HOME Tax Notes Research Federal Other Documents gao reports

IRS Needs to Improve Financial Reporting Controls, GAO Says

MAY 1, 2020

GAO-20-480R

DATED MAY 1, 2020

DOCUMENT ATTRIBUTES

Institutional Authors
Government Accountability Office
Subject Area/Tax Topics
Tax system administration
Jurisdictions
United States
Tax Analysts Document Number
2020-16962
Tax Analysts Electronic Citation
2020 TNTF 86-19

Citations: GAO-20-480R

May 1, 2020

The Honorable Charles P. Rettig
Commissioner of Internal Revenue

Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting

Dear Mr. Rettig:

On November 8, 2019, we issued our report on our audit of the Internal Revenue Service's (IRS) fiscal years 2019 and 2018 financial statements, which included our opinion that although controls could be improved, IRS maintained, in all material respects, effective internal control over financial reporting as of September 30, 2019.¹ In that report, we identified two significant deficiencies² in internal control over financial reporting related to (1) unpaid assessments and (2) financial reporting systems.³ The purpose of this report is to present new control deficiencies that we identified during our fiscal year 2019 testing of IRS's controls and our recommendations related to these deficiencies.⁴ This report also presents the status, as of September 30, 2019, of IRS's corrective actions to address our recommendations detailed in our previous management reports that remained open as of September 30, 2018.⁵ This report is intended for use by IRS management.

Results in Brief

During our audit of IRS's fiscal years 2019 and 2018 financial statements, we identified new control deficiencies in IRS's internal control over financial reporting that although not considered material weaknesses or significant deficiencies, nonetheless warrant IRS management's attention.⁶ These new control deficiencies concern IRS's

transporting taxpayer receipts,
reviewing taxpayers' accounts for duplicate refunds,
recording acceptance of goods and services, and
calculating future lease payments for non-cancellable operating leases.

In this report, we are making four recommendations to address these control deficiencies. These recommendations are intended to improve IRS's internal controls over financial reporting as well as to bring IRS into conformance with its own policies and Standards for Internal Control in the Federal Government.⁷

In addition, we found that IRS took action sufficient for us to close 11 of the 37 recommendations from our prior reports related to control deficiencies in IRS's internal control over financial reporting that remained open at the beginning of our audit. Therefore, IRS currently has 30 GAO recommendations to address, which consist of the previous 26 remaining recommendations and the four new recommendations we are making in this report. Enclosure I provides details on the status of IRS's actions to address the open recommendations from our prior audits.

In commenting on a draft of this report, IRS stated that it is committed to implementing appropriate improvements to ensure that it maintains sound financial management practices. IRS agreed with the four new recommendations and described planned actions to address each recommendation. IRS's comments are reproduced in enclosure II.

Objectives, Scope, and Methodology

Our objectives were to evaluate IRS's internal control over financial reporting and to determine the status of IRS's corrective actions as of September 30, 2019, to address recommendations in our prior years' reports for which actions were not complete as of September 30, 2018.⁸ This work was performed in connection with our audit of IRS's financial statements for the fiscal years ended September 30, 2019, and 2018, to support our opinion on whether effective internal control over financial reporting was maintained, in all material respects. We designed our audit procedures to test relevant controls, including those for proper authorization, execution, accounting, and reporting of transactions and for the safeguarding of assets and taxpayer information. In conducting the audit, we reviewed applicable IRS policies and procedures, observed operations, tested statistical and nonstatistical samples of transactions, examined relevant documents and records, and interviewed IRS management and staff.

During the course of our work, we communicated our findings to IRS management. We performed our audit in accordance with U.S. generally accepted government auditing standards. We believe that our audit provides a reasonable basis for our findings and recommendations in this report.

New Internal Control Deficiencies Identified in Our Fiscal Year 2019 Audit

During our fiscal year 2019 audit, we identified new control deficiencies in IRS's internal control over financial reporting that although not considered material weaknesses or significant deficiencies, warrant IRS management's attention. We are making four recommendations to address the control deficiencies we identified.

Transporting Taxpayer Receipts

Each year, IRS receives and processes millions of hard-copy tax returns and hundreds of billions of dollars in associated taxpayer payments (i.e., taxpayer receipts). The Receipt and Control Operation at the IRS Submission Processing Centers (SPC) is responsible for the receipt, safeguard, accuracy, and timely deposit of all hard-copy taxpayer receipts. Employees from the Receipt and Control Deposit function perform critical duties to prepare taxpayer receipts for deposit (e.g., sorting, counting, and balancing the taxpayer receipts and creating deposit tickets).⁹ IRS contracts with courier companies to transport these deposits to financial institutions. IRS policies and procedures direct each SPC to develop a courier contingency plan for use when couriers either fail to arrive at the SPC to transport deposits or have allowed required insurance to expire or in other circumstances when courier services are not available.¹⁰ Further, the policies and procedures for developing a courier contingency plan direct that staff at the manager level transport the taxpayer receipts deposits to the financial institutions.¹¹

Condition. During our fiscal year 2019 audit, we found that IRS did not maintain segregation of duties between the preparation of taxpayer receipts for deposit and the transportation of these receipts to the financial institution when courier services were not available. Specifically, while operating under a courier contingency plan because of the lapse of courier insurance, managers responsible for overseeing the taxpayer receipt deposits preparation at the SPC that we visited also transported three daily deposits to the financial institution.

Criteria. Internal control standards state that management considers segregation of duties in designing control activity responsibilities so that incompatible duties are segregated and, where such segregation is not practical, designs alternative control activities to address the risk.¹²

Cause. While IRS's policies and procedures for developing a courier contingency plan direct managers to transport the taxpayer receipt deposits to the financial institutions, the policies and procedures do not preclude these managers from also overseeing the preparation of taxpayer receipt deposits to maintain appropriate segregation of duties.¹³

Effect. By allowing managers responsible for overseeing the preparation of taxpayer receipt deposits at SPCs to also transport them to financial institutions, IRS is at an increased risk of managers circumventing internal controls designed to safeguard taxpayer receipts from potential theft.

Recommendation for Executive Action. We recommend that the Commissioner of Internal Revenue update and implement policies and procedures for developing a courier contingency plan to prohibit managers responsible for overseeing the preparation of taxpayer receipts for deposits from also transporting them to financial institutions. (Recommendation 20-01)

Reviewing Taxpayers' Accounts for Duplicate Tax Refunds

IRS's systems generate most tax refunds automatically after taxpayers' returns are recorded to their master file accounts.¹⁴ However, IRS policies and procedures state that tax refunds meeting certain criteria, such as those related to certain hardship conditions or those exceeding $100 million, be manually prepared and approved before disbursement.¹⁵ In fiscal year 2019, IRS disbursed approximately $39 billion in manual refunds. When manual refunds are processed, they bypass most of the system validity checks that occur with automated refunds. Instead, when a manual refund is warranted, a manual refund initiator (initiator) uses the Integrated Automation Technologies (IAT) tool, which simplifies manual refund processing by assisting the initiator with research and preparation of a manual refund form.¹⁶ As one of its functions, the IAT tool researches the taxpayer's account for duplicate tax refunds. If duplicate tax refund conditions are found, the IAT tool provides a warning to the initiator cautioning about the potential issuance of duplicate tax refunds on the taxpayer's account. The initiator is directed to resolve such conditions before completing and forwarding the manual refund form to a manager, or designated individual, for review and approval.¹⁷

Condition. During our fiscal year 2019 audit, we found that IRS's manual refund initiators did not always follow policies and procedures related to addressing duplicate tax refund conditions, resulting in the issuance of 18 duplicate tax refunds. Specifically, when preparing the manual refund forms, initiators bypassed the warning on the IAT tool cautioning about the potential issuance of duplicate tax refunds on the taxpayers' accounts without resolving the duplicate tax refund conditions.

Criteria. IRS's policies and procedures direct initiators to prepare manual refund forms using the IAT tool and to resolve any duplicate tax refund conditions before bypassing the related warnings on the tool and completing the forms.¹⁸

Internal control standards state that management should design control activities to achieve objectives and respond to risks, including designing appropriate types of control activities for the entity's control system, such as accurate and timely recording of transactions.¹⁹

Cause. Although IRS policies and procedures direct initiators to resolve duplicate tax refund conditions before completing manual refund forms, they do not direct initiators to document (e.g., record on the taxpayers' accounts or annotate on the related manual refund forms) the justification for bypassing the IAT tool warnings related to potential duplicate tax refunds on taxpayers' accounts. Further, the policies and procedures do not direct managers to monitor whether IAT tool warnings are bypassed by initiators and to review justifications for doing so as part of their review and approval of manual refund forms.

Effect. By allowing initiators to bypass the IAT tool warning related to potential duplicate tax refunds without documenting the justification for doing so, and without directing managers to identify instances in which the warning was bypassed and to review related justifications for doing so, IRS is at an increased risk that duplicate tax refunds will be disbursed to taxpayers.

Recommendation for Executive Action. We recommend that the Commissioner of Internal Revenue establish and implement manual refund procedures to direct (1) initiators to document (e.g., record on the taxpayers' accounts or annotate on the related manual refund forms) the justification for bypassing the IAT tool warning related to potential duplicate tax refunds on taxpayers' accounts and (2) managers to monitor whether such warnings were bypassed and review the justifications for reasonableness prior to approving manual refund forms. (Recommendation 20-02)

Recording Acceptance of Goods and Services

Receipt signifies IRS's acknowledgment that goods were received and services were rendered, while acceptance signifies that IRS assumes ownership of the goods or approves of the services rendered. IRS has documented policies and procedures for business units to follow for recording receipt and acceptance in its Integrated Financial System (IFS) to support payment to vendors. Receipt and acceptance do not always occur on the same date; however, invoices cannot be processed for payment until both have been recorded in IFS. Recording the receipt date in IFS triggers the recording of an expense and an accrued liability to the vendor. The accrued liability remains in IFS until payments are processed.

Condition. During our fiscal year 2019 audit, we identified several instances in which IRS business units did not record acceptance of goods and services within 7 calendar days of receiving a proper invoice, in accordance with IRS policies and procedures. In addition, contract requirements related to the acceptance of these goods and services did not explicitly permit an acceptance period in excess of IRS's policy.

Criteria. According to IRS policies and procedures, acceptance of goods and services should be annotated as soon as the quality assurance inspection is completed and meets contractual obligation standards, but no later than 7 calendar days after receipt of a proper invoice unless the contract specifies a longer acceptance period.²⁰ Any deviation from IRS policies and procedures related to the recording of receipt and acceptance must be annotated within the obligating documentation, clearly stating the contractual requirements for receipt and acceptance standards, as agreed to by IRS and the vendor.²¹ IRS policies and procedures also direct that the recording of the receipt and acceptance dates and the related activity should be monitored and reviewed for accuracy and timeliness.²²

Internal control standards require that agencies establish control activities that ensure management's directives are enforced and carried out.²³

Cause. Although IRS has policies and procedures in place concerning the timely recording of acceptance of goods and services and monitoring the accuracy of the acceptance dates, management did not effectively enforce them.

Effect. By not following existing policies and procedures concerning timely acceptance of goods and services, IRS is at an increased risk that its financial records are not accurate or complete, thus increasing the risk that its financial statements are misstated.

Recommendation for Executive Action. We recommend that the Commissioner of Internal Revenue establish and implement actions to provide reasonable assurance that business units record the acceptance of goods and services in a timely manner in accordance with IRS policies and procedures. (Recommendation 20-03)

Calculating Future Lease Payments for Non-Cancellable Operating Leases

IRS leases office space from the General Services Administration (GSA) and commercial entities under non-cancellable operating leases. Per Office of Management and Budget Circular No. A-136, Financial Reporting Requirements, IRS is required to disclose in the notes to its financial statements a description of these lease arrangements and a summary of future payments due for all non-cancellable operating leases with terms longer than 1 year.²⁴ For certain leases, IRS also has occupancy agreements with GSA that contain a baseline termination date but may also include an ad hoc clause specifying a lease cancellation date that overrides the baseline termination date. In response to deficiencies we previously reported in this area,²⁵ in October 2016, IRS established and implemented procedures for calculating future lease payments for non-cancellable operating leases that are reported in the notes to its financial statements.²⁶ These procedures (1) include steps for considering any ad hoc clauses that may have specific termination dates, and (2) direct supervisory review of the calculations to reasonably assure the accuracy of future lease payment amounts for non-cancellable operating leases.

Condition. During our fiscal year 2019 audit, we identified five instances where IRS did not accurately calculate future lease payments for its non-cancellable operating leases. Specifically, for four occupancy agreements, IRS did not follow its procedures for determining the number of the future lease payments, and for one occupancy agreement, IRS did not identify the ad hoc clause included with the lease occupancy agreement, and therefore used the wrong lease termination dates in its calculation of future lease payments.

Criteria. IRS policies and procedures direct IRS to review non-cancellable operating leases annually to ensure that (1) the terms of prior year leases for which rent is scheduled in the fiscal year did not change and (2) any new, active non-cancellable operating leases were properly identified and their terms (i.e., lease start and end dates, and non-cancellable period ends dates) were properly documented in schedules used to calculate future lease payments due. IRS policies further direct management to review these schedules and underlying support for accuracy.²⁷

Internal control standards require that agencies establish control activities that ensure management's directives are enforced and carried out.²⁸

Cause. Although IRS has policies and procedures in place to determine lease termination dates for non-cancellable leases, calculate the future lease payments due on the non-cancellable leases with terms greater than 1 year, and review the calculations for accuracy and support, IRS did not ensure effective implementation of its policies and procedures.

Effect. By not following existing policies and procedures, IRS is at an increased risk that the reported amount of future lease payments for non-cancellable operating leases presented in the notes to its financial statements is misstated.

Recommendation for Executive Action. We recommend that the Commissioner of Internal Revenue establish and implement actions to provide reasonable assurance that the future lease payment amounts for non-cancellable operating leases are calculated correctly. (Recommendation 20-04)

Status of Prior Audit Recommendations

IRS has continued to work to address many of the control deficiencies related to open recommendations from our prior financial audits. As of September 30, 2018, there were 37 recommendations to improve IRS's financial operations and internal controls from prior year audits that we reported as open in our status of recommendations in the management report issued in May 2019.²⁹ During our fiscal year 2019 financial audit, we determined that IRS had completed corrective actions to address previously identified control deficiencies for 11 of the 37 recommendations that remained open as of September 30, 2018. As a result, a total of 30 recommendations need to be addressed — 26 remaining from our prior years' audits and the four new recommendations we are making in this report. See enclosure I for more details on our assessment of the status of IRS's actions to address prior audit recommendations that remained open as of September 30, 2018.

Agency Comments

We provided a draft of this report to IRS for comment. In its comments, reproduced in enclosure II, IRS agreed with the four new recommendations and described planned actions to address each recommendation. IRS stated that it is committed to implementing appropriate improvements to ensure that it maintains sound financial management practices. We will evaluate the effectiveness of IRS's efforts during our audit of its fiscal year 2020 financial statements.

* * *

This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on action taken or planned on our recommendations to the Senate Committee on Homeland Security and Governmental Affairs, the House Committee on Oversight and Reform, the congressional committees with jurisdiction over the programs and activities that are the subject of our recommendations, and GAO not later than 180 days after the date of this report. A written statement must also be sent to the Senate and House Committees on Appropriations with the agency's first request for appropriations made more than 180 days after the date of this report. Please send your statement of actions to me at clarkce@gao.gov or Estelle Tsay-Huang, Assistant Director, at tsayhuange@gao.gov.

We are sending copies of this report to the Chairmen and Ranking Members of the Senate Committee on Appropriations, Senate Committee on Finance, Senate Committee on Homeland Security and Governmental Affairs, House Committee on Appropriations, House Committee on Ways and Means, and House Committee on Oversight and Reform, and to the Chairman and Vice Chairman of the Joint Committee on Taxation. We are also sending copies to the Secretary of the Treasury, the Director of the Office of Management and Budget, and other interested parties. In addition, the report is available at no charge on the GAO website at https://www.gao.gov.

We acknowledge and appreciate the cooperation and assistance from IRS officials and staff during our audit of IRS's fiscal years 2019 and 2018 financial statements. If you or your staff have any questions about this report, please contact me at (202) 512-3406 or clarkce@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in enclosure III.

Sincerely yours,

Cheryl E. Clark
Director, Financial Management and Assurance
U.S. Government Accountability Office

Enclosures — 3

Enclosure I: Status of Recommendations from Prior Audits Reported as Open in GAO's 2018 Management Report

Table 1 shows the status of recommendations reported as open in our 2018 management report.¹ We will continue to evaluate the Internal Revenue Service's actions to address recommendations that remain open during future audits. The abbreviations used are defined in the legend at the end of the table.

Table 1: Status of Recommendations Reported as Open in GAO's 2018 Management Report
ID	Recommendation per audit area	Source report	Status
Unpaid assessments
17-01	Develop and implement a process to reasonably assure that IRS operating divisions and the IT organization effectively coordinate with the CFO organization when making programming changes to information systems affecting financial reporting. Action taken: As of September 30, 2019, all operating divisions involved with this recommendation developed and implemented a process to reasonably assure that IRS operating divisions and the IT organization effectively coordinate with the CFO organization when making programming changes to information systems affecting financial reporting. IRS's actions sufficiently address our recommendation.	GAO-17-454R	Closed
18-01	Research and determine why IRS's existing policies and procedures intended to timely follow up on, resolve, and record unpostable transactions were not fully effective in achieving these objectives. Action taken: As of September 30, 2019, all operating divisions involved with this recommendation researched and determined the reasons why existing policies and procedures intended to follow up on, resolve, and record its unpostable transactions were not fully effective in achieving these objectives and have taken corrective actions to resolve the identified unpostable transactions. IRS's actions sufficiently address our recommendation.	GAO-18-393R	Closed
18-02	Based on IRS's research and determination, design and implement the corrective actions necessary to reasonably assure that IRS effectively resolves and records unpostable transactions in a timely manner, including establishing clearly defined time frames in the IRM by which the IRS operating divisions should correct unpostable transactions and appropriate related oversight and review processes. Action taken: IRS's actions to address this recommendation are ongoing. As of September 30, 2019, three of the four operating divisions involved in this recommendation designed and implemented the corrective actions necessary to reasonably assure that IRS effectively resolved and recorded unpostable transactions in a timely manner. In March 2019, one operating division determined that based on the research performed, no actions needed to be taken by the operating division to effectively resolve and record unpostable transactions in a timely manner. We will continue to evaluate IRS's actions to address this recommendation during our audit of IRS's fiscal year 2020 financial statements.	GAO-18-393R	Open
19-01	Implement the necessary actions to effectively address the two primary causes of the significant deficiency in IRS's internal control over unpaid assessments. These actions should (1) resolve the system limitations affecting the recording and maintenance of reliable and appropriately classified unpaid assessments and related taxpayer data to support timely and informed management decisions, and enable appropriate financial reporting of unpaid assessment balances throughout the year, and (2) identify the control deficiencies that result in significant errors in taxpayer accounts and implement control procedures to routinely and effectively prevent, or detect and correct, such errors. Action taken: IRS's actions to address this recommendation are ongoing. During fiscal year 2019, IRS documented the key management decisions in the design and use of the estimation process. This step should reduce the risk that IRS may perform sampling procedures inconsistent with management intent or plans. Continued management commitment and sustained efforts are necessary to build on the progress made to date and to fully address IRS's remaining unresolved issues concerning the management and reporting of unpaid assessments. We will assess IRS's progress in addressing these issues during our audit of IRS's fiscal year 2020 financial statements.	GAO-19-412R	Open
Safeguarding
11-12	Based on a review of all existing contracts under $100,000 without an appointed contracting officer's technical representative that should require contract employees to obtain favorable background investigation results, amend those contracts to require that favorable background investigations be obtained for all relevant contract employees before routine, unescorted, unsupervised physical access to taxpayer information is granted. Action taken: During fiscal year 2019, we reviewed IRS contracts meeting the criteria of our recommendation and determined that IRS required all relevant contract employees to obtain favorable background investigations before routine, unescorted, unsupervised physical access to taxpayer information was granted. IRS's actions sufficiently address our recommendation.	GAO-11-494R	Closed
11-13	Establish a policy requiring collaborative oversight between IRS's key offices in determining whether potential service contracts involve routine, unescorted, unsupervised physical access to taxpayer information, thus requiring background investigations, regardless of contract award amount. This policy should include a process for the requiring business unit to communicate to the Office of Procurement and the HCO the services to be provided under the contract and any potential exposure of taxpayer information to contract employees providing the services, and for all three units to (1) evaluate the risk of exposure of taxpayer information prior to finalizing and awarding the contract and (2) ensure that the final contract requires favorable background investigations, as applicable, commensurate with the assessed risk. Action taken: During fiscal year 2019, the Office of Procurement, HCO, and FMSS established a policy requiring collaborative oversight for ensuring any individuals who require routine, unescorted physical access to taxpayer information obtain favorably adjudicated background investigation results. Specifically, the policy designates responsibilities for (1) identifying and communicating the need for individuals to be given routine, unescorted physical access to taxpayer information; (2) assessing applicable position related risks; (3) completing investigative background screening procedures applicable to determined position-related risk; (4) adjudicating background investigation results; and (5) maintaining documentation to support granting access to taxpayer information, as necessary. IRS's actions sufficiently address our recommendation.	GAO-11-494R	Closed
11-24	Revise the post orders for the SCCs and lockbox bank security guards to include specific procedures for timely reporting exterior lighting outages to SCCs or lockbox bank facilities management. These procedures should specify (1) whom to contact to report lighting outages and (2) how to document and track lighting outages until resolved. Action taken: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, FMSS will update the IRM to reflect the necessary guidance for service center guards and FMSS physical security specialists to know (1) whom the guards are to contact to report lighting outages and (2) how lighting outages are to be documented and tracked until resolved.	GAO-11-494R	Open
13-05	Perform a risk assessment to determine the appropriate level of IDRS access that should be granted to employee groups that handle hard-copy taxpayer receipts and related sensitive taxpayer information as part of their job responsibilities. Action taken: IRS's actions to address this recommendation are ongoing. In October 2019, the functions within the SB/SE organization completed risk assessments to determine the appropriate level of IDRS access that should be granted to the employees who handle hard-copy taxpayer receipts and related sensitive taxpayer information as part of their job responsibilities. In addition, IRS officials stated that during fiscal year 2020, the TAS organization, in coordination with the IT organization, as necessary, will complete a risk assessment of all employee groups that handle hard-copy taxpayer receipts and related sensitive taxpayer information to determine the most appropriate level of IDRS access.	GAO-13-420R	Open
13-06	Based on the results of the risk assessment, update the IRM accordingly to specify the appropriate level of IDRS access that should be allowed for (1) remittance perfection technicians and (2) all other employee groups with IDRS access that handle hard-copy taxpayer receipts and related sensitive information as part of their job responsibilities. Action taken: IRS's actions to address this recommendation are ongoing. IRS officials stated that by October 2020, the SB/SE, TAS, and TE/GE organizations will work with the IT organization, as necessary, to ensure that the applicable IRM section(s) are revised for any policy changes on (1) risk mitigation, including specifying the appropriate level of IDRS access that should be allowed, and (2) risk acceptance for affected employee groups, as needed.	GAO-13-420R	Open
13-07	Establish procedures to implement the updated IRM, including required steps to follow to prevent (1) remittance perfection technicians and (2) all other employee groups that handle hard-copy taxpayer receipts and related sensitive information as part of their job responsibilities from gaining access to command codes not required as part of their designated job duties. Action taken: IRS's actions to address this recommendation are ongoing. IRS officials stated that by October 2020, the SB/SE, TAS, and TE/GE organizations will work with the IT organization, as necessary, to establish procedures to prevent affected employees from gaining access to command codes not required as part of their designated job duties, as needed.	GAO-13-420R	Open
15-06	Establish a process to ensure that the requirement for unauthorized access awareness training is explicitly communicated to non-IRS contractors who have unescorted access to IRS facilities. Action taken: During fiscal year 2019, we verified that IRS established policies and procedures to (1) require the documented completion of designated training for IRS contractors and non-IRS contractors before they are granted unescorted facility access and (2) define the roles and responsibilities for communicating this training requirement to IRS contractors and non-IRS contractors. IRS's actions sufficiently address our recommendation.	GAO-15-480R	Closed
15-07	Establish procedures to monitor whether non-IRS contractors with unescorted physical access to IRS facilities are receiving unauthorized access awareness training. Action taken: During fiscal year 2018, FMSS established training requirements for non-IRS contractors with unescorted physical access to IRS facilities and communicated these requirements to its employees. However, FMSS did not establish procedures to monitor whether these non-IRS contractors receive the required unauthorized access awareness training. In addition, during our fiscal year 2019 audit, we found instances in which non-IRS contractors with unescorted physical access to an IRS facility did not complete the required training.	GAO-15-480R	Open
15-08	Determine the reasons why staff did not consistently comply with IRS's existing requirements for the final candling of receipts at SCCs and lockbox banks, including logging remittances found during final candling on the final candling log at the time of discovery, safeguarding the remittances at the time of discovery, transferring the remittances to the deposit unit promptly, and passing one envelope at a time over the light source, and based on this determination, establish a process to better enforce compliance with these requirements. Action taken: IRS's actions to address this recommendation are ongoing. During fiscal year 2017, IRS held a meeting with Submission Processing executives, staff, and the Receipt and Control Operation managers from all five SCCs, and as a result of the meeting, IRS developed an action plan to resolve the residual risks associated with candling at the SCCs. IRS officials stated that during fiscal year 2020, it will complete the developed action plan.	GAO-15-480R	Open
16-02	Establish a process to prevent Employment Operations staff from allowing potential employees to enter on duty without favorable determinations of suitability by Personnel Security adjudicators. Action taken: During fiscal year 2019, we verified that the determinations of suitability procedures IRS established in fiscal year 2018 included an enhanced quality review process for Employment Operations staff to ensure that all new hires are cleared and approved before being allowed to enter on duty. IRS's actions sufficiently address our recommendation.	GAO-16-457R	Closed
16-03	Establish a policy and procedures requiring IRS officials to review and address situations in which it is later discovered that an employee deemed unsuitable for employment during the prescreening process was erroneously allowed to enter on duty. Action taken: During fiscal year 2019, we verified that the guidance IRS established in fiscal year 2018 details procedures for IRS officials to address situations where employees deemed unsuitable for employment during the hiring prescreening process were erroneously allowed to enter on duty. IRS's actions sufficiently address our recommendation.	GAO-16-457R	Closed
16-04	Develop and provide training, on a recurring basis, to all FMSS specialists and managers involved in the duress alarm validation and testing process to reinforce the related policies and procedures. Action taken: During fiscal year 2018, FMSS developed a mandatory annual training course for all physical security specialists and managers involved in the duress alarm validation and testing process to reinforce related alarm policies and procedures. During fiscal year 2019, we reviewed training records of FMSS physical security specialists and managers involved in the duress alarm validation and testing process and verified that the employees completed the required alarm training. IRS's actions sufficiently address our recommendation.	GAO-16-457R	Closed
17-03	Strengthen the process for reasonably assuring that the IRM is reviewed annually to align with the current control procedures and guidance being implemented by agency personnel. This should include a mechanism for reasonably assuring that program owner directors (1) review their respective program control activities and related guidance annually and timely update the IRM as needed, (2) document their reviews, and (3) utilize interim guidance and supplemental guidance correctly for their intended purposes. Action taken: IRS's actions to address this recommendation are ongoing. During fiscal year 2018, IRS created an annual IRM review and certification requirement to reasonably assure that all IRM sections align with the current control procedures and guidance that IRS personnel are implementing. In addition, the SB/SE and TE/GE organizations developed action plans to achieve substantial compliance with this requirement. During fiscal year 2019, the SB/SE organization completed its action plan; however, IRS officials stated that the TE/GE organization will complete its action plan during fiscal year 2020. Further, in fiscal year 2019, the Large Business & International organization reviewed and analyzed the results of its involvement in the annual IRM certification process. Based on the results of its analysis, the organization developed an action plan to achieve substantial compliance with the IRM review and certification requirement, which IRS officials stated it will complete by December 2021.	GAO-17-454R	Open
18-03	Develop and implement policies in the IRM for conducting and monitoring the Submission Processing internal control review. These policies should include or be accompanied by procedures to (1) assess and update the review questions and cited IRM criteria to reasonably assure they align with the controls under review; (2) periodically evaluate and document a review of the error threshold methodology to assess its current validity based on changes to the operating environment; (3) report findings identified in the Findings and Corrective Actions Report; and (4) assess and monitor (a) safeguarding of internal control activities across all work shifts, particularly during peak seasons, (b) safeguarding of internal control activities for the appropriate use and destruction of hard-copy taxpayer information, and (c) the results of relevant functional level reviews. Action taken: During fiscal year 2019, IRS developed policies in the IRM for conducting and monitoring the Submission Processing internal control review. Specifically, the IRM addresses the (1) designated roles and responsibilities among IRS business units for ensuring the review questions and associated criteria are assessed and updated to align with internal controls under review; (2) requirements for periodically evaluating the error threshold methodology used in the review; and (3) procedures for the review to assess and monitor (a) internal control activities across work shifts and (b) internal control activities for appropriate use and destruction of hard-copy taxpayer information. However, the IRM did not include requirements for reporting findings identified during all components of the internal control review and for assessing and monitoring results of relevant functional level reviews. Since IRS developed the relevant IRM policies and procedures after we had already performed our fiscal year 2019 internal control testing, we will evaluate IRS's implementation of the established procedures during our fiscal year 2020 audit.	GAO-18-393R	Open
18-04	Develop and implement policies in the IRM for conducting and monitoring the AMC review. These policies should include or be accompanied by procedures for IRS management responsible for establishing policies related to safeguarding controls to (1) periodically monitor the results of the review; (2) clarify the minimum requirements for how frequently the review should be completed at its various facilities while considering factors that may affect the most appropriate timing of these reviews, such as changes in personnel, operational processes, or information technology; and (3) reasonably assure that corrective actions for all identified deficiencies are tracked until fully implemented. Action taken: In September 2019, IRS notified stakeholders of the added procedures to the IRM for (1) conducting the AMC reviews, including how frequently the reviews should be completed; (2) developing corrective actions for deficiencies; and (3) tracking the status of the corrective actions until fully implemented. Since IRS provided us the IRM procedures after the end of our fiscal year 2019 audit, we will evaluate IRS's implementation of the established procedures during our fiscal year 2020 audit.	GAO-18-393R	Open
18-05	Develop and implement policies in the IRM for conducting and monitoring the AEHR review. These policies should include or be accompanied by procedures for IRS management responsible for establishing policies related to safeguarding controls to (1) periodically monitor the results of the review and (2) reasonably assure that corrective actions for all identified deficiencies are tracked until fully implemented. Action taken: In September 2019, IRS notified stakeholders of the added procedures to the IRM for conducting the AEHR reviews, including developing and monitoring corrective actions for deficiencies until fully implemented. Since IRS provided us the IRM procedures after the end of our fiscal year 2019 audit, we will evaluate IRS's implementation of the established procedures during our fiscal year 2020 audit.	GAO-18-393R	Open
19-02	Document and implement a formal comprehensive strategy to provide reasonable assurance concerning its nationwide coordination, consistency, and accountability for internal control over key areas of physical security. This strategy should include nationwide improvements for (1) coordinating among the functional areas involved in physical security; (2) implementing and monitoring the effectiveness of physical security policies, procedures, and internal controls; and (3) ongoing communication in identifying, documenting, and taking corrective action to resolve underlying control issues that affect IRS's facilities. Action taken: IRS's actions to address this recommendation are ongoing. IRS officials stated that FMSS is in the process of developing and documenting a formal, comprehensive strategy. According to IRS officials, this strategy will include different overarching goals, such as improving workforce effectiveness, ensuring appropriate monitoring functions and employee accountability, and improving coordination and communication of policies and procedures. IRS plans to complete the formal, comprehensive strategy during fiscal year 2020 and finalize the implementation of this strategy by March 2021.	GAO-19-412R	Open
19-03	Determine the reasons staff did not consistently comply with IRS's existing requirement for maintaining an emergency contact list at all of its facilities and, based on this determination, establish a process to enforce compliance with the requirement. Action taken: IRS's actions to address this recommendation are ongoing. During fiscal year 2019, IRS used a questionnaire survey and obtained feedback from security section chiefs and physical security specialists to determine the reasons staff did not consistently comply with IRS's existing requirement to maintain an emergency contact list at all IRS facilities. IRS officials stated that during fiscal year 2020, FMSS will establish a process to better enforce compliance with the requirement based on the results of the feedback obtained.	GAO-19-412R	Open
19-04	Establish and implement policies and procedures requiring that corrective actions be documented in the Alarm Maintenance and Testing Certification Report for malfunctioning alarms identified in the annual alarm tests. Action taken: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, FMSS will (1) update the IRM to reflect the requirement to use the Alarm Maintenance and Testing Certification Report to document alarm testing results, including any malfunctioning alarms and related corrective actions taken, as appropriate, and (2) review the Alarm Maintenance and Testing Certification Report Form and incorporate any additional instructions and fields to document the specific alarms tested, the testing results, and related corrective actions taken, as appropriate.	GAO-19-412R	Open
19-05	Establish and implement policies or procedures, or both, to provide reasonable assurance that the video surveillance systems at all IRS facilities record activity at the correct time and are properly secured. The policies or procedures should include periodic checks and adjustments, as needed, as part of the annual service and maintenance of security equipment and systems. Action taken: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, FMSS will develop, document, and implement policies or procedures, or both, to provide reasonable assurance of the accuracy and physical security of the video surveillance systems at all IRS facilities by including periodic checks and adjustments, as needed, as part of the annual service and maintenance of security equipment.	GAO-19-412R	Open
19-06	Update and implement policies or procedures, or both, to clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the review is to be conducted, and (3) how the review should be documented. Action taken: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the IT and the Criminal Investigation organizations will update and implement their policies or procedures, or both, to clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the review is to be conducted, and (3) how the review should be documented.	GAO-19-412R	Open
19-07	(1) Identify the reason IRS's policies and procedures related to the transmittal forms were not always followed and (2) design and implement actions to provide reasonable assurance that SB/SE units comply with these policies and procedures. Action taken: IRS's actions to address this recommendation are ongoing. IRS officials stated that the SB/SE Field Collection organization determined that the reasons the policies and procedures were not always followed were either a lack of understanding of the requirements or a lack of consistency in adhering to them. In order to address this, in October 2019, Field Collection distributed a memorandum to its area directors, territory managers, and group managers, reminding them of the required remittance processing procedures, emphasizing the importance of following the procedures, and requesting that they distribute the information in the memorandum within their organization. IRS officials stated that the memorandum will help assure that SB/SE Field Collection units comply with the applicable policies and procedures. Since this memorandum was issued after the end of our fiscal year 2019 audit, we will review the implementation of this action during our fiscal year 2020 audit. Further, IRS officials stated that during fiscal year 2020, the SB/SE Examination organization will identify the reason that IRS's policies and procedures for transmittal forms were not followed, and based on this, it will add guidance to the applicable IRM sections to clarify and supplement the service-wide guidance for the appropriate control, monitoring, and review of the forms used to transmit packages containing personally identifiable information.	GAO-19-412R	Open
Refunds
16-07	Determine the reason(s) why staff did not always comply with IRS's established policies and procedures related to initiating, monitoring, and reviewing the monitoring of manual refunds and, based on this determination, establish a process to better enforce compliance with these requirements. Action taken: During fiscal year 2019, we identified instances where staff did not comply with IRS's policies and procedures related to monitoring and reviewing the monitoring of manual refunds. IRS officials stated that the W&I organization determined that a fully automated process to perform monitoring of manual refunds is the optimal solution to address, at an enterprise level, deficiencies associated with reliance on employees to monitor refunds in process and take appropriate action when potential duplicate or erroneous refund conditions are encountered. In addition, IRS officials indicated that the W&I organization will develop business requirements and request programming through the UWR process; however, limited resources and competing priorities prevent the identification of an implementation date. As a result, IRS will place this recommendation on hold until an implementation date is known.	GAO-16-457R	Open
16-08	Enhance the training program provided to COs to address all the job responsibilities related to certifying manual refunds for payment, including the required review of supporting documentation for manual refunds. Action taken: During fiscal year 2019, IRS (1) developed and delivered a mandatory training course to COs on their roles and responsibilities, which includes the requirement to review manual refund supporting documentation, and (2) updated the IRM to require that COs complete this training annually. IRS's actions sufficiently address our recommendation.	GAO-16-457R	Closed
16-10	Identify the cause of and implement a solution for dealing with the periodic backlogs of ICO inventory that is hampering the performance of quality reviews. Action taken: During fiscal year 2019, the W&I organization determined that periodic backlogs of ICO inventory were caused by a combination of factors, such as systemic issues, fluctuations in projected filings, and hiring challenges. IRS officials stated that the W&I organization has also identified and implemented several strategies to address ICO backlogs and mitigate the impact on the quality review program, including hiring more staff in ICO functions, using seasonal employees, cross-training, overtime, transferring of work, and updating the IRM. Since IRS provided us with this information near the end of our fiscal year 2019 audit in September 2019, we will evaluate IRS's actions to address this recommendation during our fiscal year 2020 audit.	GAO-16-457R	Open
17-06	Revise the applicable IRM sections pertaining to manual refunds to require employees to verify the validity of the digital signatures on the manual refund request forms and the manual refund signature authorization forms. Action taken: During fiscal year 2019, IRS updated the applicable IRM sections to require employees to verify the validity of the digital signatures on manual refund request forms and the manual refund signature authorization forms. IRS's actions sufficiently address our recommendation.	GAO-17-454R	Closed
19-08	Update and implement policies or procedures, or both, to clearly define the roles and responsibilities of second-level managers and IDRS security account administrators for validating the information on USR designation forms, including specifying how the information should be validated. Acton taken: IRS's actions to address this recommendation are ongoing. During fiscal year 2019, the IT organization updated IRS's IDRS security policy contained in the IRM to ensure that the IDRS account administration process complies with IRS's personnel security policy regarding background investigation completion dates. In addition, IRS officials stated that by November 2020, the IT organization will update the USR designation form, as well as policies and procedures, to clearly define the roles and responsibilities of second-level managers and IDRS security account administrators for validating the information on USR designation forms, including how the information should be validated.	GAO-19-412R	Open
19-09	Update and implement procedures to clearly specify the tax refund data elements that PVS COs are required to verify before certifying the tax refunds in SPS. Action taken: During fiscal year 2019, the IT organization updated its standard operating procedures to clearly specify the tax refund data elements that PVS COs are required to verify before certifying the tax refunds in SPS. Since IRS completed this action after we had already performed our fiscal year 2019 testing related to the certification of tax refunds, we will evaluate IRS's actions to address this recommendation during our fiscal year 2020 audit.	GAO-19-412R	Open
19-10	Establish and implement a review process to provide reasonable assurance that the RSNs that Data Conversion key entry operators enter into the ISRP system and post to the master files are correct. Action taken: IRS actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, the W&I organization will establish and implement a review process to provide reasonable assurance that the RSNs on manual refund forms are transcribed accurately into the ISRP system.	GAO-19-412R	Open
19-11	Implement a validity check in the ISRP system to confirm that RSNs that Data Conversion key entry operators enter into the system have the required 14 digits. Action taken: IRS officials stated that the W&I organization agrees that developing and implementing a UWR for programming changes is needed to systemically validate the RSNs input into the ISRP system; however, IRS officials indicated that the organization is unable to commit to implementing a corrective action because of budgetary constraints. As a result, IRS will place this recommendation on hold until funds are available.	GAO-19-412R	Open
Tax credits
19-12	Update and implement policies or procedures, or both, to require that reviewers follow up with tax examiners to verify the errors that tax examiners made in working on cases related to suspicious or questionable tax returns are corrected. Action taken: IRS's actions to address this recommendation are ongoing. IRS officials stated that by April 2020, IRS will update and implement policies or procedures, or both, requiring that reviewers follow up with tax examiners to verify that the errors tax examiners made in working a case related to suspicious or questionable tax returns are corrected.	GAO-19-412R	Open
Property and equipment
16-13	Establish and implement monitoring procedures designed to reasonably assure that the key detailed information for tangible capitalized P&E is properly recorded and updated in the KISAM system. Action taken: IRS established the Asset Management Program Monitoring and Review procedure, effective October 1, 2016, for performing quarterly sample reviews of IT assets in KISAM. In September 2017, IRS also revised the IRM to require FMSS territory managers or section chiefs to review KISAM key data elements for non-IT assets to verify that they are correct and updated. However, during our fiscal year 2018 floor-to-book inventory testing, we identified exceptions where (1) a key detailed information element (e.g., building code) for P&E assets was not properly recorded in KISAM and (2) P&E assets found on the floor did not have asset records in KISAM. We will conduct inventory testing and follow-up to determine the status of this issue during our audit of IRS's fiscal year 2020 financial statements.	GAO-16-457R	Open
17-10	Provide clear guidelines as to what events constitute removal from IRS premises and the disposal date that should be recorded in its inventory system, either through an update of the IRM or other property and equipment-related desk guides. Action taken: Effective April 2018, IRS established the FMSS Property and Asset Management Desk Guide, which contains guidelines as to what events constitute removal from IRS premises and the disposal date that should be recorded in its inventory system. IRS's actions sufficiently address our recommendation.	GAO-17-454R	Closed
Legend: AEHR: All Events History Report AMC: Audit Management Checklist CFO: Chief Financial Officer CO: certifying officer FMSS: Facilities Management and Security Services HCO: Human Capital Office ICO: Input Correction Operation IDRS: Integrated Data Retrieval System IRM: Internal Revenue Manual IRS: Internal Revenue Service ISRP: Integrated Submission and Remittance Processing IT: Information Technology KISAM: Knowledge, Incident/Problem, Service Asset Management P&E: property and equipment PVS: Processing Validation Section RSN: refund schedule number SB/SE: Small Business/Self-Employed SCC: service center campus SPS: Secure Payment System TAS: Taxpayer Advocate Service TE/GE: Tax Exempt & Government Entities USR: unit security representative UWR: Unified Work Request W&I: Wage and Investment Source: GAO evaluation of the status of recommendations to IRS as of September 30, 2019. \| GAO-20-480R

Enclosure II: Comments from the Internal Revenue Service

April 20, 2020

Ms. Cheryl E. Clark
Director, Financial Management and Assurance
U.S. Government Accountability Office
441 G Street, NW
Washington, DC 20548

Dear Ms. Clark:

I am writing in response to the Government Accountability Office (GAO) draft report titled. Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting (GAO-20-480R). We are pleased that GAO acknowledged our progress in addressing our financial management challenges and agreed to close eleven prior year financial management recommendations. We continue to implement processes to prevent or mitigate internal control deficiencies and improve financial management.

As noted by GAO in the opinion report (GAO-20-159), IRS continued to make progress in addressing the unpaid assessments significant deficiency and accurately reported on the large increase in taxes receivable related to the repatriation of foreign earnings. During FY 2019, the IRS also continued to strengthen internal control over financial reporting systems and accounting for property, plant and equipment. The enclosed response addresses each of your new recommendations, all of which we accept.

We are committed to implementing appropriate improvements to ensure that the IRS maintains sound financial management practices. If you have any questions, please contact me, or a member of your staff may contact Ursula Gillis, Chief Financial Officer, at 202-317-6400.

Sincerely,

Charles P. Rettig

Enclosure

Enclosure

GAO Recommendations and IRS Responses to
GAO FY 2019 Management Report
“Improvements Are Needed to Enhance the Internal Revenue Service's
Internal Control over Financial Reporting”
GAO-20-480R

Recommendation #1: We recommend that the Commissioner of Internal Revenue update and implement policies and procedures for developing a courier contingency plan to prohibit managers responsible for overseeing the preparation of taxpayer receipts for deposits from also transporting them to financial institutions. (Recommendation 20-01)

Comments: The IRS agrees with this recommendation. The Wage & Investment organization will update the Courier Contingency Plan policies and procedures to provide for appropriate segregation of duties or other curative measures.

Due date: October 15, 2020

Recommendation #2: We recommend that the Commissioner of Internal Revenue establish and implement manual refund procedures to direct (1) initiators to document (e.g., record on the taxpayers' accounts or annotate on the related manual refund forms) the justification for bypassing the lAT tool warning related to potential duplicate tax refunds on taxpayers' accounts, and (2) managers to monitor whether such warnings were bypassed and review the justifications for reasonableness prior to approving manual refund forms. (Recommendation 20-02)

Comments: The IRS agrees with this recommendation. The Wage & Investment organization agrees that actions need to occur to address duplicate tax refund conditions through improved manual refund procedures to require (1) initiators to document the justification for bypassing the Integrated Automated Technologies (lAT) tool warning related to potential duplicate tax refunds on taxpayers' accounts and (2) managers to review the justification documented for bypassing the lAT tool warning for reasonableness prior to approving manual refund forms. However, we are unable to commit to implementing a corrective action at this time due to budgetary constraints on systemic enhancements. Therefore, this recommendation will be placed on Hold in JAMES, pending the availability of required funding.

Recommendation #3: We recommend that the Commissioner of Internal Revenue establish and implement actions to provide reasonable assurance that business units record the acceptance of goods and services in a timely manner in accordance with IRS policies and procedures. (Recommendation 20-03)

Comments: The IRS agrees with this recommendation. The Chief Financial Officer organization will determine the reasons for business unit(s) non-compliance with established policies and procedures related to timely recording of receipt and acceptance of goods and services and, based on this evaluation, develop an action plan that once completed will provide additional tools to aid the business units in reasonably ensuring compliance with established requirements.

Due date August 15, 2020

Recommendation #4: We recommend that the Commissioner of Internal Revenue establish and implement actions to provide reasonable assurance that the future lease payment amounts for non-cancelable operating leases are calculated correctly. (Recommendation 20-04)

Comments: The IRS agrees with this recommendation.

The Chief Financial Officer organization will update the policies and procedures to include additional instructions needed to calculate the future lease payments due on the non-cancelable leases with terms greater than one year.++
Due date: October 15, 2020
The Chief Financial Officer organization will create an automated calculation to determine the number of remaining months of lease payments.
Due date: October 15, 2020

Enclosure III: GAO Contact and Staff Acknowledgments

GAO Contact

Cheryl E. Clark at (202) 512-3406 or clarkce@gao.gov

Staff Acknowledgments

In addition to the contact named above, the following individuals made major contributions to this report: Estelle Tsay-Huang (Assistant Director), Stephanie Chen, Liliam Coronado, Joseph Crays, Nina Crocker, Charles Fox, Matthew Frideres, Eric Stalcup, Erika Szatmari, and Monasha Thompson.

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

GAO's Mission

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's website (https://www.gao.gov). Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to https://www.gao.gov and select “E-mail Updates.”

Order by Phone

The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's website, https://www.gao.gov/ordering.htm.

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537.

Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO

Connect with GAO on Facebook, Flickr, Twitter, and YouTube.

Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.

Visit GAO on the web at https://www.gao.gov.

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Website: https://www.gao.gov/fraudnet/fraudnet.htm

Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Orice Williams Brown, Managing Director, WilliamsO@gao.gov, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548

Public Affairs

Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800

U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548

Strategic Planning and External Liaison

James-Christian Blockwood, Managing Director, spel@gao.gov, (202) 512-4707 U.S. Government Accountability Office, 441 G Street NW, Room 7814, Washington, DC 20548

FOOTNOTES

¹GAO, Financial Audit: IRS's FY 2019 and FY 2018 Financial Statements, GAO-20-159 (Washington, D.C.: Nov. 8, 2019).

²A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

³An unpaid assessment is a legally enforceable claim against a taxpayer and consists of taxes, penalties, and interest that have not been collected or abated (i.e., the assessment reduced by IRS). See, for example, implementing guidance in the Internal Revenue Manual (IRM) § 1.34.4.1.6(1.p), Terms/Definitions (Aug. 25, 2015).

⁴In addition to the internal control deficiencies included in this report, we plan to issue a separate report on the information systems control deficiencies identified during our fiscal year 2019 audit, along with associated new recommendations for corrective actions.

⁵GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting, GAO-19-412R (Washington, D.C.: May 9, 2019).

⁶A material weakness is a deficiency or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.

⁷GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: September 2014), contains the internal control standards to be followed by executive agencies in establishing and maintaining systems of internal control as required by 31 U.S.C. § 3512(c), (d) (commonly referred to as the Federal Managers' Financial Integrity Act).

⁸An entity's internal control over financial reporting is a process effected by those charged with governance, management, and other personnel, the objectives of which are to provide reasonable assurance that (1) transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in accordance with U.S. generally accepted accounting principles, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition, and (2) transactions are executed in accordance with provisions of applicable laws, including those governing the use of budget authority, regulations, contracts, and grant agreements, noncompliance with which could have a material effect on the financial statements.

⁹IRM § 3.8.44, Deposit Activity — Campus Deposit Activity (Nov. 9, 2018).

¹⁰IRM § 3.8.45.1.9.1(13), Courier Service Requirements and Responsibilities (Sept. 18, 2017), directs courier companies to maintain insurance coverage valued at $1 million to cover the costs to reconstruct a lost, stolen, or destroyed deposit made payable to IRS.

¹¹IRM § 3.8.45.1.9.3.1(4), Courier Contingency Plan Development (Nov. 13, 2017).

¹²GAO-14-704G.

¹³IRM § 3.8.45.1.9.3.1, Courier Contingency Plan Development (Nov. 13, 2017).

¹⁴IRS's master files contain detailed electronic records of taxpayer accounts. IRS uses information in the master files for tax administration purposes and to support information reported in its financial statements.

¹⁵IRM § 21.4.4.3, Why Would A Manual Refund Be Needed? (Oct. 1, 2017).

¹⁶IRM § 21.2.2.4.4.14, Integrated Automation Technologies (Sept. 16, 2015).

¹⁷IRM § 21.4.4.5, Preparation of Manual Refund Forms (Oct. 1, 2018).

¹⁸IRM § 21.4.4.5 (6a, 6b, 7a, and 7b), Preparation of Manual Refund Forms (Oct. 1, 2018).

¹⁹GAO-14-704G.

²⁰Interim Guidance Memorandum Control No. CFO-01-0918-40 that affects IRM § 1.35.3, Financial Accounting, Receipt and Acceptance Guidelines — § 1.35.3.9(1)a, Receipt and Acceptance Processes (Sept. 25, 2018).

²¹Interim Guidance Memorandum Control No. CFO-01-0918-40 that affects IRM § 1.35.3, Financial Accounting, Receipt and Acceptance Guidelines — § 1.35.3.9(2), Receipt and Acceptance Processes (Sept. 25, 2018).

²²IRM § 1.35.3.8.7(1)f, Director, Office of Procurement, Agency-Wide Shared Services (July 21, 2015).

²³GAO-14-704G.

²⁴Office of Management and Budget, Financial Reporting Requirements, OMB Circular No. A-136 (Washington, D.C.: June 28, 2019).

²⁵GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting, GAO-16-457R (Washington, D.C.: May 18, 2016).

²⁶GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting, GAO-18-393R (Washington, D.C.: May 7, 2018).

²⁷Internal Revenue Service, Methodology to Identify Operating Leases and Prepare Note Disclosure For Financial Statement Notes, IRS Memorandum (Oct. 18, 2019).

²⁸GAO-14-704G.

²⁹GAO-19-412R.

¹GAO, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting, GAO-19-412R (Washington, D.C.: May 9, 2019).

END FOOTNOTES