Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to require, in all shredding service contracts, provisions requiring (1) completed background investigations for contractor employees before they are granted access to sensitive IRS information, and (2) periodic, unannounced inspections at off-site shredding facilities by IRS to verify ongoing compliance with IRS safeguards and security requirements.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: IRS implemented a National Document Destruction Contract with the National Institute for the Severely Handicapped (NISH) who services 552 (95%) of the 584 facilities needing shredding services. All NISH contracts require that the (1) contractor shall perform background investigations on all employees involved in IRS document destruction and (2) provisions of the contract must allow for, at a minimum, an annual IRS inspection of the contractor facility and operations to ensure the safeguarding of IRS information. For the remaining 32 (5%) facilities not covered under the NISH nationwide contract, IRS provided a Performance Work Statement for Secured Document Destruction Services which has the same requirements as the NISH contract.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to revise the IRM to include a requirement that IRS conduct periodic, unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information, document the results, including identification of any security issues, and verify that the contractor has taken appropriate corrective actions on any security issues observed.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Open

Comments: IRS's update to the IRM specifies that off-site shredding contracts contain provisions for periodic IRS inspections, however, the IRM language does not include specific provisions requiring that IRS: (1) conduct periodic unannounced inspections at off-site contractor facilities entrusted with sensitive IRS information; (2) document the results, including identification of any security issues; and (3) verify that the contractor has taken appropriate corrective actions on any security issues observed. During GAO's fiscal year 2011 audit, it found that the off-site shredding contracts contained appropriate language, such as stipulations for unannounced compliance reviews, however; site inspections were not always being performed by IRS personnel. GAO will continue to evaluate IRS's corrective actions during its fiscal year 2011 audit.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to establish procedures to require obtaining and reviewing documentation of completed background investigations for all shredding contractors before granting them access to taxpayer or other sensitive IRS information.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: GAO confirmed that IRS included language in the National Document Destruction contract with the National Institute for the Severely Handicapped (NISH) and non-NISH contract, Performance Work Statement for Secured Document Destruction Services, requiring that shredding contractor companies report to IRS on a quarterly basis the start date and background investigation completion date for each contractor involved in the destruction of IRS information. IRS established procedures to perform annual random reviews of contractor records to ensure compliance.

Recommendation: The Commissioner of Internal Revenue should direct the appropriate IRS officials to reinforce existing policies requiring IRS personnel to use the revised Form 13094 when hiring juveniles.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: GAO confirmed that IRS sends monthly reminders to its Employment Offices. Also, GAO verified the Human Capital Office issued an alert to clarify guidance in its suitability standards for hiring juveniles, and conducted an oversight review of the Juvenile Employment Program in September 2009. GAO believes that these actions met the intent of its recommendation by enforcing the requirement to receive and make direct contact with character references when hiring juveniles.

Recommendation: The Commissioner of Internal Revenue should direct the appropriate IRS officials to reinforce existing policies requiring IRS personnel to verify the information on Form 13094 by contacting the reference directly and documenting the details of this contact.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Open

Comments: During the fiscal year 2010 IRS financial statement audit, GAO identified instances in which IRS employment office staff did not (1) obtain a correctly completed Form 13094 and (2) document required verification of the information on Form 13094 by contacting the reference directly. IRS's Employment, Talent, and Security (ETS) division conducted training for Employment offices on contacting appropriate references and documenting the results accordingly. ETS developed a centralized quality review of forms for juveniles hired during fiscal year 2011 and completed an internal program audit for the first and second quarters of fiscal year 2011. GAO will review IRS's corrective actions during its audit of IRS's fiscal year 2011 financial statements.

Recommendation: The Commissioner of Internal Revenuse should issue a memorandum to Receipt and Control Operations (RCO) Unit staff reiterating existing requirements for (1) supervisory reviews of the processing of TE/GE user fee deposits, and (2) key documentation to be signed and dated by the supervisor as evidence of that review.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: GAO verified that IRS issued a memorandum to its operations manager of Receipt and Control to reinforce procedures in its Internal Revenue Manual (IRM) requiring signed supervisory review of user fee deposits. Additionally, during GAO's audit of IRS's fiscal year 2008 financial statements, it did not identify any instances where IRS did not document supervisory review of the user fee deposits tested.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to modify existing guidelines to require documentation and implementation of detailed internal control procedures for IRS's purchase card program. Specifically, existing guidelines should be modified to provide for detailed internal control procedures requiring that purchase card approving officials and purchase cardholders sign and date monthly account statements attesting to their review and completion of the required reconciliation process.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: GAO confirmed that IRS modified its existing guidelines and fully implemented the Purchase Card Module. However, during GAO's audit of IRS's fiscal year 2008 financial statements, it noted that the purchase card approving official's signature attesting to the review and reconciliation of the monthly statement is now captured electronically by the Purchase Card Module. GAO also noted that the purchase card approving officials were not always electronically reconciling and approving transactions within the required timeframes documented in IRS's existing guidelines. Timely reconciliation and approval of transactions is necessary to help ensure that purchase card transactions are valid and appropriate. GAO issued a new recommendation to address the additional issue in GAO-09-513R, which it subsequently closed (see GAO-10-597) based on further corrective actions taken by IRS.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to modify existing guidelines to require documentation and implementation of detailed internal control procedures for IRS's purchase card program. Specifically, existing guidelines should be modified to provide for detailed internal control procedures requiring that purchase cardholders obtain funding approval or verify that funds are available for the intended purpose prior to making a purchase.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: GAO confirmed that IRS modified its existing guidelines and fully implemented the Purchase Card Module. During GAO's audit of IRS's fiscal year 2008 financial statements, it noted that purchase cardholders obtained funding approval electronically through the Purchase Card Module prior to making a purchase. The Purchase Card Module directly interfaces with the funding requisition function of IRS's Web-based Requisition Tracking System to verify funds availability.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to modify existing guidelines to require documentation and implementation of detailed internal control procedures for IRS's purchase card program. Specifically, existing guidelines should be modified to provide for detailed internal control procedures requiring that purchase card approving officials update and maintain appropriate supporting documentation.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: Even though IRS did not modify its existing guidelines to require the purchase card approving official to maintain copies of the purchase cardholder's supporting documentation, GAO confirmed that IRS developed compensating internal control procedures. IRS's existing guidelines require the purchase cardholder to maintain the supporting documentation and for approving officials to ensure that the cardholders have all required documentation. During GAO's audit of IRS's fiscal year 2008 financial statements, it noted that the purchase cardholders maintained appropriate supporting documentation.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to modify existing guidelines to require documentation and implementation of detailed internal control procedures for IRS's purchase card program. Specifically, existing guidelines should be modified to provide for detailed internal control procedures requiring that purchase cardholders and purchase card approving officials retain copies of all supporting documents for a reasonable period of time, such as 3 years.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: Even though IRS did not modify its existing guidelines, GAO confirmed that the current guidelines require cardholders to maintain supporting documentation for 3 years. IRS's existing guidelines require the purchase cardholder to maintain the supporting documentation and for approving officials to ensure that the cardholders have all required documentation. During GAO's audit of IRS's fiscal year 2008 financial statements, it noted that the purchase cardholders maintained appropriate supporting documentation.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to issue a memorandum addressed to all personnel responsible for updating inventory records that reiterates IRS existing policy requiring that new assets be inputted into the inventory system within 10 days after receipt.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: IRS issued a memorandum to all personnel responsible for updating inventory dated September 5, 2008. The memorandum reiterated IRS's existing policy requiring that new assets be input into the inventory system within 10 days of receipt and provides additional clarification regarding the timely update of asset inventory records.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to establish procedures to require documentation demonstrating that favorable background checks have been completed for all contractors prior to allowing them access to TAC and other field offices.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Open

Comments: IRS continues to work with the General Services Administration (GSA) to complete janitorial background investigations. IRS requested background investigations for contractors working in all IRS facilities including those where GSA controls the lease arrangements; however, GSA only agreed to perform background investigations for those contractors working in level III and IV facilities. GSA has completed background investigations for approximately 96% of GSA contractors within Level III and Level IV buildings and is expected to complete the remainder of all GSA contractor background investigations for all Level III and Level IV buildings by June 15, 2011. As an interim measure, IRS has asked GSA to arrange for daytime janitorial cleaning in order for IRS employees to observe janitorial staff in buildings where background investigations have not been conducted. GAO will continue to evaluate IRS's corrective actions during the fiscal year 2011 audit.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to modify the IRM to specify qualifications and geographical proximity requirements for individuals designated as first responders to duress alarms at IRS facilities, and to require that the responsibilities and qualifications of all designated first responders be periodically reviewed to verify that over time, they continue to be qualified and appropriately located, and to make any necessary adjustments.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: IRS revised the Internal Revenue Manual to specify the qualifications and geographical proximity requirements for individuals designated as first responders and included a provision to require quarterly reviews of this issue.

