- 4.47.2 CAS Technical and Procedural Information
- 220.127.116.11 Overview
- 18.104.22.168 CAS System Security
- 22.214.171.124.1 Responsibilities
- 126.96.36.199.2 Procedures and Requirements
- 188.8.131.52 Record Retention and Evaluation Guidelines
- 184.108.40.206.1 Record Evaluations and Revaluations Objectives
- 220.127.116.11.1.1 Procedures
- 18.104.22.168.1.1.1 Record Retention Limitation Agreements
- 22.214.171.124.1.2 Methods
- 126.96.36.199.1.3 ADP Evaluation
- 188.8.131.52.1.3.1 Information Useful in an Evaluation
- 184.108.40.206.2 Notification Letters and Agreements
- 220.127.116.11.2.1 Confirmation Letter
- 18.104.22.168.2.2 CAS Program Notice
- 22.214.171.124.2.3 Other
- 126.96.36.199.2.4 Affiliated Corporations
- 188.8.131.52.3 Form 6149 Examination Record Retention
- 184.108.40.206 Application and Other Assignment Documentation
- 220.127.116.11 CAS Program Monitoring
- 18.104.22.168.1 Sources of Information
- 22.214.171.124 Computer Audit Specialist Training
- 126.96.36.199 Obtaining Computerized Data
- 188.8.131.52.1 Rev. Rul.7120 and Rev. Proc. 9825: Scope
- 184.108.40.206 Procuring Data Processing Resources
Part 4. Examining Process
Chapter 47. Computer Audit Specialist
Section 2. CAS Technical and Procedural Information
This section provides detailed technical and procedural information needed by computer audit specialists.
This information has been prepared to assist computer audit specialists (CASs) and CAS team managers in the performance of their official duties and provide detailed technical and procedural information relating to the Computer Audit Specialist Program (CAS).
The LMSB Office of Field Specialists and the National Program Manager has responsibility for this handbook and the Computer Audit Specialist Program (CAS). All inquiries, correspondence, etc., pertaining to any of the materials in this handbook or CAS, should be directed to the office of the National Program Manager.
This section presents the responsibilities, duties, and procedures to be followed by security personnel in maintaining systems security for the Computer Audit Specialists.
Commercially developed system software is utilized and application software is developed, maintained, and modified by the CASs as required, to meet the unique needs of each examination.
The most significant ongoing items in these security procedures are the security breach detection procedures and password integrity. Particular attention should be given to these areas.
The Security Officer for all CAS Program equipment will be the CAS Team Manager. This person will:
Ensure user accounts are assigned only to authorized users.
Ensure individuals no longer requiring access to the system are removed from the list of authorized users.
Ensure physical security of hardware and data is maintained and access to the computer room or area is controlled.
Conduct functional security reviews of each site at least annually.
Prepare an annual functional security review report.
Ensure that new personnel are made aware of security requirements.
Ensure that magnetic tapes, removable disk packs, and printed output, containing taxpayer data or sensitive system files, are properly secured, labeled, stored, and/or discarded.
Ensure that backups are made and stored properly.
Established procedures and requirements are followed to ensure the security of the CAS equipment.
All systems and peripheral equipment must be kept in a controlled area, which can be monitored by authorized users during working hours and locked after hours.
Whenever a non-IRS person, such as a maintenance service employee, enters the controlled area, at least one IRS employee knowledgeable of the system will accompany the person and monitor his or her activity.
All users must be cleared to handle taxpayer data, but access to files will be limited, to those with a need to know. For example, data entry clerks will be permitted access only to those files which are necessary to their job.
Taxpayer data which is on magnetic media will be afforded appropriate security. Printed data will be kept secured until distributed or destroyed. Hard copy to be destroyed should be shredded, burned or otherwise rendered unreadable. Magnetic media containing taxpayer data which are to be discarded should be degaussed, shredded, burned or completely written over (zero filled).
Backups of application files will be taken as frequently as is prudent for a particular site, but at least monthly. A systems file backup and an application files backup will be stored away from the computer room so as to preclude total loss of data from a localized fire or other disaster. Original backups may be used for this purpose; duplicate backups are not required. All backups must be stored in locked containers to which keys and combinations are controlled.
The volume and complexity of accounting records being produced by automated data processing systems has made necessary the use of special auditing techniques to deal with computer output.
