passwords, review security reports, and take appropriate action to
address security weaknesses and breaches. USR approvals and authorizations are
documented on the IDRS Security Personnel Designation Form (USR designation form),
indicating that the employee has met the requirements to perform USR duties. 40

Condition. During our fiscal year 2018 audit, we found instances where employees were given
access to IDRS security command codes to perform USR duties even though their USR
designation forms were incomplete or they had not met all requirements to qualify to be USRs.
Specifically, during our review of USR designation forms and IRS processes for approving and
authorizing the forms, we found the following:

•     for eight employees, the USR designation forms did not indicate whether the employees met
      the requirements to be USRs;


36
    IRM § 5.1.2.4.4(2g), Procedures for Mailing Form 795/795A to Submission Processing (Jan. 24, 2012).
37
    IRM § 5.1.2.4.5.1, Form 3210 and Form 795/795A Follow Up (Sept. 26, 2014).
38
  IRM § 1.4.50.11.1(1), Remittance Control Reviews (Sept. 12, 2014); and IRM Exhibit § 1.4.50-9, Remittance
Processing Transmission Control Review Template (Mar. 21, 2013).
39
  IDRS is an IRS computer system that enables employees to research taxpayer account information; request tax
returns and account transcripts; input transactions, such as adjustments and entity changes; input collection
information for storage and processing in the system; generate notices, collection documents, and other outputs; and
initiate refund disbursements.
40
    IRM § 10.8.34.3.2.8, and IRM § 10.8.34.3.2.5(4), IDRS Security Account Administrator (Apr. 1, 2014).




Page 11                                                                   GAO-19-412R IRS Management Report
•     for 27 employees, the USR designation forms did not indicate that current background
      investigations were completed; 41
•     for two employees, their second-level managers approved the USR designation forms
      before the employees completed initial training;
•     for two employees, the USR designation forms were approved and authorized even though
      the employees had not completed annual refresher training;
•     the IDRS security account administrator authorized the USR designation form for one
      employee without verifying the authority of the individual approving the form as a second-
      level manager; and
•     the IDRS security account administrator gave one employee access to IDRS security
      command codes to perform USR duties before the USR designation form was approved and
      authorized.

Criteria. According to IRS policies and procedures, to be designated as a USR, an employee is
required to (1) have a completed background investigation, (2) complete initial USR training
prior to performing USR duties, and (3) complete refresher USR training at least annually. 42
USR designations must first be approved by a second-level or higher manager in direct chain of
command of the USR designee, and then IDRS security account administrators must authorize
the USR’s access to IDRS security command codes.

Internal control standards state that management should design control activities to achieve
objectives and respond to risks and implement control activities through policies, including
determining and documenting policies in the appropriate level of detail necessary to operate
processes based on objectives and related risks. 43

Cause. Although IRS has IRM policies and procedures requiring that employees meet certain
requirements before becoming USRs, the policies and procedures do not clearly define who is
responsible for validating the information on USR designation forms. In addition, IRS’s policies
and procedures do not specify how the information reported on the USR designation forms
should be validated (e.g., validating against the records or systems, or both, from which the
information is derived).

Effect. By not properly approving and authorizing employees to serve as USRs, IRS is at
increased risk that individuals may inappropriately access IDRS and perform unauthorized
activity, such as processing fraudulent refunds.

Recommendation for Executive Action. We recommend that the Commissioner of Internal
Revenue ensure that the appropriate IRS officials update and implement policies or procedures,
or both, to clearly define the roles and responsibilities of second-level managers and IDRS
security account administrators for validating the information on USR designation forms,
including specifying how the information should be validated. (Recommendation 19-08)




41
  The background investigation completion dates reported on the USR designation forms were more than five years
old.
42
    IRM § 10.8.34.3.2.8(6)-(7), Unit Security Representative (USR) (Apr. 1, 2014).
43
    GAO-14-704G.




Page 12                                                                    GAO-19-412R IRS Management Report
       Review of Automated Tax Refund Information Prior to Certification for Payment

In fiscal year 2018, IRS issued approximately $365 billion in automated tax refunds. IRS’s systems
generate most tax refunds automatically after taxpayers’ returns are recorded to their master file
accounts. 44 In order to disburse the tax refunds, data entry operators from the Processing
Validation Section (PVS) import the tax refund data elements from the master files into the Bureau
of the Fiscal Service’s (Fiscal Service) Secure Payment System (SPS), an automated system used
to certify tax refunds for payment. 45 Data entry operators then submit the tax refunds to the
certifying officers (CO) for certification in SPS. After the COs certify the automated tax refunds,
Fiscal Service disburses the tax refunds to the taxpayers.

Condition. During our fiscal year 2018 audit, we found that a PVS CO certified tax refunds
without effectively verifying the accuracy of the data elements. Specifically, the PVS CO certified
tax refunds in SPS even though there were some errors in the tax refund data elements, such
as the total number and amounts of tax refund payments.

Criteria. Internal control standards state that management should design control activities to
achieve objectives and respond to risks, including designing controls over information
processing, such as a review process that includes edit checks of data entered. In addition,
management should implement control activities through policies, including determining and
documenting policies in the appropriate level of detail necessary to operate the process based
on objectives and related risk. 46

Cause. While IRS’s procedures require that PVS COs review the tax refund information in SPS
before certifying the tax refunds, the procedures do not clearly specify all of the tax refund data
elements the PVS COs are required to verify for accuracy.

Effect. By allowing inaccurate tax refund data elements to be certified for payment in SPS, IRS
is at increased risk that (1) duplicate or erroneous tax refunds will be disbursed to taxpayers,
(2) tax refunds will not be disbursed to taxpayers, or (3) the disbursement of tax refunds will be
delayed.

