oversight

Internal Revenue Service: Results of Fiscal Year 1998 Financial Statement Audit

Published by the Government Accountability Office on 1999-03-01.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Government Management,
                          Information and Technology, Committee on Government
                          Reform, House of Representatives


For Release on Delivery
Expected at
10 a.m.
                          INTERNAL REVENUE
Monday,
March 1, 1999             SERVICE

                          Results of Fiscal Year 1998
                          Financial Statement Audit
                          Statement of Gregory D. Kutz
                          Associate Director, Governmentwide Accounting and
                          Financial Management Issues
                          Accounting and Information Management Division




GAO/T-AIMD-99-103
    Mr. Chairman and Members of the Subcommittee:

    We are pleased to be here today to discuss the results of our audit of the
    Internal Revenue Service’s (IRS) fiscal year 1998 financial statements, for
    which we are issuing our report today.1 IRS’ financial statements are
    important to the federal government because they report on the nearly
    $1.8 trillion in federal tax revenues, $151 billion in tax refunds, and
    $26 billion in net taxes receivable—referred to as IRS’ custodial activities.
    They also report on IRS’ activities associated with its fiscal year 1998
    appropriations of nearly $8 billion—referred to as IRS’ administrative
    activities.

    The results of our fiscal year 1998 financial audit reveal that serious
    internal control and financial management issues continue to plague the
    agency. Pervasive weaknesses in the design and operation of IRS’ financial
    management systems, accounting procedures, documentation,
    recordkeeping, and internal controls, including computer security
    controls, prevented IRS from reliably reporting on the results of its
    administrative activities. In contrast, IRS was able to report reliably on the
    results of its custodial activities for fiscal year 1998, including tax revenue
    received, tax refunds disbursed, and taxes receivable due from the public.
    This was the second year we have been able to render an unqualified
    opinion with respect to IRS’ financial reporting of its custodial activities.
    This achievement, however, required extensive, costly, and
    time-consuming ad hoc procedures to overcome pervasive internal control
    and systems weaknesses.

    IRS’ major accounting, reporting, and internal control deficiencies include
    the following:

•   an inadequate financial reporting process that resulted in IRS’ inability to
    reliably prepare several of the required principal financial statements and
    financial management systems that do not comply with the requirements
    of the Federal Financial Management Improvement Act (FFMIA) of 1996;
•   the lack of a subsidiary ledger to properly manage taxes receivable and
    other unpaid assessments, resulting in instances of both taxpayer burden
    and lost revenue to the government;
•   deficiencies in preventive controls over tax refunds that have permitted
    the disbursement of millions of dollars of fraudulent refunds;



    1
     See Financial Audit: IRS’ Fiscal Year 1998 Financial Statements (GAO/AIMD-99-75, March 1, 1999).



    Page 1                                                                        GAO/T-AIMD-99-103
•   vulnerabilities in controls over tax receipts and taxpayer data that
    increase the government’s and the taxpayers’ risk of loss or inappropriate
    disclosure of sensitive taxpayer data;
•   a failure to reconcile its fund balance to Treasury records during fiscal
    year 1998 and an inability to provide assurance that its budgetary
    resources are being properly accounted for, reported, and controlled;
•   the inability to properly safeguard or reliably report its property and
    equipment; and
•   vulnerabilities in computer security that may allow unauthorized
    individuals to access, alter, or abuse proprietary IRS programs and data and
    taxpayer information.

    Most of these issues have plagued IRS since we began auditing the agency’s
    financial statements in fiscal year 1992, first under the authority of the
    Chief Financial Officer’s Act of 1990 and later under the authority of the
    Government Management Reform Act of 1994. Since our first audit, we
    have issued reports containing numerous recommendations to assist IRS in
    correcting these deficiencies. IRS has had some success in addressing these
    issues, most notably in the area of computer security, where management
    has taken an aggressive, hands-on approach to fully understanding these
    issues and addressing them. In other instances, IRS has been able to
    compensate for some of these deficiencies through ad hoc computer
    programming and substantial manual intervention to derive reliable
    year-end information on its custodial revenue collection activities.
    However, this continues to be an interim measure and does not provide
    the necessary reliable information on an ongoing basis to assist in
    decision-making.

