Summary: In November 2007, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of, and for the fiscal years ending, September 30, 2007, and 2006, and on the effectiveness of its internal controls as of September 30, 2007. We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA). The purpose of this report is to discuss issues identified during our audit of IRS's financial statements as of, and for the fiscal year ending, September 30, 2007, regarding internal controls that could be improved for which we currently do not have a specific recommendation outstanding. Although not all of these issues were discussed in our fiscal year 2007 audit report, they all warrant management's consideration. This report contains 24 recommendations that we are proposing IRS implement to improve its internal controls. We will issue a separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports, including this one. We conducted our audit in accordance with U.S. generally accepted government auditing standards.
During our audit of IRS's fiscal year 2007 financial statements, we identified several internal control matters not addressed by previous recommendations. These matters concern the following: summary information reported in the Interim Revenue Accounting Control System (IRACS), IRS's general ledger system for tax-related transactions, could not be traced to the underlying detailed transaction records. Supervisory review procedures for IRS's unpaid assessments estimation process were not effective in preventing or detecting errors. Controls over computer programs affecting penalty assessments did not ensure that the programs always functioned in accordance with IRS's policies and procedures. Documentation of off-site Taxpayer Assistance Center (TAC) managers' reviews was not always readily available and, when provided, lacked the information needed to effectively assess the internal control environment at 5 of the 10 TACs we visited. In addition, these managers lacked clear, comprehensive, and up-to-date guidance for conducting and documenting TAC reviews. Computer access rights of employees responsible for processing cash deposits were not properly restricted to prevent unauthorized adjustments to certain taxpayer account information at 4 of the 10 TACs we visited. First responders to duress alarms were not always qualified or located to effectively respond to emergencies at 5 of the 10 TACs we visited. Documentary evidence demonstrating that background investigations--with favorable results--had been completed for contractors before they were given unescorted access to the facilities was not obtained at six TACs and three field offices we visited. Documentary evidence that background investigations--with favorable results--had been completed for contractors working at off-site shredding facilities was not obtained before they were given access to taxpayer and sensitive information. IRS also was not performing periodic, unannounced inspections of these facilities. New policies and procedures for hiring juveniles were not fully implemented. Evidence of supervisory reviews of documentation demonstrating compliance with key controls related to the processing of Tax Exempt/Government Entity (TE/GE) user fees was lacking. Key controls over IRS's purchase card program were not adequate. Information on new assets was not always recorded in IRS's property and equipment inventory system within required time frames. Travel authorizations for employees were not always approved before travel was initiated. These internal control matters increase the risk that IRS may fail to prevent or timely detect (1) errors in financial data and reporting, computer-generated penalty assessments, and user fee processing; (2) the loss, theft, or misuse of taxpayer receipts, information, and government property; (3) improper or fraudulent procurement; and (4) unauthorized travel.
