GAO Examines IRS Internal Controls

In November 2012, we issued our report on the results of our audit of the financial statements of the Internal Revenue Service (IRS) as of, and for the fiscal years ending, September 30, 2012, and 2011, and on the effectiveness of its internal control over financial reporting as of September 30, 2012.¹ We also reported our conclusions on IRS's compliance with selected provisions of laws and regulations and on whether IRS's financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act of 1996. In March 2013, we issued a report on information security issues identified during our fiscal year 2012 audit, along with associated recommendations for corrective actions.²

In November 2012, we also issued our report on the results of procedures we agreed to perform for the Department of Transportation's Office of Inspector General concerning the amount of excise tax distributions made to the Airport and Airway Trust Fund and the Highway Trust Fund for the fiscal year ended September 30, 2012.³ We performed these procedures in conjunction with our fiscal year 2012 IRS financial statement audit procedures.

The purpose of this report is to present internal control deficiencies identified during our audit of IRS's fiscal year 2012 financial statements and our excise tax agreed-upon procedures work for which we did not already have outstanding recommendations. Although most of these deficiencies were not discussed in our report on the results of our fiscal year 2012 financial statement audit because they were not considered material or significant,⁴ and were not reported in our excise tax agreed-upon procedures report, they nonetheless warrant IRS management's attention. This report provides 14 recommendations to address the internal control issues we identified as part of our fiscal year 2012 IRS financial statement audit and agreed-upon procedures. This report also presents the status, as of September 30, 2012, of IRS corrective actions taken to address our 69 previous recommendations that remained open at the end of the fiscal year 2011 audit. These were detailed in a report we issued in June 2012 on the status of IRS's implementation of the recommendations from our prior IRS financial audits and related financial management reports.⁵

Results in Brief

During our audit of IRS's fiscal year 2012 financial statements, we identified the following new internal control deficiency that contributed to our continuing material weakness in internal control over unpaid tax assessments as of September 30, 2012:

• Unpaid Tax Assessments Estimation Process. IRS's controls over its process for estimating the balances of federal taxes receivable and other unpaid tax assessments were not effectively implemented to ensure the proper accounting classification and dollar amounts.⁶ This deficiency increases the risk that a material misstatement of IRS's financial statements may not be prevented, or detected and corrected, on a timely basis.

• Refunds Disbursed to Deceased Taxpayers. IRS's internal controls were not effectively designed to ensure that deceased taxpayers were timely identified in its taxpayer records and that refunds issued to deceased taxpayers were valid. These deficiencies increase IRS's risk of issuing erroneous refunds to deceased taxpayers and fraudulent refunds to identity thieves.

• Authorization of Manual Refunds. IRS's procedures were not effectively designed to ensure that those individuals allowed to approve the issuance of manual refunds were properly appointed to do so.⁷ This deficiency increases the risk that IRS may disburse erroneous or fraudulent manual refunds.

• Computer System Access Rights of Employees Handling Taxpayer Receipts. IRS's policies and procedures were not effectively designed to appropriately limit remittance perfection technicians' system access to change taxpayer account information.⁸ This deficiency increases the risk that remittance perfection technicians -- who have custody of hard-copy taxpayer receipts and taxpayer information -- could misappropriate tax payments and alter taxpayer accounts to conceal these acts.

• Cost Allocation and User Fee Classification for the Statement of Net Cost. IRS's controls were not effectively designed and implemented to ensure that IRS fully allocated costs or correctly classified all user fee exchange revenue within its Integrated Financial System, which IRS uses to prepare its Statement of Net Cost. This increases the risk of misstatement on its Statement of Net Cost.

• Recording of Obligation of Funds. IRS's policies and procedures were not effectively designed to ensure that IRS staff recorded an obligation for goods and services prior to taking delivery of them from a contractor or a performing federal agency. This increases the risk that IRS may violate the Antideficiency Act, which prohibits federal agencies from obligating or spending in excess of their available funding or accepting voluntary services. It also increases the risk that IRS managers may make operating decisions and allocate resources based on incomplete financial data.

• Excise Tax Receipt Certification Process. IRS's controls were not effectively implemented to ensure that staff properly calculated the quarterly excise tax revenues to be distributed to the Airport and Airway Trust Fund and the Highway Trust Fund. In addition, IRS's existing procedures were not operating effectively to ensure that changes it made to its methodology for calculating the amount of revenues to be distributed were concurred with by all affected parties within the Department of the Treasury (Treasury) prior to implementing the changes.⁹ These deficiencies increase the risk that the amounts IRS certifies for distribution to the trust funds and the amounts that Treasury actually distributes to the trust funds may be incorrect.

As of September 30, 2012, IRS had completed corrective action on 23 of the 69 recommendations from our prior financial audits and other financial management-related work that remained open at the beginning of the fiscal year 2012 financial audit. As a result, IRS currently has 60 recommendations that need to be addressed, which consists of the previous 46 open recommendations as well as the 14 new recommendations we are making in this report.