    Many of these problems will take years to fully correct. They represent
    serious agencywide financial and other management challenges that will
    require a substantial commitment of resources, time, effort, and expertise
    to correct. Others, while serious issues, can be effectively addressed in the
    near term through a concerted effort on the part of IRS management. In IRS’
    response to our audit, the agency has acknowledged the issues raised in
    our audit and has pledged to take the corrective actions needed to resolve
    these serious internal control and financial management issues.

    I would now like to summarize the major issues identified in our fiscal
    year 1998 audit, several of which directly affected our opinions on IRS’
    fiscal year 1998 financial statements.




    Page 2                                                      GAO/T-AIMD-99-103
                             IRS does not have internal controls over its financial reporting process
IRS’ Financial               adequate to provide reasonable assurance that its principal financial
Reporting Controls           statements are reliable. As a result, IRS (1) was unable to prepare reliable
Are Inadequate and Its       statements of net cost, changes in net position, budgetary resources, and
                             financing and (2) could not support material amounts reported on its
Financial                    balance sheet, including fund balance with Treasury, accounts payable,
Management Systems           and net position. In addition, we found that property and equipment is
                             likely to be materially understated. We found that
Do Not Comply With
FFMIA                    •   the custodial and administrative general ledger systems which support the
                             principal financial statements are not in conformance with the U.S.
                             Government Standard General Ledger (SGL)2 at the transaction level and
                             do not provide a complete audit trail for recorded transactions,
                         •   material balances reported on IRS’ principal financial statements are not
                             supported by detailed subsidiary records, and
                         •   IRS’ principal financial statements are not subject to management oversight
                             adequate to provide reasonable assurance that significant errors and
                             omissions are identified and corrected before the principal financial
                             statements are issued.

                             In an effort to overcome these deficiencies, IRS employs a costly, labor
                             intensive, and time-consuming process involving extensive and complex
                             analysis and ad hoc procedures to assist in preparing its principal financial
                             statements. IRS continues to utilize specialized computer programs to
                             extract information from databases underlying the administrative and
                             custodial general ledgers to derive and/or support amounts to be reported
                             in the principal financial statements. For example, IRS must use this
                             process to identify the portion of its unpaid assessments that represent
                             taxes receivable for financial reporting purposes. However, as in fiscal
                             year 1997, the amounts produced by this approach needed material audit
                             adjustments totaling tens of billions of dollars to produce reliable balances
                             for custodial activities. With respect to IRS’ administrative activities, this
                             approach was unsuccessful in producing reliable balances.

                             In addition, IRS’ basic approach was designed specifically for the narrowly
                             defined purpose of preparing auditable balances at year-end only. This
                             mechanism is not capable of producing reliable agencywide principal
                             financial statements or financial performance information to measure
                             results throughout the year as a management tool, which is standard
                             practice in private industry and some federal entities.

                             2
                              The SGL establishes the general ledger account structure for federal agencies as well as the rules for
                             agencies to follow in recording financial events.



                             Page 3                                                                           GAO/T-AIMD-99-103
We also found that IRS’ previously separate financial reporting processes
for its custodial and administrative activities3 have not been integrated
under unified supervision at the operational level. This unnecessarily
complicates IRS’ year-end financial reporting process and hampers efforts
to provide interim IRS-wide financial information as a management tool.

IRS’ complex and often manual financial reporting process requires
extensive technical computer and accounting expertise and is highly
vulnerable to human error. It is therefore critical that this process be
adequately staffed and supervised and be subject to adequate management
oversight at each stage as balances and disclosures are developed.
However, IRS’ financial reporting process often lacked these basic controls.
For example, during fiscal year 1998, key personnel with responsibilities
for financial systems and reporting on IRS’ administrative activities left IRS
and had not been replaced by year-end. Consequently, IRS was compelled
to attempt to prepare its financial statements without the necessary staff.
This occurred at the same time as the implementation of new federal
accounting and reporting requirements that required IRS to prepare four
new financial statements. In addition, throughout the process, we found
numerous errors and omissions in financial reporting documentation as
well as in the draft financial statements themselves, which likely would
have been caught and corrected had these records been appropriately
reviewed by management.