Recommendation: The Commission of Internal Revenue should direct appropriate IRS officials to verify that when it becomes fully operational, Custodial Detail Data Base (CDDB), when used in conjunction with IRACS, will provide IRS with the direct transaction traceability for all of its tax-related transactions as required by the U.S. Government Standard General Ledger (SGL) and Federal Financial Management Systems Requirements (FFMSR), and thus FFMIA.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Open

Comments: During GAO's fiscal year 2010 audit, it concluded that IRS's revenue and refund transactions provide adequate transaction traceability. For unpaid assessments, the reported gross taxes receivable in RRACS could be traced to individual transactions in CDDB; however, once the gross amount is adjusted by statistical estimation, the adjustments, and consequently the resultant adjusted federal gross taxes receivable balance is not traceable to individual underlying transactions and consequently constitutes a deficiency in internal control over unpaid assessments. GAO will continue to review IRS's corrective actions to address this recommendation during its fiscal year 2011 audit.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to document and implement the specific procedures to be performed by the statistician in each step of the unpaid assessments estimation process.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: During fiscal year 2010, IRS finalized documentation detailing the specific procedures to be performed by IRS's statistician in each step of the unpaid assessment estimation process. GAO confirmed that IRS implemented these detailed steps as part of its formal unpaid assessments estimation process during fiscal year 2010.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to document and implement specific detailed procedures for reviewers to follow in their review of unpaid assessments statistical estimates. Specifically, IRS should require that a detailed supervisory review be performed to ensure: (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll-forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: During fiscal year 2010, IRS finalized documentation detailing the specific procedures to be performed by supervisors in reviewing the work of its statistician in preparing IRS's unpaid assessments statistical estimates. The guidance includes specific procedures to ensure: (1) the statistical validity of the sampling plans, (2) data entered into the sample selection programs agree with the sampling plans, (3) data entered into the statistical projection programs agree with IRS's sample review results, (4) data on the spreadsheets used to compile the interim projections and roll-forward results trace back to supporting statistical projection results, and (5) the calculations on these spreadsheets are mathematically correct. GAO confirmed that IRS implemented these detailed steps as part of its formal unpaid assessments estimation process during fiscal year 2010.

Recommendation: To address the inconsistency in assigning the effective date of an accuracy penalty, the Commissioner of Internal Revenue should direct the appropriate IRS officials to modify the Business Master File (BMF) computer program so that the date of the deficiency assessment is used as the effective date of any related accuracy penalty.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: IRS changed the computer program for calculating accuracy related penalties in its Business Master File to assign the effective date of the accuracy penalty to match the date of the related deficiency assessment. The change makes the assessment of accuracy related penalties in its Business Master File consistent with how IRS calculates accuracy-related penalties in its Individual Master File. GAO reviewed IRS's documentation showing the implementation of the programming change as well as the results of its internal tests and verified that the programming change functioned as intended.

Recommendation: To address other issues that may exist in IRS's master files that affect penalty calculations, the Commissioner of Internal Revenue should direct appropriate IRS officials to complete and document the review of existing programs in the master files that affect penalty calculations to identify any instances in which programs are not functioning in accordance with the intent of the Internal Revenue Manual (IRM).

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: GAO confirmed that IRS completed its review of existing master file computer programs that affect penalty calculations and documented a listing of instances in which programs are not functioning in accordance with the intent of the Internal Revenue Manual.

Recommendation: To address other issues that may exist in IRS's master files that affect penalty calculations, the Commissioner of Internal Revenue should direct appropriate IRS officials to, in instances where programs are not functioning in accordance with the intent of the IRM, take appropriate action to correct the programs so that they function in accordance with the IRM.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Open

Comments: While IRS completed corrective actions to address some of the programming issues and is continuing work on others identified from its internal review, it has not yet completed all of its planned programming corrections. GAO will continue to review IRS's corrective actions to address this recommendation during its fiscal year 2011 audit.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to develop and provide comprehensive guidance to assist TAC managers in conducting reviews of outlying TACs and documenting the results. This guidance should include a description of the key controls that should be in place at outlying TACs, specify how often these key controls should be reviewed, and specify how the results of each review should be documented, including follow-up on issues identified in previous TAC reviews.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Open

Comments: According to IRS, its Wage and Investments (W&I) business division's Field Assistance unit continues to use the Taxpayer Assistance Center (TAC) Security Remittance Review Database (TSRRD) to document supervisory reviews. Managers are required to conduct and document their reviews to ensure the protection of data and compliance with remittance and security procedures. However, during GAO's audit of IRS's fiscal year 2010 financial statements, it found that certain questions in the TSRRD were unclear or ambiguous, contributing to incorrect responses entered by group managers completing the reviews. IRS's efforts to address this recommendation are ongoing. For example, at the time of GAO's TAC internal control visits in mid-March 2011 conducted as part of the fiscal year 2011 financial audit, IRS Field Assistance had not yet received the results of the semi-annual TSRRD submission and thus GAO was unable to validate IRS's corrective actions. GAO will continue to evaluate IRS's corrective actions during its fiscal year 2011 audit.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to establish a process to periodically update and communicate the specific required reviews for all off-site TAC managers.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: GAO confirmed that IRS established a process to periodically update and communicate the specific required reviews for all off-site Taxpayer Assistance Center (TAC) managers through quarterly reminders and reviewing and monitoring the status of corrective actions noted during operational reviews. In addition, IRS outlined the reviews that TAC managers are required to conduct in its Internal Revenue Manual.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to establish a mechanism to monitor compliance with the existing requirement that TAC employees responsible for accepting taxpayer payments in cash have their computer system access appropriately restricted to limit their ability to adjust taxpayer accounts.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: IRS mandated the use of the restrict command codes to Taxpayer Assistance Center (TAC) employees accepting cash payments to limit their system access rights and ability to adjust taxpayer accounts. These procedures are monitored during operational reviews conducted by area and territory managers, at which time group managers are reminded of the existing requirements to restrict command codes.

Recommendation: The Commissioner of Internal Revenue should direct appropriate IRS officials to establish procedures requiring periodic verification that all individuals designated as first responders to TAC duress alarms are appropriately qualified and geographically located to respond to the potentially dangerous situations in an effective and timely manner.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: IRS established procedures in its Internal Revenue Manual requiring quarterly verification that individuals designated as first responders to Taxpayer Assistance Center (TAC) duress alarms are appropriately qualified and geographically located to respond to the potentially dangerous situations in an effective and timely manner.

Recommendation: The Commissioner of Internal Revenue should direct the appropriate IRS officials to issue a memorandum to employees that reiterates IRS policy requiring all employees to obtain appropriate approval of travel authorizations prior to the initiation of their travel.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Open

Comments: According to IRS, it implemented GovTrip requiring all travelers to use the new system. Travelers are required to create an authorization before travel begins, and GovTrip will not allow a voucher to be created without a signed/approved authorization. IRS officials stated they also continue to issue communications to all employees reiterating the policy requiring all employees to obtain approval of travel authorizations before the initiation of travel through periodic notices on the IRS intranet, and said they plan to continue to monitor compliance with this requirement. While GAO confirmed that IRS implemented its GovTrip system and that GovTrip does not allow a voucher to be created without an approved authorization entered into the system, GAO found that GovTrip allows an authorization to be created after the date of travel and thus, cannot ensure that travel is authorized before it begins. Also, IRS could not provide an example of its communications that mentioned the requirement to obtain approval of a travel authorization prior to the initiation of travel. In addition, during GAO's fiscal years 2009 and 2010 audits of IRS's financial statements, it continued to find instances where IRS staff did not obtain approval of travel authorizations in advance of travel. GAO will continue to review IRS's progress in implementing this recommendation during future audits.