Recommendation for Executive Action. We recommend that the Commissioner of Internal
Revenue ensure that the appropriate IRS officials update and implement procedures to clearly
specify the tax refund data elements that PVS COs are required to verify before certifying the
tax refunds in SPS. (Recommendation 19-09)

       Review of Refund Schedule Numbers for Manual Refunds

IRS’s systems generate most tax refunds automatically after taxpayers’ returns are recorded to
their master file accounts. However, IRS requires that refunds meeting certain criteria, such as

44
  Tax refunds include overpayments made by taxpayers and payments for certain tax credits, including the Earned
Income Tax Credit and the Premium Tax Credit. IRS’s master files contain detailed electronic records of taxpayer
accounts. IRS uses information in the master files for tax administration purposes and to support information
reported on its financial statements. IRS also uses the information in the master files in its interactions with
taxpayers, such as discussing account inquiries and sending notices to taxpayers.
45
  The tax refund data elements imported into SPS include the refund schedule number, total refund amount, and
number of tax refunds for each of the 10 service center campuses. The same refund schedule number can be
assigned to multiple tax refunds. PVS performs the certification process for automated tax refunds.
46
     GAO-14-704G.




Page 13                                                                GAO-19-412R IRS Management Report
those related to certain hardship conditions or those exceeding $100 million, be manually
reviewed and approved before disbursement. 47 When manual refunds are processed, they
bypass most of the system validity checks that occur with automated refunds. In fiscal year 2018,
IRS disbursed approximately $49 billion in manual refunds. When a manual refund is warranted,
IRS personnel initiate, approve, and forward manual refunds to the manual refund units in
Accounting Operations (manual refund units) at the SPCs. 48 After the manual refunds are
approved, they are assigned a refund schedule number (RSN) consisting of 14 digits. 49 For
certain manual refunds processed outside of the master files, manual refund units manually
assign the RSNs 50 and send the manual refund forms to the Data Conversion unit. 51 The key
entry operators in the Data Conversion units manually enter information from the manual
refund forms, including the RSNs, into the Integrated Submission and Remittance Processing
(ISRP) system for posting to the master files. 52

Condition. During our fiscal year 2018 audit, we found that IRS did not always properly post
RSNs to the master files. Specifically, we found instances where Data Conversion key entry
operators entered RSNs into the ISRP system that were fewer than the required 14 digits or
did not correspond to the RSNs assigned by manual refund units.

Criteria. Internal control standards state that management should design control activities to
achieve objectives and respond to risks, including designing appropriate types of control
activities for the entity’s control system, such as accurate and timely recording of transactions
and reviews by management at the functional or activity level. 53

Cause. IRS does not require a review of the manual refund information, including the RSNs
that Data Conversion key entry operators enter into the ISRP system. Further, the ISRP
system does not include a validity check to confirm that RSNs that Data Conversion key
entry operators entered have the required 14 digits.

Effect. Because manual refunds bypass most of the system validity checks that occur with
automated refunds, the risk of erroneous or fraudulent refunds being disbursed is increased.
Therefore, by not posting correct RSNs to the taxpayer account, IRS is at increased risk that it
may not be able to track tax refund payments, causing undue burdens on taxpayers.




47
 IRM § 21.4.4.3, Why Would A Manual Refund Be Needed? (Oct. 1, 2017).
48
 IRM § 3.17.79.3.2, Processing Manual Refunds (Nov. 13, 2017).
49
  IRM Exhibit § 3.17.79-4, Refund Schedule Number Format (Mar. 25, 2016). IRS uses RSNs to submit tax refund
payment information to the Fiscal Service, which then disburses the tax refund payments to taxpayers. RSNs can
also be matched to transmission records, check volume, amount, and date certified. IRM § 3.17.79.1.2(5), Refund
Types and Methods – Treasury Disbursing Bureau of the Fiscal Service (Nov. 19, 2015).
50
 IRM § 3.17.79.6.4.2, Certifying Automated Clearing House (ACH)/Direct Deposit Hardship Refunds (Oct. 4, 2017).
51
 IRM § 3.17.79.5(13), Accounting Review of Manual Refund Requests, Form 3753 (June 18, 2015).
52
  IRS uses the ISRP system to transcribe and format data from paper tax returns, documents, and vouchers so that
key entry operators in Data Conversion can post them to the master files and other systems. IRM § 3.17.79.6.1(5),
Scheduling Refunds (June 18, 2015).
53
 GAO-14-704G.




Page 14                                                                GAO-19-412R IRS Management Report
Recommendations for Executive Action. We are making the following two
recommendations to IRS:

•     The Commissioner of Internal Revenue should ensure that the appropriate IRS officials
      establish and implement a review process to provide reasonable assurance that the RSNs
      that Data Conversion key entry operators enter into the ISRP system and post to the master
      files are correct. (Recommendation 19-10)
•     The Commissioner of Internal Revenue should ensure that the appropriate IRS officials
      implement a validity check in the ISRP system to confirm that RSNs that Data Conversion
      key entry operators enter into the system have the required 14 digits.
      (Recommendation 19-11)

      Review of Suspicious and Questionable Tax Returns in Examination

During the processing of tax returns, any tax return that IRS’s systems identify as suspicious or
questionable is assigned as a case to IRS’s examination units for review. 54 Tax examiners in
the examination units work each case to validate the information reported on the tax return.
Reviewers are responsible for reviewing two cases for each tax examiner each month to ensure
the accuracy of the cases worked. 55

Condition. During our fiscal year 2018 audit, we noted that while the reviewers provided
feedback to the tax examiners about errors identified as part of their reviews, not all reviewers
followed up on whether the tax examiners had corrected the errors identified.

Criteria. Internal control standards state that management should implement control activities
through policies, including documenting in policies for each unit its responsibility for an
operational process’s objectives and related risks, and control activity design, implementation,
and operating effectiveness. Also, those in key roles for the unit may define policies through
day-to-day procedures. Procedures may include the timing of when a control activity occurs and
any follow-up corrective actions to be performed by competent personnel if deficiencies are
identified. 56

Cause. IRM policies and procedures do not require the reviewers to follow up on whether the
errors that they identified while reviewing tax examiner-prepared cases related to suspicious or
questionable tax returns have been corrected.

Effect. Because IRS does not have clear IRM policies or procedures that require the reviewers
to follow up on corrective actions made by the tax examiners on suspicious or questionable tax
returns, IRS is at increased risk that inaccurate information may be applied to taxpayer accounts
or invalid or inaccurate refunds may be disbursed.



