Increased Automated Controls Could Further Improve Accountability Over Manual Refunds
September 14, 2009
Reference Number: 2009-40-131
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number |
202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site |
http://www.tigta.gov
September 14, 2009
MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Increased Automated Controls Could Further Improve Accountability Over Manual Refunds (Audit # 200840033)
This report presents the results of our review to determine
if controls over manual refunds are effective in minimizing the risk of issuing
erroneous refunds. The audit scope
included both individual and business manual refunds issued during Calendar
Years 2005, 2006, and 2007. This audit
was initiated at the request of the Commissioner, Wage and Investment Division.
Impact on the Taxpayer
During Calendar Year 2007, the Internal Revenue Service
(IRS) issued approximately 184,000 manual refunds totaling over $1.5
billion to individual taxpayers and approximately 70,000 manual refunds totaling
almost $32 billion to business taxpayers.
Our review identified that electronic data files supporting manual
refund transactions were inaccurate, incomplete, and not always maintained by
the IRS. As a result, neither the IRS nor
its oversight organizations are able to perform systemic analyses to identify erroneous
manual refunds. Given the large dollar
amounts involved with manual refunds, this could result in a significant loss
of Federal Government revenues.
Synopsis
A manual refund is a refund that is not generated through normal Master File[1] computer processing. Manual refunds can be issued within 2 to 3 business days, compared to the 6 to 16 business days for the issuance of a Master File computer-generated refund based on the filing of a tax return. There are two ways IRS employees can initiate a manual refund: 1) via the Integrated Data Retrieval System (IDRS),[2] or 2) a manual refund posting voucher (non-IDRS).[3]
The current process to request and approve manual
refunds is paper driven. Increased automated
controls are needed to improve accountability.
IRS management
acknowledges that the manual refund process presents a higher risk because these
refunds are not handled through its normal systemic process. The majority of the process to request and
approve the billions in manual refunds is a paper-driven manual process.
Our review identified that controls have been implemented in an effort to minimize the risk of issuing erroneous manual refunds. These controls include:
· Ensuring no employee can systemically input and authorize a manual refund payment.
· Requiring the completion of a request form.
· Requiring an Approving Official (front-line manager) to review manual refund request packages and approve via signature the legitimacy of the manual refund transaction.
Nonetheless, increased automated controls could further improve the accountability and efficiency over manual refunds. Our review identified that electronic data files supporting manual refund transactions were inaccurate, incomplete, and not always maintained by the IRS. Furthermore, the managerial approval of manual refunds is a manual, resource-intensive process. Current processes enable IRS employees to electronically request manual refunds, electronically confirm the accuracy of information, and electronically confirm and generate the issuance of the refund. Yet the most significant control in the process, managerial approval, is not recorded electronically. Although a prepared request form is required to initiate a manual refund, and is the only document which provides proof of managerial approval, we were not always able to obtain the request form and related documentation.
The manager is the Approving Official responsible for reviewing the manual refund to ensure the validity of the transaction. This is confirmed via a manual signing of the request form. However, because the managerial approval is only notated on the request form, and not the electronic record, it reduces management’s ability to identify potentially fraudulent manual refunds because of the volume of transactions.
Recommendations
To improve accountability over manual refunds, we recommended that the IRS ensure the identification number of the manual refund Requestor is not overridden on the IDRS electronic data file. For non-IDRS manual refund transactions, the IRS should ensure the Requestor’s employee identification number is captured in electronic data files. Also, the IRS should establish a standardized computer record that includes key information on non‑IDRS manual refunds and establish a process to regularly obtain the electronic data file for use in monitoring the program. To increase accountability, the IRS should develop a process to provide for a systemic managerial approval. In the interim, the IRS should capture the identification number of the Approving Official in the IDRS and Secure Payment System electronic data files.
Response
IRS management agreed with all of our recommendations and is
taking actions to address the recommendations.
The IRS agreed to direct employees not to overlay the Requestor’s IDRS
number with a generic number. The IRS
also plans to submit a Unified Work Request to include an employee identification
number for the originator and approving official for all manual refunds with
the Transaction Code 840 refund record (contingent on funding availability). The information will be retained in an IRS
electronic file. The IRS also indicated
the audit trail information provided by the Unified Work Request will impact the
remaining two recommendations.
The IRS provided comments regarding the missing manual refund
request packages. The IRS stated the
Government Accountability Office (GAO) and the IRS Chief Financial Officer
tested internal controls, including requesting manual refund documents during
the financial statement audit, and that no problems were identified with the
process. Due to concern about the file
retrieval problem we experienced, campus audit coordinators ordered the missing
documents again. According to the IRS,
in 12 business days they were able to account for the documents. IRS management also commented that steps were
being taken to return Files operations to IRS from a contractor during the
audit period, and that the backlogs during this period contributed to delays.
Management’s complete
response to the draft report is included as Appendix VII.
Office of Audit Comment
As we reported, we
were unable to obtain 336 manual refund case files. In our attempt to retrieve these documents,
we followed IRS procedures. Management
does not specify the process that it used to retrieve these files. In discussions subsequent to our fieldwork,
management advised us that it uses a special retrieval process to obtain these
documents. To obtain these documents, IRS
management suggested that we should have provided a listing of case files to
sample to the IRS for retrieval. However,
because of the nature of the risks associated with manual refunds, we wanted to
reduce the potential for manipulation of the case files and would not have used
such a process. We requested the case
files using the IDRS, which is the process specified in the IRS’ own internal
procedures and is the process used by IRS employees requesting case files. The IRS’ subsequent retrieval of the case
files was by a special process outside of the process IRS employees would
follow. We remain concerned that, using
its normal procedures, a significant number of case files were not received.
Copies of this
report are also being sent to the IRS managers affected by the report
recommendations. Please contact
me at (202) 622-6510 if you have questions or Michael E. McKenney, Assistant
Inspector General for Audit (Returns Processing and Account Services), at (202)
622-5916.
Recording Managerial
Approval Electronically Could Increase Accountability
Appendices
Appendix
I – Detailed Objective, Scope, and Methodology
Appendix
II – Major Contributors to This Report
Appendix
III – Report Distribution List
Appendix
IV – Relationship and Location Tests
Appendix
V – Examples of Manual Refund Request Forms
Appendix VI – Comparison by Type of Manual Refund Request – Calendar
Years 2005 Through 2007
Appendix
VII – Management’s Response to the Draft Report
Abbreviations
|
FMS |
Financial Management Service |
|
IDRS |
Integrated Data Retrieval System |
|
IRS |
Internal Revenue Service |
|
TIGTA |
Treasury Inspector General for Tax
Administration |
A manual refund is a refund that is not generated through normal Master File[4] computer processing. During Calendar Year 2007, the Internal Revenue Service (IRS) issued approximately 184,000 manual refunds totaling over $1.5 billion to individual taxpayers and approximately 70,000 manual refunds totaling almost $32 billion to business taxpayers. Figure 1 provides a comparison of individual and business taxpayers receiving manual refunds during Calendar Years 2005 through 2007.
Figure 1 – Individual and Business Taxpayers Receiving Manual
Refunds
Calendar Years 2005 Through 2007
|
|
Calendar Year |
||
|
2005 |
2006 |
2007 |
|
|
Individual Taxpayers |
177,768 |
191,323 |
183,764 |
|
Manual Refund Dollar Amount |
$1,313,639,918 |
$1,607,039,598 |
$1,516,216,443 |
|
Business Taxpayers |
62,703 |
69,228 |
69,729 |
|
Manual Refund Dollar Amount |
$26,356,360,765 |
$30,819,398,979 |
$31,859,403,659 |
Source: Treasury Inspector General for Tax
Administration (TIGTA) analysis of IRS manual refund data.
Manual refunds can be issued within 2 to 3 business days, compared to the 6 to 16 business days for the issuance of a Master File computer-generated refund based on the filing of a tax return. Manual refunds can be issued to any person and to any address. The name and address do not have to match the name and address on the taxpayer account from which the manual refund was generated. Most IRS functions (e.g., Accounts Management, Compliance, and the Taxpayer Advocate Service) can request the issuance of a manual refund.
Common reasons manual refunds are issued are to:
· Save the Federal Government interest.
· Help taxpayers who are experiencing a hardship.
· Prevent offsets[5] during processing of injured spouse claims.
· Enable special processing of refunds over $1 million or under $1.
· Provide refunds to claimants on deceased taxpayer accounts.
There are two ways IRS employees can initiate a manual refund: 1) via the Integrated Data Retrieval System (IDRS),[6] or 2) a manual refund posting voucher (non-IDRS).[7]
Manual refunds requested via the IDRS:
A total of
729,684 manual refunds totaling almost $19 billion were requested via the IDRS
for Calendar Years 2005 through 2007.
·
The Requestor prepares a Request for IDRS Generated Refund (Form 5792).[8] Information
from the request form is entered into the IDRS computer system by the IDRS
Input Employee,[9] and required supporting documentation (e.g.,
forms related to claims for injured spouse, carryback losses, death
certificates, etc.) is attached to the Form 5792. The manual refund request package is then
forwarded for approval to the Approving Official (front-line business unit manager).
·
The Approving
Official reviews the manual refund request package to ensure the validity of the
transaction and confirms this by signing the Form 5792. The Approving Official then sends the manual
refund request package to the Manual Refund Unit for processing.
·
An employee
in the Manual Refund Unit visually matches the Approving Official’s signature
on Form 5792 to a book of approval signatures.
If the approval signature is accepted as being a match, the employee (the
IDRS Verifying Employee) then rekeys information from the Form 5792 into the IDRS
to confirm the accuracy of the information input by the Requestor. If the information agrees, the transaction is
forwarded systemically to the FMS[10] Secure Payment System.[11] The
manual refund request package is then forwarded to a Certifying Officer.
·
The Certifying
Officer reviews the package and certifies the transaction on the Secure
Payment System, which results in the refund
being issued.
·
The Form
5792, along with any original supporting documentation, is sent to Files Management
for storage and retention.
Manual refunds requested via manual refund posting voucher
(non-IDRS):
A total of 24,831 manual refunds totaling $74.5
billion were requested via a manual refund posting voucher (non-IDRS) for Calendar
Years 2005 through 2007.
·
The Requestor
prepares a Manual Refund Posting Voucher (Form
3753),[12] attaches required supporting documentation,
and forwards the manual refund request package for approval to an Approving
Official (front-line business unit manager).
·
The Approving
Official reviews the manual refund request package to ensure the validity of the
transaction and confirms this by signing the Form 3753. The Approving Official then sends
the manual refund request package to the Manual Refund Unit for processing.
·
An employee
in the Manual Refund Unit visually matches the Approving Official’s signature
on the Form 3753 to a book of approval signatures. If the approval signature is accepted as
being a match, the manual refund request package is then forwarded to a Data
Entry Operator.
·
The Data
Entry Operator enters information directly into the Secure Payment
System, bypassing the IDRS. The manual refund package is then forwarded
to a Certifying Officer.
·
The Certifying
Officer reviews the request and certifies the transaction on the Secure
Payment System, which results in the
refund being issued.
·
The
Form 3753 and supporting documentation are sent to be recorded via a journal
entry into IRS computers (this needs to be done because the refund was not
initiated through the IDRS). The Form
3753 and supporting documentation are then returned to the Manual Refund
Unit. A copy of the Form 3753 and supporting
documentation are to be retained for 18 months after the end of the processing
year. The original Form 3753 and
supporting documentation are retained in the Manual Refund Unit or sent to
Files Management for storage and retention.
Figure 2 provides a high-level overview of the request, approval, and refund issuance process.
Figure 2 – Employee Roles in Processing Manual Refunds
Figure 2 was removed due to its size.
To see Figure 2, please go to the Adobe PDF version of the report on the
TIGTA Public Web Page.
Manual refunds present a high risk
of fraud
IRS management
acknowledges that the manual refund process presents a higher risk because these
refunds are not processed through its normal systemic process (i.e., refunds
issued based on the filing and processing of tax returns). The majority of the process to request and
approve the billions of dollars in manual refunds is based on a paper-driven
manual process. As such, the risk for
potential issuance of fraudulent refunds is increased.
An example from
another government agency illustrates the risk involved in manual refund
payments. An employee of the
This audit was conducted at the request of the Commissioner,
Wage and Investment Division. This
review was performed in coordination with FMS staff in
Controls have been implemented in an effort to minimize the risk of issuing erroneous manual refunds. These controls include:
· Ensuring no employee can systemically input and authorize payment on the same manual refund.
· Requiring the completion of either Form 5792 or Form 3753.
· Requiring an Approving Official (front-line manager) to review manual refund request packages and approve, via signature, the legitimacy of the manual refund transaction.
· Capturing some key transactional information in an electronic audit trail[14] and other data files.
The current process to request and approve manual
refunds is paper driven. Increased
automated controls are needed to improve accountability.
However, increased automated controls could further improve accountability and efficiency over manual refunds. Our review identified that electronic data files were either incomplete or contained inaccurate information; others were not always maintained by the IRS. Furthermore, the managerial approval of manual refunds is only notated on the request form and not the electronic record. Although a prepared request form is required to initiate a manual refund, and is the only document which provides proof of managerial approval, we were not always able to obtain the request form and related documentation.
Adequate information should be captured in electronic data files[15] to enable IRS management and its external oversight organizations to perform computer analyses in an attempt to identify potentially erroneous manual refunds. The conditions cited above reduce management’s ability to identify potentially fraudulent or erroneous manual refunds because of the lack of access to adequate reliable information and the volume of transactions. Given the dollar amounts involved with manual refunds, this could result in a significant loss of Federal Government revenues.
Electronic Data Files Supporting Manual Refund Transactions Were Inaccurate, Incomplete, and Not Always Maintained
The IRS has
implemented some controls, such as separation of duties, over the manual refund
process that ensure the same individual cannot systemically both request and
approve a manual refund. However, the
IRS does not consistently capture and retain key information relative to manual
refund transactions in its electronic data files. Additionally, although prepared request forms
are required to initiate a manual refund, we were not always able to obtain the
request forms and related documentation.
The inaccurate, incomplete, and unretained electronic data files
indicate that IRS management does not have the necessary information and has
not included the use of electronic data files in its process to monitor the
effectiveness of internal controls in reducing the risk of issuing erroneous
manual refunds. Standards for Internal Control in the Federal Government[16]
require that information be recorded and communicated to management and others
within the entity who need it and in a form and within a period that enables
them to carry out their internal controls and other responsibilities. If improvements are not made, both the IRS and its oversight organizations
will be unable to effectively assess a multibillion dollar high-risk process.
Systemic controls provide for adequate separation
of duties
Both the IDRS and the non-IDRS processes systemically prevent the same employee from inputting and forwarding a request for payment for the same manual refund:
·
The IDRS does not allow the same employee to
both input a manual refund request and forward a request for payment for the same
manual refund. We observed that the IDRS
Input Employee is systemically prevented from also acting as the IDRS Verifying
Employee for IDRS-generated refunds. In
addition, audit trail data of IDRS command codes used to input and approve
payment are kept by the IRS and contain information on who input the
transaction, what taxpayer account was accessed, and when the action occurred. Our analysis of the IDRS audit trails
confirmed that no employee acted as both the IDRS Input Employee and the IDRS
Verifying Employee for the same manual refund.
· For the non-IDRS requests, the Secure Payment System prevents the same employee from inputting and approving payment for the same manual refund. Representatives from the FMS confirmed that Secure Payment System systemic controls prevent the same person from having Data Entry Operator access (ability to input a manual refund request) and Certifying Officer access (ability to approve the issuance of a manual refund) for the same manual refund transaction. The FMS has implemented access and password security controls over the system. Our analysis of transactional information we obtained from the FMS verified that none of the manual refund records were input and approved by the same employee.
Electronic data files capture
certain manual refund transactional information, but improvements are needed to
increase accuracy and completeness
Both
the IRS and the FMS are capturing certain transactional information relating to
manual refunds issued via the IDRS and non-IDRS (directly through the Secure
Payment System) methods. For IDRS
requests, the audit trail file captures the identity of the employees who input
and approve payment for IDRS manual refunds.
For most IDRS transactions, the employee number for the employee who
requested the manual refund, although not captured on the audit trail file, is
input to the IDRS along with other information on the Form 5792. For non-IDRS
requests, the FMS Secure Payment System data file includes the identities of the IRS employees who input the
manual refund transactions, along with the IRS employees who certified the
refunds for payment.
However, electronic data files did not always accurately reflect the IRS employee initiating a manual refund. Specifically, we identified that:
· Invalid Requestor employee numbers[17] for thousands of IDRS manual refund transactions have been recorded in the IDRS.
· The Requestor identity for non-IDRS transactions is never recorded in an electronic data file.
Our review identified over 58,000 manual refund transactions for which the electronic data files did not accurately identify the Requestor. Specifically, from 2005 through 2007:
Over 58,000
manual refund transactions did not have accurate Requestor information on the
electronic record.
·
Over 33,000
manual refund transactions initiated via the IDRS had an invalid employee
identification number for the Requestor.
The IRS sometimes overlaid the employee number with a non-employee number
to generate a single listing of manual refund posting activity from the
requesting unit. Instead of the
Requestor’s employee number being used as the employee needing to monitor the
account, a unit employee number is used to help ensure at least one employee in
the unit monitors the account. The
purpose is to facilitate oversight and address a known internal control
weakness that allowed erroneous refunds to be issued.[18] Nevertheless,
omitting the Requestor identity from the electronic records has reduced the
ability to trace transactions to requesting employees and to detect suspicious
employee activity.
·
Almost
25,000 non-IDRS manual refund requests did not have the Requestor identity captured
in an electronic data file. This results
from non-IDRS manual refund requests being input directly to the Secure
Payment System by a Manual Refund Unit
Data Entry Operator, rather than by the requesting employee. Again, omitting the Requestor identity from
the electronic records has reduced the ability to trace transactions to
requesting employees and to detect suspicious employee activity. Adding to this concern, all manual refunds of
$10 million and over must be requested via a non-IDRS manual refund
request.
The lack of data to identify the Requestor of the manual
refund reduced our ability to identify potentially fraudulent manual refund
transactions because we were unable to perform data analysis (see Appendix IV)
to determine if a relationship exists between the recipient of the manual
refund and the Requestor. See Figure 3 for a summary of the manual
refunds for which the electronic data file did not accurately reflect the
Requestor initiating the refund.
Figure 3 – Manual Refunds for Which Electronic Data
Did Not Accurately Reflect the Requestor Initiating the Refund
|
|
Calendar Year |
||
|
2005 |
2006 |
2007 |
|
|
IDRS refunds with invalid employee number |
573 |
13,863 |
19,272 |
|
$867,764 |
$25,056,087 |
$42,363,542 |
|
|
Non-IDRS refunds for |
508 |
540 |
623 |
|
$19,278,461,025 |
$23,200,977,589 |
$22,512,915,253 |
|
|
Non-IDRS refunds
for less than
$10 million |
7,293 |
7,235 |
8,632 |
|
$2,780,225,593 |
$3,125,151,411 |
$3,646,794,375 |
|
|
Totals |
8,374 |
21,638 |
28,527 |
|
$22,059,554,382 |
$26,351,185,087 |
$26,202,073,170 |
|
Source: TIGTA
analysis of IRS manual refund data.
The IRS did not maintain Secure Payment System transactional
files and the format of data captured was not consistent, which reduces the
ability to perform data analysis
The IRS does not retain Secure
Payment System electronic data files
from the FMS (these are the files that capture information relating to non-IDRS
manual refunds). IRS management noted
that the paper trail is adequate for historic purposes and that the FMS retains
the non-IDRS manual refund file information.
However, discussions with FMS personnel identified that it would be
difficult for the IRS to access historic Secure Payment System files because they are stored in archives
that are not readily accessible to the FMS as part of routine operations. It took the FMS almost 2 months to provide us
our requested Secure Payment System data output.
In addition, the Secure Payment
System file with non-IDRS transactions
we obtained from the FMS was difficult to work with due to the different
formats used in the description fields where taxpayer information (e.g., who the
refund was issued to, type of tax return, or tax period) is located. For example:
·
The type
of tax return was not consistently identified.
Either a code or a form number could be used to indicate to what tax
return the refund related (e.g., Master File Tax Code 30 or Form 1040).
·
The tax
year was not consistently documented.
The tax year could be indicated by a format with 4 or 6 digits for the
month and year (e.g., 0612 or 200612 to indicate December 2006).
·
The
location (starting character number) of this information varied within the
field.
Examples of actual descriptions include:
·
200512 F
1040 IRS
·
RMT*TN*F1040
TY9912*03/79.26*04/3.65
·
F1040 TY9412
·
30
200512 82
Consequently, even
if the IRS was to retain copies of the data, analysis would be very
difficult. While the meaning could
usually be determined by a visual examination of the field contents, it was
extremely difficult to extract by a computer program. By developing a standardized description
format, the IRS would be able to conduct computerized analyses of these manual
refunds.
Request forms are required to be prepared, but some
were missing
The IRS was unable to provide us with 336 (39 percent) of the
851 manual refund request packages we requested. Specifically, IRS procedures require either a
Form 5792 or Form 3753 to be prepared
by an employee requesting a manual refund.
The IRS noted that the request forms and attachments are the key support
for manual refund transactions. The
request forms are the only source of information that can be used to identify
the Approving Official who approved the request information.
Standards for Internal Control in the Federal Government state that transaction documentation, whether paper or electronic, should be readily available for examination and all documentation and records should be properly managed and maintained. The unavailability of both paper and electronic records increases the risk that fraud could occur and remain undetected.
Transactions having certain characteristics have been referred to the Office of Investigations
Because the Requestor of the manual refund could not be identified from the data file, we were unable to perform tests (see Appendix IV) to determine if a relationship exists between the recipient of a manual refund and the Requestor. However, based on our risk assessment, we have identified individual and business manual refund transactions that we consider to have characteristics that increase the potential that the refund could have been inappropriately issued. We have referred these transactions to our Office of Investigations. These manual refund transactions include refunds to taxpayers or addresses that are different from the owner of the tax account. We will continue to work jointly with our Office of Investigations to identify IRS employees that may have inappropriately issued a manual refund.
Recommendations
The Commissioner, Wage and Investment
Division, should:
Recommendation 1: Ensure the Requestor’s employee identification number is not overridden on the IDRS electronic data file.
Management’s Response: IRS management agreed with this recommendation. The Internal Revenue Manual 21.4.4 has been
revised to require that a separate control be established in the IDRS for
monitoring all manual refunds. An
interim procedural update will direct employees not to overlay the Requestor’s IDRS
number with a generic number when initiating IDRS manual refunds.
Recommendation 2: Ensure the Requestor’s employee identification number is captured in electronic data files for non-IDRS manual refunds.
Management’s Response: IRS management agreed with this recommendation. A Unified Work Request will be submitted by October 1, 2009, to include the Standard Employee Identification number of the Requestor and Approving Official for all manual refunds. This information will be included in the Transaction Code 840 refund record that displays on the Master File and Non-Master File. Form 3753 and Form 5792 will be updated to capture the Requestor’s and Approving Official’s Standard Employee Identification number. Implementation is contingent upon Modernization and Information Technology Services funding.
Recommendation 3: Establish a process to regularly obtain the electronic data file that includes key information relative to those non-IDRS manual refunds for use in monitoring the manual refund program.
Management’s Response: IRS management agreed with this recommendation. The Unified Work Request that the IRS is submitting for corrective action to Recommendation 2 (to update the Transaction Code 840 refund record for manual refunds) will give the IRS the required information that can be maintained as an electronic file. This file will be supported by Modernization and Information Technology Services and available on request.
Recommendation 4: Establish input procedures for non-IDRS manual refund requests entered into the Secure Payment System to include a standardized computer record. The standardized record format with key information will allow for easy data analysis.
Management’s Response: IRS management agreed with the need for an audit trail and computer records. Although the IRS will not be changing the Secure Payment System, the Unified Work Request to update the Transaction Code 840 refund record for manual refunds will allow the Master File to store an electronic audit trail for easy data analysis. Implementation is contingent upon Modernization and Information Technology Services funding.
Recording Managerial Approval Electronically Could Increase Accountability
The managerial approval process is manual,
vulnerable to circumvention, and difficult to evaluate because of the volume of
transactions.
The managerial approval process is a manual, resource‑intensive process. Current processes enable IRS employees to electronically request manual refunds, electronically confirm the accuracy of information, and electronically confirm and generate the issuance of the refund. Yet the most significant control in the process, managerial approval, is not recorded electronically. The manager is the Approving Official responsible for reviewing the manual refund to ensure the validity of the transaction. This is confirmed via the manager’s written signature on the manual refund request form. However, the volume of manual refund transactions, combined with the fact that managerial approval is only notated on the paper request form (and not the electronic record), reduces management’s ability to identify potentially fraudulent manual refunds.
Each time a new
Approving Official is added or there is a change to the status of an Approving Official,
new signature sheets need to be obtained and maintained in the signature verification
log (or removed from the log). Additionally,
current signature sheets should be updated at least annually. Manual Refund Units are located at seven IRS
campuses, and each campus maintains its own book of applicable managers’
signatures. As of June 2008, there were a total of almost
2,200 Approving Official signature sheets throughout the 7 IRS campuses. This paper process presents the risk that someone can circumvent the approval
control by forging a manager’s signature.
The IRS already
uses automated authentication processes.
Both the IDRS and the Non-IDRS manual refund request methods include automated processes that record the
individuals who input (the IDRS Input Employee or the Data Entry Operator) and
approve payment (the Certifying Officer) on manual refunds. This process also includes programming that
prevents issuance if the data does not match for the two commands that are
used. These commands are captured in the
audit trail data along with dozens of other types of system access commands. However, although the review and approval by
a manager is the key control to ensure the legitimacy of a manual refund
request, no electronic process has been established to systemically capture the
Approving Official on the electronic record of the transaction.
One way to capture
Approving Official identity for manual refunds requested via the IDRS would be
to have an additional command added to the IDRS for an Approving Official
entry, similar to the two commands that already exist for input by the IDRS
Input Employee and payment approval by the IDRS Verifying Employee. This would allow for the Approving Official
identity to be included in the audit trail files automatically for the existing
system. Including this information in
electronic files could enable the IRS and its external oversight organizations
to efficiently review the data to ensure management is approving each transaction. Establishing such a process to replace the
current paper signature approval process would increase the efficiency of the
approval process and help minimize the potential of a manager’s signature being
forged.
IRS management
believes that the preparation of the manual refund request form, along with the
Approving Official’s signature, provides an adequate audit trail supporting the
initiation and approval of a manual refund.
IRS management stated that the current manual system is adequate, such
changes would not be a high priority, and programming changes required for an electronic
approval would be too expensive.
However, they did not provide information to show that such a
programming change would be a significant expense.
The IRS has
recently begun to scan and store manual refund documentation from the
Centralized Insolvency Unit in
Recommendation
The Commissioner, Wage and Investment
Division, should:
Recommendation 5: Develop a process to provide for a systemic managerial approval to increase accountability. In the interim, the IRS should capture the identification number of the Approving Official in the IDRS and Secure Payment System electronic data files.
Management’s Response: With regard to this recommendation, implementation of
Recommendation 2 will result in the IDRS capturing the identification number of
the Approving Official. The IRS does not
own or control the Secure Payment System and cannot change the files in this FMS
system. The proposed changes to the IDRS
will provide the necessary electronic audit trail.
Appendix I
Detailed
Objective, Scope, and Methodology
The overall audit
objective of this review was to determine if controls over manual refunds are
effective in minimizing the risk of issuing erroneous refunds. Our audit scope included both individual and
business manual refunds of $400 or more issued during Calendar Years 2005,
2006, and 2007. To determine if the
controls over manual refunds are effective we:
I.
Researched
prior manual refund issues and previously reported control breakdowns.
A.
Requested information from the TIGTA Office
of Investigations relating to manual refund investigations.[19]
B.
Obtained and reviewed audit report findings
reported by the Government Accountability Office.
C.
Reviewed Internal Revenue Manual guidelines
to identify procedures followed for initiating, approving, and issuing manual
refunds.
II.
Analyzed
electronic manual refund data files (Individual and Business Master File[20] and Manual Refund IDRS[21] Processing files) from the TIGTA Data
Center Warehouse to identify potential fraud cases. We relied on data validity and reliability checks
routinely done by the Data Center Warehouse staff for these files. Our analysis included:
A.
Identifying employees who initiated and
approved a manual refund for Calendar Years 2005 through 2007.
1.
Obtaining refund
transaction files for both individual and business manual refunds.
2.
Querying electronic
files to identify employees initiating and approving a manual refund.
3.
Reviewing
supporting paper manual refund packages for selected transactions of interest
to determine if any evidence of fraud, wrongdoing, or other suspicious
transactions should be referred to the TIGTA Office of Investigations.
III.
Analyzed IDRS security
profiles to identify IRS employees who have the ability to initiate and approve
manual refunds. These files were
obtained from the TIGTA Data Center Warehouse.
Reliability was assessed with respect to cases reviewed, and no errors came
to our attention during the review. In
addition, we reviewed security controls over FMS‑issued manual refunds.
A.
Obtained IDRS security profiles for all IRS
employees.
B.
Identified IRS
employees having command codes to both initiate and approve a manual refund and
determined whether any of those employees improperly initiated and approved a
manual refund.
C.
Contacted the FMS[22] to obtain a listing of all IRS employees
having Secure Payment System[23] access.
D.
Analyzed the security profile data to determine
if IRS employees had the ability to input and certify payment of manual
refunds.
IV.
Analyzed audit
trail data files obtained from the TIGTA Data Center Warehouse to identify
indications of IRS employees that may have fraudulently obtained manual
refunds. We relied on the data validity and
reliability checks routinely done by the TIGTA Data Center Warehouse staff for
these files. Specific tests included:
A.
Obtained audit trail files containing IRS employee
accesses to accounts from which manual refunds were issued during Calendar Years
2005 through 2007.
B.
Analyzed audit
trail data files to determine if IRS employees have initiated and approved a
manual refund for the same taxpayer.
C.
Analyzed audit
trail data files to determine if IRS employees initiated and approved manual
refunds to identify potential indications of fraud.
1.
Identified
manual refunds issued to an IRS employee.
2.
Identified
manual refunds that were mailed to addresses near the initiating or approving IRS
employees’ addresses.
Appendix II
Major Contributors to This Report
Michael
E. McKenney, Assistant Inspector General for Audit (Returns Processing and
Account Services)
Russell
Martin, Director
Richard
J. Calderon, Audit Manager
Mary
Jankowski, Lead Auditor
Sharon
A. Buford, Senior Auditor
Kenneth L. Carlson, Senior Auditor
Karen
C. Fulte, Senior Auditor
Glory
Jampetero, Senior Auditor
John
Mansfield, Senior Auditor
Steven
Stephens, Senior Auditor
Jennie
Choo, Auditor
Jane
Lee, Auditor
Appendix III
Commissioner C
Office of the Commissioner –
Attn: Chief of Staff C
Deputy Commissioner for
Operations Support OS
Deputy Commissioner for
Services and Enforcement SE
Commissioner,
Large and Mid-Size Business Division
SE:LM
Commissioner,
Small Business/Self-Employed Division
SE:S
Commissioner,
Tax Exempt and Government Entities Division
SE:T
Deputy
Commissioner, Large and Mid-Size Business Division SE:LM
Deputy
Commissioner, Small Business/Self-Employed Division SE:S
Deputy
Commissioner, Tax Exempt and Government Entities Division SE:T
Deputy
Commissioner, Wage and Investment Division
SE:W
Chief,
Appeals AP
Chief Technology Officer OS:CTO
Director,
Communications and Liaison, Tax Exempt and Government Entities Division SE:T:CL
Director,
Communications, Liaison, and Disclosure, Small Business/Self-Employed
Division SE:S:CLD
Director,
Customer Account Services, Wage and Investment Division SE:W:CAS
Director,
Examination, Small Business/Self-Employed Division SE:S:E
Director,
Exempt Organizations, Tax Exempt and Government Entities Division SE:T:EO
Director,
Field Specialists, Large and Mid-Size Business Division SE:LM:FS
Director,
Communication and Liaison, Large and Mid-Size Business Division SE:LM:M:CL
Chief,
Program Evaluation and Improvement
SE:W:S:PRA:
Chief
Counsel CC
National
Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit
Liaisons:
Commissioner, Large and Mid-Size Business
Division SE:LM:CL
Commissioner, Small
Business/Self-Employed Division SE:COM
Commissioner, Tax Exempt and Government
Entities Division SE:T:CL
Chief, Program Evaluation and
Improvement SE:W:S:PRA:
Chief, Appeals AP:TP:SS
Appendix IV
Relationship and Location Tests
2.
Manual refunds issued to taxpayers with an
IRS employee relationship to the Requestor.
3.
Large dollar manual refunds issued by
employees less than 2 weeks before or after an employee separates from the IRS.
4.
Manual refunds issued to address near
address of requesting employee, such as a neighbor or relative.
5.
Manual refunds requested by same requesting
employee to same taxpayer in different years.
Appendix V
Examples of Manual Refund Request Forms
Form 5792
The Form was removed due to its size. To see the Form, please go to the Adobe PDF
version of the report on the TIGTA Public Web Page.
Form 3753
The Form was removed due to its size. To see the Form, please go to the Adobe PDF
version of the report on the TIGTA Public Web Page.
Appendix VI
Comparison by Type of Manual Refund Request Calendar
Years 2005 Through 2007
|
Individual
Taxpayers |
Calendar Year |
||
|
2005 |
2006 |
2007 |
|
|
IDRS |
171,839 |
185,686 |
178,045 |
|
Manual Refund Dollar
Amount |
$ 898,113,002 |
$ 938,161,114 |
$ 1,036,229,311 |
|
Manual Posting |
5,929 |
5,637 |
5,719 |
|
Manual Refund Dollar
Amount |
$ 415,526,916 |
$ 668,878,484 |
$ 479,987,132 |
|
|
|
|
|
|
Business Taxpayers |
Calendar Year |
||
|
2005 |
2006 |
2007 |
|
|
IDRS |
60,831 |
67,090 |
66,193 |
|
Manual Refund Dollar
Amount |
$ 4,713,201,063 |
$ 5,162,148,463 |
$ 6,179,681,163 |
|
Manual Posting |
1,872 |
2,138 |
3,536 |
|
Manual Refund Dollar
Amount |
$ 21,643,159,702 |
$ 25,657,250,516 |
$ 25,679,722,496 |
Source:
TIGTA analysis of IRS manual refund data.
Appendix VII
Management’s Response to the Draft Report
The response was removed due to its size. To see the response, please go to the Adobe
PDF version of the report on the TIGTA Public Web Page.
[1] The IRS database that stores various types of taxpayer account information. This database includes individual, business, and employee plans and exempt organizations data.
[2] IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer’s account records.
[3] A manual refund initiated via the non-IDRS process is used when manual refunds are over $10 million, are to be paid via direct deposit, or are for hardship cases. A table with counts and dollar amounts by manual refund request type can be found in Appendix VI.
[4] The IRS database that stores various types of taxpayer account information. This database includes individual, business, and employee plans and exempt organizations data.
[5] Internal Revenue Code Section 6402 (a), (c), (d), and (e) requires a taxpayer’s overpayment to be applied to any outstanding Federal tax, non-tax child support, Federal agency non-tax debt, or State income tax obligation prior to crediting the overpayment to a future tax or making a refund. This application of a tax overpayment is called a refund offset. Refunds offset to child support, Federal agency non-tax debts, and State income tax obligations are handled by the Financial Management Service (FMS) through the Treasury Offset Program. This occurs after a refund is certified by the IRS for payment by the FMS, but before the refund check is issued or the direct deposit is transferred to the taxpayer’s bank account.
[6] IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer’s account records.
[7] A manual refund initiated via the non-IDRS process is used when manual refunds are over $10 million, are to be paid via direct deposit, or are for hardship cases. A table with counts and dollar amounts by manual refund request type can be found in Appendix VI.
[8] See Appendix V for an example of a Form 5792.
[9] The Input Employee may be the actual Requestor or another employee, such as a clerk. The Input Employee information, along with other systemic information, is captured in an electronic file.
[10] The FMS provides centralized payment, collection, and reporting services for Federal Government agencies.
[11] The Secure Payment System is an application that allows Government agencies to create payment schedules in a secure fashion.
[12] See Appendix V for an example of a Form 3753.
[13] Campuses are the data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.
[14] Electronic audit trails maintain a record of system activity both by system and application processes and by user activity of systems and applications. Audit trails help managers maintain individual accountability. By advising users that they are personally accountable for their actions, which are tracked by an audit trail that logs user activities, managers can help promote proper user behavior. Users are less likely to attempt to circumvent security policy if they know that their actions will be recorded in an audit trail. Although audit trails are essential to auditors, they are also important to agencies in their day-to-day operation of a system. Audit trails provide agencies with information necessary to reconcile accounts, research document history, and query the data stored in the system.
[15] Electronic data files capture transactional data from the IDRS or other application programs.
[16] Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, dated November 1999).
[17] The IDRS employee number is a unique number that identifies each employee on the IDRS.
[18] Government Accountability Office reviews have found that the IRS has not provided sufficient monitoring of manual refund transaction postings. Refund Requestors are required to monitor taxpayer accounts for which they have requested a manual refund until the manual refund transactions have posted. In some cases, this monitoring process was not successful, and duplicate refunds were issued to taxpayers because both a manual refund and a computer-generated refund were issued, resulting in erroneous duplicate refunds to taxpayers. See Management Report: Improvements Needed in IRS’ Internal Controls (GAO-07-689R, dated May 11, 2007) and Management Report: Improvements Needed in IRS’ Internal Controls (GAO-05-247R, dated April 27, 2005).
[19] There were no proven cases of employee manual refund thefts.
[20] The IRS database that stores various types of taxpayer account information. This database includes individual, business, and employee plans and exempt organizations data.
[21] IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer’s account records.
[22] The FMS provides centralized payment, collection, and reporting services for Federal Government agencies.
[23] The Secure Payment System is an application that allows Government agencies to create payment schedules in a secure fashion.