We provided IRS with a draft of this report and obtained its written comments. In its comments, IRS agreed with all 14 of our new recommendations and described the actions it had taken, had under way, or planned to take to address the control deficiencies described in this report. In addition to its written comments, IRS provided technical comments on a draft of this report, which we incorporated as appropriate. At the end of our discussion of each of the issues in this report, we have summarized IRS's related comments and provided our evaluation. We have reprinted IRS's comments in their entirety in enclosure II.

Scope and Methodology

This report addresses internal control deficiencies we identified during our audit of IRS's fiscal years 2012 and 2011 financial statements and during our agreed-upon procedures work concerning excise tax distributions to the Airport and Airway Trust Fund and the Highway Trust Fund. As part of our financial statement audit, we tested IRS's internal control over financial reporting.¹¹ We designed our audit procedures to test relevant controls, including those for proper authorization, execution, accounting, and reporting of transactions and for the safeguarding of assets and taxpayer information. In conducting the audit, we reviewed applicable IRS policies and procedures, observed operations, tested samples of transactions, examined relevant documents and records, and interviewed management and staff. Further details on our audit scope and methodology are provided in our November 2012 report on the results of our audit of IRS's fiscal years 2012 and 2011 financial statements.¹²

Our procedures also involved checking the accuracy of the amounts IRS certified for distribution to the Airport and Airway Trust Fund and the Highway Trust Fund and determining whether excise tax transactions recorded in IRS's systems matched supporting documents. Further details on the procedures we performed are provided in our November 2012 report on the results of our agreed-upon procedures work.¹³

We performed our audit of IRS's fiscal years 2012 and 2011 financial statements and our agreed-upon procedures engagement on excise taxes in accordance with U.S. generally accepted government auditing standards. We believe that our work provides a reasonable basis for our findings and conclusions in this report.

Unpaid Tax Assessments Estimation Process

During our fiscal year 2012 audit, we identified errors in IRS's unpaid tax assessments estimation process that its internal review procedures did not detect. Specifically, IRS made errors in determining the accounting classification and dollar amounts of individual taxpayer accounts with unpaid tax assessments that are used to derive the taxes receivable balance reported in IRS's financial statements.¹⁴ Further, these errors were not detected by IRS's supervisory review process. Because of the magnitude of these errors, this deficiency contributed to the material weakness in internal control over unpaid tax assessments that we reported in our report on the results of our audit of IRS's fiscal year 2012 financial statements.¹⁵

As we have reported in our fiscal year 2012 financial audit and in prior years, IRS does not have a detailed listing, or subsidiary ledger, that accurately tracks and accumulates unpaid tax assessments and their status on an ongoing basis. Specifically, IRS's master files are not designed to provide the accurate, complete, and timely transaction-level financial information necessary to enable IRS to reliably classify and report unpaid tax assessment balances for financial reporting.¹⁶ The amount of taxes receivable recorded in the general ledger is determined by computer programs that analyze taxpayer accounts with unpaid tax assessments and classify the accounts into various financial reporting categories in accordance with federal standards.¹⁷ However, the results of this analysis contain material inaccuracies because IRS has not written sufficient details into the classification computer programs to allow them to sort through, identify, and analyze all the relevant transaction-level information required for proper classification. Errors in IRS's manual recording of data into taxpayer accounts also contribute to the computer programs' incorrect determination of the classification and amount of unpaid tax assessments. These system limitations and manual processing errors are the primary reasons we have been reporting a long-standing material internal control weakness with respect to IRS's unpaid tax assessments.

To compensate for these deficiencies, IRS applies a statistical sampling and estimation process to the computer-generated classifications of unpaid tax assessments to estimate the dollar amounts for taxes receivable, compliance assessments, and write-offs to be included in its financial statements and related reports. As part of this compensating process, IRS selected statistical samples of taxpayer accounts from the populations of taxes receivable, compliance assessments, and write-offs as classified by its computer programs. For each sampled account, IRS compares information recorded in the taxpayer's account with various supporting documentation such as tax returns, court documents, and IRS examination files. IRS uses this information to either validate the classification and dollar amount determined by its computer programs or record adjustments to the dollar amount of sampled accounts when IRS's manual analysis of the account determines that the computer-classified amount is incorrect. IRS then statistically projects the extent of any such individual adjustments to determine the gross taxes receivable balance to be used for financial reporting. In fiscal year 2012, the process resulted in $14 billion of adjustments to arrive at the gross taxes receivable balance shown on IRS's financial statements. Because of the significance of the dollar amounts involved and the complexity of IRS's compensating estimation process, it is critical that IRS's controls are effective to help ensure the reliability of the process and the accuracy of the results.

However, our audit tests of unpaid tax assessments during this year's audit found several instances involving complex multimillion-dollar accounts in which our calculation of the sampled taxpayer account balance did not agree with IRS's calculation for the same account. Specifically, we reviewed all 86 of IRS's sampled taxpayer accounts classified as taxes receivable with balances equal to or exceeding $32 million and found errors totaling $829 million in 10 of these accounts.¹⁸ Although IRS's evaluation and calculation of each sampled taxpayer account underwent at least one level of supervisory review, IRS's review process did not identify these errors. IRS subsequently made the necessary corrections so that the errors we identified did not affect IRS's statistical projections and the resulting taxes receivable balance shown in its fiscal year 2012 financial statements.