In our previous audit,4 we reported that IRS’ custodial financial
management systems did not substantially comply with Federal Financial
Management Systems Requirements (FFMSR),5 federal accounting
standards, and the SGL at the transaction level, which are the core
requirements of FFMIA. During fiscal year 1998, we found that this
condition continued and that IRS’ administrative financial management
systems also had significant problems. IRS (1) cannot reliably prepare four
of the six principal financial statements required by the Office of

3
 During fiscal year 1998, IRS combined the financial reporting of its administrative and custodial
activities, which had previously been reported and audited separately, into a single set of principal
financial statements. We audited the administrative and custodial activities through fiscal year 1996
and audited the custodial activities in fiscal year 1997. The fiscal year 1997 results of IRS
administrative activities were audited by the Department of the Treasury Office of Inspector General.
See Internal Revenue Service Accountability Report, Fiscal Year 1997, Department of the Treasury
(March 1998).
4
 See Financial Audit: Examination of IRS’ Fiscal Year 1997 Custodial Financial Statements
(GAO/AIMD-98-77, February 26, 1998).
5
 FFMSR are a series of requirements produced by the Joint Financial Management Improvement
Program to improve federal financial management through uniform requirements for financial
information, financial systems, and financial organization.



Page 4                                                                          GAO/T-AIMD-99-103
                        Management and Budget, which prescribes the form and content of federal
                        financial statements, (2) does not have a general ledger(s) that conforms
                        to the SGL, (3) lacks a subsidiary ledger for its unpaid assessments,
                        accounts payable, and undelivered orders, and (4) lacks an effective audit
                        trail from its general ledgers back to subsidiary detailed records and
                        transaction source documents.

                        In addition, IRS does not consistently capture costs as required by federal
                        accounting standards to permit it to (1) routinely prepare reliable
                        cost-based performance measures for inclusion in the management
                        discussion and analysis that accompanies its principal financial statements
                        or (2) prepare the information to be included in its annual performance
                        plan as required by the Government Performance and Results Act (GPRA)
                        of 1993. This deficiency also renders IRS unable to include reliable
                        cost-based performance information in its budget submission to Congress.


                        As we have previously reported,6 IRS does not have a subsidiary ledger
IRS Continues to Lack   which tracks and accumulates unpaid assessments and their status7 on an
a Subsidiary Ledger     ongoing basis, the absence of which adversely affects its ability to
and Adequate            effectively manage and accurately report unpaid assessments. To
                        compensate for this, IRS runs computer programs against its master
Supporting              files—the only detailed record of taxpayer information it maintains—to
Documentation for       identify, extract, and classify the universe of unpaid assessments for
                        financial reporting purposes. However, this approach is only designed for
Unpaid Assessments      the limited purpose of allowing IRS to report auditable financial statement
                        totals at year-end and is not an adequate substitute for a reliable subsidiary
                        ledger which provides an accurate outstanding balance for each taxpayer
                        on an ongoing basis. Additionally, this approach still resulted in the need
                        for tens of billions of dollars of audit adjustments to IRS’ principal financial
                        statements to correct duplicate or otherwise misstated unpaid assessment
                        balances identified by our testing.



                        6
                         See GAO/AIMD-98-77, February 26, 1998.
                        7
                         Unpaid assessments consist of (1) taxes due from taxpayers for which IRS can support the existence
                        of a receivable through taxpayer agreement or a favorable court ruling (federal taxes receivable),
                        (2) compliance assessments where neither the taxpayer nor the court has affirmed that the amounts
                        are owed, and (3) write-offs, which represent unpaid assessments for which IRS does not expect
                        further collections due to factors such as the taxpayer’s death, bankruptcy, or insolvency. Of these
                        three classifications of unpaid assessments, only federal taxes receivable are reported on the principal
                        financial statements. As of September 30, 1998, IRS reported $26 billion (net of an allowance for
                        doubtful accounts of $55 billion), $22 billion, and $119 billion in these three categories, respectively.
                        See the attachment to this statement for a graphic breakdown of IRS’ balance of unpaid assessments at
                        September 30, 1998.



                        Page 5                                                                           GAO/T-AIMD-99-103
                      Without the information an effective subsidiary ledger should provide, IRS
                      cannot ensure that payments and assessments are promptly posted to the
                      appropriate taxpayer accounts. We found in our statistical sample of
                      unpaid assessments that this problem resulted in inaccurate taxpayer
                      account balances and led IRS to pursue collection efforts against taxpayers
                      who had already paid their taxes in full. In addition, in our sample we
                      found that IRS inappropriately issued refunds to taxpayers with
                      outstanding tax assessment balances.

