Management Report:

Improvements Are Needed to Enhance the Internal Revenue Service's Internal Control over Financial Reporting

GAO-19-412R: Published: May 9, 2019. Publicly Released: May 9, 2019.

Additional Materials:

Contact:

Cheryl E. Clark
(202) 512-9377
clarkce@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Does the IRS get audited, too?

Every year we audit the IRS's financial statements. Our FY 2018 audit found new and continuing problems related to its internal controls over its financial reporting.

For instance, we found issues with how the IRS:

Accounts for taxes receivable—the money it estimates it will collect from taxes owed

Safeguards taxpayer information

Reviews suspicious and questionable tax returns

Problems like these could lead to misstatements in IRS's financial statements, as well as unauthorized access to taxpayer information.

We made 12 additional recommendations in this report to address these issues.

 

The sign outside of the Internal Revenue Service building.

The sign outside of the Internal Revenue Service building.

Additional Materials:

Contact:

Cheryl E. Clark
(202) 512-9377
clarkce@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

During its audit of the Internal Revenue Service's (IRS) fiscal years 2018 and 2017 financial statements, GAO identified continuing control deficiencies related to IRS's accounting for federal taxes receivable and other unpaid assessments that collectively represent a significant deficiency in IRS's internal control over unpaid tax assessments as of September 30, 2018. GAO also identified new control deficiencies in IRS's internal control over financial reporting that although not considered a material weakness or significant deficiency, nonetheless, warrant IRS management's attention. These control deficiencies concern IRS's

  • nationwide strategy for safeguarding taxpayer receipts and associated information,
  • physical security policies and procedures,
  • review of visitor access logs,
  • transmission of taxpayer receipts,
  • designations of unit security representatives,
  • review of automated tax refund information prior to certification for payment,
  • review of refund schedule numbers for manual refunds, and
  • review of suspicious and questionable tax returns in Examination.

In addition, for six of the 32 recommendations from GAO's prior reports related to control deficiencies in IRS's internal control over financial reporting, GAO found that IRS implemented corrective actions during fiscal year 2018 that resolved the deficiencies, and as a result, these recommendations were closed. GAO closed one additional recommendation that related to unpaid assessments, by making a new recommendation that is better aligned with the remaining deficiencies that collectively represent a significant deficiency in internal controls over this area as of September 30, 2018. As a result, IRS currently has 37 GAO recommendations to address—the previous 25 open recommendations and the 12 new recommendations GAO is making in this report.

Why GAO Did This Study

The purpose of this report is to present those internal control deficiencies identified during GAO's audit of IRS's fiscal years 2018 and 2017 financial statements for which GAO did not already have any recommendations outstanding. This report provides new recommendations to address these internal control deficiencies and also presents the status, as of September 30, 2018, of IRS's corrective actions taken to address GAO's recommendations from its prior financial audits that remained open as of September 30, 2017.

What GAO Recommends

GAO is making 12 recommendations to address the identified control deficiencies. These recommendations are intended to improve IRS's internal controls over financial reporting as well as to bring IRS into conformance with its own policies and Standards for Internal Control in the Federal Government. IRS stated that it is committed to implementing appropriate improvements to ensure that it maintains sound financial management practices. IRS agreed with GAO's 12 new recommendations and described planned actions to address each recommendation.

For more information, contact Cheryl E. Clark at (202) 512-9377 or clarkce@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: The IRS agreed with this recommendation. The Chief Financial Officer organization agrees that actions need to occur to address the two primary causes of the significant deficiency in IRS's internal control over unpaid assessments through (1) resolving the system limitations affecting the recording and maintenance of reliable and appropriately classified unpaid assessments and taxpayer data in accordance with federal accounting standards, and (2) implementing control procedures to correct significant errors in taxpayer accounts routinely and effectively; however, the IRS is unable to commit to implementing a corrective action due to budgetary constraints. This recommendation will be placed on hold until funds are available. When resources become available, the IRS will complete a long-term strategy and plan for modernizing the information technology components of the unpaid assessments deficiency and establish a timeframe for completing full implementation.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials implement the necessary actions to effectively address the two primary causes of the significant deficiency in IRS's internal control over unpaid assessments. These actions should (1) resolve the system limitations affecting the recording and maintenance of reliable and appropriately classified unpaid assessments and related taxpayer data to support timely and informed management decisions, and enable appropriate financial reporting of unpaid assessment balances throughout the year, and (2) identify the control deficiencies that result in significant errors in taxpayer accounts and implement control procedures to routinely and effectively prevent, or detect and correct, such errors. (Recommendation 19-01)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Open

    Comments: The IRS agreed with this recommendation. By March 2020, the Facilities Management and Support Services (FMSS) organization will create and document a strategy to provide reasonable assurance concerning its nationwide coordination, consistency and accountability for internal control over key areas of physical security. This strategy will include nationwide improvements for (1) coordinating among all the functional areas involved in FMSS physical security programs; (2) implementing and monitoring the effectiveness of physical security policies, procedures and internal controls; and (3) ongoing communication in identifying, documenting and taking corrective action to resolve underlying control issues that impact IRS's facilities. By March 2021, the FMSS organization will implement the nationwide strategy throughout the organization to address (1) coordination amongst all the functional areas involved in FMSS physical security programs; (2) implementation and monitoring of the effectiveness of physical security policies, procedures and internal controls; and (3) ongoing communications in identifying, documenting and taking corrective action to resolve underlying control issues that impact IRS's facilities.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials document and implement a formal comprehensive strategy to provide reasonable assurance concerning its nationwide coordination, consistency, and accountability for internal control over key areas of physical security. This strategy should include nationwide improvements for (1) coordinating among the functional areas involved in physical security; (2) implementing and monitoring the effectiveness of physical security policies, procedures, and internal controls; and (3) ongoing communication in identifying, documenting, and taking corrective action to resolve underlying control issues that affect IRS's facilities. (Recommendation 19-02)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Open

    Comments: The IRS agreed with this recommendation. By September 2019, the Facilities Management and Support Services (FMSS) organization will obtain feedback from its operations management staff to determine the reasons staff did not consistently comply with IRS's existing requirement to maintain an emergency contact list at all IRS facilities. By December 2019, the FMSS organization will establish a process to better enforce compliance with the requirement to maintain an emergency contact list at all IRS facilities based on the results of the feedback obtained.

    Recommendation: The Commissioner of Internal Revenue should ensure that appropriate IRS officials determine the reasons staff did not consistently comply with IRS's existing requirement for maintaining an emergency contact list at all of its facilities and, based on this determination, establish a process to enforce compliance with the requirement. (Recommendation 19-03)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Open

    Comments: The IRS agreed with this recommendation. By October 2019, the Facilities Management and Support Services (FMSS) organization will update Internal Revenue Manual 10.2.14.9.2, Methods of Providing Protection, and Standard Operating Procedure 19-007, Alarm Notification, Testing and Maintenance, to reflect the requirement to use the Alarm Maintenance and Testing Certification Report to document alarm testing results, including any malfunctioning alarms and related corrective actions taken, as appropriate. By October 2019, the FMSS organization will review the Alarm Maintenance and Testing Certification Report Form and add any additional instructions and fields to document the specific alarms tested, the testing results and related corrective actions taken, as appropriate.

    Recommendation: The Commissioner of Internal Revenue should ensure that appropriate IRS officials establish and implement policies and procedures requiring that corrective actions be documented in the Alarm Maintenance and Testing Certification Report for malfunctioning alarms identified in the annual alarm tests. (Recommendation 19-04)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Open

    Comments: The IRS agreed with this recommendation. By November 2019, the Facilities Management and Support Services organization will develop, document and implement protocols (policies and/or procedures) to provide reasonable assurance for the accuracy and physical security of the video surveillance systems at all IRS facilities by including periodic checks and adjustments, as needed, as part of the annual service and maintenance of security equipment.

    Recommendation: The Commissioner of Internal Revenue should ensure that the appropriate IRS officials establish and implement policies or procedures, or both, to provide reasonable assurance that the video surveillance systems at all IRS facilities record activity at the correct time and are properly secured. The policies or procedures should include periodic checks and adjustments, as needed, as part of the annual service and maintenance of security equipment and systems. (Recommendation 19-05)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  6. Status: Open

    Comments: The IRS agreed with this recommendation. By October 2019, the Information Technology (IT) organization will update and implement policies and/or procedures to clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the review is to be conducted, and (3) how the review should be documented. By October 2019, the Criminal Investigation (CI)organization, based on IT guidance, will update and implement CI policies and/or procedures to clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the review is to be conducted, and (3) how the review should be documented.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to clarify (1) who is responsible for conducting the annual review of the visitor access logs, (2) the date by which the review is to be conducted, and (3) how the review should be documented. (Recommendation 19-06)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  7. Status: Open

    Comments: The IRS agreed with this recommendation. By December 2019, the Small Business/Self-Employed (SB/SE) Examination organization will identify the reason that IRS's policies and procedures for transmittal forms were not followed. By June 2020, the SB/SE Examination organization will add guidance to its Examination field Internal Review Manaus, based on research conducted, to clarify and supplement the Servicewide guidance for the appropriate control, monitoring and review of Forms 3210, Document Transmittal, used to transmit packages containing Personally Identifiable Information. By January 2020, the SB/SE Collection organization will identify the reason that IRS's policies and procedures for transmittal forms were not always followed and will design and implement actions to assure that SB/SE Collection units comply with these policies and procedures.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials (1) identify the reason IRS's policies and procedures related to the transmittal forms were not always followed and (2) design and implement actions to provide reasonable assurance that SB/SE units comply with these policies and procedures. (Recommendation 19-07)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  8. Status: Open

    Comments: The IRS agreed with this recommendation. By June 2019, the Information Technology (IT) organization will update IRS's Integrated Data Retrieval System (IDRS) security policy to ensure that the IDRS account administration process complies with IRS's personnel security policy outlined in Internal Review Manual 10.23.3, Personnel Security, Contractor Investigations. By November 2019, the IT organization will update Form 13230, IDRS Unit Security Designation, to define clearly the roles and responsibilities of second-level managers and IDRS security account administrators for validating the information on Unit Security Representative (USR) designation forms, including how the information should be validated. By November 2019, the IT organization will update and/or implement policies and procedures to clearly define the roles and responsibilities of second-level managers and IDRS security account administrators for validating the information on USR designation forms, including how the information should be validated.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to clearly define the roles and responsibilities of second-level managers and IDRS security account administrators for validating the information on USR designation forms, including specifying how the information should be validated. (Recommendation 19-08)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  9. Status: Open

    Comments: The IRS agreed with this recommendation. By July 2019, the Information Technology organization will update and implement procedures to specify clearly the tax refund data elements that processing validation section certifying officers are required to verify before certifying the tax refunds in the Secure Payment System (SPS).

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement procedures to clearly specify the tax refund data elements that PVS COs are required to verify before certifying the tax refunds in SPS. (Recommendation 19-09)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  10. Status: Open

    Comments: The IRS agreed with this recommendation. By December 2019, the Wage & Investment (W&I) organization will establish and implement a review process to provide reasonable assurance that the Refund Schedule Numbers (RSN) on Form 3753, Manual Refund Posting Voucher, are transcribed accurately into the Integrated Submission and Remittance Processing (ISRP) system.

    Recommendation: The Commissioner of Internal Revenue should ensure that the appropriate IRS officials establish and implement a review process to provide reasonable assurance that the RSNs that Data Conversion key entry operators enter into the ISRP system and post to the master files are correct. (Recommendation 19-10)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  11. Status: Open

    Comments: The IRS agreed with this recommendation. The Wage and Investment (W&I) organization will develop business requirements for the programming changes needed to validate systemically the refund schedule number (RSN) inputs to the Integrated Submission and Remittance Processing (ISRP) system and will submit those requirements to the Information Technology organization through the Unified Work Request (UWR) process. The W&I organization agrees that implementation of the UWR for programming changes needed to validate systemically the RSNs input into the ISRP system needs to occur, however, the IRS is unable to commit to implementing a corrective action due to budgetary constraints. This recommendation will be placed on hold until funds are available.

    Recommendation: The Commissioner of Internal Revenue should ensure that the appropriate IRS officials implement a validity check in the ISRP system to confirm that RSNs that Data Conversion key entry operators enter into the system have the required 14 digits. (Recommendation 19-11)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  12. Status: Open

    Comments: The IRS agreed with this recommendation. By April 2020, the Wage and Investment organization will update and implement policies and/or procedures requiring that reviewers follow up with tax examiners to verify that the errors made by the tax examiners in working a case related to suspicious or questionable tax returns are corrected.

    Recommendation: We recommend that the Commissioner of Internal Revenue ensure that the appropriate IRS officials update and implement policies or procedures, or both, to require that reviewers follow up with tax examiners to verify the errors that tax examiners made in working on cases related to suspicious or questionable tax returns are corrected. (Recommendation 19-12)

    Agency Affected: Department of the Treasury: Internal Revenue Service

 

Explore the full database of GAO's Open Recommendations »

Aug 15, 2019

Jul 24, 2019

Jun 28, 2019

May 21, 2019

May 15, 2019

May 7, 2019

Mar 29, 2019

Mar 28, 2019

Mar 26, 2019

Looking for more? Browse all our products here