Internal control standards require agencies to implement internal control procedures to provide reasonable assurance of the accurate and timely recording of transactions and events.¹⁹ In addition, the standards require agencies to provide qualified and continual supervision to provide reasonable assurance that internal control objectives are achieved.

The errors we identified occurred in situations involving complex transactions that necessitated certain legal and accounting interpretations in order to properly classify and value the unpaid tax assessment. While IRS has documented guidance for its staff to follow in evaluating the accounting classification and determining the dollar amounts of the sampled accounts, the guidance is not detailed or specific enough to address scenarios in which taxpayer accounts include more complex transactions. Furthermore, IRS's procedures do not require that the sampled accounts be reviewed by management officials above the unit manager, even when the cases are complex. Consequently, in the sample items for which we identified errors, neither the staff performing the account evaluations nor the supervisors reviewing the work were aware that additional factors should have been considered in determining the proper accounting classification and dollar amount of the sampled account. The lack of sufficient guidance and higher levels of management review for evaluating taxpayers accounts that include more complex transactions increases the risk that IRS staff may make errors in determining the classification and dollar amounts of unpaid tax assessments that are used in IRS's compensating statistical estimation process to derive its reported taxes receivable balance. This, in turn, increases the risk that a material misstatement of IRS's taxes receivable balance may be made and not be timely detected and corrected.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to take the following actions with respect to IRS's compensating statistical estimation process for unpaid tax assessments:

• Update the existing guidance for classifying and determining the dollar amount of individual unpaid assessments to provide additional guidance or specific procedures to follow when evaluating taxpayer accounts that involve complex legal and accounting interpretations. In updating the guidance, consider whether additional levels of management review should be performed on such complex cases.

• Provide training on the new guidance to help staff evaluate and determine the proper accounting classification and amount of unpaid tax assessments, and to help with supervisory review of the sampled taxpayer accounts.

IRS agreed with our recommendations and stated that in March 2013, it updated the guidance for classifying and determining the dollar amount of unpaid assessments to provide additional guidance for evaluating taxpayer accounts that involve complex legal and accounting interpretations and to include additional levels of review for such cases. IRS also stated it provided training on the new guidance in March 2013. If effectively implemented, IRS's actions should address the issue that gave rise to our recommendations. We will evaluate the effectiveness of IRS's actions during our audit of its fiscal year 2013 financial statements.

Refunds Disbursed to Deceased Taxpayers

During our fiscal year 2012 financial audit, we found numerous instances in which IRS erroneously disbursed invalid refunds to deceased taxpayers. Specifically, based on a selected sample of 74 refunds disbursed to deceased taxpayers during fiscal year 2012, we found that 65, or approximately 88 percent, were invalid.²⁰ For example, we found instances in which IRS issued refunds based on an improper tax form; an improper filing status; or unallowable exemptions, standard deductions, or tax credits (such as the Earned Income Tax Credit).²¹ We provided these invalid refunds to IRS for investigation and based on its review, IRS concluded that 31 of the 65 invalid refunds appeared to be the result of identity theft.

A surviving spouse or a court-appointed representative is permitted to request a tax refund on behalf of a deceased taxpayer. However, the filing process and required tax form is different after the year of death. For example, a request for a refund for a deceased taxpayer after the year of death must be claimed by filing a Form 1041, U.S. Income Tax Return for Estates and Trusts, rather than filing a Form 1040, U.S. Individual Income Tax Return.

The Social Security Administration (SSA) provides IRS with weekly updates on individual deaths. However, IRS did not have effective controls in place to reasonably ensure that this information was used to reflect the taxpayers' deceased status in its master files. At the time of our review, IRS's procedures for processing refunds to deceased taxpayers relied on the receipt of a final tax return or valid proof of death documentation for staff to manually record an indicator in the taxpayer's master file account to reflect the taxpayer's deceased status. However, until or unless IRS received such documentation validating a taxpayer's death, the taxpayer's account in the master files would show that the taxpayer was not deceased. As a result, IRS was not able to identify invalid tax returns filed against these deceased taxpayer accounts because the master files were not yet updated to reflect their deceased status. This deficiency in controls resulted in the disbursement of invalid refunds to deceased taxpayers and potentially to identity thieves.

Internal control standards state that internal controls should be designed to provide reasonable assurance regarding the prevention of or prompt detection of unauthorized use or disposition of agency assets. This includes providing reasonable assurance that invalid or fraudulent refund disbursements will be prevented or detected. The standards further state that internal controls should generally be designed to ensure that ongoing monitoring occurs in the course of normal operations. Monitoring should be performed continually and be ingrained in the agency's operations. It includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties.

Based on our findings and inquiries concerning invalid tax refunds to deceased taxpayers, IRS subsequently performed a detailed review of the status of taxpayer accounts in its master files to properly identify deceased taxpayers using the SSA information. IRS informed us that based on its review, it identified approximately 11.5 million taxpayer accounts in its master files that had not been updated to show that the taxpayers were deceased. IRS officials informed us that IRS has since recorded an identifier in the affected master file accounts of these taxpayers to indicate their deceased status in order to prevent the improper filing of tax returns and issuance of invalid refunds in the future.