Rev. Rul. 71–20 and Rev. Proc. 98–25 set forth the conditions under which machine-sensible records are to be considered books and records under section 6001 of the Code and retained by taxpayers for IRS use. To promote cooperation, provisions are made for the establishment of record retention agreements between taxpayers and the IRS.
It is expected that taxpayers will identify and retain machine-sensible records as required by law, even if a record evaluation has never been conducted.
Recommendations resulting from record evaluations are made to permit a taxpayer to limit the volume of records otherwise required to be retained, yet ensure that adequate information will be available for future tax examinations.
In some examinations, use of computer assisted techniques may not be the best audit approach. Some of the reasons are:
The volume of transactions is not large enough to warrant computerized sampling and analysis.
The potential time savings do not justify performing an application.
The taxpayer can produce or reproduce the books and records in a form easily audited by examiners.
The computer audit specialist (CAS) may be able to pinpoint records where analyses and samples can be obtained which are presently available only through a detailed search of subdivided records. Through the use of computer retrieval programs, it may be possible to:
Prepare databases to allow the examiners to more effectively analyze account data.
Produce applications dealing with unique industry issues.
Produce trial balance with accounts grouped according to lines on the tax return.
Produce summaries, comparatives and stratifications of accounts, groups of accounts and other accounting data.
Perform mathematical computations needed for investment credit, depreciation, depletion and inventory verification and adjustment.
Identify fragmented invoices by consolidating detailed transaction records resorted in invoice number sequence.
CASs will conduct evaluations of taxpayer’s computerized accounting systems. Initial evaluations will only be conducted when requested by the taxpayer. Reevaluations may be initiated by the CAS Territory Manager at times other than during an examination, if deemed appropriate.
Taxpayers whose records are processed by ADP service bureaus or time-sharing services are responsible for record retention the same as any other taxpayer.
During the course of every record evaluation, the evaluator shall inquire as to whether the taxpayer has considered filing returns and wage or information documents on magnetic tape or disk. All taxpayers who express an interest in this program should be referred to the appropriate magnetic tape coordinator.
In most cases, the record evaluation will show that audit efficiency can be increased using machine-sensible records. Discussions should be held with taxpayers or their representatives to gain cooperation in the use of computer assisted audit techniques and taxpayer computer facilities. After the discussions are concluded, the taxpayer must be furnished with either a confirmation letter or a notice, depending on whether the taxpayer agrees to comply, setting forth the specific record retention requirements resulting from the evaluation.
The group manager, team manager and/or territory manager with responsibility for the case must concur with the provisions incorporated in the agreement or notification. All speciality team managers involved should also review and approve the list of records identified for retention. All concurrences are to be in writing.
When an evaluation of a taxpayer’s records results in the need for changes to arrangements or record requirements previously agreed to, or set forth in a notification to the taxpayer, a new notification or agreement reflecting the changes or requirements will be issued.
Internal controls affecting record retention.
The CAS should evaluate and document the system of internal controls used by the taxpayer to ensure that the records needed will actually be retained.
The taxpayer’s internal controls should be capable of ensuring that records are retained in spite of changes that may occur in tax department or data processing department personnel, to the computerized accounting system, or to the computer files management system.
Such a system will typically provide a regular report to the company official responsible for the record retention limitation agreement identifying the records actually retained and the periods covered.
Serious deficiencies detected in the taxpayer’s system of internal controls must be discussed with the taxpayer. If the taxpayer fails to take corrective action within a reasonable period of time, consideration should be given to issuing a notification letter.
The CAS should discuss the requirements in Rev. Proc. 98–25 with all taxpayers who have entered into record retention limitation agreements.
Requirements of Rev. Proc. 98–25.
Label retained records and periodically check the data.
Notify the CAS Territory Manager if any records identified for retention are lost or destroyed.
Retain all records for new systems added or subsidiaries acquired after the record evaluation was conducted.
Retain evidence that the retained records reconcile to the books and to the tax return.
Document the controls used to prevent the unauthorized addition, alteration, or deletion of retained records.
Evaluators should review examination historical files and consult with the examining agent, other specialists (engineer, international, economists, employment and excise), and the group or case manager to determine what records were used. The CAS should also review audit trails and record formats, and hold discussions with responsible officials, including representatives from the taxpayer’s data processing department.