                      We previously reported that IRS had significant problems locating
                      supporting documentation for unpaid assessment transactions. To address
                      this issue, we worked closely with IRS and identified various forms of
                      documentation to support these items, and we requested these documents
                      in performing our fiscal year 1998 testing. While we did note some
                      improvement, we continued to find that IRS experienced difficulties in
                      providing supporting documentation. The lack of adequate supporting
                      documentation made it difficult to assess the classification and
                      collectibility of unpaid assessments reported in the principal financial
                      statements as federal taxes receivable and may make it difficult for IRS to
                      readily identify and focus collection efforts.


                      As in prior years, we continued to find that IRS does not have sufficient
Vulnerabilities in    preventive controls over refunds to reduce to an acceptable level the risk
Controls Over         that inappropriate payments for tax refunds will be disbursed.
Refunds Continue to   Inappropriate refund payments continued to be issued in fiscal year 1998
                      due to (1) IRS comparing the information on tax returns and third party
Exist                 data such as W-2s (Wage and Tax Statement) too late to identify and
                      correct discrepancies between these documents, (2) significant levels of
                      invalid Earned Income Tax Credit (EITC) claims, and (3) deficiencies in
                      controls that allowed duplicate refunds to be issued. We also found
                      instances of erroneous refunds being issued as a result of errors or delays
                      in posting assessments to taxpayer accounts. Errors and posting delays
                      such as these impair IRS’ ability to effectively offset refunds due taxpayers
                      against amounts owed by the same taxpayers on another account.

                      Although IRS has detective (post-refund) controls in place, the lack of
                      sufficient preventive controls exposes the government to potentially
                      significant losses due to inappropriate disbursements for refunds.
                      According to IRS’ records, IRS investigators identified over $17 million in
                      alleged fraudulent refunds that had been disbursed during the first 9
                      months of calendar year 1998 and prevented the disbursement of an



                      Page 6                                                       GAO/T-AIMD-99-103
additional $65 million in alleged fraudulent refund claims. During calendar
year 1997, IRS’ records indicate that intervention by IRS investigators
prevented the disbursement of additional alleged fraudulent refund claims
totaling over $1.5 billion. However, the full magnitude of invalid refunds
disbursed by IRS is unknown.

In addition, rates of invalid EITC claims have historically been high.8 During
fiscal year 1998, IRS reported that it processed EITC claims totaling over
$29 billion, including over $23 billion (79 percent) in refunds.9 In an effort
to minimize losses due to invalid EITC claims, IRS electronically screens tax
returns claiming EITC to identify those exhibiting characteristics
considered indicative of potentially questionable claims based on past
experience and then selects those claims considered most likely to be
invalid for detailed examination. During fiscal year 1998, IRS examiners
reviewed over 290,000 tax returns claiming $662 million in EITC of which
$448 million (68 percent) was found to be invalid. These examinations are
an important control mechanism for detecting questionable claims and
providing a deterrent to future invalid claims. However, because
examinations are often performed after any related refunds are disbursed,
they cannot substitute for effective preventive controls designed to
identify invalid claims before refunds are disbursed.

In fiscal year 1998, IRS began implementing a 5-year EITC compliance
initiative intended to expand customer service to increase taxpayers’
awareness of their rights and responsibilities related to EITC, strengthen
enforcement of EITC requirements, and enhance research into the sources
of EITC noncompliance. However, most of IRS’ efforts under that initiative
had not progressed far enough at the time we completed our audit for us
to make any judgment about their effectiveness.

While we were able to substantiate the amounts of refunds disbursed as
reported on IRS’ fiscal year 1998 principal financial statements, IRS
nevertheless lacks effective preventive controls to minimize its
vulnerability to payment of inappropriate refunds. Once an inappropriate
refund has been disbursed, IRS is compelled to expend both the time and
expense to attempt to recover it, with dubious prospects of success.




8
 High-Risk Series: An Update (GAO/HR-99-1, January 1999) and Major Management Challenges and
Program Risks: Department of the Treasury (GAO/OCG-99-14, January 1999).
9
 EITC claims do not always result in refunds. They may also reduce tax assessments.