54
   IRS uses system checks during tax returns processing to identify potential suspicious or questionable returns.
These system checks include the Return Review Program and the Dependent Database. IRS systems use internal
and external data to verify taxpayer-provided information against (1) taxpayer information from its systems, (2) child
custody information provided by the Department of Health and Human Services, (3) the dependent and child birth
information provided by the Social Security Administration, and (4) prisoner information from the National Prisoner
File to determine the validity of the claims on tax credits and refunds.
55
    Reviewers are managers or lead tax examiners.
56
    GAO-14-704G.




Page 15                                                                   GAO-19-412R IRS Management Report
Recommendation for Executive Action. We recommend that the Commissioner of Internal
Revenue ensure that the appropriate IRS officials update and implement policies or procedures,
or both, to require that reviewers follow up with tax examiners to verify the errors that tax
examiners made in working on cases related to suspicious or questionable tax returns are
corrected. (Recommendation 19-12)

Status of Prior Audit Recommendations

IRS has continued to work to address many of the control deficiencies related to open
recommendations from our prior financial audits. As of September 30, 2017, there were 32
recommendations to improve IRS’s financial operations and internal controls from prior year
audits that we reported as open in our status of recommendations in the management report
issued in May 2018. 57 During our fiscal year 2018 financial audit, we determined that IRS had
completed corrective actions to address previously identified control deficiencies for six of the
32 recommendations that remained open as of September 30, 2017. In addition, as discussed
above, based on the cumulative effects of IRS efforts over the years, we determined that the
remaining deficiencies related to unpaid assessments collectively represented a significant
deficiency, rather than a material weakness, as of September 30, 2018. As a result, we also
closed one additional recommendation that related to this area, by making a new
recommendation that is better aligned with the significant deficiency. As a result, a total of 37
recommendations need to be addressed—25 remaining from our prior years’ audits and the 12
new recommendations we are making in this report. See enclosure I for more details on our
assessment of the status of IRS’s actions to address prior audit recommendations that
remained open as of September 30, 2017.

Agency Comments

We provided a draft of this report to IRS for comment. In its comments, reproduced in enclosure
II, IRS agreed with the 12 new recommendations and described planned actions to address
each recommendation. IRS stated that it is committed to implementing appropriate
improvements to ensure that it maintains sound financial management practices. IRS’s actions,
if effectively implemented, should address the issues that gave rise to our recommendations.
We will evaluate the effectiveness of IRS’s efforts during our audit of its fiscal year 2019
financial statements.

                                            -------

This report contains recommendations to you. The head of a federal agency is required by 31
U.S.C. § 720 to submit a written statement on action taken or planned on our recommendations
to the Senate Committee on Homeland Security and Governmental Affairs, the House
Committee on Oversight and Reform, the congressional committees with jurisdiction over the
programs and activities that are the subject of our recommendations, and GAO not later than
180 days after the date of this report. A written statement must also be sent to the Senate and
House Committees on Appropriations with the agency’s first request for appropriations made
more than 180 days after the date of this report. Please send your statement of actions to me at
clarkce@gao.gov or Nina Crocker, Assistant Director, at crockern@gao.gov.




57
 GAO-18-393R.




Page 16                                                      GAO-19-412R IRS Management Report
We are sending copies of this report to the Chairmen and Ranking Members of the Senate
Committee on Appropriations, Senate Committee on Finance, Senate Committee on Homeland
Security and Governmental Affairs, House Committee on Appropriations, House Committee on
Ways and Means, and House Committee on Oversight and Reform, and to the Chairman and
Vice Chairman of the Senate Joint Committee on Taxation. We are also sending copies to the
Secretary of the Treasury, the Director of the Office of Management and Budget, and other
interested parties. In addition, the report is available at no charge on the GAO website at
http://www.gao.gov.

We acknowledge and appreciate the cooperation and assistance from IRS officials and staff
during our audit of IRS’s fiscal years 2018 and 2017 financial statements. If you or your staff
have any questions about this report, please contact me at (202) 512-9377 or clarkce@gao.gov.
Contact points for our Offices of Congressional Relations and Public Affairs may be found on
the last page of this report. GAO staff who made major contributions to this report are listed in
enclosure III.

Sincerely yours,




Cheryl E. Clark
Director
Financial Management and Assurance

Enclosures – 3




Page 17                                                     GAO-19-412R IRS Management Report
Enclosure I: Status of Recommendations from Prior Audits Reported as Open in GAO’s
2017 Management Report

Table 1 shows the status of recommendations reported as open in our 2017 management
report. 58 We will continue to evaluate the Internal Revenue Service’s actions to address
recommendations that remain open during future audits. The abbreviations used are defined in
the legend at the end of the table.

Table 1: Status of Recommendations Reported as Open in GAO’s 2017 Management Report

 ID       Recommendation per audit area                                                       Source report   Status
 Unpaid assessments
 08-06    In instances where computer programs that control penalty assessments are           GAO-08-368R     Closed
          not functioning in accordance with the intent of the IRM, take appropriate
          action to correct the programs so that they function in accordance with the
          IRM.

          Action taken:
          IRS completed an internal assessment of its penalty computation programs
          and identified 19 programming issues that caused its financial system to
          record erroneous penalty assessments in taxpayer accounts. As of
          September 30, 2018, IRS provided us with supporting documentation
          validating that it had addressed and corrected all 19 of the identified
          programming issues. IRS’s actions sufficiently address our recommendation.
 10-04    Once IRS identifies the control weaknesses that result in inaccuracies or           GAO-10-565R     Closed
          errors that materially affect the financial reporting of unpaid assessments,
          implement control procedures to routinely prevent, or to detect and correct,
          such errors.

          Action taken:
          Over the years, IRS has devoted significant resources to addressing internal
          control weaknesses that result in inaccuracies or errors and materially affect
          the financial reporting of unpaid assessments, and IRS has implemented
          control procedures to routinely prevent or detect and correct such errors.
          Specifically, IRS has taken steps to address the causes of data errors,
          including (1) enhancing its capability to accurately report balances owed that
          arise as a result of complex assessment situations and (2) implementing a
          number of quality control reviews to timely monitor, identify, and correct
          errors that affect taxpayer accounts at the transaction level. During fiscal year
          2018, IRS continued to improve internal controls over the management and
          reporting of unpaid assessments, including implementing the
          recommendations of an internal task force to address related data quality
          concerns. In addition, IRS made progress in completing its long-term
          corrective action plan for resolving these control weaknesses by employing
          several programming changes for systemically classifying unpaid
          assessments more accurately. These efforts have yielded positive results
          over the years, and the magnitude of errors identified through IRS’s unpaid
          assessments statistical estimation process has materially decreased.
          Furthermore, during our fiscal year 2018 testing of unpaid assessments, we
          did not find errors substantial enough to cause material inaccuracies in the
          reported balances. IRS’s actions sufficiently address the intent of our
          recommendation. To provide a recommendation that is better aligned with the

58
  GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control
over Financial Reporting, GAO-18-393R (Washington, D.C.: May 7, 2018).




