Images de page
PDF
ePub

patch panels was not physically protected and could be accessed and damaged by unauthorized personnel. Additionally, communications devices intended to be used only to monitor data flow can also be used to alter data and for browsing.

DISASTER RECOVERY

Effective disaster recovery plans and procedures enable organizations to continue operations or to reestablish operations in a backup facility after disruptions caused by events such as earthquakes, floods, fires, and electrical power failures. Cyberfile does not have a backup computer facility, nor does it have alternate power sources to maintain computer operations during a power outages.

CONTINGENCY PLANNING

Contingency planning provides specific procedures that need to be taken during various emergencies to restore critical operations and identifies the key individuals responsible for carrying out the procedures. While NTIS has a draft contingency plan that provides some high level instructions on maintaining continuous Cyberfile system operations, the draft does not have specific procedures to be followed in an emergency nor does it identify the key individuals responsible for carrying them out.

RISK ANALYSIS

A risk analysis identifies and determines the severity of security threats and, for each threat, formulates safeguards, and estimates their cost. The risk analysis conducted for Cyberfile was incomplete and did not adequately address physical, operational, and communications security threats to the data center. For example, the analysis does not address the threat of data center employees compromising taxpayer data. Without a comprehensive risk analysis, system vulnerabilities may not be identified and cost effective controls may not be implemented to mitigate them.

SECURITY AWARENESS

A security awareness program communicates to employees the importance of security measures and emphasizes their responsibility for protecting assets. We found that there was no security awareness program for Cyberfile. During our review, we found a note, written on a white board in the data center, instructing employees to hand off passwords to employees on the next shift. Because employees share passwords, system and data accesses and the use of system resources cannot be traced to individuals, and, therefore, cannot be effectively controlled. Cyberfile Contractual Issues Warrant Further Review

Our review of the acquisition process raised several issues that warrant further explanation by IRS or NTIS. In this regard, we plan to review these issues during our continuing review of Cyberfile.

NTIS implemented its interagency agreement with IRS chiefly through means of a contract awarded to a contractor under the "Section 8(a)" program. The "Section 8(a)" program permits the award of a contract to the Small Business Administration, which then subcontracts with a firm owned by economically and socially disadvantaged individuals. This type of contract can be awarded with limited or no competition. In this case, NTIS awarded a contract under “Section 8(a)” on a sole source basis. The selected contractor then subcontracted a significant part of its work to other firms. Information obtained indicates that the selection of some of these subcontractors may have been directed by NTIS or IRS. These actions may have resulted in the complete elimination of competition for a significant amount of government business.

Also, numerous actions were conducted quickly and information obtained to date does not provide a clear understanding of what transpired. For example, in rushing to implement Cyberfile, it appears that IRS contracted for services that NTIS was tasked with providing under their interagency agreement. In addition, procurement officials at both IRS and Commerce told us that they believe they followed procurement rules, but said they received instructions from superiors to proceed with various contracting actions, in some cases without the government receiving the benefit of the traditional independent judgment accorded contracting officials. In this regard, we identified over $2 million in 33 purchases where exemptions to normal purchasing requirements were justified based on 41 U.S.C. 253(c)(2), which states the following.

"The executive agency's need for the property or services is of such an unusual and compelling urgency that the Government would be seriously in

23-595 97-2

jured unless the executive agency is permitted to limit the number of sources from which it solicits bids or proposals."

Our preliminary review of these purchases raises issues concerning the urgency and appropriateness of some of these purchases. For example, four cellular phones were purchased in August 1995, at $1,099 each to provide 24-hour accessibility to key personnel who operate Cyberfile. However, Cyberfile is still not operational and documentation obtained from NTIS indicates that $842 was spent in August and September 1995 on usage charges-with no clear indication on subsequent usage charges. Similar purchases were made for three nationwide pagers costing about $175 each, with documentation indicating that over $4,100 has been budgeted for pager services in 1996. However, as we mentioned earlier more work is needed to assess the appropriateness of all such actions.

FINANCIAL MANAGEMENT WEAKNESSES PERSIST

Our fiscal year 1994 financial audit of IRS, entitled Financial Audit: Examination of IRS' Fiscal Year 1994 Financial Statements (GAO/AIMD-95-141, August 4, 1995),

(1) highlighted a number of serious managerial problems that IRS must directly address to make greater progress in this area,

(2) discussed actions being taken by IRS to strengthen its operations, and (3) presented numerous specific GÃO recommendations for needed additional improvements.

IRS agreed with all our recommendations and committed itself to taking the corrective measures necessary to improve its financial management operations. We currently are in the process of auditing IRS' fiscal year 1995 financial statements.

For the last 3 fiscal years, 15 we have been unable to express an opinion on IRS' financial statements because of the pervasive nature of its financial management problems. We were unable to express an opinion on IRS' financial statements for fiscal year 1994 for the following five primary reasons.

-One, the amount of total revenue of $1.3 trillion reported in the financial statements could not be verified or reconciled to accounting records maintained for individual taxpayers in the aggregate.

-Two, amounts reported for various types of taxes collected, for example, social security, income, and excise taxes, could also not be substantiated.

-Three, we could not determine from our testing of IRS' gross and net accounts receivable estimates of over $69 billion and $35 billion, respectively, which include delinquent taxes, whether those estimates were reliable.

-Four, IRS continued to be unable to reconcile its Fund Balance With Treasury

accounts.

-Five, we could not substantiate a significant portion of IRS' $2.1 billion in nonpayroll expenses included in its total operating expenses of $7.2 billion, primarily because of lack of documentation. However, we could verify that IRS properly accounted for and reported its $5.1 billion of payroll expenses.

To help IRS resolve these issues, we have made dozens of recommendations in our financial audit reports dating back to fiscal year 1992. In total, we have made 59 recommendations on issues covering such areas as tax revenue, administrative costs, and accounts receivable. While IRS has begun to take action on many of our recommendations, as of the date of our last report-August 4, 1995-it had fully implemented only 13 of our 59 recommendations.

IRS has made some progress in responding to the problems we identified in our previous audits. However, IRS needs to intensify its efforts in this area. In a September 12, 1994, letter to the Commissioner, we explained that IRS needed to develop a detailed plan with explicit, measurable goals and a set timetable for action, to attain the level of financial reporting and controls needed to effectively manage its massive operations and to reliably measure its performance. On March 21, 1996, we received a copy of that plan and are now reviewing it. The sections below discuss these issues in greater detail.

15 Financial Audit: Examination of IRS' Fiscal Year 1992 Financial Statements (GAO/AIMD93-2, June 30, 1993); Financial Audit: Examination of IRS' Fiscal Year 1993 Financial Statements (GAO/AIMD-94-120, June 15, 1994); and Financial Audit: Examination of IRS' Fiscal Year 1994 Financial Statements (GAO/AIMD-95-141, August 4, 1995).

Issues With Revenue

IRS' financial statement amounts for revenue, in total and by type of tax, were not derived from its revenue general ledger accounting system (RACS) or its master files of detailed individual taxpayer records. This is because RACS did not contain detailed information by type of tax, such as individual income tax or corporate tax, and the master file cannot summarize the taxpayer information needed to support the amounts identified in RACS. As a result, IRS relied on alternative sources, such as Treasury schedules, to obtain the summary total by type of tax needed for its financial statement presentation.

IRS asserts that the Treasury amounts were derived from IRS records; however, neither IRS nor Treasury's records maintained any detailed information that we could test to verify the accuracy of these figures. As a result, to substantiate the Treasury figures, we attempted to reconcile IRS' master files-the only detailed records available of tax revenue collected-with the Treasury records. We found that IRS' reported total of $1.3 trillion for revenue collections, which was taken from Treasury schedules, was $10.4 billion more than what was recorded in IRS' master files. Because IRS was unable to satisfactorily explain, and we could not determine the reasons for this difference, the full magnitude of the discrepancy remains uncertain.

In addition to the difference in total revenues collected, we also found large discrepancies between information in IRS' master files and the Treasury data used for the various types of taxes reported in IRS' financial statements. Some of the larger reported amounts for which IRS had insufficient support were $615 billion in individual taxes collected-this amount was $10.8 billion more than what was recorded in IRS' master files; $433 billion in social insurance taxes (FICA) collected-this amount was $5 billion less than what was recorded in IRS' master files; and $148 billion in corporate income taxes-this amount was $6.6 billion more than what was recorded in IRS' master files. Thus, IRS did not know and we could not determine if the reported amounts were correct. These discrepancies also further reduce our confidence in the accuracy of the amount of total revenues collected.

Despite these problems, we were able to verify that IRS' reported total revenue collections of $1.3 trillion agreed with tax collection amounts deposited at the Department of the Treasury. However, we did find $239 million of tax collections recorded in IRS' RACS general ledger that were not included in reported tax collections derived from Treasury data.

In addition to these problems, we could not determine from our testing the reliability of IRS' projected estimate for accounts receivable. As of September 30, 1994, IRS reported an estimate of valid receivables of $69.2 billion, 16 of which_$35 billion 17 was deemed collectible. However, in our random statistical sample of accounts receivable items IRS tested, we disagreed with IRS on the validity of 19 percent 18 of the accounts receivable and the collectibility of 17 percent 19 of them. Accordingly, we cannot verify the reasonableness of the accuracy of the reported accounts receivable.

Inadequate internal controls, especially the lack of proper documentation of transactions, resulted in IRS continuing to report unsupported revenue information. In some cases, IRS did not maintain documentation to support reported balances. In other cases, it did not perform adequate analysis, such as reconciling taxpayer transactions to the general ledger, to ensure that reported information was reliable. We found several internal control problems that contributed to our inability to express an opinion on IRS' financial statements. To illustrate,

-IRS was unable to provide adequate documentation for 111 items, or 68 percent, in our random sample of 163 transactions from IRS' nonmaster file. The nonmaster file is a database of taxpayer transactions that cannot be processed by the two main master files or are in need of close scrutiny by IRS personnel. These transactions relate to tax years dating as far back as the 1960s. During

16 The range of IRS' confidence interval, at a 95-percent confidence level, is that the actual amount of valid accounts receivable as of September 30, 1994, was between $66.1 billion and $72.3 billion. 17 The range of IRS' confidence interval, at a 95-percent confidence level, is that the actual amount of collectible accounts receivable as of September 30, 1994, was between $34 billion and $36 billion.

18 The range for our confidence interval, at a 95-percent confidence level, is that the actual amount of the validity exceptions as of September 30, 1994, was between 14.5 percent and 24.2 percent.

19 The range for our confidence interval, at a 95-percent confidence level, is that the actual amount of the collectibility exceptions as of September 30, 1994, was between 13.1 percent and 22.5 percent.

fiscal year 1994, approximately 438,000 transactions valued at $7.3 billion were processed through the nonmaster file. Because of the age of many of these cases, the documentation is believed to have been destroyed or lost. -We sampled 4,374 statistically projectable transactions posted to taxpayer accounts. However, IRS was unable to provide adequate documentation, such as a tax return, for 524 transactions, or 12 percent. Because the documentation was lost, physically destroyed or, by IRS policy, not maintained, some of the transactions supporting reported financial balances could not be substantiated, impairing IRS' ability to research any discrepancies that occur.

-IRS is authorized to offset taxpayer refunds with certain debts due to IRS and other government agencies. Before refunds are generated, IRS policy requires that reviews be performed to determine if the taxpayer has any outstanding debts to be satisfied. For expedited refunds, IRS must manually review various master files to identify outstanding debts. However, out of 358 expedited refunds tested, we identified 10 expedited refunds totaling $173 million where there were outstanding tax debts of $10 million, but IRS did not offset the funds. Thus, funds owed could have been collected but were not. -IRS could not provide documentation to support $6.5 billion in contingent liabilities reported as of September 30, 1994. Contingent liabilities represent taxpayer claims for refunds of assessed taxes which IRS management considers probable to be paid. These balances are generated from stand-alone systems, other than the master file, that are located in two separate IRS divisions. Because these divisions could not provide a listing of transactions for appropriate analysis, IRS did not know, and we could not determine, the reliability of these balances.

-An area that we identified where the lack of controls could increase the likelihood of loss of assets and possible fraud was in the reversal of refunds. Refunds are reversed when a check is undelivered to a taxpayer, an error is identified, or IRS stops the refund for further review. In many cases, these refunds are subsequently reissued. If the refund was not actually stopped by Treasury, the taxpayer may receive two refunds. In fiscal year 1994, IRS stopped 1.2 million refunds totaling $3.2 billion. For 183 of 244, or 75 percent of our sample of refund reversals, IRS was unable to provide support for who canceled the refund, why it was canceled, and whether Treasury stopped the refund check. Service center personnel informed us that they could determine by a code whether the refund was canceled by an internal IRS process or by the taxpayer, but, as a policy, no authorization support was required, nor did procedures exist requiring verification and documentation that the related refund was not paid. With regard to controls over the processing of returns, we also found weaknesses. During fiscal year 1994, IRS processed almost 1 billion information documents and 200 million returns. In most cases, IRS processed these returns correctly. However, we found instances where IRS' mishandling of taxpayer information caused additional burden on the taxpayer and decreased IRS' productivity. In many cases, the additional taxpayer burden resulted from IRS' implementation of certain enforcement programs it uses to ensure taxpayer compliance, one of which is the matching program. This program's problems in timely processing cause additional burden when taxpayers discover 15 months to almost 3 years after the fact that they have misreported their income and must pay additional taxes plus interest and penalties. Issues With Administrative Operations

IRS has made progress in accounting for its appropriated funds, but there were factors in this area that prevented us from being able to render an opinion. Specifically, IRS was unable to fully reconcile its Fund Balance with Treasury accounts, nor could it substantiate a significant portion of its $2.1 billion in nonpayroll expenses-included in its $7.2 billion of operating expenses-primarily because of lack of documentation.

With regard to its Fund Balance With Treasury, we found that, at the end of fiscal year 1994, unreconciled cash differences netted to $76 million. After we brought this difference to the CFO's attention, an additional $89 million in adjustments were made. These adjustments were attributed to accounting errors dating back as far as 1987 on which no significant action had been taken until our inquiry. IRS was researching the remaining $13 million in net differences to determine the reasons for them. These net differences, which span an 8-year period, although a large portion date from 1994, consisted of $661 million of increases and $674 million of decreases. IRS did not know and we could not determine the financial statement impact or what other problems may become evident if these accounts were properly reconciled.

To deal with its long-standing problems in reconciling its Fund Balance with Treasury accounts, during fiscal year 1994, IRS made over $1.5 billion in unsupported adjustments (it wrote off these amounts) that increased cash by $784 million and decreased cash by $754 million, netting to $30 million. In addition, $44 million of unidentified cash transactions were cleared from cash suspense accounts 20 and included in current year expense accounts because IRS could not determine the cause of the cash differences. These differences suggest that IRS did not have proper controls over cash disbursements as well as cash receipts.

In addition to its reconciliation problems, we found numerous unsubstantiated amounts. These unsubstantiated amounts occurred because IRS did not have support for when and if certain goods or services were received and, in other instances, IRS had no support at all for the reported expense amount. These unsubstantiated amounts represented about 18 percent of IRS' $2.1 billion in total nonpayroll expenses and about 5 percent of IRS' $7.2 billion in total operating expenses.

Most of IRS' $2.1 billion in nonpayroll related expenses are derived from interagency agreements with other Federal agencies to provide goods and services in support of IRS' operations. For example, IRS purchases printing services from the Government Printing Office; phone services, rental space, and motor vehicles from the General Services Administration; and photocopying and records storage from the National Archives and Records Administration.

Not having proper support for if and when goods and services are received made IRS vulnerable to receiving inappropriate interagency charges and other misstatements of its reported operating expenses, without detection. Not knowing if and/or when these items were purchased seriously undermines any effort to provide reliable, consistent cost or performance information on IRS' operations. As are result of these unsubstantiated amounts, IRS has no idea and we could not determine, when and, in some instances, if the goods or services included in its reported operating expenses were correct or received.

Some Improvements Made But Overall Computer Systems Security Remained Weak In our prior year reports, we stated that IRS' computer security environment was inadequate. Our fiscal year 1994 audit found that IRS had made some progress in addressing and initiating actions to resolve prior years' computer security issues; however, some of the fundamental security weaknesses we previously identified continued to exist in fiscal year 1994.

These weaknesses were primarily IRS' employees' capacity to make unauthorized transactions and activities without detection. IRS has taken some actions to restrict account access, review and monitor user profiles, provide an automated tool to analyze computer usage, and install security resources. However, we found that IRS still lacked sufficient safeguards to prevent or detect unauthorized browsing of taxpayer information and to prevent staff from changing certain computer programs to make unauthorized transactions without detection.

The deficiencies in financial management and internal controls that I have discussed throughout this testimony demonstrate the long-standing, pervasive nature of the weaknesses in IRS' systems and operations-weaknesses which contributed to our inability to express a more positive opinion on IRS' financial statements. The erroneous amounts discussed would not likely have been identified if IRS' financial statements had not been subject to audit. Further, the errors and unsubstantiated amounts highlighted throughout this testimony suggest that information IRS provides during the year is vulnerable to errors and uncertainties as to its completeness and that reported amounts may not be representative of IRS' actual operations.

IRS HAS TAKEN STEPS TO IMPROVE ITS FINANCIAL OPERATIONS

IRS has made some progress in responding to the problems we have identified in previous reports. It has acknowledged these problems, and the Commissioner has committed to resolving them. These actions represent a good start in IRS' efforts to more fully account for its operating expenses. For example, IRS has

-successfully implemented a financial management system for its appropriated funds to account for its day-to-day operations, which should help IRS to correct some of its past transaction processing problems that diminished the accuracy and reliability of its cost information; and

-successfully transferred its payroll processing to the Department of Agriculture's National Finance Center and, as a result, properly accounted for and reported its $5.1 billion of payroll expenses for fiscal year 1994.

20 Suspense accounts include those transactions awaiting posting to the appropriate account or those transactions awaiting resolution of unresolved questions.

« PrécédentContinuer »