Page 7                                                                        GAO/T-AIMD-99-103
                       As we have previously reported,10 IRS’ controls over cash, checks, and
Physical Security      related hardcopy taxpayer data it manually receives from taxpayers are
Over Manual Tax        not adequate to reduce to an acceptably low level the risk that these
Receipts and           payments will not be properly credited to taxpayer accounts and
                       deposited in the Treasury or that proprietary taxpayer information will not
Taxpayer Information   be properly safeguarded. Strong physical security is critical to ensure that
Is Inadequate          receipts are not lost or stolen or that sensitive taxpayer data are not
                       compromised, and is thus critical to IRS’ customer service goals.

                       However, we found that (1) unattended checks and tax returns were often
                       stored in open and easily accessible areas, (2) hundreds of millions of
                       dollars of receipts in the form of checks, and in one case cash, were
                       transported from IRS field offices to financial institutions by unarmed
                       couriers who often used unmarked civilian vehicles including, in one
                       instance, a bicycle, and (3) individuals were hired and entrusted with
                       access to cash, checks, and sensitive taxpayer data before completion of
                       background or fingerprint checks. This problem is particularly acute
                       during peak filing season when IRS typically hires thousands of temporary
                       employees. IRS’ investigations of 80 thefts at service centers between
                       January 1995 and July 1997 found that 15 percent of these were committed
                       by individuals who had previous arrest records or convictions that were
                       not identified prior to their employment. At commercial lockbox banks IRS
                       contracts with to process tax receipts, we found similar weaknesses,
                       including the use of unarmed couriers and the hiring of temporary
                       employees before background checks are completed.

                       In fiscal years 1997 and 1998, IRS identified 56 actual or alleged cases of
                       employee theft of receipts at IRS field offices and lockbox banks totaling
                       about $1 million. An additional 100 cases were opened during the period in
                       which the amount potentially stolen was not quantified. Further, the
                       magnitude of thefts not identified by IRS is unknown. The weaknesses we
                       identified also expose taxpayers to increased risk of losses due to financial
                       crimes committed by individuals who inappropriately gain access to
                       confidential information entrusted to IRS. For example, this information —
                       which includes names, addresses, social security and bank account
                       numbers, and details of financial holdings —may be used to commit
                       identity fraud. Although receipts and taxpayer information will always be
                       vulnerable to theft, IRS has a responsibility to protect the government and
                       taxpayers from such losses.

                       10
                        See Internal Revenue Service: Physical Security Over Taxpayer Receipts and Data Needs
                       Improvement (GAO/AIMD-99-15, November 30, 1998); Internal Revenue Service: Immediate and
                       Long-Term Actions Needed to Improve Financial Management (GAO/AIMD-99-16, October 30, 1998);
                       and GAO/AIMD-98-77, February 26, 1998.



                       Page 8                                                                   GAO/T-AIMD-99-103
                            Throughout fiscal year 1998, IRS did not reconcile its administrative fund
IRS Did Not Reconcile       balance with Treasury accounts. Such reconciliations are required by
Its Fund Balance With       Treasury policy and are analogous to companies or individuals reconciling
Treasury                    their checkbooks to monthly bank statements.

                            When in January 1999, IRS’ contractor provided what it considered to be
                            reconciliations of IRS’ Treasury fund balance for the 12 months of fiscal
                            year 1998, we found

                        •   amounts on the reconciliations for Treasury and IRS balances did not agree
                            with Treasury and IRS records and
                        •   reconciling items listed on the reconciliations were not investigated and
                            resolved.

                            Similarly, IRS has not been investigating and resolving amounts in its
                            administrative suspense accounts. As of September 30, 1998, IRS had items
                            totaling a net credit balance of over $100 million in its fund balance with
                            Treasury suspense account, including some items dating back to 1989
                            appropriations.

                            The lack of timely, thorough reconciliations makes it difficult if not
                            impossible for IRS to determine if operating funds have been properly
                            spent or if reported amounts for operating expenses, assets, and liabilities
                            are reliable. Without performing such reconciliations, IRS has no assurance
                            that its fund balance with Treasury is accurate. The lack of appropriate
                            reconciliations also impacts IRS’ ability to ensure that it complies with the
                            law governing the use of its budget authority. Because this fundamental
                            internal control was not followed, we were unable to conclude whether
                            IRS’ fund balance with Treasury account was reliable at September 30,
                            1998. Additionally, we were unable to test to determine whether IRS had
                            complied with the Anti-Deficiency Act, as amended.