Further, IRS officials stated that IRS is in the process of establishing a computer program that will routinely perform a comparison of date of death information between SSA and the master files. If there is a discrepancy, the computer program will automatically record an indicator to the taxpayer's account in the master files to reflect the deceased status. According to these officials, after the computer program is implemented, tax returns submitted using a deceased taxpayer's Social Security number will be rejected by IRS's automated tax processing system and subjected to further review. If effectively implemented, the computer program should decrease the number of invalid refunds disbursed to deceased taxpayers including those involving identity theft. We plan to review the effectiveness of the design and implementation of the new computer program during our audit of IRS's fiscal year 2013 financial statements.

Recommendation for Executive Action

We recommend that you direct the appropriate IRS officials to finalize implementation of the automated process for (1) routinely updating date of death information and deceased status in the master files using SSA data and (2) preventing automatic processing of a tax return submitted using a deceased taxpayer's Social Security number.

Agency Comments and Our Evaluation

IRS agreed with our recommendation and stated that in January 2013, it implemented programming to provide weekly updates to the master files using data on dates of death provided by the Social Security Administration. These updates cause any tax returns received under the decedent's Social Security number to undergo additional review to ensure any refund claims are appropriate. IRS's actions, if effectively implemented, should address the issue that gave rise to our recommendation. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2013 financial statements.

Authorization of Manual Refunds

During our fiscal year 2012 financial audit, we found that a program director delegated to a second official the authority to appoint individuals to approve manual refunds; however, the program director did not properly document this delegation of authority. Specifically, we found that the program director did not document the delegation of authority to the second official until after the second official had appointed 29 individuals to sign and approve manual refunds. As a result, the second official appointed these individuals without having the proper documented authority to do so.

IRS disburses most refunds to taxpayers automatically after their tax returns are posted to their master file accounts and any overpayments to IRS are identified and calculated. However, IRS's Internal Revenue Manual (IRM) requires that proposed refunds meeting certain criteria, such as those exceeding $10 million, be manually reviewed and approved before disbursement.²² IRS refers to these refunds as manual refunds. Because these manual refunds bypass most of the automated validity checks, it is important that those individuals approving such refunds be appropriately appointed and authorized to do so to reduce the risk of approving and disbursing invalid refunds.

The IRM states that heads of office, which IRS defines as executives or directors of program areas, are responsible for appointing authority to specific individuals to sign and authorize manual refunds.²³ The program executives and directors are to document these appointments on a manual refund signature authorization form and forward them to the manual refund unit located at a service center campus (SCC).²⁴ The IRM also allows a program executive or director to delegate the authority to appoint individuals to serve as approvers of manual refunds to another director or equivalent by completing a designation to act form which is to be maintained on file in the manual refund unit along with the manual refund signature authorization form.²⁵ Therefore, those who approve manual refunds must be both properly appointed and authorized.

According to the IRM, before processing a manual refund, the manual refund unit is required to verify that the individual who signed and approved the manual refund is authorized to do so by comparing the signature on the manual refund to the signature authorization form. However, at the time of our review IRS did not require the manual refund unit to review the designation to act form where applicable to ensure that the person approving the manual refund had been properly appointed. We found that the manual refund unit at one SCC accepted the manual refund signature authorization forms for 29 individuals to serve as manual refund approvers without a proper designation to act form attached or on file. These 29 individuals had all been appointed by the same delegated official; however, the program director did not sign the designation to act form delegating authority to the second official until after the official had appointed the 29 individuals.

Internal control standards state that transactions and other significant events should be authorized and executed only by persons acting in the scope of their authority to provide reasonable assurance that only valid transactions are authorized, approved, and processed. Authorizations should be clearly communicated to managers and employees.²⁶ The lack of policies and procedures for ensuring proper delegation of authority for IRS officials appointing individuals to approve manual refunds diminishes the effectiveness of IRS's internal controls over manual refunds, and increases the risk that erroneous or potentially fraudulent refunds may be disbursed.

In January 2013, IRS revised its IRM to require the manual refund unit to ensure that a designation to act form is submitted with the signature authorization form when it is signed by a delegated official, and to review each designation to act form to ensure that the designation date is prior to the signature authorization form's approval date.²⁷ We will assess the effectiveness of IRS's revised policy during our fiscal year 2013 audit.

Recommendation for Executive Action

We recommend that you direct the appropriate IRS officials to implement the policies and procedures that require the manual refund unit to verify that (1) any manual refund signature authorization forms that are signed by a delegated official are accompanied by a designation to act form, and (2) the designation to act form is dated prior to the approval date on the manual refund signature authorization form.

Agency Comments and Our Evaluation

IRS agreed with our recommendation and stated that, in January 2013, it updated the IRM to require the manual refund unit to verify (1) any manual refund signature authorization forms that are signed by a delegated official are accompanied by a designation to act form, and (2) the designation to act form is dated prior to the approval date on the manual refund signature authorization form. IRS's actions, if effectively implemented, should address the issue that gave rise to our recommendation. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2013 financial statements.