Taxpayers should be asked to identify files which they deem appropriate not to retain.
Certain printed reports produced by a taxpayer are often critical to an examination and continually used by examiners. Since the taxpayer may change company policy and no longer produce a key report in the same format or media, consideration should be given to retaining machine-sensible records, which would permit the re-creation of such reports.
The following is a brief outline of some basic information useful in the evaluation of a taxpayer’s ADP system.
Names and Telephone number:
Authorized signature on legal documents
Others as necessary
Organization Chart and Chart of Accounts.
A list of all records processed within the ADP system and volume, such as:
job costing systems
oil & gas reserves
The name(s) given to the computer application(s) or file(s) containing the details of the daily transactions.
Equipment and operating system information, such as:
name of manufacturer
series or model
system utilities and compilers
Peripheral equipment available, such as:
magnetic tape unit (how many) (tape density, number of tracks, and recording mode(s))
disk units (how many)
Computer output microfilm.
Obtain Systems Flowcharts, catalogue of reports and sample of output.
Documentation relative to files to be retained such as:
tape or disk dump.
Current retention policies.
Review audit trails with emphasis placed on individual detail items to General Ledger and return.
Determine if generalized retrieval programs are available.
Review extent of retention agreement if already existing.
Use of taxpayer’s computer facilities and extent of taxpayer’s assistance during application.
Future changes planned for system.
Letters should be tailored to the needs of the situation. Letters should be used that are appropriate for the situation. Letters that can serve as patterns will be shared within the program.
When discussions with the taxpayer result in an agreement to retain machine-sensible records, and cooperate in the use of computer-assisted techniques, or to use alternative procedures acceptable to the Service, a confirming letter will be issued to the taxpayer by the CAS territory manager setting forth what has been agreed to. This letter will be issued over the signature of the CAS territory manager.
When a taxpayer, after the records have been evaluated by the Service, is orally advised of record retention requirements but does not agree to comply or enter into an agreement, the CAS territory manager must issue a letter notifying the taxpayer that retention of the records specified therein is required. This letter is applicable only to those taxpayers whose records are acceptable under the guidelines in Rev. Proc. 98–25. Others will be handled under normal inadequate records procedures.
This notice will also be issued in cases where the taxpayer’s willingness to comply with the terms of a signed record retention limitation agreement is seriously questioned. This may be evidenced by the taxpayer’s failure to implement adequate internal controls to ensure that records identified in the agreement will actually be retained.
When it is determined that the accounting records processed by computer are not sufficiently voluminous or complex to warrant their retention in machine-sensible form, a letter will be issued to the taxpayer to confirm that a record evaluation has been made and that their present record retention practices will be adequate. This letter should be signed by the CAS Team Manager.
When a taxpayer agrees to comply with the requirements of Rev. Proc. 98–25 and the taxpayer has adequate internal controls, a letter will be issued to the taxpayer to confirm that a record evaluation has been made and that their present record retention practices will be adequate. This letter should be signed by the CAS Team Manager.
Consolidated Returns—One notice or confirmation letter to the common parent will serve as a notice to all members of the group. It may, of course, provide different retention requirements for different group members, as audit needs dictate.
Coordinated Industry Cases.
The CIC group to which the case is assigned will be responsible for the evaluation and determination of record retention requirements for all CIC components. A notice or confirmation letter to any member of a CIC will be issued upon the advice and direction of the primary CAS Team Manager. However, that CIC group may request an evaluation by a support CAS group. Requests for support evaluations may be made by telephone but should be followed by a completed Form 4485, Coordinated Examination Support Request.
A copy of the notice or letter will be made a part of the case historical file.
Other Affiliated Corporations—Notice or confirmation letter should be issued only after coordination action consistent with the provisions of the former IRM 4225.
Form 6149, Examination Record Retention Agreement—Establish/Delete, is to be used to establish the TIN on the AIMS file for taxpayers who have signed ADP record retention limitation agreements with the Service. It will also be used to delete previously established information in the event an agreement no longer exists. This form will be prepared by the CAS with primary responsibility for the CIP case.
Once the data from Form 6149 is established on the AIMS file, the Examination Return Charge-Out, Form 5546, will state "Record Retention Agreement on File." This will alert examiners that a CAS must be called in if the return is examined.
The Form 6149 will be submitted to the CAS's immediate manager who will sign and date it. The form will be forwarded to the terminal operator for input to the AIMS file via the terminal.
After the information has been entered via the terminal, the terminal operator will return the form to the CAS team manager.
Command Code AMIDIS-TIN search only—will display the fact that a record retention limitation agreement has been entered on the AIMS data base via Form 6149. Even when no returns are in open inventory, the relevant information can be obtained by terminal display.
Command Code AMIDISA will display the fact that a record retention limitation agreement has been entered on the AIMS data base via Form 6149 for the specific year being accessed.
Form 6149 will be destroyed at the discretion of Territory Manager.
Complete and proper documentation of computer applications developed and/or used by the CAS in case work is very important. As a minimum, this documentation should be in a format to allow others needing to determine work performed on a case assignment to be able to review the trail of work performed.
Complete and proper documentation of technical issue development including involvement in statistical sampling by the CAS in case work is very important. As a minimum, this documentation should be in a format to allow others needing to determine work performed on a case assignment to be able to review the trail of work performed.
Upon completion of the work assignment, the CAS should complete the Form titled “Computer Assisted Audit Program Closed Case Documentation” available from the team manager.
In order to provide for an exchange of information, the CASs are encouraged to submit information through the CAS team manager for inclusion on the CAS website.
Items for submission may relate to any phase of computer related work including ADP evaluations, computer applications, audit planning, training assignments, or special projects. They may include information on new computer programs written, interesting on-the-job experiences, new techniques, or new approaches to old problems.
The information should be written in conversational language. These items should be stated in general terms in the body of the article and a full discussion added as an attachment. Information submitted should include a statement of the problem, techniques used and benefits derived. Taxpayer names are not to be used.
The National Program Manager has the responsibility for coordinating the development of programs for nationwide application, testing them for operational readiness, and for preparing full documentation. Originators of proposed applications may, however, be called upon to assist in this task.
The information gathered is to be used to evaluate the effectiveness of the Computer Audit Specialist Program. It is not to be used to evaluate individual computer audit specialists. All levels of management will ensure that Policy Statement P–1–20 is not violated.
This information is used to evaluate and monitor the main CAS Program objective: to provide quality and comprehensive computer support to LMSB, with primary emphasis on CIC examinations.
Table 37, Examination Program Monitoring. This report reflects time applied by all revenue agents, including Computer Audit Specialists, in direct and indirect examination time categories. Although it is generated monthly, only the report issued at the end of each quarter reflects the detail time of Computer Audit Specialists.
Coordinated Examination Management Information System (CEMIS). The tools available within CEMIS include the following:
Statistics on Record Retention Limitation Agreements
CAS Start Date Validation Reports
Comparisons between CAS and Team Coordinator Start Dates
Non-CIC Referral Information
Issue Tracking Reports–6 Report Options. It is the responsibility of the CAS assigned to a CIP case to inform the TC of the correct code to be input for any particular issue. Each issue which meets the "significant issue" criteria stated in the CEMIS User’s Manual is input into CEMIS with a CAS Code. Significant issues include all issues on which statistical sampling auditing techniques are utilized by the CAS.
CAS Participation Beyond Planning is a report that lists cases and the significant issues in which the CAS participated beyond planning. For purposes of this system, "beyond planning" means other than stratifications, comparative analysis, and account reconciliations. "Systems Analysis" means information obtained by the CAS which enables a team member to better understand the taxpayer’s records, accounting system(s), financial records or computations in the current cycle.
CAS Assigned and Developed Issues is a report that lists cases and the significant issues which were actually assigned to a CAS for issue development.
Number of Statistical Sampling RAR Adjustments is a report that lists cases and the significant issues which resulted in an RAR adjustment resulting from the CAS use of statistical sampling auditing techniques.
CIC Cases Where Statistical Sampling Techniques Used by CAS is a report that lists cases and the significant issues on which statistical sampling auditing techniques were used by CASs.
CIC TP’s Using Statistical Sampling on Their Tax Return, is a report that lists cases and significant issues on which the taxpayer utilized statistical sampling in reporting those issues on their tax returns.
CIC TP’s Using Statistical Sampling Incorrectly on Their Tax Return, is a report that allows us to monitor the issue(s) on which taxpayers use statistical sampling incorrectly when reporting items on their tax returns.
The CAS is first and foremost a Revenue Agent. It is essential that the CAS maintain technical and auditing skills to allow for issue identification and development. In addition to maintaining the Revenue Agent skills, the CAS should develop application development skills.
It is the responsibility of the CAS, CAS Team Manager, CAS Territory Manager, and the CAS National Program Manager to identify emerging trends in technology. This will foster the timely identification and development of training in these emerging areas. Early identification of technology issues with timely training is essential to the efficiency of CAS Program and the audit teams.
All CASs are expected to complete the technical training provided to all LMSB team members. This would be the traditional five phases of training including the Advanced Corporate training. If any of this training has not been completed at the time of selection into the program, the training should be completed within the first twenty-four months.
Within the first twelve months, the CAS should receive the four phases of CAS training, Training Course 3160, including the on the job training for each phase. In addition they should receive Training Course 3172, Statistical Sampling for Examination Personnel, during that same period.
Within eighteen to twenty-four months after the completion of Phase IV CAS training, the CAS should receive Training Course 3174, Advanced Statistical Sampling for Examination Personnel. At the conclusion of this training, the CAS should receive some exposure to statistical sampling. This should include coordination with one of the Territory Statistical Sampling Coordinators.
It is essential that the CASs develop specialized applications for not only the domestic agents on cases, but also specialists working on the cases. Specialized technical training should be provided to better assist the CASs in developing these applications for the audit teams. This would include areas such as International, Financial Products, Insurance, Oil and Gas etc.
Out service training, including outside vendors and the School of IT, should be considered when it is determined to be the best method of training delivery. This should be considered for both hardware and software training.
Consideration should be given to including CASs in Industry CPEs and Technical Advisory meetings/training.
The volume and complexity of accounting records being produced by automated data processing systems has made necessary the use of special auditing techniques to deal with computer output.
Rev. Rul. 71–20 and Rev. Proc. 98–25 set forth the conditions under which machine-sensible records are to be considered books and records under section 6001 of the Code and retained by taxpayers for IRS use. To promote cooperation, provisions are made for the establishment of record retention limitation agreements between taxpayers and the CAS Territory Manager.
All machine-sensible records retained by a taxpayer, whether retained under the provisions of a record retention limitation agreement or for other reasons, may be used for computer assisted auditing techniques so long as the data is relevant or material to the determination of tax liability. (See U.S. vs Davey, 543 F.2d 996 (1976).)
Taxpayers with assets of $10 million or more must comply with the mandatory record retention requirements of Rev. Rul. 71-20 or Rev. Proc. 98-25. For this purpose, a controlled group of corporations will be considered to be one corporation and the assets of all members of the group will be aggregated.
Taxpayers not subject to the mandatory record retention requirements of Rev. Rul. 71-20 or Rev. Proc. 98-25 may voluntarily retain machine-sensible records for IRS use.
Taxpayers subject to the mandatory record retention requirements must retain all machine-sensible records generated by all automated data processing systems unless the CAS Territory Manager has consented to limit the retention to certain specific records.
The limitation on machine-sensible records to be retained pursuant to a retention limitation agreement does not apply to subsidiary companies acquired, or to accounting and tax systems added, subsequent to the completion of the record evaluation or reevaluation upon which the agreement is based. All machine-sensible records produced by these companies or systems must be retained until such time as a reevaluation is conducted by the CAS Territory Manager.
Unless otherwise specifically agreed to by the CAS Territory Manager, taxpayers are required to:
periodically test records retained for Internal Revenue Service use.
maintain system documentation relating to retained records.
retain the capability to process the records at the time of an examination.
provide evidence that the retained records reconcile to the books and the tax return.
convert the records if a new incompatible computer system is installed.
notify the CAS Territory Manager if files identified for retention are lost or destroyed.
The CAS Territory Manager may consent to limit the retention of records by entering into a record retention limitation agreement with a taxpayer. These agreements usually require the taxpayer to notify the CAS Territory Manager if changes are made to its ADP accounting systems or record formats that will affect the ability of the taxpayer to comply with the terms of the agreement.
The intent of the notification provision is to permit a taxpayer to make changes to an ADP system without influencing the agreement, provided the content of the files specified in the agreement has not changed. Changes which add or rearrange fields within a data record will not be considered to have changed the substance of an agreement if all fields that were in the records covered by the agreement are retained. Under these circumstances, the files created by the revised system may be retained in lieu of those specified in the agreement. Notification is not required.
A taxpayer who is unable to comply with the provisions of a record retention limitation agreement because of system changes has, in substance, created a new system. All records created by the replacement system must be retained until such time as a reevaluation is conducted by the CAS Territory Manager.
As the information specialist to the audit team, the CAS is responsible for obtaining accurate and complete computerized records that meet the requirements of Revenue Procedure 98-25.
Failure to comply with the provisions of Rev. Rul. 71–20 or Rev. Proc. 98–25 may result in the issuance of a Notice of Inadequate Records or the assertion of civil and/or criminal penalties. Refer to Rev. Proc. 98–25 and Rev. Rul. 81–205 for additional information.
If records are lost, destroyed, damaged, incomplete or materially inaccurate, the following steps should be followed by the CAS to the extent necessary to correct the noncompliance.
Secure a letter from the taxpayer fully explaining the events leading to the situation, and any effort taken to recreate the file within a reasonable amount of time. This letter must be signed by a responsible officer of the company.
Issue a letter signed by the CAS Territory Manager stating the situation and putting the taxpayer on notice that any further problems can result in civil or criminal penalties.
Recommend to the Industry Team Manager the issuance of a Notice of Inadequate Records when the facts and taxpayer actions support such an issuance.
Recommend appropriate civil or criminal penalties provided by IRC section 7203 if considered to be applicable. Form 2797, Referral Report for Potential Fraud Cases, must be submitted through channels to the Criminal Investigation Division. This recommendation will be made through the CAS team manager, Industry team manager, and Industry Territory Manager. The application of penalties is the responsibility of the Industry Team Manager.
Careful consideration should be given to the issuance of an Inadequate Records Notice pursuant to Section 12 of Revenue Procedure 98-25 when the required records are either incomplete or non-existent. The taxpayer should be offered the opportunity to explain the reason for the missing records and to reconstruct the records.
If the taxpayer provides the necessary records or delivers an alternative that is acceptable to the audit team, the events and actions should be documented in a memorandum to be included in the historical file.
If the taxpayer is unable or refuses to provide the needed information, serious consideration should be given by the CAS and CAS team manager to recommending the issuance of the Inadequate Records Notice.
It is the responsibility of the Industry Team Manager to issue an Inadequate Notice; however, it is the responsibility of the CAS and CAS Team Manager to make recommendations. If there is a disagreement between the Team Managers, the appropriate Territory Managers or other management officials should be involved to resolve the disagreement.
The computer audit specialist must have adequate equipment in order to complete any computer assisted audit application. Equipment resources should be used, when feasible, in the following order: taxpayer facilities, CAS Program, IRS service centers, other government owned equipment, local service bureaus, commercial time-sharing services. In all instances CAS Program equipment should be used to the maximum extent possible to compile, test, and debug programs prior to execution.
All CASs and their managers must solicit voluntary use of necessary computer facilities from taxpayers under examination where computer assisted audit techniques will be used. It is desirable to use the taxpayer’s computer for computer assisted auditing techniques since the equipment is compatible with the records, and the taxpayer’s ADP staff is familiar with the data.
Taxpayer facilities shall not be used for other purposes or for longer than is necessary to complete the examination.
On occasion, another government agency may permit CASs to use its computer facilities. When such facilities are used, even if provided without charge, Area and Territory Security and Disclosure functions must be notified to ensure that appropriate security is maintained.
The CAS Program secures time-sharing systems and local off-site data processing facilities for use by CASs. These services should be used only when the use of taxpayer computer facilities, IRS facilities, or other Commercial government owned equipment is not possible. The most cost effective system should be selected for the intended application.
Funds for securing ADP services are provided in accordance with regular fiscal procedures.
The CAS Program Manager must approve all applications using local service bureaus or commercial time-sharing services that will exceed $10,000 in cost.
The requirement to file GSA Form 2068A, Quarterly Report of ADP Services, has been eliminated by GSA.
Area and Territory Security and Disclosure functions should be contacted and all security requirements shall be adhered to.