                            As we have reported in prior year audits,11 IRS’ controls over its property
Controls Over               and equipment (P&E) records are not adequate to ensure that these records
Property and                provide a complete and reliable record of P&E assets. Without current and
Equipment Are               accurate records, IRS cannot ensure that the P&E items it owns are not lost
                            or stolen, that new purchases of equipment are appropriately capitalized in
Deficient                   its accounting records, or that related principal financial statement
                            balances are reliable.

                            11
                             Financial Audit: Examination of IRS’ Fiscal Year 1996 Administrative Financial Statements
                            (GAO/AIMD-97-89, August 29, 1997).



                            Page 9                                                                        GAO/T-AIMD-99-103
IRS does not have policies and procedures in place to ensure that material
P&E  are recorded in IRS’ financial statements. For example, IRS’ computer
systems information shows substantial funding available and used for
computer systems, such as mainframe consolidation and a new receipts
processing system. IRS’ computer systems information also shows
evidence of contractor services related to design, plans, and specifications
for computer hardware and software projects—costs required to be
capitalized under federal accounting standards. Finally, IRS’ financial
records show equipment-related expenses of $339 million in fiscal year
1998.

Although this significant P&E activity occurred, only about $30 million was
recognized as P&E additions in fiscal year 1998. We also saw evidence of
substantial unrecorded capital expenditures in fiscal year 1997. These
problems are compounded by IRS’ use of a $50,000 minimum financial
statement cost capitalization threshold, which is permitted by Treasury
policy. This amount far exceeds the cost of most of the P&E items IRS
purchases and results in a material distortion of IRS’ reported P&E in its
financial statements. Based on assets included in IRS’ property systems, we
found that $1.2 billion, or 69 percent of IRS’ gross P&E, was not included as
property and equipment in the financial statements because of the use of
this threshold to capitalize P&E assets. Consequently, P&E balances are
likely to be materially understated.

In addition to the P&E completeness problem, IRS’ policies and procedures
for recording P&E transactions impede its ability to reconcile the general
ledger to related P&E subsidiary records. IRS’ field offices record individual
property acquisitions and dispositions on site throughout the year.
However, IRS’ accounting system expenses property purchases during the
year, then records adjustments at year-end to reflect P&E dispositions and
to move property purchases from expenses to P&E based on field office
subsidiary records. As a result, IRS has no assurance that the amounts it
records in its general ledger and underlying P&E subsidiary systems,
respectively, are complete and agree with each other. IRS is compelled to
manually adjust the general ledger at year-end to force it to agree with its
P&E subsidiary records.


However, the reliability of these subsidiary P&E records is highly
questionable. In many cases, the items in the records that we selected for
testing could not be located by IRS, including a Chevrolet Blazer motor
vehicle and a laser printer costing over $300,000. Additionally, a significant
number of items that we selected from the floor of IRS’ field offices were



Page 10                                                      GAO/T-AIMD-99-103
                    not included in IRS’ detailed property records. Physical inventories we
                    observed being performed by IRS personnel at two IRS field offices
                    produced similar results. We also found instances where different IRS field
                    offices had recorded substantially identical items at significantly different
                    costs.

                    These discrepancies and reported problems reflect weaknesses in IRS
                    property management controls that impair its ability to ensure that P&E are
                    used only in accordance with IRS policy and that related records are
                    accurate. It is important to note that IRS has itself reported deficiencies in
                    its property management controls for the last 17 consecutive years.


                    IRS places extensive reliance on its computer information systems to
Controls Over       perform basic functions, such as processing tax returns, maintaining
Computer Security   sensitive taxpayer data, calculating interest and penalties, and generating
Are Inadequate      refunds. Consequently, weaknesses in controls over its computer
                    information systems could render IRS unable to perform these vital
                    functions or result in the unauthorized disclosure, modification, or
                    destruction of taxpayer data. In December 1998, we reported that while
                    significant weaknesses in computer information controls remain, IRS had
                    made significant progress in improving its computer security.12 For
                    example, IRS has centralized responsibility for its security and privacy
                    issues in its Office of Systems Standards and Evaluation. This Office is
                    implementing a servicewide security program to manage risk and has led
                    IRS’ efforts in mitigating about 75 percent of the weaknesses identified in
                    one of our previous reports.13

                    Serious weaknesses, however, continue to exist in (1) security program
                    management, (2) access control, (3) application software development and
                    change controls, (4) system software, (5) segregation of duties, and
                    (6) service continuity. Continued weaknesses in these areas can allow
                    unauthorized individuals access to critical hardware and software where
                    they may intentionally or inadvertently add, alter, or delete sensitive data
                    or programs. Such individuals can also obtain personal taxpayer
                    information and use it to commit financial crimes in the taxpayers’ name
                    (identity fraud), such as fraudulently establishing credit, running up debts,
                    and taking over and depleting banks accounts.

                    12
                     IRS Systems Security: Although Significant Improvements Made, Tax Processing Operations and
                    Data Still at Serious Risk (GAO/AIMD-99-38, December 14, 1998).
                    13
                     See IRS Systems Security: Tax Processing Operations and Data Still at Risk Due to Serious
                    Weaknesses (GAO/AIMD-97-49, April 8, 1997).



                    Page 11                                                                       GAO/T-AIMD-99-103
                         IRS continues to be plagued by serious internal control and systems
Significant Efforts      deficiencies that hinder its ability to achieve lasting financial management
Will Be Needed to        improvements. IRS has acknowledged the issues and concerns identified in
Resolve IRS’ Financial   our fiscal year 1998 audit and the Commissioner and Deputy
                         Commissioner of Operations have pledged their commitment to
Management Issues        addressing these long-standing issues. IRS already has a number of
                         initiatives underway to try to address continued weaknesses with respect
                         to its unpaid assessments. Additionally, significant progress continues to
                         be made on the serious computer security issues we have reported for
                         several years.

                         Most recently, IRS has established a corrective action team under the
                         direction of the Chief Financial Officer to formulate a detailed plan for
                         addressing the issues identified in our audit. IRS expects to complete the
                         formulation of this plan by March 31, 1999. IRS also plans to bring in
                         outside experts to assist its staff in resolving the issues relating to its
                         administrative operations. IRS has stated that while its financial
                         management systems were not designed to meet current systems and
                         financial reporting standards, it is in the process of planning and
                         implementing interim solutions until enhanced systems are available over
                         the next several years.

                         We have assisted IRS in formulating corrective actions to address its
                         serious internal control and financial management issues by providing
                         numerous recommendations over the years. We will continue to provide
                         such assistance as necessary as IRS faces its significant financial and other
                         management challenges. We recognize that IRS’ financial management
                         systems were not designed to meet current systems and financial reporting
                         standards, that these problems did not occur overnight, and that the task
                         ahead of IRS to fully correct its systems-related deficiencies will take years
                         to achieve. We do, however, believe that serious internal control issues
                         can be addressed in the near term through a dedicated effort on the part of
                         IRS management.


                         We realize that IRS’ ability to successfully meet the financial management
                         challenges it faces must be balanced with the competing demands placed
                         on its resources by its customer service and tax law compliance
                         responsibilities. However, it is critical that IRS rise to the challenges posed
                         by these financial management issues, because its success in achieving all
                         aspects of its strategic objectives depends in part upon reliable financial
                         management information and effective internal controls. It is also
                         important to recognize that several of the financial management issues we



                         Page 12                                                       GAO/T-AIMD-99-103
have raised in our financial audits directly or indirectly affect IRS’ ability to
meet its customer service and tax law compliance responsibilities.

Mr. Chairman, this concludes my prepared statement. I would be pleased
to answer any questions.




Page 13                                                        GAO/T-AIMD-99-103
Attachment

Components of IRS’ $222 Billion of Unpaid
Assessments (Dollars in Billions)



                                        11% •                       Taxes Receivable - Collectible
                                                                    ($26)




                                                25% •               Taxes Receivable - Uncollectible
                     54%                                            ($55)
                       •


                                           10% •                    Compliance Assessments ($22)




                                                                    Write-offs ($119)




               Note: Excludes over $20 billion of duplicate assessments and errors.




(919360)       Page 14                                                                   GAO/T-AIMD-99-103
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order
made out to the Superintendent of Documents, when
necessary. VISA and MasterCard credit cards are accepted, also.
Orders for 100 or more copies to be mailed to a single address
are discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any
list from the past 30 days, please call (202) 512-6000 using a
touchtone phone. A recorded menu will provide information on
how to obtain these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with "info" in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov




PRINTED ON    RECYCLED PAPER
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested