This is the accessible text file for GAO report number GAO-03-562r entitled 'Management Report: Improvements Needed in IRS's Internal Controls' which was released on May 21, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. May 20, 2003: The Honorable Mark W. Everson: Commissioner of Internal Revenue: Subject: Management Report: Improvements Needed in IRS's Internal Controls: Dear Mr. Everson: In November 2002, we issued our report on the results of our audit of the Internal Revenue Service's (IRS) financial statements as of and for the fiscal years ending September 30, 2002 and 2001, and on the effectiveness of its internal controls as of September 30, 2002.[Footnote 1] We also reported our conclusions on IRS's compliance with significant provisions of selected laws and regulations and on whether IRS's financial management systems substantially comply with requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA). A separate report on the implementation status of recommendations from our prior IRS financial audits and related financial management reports will be issued shortly. The purpose of this report is to discuss issues identified during our fiscal year 2002 audit regarding accounting procedures and internal controls that could be improved for which we do not presently have any recommendations outstanding. Although not all of these issues were discussed in our fiscal year 2002 audit report, they all warrant management's attention. Results in Brief: During fiscal year 2002, IRS had a number of internal control issues that affected financial reporting, which includes safeguarding of assets. These issues concern policies and procedures related to (1) employee fingerprint records, (2) enforcement of courier service standards, (3) taxpayer receipt processing areas, (4) candling,[Footnote 2] (5) acceptance of tax payments in cash, and (6) structuring of installment agreements. Each of these control weaknesses posed added risks of losses, nonpayment of taxes, or potential burden to taxpayers. Specifically, we found the following: IRS did not always ensure that fingerprint check results for individuals entering on duty were under the required 180 day expiration period. The fingerprint check results consist of information provided by law enforcement agencies on events that occurred before the fingerprint check results are released. The older the fingerprint check results are, the greater the risk that IRS might hire applicants unsuitable for working with taxpayer receipts and information. IRS did not always ensure that couriers adhered to certain security requirements. We found that (1) at half of IRS's service center campuses, couriers did not undergo the specified background investigations or fingerprint checks and (2) a courier service had not maintained the required insurance coverage for the deposits it transports. IRS did not maintain consistently effective physical security controls over its receipt processing areas. We found (1) instances at service centers where prohibited items were brought into receipt processing areas and where the requirement to carry permitted personal items in clear plastic bags was circumvented and (2) at one of two taxpayer assistance centers[Footnote 3] we visited, employees were allowed to store personal belongings with cash payments and official receipt certificate vouchers. IRS did not always ensure that emptied envelopes were candled twice or that final candling was not performed by a single employee in a remote area.[Footnote 4] At some taxpayer assistance centers, IRS did not accept cash payments from taxpayers as required by IRS policy, thereby imposing an undue burden on certain taxpayers. IRS did not always structure installment agreements with taxpayers to provide for full payment of the tax liability as required by the Internal Revenue Code. At the end of our discussion of each of the first five of these issues, we make recommendations for strengthening IRS's internal controls. In its comments, IRS agreed with our recommendations and described actions it was taking or planned to take to address several of the control weaknesses described in this report. At the end of our discussion of each of the issues in this report where we are making recommendations, we have summarized IRS' related comments and provided our evaluation. We also considered IRS' comments on our findings and have made revisions as appropriate. Scope and Methodology: As part of our audit of IRS's fiscal years 2002 and 2001 financial statements, we evaluated IRS's internal controls and its compliance with selected provisions of laws and regulations. We designed our audit procedures to test relevant controls including those for proper authorization, execution, accounting, and reporting of transactions. We conducted our audit in accordance with U.S. generally accepted government auditing standards. We requested comments on a draft of this report from the Acting Commissioner of IRS. We received written comments from the Acting Commissioner and have reprinted the comments in enclosure I to this report. Further details on our scope and methodology are included in our November 2002 report on the results of our fiscal years 2002 and 2001 financial statement audits and are reproduced in enclosure II.[Footnote 5] Enforcement of Expiration Period Policy for Fingerprint Check Results: In previous years, we found that IRS was hiring individuals and allowing them access to cash, checks, and other taxpayer data before it had received satisfactory results of their fingerprint checks, thereby subjecting IRS to an increased risk of theft or misuse of taxpayer receipts and taxpayer data.[Footnote 6] During our fiscal year 2002 audit, we found that IRS had made substantial progress in this area and as a result had significantly reduced its exposure related to the risk of hiring individuals prior to receiving satisfactory fingerprint check results.[Footnote 7] However, fingerprint results most accurately reflect all the information known by law enforcement authorities on an individual on the date the results are obtained. The usefulness of preemployment fingerprint results in enabling an employer to assess an individual's suitability for employment therefore decreases as the age of the fingerprint results used increases. IRS's hiring policies require that IRS receive and evaluate fingerprint check results before individuals enter on duty and set the expiration period for these results at 180 days. However, in our fiscal year 2002 audit, we found that IRS did not actively track fingerprint results to ensure that they did not exceed the 180-day limit when individuals entered on duty. Specifically, we found 53 instances in which new employees entered on duty at IRS with fingerprint check results over180 days old. Until IRS enforces its policy on the expiration period for fingerprint check results it is exposed to increased risk of hiring applicants with unsuitable backgrounds to handle cash, checks, and sensitive taxpayer information. This, in turn, increases the risk of potential theft and misuse of taxpayer receipts and data. Recommendation: To further reduce IRS's risk of hiring unsuitable employees to handle and process taxpayer receipts and data, we recommend that IRS enforce its policy of a 180-day expiration period for fingerprint check results when an individual enters on duty. IRS's Comments and Our Evaluation: IRS agreed with this issue and indicated in its response that it has already taken action to address the finding. In its comments, IRS stated that it has a policy of 180 days for the expiration period of fingerprint results. IRS had initially informed us that it did not have such a policy. As a result, we modified the report to stress the importance of IRS enforcing this policy. With respect to actions taken to address this finding, IRS stated that it had (1) reemphasized its policy to background investigation coordinators and personnel officers and (2) created and distributed software calculating the fingerprint results expiration date and instructed staff to use this software and note the expiration date on the fingerprint check results documentation. We will evaluate the effectiveness of IRS's efforts during our fiscal year 2003 financial audit. IRS also noted that exceptions could be made to the policy for GS-1811 Criminal Investigation Special Agents and executives from outside the IRS, as they must complete an additional background investigation prior to their entering on duty. However, we had specifically excluded any individual having met these additional requirements from our count of 53 instances in which employees entered on duty with fingerprint check results past the 180-day expiration period. Enforcement of Courier Service Standards: During previous audits of IRS's financial statements, we found that IRS did not have effective controls in place to ensure that its courier service requirements were enforced. Since November 1998, we have reported that IRS lacks effective controls over courier services responsible for transporting taxpayer receipts.[Footnote 8] To address some of these matters, we recommended that IRS (1) clarify that the intent of the requirement for background investigations is meant to apply to personnel being entrusted with taxpayer receipts and information rather than just personnel being granted access to an IRS facility and (2) develop policies intended to ensure that contracts related to courier services do not unduly expose the government or taxpayers to losses in the event that deposits are lost, stolen, or damaged in transit. IRS has made an effort to address courier security weaknesses we identified by adopting more stringent security standards for couriers who transport IRS's daily deposits to depositary institutions. Specifically, as a result of our recommendations, IRS established a policy that couriers requiring access to IRS facilities undergo a limited background investigation, including a fingerprint check. IRS subsequently extended the requirement for background investigations to all personnel entrusted with taxpayer receipts and information. In addition, the courier service standards were revised to include, in particular, a requirement that courier services have and maintain insurance coverage valued at $1 million to cover the costs of reconstructing a lost, stolen, or destroyed deposit. However, during our fiscal year 2002 audit, we identified two issues related to IRS's enforcement of its courier service standards that increased the risk that (1) taxpayer receipts and taxpayer data could be lost, stolen, or misused by couriers who transport these items and (2) taxpayers and the government could be unnecessarily exposed to the risk of financial loss. Specifically, we found that at 5 of IRS's 10 service centers for which agreements for courier services were negotiated by the Department of the Treasury's Financial Management Service (FMS), there was no requirement that couriers undergo background investigations or FBI fingerprint checks.[Footnote 9] Such a requirement does exist for the 5 service center campuses for which courier services agreements were negotiated by IRS. According to FMS, these background check requirements were not incorporated in the FMS- negotiated courier agreements because FMS had been waiting since 2000 for IRS to issue a final revision of its courier service standards--IRS issued revised standards on September 6, 2002. As of the end of our fiscal year 2002 audit fieldwork, FMS-negotiated agreements for couriers had not been revised. As a result, through fiscal year 2002, couriers under FMS-negotiated contracts were not required to undergo background investigations. While IRS relies on FMS to enter into agreements with general depositaries, IRS nonetheless retains the responsibility to ensure that resulting contracts reflect the standards it establishes as necessary for personnel entrusted with taxpayer deposits. Until all couriers who are entrusted with IRS deposits are required to undergo background investigations, including fingerprint checks, IRS runs an increased risk that taxpayer receipts and taxpayer data may be vulnerable to theft, loss, or misuse. Additionally, at one of two IRS service center campuses we visited, we found that the campus did not verify that the courier service had insurance coverage as required by the courier service standards. According to the courier's insurance agency, it had not provided insurance coverage to the courier service for the last year. Until IRS ensures that courier services are complying with courier service standards, taxpayers and the government will be unnecessarily exposed to the risk of financial loss. Recommendations: We recommend that IRS: confirm with FMS that IRS' requirements for background and fingerprint checks for courier services are met regardless of whether IRS or FMS negotiates the service agreement, and establish procedures to verify that courier services are adhering to the standards established for them by IRS, including the requirement that the courier services have insurance coverage. IRS's Comments and Our Evaluation: IRS agreed with our recommendations. IRS noted that (1) FMS had amended the Courier Memorandum of Understanding to include the requirement that all courier employees under contracts negotiated by FMS satisfy the basic investigation requirements, (2) IRS had established a campus contact at each of its 10 service center campuses to ensure that all required information is submitted to the National Background Investigation Center (NBIC) and that a clearance is granted, and (3) it had requested NBIC to provide it with a monthly report of campus compliance. IRS also noted that its Security Review Team of Receipt and Control reviews compliance with the courier requirements monthly and that it had (1) requested that the 5 campuses where IRS holds the courier contracts produce insurance certificates for the couriers during these reviews and (2) requested FMS to direct the depositary banks holding the courier contracts for the 5 remaining campuses to provide the insurance certificates to IRS. We will evaluate the effectiveness of IRS' efforts during our fiscal year 2003 financial audit. Controls in Receipt Processing Areas: During our fiscal year 2002 audit, we identified weaknesses in IRS's controls over its receipt processing areas that increased the risk that taxpayer receipts and taxpayer information could be lost or stolen. These weaknesses relate to the presence of certain personal belongings that employees bring into receipt processing areas. GAO's Standards for Internal Control in the Federal Government requires agencies to establish controls to secure and safeguard vulnerable assets. In our prior audits, we found that IRS did not have consistent controls over personal belongings brought into receipt processing areas; we recommended that IRS (1) restrict personal items that can be brought into the receipt processing areas, such as handbags, briefcases, and bulky outerwear, (2) provide lockers and require their use for storing personal belongings outside of the receipt processing areas, and (3) expand IRS's review of service center deterrent controls to include similar analyses of controls at IRS field offices in areas such as safeguarding of receipts by storing them in locked containers.[Footnote 10] In response to our recommendations, IRS issued policies requiring that (1) employees display in clear plastic bags certain other personal items that can be kept at their desks and transported in and out of the receipt processing area, (2) employees store such items as purses, backpacks, lunch bags, CD cases, newspapers, and magazines in lockers before they enter the receipt processing area, and (3) taxpayer assistance centers secure cash payments and receipts in locked containers. In each of our fiscal year 2001 and 2002 audits, we found that at one of two service center campuses we visited, many of the clear plastic bags employees used to bring personal belongings into the receipt processing area contained so many items that it would have been easy for employees to use the bags to conceal and remove checks from the area. At one of these campuses, we found that employees carried prohibited items such as CD cases, newspapers, and magazines--all items in which taxpayer receipts could be easily concealed--into the receipt processing area in plastic bags. At another campus, we observed employees using large clear plastic backpacks and tote bags to carry multiple personal belongings such as lunch bags, makeup bags and items of clothing. Such practices are at odds with the purpose intended in IRS's policies----namely limiting personal items allowed into the receipts processing area and requiring that all items allowed in be clearly visible. Until campuses are required to adhere to policies concerning employees' personal belongings in a consistent manner and until these policies are effectively enforced, taxpayer receipts and taxpayer information are vulnerable to theft or loss. Additionally, during our fiscal year 2002 audit, we found that at one of two taxpayer assistance centers we visited, employees were allowed to store cash payments and official receipt certificate vouchers with their personal belongings in desk drawers, overhead cabinets, and lockers. IRS employees could use these personal belongings to conceal and remove funds from the receipt processing area. Unlike service centers, IRS does not have a policy concerning personal belongings at taxpayer assistance centers. Thus, there is nothing preventing employees at taxpayer assistance centers from storing personal belongings with cash payments and receipts. Until IRS ensures that cash payments and receipts are not stored with employees' personal belongings, taxpayer receipts are vulnerable to theft, loss, or misuse. Recommendations: We recommend that IRS: enforce consistent implementation of its policy limiting personal belongings in receipt processing areas at service center campuses and: prohibit the storage of employees' personal belongings with cash payments and receipts at IRS's taxpayer assistance centers. IRS's Comments and Our Evaluation: IRS agreed with our recommendations and stated it would (1) issue a memorandum requiring managers in receipt processing areas at service center campuses to ensure that employees are adhering to the established security procedures and (2) require unit managers in these areas to conduct random reviews of employee compliance with all security policies. IRS also stated it would review managerial adherence to this direction on a monthly basis as well as have its security review team perform unannounced reviews. We will evaluate the effectiveness of IRS' efforts in future audits. Candling Procedures: During our fiscal year 2002 financial audit, we found that IRS's candling procedures were not adequate to minimize the risk that taxpayer receipts and information could be destroyed, lost, or stolen. GAO's Standards for Internal Control in the Federal Government requires agencies to establish physical controls to secure and safeguard vulnerable assets. IRS receives mail of different dimensions and separates and uses different methods to extract the contents depending on their dimensions. The extraction methods IRS employs to separate the envelopes from their contents are not always fully effective. To help ensure that items that were not removed from envelopes during extraction are not subsequently destroyed with the envelopes, IRS established a candling process. The candling procedures are documented in two separate sections of IRS's Internal Revenue Manual (IRM). The first section addresses the extraction of envelope contents and requires that envelopes be candled after their contents have been removed. The second section states that "those envelopes to be destroyed shall be reviewed again before destruction." However, these procedures do not provide sufficient guidance as to what specific candling procedures need to be followed in each of the two candlings. During our fiscal year 2002 audit, as well as in our previous audits, we observed instances where taxpayer receipts or taxpayer data were not removed from envelopes during the extraction phase and would have been destroyed had they not been discovered through a final candling just prior to destruction of the envelopes and using a light source to illuminate the envelopes. Yet, in fiscal year 2002, we found that at one of two IRS service center campuses we visited, some envelopes were not candled at the point of extraction. Thus, these envelopes received, at most, one candling prior to destruction. Until IRS clarifies its candling requirements to ensure that emptied envelopes are candled twice and to specify the precise candling methods to be used based on the dimensions of the mail processed and the extraction method used for each of the two candlings, IRS's risk of loss of taxpayer receipts and information is increased. We also found that at one of the two IRS service center campuses we visited, a single employee performed the final candling of envelopes in an area removed from other ongoing work in the receipts processing area - -a procedure not prohibited by IRS's policies and procedures. The initial candling, because it is performed immediately upon extraction, generally occurs in the presence of other employees in the receipt processing area. However, final candling often occurs in a less- populated area of receipt processing. By not prohibiting a single employee in a remote location from performing the final candling, IRS's risk of theft of taxpayer receipts and information increases. Recommendations: We recommend that IRS: revise its candling procedures to specify the precise candling methods to be used based on the dimensions of the mail processed and the extraction method used for both the first and the final candling and establish and implement procedures prohibiting a single employee from performing the final candling in a remote location. IRS's Comments and Our Evaluation: IRS agreed with our recommendations and stated it would provide us with copies of the procedures developed to address these recommendations by May 30, 2003. Cash Acceptance Procedures at Taxpayer Assistance Centers: During our fiscal year 2002 audit, we found that IRS did not have controls in place to ensure that its taxpayer assistance centers adhere to its cash payment acceptance requirement. IRS policy states that IRS must accept cash payments from taxpayers who do not have a check or money order, are unable to obtain one, or insist on paying in cash. However, during our fiscal year 2002 audit, we found that the taxpayer assistance center at one of two IRS field offices we visited, as well as other taxpayer assistance centers in the area, did not accept cash payments. At the taxpayer assistance center we visited, employees would direct taxpayers to a nearby financial institution where they could obtain a money order, but that institution did not maintain the same hours as the center and was regularly closed during parts of the day. These centers' refusal to accept cash payments could place undue burden on taxpayers who do not have a check or money order or are unable to obtain one. To obtain a money order, they must find an open financial institution and then pay a fee. The burden associated with these extra efforts and costs could adversely impact IRS's collection of taxes owed. Recommendations: We recommend that IRS: determine which taxpayer assistance centers do not accept payment of taxes in cash and issue a memorandum reminding them of the requirement that cash be accepted and establish a mechanism to periodically review adherence to this policy. IRS's Comments and Our Evaluation: IRS agreed with our recommendations. In its comments, IRS noted that (1) it had included guidelines in its Fiscal Year 2003 Field Assistance Office Operating Procedures stating that all taxpayer assistance centers (TACs) would accept all standard forms of payment including checks, money orders, and cash, (2) signs are to be posted in all TACs, specifying that exact change must be remitted as IRS cannot make change, and (3) it will be reviewing adherence to these procedures. Structuring of Installment Agreements: During our fiscal year 2002 financial audit, we found that IRS did not always structure installment agreements to provide for full payment of the tax liability as required by section 6159 of the Internal Revenue Code. As we noted in our fiscal year 2002 audit report, the presence of cases in fiscal year 2002 that were not structured to obtain full payment indicates that IRS was not in compliance with the Internal Revenue Code.[Footnote 11] IRS's failure to properly structure taxpayer installment agreements could result in the loss to the federal government of legally collectible tax revenue. Section 6159 of the Internal Revenue Code grants IRS the power to enter into written agreements with certain taxpayers to allow them to pay their full tax liability (along with additional interest) in installments. Both the Internal Revenue Code and IRS's procedures require that installment agreements fully satisfy the tax debt (including future accruals of interest and penalties) before the statutorily allowed period for collection on the liability expires.[Footnote 12] However, in our testing of a statistical sample of 59 installment agreements entered into during fiscal year 2002, we found 4 instances in which the terms of the agreements did not require full satisfaction of the tax liability. Based on the results of our work, we estimate that nearly 7 percent of the new installment agreements entered into during fiscal year 2002 had payment terms that would not fully satisfy the tax liability within the statutory collection period.[Footnote 13] In each of these cases, we found that the installment agreements did not fully satisfy the tax debt because IRS did not consider accruals of interest and penalties in calculating the total amount to be paid under the installment agreements. This occurred for two reasons. First, customer service representatives relied on IRS's Integrated Data Retrieval System (IDRS) to determine the amount of the taxpayer's liability in structuring the terms of the installment agreement. However, IDRS includes only assessed balances rather than the total amount of tax owed, which must also include interest and penalties. While IRS procedures require that its customer service representatives use a special command function that takes various accruals into account when entering into installment agreements, these procedures were not followed in these cases. Second, taxpayers may apply for an installment agreement through the Telephone Routing Interactive System. However, the balance due amounts in this system, like those in the IDRS, do not include accrued interest and penalties, and thus understate the total amount of tax owed. After we discussed these findings with IRS, management reinforced the current installment agreement guidance, provided additional training, and issued a memo to the customer service representatives that stressed the importance of following this guidance. In addition, IRS revised the Telephone Routing Interactive System to include both interest and penalty accruals in its calculation of installment agreement: balances. We commend IRS for its prompt action to develop and implement corrections to the installment agreement controls and will evaluate the effectiveness of these corrective actions during our fiscal year 2003 financial audit. - - - --: This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. 720 to submit a written statement on actions taken on these recommendations. You should submit your statement to the Senate Committee on Governmental Affairs and the House Committee on Government Reform within 60 days of the date of this report. A written statement must also be sent to the House and Senate Committees on Appropriations with the agency's first request for appropriations made more than 60 days after the date of the report. This report is intended for use by the management of IRS. We are sending copies to Chairmen and Ranking Minority Members of the Senate Committee on Appropriations; Senate Committee on Finance; Senate Committee on Governmental Affairs; Senate Committee on the Budget; Subcommittee on Transportation, Treasury, and General Government, Senate Committee on Appropriations; Subcommittee on Taxation and IRS Oversight, Senate Committee on Finance; and the Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia, Senate Committee on Governmental Affairs. We are also sending copies to the Chairmen and Ranking Minority Members of the House Committee on Appropriations; House Committee on Ways and Means; House Committee on Government Reform; House Committee on the Budget; Subcommittee on Transportation, Treasury, and Independent Agencies, House Committee on Appropriations; Subcommittee on Government Efficiency and Financial Management, House Committee on Government Reform; and the Subcommittee on Oversight, House Committee on Ways and Means. In addition, we are sending copies of this report to the Chairman and Vice-Chairman of the Joint Committee on Taxation, the Secretary of the Treasury, the Director of the Office of Management and Budget, the Chairman of the IRS Oversight Board, and other interested parties. Copies will be made available to others upon request. The report is also available free on GAO's web site at http://www.gao.gov. We acknowledge and appreciate the cooperation and assistance provided by IRS officials and staff during our audit of IRS's fiscal years 2002 and 2001 financial statements. If you have any questions or need assistance in addressing these matters, please contact Paul Foderaro, Assistant Director, at (202) 512-2535. Sincerely yours, Steven J. Sebastian: Director: Financial Management and Assurance: Signed by Steven J. Sebastian: Comments from the Internal Revenue Service: See comment 1. See comment 2. See comment 3. DEPARTMENT OF THE TREASURY INTERNAL REVENUE SERVICE WASHINGTON, D C 20224: April 28, 2003: Mr. Steven J. Sebastian Director: Financial Management and Assurance U.S. General Accounting Office: 441 G Street, NW Washington, DC 20548: Dear Mr. Sebastian: I am responding to your draft of the FY 2002 management report tried, Improvements Needed in IRS's Internal Controls. Over the last several years, IRS has adopted numerous improvements to ensure the adequacy of its accounting procedures and internal controls. We have a robust program in place to keep improving our performance in these areas. As examples, we: * Began conducting periodic security reviews of receipt processing areas, implemented many of our new hiring and courier standards, and updated relevant polices and procedures to safeguard taxpayer receipts and data Issued Lockbox Processing Guidelines to improve the safeguarding of taxpayer receipts and data at lockbox facilities: * Established a Peer Review Program to ensure adequacy and compliance with internal access control guidelines: * Published guidance to all field offices to assure that a "controlled access environment" is implemented in every Taxpayer Assistance Center, to the maximum extent possible within space and funding constraints: We agree the issues presented in the draft report will help us continue to improve our accounting procedures and internal controls. As evidenced in our response to the recommendations we have already taken actions to correct some of these matters. The following comments address your recommendations separately. Recommendation: We recommend that the IRS establish e policy setting an appropriate expiration period for fingerprint check results required when an individual enters on duty. In establishing such a policy, IRS may wish to consider, among other factors, the standards used by OPM and other agencies as further guidance and justification, and the risks associated with the age of the fingerprint check results in addition to its own workforce management needs. Comments: Our existing fingerprint expiration policy is 180 days. While the report references a 90-day expiration period for fingerprint check results, the OPM standard is 120 days.[NOTE 1] IRS thoroughly examined its recruiting and hiring processes and practices, including the fingerprint expiration period, security issues, OPM guidance, and the costs associated with background checks. As a result, we determined that 180 days is a reasonable expiration period for fingerprint check results. OPM agreed by waiving the 120-day standard due to our unique hiring cycles and conditions.[NOTE 2] IRM 1.23.3.4.23 (6) documents this requirement, and we re-emphasized this policy by e-mail to Background Investigations Coordinators and Personnel Officers on September 30, 2002, and during a conference call on October 9, 2002. Additionally, the Personnel Security and Investigations staff created and distributed an Excel file that calculates the date when fingerprint results expire. Staff received instructions to use the Excel file and to annotate Case Closing Transmittal documentation when the 180-day expiration date is to occur. We have an additional requirement when hiring GS-1811 Criminal Investigation Special Agents and executives from outside the IRS. A background investigation must be completed before these individuals can enter on duty (EOD). Fingerprint checks are only part of a complete background investigation that may take more than 180 days, and result in an EOD after the fingerprint expiration date. Because a more comprehensive background investigation was completed for these individuals (including checks of local law enforcement files and FBI fingerprint check), we do not fingerprint them again. These individuals are added to the Security Entry Tracking System (SETS) after the fingerprint expiration date. Risk is mitigated because the individual could not EOD without a favorable decision on the comprehensive background investigation. Recommendation: We recommend that IRS confirm with Financial Management Services (FMS) that IRS' requirements for background and fingerprint checks for courier services are met regardless of whether IRS or FMS negotiates the service agreement. Comments: We agree with this recommendation. The IRS is responsible for ensuring that all courier contracts reflect the standards we established. On October 7, 2002, FMS issued Amendment II to the Courier Memorandum of Understanding (MOU). The amendment included the requirement that all courier employees satisfy the basic investigation, which includes an FBI fingerprint and name check. A conference call was held on January 29, 2003, with all 10 campuses and the National Background Investigation Center (NBIC) to establish a campus contact to ensure all required paperwork is submitted to NBIC and clearance is granted. On April 10, 2003, we requested that NBIC provide a monthly status report of the campus compliance to the Headquarters Wage and Investment Division. Recommendation: We recommend that IRS establish procedures to verify that courier services are adhering to the standards established for them by IRS, including the requirement that the courier service have insurance coverage. Comments: We agree with this recommendation. The Security Review Team of Receipt and Control reviews compliance with the courier requirements monthly, using the Campus Security Checklist. For the five campuses where IRS holds the courier contract, we required that the monthly Security Review Team of Receipt and Control verify the campus has a valid insurance certificate valued at $1 million. The campuses are required to produce a file copy for the monthly reviews. For the five campuses with FMS negotiated agreements, we sent a written request, on April 17, 2003, to the FMS financial analyst and the Director, Financial Services Division, requesting them to direct the banks to issue a copy of the insurance certificate to their aligned campus. FMS agreed to draft a memorandum to the financial institutes advising them to regularly provide a copy of the insurance certificates to IRS Headquarters (HQ) instead of the aligned campus. HQ will then forward a copy of the insurance certificate to each of the Submission Processing Service Centers. Recommendation: We recommend that the IRS enforce consistent implementation of its policy limiting personal belongings in receipt processing areas at service center campuses. Comments: We agree with this recommendation. We require employees in receipt processing areas at service center campuses to limit personal belongings brought into the restricted areas of Receipt and Control. Employees who want to keep items at their desks must transport them in and out of receipt processing areas in clear plastic bags. Each employee is provided a locker to store personal belongings (e.g., handbags, briefcases, bulky outerwear, backpacks, lunch bags, newspapers, etc.). The Director, W&I CAS Submission Processing, will issue a memorandum to all Submission Processing Field Directors, requiring managers in receipt processing areas to ensure employees are adhering to established security procedures. This memorandum will be issued before May 15, 2003, and will require unit managers in receipt processing areas to conduct random reviews of employee compliance with all security policies. Starting no later than June 30, 2003, we will verify managerial adherence to this direction during the monthly Campus Security Reviews. The IRS Headquarters Security Review Team will also conduct unannounced Campus Security Reviews at the campuses. Recommendation: We recommend that the IRS prohibit the storage of employees' personal belongings with cash payments and receipts at IRS' taxpayer assistance centers. Comments: We agree that employee's personal belongings should be stored separately from cash payments and receipts. We will include a requirement in the Internal Revenue Manual (IRM) guidelines to be issued June 30, 2003, stating that cash payments and Form 809 - Receipt for Payment of Taxes must be stored separately from personal belongings. We have also included this issue in our operational reviews of the Taxpayer Assistance Centers. Recommendation: We recommend that IRS revise its candling procedures to specify the precise candling methods to be used based on the dimensions of the mail processed and the extraction method used for both the first and the final candling. Comments: We agree with this recommendation. The IRM candling procedures are being revised to specify precise first and final candling methods. We will provide GAO a copy of the procedures no later than May 30, 2003. Recommendation: We recommend that IRS establish and implement procedures prohibiting a single employee from performing the final candling in a remote location. Comments: We agree with this recommendation. We will work with the service center campuses to incorporate the new requirements in the IRM by May 30, 2003. Recommendation: We recommend that IRS determine which taxpayer assistance centers do not presently accept payment of taxes in cash and issue a memorandum reminding them of the requirement that cash be accepted. In addition, we recommend that IRS establish a mechanism to periodically review adherence to this policy. Comments: We included guidelines in our Fiscal Year 2003 Field Assistance Operating Procedures (FAOPs) stating that all Taxpayer Assistance Centers (TAC) will accept all standard forms of payments from customers including checks, money orders, and cash. Document 10161, posted in all TACs, states, "Make all cash payments in the exact amount due only, as we cannot make change." Additionally, this procedure will be included in our operational reviews of the TACs, to ensure compliance with FAOP guidelines. Managers in the TACs are also required to complete an annual review to address this issue. Recommendation: We recommend that IRS establish a supervisory mechanism to monitor the effectiveness of the additional guidance and training in addressing the issues associated with the structuring of installment agreements. Comments: Currently managers must approve installment agreements when the aggregate unpaid balance of assessment exceeds $25,000 or when the balance is $25,000 or less and cannot be fully paid within 60 months. Installment agreements that: require collection statute extensions require mid-level management review. Managers review installment agreements as part of their mandatory employee workload and quality reviews. I appreciate your input and will continue to take the necessary steps to improve our financial management. With the continued dedication and cooperation of both our staffs, we will further enhance the IRS' accounting procedures and internal controls. Sincerely, Bob Wenzel Acting Commissioner: Signed by Bob Wenzel: NOTES: [1] Refer to OPM Publication IS-15, Requesting OPM Personnel Investigations, dated May 2001, page 25. [2] OPM issues its waiver letter in June 1999 to the Associate Director, Personnel Security Division. The following are GAO's comments on the Internal Revenue Service's letter dated April 28, 2003. GAO Comments: IRS stated it has a policy of 180 days for the expiration period of fingerprint results. IRS had initially informed us that it did not have such a policy. As a result, we modified our report to stress the importance of IRS enforcing its policy and modified our recommendation accordingly. : IRS had previously informed us of these exceptions. As a result, we had specifically excluded any individual having met these additional requirements from our count to arrive at the total of 53 instances in which employees entered on duty with fingerprint check results over the 180 day expiration period. : In our draft report, we initially recommended that IRS establish a supervisory mechanism to monitor the effectiveness of the additional guidance and training in addressing the deficiencies noted in the structuring of installment agreements. In its comments, IRS stated that its policy is to require managers to approve installment agreements where the unpaid assessment balance exceeds $25,000 or where the balance cannot be fully paid within 5 years, regardless of the size of the balance. We do not find that this policy is unreasonable at this time and have thus revised our report accordingly. Details on Audit Methodology: To fulfill our responsibilities as the auditor of IRS's financial statements, we: Examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements. This included testing selected statistical samples of unpaid assessment, revenue, refund, accounts payable, accrued expenses, payroll, nonpayroll, property and equipment, and undelivered order transactions. These statistical samples were selected primarily to substantiate balances and activities reported in IRS's financial statements. Consequently, dollar errors or amounts can and have been statistically projected to the population of transactions from which they were selected. In testing these samples, certain attributes were identified that indicated either significant deficiencies in the design or operation of internal control or compliance with provisions of laws and regulations. These attributes, where applicable, can be and have been statistically projected to the appropriate populations. : Assessed the accounting principles used and significant estimates made by management. : Evaluated the overall presentation of the financial statements. : Obtained an understanding of internal control related to financial reporting (including safeguarding assets), compliance with laws and regulations (including the execution of transactions in accordance with budget authority), and performance measures reported in the Management's Discussion and Analysis. : Tested relevant internal control over financial reporting (including safeguarding assets) and compliance, and evaluated the design and operating effectiveness of internal control. : Considered the process for evaluating and reporting on internal control and financial management systems under the Federal Managers' Financial Integrity Act of 1982. : Tested compliance with selected provisions of the following laws and regulations: Anti-Deficiency Act, as amended (31 U.S.C. §1341(a)(1) and 31 U.S.C. §1517(a)); Agreements for payment of tax liability in installments (26 U.S.C. §6159); Purpose Statute (31 U.S.C. §1301); Release of lien or discharge of property (26 U.S.C. §6325); Interest on underpayment, nonpayment, or extensions of time for payment of tax (26 U.S.C. §6601); Interest on overpayments (26 U.S.C. §6611); Determination of rate of interest (26 U.S.C. §6621); Failure to file tax return or to pay tax (26 U.S.C. §6651); Failure by individual to pay estimated income tax (26 U.S.C. §6654); Failure by corporation to pay estimated income tax (26 U.S.C. §6655); Prompt Payment Act (31 U.S.C. §3902 (a), (b), and (f), and 31 U.S.C. §3904) ; Fair Labor Standards Act of 1938, as amended (29 U.S.C. §206); Civil Service Retirement Act of 1930, as amended (5 U.S.C. §§5332, 5343); Federal Employees' Retirement System Act of 1986, as amended (5 U.S.C. §§8422 and 8423); Social Security Act, as amended (26 U.S.C. §3101 and 3121, and 42 U.S.C. §430); and Federal Employees Health Benefits Act of 1959, as amended (5 U.S.C. §§8905, 8906, and 8909). : Tested whether IRS's financial management systems substantially comply with the three FFMIA requirements. GAO Contacts and Staff Acknowledgments: GAO Contacts: Paul Foderaro, (202) 512-2535: Alain Dubois, (202) 512-6365: Acknowledgments: Staff making key contributions to this report were: William Cordrey, Laurie King, Yola Lewis, and J. Lawrence Malenich. (196001): FOOTNOTES [1] U.S. General Accounting Office, Financial Audit: IRS's Fiscal Years 2002 and 2001 Financial Statements, GAO-03-243 (Washington D.C.: Nov. 15, 2002). [2] Candling is a process used by IRS to determine whether any contents remain in open envelopes before their destruction. Candling is generally performed by placing open envelopes in front of a light source. [3] Taxpayer assistance centers handle questions and accept payments from taxpayers who choose to conduct business with IRS in person. They are located in field offices. [4] Final candling occurs at the end of the mail extraction process to ensure that all the contents have been removed from each envelope. [5] GAO-03-243. [6] U.S. General Accounting Office, Internal Revenue Service: Progress Made, but Further Actions Needed to Improve Financial Management, GAO- 02-35 (Washington D.C.: Oct. 19, 2001). [7] GAO-03-243. [8] U.S. General Accounting Office, Internal Revenue Service: Physical Security Over Taxpayer Receipts and Data Needs Improvement, GAO/AIMD- 99-15 (Washington D.C.: Nov. 30, 1998); Internal Revenue Service: Custodial Financial Management Weaknesses, GAO/AIMD-99-193 (Washington D.C.: Aug. 4, 1999); Internal Revenue Service: Recommendations to Improve Financial and Operational Management, GAO-01-42 (Washington D.C.: Nov. 17, 2000); Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls, GAO-02-746R (Washington D.C.: July 18, 2002); and GAO-02-35. [9] Courier service agreements for IRS service center campuses are negotiated by either IRS or FMS, depending on the type of depositary institution IRS uses to deposit campus receipts. IRS has the option of depositing campus receipts into a Federal Reserve Bank or into a general depositary. General depositaries are designated commercial banks that have been specifically authorized by Treasury to maintain a Treasury General Account for the purpose of accepting deposits for Treasury. When receipts are to be deposited to an FRB, IRS contracts for the courier services. When receipts are to be deposited to a general depositary, FMS negotiates an agreement with the depositary to perform services for FMS. There are five service center campuses with FMS-negotiated agreements and five service center campuses with IRS- negotiated agreements. [10] U.S. General Accounting Office, Internal Revenue Service: Immediate and Long-Term Actions Needed to Improve Financial Management, GAO/AIMD-99-16 (Washington D.C.: Oct. 30, 1998) and GAO/AIMD-99-193. [11] GAO-03-243. [12] The statutory collection period for taxes is generally 10 years from the date of the tax assessment. However, this period can be extended by agreement with the taxpayer. [13] We are 95 percent confident that the error rate could be as high as 15 percent.