Computer System Access Rights of Employees Handling Taxpayer Receipts

During our fiscal year 2012 audit, we found that IRS did not appropriately limit the computer access rights of certain employees who had custody of hard-copy receipts and sensitive information from taxpayers.²⁸ Specifically, we found that remittance perfection technicians at all three SCCs we visited who had custody of hard-copy taxpayer receipts and taxpayer information were also provided unrestricted access to the Integrated Data Retrieval System (IDRS) which can be used to alter taxpayer accounts.²⁹

Remittance perfection technicians at SCCs are responsible for researching taxpayer receipts that are unaccompanied by supporting documents such as tax returns, vouchers, or other instructions needed to ensure that the receipts are credited to the proper taxpayer, tax period, and tax class. To obtain the information needed to process these taxpayer receipts, remittance perfection technicians need limited access to IDRS to allow them to research taxpayer account information. However, we found that remittance perfection technicians instead had unrestricted access to IDRS. Such unrestricted access could also allow them to make unauthorized changes in IDRS to (1) adjust a taxpayer's account balance, (2) change the status of a tax module or taxpayer's account, or (3) change a taxpayer's liability.

We have found similar issues in prior year audits. For example, during our fiscal year 2007 audit, we found that IRS did not always appropriately restrict sensitive IDRS command codes from taxpayer assistance center employees who had the authority to accept cash payments from taxpayers.³⁰ In addition, during our fiscal year 2011 audit, we found that clerks in the campus support unit had the ability to make adjustments to taxpayer accounts through IDRS while also maintaining physical possession of hard-copy receipts in the course of their payment processing duties.³¹ In each of these cases, IRS responded to our findings by updating the IRM and implementing controls to restrict the level of IDRS access for these specific types of employees, but did not undertake a global review of the level of IDRS access provided to all employees who handle hard-copy taxpayer receipts and related sensitive information to ensure their level of IDRS access was appropriate. Consequently, we continue to find classes of employees who both handle hard-copy taxpayer receipts and have the access rights in IDRS to alter taxpayer accounts.

The IRM identifies certain employee groups, such as revenue agents and employees responsible for accepting cash payments, that are to be restricted from having access to sensitive IDRS command codes based on the nature of their work and the risks involved, and provides a list of specific codes that should be restricted from their IDRS profiles.³² However, at the time of our visits to the SCCs, the IRM did not address any required access restrictions for remittance perfection technicians. In response to our finding, IRS updated the IRM in August 2012 to restrict remittance perfection technicians from having access to all sensitive command codes.³³ However, we found that IRS had not performed a risk assessment to determine the appropriate level of IDRS access required by remittance perfection technicians prior to revising the IRM. Consequently, IRS management later informed us that there were instances where some remittance perfection technicians needed access to certain sensitive command codes as part of their normal job duties, but the IRM did not provide for such exceptions. Further, while IRS updated the IRM, it had not established controls to prevent remittance perfection technicians from gaining access to restricted command codes not needed to perform their assigned duties.

Internal control standards require controls to protect systems from inappropriate access. Internal control standards also require restrictions that only allow users access to functions that they need to perform their duties. No one individual should have access to a system that allows him or her to both cause and conceal an error or irregularity by controlling certain key aspects of a transaction or event.³⁴ Without (1) an understanding of the risks posed by allowing remittance perfection technicians to have access to sensitive IDRS command codes or (2) controls that prevent remittance technicians from gaining access to prohibited command codes, IRS cannot be assured that it has properly limited remittance perfection technicians' access to IDRS. This, in turn, increases the risk that remittance perfection technicians could misappropriate tax payments and alter taxpayer accounts to conceal these acts.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to take the following actions:

• Perform a risk assessment to determine the appropriate level of IDRS access that should be granted to employee groups that handle hard-copy taxpayer receipts and related sensitive taxpayer information as part of their job responsibilities.

• Based on the results of the risk assessment, update the IRM accordingly to specify the appropriate level of IDRS access that should be allowed for (1) remittance perfection technicians and (2) all other employee groups with IDRS access that handle hard-copy taxpayer receipts and related sensitive information as part of their job responsibilities.

• Establish procedures to implement the updated IRM, including required steps to follow to prevent (1) remittance perfection technicians and (2) all other employee groups that handle hard-copy taxpayer receipts and related sensitive information as part of their job responsibilities from gaining access to command codes not required as part of their designated job duties.

IRS agreed with our recommendations and stated that by October 2014, it will perform a risk assessment to determine the appropriate level of IDRS access that should be granted to employees who handle hard-copy taxpayer receipts and related sensitive taxpayer information. IRS also stated that by December 2015, it will update the IRM to specify the appropriate levels of IDRS access based on the risk assessment results, evaluate existing controls that prevent employees from gaining access to command codes not required for their job duties, and establish additional procedures as necessary. IRS's actions, if effectively implemented, should address the issue that gave rise to our recommendations. We will evaluate the effectiveness of IRS's efforts during future audits of IRS's financial statements.