Page 18                                                                    GAO-19-412R IRS Management Report
ID        Recommendation per audit area                                                     Source report   Status
          remaining control deficiencies in this area that represent a significant
          deficiency as of September 30, 2018, we have closed this recommendation
          and included a new recommendation in this report under Accounting for
          Federal Taxes Receivable and Other Unpaid Assessments.
17-01     Develop and implement a process to reasonably assure that IRS operating           GAO-17-454R     Open
          divisions and the IT organization effectively coordinate with the CFO
          organization when making programming changes to information systems
          affecting financial reporting.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. In July 2018,
          IRS’s IT, Strategy, and Planning organization developed a process intended
          to ensure that the operating divisions and IT and CFO organizations
          effectively coordinate when making programming changes to information
          systems affecting financial reporting. This process requires operating
          divisions to coordinate with the CFO organization to determine whether
          proposed programming changes could affect financial reporting. In addition,
          each quarter, the IT organization will provide the CFO with a list of requested
          programming changes, which allows for the CFO to review programs and flag
          those that may affect financial reporting. Any flagged programming changes
          denoted may require additional coordination between the operating divisions
          to prevent future changes from adversely affecting financial reporting. IRS
          also issued a memorandum informing the operating divisions that the CFO
          organization will be reviewing all programming changes to flag those deemed
          impactful. However, the CFO organization has not documented and finalized
          the procedures to support this coordination process.
17-02     Research and determine the reason the IT organization did not follow IRS          GAO-17-454R     Closed
          policy to thoroughly test programming changes related to the automation of
          specific penalty abatement procedures to reasonably assure that they worked
          as intended before implementation. Based on this determination, establish a
          process to better ensure compliance with existing policies for testing
          programming changes, including the use and review of the Applications
          Development transmittal checklist when developing program changes and
          retention of test results.

          Action taken:
          As of September 30, 2018, IRS’s Business Master File Office of the IT
          organization researched and determined the reasons its staff did not follow
          IRS policy to thoroughly test programming changes related to the automation
          of specific penalty abatement procedures to reasonably assure that they
          worked as intended before implementation. According to the IT organization,
          these reasons included lack of (1) clear and consistent communication
          between stakeholders, (2) compliance with existing standards and policies,
          and (3) oversight to ensure quality programming changes. Based on this
          determination, the IT organization implemented weekly stakeholder meetings,
          created additional training to increase understanding of and compliance with
          existing standards and policies, and developed a new Applications
          Development transmittal checklist for required use when developing program
          changes and ensured the retention of test results. IRS’s actions sufficiently
          address our recommendation.
18-01     Research and determine why IRS’s existing policies and procedures intended        GAO-18-393R     Open
          to timely follow up on, resolve, and record unpostable transactions were not
          fully effective in achieving these objectives.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. As of
          September 30, 2018, three of the five operating divisions involved in
          addressing this recommendation researched and determined the reasons
          that the existing policies and procedures intended for follow-up resolution and



Page 19                                                                  GAO-19-412R IRS Management Report
ID        Recommendation per audit area                                                    Source report   Status
          recording unpostable transactions were not fully effective. Based on their
          determinations, three operating divisions have taken corrective actions
          intended to resolve the identified unpostable transactions.
18-02     Based on IRS’s research and determination, design and implement the              GAO-18-393R     Open
          corrective actions necessary to reasonably assure that IRS effectively
          resolves and records unpostable transactions in a timely manner, including
          establishing clearly defined time frames in the IRM by which the IRS
          operating divisions should correct unpostable transactions and appropriate
          related oversight and review processes.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. As of
          September 30, 2018, two of the five operating divisions involved in
          addressing this recommendation designed and implemented the corrective
          actions they considered necessary to reasonably assure that IRS effectively
          resolves and records unpostable transactions in a timely manner.
Safeguarding
11-12     Based on a review of all existing contracts under $100,000 without an            GAO-11-494R     Open
          appointed contracting officer's technical representative that should require
          contract employees to obtain favorable background investigation results,
          amend those contracts to require that favorable background investigations be
          obtained for all relevant contract employees before routine, unescorted,
          unsupervised physical access to taxpayer information is granted.
          Action taken:
          IRS’s actions to address this recommendation are ongoing. IRS stated that it
          is working on identifying an approach for providing the necessary supporting
          contract documentation to close this recommendation.
11-13     Establish a policy requiring collaborative oversight between IRS’s key offices   GAO-11-494R     Open
          in determining whether potential service contracts involve routine,
          unescorted, unsupervised physical access to taxpayer information, thus
          requiring background investigations, regardless of contract award amount.
          This policy should include a process for the requiring business unit to
          communicate to the Office of Procurement and the HCO the services to be
          provided under the contract and any potential exposure of taxpayer
          information to contract employees providing the services, and for all three
          units to (1) evaluate the risk of exposure of taxpayer information prior to
          finalizing and awarding the contract and (2) ensure that the final contract
          requires favorable background investigations, as applicable, commensurate
          with the assessed risk.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. IRS stated that
          during fiscal year 2019, several internal organizations plan to partner to
          identify the remaining actions needed to address this recommendation.
          Proposed actions include refining policies and procedures to ensure that
          (1) oversight between IRS’s key offices is conducted to determine whether
          potential service awards that IRS enters into involve routine, unescorted,
          unsupervised physical access to taxpayer information by contractors, thus
          requiring background investigations, and (2) the resulting processes clarify
          who is responsible for completing the various steps, as well as who should
          maintain documentation of the approved access determination prior to the
          contractor providing services.
11-24     Revise the post orders for the SCCs and lockbox bank security guards to          GAO-11-494R     Open
          include specific procedures for timely reporting exterior lighting outages to
          SCCs or lockbox bank facilities management. These procedures should
          specify (1) whom to contact to report lighting outages and (2) how to
          document and track lighting outages until resolved.




Page 20                                                                    GAO-19-412R IRS Management Report
ID        Recommendation per audit area                                                       Source report   Status


          Action taken:
          During fiscal year 2018, IRS completed an analysis of the campus post
          orders (i.e., Armed Security Officer (ASO) contract post orders and Federal
          Protective Services (FPS) contract post orders) and relevant IRM
          requirements to identify the actions necessary to address this
          recommendation. IRS stated that in October 2018, it updated the ASO
          contract post orders to include guidance for documenting, reporting, and
          tracking lighting deficiencies by contract guards. As it relates to the FPS
          contract post orders, IRS stated that FPS did not agree to make changes to
          address lighting outage procedures and that IRS did not have authority,
          control, or responsibility over the FPS post orders. IRS also noted that it is in
          the process of transitioning all guard service protection to FPS for all IRS
          facilities nationwide. In addition, IRS stated that by December 2019, it will
          update the IRM to reflect the necessary guidance for service center guards
          and FMSS physical security specialists to know (1) whom the guards are to
          contact to report lighting outages and (2) how lighting outages are to be
          documented and tracked until resolved.
12-10     Update the IRM to specify steps to be followed to prevent campus support            GAO-12-683R     Closed
          clerks as well as any other employees who process payments through the
          electronic check presentment system from making adjustments to taxpayer
          accounts.

          Action taken:
          In May 2016, IRS reassessed the risks at its Taxpayer Assistance Centers
          (TAC) where employees process taxpayer remittances through the electronic
          check presentment system and adjust taxpayer accounts. In January 2018,
          IRS updated the relevant IRM sections to reflect the conclusions from its risk
          assessment, including specifying the appropriate level of access allowed for
          TAC employees who process payments. IRS’s actions sufficiently address
          the intent of our recommendation.
13-05     Perform a risk assessment to determine the appropriate level of IDRS access         GAO-13-420R     Open
          that should be granted to employee groups that handle hard-copy taxpayer
          receipts and related sensitive taxpayer information as part of their job
          responsibilities.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. During fiscal year
          2018, the Large Business and International (LB&I) and the Tax Exempt and
          Government Entities (TE/GE) organizations, in coordination with the IT
          organization, performed risk assessments to determine the appropriate level
          of IDRS access that should be granted to the employees who handle hard-
          copy taxpayer receipts and related sensitive taxpayer information as part of
          their job responsibilities, and developed action plans accordingly. In addition,
          IRS stated that by October 2019, the Taxpayer Advocate Service (TAS) and
          Small Business/Self-Employed (SB/SE) organizations, in coordination with its
          IT organization, will complete a risk assessment of all employee groups that
          handle hard-copy taxpayer receipts and related sensitive taxpayer
          information to determine the most appropriate level of IDRS access. IRS also
          stated that based on the results of the assessments, these organizations plan
          to develop follow-up actions to mitigate or, where appropriate, accept the
          related risks from incompatible job duties of affected employee groups.
13-06     Based on the results of the risk assessment, update the IRM accordingly to          GAO-13-420R     Open
          specify the appropriate level of IDRS access that should be allowed for
          (1) remittance perfection technicians and (2) all other employee groups with
          IDRS access that handle hard-copy taxpayer receipts and related sensitive
          information as part of their job responsibilities.




Page 21                                                                     GAO-19-412R IRS Management Report
ID        Recommendation per audit area                                                     Source report   Status
          Action taken:
          IRS’s actions to address this recommendation are ongoing. In January 2018,
          IRS updated the IRM to reflect the conclusions from its risk assessment of
          the TACs, including specifying the appropriate level of access allowed for
          TAC employees who process payments. In addition, during fiscal year 2018,
          the LB&I organization performed a risk assessment. Based on the results, it
          revised procedures and desk guides to include specific measures that
          implement separation of duties and create limitations on the use of IDRS
          command codes. IRS stated that by October 2020, the TAS, TE/GE, and
          SB/SE organizations will work with the IT organization to ensure that the
          applicable IRM section(s) are revised for any policy changes on (1) risk
          mitigation, including specifying the appropriate level of IDRS access that
          should be allowed, and (2) risk acceptance for affected employee groups, as
          needed.
13-07     Establish procedures to implement the updated IRM, including required steps       GAO-13-420R     Open
          to follow to prevent (1) remittance perfection technicians and (2) all other
          employee groups that handle hard-copy taxpayer receipts and related
          sensitive information as part of their job responsibilities from gaining access
          to command codes not required as part of their designated job duties.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. In January 2018,
          IRS updated the IRM to reflect the conclusions from its risk assessment of
          the TACs, including specifying the appropriate level of access allowed for
          TAC employees who process payments. IRS stated that in November 2018,
          the LB&I organization developed tools to track and monitor the assignment of
          IDRS command codes, and it developed procedures for completing monthly
          validations of IDRS command codes for all users and for requiring a
          manager’s authorization prior to adding IDRS command codes to any user’s
          profile. IRS also stated that by October 2020, its TAS, TE/GE, and SB/SE
          organizations will work with the IT organization to establish procedures to
          prevent affected employees from gaining access to command codes not
          required as part of their designated job duties, as needed.
15-06     Establish a process to ensure that the requirement for unauthorized access        GAO-15-480R     Open
          awareness training is explicitly communicated to non-IRS contractors who
          have unescorted access to IRS facilities.

          Action taken:
          During fiscal year 2018, IRS took various actions to address this
          recommendation. Specifically, in July 2018, IRS established a process within
          the IRM requiring the documented completion of designated training for IRS
          contractors and non-IRS contractors before they are granted unescorted
          facility access. In August 2018, FMSS also established standard operating
          procedures to further define the roles and responsibilities related to these
          training requirements. In September 2018, FMSS communicated in an IRS
          Headline News article the rules for non-IRS contractors requesting
          unescorted access, including the requirement for unauthorized access
          awareness training. Since IRS completed these actions after we had already
          performed our fiscal year 2018 internal control testing, we will evaluate IRS’s
          actions to address this recommendation during our fiscal year 2019 audit.
15-07     Establish procedures to monitor whether non-IRS contractors with                  GAO-15-480R     Open
          unescorted physical access to IRS facilities are receiving unauthorized
          access awareness training.
          Action taken:
          In August 2018, FMSS established standard operating procedures to further
          define the roles and responsibilities related to the training requirements for
          non-IRS contractors. In addition, in September 2018, FMSS notified its
          employees of the requirements in the standard operating procedures,
          including the requirement to verify that all unescorted access requirements



Page 22                                                                   GAO-19-412R IRS Management Report
ID        Recommendation per audit area                                                     Source report   Status
          have been met before unescorted access is permitted. Since IRS completed
          these actions after we had already performed our fiscal year 2018 internal
          control testing, we will evaluate IRS’s actions to address this
          recommendation during our fiscal year 2019 audit.
15-08     Determine the reasons why staff did not consistently comply with IRS’s            GAO-15-480R     Open
          existing requirements for the final candling of receipts at SCCs and lockbox
          banks, including logging remittances found during final candling on the final
          candling log at the time of discovery, safeguarding the remittances at the time
          of discovery, transferring the remittances to the deposit unit promptly, and
          passing one envelope at a time over the light source, and based on this
          determination, establish a process to better enforce compliance with these
          requirements.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. IRS stated that
          during fiscal year 2017, it held a face-to-face meeting with Submission
          Processing executives, staff, and the Receipt and Control Operation
          managers from all five SCCs to identify and analyze the residual risks
          associated with candling at the SCCs, develop ways to mitigate those risks,
          and improve the effectiveness of the Campus Security Scorecard Review.
          IRS also stated that as a result of the meeting, it developed an action plan to
          resolve the residual risks associated with candling at the SCCs, which it
          plans to complete by December 2019.
16-02     Establish a process to prevent Employment Operations staff from allowing          GAO-16-457R     Open
          potential employees to enter on duty without favorable determinations of
          suitability by Personnel Security adjudicators.

          Action taken:
          In September 2018, IRS completed an analysis to determine what, if any,
          next steps needed to be taken to prevent Employment Operations staff from
          allowing potential employees to enter on duty without approved adjudication
          determinations. Based on its review, and the procedural revisions it made in
          August 2018 related to the determinations of suitability, IRS determined that
          no additional actions were required to address this recommendation. Since
          IRS completed these actions near the end of fiscal year 2018, we will
          evaluate IRS’s actions to address this recommendation during our fiscal year
          2019 audit.
16-03     Establish a policy and procedures requiring IRS officials to review and           GAO-16-457R     Open
          address situations in which it is later discovered that an employee deemed
          unsuitable for employment during the prescreening process was erroneously
          allowed to enter on duty.

          Action taken:
          In fiscal year 2018, IRS completed an analysis of the procedures related to
          unsuitable hires that were erroneously allowed to enter on duty, and it
          determined that the procedures needed improvement. In August 2018, IRS
          revised the procedures to include five detailed steps; timelines; and a
          decision chart, which describes the options for addressing suitability or
          conduct concerns arising out of an investigation. Since IRS revised these
          procedures near the end of fiscal year 2018, we will evaluate IRS’s actions to
          address this recommendation during our fiscal year 2019 audit.
16-04     Develop and provide training, on a recurring basis, to all FMSS specialists       GAO-16-457R     Open
          and managers involved in the duress alarm validation and testing process to
          reinforce the related policies and procedures.




Page 23                                                                   GAO-19-412R IRS Management Report
ID        Recommendation per audit area                                                      Source report   Status
          Action taken:
          During fiscal year 2018, the FMSS organization developed a mandatory
          annual training course for all physical security specialists and managers
          involved in the duress alarm validation and testing process to reinforce
          related alarm policies and procedures. In addition, in August 2018, IRS
          issued standard operating procedures to provide guidance for the notification,
          testing, and maintenance of the intrusion detection system and duress alarms
          at IRS locations. However, during our fiscal year 2018 audit, we identified an
          instance where a physical security specialist involved in the duress alarm
          validation and testing process did not complete required training. We also
          found instances where employees did not follow procedures related to the
          duress alarm validation and testing process.
17-03     Strengthen the process for reasonably assuring that the IRM is reviewed            GAO-17-454R     Open
          annually to align with the current control procedures and guidance being
          implemented by agency personnel. This should include a mechanism for
          reasonably assuring that program owner directors (1) review their respective
          program control activities and related guidance annually and timely update
          the IRM as needed, (2) document their reviews, and (3) utilize interim
          guidance and supplemental guidance correctly for their intended purposes.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. During fiscal year
          2018, the Research, Applied Analytics and Statistics organization created an
          IRM review and certification requirement to reasonably assure that all IRM
          sections are reviewed annually to align with the current control procedures
          and guidance that IRS personnel are implementing. In addition, the SB/SE
          and TE/GE organizations reviewed and analyzed the results of their
          involvement in the annual IRM certification process. Based on the results of
          their analysis, the organizations developed an action plan to allow their
          organizations to achieve substantial compliance with the requirement. IRS
          stated that by December 2019, the SB/SE and TE/GE organizations will
          complete their action plans. IRS also stated that in fiscal year 2019, the LB&I
          organization will review and analyze the results of its involvement in the
          annual IRM certification process. Based on the results of its analysis, it will
          develop an action plan that will allow the organization to achieve substantial
          compliance with the requirement.
17-05     Update the respective (1) Privacy, Governmental Liaison and Disclosure and         GAO-17-454R     Closed
          (2) CFO IRM sections related to the definition of the tax gap to align with the
          current understanding followed by IRS personnel.

          Action taken:
          In April 2017, IRS updated the CFO IRM section to align the definition of tax
          gap with the current understanding that IRS personnel follow. In addition, in
          December 2017, the Privacy, Governmental Liaison and Disclosure
          organization removed the tax gap definition from its IRM section. IRS’s
          actions sufficiently address our recommendation.
18-03     Develop and implement policies in the IRM for conducting and monitoring the        GAO-18-393R     Open
          Submission Processing internal control review. These policies should include
          or be accompanied by procedures to (1) assess and update the review
          questions and cited IRM criteria to reasonably assure they align with the
          controls under review; (2) periodically evaluate and document a review of the
          error threshold methodology to assess its current validity based on changes
          to the operating environment; (3) report findings identified in the Findings and
          Corrective Actions Report; and (4) assess and monitor (a) safeguarding of
          internal control activities across all work shifts, particularly during peak
          seasons, (b) safeguarding of internal control activities for the appropriate use
          and destruction of hard-copy taxpayer information, and (c) the results of
          relevant functional level reviews.




Page 24                                                                   GAO-19-412R IRS Management Report
ID        Recommendation per audit area                                                       Source report   Status
          Action taken:
          IRS’s actions to address this recommendation are ongoing. IRS stated that in
          fiscal year 2019, it will develop and implement policies in the IRM for
          conducting and monitoring the Submission Processing internal control
          review.
18-04     Develop and implement policies in the IRM for conducting and monitoring the         GAO-18-393R     Open
          AMC review. These policies should include or be accompanied by
          procedures for IRS management responsible for establishing policies related
          to safeguarding controls to (1) periodically monitor the results of the review;
          (2) clarify the minimum requirements for how frequently the review should be
          completed at its various facilities while considering factors that may affect the
          most appropriate timing of these reviews, such as changes in personnel,
          operational processes, or information technology; and (3) reasonably assure
          that corrective actions for all identified deficiencies are tracked until fully
          implemented.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. In August 2018,
          IRS developed and issued interim guidance establishing policy for
          (1) conducting and monitoring the AMC review, (2) review frequency by
          facility, (3) developing the Corrective Action Report, and (4) tracking the
          status of the corrective actions until fully implemented. IRS stated that by
          July 2020, it will add guidance to the applicable IRM establishing policy for
          conducting and monitoring the AMC reviews as described in the interim
          guidance.
18-05     Develop and implement policies in the IRM for conducting and monitoring the         GAO-18-393R     Open
          AEHR review. These policies should include or be accompanied by
          procedures for IRS management responsible for establishing policies related
          to safeguarding controls to (1) periodically monitor the results of the review
          and (2) reasonably assure that corrective actions for all identified deficiencies
          are tracked until fully implemented.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. In August 2018,
          IRS (1) developed and issued interim guidance establishing requirements for
          conducting the AEHR review and how it should be performed, results
          monitoring, and ensuring that corrective actions for deficiencies are tracked
          until fully implemented and (2) established standard operating procedures
          providing further clarification of the process. IRS stated that by August 2020,
          it will update the applicable IRM establishing policy for conducting the AEHR
          reviews as described in the interim guidance.
Refunds
16-07     Determine the reason(s) why staff did not always comply with IRS’s                  GAO-16-457R     Open
          established policies and procedures related to initiating, monitoring, and
          reviewing the monitoring of manual refunds and, based on this determination,
          establish a process to better enforce compliance with these requirements.

          Action taken:
          IRS stated that during the Wage and Investment (W&I) organization’s site
          visits, it determined that a major reason staff did not always comply with
          IRS’s established policies and procedures related to initiating, monitoring,
          and reviewing the monitoring of manual refunds was insufficient training
          when new managers or leads are hired. As a result, IRS said that the W&I
          organization will host monthly meetings on all campuses to focus on manual
          refund issues. According to IRS, by holding these meetings, along with its
          annual site visits, it will better ensure that the applicable guidelines are
          understood and followed. However, during our fiscal year 2018 audit, we
          identified instances where staff did not comply with IRS’s policies and



Page 25                                                                    GAO-19-412R IRS Management Report
ID        Recommendation per audit area                                                      Source report   Status
          procedures related to monitoring and reviewing the monitoring of manual
          refunds. We will continue to evaluate IRS’s actions to address this
          recommendation during our fiscal year 2019 audit.
16-08     Enhance the training program provided to COs to address all the job                GAO-16-457R     Open
          responsibilities related to certifying manual refunds for payment, including the
          required review of supporting documentation for manual refunds.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. IRS stated that in
          fiscal year 2018, it developed and provided interim training to COs on their
          roles and responsibilities related to certifying manual refunds for payment,
          including requirements to review supporting documentation. In addition, IRS
          stated that by August 2019, it plans to develop a training course for COs that
          will be provided annually.
16-10     Identify the cause of and implement a solution for dealing with the periodic       GAO-16-457R     Open
          backlogs of ICO inventory that is hampering the performance of quality
          reviews.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. IRS stated that in
          fiscal year 2019, it plans to identify the cause of and implement a solution for
          dealing with the periodic backlogs of ICO inventory.
17-06     Revise the applicable IRM sections pertaining to manual refunds to require         GAO-17-454R     Open
          employees to verify the validity of the digital signatures on the manual refund
          request forms and the manual refund signature authorization forms.

          Action taken:
          IRS’s actions to address this recommendation are ongoing. IRS stated that in
          fiscal year 2019, it plans to revise the applicable IRM sections pertaining to
          manual refunds to require that employees validate the digital signatures on
          manual refund request forms and manual refund signature authorization
          forms.
Net cost presentation
17-09     Establish and implement procedures to periodically review the process for          GAO-17-454R     Closed
          determining the intragovernmental costs and costs with the public for each
          major program reported in the notes to the financial statements to provide
          reasonable assurance that these amounts are reliable and fairly presented.

          Action taken:
          The CFO organization documented the existing procedures to periodically
          review the process for determining the intragovernmental and public costs for
          each program. These procedures will be used if OMB Circular A-136 is
          revised to reinstate the requirement to report the intragovernmental and
          public costs for each major program in the notes to the financial statements.
          IRS’s actions sufficiently address our recommendation.
Property and equipment
16-13     Establish and implement monitoring procedures designed to reasonably               GAO-16-457R     Open
          assure that the key detailed information for tangible capitalized P&E is
          properly recorded and updated in the KISAM system.

          Action taken:
          IRS established the Asset Management Program Monitoring and Review
          procedure, effective October 1, 2016, for performing quarterly sample
          reviews of IT assets in KISAM. In September 2017, IRS also revised the IRM
          to require FMSS territory managers or section chiefs to review KISAM key



Page 26                                                                   GAO-19-412R IRS Management Report
 ID         Recommendation per audit area                                                                Source report   Status
            data elements for non-IT assets to verify that they are correct and updated.
            However, during our fiscal year 2018 floor-to-book inventory testing, we
            identified exceptions where (1) a key detailed information element (e.g.,
            building code) for P&E assets was not properly recorded in KISAM and
            (2) P&E assets found on the floor did not have asset records in KISAM.
 16-14      Design a process to reasonably assure the adequacy of detailed supporting                    GAO-16-457R     Closed
            information for tangible P&E amounts recorded in the general ledger.

            Action taken:
            As of December 2017, IRS implemented an Asset Accounting Module (AAM)
            as part of the Integrated Financial System, which functions as a subsidiary
            ledger containing asset records supporting the amounts recorded in the
            general ledger for the various P&E asset classes. During our fiscal year 2018
            walk-throughs, we observed and confirmed with IRS officials that AAM had
            been fully implemented. During our interim testing, we verified that IRS
            conducts (1) reconciliations between all P&E asset balances in its general
            ledger and the AAM P&E balances and (2) reviews to reasonably assure that
            the current year tangible P&E acquisitions recorded in the general ledger are
            also recorded in AAM and KISAM. In addition, we reviewed AAM and KISAM
            asset records for tangible P&E selected during our acquisitions interim testing
            and did not identify any exceptions. IRS’s actions sufficiently address our
            recommendation.
 17-10      Provide clear guidelines as to what events constitute removal from IRS                       GAO-17-454R     Open
            premises and the disposal date that should be recorded in its inventory
            system, either through an update of the IRM or other property and
            equipment-related desk guides.

            Action taken:
            Effective April 2018, IRS established the FMSS Property and Asset
            Management Desk Guide, which contains guidelines as to what events
            constitute removal from IRS premises and the disposal date that should be
            recorded in its inventory system. However, during our fiscal year 2018 book-
            to-floor inventory testing and disposals testing, we identified exceptions
            where the disposal dates were not timely updated in KISAM.

Legend:
AEHR:     All Events History Report
AMC:      Audit Management Checklist
CFO:      Chief Financial Officer
CO:       certifying officer
FMSS:     Facilities Management and Security Services
HCO:      Human Capital Office
ICO:      Input Correction Operation
IDRS:     Integrated Data Retrieval System
IRM:      Internal Revenue Manual
IRS:      Internal Revenue Service
IT:       Information Technology
KISAM:    Knowledge, Incident/Problem, Service Asset Management
OMB:      Office of Management and Budget
P&E:      property and equipment
SCC:      service center campus
Source: GAO evaluation of the status of recommendations to IRS as of September 30, 2018. | GAO-19-412R




Page 27                                                                               GAO-19-412R IRS Management Report
Enclosure II: Comments from the Internal Revenue Service




Page 28                                              GAO-19-412R IRS Management Report
Page 29   GAO-19-412R IRS Management Report
Page 30   GAO-19-412R IRS Management Report
Page 31   GAO-19-412R IRS Management Report
Page 32   GAO-19-412R IRS Management Report
Page 33   GAO-19-412R IRS Management Report
Page 34   GAO-19-412R IRS Management Report
Enclosure III: GAO Contact and Staff Acknowledgments

GAO Contact

Cheryl E. Clark, (202) 512-9377 or clarkce@gao.gov

Staff Acknowledgments

In addition to the contact named above, the following individuals made major contributions to
this report: Nina Crocker (Assistant Director), Kareen Borhaug, Ricky Cavazos, Stephanie
Chen, Kristen Collins, Liliam Coronado, Joseph Crays, Charles Fox, Michael Reed, Kevin Scott,
Sunny Stanley, and Monasha Thompson.




(103166)




Page 35                                                   GAO-19-412R IRS Management Report
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
                         The Government Accountability Office, the audit, evaluation, and
GAO’s Mission            investigative arm of Congress, exists to support Congress in meeting its
                         constitutional responsibilities and to help improve the performance and
                         accountability of the federal government for the American people. GAO
                         examines the use of public funds; evaluates federal programs and
                         policies; and provides analyses, recommendations, and other assistance
                         to help Congress make informed oversight, policy, and funding
                         decisions. GAO’s commitment to good government is reflected in its core
                         values of accountability, integrity, and reliability.

                         The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of      cost is through GAO’s website (http://www.gao.gov). Each weekday
GAO Reports and          afternoon, GAO posts on its website newly released reports, testimony,
                         and correspondence. To have GAO e-mail you a list of newly posted
Testimony                products, go to http://www.gao.gov and select “E-mail Updates.”

Order by Phone           The price of each GAO publication reflects GAO’s actual cost of
                         production and distribution and depends on the number of pages in the
                         publication and whether the publication is printed in color or black and
                         white. Pricing and ordering information is posted on GAO’s website,
                         http://www.gao.gov/ordering.htm.
                         Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                         TDD (202) 512-2537.
                         Orders may be paid for using American Express, Discover Card,
                         MasterCard, Visa, check, or money order. Call for additional information.

                         Connect with GAO on Facebook, Flickr, LinkedIn, Twitter, and YouTube.
Connect with GAO         Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                         Visit GAO on the web at www.gao.gov and read The Watchblog.

                         Contact:
To Report Fraud,
                         Website: http://www.gao.gov/fraudnet/fraudnet.htm
Waste, and Abuse in      E-mail: fraudnet@gao.gov
Federal Programs         Automated answering system: (800) 424-5454 or (202) 512-7470

                         Orice Williams Brown, Managing Director, WilliamsO@gao.gov, (202)
Congressional            512-4400, U.S. Government Accountability Office, 441 G Street NW,
Relations                Room 7125, Washington, DC 20548

                         Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs           U.S. Government Accountability Office, 441 G Street NW, Room 7149
                         Washington, DC 20548

                         James-Christian Blockwood, Managing Director, spel@gao.gov, (202)
Strategic Planning and   512-4707
External Liaison         U.S. Government Accountability Office, 441 G Street NW, Room 7814,
                         Washington, DC 20548




                           Please Print on Recycled Paper.