Cost Allocation and User Fee Classification for the Statement of Net Cost

During our fiscal year 2012 financial audit, we found that IRS did not fully allocate costs or correctly classify user fees within its Integrated Financial System (IFS), which IRS uses to prepare its Statement of Net Cost.³⁵ The Statement of Net Cost, one of the basic federal financial statements, is designed to show the net cost of operations for the reporting entity as a whole, by major program. Certain costs, such as the salaries of staff members who work directly for those programs, are easily identified by program. However, many costs, such as costs of rent and facilities, technology support, and payroll operations, support multiple programs and must therefore be allocated in order to fairly report all relevant program costs on the Statement of Net Cost.

IRS uses a combination of monthly automated and manual processes to collect and prepare cost data, including over 600 computerized commands to allocate indirect costs to its direct business units.³⁶ To help ensure that all costs were properly allocated, IRS cost accountants are required to run and review edit checks within IFS to detect any support costs that were not allocated to the direct business units. If any unallocated costs remain, the cost accountants are to design and execute additional actions to allocate them. The cost accountants then run a report that IRS uses either to verify that all costs were allocated as intended or, if they were not, to take additional action as needed to allocate the remaining unallocated costs.

User fees do not go through the allocation process. Instead, they are classified on the Statement of Net Cost by major program based on the functional area (for example, Media and Publications or Submission Processing) to which they are assigned.³⁷ Consequently, the accurate classification of user fees on the Statement of Net Cost depends, in part, on IRS staff assigning the correct functional area codes in IFS when posting user fee transactions.

In our review of IRS's draft Statement of Net Cost, we noted the following two instances in which costs were not fully allocated or user fees were incorrectly classified.

• IRS did not allocate about $2.3 million of costs to any of the direct business units during the year-end cost allocation process as required. This occurred because two controls did not detect these unallocated costs. First, an edit check showed zero unallocated costs remained because IRS erroneously included a revenue account in the cost allocation process that when offset against the $2.3 million of unallocated costs, resulted in a $0 net balance. Had the revenue account not been included to erroneously offset the unallocated costs, the edit check would have identified the problem. Second, IRS staff ran a report at the end of the allocation that showed that there were unallocated costs remaining, but IRS staff were unaware that any unallocated costs existed until we brought this issue to their attention. IRS staff informed us that although they had reviewed the report, which they call the Presentation 1.1 report, they did not notice the unallocated costs during their review.³⁸ IRS's written procedures require reviewing this report to compare total costs to the trial balance and other financial reports, but do not require reviewing it to verify that all indirect costs were allocated to the direct business units. Because the total costs on the report included the $2.3 million of unallocated costs, IRS's total costs still reconciled. IRS should have allocated these costs to the Criminal Investigation Division; by not doing so, this resulted in that business unit's total costs being understated. Nevertheless, because the $2.3 million of unallocated costs was aligned with IRS's compliance program, for which Criminal Investigation Division costs are also aligned, no adjustment to the Statement of Net Cost was necessary. However, had the unallocated costs aligned to a different program, IRS's program costs reported on its Statement of Net Cost would have been misstated.

• IRS did not correctly classify Special Enrollment Exam User Fee revenue collected during at least the first 6 months of fiscal year 2012. Specifically, we reviewed IRS's user fee classifications as of March 31, 2012, and found almost $123,000 of the nearly $159,000 collected to date from this user fee was assigned an incorrect accounting code. This occurred because staff from IRS's Office of Cost Accounting changed the functional area code assigned to the user fee but did not notify staff from the Debt Collection Unit, who record user fee transactions, of the change. IRS did not have procedures requiring that Debt Collection Unit staff be timely notified of any changes to assigned codes. Consequently, the error went undetected until August 2012. This error caused Compliance program revenues to be understated and Taxpayer Assistance and Education program revenues to be overstated by over $122,000. IRS corrected the error so that it did not affect its year-end Statement of Net Cost.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to take the following actions:

• Establish and implement written procedures to ensure that only costs are included in the cost allocation process.

• Revise existing procedures to require staff responsible for monitoring the cost allocation to review the Presentation 1.1 report to determine if costs were fully allocated to the direct business units and if not, to allocate the remaining costs.

• Establish and implement written procedures to require that the Office of Cost Accounting inform the Debt Collection Unit of any changes to assigned functional area codes to be used for posting user fee transactions in IFS.

IRS agreed with our recommendations and stated that by June 2013, it will establish and implement written procedures to ensure that only costs are included in the cost allocation process, and will revise existing procedures to require the review of Presentation 1.1 to include identifying that all costs are fully allocated. Additionally, IRS stated it revised its User Fee procedures in November 2012 to require timely notification to the Debt Collection Unit of any changes to the functional area codes and established a procedure to provide a functional area certification listing to the Debt Collection Unit annually. IRS's actions, if effectively implemented, should address the issue that gave rise to our recommendations. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2013 financial statements.

Recording of Obligation of Funds

During our fiscal year 2012 financial audit, we found that IRS did not always record an obligation for goods or services in its accounting system prior to taking delivery of them from a contractor or a performing federal agency.⁴⁰ The Antideficiency Act prohibits federal employees from making or authorizing an obligation or expenditure in excess of the appropriated funds available or from accepting voluntary services.⁴¹ Federal agencies are required to properly record a valid obligation, which serves, in part, to help ensure compliance with the Antideficiency Act.

During our testing of a statistical sample of 86 nonpayroll expenses, we identified seven instances in which IRS did not record an obligation in IFS prior to taking delivery of services from a contractor or a performing federal agency.⁴² In four of these instances, IRS began receiving services from contractors before recording an obligation in IFS. In the three remaining instances, IRS received services from a performing federal agency and paid for those services before recording an obligation in IFS. Failure to record an obligation prior to taking delivery of services increases IRS's risk that it will not have sufficient funds available to pay the contractor or the performing federal agency and thereby increases IRS's risk of violating the Antideficiency Act. However, IRS did not have a policy requiring staff to record an obligation before receiving goods or services.

Internal control standards state that transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from the initiation and authorization through its final classification in summary records. The standards further state that program managers need both operational and financial data to determine whether they are meeting their agencies' strategic and annual performance plans and meeting their goals for accountability for effective and efficient use of resources. Financial information is required to develop financial statements and, on a day-today basis, to make operating decisions and allocate resources.⁴³ Recording obligations after taking delivery of goods and services increases the risk that managers may make operating decisions and allocate resources based on incomplete financial data.

Recommendation for Executive Action

We recommend that you direct the appropriate IRS officials to establish and implement written policies or procedures that require the agency to record the obligation of funds when a contract or agreement is entered into and prior to taking delivery of goods or services.

Agency Comments and Our Evaluation

IRS agreed with our recommendation and stated that by August 2013, it will update its policies and procedures to require staff to timely record the obligation of funds. IRS's actions, if effectively implemented, should address the issue that gave rise to our recommendation. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2013 financial statements.

Excise Tax Receipt Certification Process

During fiscal year 2012, we found that IRS made errors in calculating and certifying the amount of quarterly excise tax revenues to be distributed to the Airport and Airway Trust Fund (AATF) and the Highway Trust Fund (HTF), which are administered by the Department of Transportation (Transportation). IRS and other components of Treasury are responsible for collecting and distributing excise tax receipts to these government trust funds. Specifically, Treasury's Office of Tax Analysis (OTA) prepares semimonthly estimates of the amount of excise taxes that should be distributed to the trust funds based on historical IRS certification data and actual total current excise tax revenue collections. Treasury's Financial Management Service uses these estimates to make initial distributions to the trust funds. Subsequent to this initial distribution, IRS certifies quarterly the amounts that should have been distributed to the trust funds based on the tax returns it received, and the Financial Management Service then adjusts the initial distributions to match the certified amount. Consequently, IRS plays a critical role in this process by determining and certifying the amount of excise tax collections that should be distributed to the trust funds each quarter. In addition, IRS must effectively coordinate with the other Treasury agencies that are involved in order to ensure that correct amounts are distributed to the trust funds. Transportation relies on Treasury's procedures and controls to ensure that these billions of dollars in excise taxes are appropriately distributed.

For fiscal year 2012, the HTF received about $42.5 billion in excise tax revenues and the AATF received about $12.5 billion. However, in reviewing IRS's excise tax certifications to these trust funds for fiscal year 2012, we found the following.

• Errors in excise tax calculations. IRS staff made multiple errors in calculating the excise tax amounts certified to the trust funds that were not detected by supervisory reviews. For example, for the quarter ended March 31, 2012, IRS added $138 million in kerosene credits to the amount certified to the HTF when it should have subtracted $166 million. In another example, IRS erroneously omitted $3 million in collections from its certification to the AATF for the quarter ended June 30, 2012. IRS did not identify or correct these errors until after we or Transportation officials brought them to its attention. These errors occurred in part because IRS did not provide the staff assigned responsibility for performing the excise tax certifications with any comprehensive formal training on the excise tax certification process, despite the complex combination of manual and automated procedures to be followed. Additionally, while IRS had procedures requiring supervisory review of its excise tax certifications and documented that the reviews were performed, the reviewers did not detect the errors we found.

• Lack of concurrence with change in methodology. IRS made a significant procedural change without documenting agreement with the various agencies involved within Treasury. Specifically, IRS accelerated the recognition of heavy vehicle use taxes in its certification to the HTF by 3 months. IRS officials stated that they made this change to better match the availability of information needed to classify this type of tax. According to IRS, it had discussed the change with OTA and obtained its concurrence before implementation. However, IRS did not document this concurrence and OTA did not adjust its calculations accordingly, which could have resulted in Treasury erroneously transferring about $800 million more than it should to the HTF during the fourth quarter of fiscal year 2012. Because we brought this to IRS's and OTA's attention before the transfers occurred, there was no effect on excise tax distributions to the HTF for fiscal year 2012. IRS subsequently changed its procedures for certifying heavy vehicle use taxes back to the previous approach.

Recommendations for Executive Action

We recommend that you direct the appropriate IRS officials to take the following actions:

• Develop and implement a formal training program for staff assigned to perform and review excise tax certifications, including a comprehensive step-by-step description of the excise tax certification process.

• Review existing supervisory review procedures to identify and implement additional needed actions to better ensure that certification errors do not continue to go undetected.

• Develop and implement written procedures requiring IRS to obtain documented concurrence from the other Treasury agencies involved in the excise tax collection and distribution process of any changes affecting how IRS calculates the amount of excise taxes it certifies to trust funds before IRS implements the change to its excise tax certification process.

IRS agreed with our recommendations and stated that by May 2013, it will develop and implement formal training for all staff assigned to prepare and review excise tax certifications and implement expanded certification check sheets to enable a more comprehensive supervisory review. Additionally, IRS stated that by January 2014, it will update the IRM to require the agency to obtain documented concurrence from affected Treasury organizations before implementing any changes to how IRS calculates the amount of excise taxes it certifies to the trust funds. IRS's actions, if effectively implemented, should address the issue that gave rise to our recommendations. We will evaluate the effectiveness of IRS's efforts during our audit of IRS's fiscal year 2013 financial statements.

Status of Open Recommendations

IRS has continued to work to address many of the control deficiencies related to open recommendations from our prior financial audits and other financial management-related work.⁴⁵ At the beginning of our fiscal year 2012 financial audit, there were 69 recommendations to improve IRS's financial operations and internal controls from prior year audits that we reported as open in our status of recommendations report issued in June 2012.⁴⁶ In the course of performing our fiscal year 2012 financial audit, we identified numerous actions IRS took to address many of its previously identified control deficiencies. On the basis of IRS's actions, which we were able to substantiate through our audit, we are closing 23 of these recommendations. Consequently, a total of 60 financial management-related recommendations need to be addressed -- 46 remaining from our prior years' audits and the 14 new recommendations we are making in this report. See enclosure I for more details on our assessment of the status of IRS's actions to address our prior year recommendations.

This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on these recommendations. You should submit your statement to the Senate Committee on Homeland Security and Governmental Affairs and to the House Committee on Oversight and Government Reform within 60 days of the date of this report. A written statement must also be sent to the House and Senate Committees on Appropriations with the agency's first request for appropriations made more than 60 days after the date of this report. Furthermore, to ensure that GAO has accurate, up-to-date information on the status of your agency's actions on our recommendations, we request that you also provide us with a copy of your agency's statement of actions taken on open recommendations. Please send your statement of actions to me or Doreen Eng, Assistant Director, at engd@gao.gov.

This report is intended for use by the management of IRS. We are sending copies to the Chairmen and Ranking Members of the Senate Committee on Appropriations; Senate Committee on Finance; Senate Committee on Homeland Security and Governmental Affairs; House Committee on Appropriations; House Committee on Ways and Means; and House Committee on Oversight and Government Reform, and to the Chairman and Vice-Chairman of the Senate Joint Committee on Taxation. We are also sending copies to the Secretary of the Treasury, the Acting Director of the Office of Management and Budget, and the Chairman of the IRS Oversight Board. In addition, the report is available at no charge on GAO's website at http://www.gao.gov.

We acknowledge and appreciate the cooperation and assistance provided by IRS officials and staff during our audits of IRS's fiscal years 2012 and 2011 financial statements. Please contact me at (202) 512-9377 or clarkce@gao.gov if you or your staff have any questions concerning this report. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in enclosure III.

I am writing in response to the Government Accountability Office (GAO) draft report titled Management Report: Improvements Are Needed to Enhance the IRS's Internal Controls (GAO-13-420R). We are pleased that GAO acknowledged our progress in addressing our financial management challenges and agreed to close 23 prior year financial management recommendations. We continue to make significant progress in addressing internal control deficiencies and financial management as evidenced by 13 consecutive years of clean audit opinions on our financial statements.

During fiscal year 2012, IRS strengthened controls over information security, refund disbursements, and release of federal tax liens. The enclosed response addresses each of your recommendations.

We are committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. If you have any questions, please contact me, or a member of your staff may contact Pamela LaRue, Chief Financial Officer, at (202) 622-6400.

The following individuals made major contributions to this report: William J. Cordrey, Assistant Director; Doreen Eng, Assistant Director; Joshua Marcus, Auditor-in-Charge; Crystal Alfred; Sharon Byrd; Stephanie Chen; Nina Crocker; Melanie Darnell; Ryan Guthrie; Ted Hu; Tuan Lam; Delores Lee; Jenny Li; John Sawyer; Christopher Spain; Sunny Stanley; Chevalier Strong; and Gary Wiggins.

GAO's Mission

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's website (www.gao.gov). Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to www.gao.gov and select "E-mail Updates."

Order by Phone

The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's website, http://www.gao.gov/ordering.htm.

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537.

Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO

Connect with GAO on Facebook, Flickr, Twitter, and YouTube.

Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.

Visit GAO on the web at www.gao.gov.

To Report Fraud, Waste, and Abuse in Federal Programs

Contact: