1.4.2  Monitoring and Improving Internal Control

Manual Transmittal

December 14, 2012

Purpose

(1) This transmits revised IRM 1.4.2, Resource Guide for Managers, Monitoring and Improving Internal Control.

Material Changes

(1) This revision includes the following new content:

  1. IRM 1.4.2.3, Definitions

  2. IRM 1.4.2.4, Acronyms

  3. IRM 1.4.2.8, Financial and Management Controls Executive Steering Committee Subgroup (FMC ESC-S)

  4. IRM 1.4.2.9, Steps to Downgrade a Material Weakness

  5. IRM 1.4.2.14, Identification of Quality Assurance Reviews and Initiatives

  6. IRM 1.4.2.15, Related Resources

(2) This revision includes minor edits throughout and content updates to:

  1. IRM 1.4.2.1, Management's Responsibility for Internal Control

  2. IRM 1.4.2.2, Overview

  3. IRM 1.4.2.6, Roles and Responsibilities

  4. IRM 1.4.2.7, Financial and Management Controls Executive Steering Committee (FMC ESC)

  5. IRM 1.4.2.10, Internal Control Process

  6. IRM 1.4.2.10.1, Identify Risk

  7. IRM 1.4.2.11, Annual Assurance Review Process

  8. IRM 1.4.2.13, Remediation Plan

Effect on Other Documents

This IRM supersedes IRM 1.4.2, dated August 28, 2009.

Audience

All IRS Managers

Effective Date

(12-14-2012)

Pamela J. LaRue
Chief Financial Officer

1.4.2.1  (12-14-2012)
Management's Responsibility for Internal Control

  1. The Budget and Accounting Procedures Act of 1950 requires the head of each Federal department and agency to establish and maintain adequate systems of management controls. Further, the Federal Managers' Financial Integrity Act (FMFIA) of 1982, as codified at 31 USC 3512 (hereinafter "FMFIA" ), requires each executive agency to establish internal accounting and administrative controls in accordance with standards prescribed by the Comptroller General. These controls will provide reasonable assurance that:

    1. Obligations and costs are in compliance with applicable law.

    2. Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation.

    3. Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts, reliable financial and statistical reports, and to maintain accountability over assets.

  2. The FMFIA also requires that each executive agency:

    1. Resolve audit findings promptly.

    2. Conduct annual evaluations of its systems of internal accounting and administrative control using guidelines established by the Director of the Office of Management and Budget (OMB).

    3. Submit an annual statement to the President and Congress on the status of the agency's system of internal control.

  3. OMB Circular A-123 (revised) dated December 31, 2004, Management's Responsibility for Internal Control requires agencies and individual Federal managers to take systematic and proactive measures to:

    1. Develop and implement appropriate, cost-effective internal control for results-oriented management.

    2. Assess the adequacy of internal control in Federal programs and operations.

    3. Assess and document internal control over financial reporting separately.

    4. Identify needed improvements and take corresponding corrective action.

    5. Report annually on internal control through management assurance statements.

  4. Assessment of internal control can be performed using a variety of information sources. Management has primary responsibility for assessing and monitoring controls, and should use other sources as a supplement to -- not a replacement for -- its own judgment. Sources of information include:

    1. Management knowledge gained from the daily operation of agency programs and systems

    2. Management reviews conducted (i) expressly for the purpose of assessing internal control, or (ii) for other purposes with an assessment of internal control as a by-product of the review

    3. Inspector General (IG) and General Accountability Office (GAO) reports, including audits, inspections, reviews, investigations, outcome of hotline complaints, or other products

    4. Program evaluations

    5. Audits of financial statements conducted pursuant to the Chief Financial Officers (CFO) Act, as amended, including: information revealed in preparing the financial statements; the auditor's reports on the financial statements, internal control, and compliance with laws and regulations; and any other materials prepared relating to the statements

    6. Reviews of financial systems which consider whether the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA) and OMB Circular No. A-127, Financial Management Systems revised, are being met

    7. Annual evaluations and reports pursuant to the Federal Information Security Management Act of 2002 (FISMA) and OMB Circular A-130, Management of Federal Information Resources

    8. Annual performance plans and reports pursuant to Pub. L. 111-352, the Government Performance and Results Act (GPRA) Modernization Act of 2010 (GPRA)

    9. Annual reviews and reports pursuant to Pub. Law 111–204, Improper Payments Elimination and Recovery Act of 2010 (IPERA)

    10. Single Audit reports for grant-making agencies

    11. Reports and other information provided by the Congressional committees of jurisdiction

    12. Other reviews or reports relating to agency operations, e.g. for the Department of Health and Human Services, quality control reviews of the Medicaid and Temporary Assistance for Needy Families programs

    13. Results from tests of key controls performed as part of the assessment of internal control over financial reporting conducted in accordance with OMB Circular A-123, Management Accountability and Control

  5. FFMIA, codified in a note to 31 USC 3512, established in statute the requirement for certain financial management systems. The FFMIA was intended to advance Federal Government financial management by ensuring Federal management systems can and do provide reliable, consistent disclosure of financial data. Further, this disclosure should be done on a basis that is uniform across the Federal Government from year to year, by consistently using professionally accepted accounting standards. Specifically, FFMIA section 803 (a) requires each agency to implement and maintain systems that comply substantially with:

    1. Federal Government financial management systems requirements

    2. Applicable Federal Government accounting standards

    3. The United States Standard General Ledger at the transaction level

  6. Under the GPRA and Pub. L.106-531, the Reports Consolidation Act of 2000, the Commissioner is required to provide assurance in the Annual Assurance Statement that the IRS Critical Performance Measures are reliable.

1.4.2.2  (12-14-2012)
Overview

  1. All managers must be committed to implementing effective and efficient internal controls. Internal controls are processes, both administrative and program specific, that ensure programs achieve their intended results, organizations realize their goals, laws and regulations are complied with, assets are safeguarded, and financial and management reports are accurate, complete, and timely. The Department of the Treasury and the Treasury Inspector General for Tax Administration (TIGTA) provide oversight to ensure control strategies are implemented that mitigate risk in program and administrative operations.

  2. Internal controls are the responsibility of every manager. Managers are accountable for and have stewardship of all assigned operations within their organization, including program, administrative, and financial areas, such as:

    1. Designing and using of controls that provide 'reasonable assurance' that programs are being accomplished as intended

    2. Continuing assessments to ensure controls are in place and operating as intended

    3. Identifying risks to program accomplishments, compliance with laws and regulations, and accuracy of reporting

    4. Implementing remedies to mitigate risk and measure the results of these actions

  3. It is beneficial to both the IRS and managers to be proactive in identifying problem areas and taking appropriate corrective actions before external audit sources, such as the GAO and TIGTA, issue findings or before problems escalate into serious control weaknesses. However, there must be an appropriate balance of control in programs and operations. For example, an over-controlled process or program may be costly to implement and interfere with program accomplishment. Similarly, an uncontrolled or under-controlled situation may allow problems to go unnoticed and assets to be wasted.

  4. Being focused and aware of internal controls should be an integral part of the daily activities of all managers and employees. By fostering open, honest communications, and promoting problem-solving within an organization, managers create an environment where internal controls are acknowledged as tools to achieving goals.

1.4.2.3  (12-14-2012)
Definitions

  1. Annual Self-Assessment – when managers review the effectiveness of controls within their own area of responsibility and prepare individual written certifications to support certification. The involvement of each level of management in certifying the control environment within their own sphere of operations is necessary in identifying risks at all levels.

  2. Control Deficiency – exists when design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

  3. Corrective Action – an action taken by the audited entity that corrects identified deficiencies, produces recommended improvements, and demonstrates that audit findings are either invalid or do not warrant audited action.

  4. Internal Controls – are processes, both administrative and program specific, that ensure programs achieve their intended results, organizations realize their goals, and financial and management reports are accurate, complete, and timely.

  5. Material Weakness – a systemic deficiency in the design or operation of a program or system or a lack of controls that poses a significant risk of one or more of the following occurring:

    1. The inability to deliver/execute program/operational services in accordance with the agency’s mission and/or legislation.

    2. Errors, omissions, and/or fraud in performance and other financial information or financial statements that would mislead users and/or management in decision-making processes.

    3. Financial commitments for programs and/or operations that are inconsistent with applicable provisions of law.

    4. The inability to properly safeguard assets.

  6. Qualified Assurance – informed judgment by the head of an organization, based upon all available information, that the internal controls in place may not be adequate to address the problems identified in the assurance memorandum. This opinion is based on the number of identified problems or the seriousness of the problems.

  7. Reasonable Assurance – informed judgment by the head of an organization, based upon all available information, that the internal controls in place adequately protect the resources and ensure mission completion. Reasonable assurance recognizes that the cost of controls should not exceed the benefits derived from them.

  8. Remediation Plan – A plan to achieve FFMIA compliance when an agency's annual review determines their financial management systems cannot prepare required financial statements and reports, cannot provide reliable and timely financial information for managing operations, and cannot account for assets, all in accordance with Federal accounting standards and the United States Standard General Ledger (USSGL).

  9. Significant Deficiency – A significant deficiency is a problem in the design or operation of an internal control that should be reported to the next level of management.

1.4.2.4  (12-14-2012)
Acronyms

  1. This IRM contains the following acronyms and meanings:

    Acronym Meaning
    ACFO Associate Chief Financial Officer
    BOD Business Operating Division
    CPIC Corporate Planning and Internal Control
    CFO Chief Financial Officer
    FISMA Federal Information Security Management Act of 2002
    FMC ESC Financial and Management Controls Executive Steering Committee
    FMC ESC-S Financial and Management Controls Executive Steering Committee Subgroup
    FMFIA Federal Managers Financial Integrity Act
    FFMIA Federal Financial Management Improvement Act
    FTE Full-Time Equivalent
    GAO Government Accountability Office
    GPRA Government Performance Results Act
    IDRS Integrated Data Retrieval System
    IPERA Improper Payments Elimination and Recovery Act of 2010
    JAMES Joint Audit Management Enterprise System
    OIC Office of Internal Control
    OMB Office of Management and Budget
    PED Portable Electronic Devices
    TDCFO Treasury Deputy Chief Financial Officer
    TIGTA Treasury Inspector General for Tax Administration
    Web-CBRS Online Currency and Banking Retrieval System

1.4.2.5  (08-28-2009)
Scope and Objectives

  1. The IRS intends to maintain an effective internal control program that complies with legislative requirements and related regulations and directives, such as the Standards for Internal Control in the Federal Government, commonly known as the "Green Book."

  2. Internal controls are the programs, policies, and procedures established to ensure that:

    1. Mission and program objectives are efficiently and effectively accomplished.

    2. Program and resources are protected from waste, fraud, abuse, mismanagement, and misappropriation of funds.

    3. Laws and regulations are followed.

    4. Financial reporting is reliable.

    5. Reliable information is obtained and used for decision making.

  3. This guidance applies to managers at all levels, who are expected to understand the risks associated with their operations, to ensure that controls are in place and operating effectively to mitigate known risks, and to provide candid, reliable, and supportable annual reports on the status of those controls.

1.4.2.6  (12-14-2012)
Roles and Responsibilities

  1. The Commissioner and Deputy Commissioners have overall responsibility for the IRS system of internal control consisting of:

    1. Taking all necessary steps to create a positive control environment within the IRS to ensure operational efficiency and adherence to all applicable statutory and regulatory standards related to internal controls, including those standards found in the FMFIA and the GAO Standards for Internal Controls in the Federal Government.

    2. Establishing priorities in identifying, correcting, and reporting management control material weaknesses and accounting non-conformances.

    3. Ensuring that adequate funding is requested in the budget process to correct identified deficiencies.

    4. Establishing a quality assurance process that permits the responsible official to provide reasonable assurance to the Secretary of the Treasury that the objectives of the FMFIA are being achieved.

    5. Providing information, data, reports, and assurances, as necessary, to the Department of the Treasury Deputy Chief Financial Officer (TDCFO) that all internal controls and financial management systems within the IRS adhere to applicable statutory and regulatory standards.

    6. Ensuring that the performance plans for each Senior Executive Service (SES) member or equivalent employee having significant responsibilities for internal control contain appropriate performance requirements and expectations for such responsibilities.

    7. Ensuring that all other employees are aware of expectations and are subject to appropriate performance standards related to internal controls.

    8. Ensuring that a commitment to competence is maintained by taking steps to provide staff with necessary guidance and training, and by appropriately rewarding outstanding performance.

    9. Designating an Internal Control Officer to administer the internal control processes for the IRS.

  2. The Chief Financial Officer (CFO) is the IRS Internal Control Officer and has operational responsibility for the IRS internal control program such as:

    1. Chairing the Financial and Management Controls Executive Steering Committee (FMC ESC)

    2. Evaluating all systems of internal control on an ongoing basis and for ensuring that audits, internal control reviews, risk assessments, and other evaluations are coordinated to complement one another with a minimum duplication of effort

    3. Determining on an annual basis which programs or administrative functions should be subject to a formal review in order to supplement management's judgment as to the adequacy of management controls, and allocate adequate resources to evaluate their systems of control

    4. Developing detailed procedures, documentation, training for managers and employees, and reporting requirements necessary to review, establish, maintain, test, improve, and report on control systems within the IRM programs and operations

    5. Reporting to the TDCFO management control deficiencies identified in audit reports, internal reviews, and from other sources that have the potential of meeting the Department of the Treasury material weakness criteria

    6. Ensuring timely correction and validation of all identified program and operations deficiencies whether material or nonmaterial.

    7. Ensuring management control guidelines issued are implemented and specify employee accountability

    8. Maintaining, correcting, and/or updating the Joint Audit Management Enterprise System (JAMES) with specific data on IRS FMFIA deficiencies and audit findings (and related items) contained in audit reports of TIGTA and GAO (see IRM 1.4.24, Monitoring Internal Control Planned Corrective Actions, for information on JAMES).

  3. The Associate CFO for Corporate Planning and Internal Control (CPIC), Office of Internal Control (OIC), on behalf of the CFO, administers the IRS internal control program and is responsible for carrying out the day-to day internal control program by:

    1. Preparing policy and procedures for the internal control program

    2. Implementing OMB's Circular A-123 requirements

    3. Providing administrative support to the FMC ESC

    4. Managing the annual assurance process and preparing the Commissioner's annual assurance letter to the Secretary of the Treasury.

    5. Monitoring the completion of corrective actions for material weaknesses, significant deficiencies (a problem in the design or operation of an internal control that should be reported to the next level of management), and for auditing corrective actions and providing periodic reports to Treasury

    6. Providing advice and assistance to managers and their coordinators, as needed

    7. Maintaining JAMES, Treasury’s web-based internal control tracking system

  4. The Director, Office of Legislative Affairs, is responsible for advising the CFO of recent or planned GAO or TIGTA audits.

  5. The Division Commissioners, Chief Officers, National Taxpayer Advocate, Chief Counsel, and Director, Office of Research, Analysis, and Statistics are responsible for:

    1. Establishing adequate and effective controls for all operations and activities in their area of mission responsibility

    2. Ensuring that established controls are followed throughout their organization

    3. Conducting a self-assessment and reporting on the status of internal control in their organization to the FMC ESC annually (Managers throughout the IRS are responsible for participating in this annual assessment in accordance with the annual guidance issued.)

    4. Evaluating reports of significant deficiencies and providing comments to the FMC ESC

    5. Providing adequate resources to correct identified material weaknesses and significant deficiencies

    6. Designating an Internal Control Coordinator to serve as a single point of contact for the assurance process and for FMFIA corrective actions and audit follow-up for their organization

  6. Managers At All Levels are responsible for:

    1. Providing a positive control environment

    2. Identifying potential risk areas

    3. Ensuring that adequate and effective controls are in place

    4. Reporting results of reviews to the next level of management

    5. Ensuring reports are supportable, accurate, and candid

    6. Providing adequate resources to correct identified problems

    7. Implementing corrective actions timely

    8. Validating outcomes

  7. Internal Control Coordinators are responsible for assisting management in developing and maintaining its management control program and serve as the primary liaison with the OIC. Their responsibilities include:

    1. Managing their organization's annual assurance review process and preparing its assurance certification memorandum

    2. Providing technical assistance to management and review teams in the evaluation of controls

    3. Preparing and submitting verification of completion of corrective actions for significant deficiencies, material weaknesses, and GAO and TIGTA audit reports to the Director, OIC

    4. Monitoring the status of corrective actions for material weaknesses, significant deficiencies, and audits, as well as reporting the status to the OIC

    5. Ensuring that data contained within JAMES is updated and accurate

1.4.2.7  (12-14-2012)
Financial and Management Controls Executive Steering Committee (FMC ESC)

  1. The Financial and Management Controls Executive Steering Committee (FMC ESC) is an advisory committee to the Commissioner and Deputy Commissioners who have overall responsibility for ensuring that the IRS has an effective internal control program in place. It oversees the internal control programs, policies, and procedures which are established to achieve the goals stated in IRM 1.4.2.5 (2). The FMC ESC provides policy guidance and oversight for the IRS internal control program and makes recommendations to the Commissioner on the contents of the IRS Annual Assurance Statement to the Secretary of the Treasury.

  2. The FMC ESC fulfills a critical management and integration function for financial and management controls. The FMC ESC is comprised of senior executives from the Business Operating Divisions (BODs) and provides a top leadership perspective and addresses important cross-functional issues, such as:

    1. Financial Statement Audit

    2. Remediation Plans

    3. Material Weaknesses and Significant Deficiencies

    4. Issues of Noncompliance with Laws and Regulations

    5. Federal Managers’ Financial Integrity Act (FMFIA)

    6. Federal Financial Management Improvement Act (FFMIA)

    7. OMB Circular A-123, Management’s Responsibility for Internal Control

    8. Annual Assurance Process

    9. GAO and TIGTA audit findings and other identified risk

  3. The FMC ESC meets quarterly to discuss the status of material weaknesses, significant deficiencies, issues of noncompliance with laws and regulations, and service-wide progress made in closing open GAO and TIGTA audit recommendations. The FMC ESC focus is to achieve sustainable results on high impact initiatives, including remediation plan actions and actions to correct material weaknesses and significant deficiencies. The following are general responsibilities of the FMC ESC:

    1. Ensuring cross-functional coordination

    2. Ensuring that root causes of problems are identified and the corrective actions resolve the root causes

    3. Reviewing and validating cost-benefit analysis to prioritize, make informed decisions, and measure results

    4. Providing for early detection and management of risks

    5. Ensuring that cross-functional corrective actions are timely and adequately taken

    6. Ensuring that essential resources and expertise are available

    7. Commissioning, as necessary, reviews of particular matters

  4. The FMC ESC‘s more specific responsibilities are:

    1. Ensuring Division Commissioners' and Chief Officers' commitment to ensuring timely closure of actions to correct material weaknesses and significant deficiencies

    2. Declaring new material weaknesses and significant deficiencies as appropriate

    3. Approving new and revised corrective actions/corrective action plans to correct material weaknesses and significant deficiencies

    4. Reviewing issues identified during the year by Division Commissioners and Chief Officers, or during management reviews or GAO and TIGTA audits to determine if the resolution of these issues should be monitored by the FMC ESC

    5. Monitoring the resolution of issues identified by GAO in the Financial Statement Audit and High Risk reports

    6. Approving closure of those material weaknesses and significant deficiencies that have validated the achievement of their results indicators and obtained GAO and TIGTA concurrence, as appropriate, on implemented corrective actions

    7. Recommending downgrading of material weaknesses upon taking recommended steps for seeking closure

    8. Recommending the FMFIA annual level of assurance to the Commissioner

    9. Serving as a point of coordination and cross-reference to the activities of other steering committees to assure proper linkage of related activities and to avoid duplication of effort and reporting systems

    10. Ensuring that the IRS meets its OMB Circular A-123 responsibilities related to internal control and assessing internal control effectiveness

    11. Approving the OMB Circular A-123 level of assurance the IRS will provide to Treasury

    12. Ensuring that the IRS meets its reporting and certifying obligations under FMFIA, FFMIA, Treasury Directives, and the Annual Assurance Review Process

  5. The FMC ESC has the following permanent voting members:

    1. Deputy Commissioner for Operations Support

    2. Chief Financial Officer (Chairperson)

    3. Treasury Deputy Chief Financial Officer

    4. Commissioner, Small Business/Self-Employed Division

    5. Commissioner, Wage and Investment Division

    6. Chief Technology Officer

    7. Director, Office of Research, Analysis, and Statistics

    8. Associate Chief Counsel (Finance/Management)

  6. The FMC ESC also has three rotating voting members, each serving for a one-year term. The rotating voting members will be Division Commissioner(s) and Chief(s) selected at the fourth quarter meeting for the next fiscal year from the following list:

    1. Commissioner, Large Business and International Division

    2. Commissioner, Tax Exempt and Government Entities Division

    3. IRS Human Capital Officer

    4. Chief, Communications and Liaison

    5. Chief, Agency-Wide Shared Services

    6. Chief, Criminal Investigation

    7. Chief, Appeals

  7. Each member must designate an executive alternate to act in their place to fulfill quorum requirements. A quorum of at least 51% of members is required for a meeting to be held.

  8. The ACFO for CPIC is the FMC ESC program executive and the Director, OIC, is the FMC ESC program manager. The OIC provides management and administrative support to the ACFO for the FMC ESC meetings, as well as analytical support in reviewing planned presentations. The responsibilities of the OIC program staff include:

    1. Providing an early alert system for risks, obstacles, and barriers in completing actions for material weaknesses, significant deficiencies, and remediation plans

    2. Assisting BODs with developing mitigating strategies for identified risks, obstacles, and barriers

    3. Leading the Annual Assurance Review Process

    4. Developing agendas for FMC ESC meetings, obtaining and reviewing the materials that will be presented in advance, releasing the pre-read meeting materials to all participants, recording meeting notes and creating minutes to be circulated for comment, and keeping track of decisions and action items

    5. Supporting the FMC ESC in meeting its reporting and certifying obligations under FMFIA, FFMIA, OMB Circulars, Treasury Directives, and the Annual Assurance Review Process

    6. Coordinating issues with Treasury, GAO, and TIGTA

1.4.2.8  (12-14-2012)
Financial and Management Controls Executive Steering Committee Subgroup (FMC ESC-S)

  1. The Financial and Management Controls Executive Steering Committee Subgroup (FMC ESC-S) is a working group serving in an advisory/support role to the FMC ESC, which fulfills a critical management and integration function for financial and management controls.

  2. The FMC ESC-S is responsible for monitoring the status of business owner planned corrective actions (PCAs) that address GAO and TIGTA audit-finding recommendations. It reviews progress made to close or add actions to the IRS internal control programs and validates, as needed, the policies and procedures which are established to achieve the goals stated in IRM 1.4.2.5(2).

  3. The FMC ESC-S focuses on the review and validation of:

    1. Material weaknesses

    2. Significant deficiencies

    3. Control deficiencies

    4. Issues of noncompliance with laws and regulations

  4. The Subgroup is comprised of senior executives primarily from the BODs, Strategy and Finance staff. The FMC ESC-S makes recommendations for FMC ESC briefings and/or other matters for consideration by the committee. The Associate Chief Financial Officer, Corporate Planning and Internal Control (ACFO for CPIC) is the FMC ESC-S Chairperson.

  5. IRM 1.4.2.5(2) provides the general responsibilities of the FMC ESC-S; however, the more specific responsibilities are:

    1. Working with the business owners in developing action plans and results indicators for material weaknesses, significant deficiencies, control deficiencies, and issues of noncompliance with laws and regulations corrective actions

    2. Ensuring that key executives timely close actions in the open material weaknesses, significant deficiencies, control deficiencies, and issues of noncompliance with laws and regulations corrective action plans

    3. Reviewing issues identified during the year by Division Commissioners and Chief Officers during management reviews or GAO and TIGTA audits to determine if the resolution of these issues should be monitored by the FMC ESC through a corrective action plan

    4. Confirming that business owner recommendations to downgrade a material weakness or to close a significant deficiency are supported by accurate validation of the achievement of results indicators justifying the action

    5. Recommending to the FMC ESC the closure/downgrading of material weaknesses and/or significant deficiencies that have validated the achievement of results indicators and that the implemented actions have received concurrence, as appropriate, by GAO or TIGTA

    6. Reviewing progress toward achieving the results indicator for open material weaknesses, significant deficiencies, control deficiencies, and issues of noncompliance with laws and regulations corrective action plans

    7. Monitoring discussions with GAO and TIGTA to close/downgrade material weaknesses

    8. Reviewing Treasury Planned Corrective Action scorecard results

    9. Reviewing GAO and TIGTA corrective actions due during the next quarter to ensure timely completion

    10. Resolving issues that may delay completion of corrective actions

    11. Recommending to the FMC ESC, as necessary, reviews of particular matters and/or corrective action plans.

  6. The FMC ESC-S has the following permanent members:

    1. ACFO for CPIC (Chairperson)

    2. Director, OIC - Program Manager

    3. Key BOD Executives, primarily from Strategy and Finance

    4. Program Owner of each material weakness, significant deficiency, control deficiency, and issues of noncompliance with laws and regulations

  7. Each member must designate an executive alternate to act in his/her place.

  8. The ACFO for CPIC, is the FMC ESC-S Program Chairperson. The Director, OIC supports the ACFO for CPIC. The responsibilities of the OIC program staff include:

    1. Providing an early alert system for risks, obstacles, and barriers in completing actions for material weaknesses, significant deficiencies, control deficiencies, and remediation plans

    2. Assisting BODs in developing mitigating strategies for identified risks, obstacles, and barriers

    3. Leading the Annual Assurance Review Process

    4. Developing agendas for FMC ESC-S meetings, obtaining and reviewing the materials that will be presented in advance, releasing the pre-read meeting materials to all participants, recording meeting notes and creating minutes to be circulated for comment, and keeping track of decisions and action items

    5. Supporting the FMC ESC-S in meeting its directives from the FMC ESC advisory committee that directly pertain to reporting and certifying obligations under FMFIA, FFMIA, OMB Circulars, Treasury Directives, and the Annual Assurance Review Process

    6. Coordinating issues with Treasury, GAO, and TIGTA

1.4.2.9  (12-14-2012)
Steps to Downgrade a Material Weakness

  1. The IRS is responsible for correcting material weaknesses. The steps to downgrade a material weakness to a significant deficiency are:

    1. Identify/clarify issues that contribute to material weakness through discussion with external auditors in an effort to identify and understand issues/weaknesses that should be resolved in order to downgrade and/or eliminate material weakness.

    2. Verify planned actions will reduce the level of materiality as expected.

    3. Informally meet with GAO on plan of action, current matters, controls being implemented to mitigate risk, and results, as applicable.

    4. Finalize the action plan based on internal review and GAO comments.

    5. Ensure that results have been achieved verifying that the conditions which led to the issue being originally classified as a material weakness have been eliminated.

    6. Document the process for continuous monitoring to ensure controls are in place and continue to operate effectively to mitigate continued risk, identifying the level of risk (i.e., Control Deficiency, Significant Deficiency, etc.). Forward to CPIC for review.

    7. Meet with auditors (GAO/TIGTA) for support in closure/downgrade.

    8. Obtain approval of closure/downgrade by the FMC ESC.

    9. Prepare a memorandum (prepared by the BOD and reviewed by CPIC) from the Commissioner to the Assistant Secretary for Management and Chief Financial Officer requesting Treasury concurrence for the closure/downgrade; the memorandum also provides the background and summary of accomplishments and results.

    10. Report the material weakness closure/downgrade in the assurance statement.

1.4.2.10  (12-14-2012)
Internal Control Process

  1. The internal control process is ongoing and encompasses all aspects of IRS operations. The internal control process steps are:

    1. Identify risk

    2. Determine existing controls

    3. Establish new controls or revise existing controls

    4. Document results of reviews

    5. Document, report, and correct significant deficiencies

    6. Validate outcomes

    7. Develop indicators and goals

1.4.2.10.1  (12-14-2012)
Identify Risk

  1. Risk is the probability of a negative, unanticipated occurrence. Risk is inherent in every activity; therefore, it is essential that managers identify the probability of risk within the operation and activity. Unacceptable or highly undesirable risk becomes the basis for establishing and maintaining internal control.

  2. Some areas or occurrences with higher potential for risk include:

    1. Cash-handling activities

    2. Procurement activities

    3. Refunds and refundable credits

    4. Security

    5. Level of reliance on automated processes

    6. Changes in organizational structure, processes, procedures, personnel, and systems

    7. Level of reliance on contractors

  3. The assessment of risk is based on the manager's organizational knowledge and communication with employees. To identify risk, the manager should:

    1. Review findings from previous reviews and reports, such as management reviews and GAO and TIGTA audit reports.

    2. Ensure that organizational processes are performed in accordance with written policies and procedures, such as legislation, OMB Circulars, Department of Treasury directives, GAO's Standards for Internal Control in the Federal Government and IRMs.

    3. Involve employees in identifying risk.

  4. Examples of actions a manager might take to identify risks include:

    1. Verify Form 809, Receipt for Payment of Taxes.

    2. Post review of case files (e.g., seizure and sale files) to ensure conformity with statutes, regulations, and the IRM.

    3. Consider Disclosure/Privacy Act implications in all activities, including review of files and personnel folders.

    4. Perform risk assessments.

    5. Conduct quality assurance reviews.

    6. Initiate timely background and security investigations and take appropriate action based on the outcome of the investigation.

    7. Monitor telephone traffic volumes to ensure timely customer service.

    8. Review access to sensitive command codes for the Integrated Data Retrieval System (IDRS).

    9. Review assigned Portable Electronic Devices (PEDs) that include, but are not limited to, laptop computers, cellular/personal communications system devices, audio/video/data recording or playback devices, scanning devices, and messaging devices, to ensure these devices and the data they contain are safeguarded.

    10. Conduct reviews to ensure laptops are locked.

    11. Periodic review of use of sensitive information, including Suspicious Activity Reports (SARs), in the online Currency and Banking Retrieval System (Web-CBRS).

1.4.2.10.2  (08-28-2009)
Determine Existing Controls

  1. Once risk areas have been identified, determine what management controls exist for those areas. An internal control is the method by which an organization governs its activities. Controls provide 'reasonable assurance' that programs and administrative activities are efficient, effective, and pose an acceptable level of potential risk.

  2. Internal controls are not separate systems or processes; they are tools routinely used by managers to manage their operations. The focus is not to have more controls but to have effective controls that mitigate risks. Some examples of internal controls are:

    1. Separation of duties (e.g., Managers authorized to approve funding must not be involved in the payment or procurement processes. Individuals (contracting officers) authorized to obligate the government must not be involved in the commitment, receipt/acceptance, or payment process)

    2. Adequate supervision (e.g., Purchase card approving officials monitor purchase cardholder activities to ensure purchases are appropriate and approved, funding is secured prior to the order being placed, and statements are processed timely)

    3. Reconciliation of records from two sources (e.g., matching travel receipts against the travel vouchers)

    4. Reconciliation of records against physical inventories

    5. Limited access (e.g., passwords on data systems)

    6. Verification of data entry

    7. Documentation of processes and procedures, such as the IRM

    8. Written delegations of authority

    9. Logs and checklists

  3. To determine existing controls, begin by comparing current practices and processes against existing procedures, policies, and guidelines. Some "red flags" that may indicate a need for assessing existing controls are:

    1. Costs incorrectly charged

    2. One or a small group of employees handling all steps of a process

    3. Inadequate training

    4. Infrequent reviews

    5. New or old automated systems

    6. Security incidents

    7. Adverse publicity

    8. Inadequate reports

    9. Increase in errors

    10. Customer dissatisfaction.

    11. Recent (or frequent) change in management or key functions (see the Internal Control Management and Evaluation Tool).

  4. Examples of control techniques and methods are listed below.

    Control Technique Control Method
    Separation of Duties Duties are separated to avoid having one employee or a small group of employees handling all steps of a process.
    Appropriate documentation of transactions and internal control Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination.
    Supervision Adequate supervision to ensure organizational goals are achieved.
    Data Security Sensitive information is protected from unauthorized access.
    Physical Asset Security Assets (such as laptops) secured to protect against theft.

  5. If controls are needed and none currently exist, the manager may be responsible for establishing them (see IRM 1.4.2.10.3). In cases where the manager determines that the level of risk does not justify establishing a formal control mechanism, the manager should still document his/her findings and decisions for future reference and use in the Annual Assurance Review Process (see IRM 1.4.2.11).

1.4.2.10.3  (08-28-2009)
Establish New Controls or Revise Existing Controls

  1. Once the manager has decided that a process needs a control, he/she should determine the process owner. If the manager does not own the process at risk but it impacts his/her operation, he/she should take proactive measures to coordinate with the process owner or other stakeholders to encourage them to improve management controls. It may be necessary to elevate the issue to higher levels. The control being used may be a standardized control for the organization. However, if it is not working properly, the manager should inform the next higher organizational level if the manager does not have the authority to change the control. A lack of controls in one process may be impacting other processes, and a change to procedures may benefit several parts of the organization. Once the manager has determined what controls exist or has established new controls, the next step is to assess their effectiveness (see IRM 1.4.2.10.4). The assessment and review of internal control is an ongoing process. If a manager does not own the process, determine the appropriate method of control to mitigate the risk (see IRM 1.4.2.10.2.). In selecting control methods, use the following criteria:

    • The control must be consistent with operational or legislative requirements.

    • The control must be cost effective.

1.4.2.10.4  (12-14-2012)
Review/Assess Internal Control

  1. Because organizational conditions are constantly changing, managers need to assess their internal controls continuously. Managers should be alert to the potential impact of changing organizational structure, objectives, processes and procedures, personnel, and systems on operations and initiate required reviews as necessary. Circumstances that should cause managers to initiate a review are:

    1. External sources (e.g., taxpayers, Congress, GAO, TIGTA) have identified concerns

    2. Current controls do not appear to be effective or cost beneficial

    3. Conditions indicate a reduced level of quality or customer satisfaction

    4. Conditions have changed (e.g., reorganization, phase-out of operations, personnel turnover)

    5. The office has a new responsibility or program

  2. When conducting control reviews, managers should determine the dependencies or effects the controls have on other areas of the organization. Identifying dependencies often reflects a need for input from other organizations.

  3. To test the adequacy of internal control, managers should determine if the controls are:

    1. Implemented as designed and meet the control objectives of mitigating risk to an acceptable level

    2. Performed by competent personnel

    3. Consistent with operational objectives or legislative requirements

    4. Efficient and cost effective

  4. Techniques for testing the adequacy of internal control include:

    1. A walk-through of operations to observe how the control functions in actual practice. During the walk-through, managers should determine how the control is meeting the objective. Problems identified should be further analyzed to determine if a significant deficiency exists.

    2. Interviews are an important testing technique to facilitate an understanding of how controls are functioning. Often, the best sources of information are personnel performing the operation. Combining inquiry and observation can often provide valuable insights into problem areas, such as a lack of financial and personnel resources necessary to effectively meet control objectives.

    3. If there are a considerable number of documents or transactions performed, the manager may review a sample of them. If no discrepancies are noted, then a reasonable conclusion is that the control is adequate. If discrepancies are identified, the manager should examine additional documents/transactions to confirm whether the control is functioning as designed.

    4. The manager may select a sample of source documents and follow them through each step of the process. Source document analysis can often disclose improper procedures, failure to follow procedures, or breakdowns among processing steps.

    5. The manager may chose to combine several methods of review to ensure the adequacy of the controls.

  5. At the conclusion of the review, the manager will decide if the existing controls provide reasonable assurance that the objectives are being achieved in an efficient and effective manner or a significant deficiency exists and should be corrected. A significant deficiency is a problem in the design or operation of an internal control that should be reported to the next level of management. The manager should prepare a Report of Significant Deficiency (see IRM 1.4.2.10.6).

1.4.2.10.5  (08-28-2009)
Document Results of Reviews

  1. If no significant deficiencies were identified during the review, document the review results and retain them for use in preparing the Annual Assurance Certification Letter (see IRM 1.4.2.11). The documentation can be as simple as a memorandum explaining the review methods and results. It normally does not require a separate formal report. The documentation may also be incorporated into other management reports as long as it is identified as the results of an internal control review.

  2. If deficiencies were identified and the manager has corrected them, the manager should retain the documentation for the Annual Assurance Certification Letter.

1.4.2.10.6  (08-28-2009)
Document, Report, and Correct Significant Deficiencies

  1. All significant deficiencies should be reported as soon as identified on a Report of Significant Deficiency. A significant deficiency is a problem in the design or operation of an internal control that should be reported to the next level of management. The Report of Significant Deficiency provides management with the information necessary to clearly understand the problem and assess the level of risk.

  2. In some instances, the manager may identify a significant deficiency but have no control over the actions necessary to correct it. In this case, the manager should elevate the issue to the next level of management for possible action and review. Managers should submit Part I of the Report of Significant Deficiency to the next level of management with as much information as is available.

  3. The manager may not have the expertise to provide all the information in detailed, technical terms. Once the issue is shared with the appropriate program area, they may request additional information. If the significant deficiency requires a corrective action plan, the process owner will be responsible for finalizing Part I and preparing Part II of the Report of Significant Deficiency.

  4. If it is appropriate to develop a corrective action plan, the manager should include in the plan all the actions needed to correct the significant deficiency. When preparing the corrective action plan:

    1. Develop actions that are specific and describe the end result. For example, the action should be: "Revise and issue procedures to the field," not "Review current procedures."

    2. Ensure commitment of other stakeholders before establishing any action that requires activity outside the manager's control.

    3. Set realistic due dates. Successful plan completion may be dependent upon available resources, functional interdependencies, labor negotiations, legislation, or modernization issues. Therefore, consult with others as necessary in establishing realistic completion dates. Do not use "ongoing" as a completion date; always set a specific due date, e.g., MM/DD/YYYY. If completion date is long term, it may be necessary to establish interim milestone dates.

  5. The manager should identify goals and establish performance measures that will serve as progress indicators for correcting the significant deficiency.

  6. The manager should describe the validation process (a description of how to collect data supporting the performance measure(s) that will determine if the deficiency has been successfully corrected). The manager should describe the type and quantity of data to be gathered, the method of collection, and the source of the data.

  7. Once the Report of significant deficiency is completed, the manager should forward it to his/her manager, and provide a copy to the Internal Control Coordinator. The manager at the next level is responsible for reviewing the report and determining the validity of the issue. The next level manager will decide which one of the following actions is appropriate:

    1. Return the report to the preparer if the issue is not valid or if additional information/clarification is needed.

    2. Develop a corrective action plan, if appropriate, and obtain approval.

    3. Approve the corrective actions for implementation.

    4. Elevate the issue to the next higher level of management or to the process owner.

  8. Approved plans will be returned to the appropriate level manager for implementation. The manager must then monitor and regularly report progress to the approving official. Periodically, the manager must:

    1. Assess whether the corrective action plan is achieving the desired goal(s) and continues to be relevant under current operational conditions.

    2. Document and obtain the appropriate level of approval to complete or revise an action or reschedule a target date.

    3. Provide a copy of all approved documentation to the Internal Control Coordinator for tracking purposes.

  9. The FMC ESC identifies new material weaknesses. The fields in a material weakness plan are the same as the significant deficiency plan (see the CFO website for the Annual Assurance Process).


    REPORT OF SIGNIFICANT DEFICIENCY (Part 1)
    Material Weakness Field Field Description
    Title Enter a short but descriptive title.
    Responsible Official This will normally be a Head of Office, Division Commissioner, or Chief Officer.
    Description Describe the significant deficiency in terms of its effect on mission accomplishment, lost revenue, error rates, or impact on compliance, taxpayer burden, operating efficiency. Be quantitative, if possible. Be specific about what undesirable consequences could occur if the significant deficiency is not corrected.
    Source of Discovery How was the significant deficiency identified? Sources usually include, but are not limited to, the Annual Assurance Review, a control review, an operational review, an event that occurred during the year, or audit reports.
    Correction Strategy Briefly summarize the proposed approach or course of action to correct the significant deficiency.
    Results Indicator/Effectiveness Measures Briefly describe what indicators will be used to evaluate whether the actions taken have corrected the underlying cause of the significant deficiency. Indicators should be specifically related to the significant deficiency and be based on performance measures, either qualitative or quantitative.
    Validation Process Describe how data will be collected to support the results indicator. Some possible methods include using existing management information or performance statistics, special surveys, sampling and analyzing data, management control reviews, etc.
    Target Correction Date Enter the date by which all corrective actions are expected to be completed and validated.
    Other Issues Use this space to briefly explain anything else that requires management's assistance or attention, including any related concerns such as resource needs, dependencies with other organizations, cross-functional ownership, etc.
      Prepared by: Name, Organizational Code
    Telephone Number
    Date of Preparation
    Include the name, organizational code and phone number of the manager who has identified the significant deficiency. (The submitting official is not necessarily the Responsible Official for correcting the significant deficiency)

    REPORT OF SIGNIFICANT DEFICIENCY (Part 2)
    Significant Deficiency Title –Enter the title of each page of the Corrective Action Plan.
    Major Milestones Completion Dates
      Original Plan Revised Plan Actual Date
    Completed Actions - List actions that have already been completed and show the completion date in the Actualcolumn.      
    Short-Term Actions - List each action that will take place within the next twelve months and give the target completion date in the Original column.      
    Longer-Term Actions - List each action that will be completed more than twelve months from now and show the target completion date in the Original column.      
    Prepared by: Name, Organizational Code
    Phone Number
    Date of Preparation

1.4.2.10.7  (08-28-2009)
Indicators and Goals

  1. Results indicators (or performance measures) assist in determining how well the process is working compared to past performance. They can also identify positive/negative factors affecting program and administrative performance/effectiveness. In developing an appropriate results indicator, first consider the problem you are trying to correct or improve, such as timeliness of certain actions or reduction in the error rate of a particular process. If the results indicator selected does not directly tie to the specific deficiency, the corrective actions may fix the problem but may not be reflected in the performance results. Therefore, ensure that the results indicator is relevant to the problem being fixed and is based on observable performance measures, either quantitative or qualitative.

  2. Goals are used to tie the results indicator to the improvement of a particular product or process. Goals can be qualitative or quantitative.

    1. Qualitative goals are general in nature and suggest a desired direction but do not establish a specific numeric target. Qualitative goals may be appropriate for new processes or processes for which no baseline data exists. However, without baseline data and quantitative measures, it will be difficult to assess whether your goals have been met.

    2. Quantitative goals are more focused and establish a specific numeric target (e.g., "Travel Vouchers will be filed within five business days after the end of the month" ). Quantitative goals should be based on statistically valid results of previous reviews or a compilation of information or numerical/quantitative recordation. In establishing quantitative goals, consider the anticipated level of available resources to implement the corrective action plan, organizational priorities and initiatives, and the interaction between multiple organizational goals.

    See IRM 1.5.1, Managing Statistics in a Balanced Measurement System, The IRS Balanced Performance Measurement System.

1.4.2.10.8  (08-28-2009)
Validate Outcomes

  1. When all corrective actions are completed, apply the plan's validation process to evaluate whether the actions taken achieved the desired outcome as indicated by the results indicator. If the measure or the results indicator implies that the deficiency has not been corrected, examine whether the corrective actions were effective and/or the validation process was appropriate. If the corrective action plan was not effective, review, revise, and implement a new plan.

  2. Once a results indicator validates that corrective actions have effectively cured the significant control deficiency, forward the Report of Significant Deficiency to the approving official for concurrence. This concurrence represents management's assurance that the problem/deficiency has been corrected. A copy should be submitted to the Internal Control Coordinator and retained for use in preparing the Annual Assurance Certification Memorandum (see IRM 1.4.2.11).

  3. Under no circumstances should management concur that a deficiency has been corrected until they are certain the risk has been mitigated to an acceptable level. This process is continuous; management must periodically reassess risks against current conditions to ensure that controls are effective.

1.4.2.11  (12-14-2012)
Annual Assurance Review Process

  1. The Annual Assurance Review Process focuses on the adequacy of internal controls within each organization. Internal Controls are processes, both administrative and program specific, that ensure programs achieve their intended results, organizations realize their goals, and financial and management reports are accurate, complete, and timely. Managers assess risks (i.e., the probability of a negative, unanticipated occurrence) of operations, determine if controls mitigate those risks, and certify that those controls are effective. If not, managers identify significant deficiencies found in the internal control procedures.

  2. Each Spring, the CFO issues guidance to the Deputy Commissioners, Division Commissioners, Chiefs, Directors, National Taxpayer Advocate, and Chief Counsel on the annual self-assessment of internal controls and on preparing the annual assurance memorandum for their organization.

  3. Through the Annual Assurance Review process, all managers conduct an annual self-assessment whereby they must review the effectiveness of controls within their own area of responsibility and prepare individual written certifications to support certification. The involvement of each level of management in certifying the control environment within their own sphere of operations is necessary in identifying risks at all levels. Managers must address in their assurance memorandum financial management systems compliance with the provisions of FFMIA.

  4. First-line managers should use the Self-Assessment Tool for Managers as part of their self-assessment. Function-specific questions may be added to this document to further enhance its usefulness.

  5. A problem in the design or operation of an internal control should be reported to the next level of management as a significant deficiency. The FMC ESC will determine if the significant deficiencies rise to the level of material weaknesses (i.e., a significant deficiency reported to Treasury and, potentially, through Treasury to OMB).

  6. Material internal control weaknesses (material weakness) are systemic deficiencies in the design or operation of programs or systems, or a lack of controls that pose a significant risk of one or more of the following occurring:

    1. The inability to deliver/execute program/operational services in accordance with the agency’s mission and/or legislation

    2. Errors, omissions, and/or fraud in performance and other financial information or financial statements that would mislead users and/or management in decision-making processes

    3. Financial commitments for programs and/or operations that are inconsistent with applicable provisions of law

    4. The inability to properly safeguard assets

  7. The assurance memorandum should be a one or two-page certification containing a specific statement on the status of your internal control. There are two types of assurance:

    1. Reasonable Assurance is an informed judgment by the head of an organization, based upon all available information, that the internal controls in place adequately protect the resources and ensure mission completion. Reasonable assurance recognizes that the cost of controls should not exceed the benefits derived from them.

    2. Qualified Assurance is an informed judgment by the head of an organization, based upon all available information, that the internal controls in place may not be adequate to address the problems identified in the assurance memorandum. This opinion is based on the number of identified problems or the seriousness of the problems.

  8. The assurance memorandum should briefly describe the process used to verify that adequate management controls are in place and functioning effectively to accomplish organizational goals and protect IRS resources. Consider the information systems environment operated or used by your organizations and issues identified by GAO, TIGTA, and IRS management reviews in preparing the certification.

  9. Corrective action plans for newly identified significant deficiencies should be included with the assurance memorandum (see IRM 1.4.2.10.6). Managers should execute actions necessary to resolve significant deficiencies, regardless of whether or not the FMC ESC deems them material. Corrective action plans for significant deficiencies identified in the previous fiscal year will be updated. Significant deficiencies that have been corrected will be submitted with a certificate of completion describing the validation process and the Results Indicator data that verifies that the significant deficiency has been corrected.

  10. The FMC ESC will evaluate these reports and, based on this and other relevant information, recommend to the Commissioner what level of assurance should be submitted in the IRS's Annual Assurance Statement, and any newly-identified material weaknesses.

  11. As required by FMFIA, the Commissioner signs and submits an Annual Assurance Statement to Treasury by November 1st of each year.

1.4.2.12  (08-28-2009)
Servicewide Tracking of Material Weaknesses and Significant Deficiencies

  1. JAMES tracks issues, findings, recommendations and the current status of corrective actions plans for all material weaknesses, significant deficiencies, remediation plans and the Office of the Inspector General, GAO, and TIGTA audit reports for all Treasury Bureaus. Tracking these plans is mandatory to comply with the intent of FMFIA and with OMB and Treasury Circulars and Directives. The information contained in JAMES is used by Treasury to assess the effectiveness and progress that bureaus are making in implementing audit recommendations and correcting their internal control material weaknesses and significant deficiencies.

1.4.2.13  (12-14-2012)
Remediation Plan

  1. FFMIA requires agency heads to annually assess whether their financial management systems can prepare required financial statements and reports, can provide reliable and timely financial information for managing operations, and can account for assets, all in accordance with Federal accounting standards and the United States Standard General Ledger (USSGL).

  2. Agencies that are not in compliance with FFMIA must develop a remediation plan to achieve compliance.

  3. Agencies that are not in substantial compliance with FFMIA must bring their financial management systems into substantial compliance within three years; if this cannot be achieved, a waiver for a longer period must be requested from OMB.

  4. As a condition of OMB’s waiver to the three-year requirement for completing FFMIA remediations, the IRS is required to provide a quarterly status review of performance for all remedies that were open during the quarter. The CFO has overall responsibility for the IRS remediation plan. The FMC ESC monitors the plan and it is tracked in JAMES.

  5. The responsible organization updates the executive summary of the remediation plan with significant accomplishments achieved during the quarter and significant obstacles identified.

  6. FFMIA requires that estimated and actual resources to implement action plans be identified by fiscal year. The responsible organization provides all costs to implement the recommendations and indicates the dollar amount approved by project. The responsible organization is also required to:

    1. Describe the methodology to calculate costs.

    2. Identify the phase if the estimated resources apply to a particular phase of implementation.

    3. Identify the resources associated with the primary recommendation and any subsequent recommendations if the resources apply to more than one recommendation.

    4. Identify the cost in dollars for Full-Time Equivalents (FTEs).

    5. State any costs that will be absorbed by normal business practices.

    6. Report costs associated with contractor support, technical requirements (include hardware, software, infrastructure build-out and data storage), and any other cost category associated with implementation of the remedial action.

  7. The responsible organization identifies the source used to document estimated and approved resources.

    1. Owners of all remediation actions identify resources for all years covered by the actions, and the owners maintain work paper documentation to support the identified resources. The documentation includes a breakdown and explanation of estimated costs for FTEs, hardware, software, and contractor support costs, as well as dates indicating when the last estimates were calculated. The TIGTA audit team will validate that the current and out-years resource estimates reflect the date of reassessment. The OIC will determine if the documentation should be submitted.

    2. Supporting documentation identifies the material weakness area and associated project/component area (corrective action) covered in the analysis. In addition, the preparer’s name and date of preparation must be clearly shown on the documentation.

    3. Supporting documentation identifies the same category break-outs (e.g. FTE, contractors, hardware) as those reported in the actual remediation plan in order to map/trace reported dollar figures with corresponding supporting documentation.

    4. Non-FTE incurred costs such as those for contractors, hardware, and software are supported by billing statements or requisitions.

    5. Non-FTE estimates comprised of multi-organizational requirements (i.e., sustaining infrastructure) and pooled funding should reflect spending priorities. Provide time deadlines for the various phases/equipment purchases and identify those that need approved funding in order for the remedial action to meet their target due dates.

  8. The responsible organization updates the status where appropriate. This includes any change in the current status, issues, completed actions, rescheduled due dates, or revised actions. If the action is not due yet and does not need to be rescheduled, the responsible organization indicates “On schedule.”

    1. For completed remedies, give a brief description of the action taken and the date completed.

    2. For rescheduled remedies, provide the new date and the justification for the delay.

    3. For revised remedies, give a concise but brief description of the revised action, anticipated completion date or date completed, and the justification for the revision. The OIC will coordinate the approval process.

    4. For new remedies, identify the related GAO finding and recommendation for the new remedy. Give a concise but complete description of the action to be taken and the anticipated completion date or date completed, and the resources required for implementation of any open remedy.

    5. For new remedies, identify duplicate actions contained in a material weakness or audit report. This crosswalk will allow you to report any update to the status simultaneously for all reports and eliminate the need for duplicate reporting.

  9. Annually, TIGTA reviews the IRS FFMIA remediation plan. TIGTA performs the review to meet its requirement under the FFMIA that states, in general, that each Inspector General shall report to the Congress instances and reasons when an agency has not met the intermediate target dates established within its FFMIA remediation plans.

  10. TIGTA’s overall objective is to determine any instances of and reasons for missed intermediate target dates established in the current IRS Fiscal Year FFMIA Remediation Plan and to determine whether the IRS has taken adequate corrective actions on its prior year’s audit findings related to the FFMIA remediation plan. To achieve its overall objective, TIGTA will determine whether:

    1. The IRS FFMIA remediation plan was consistent with GAO recommendations from prior IRS financial statement audits and related financial management reports.

    2. The IRS missed any intermediate target dates established in its FFMIA remediation plan, whether any intermediate target dates were extended without sufficient documentation to support the revised dates, and if proper approval was obtained for remedial actions extending more than three years.

    3. The IRS FFMIA remediation plan had established resource needs for remedial actions and whether the resources presented were consistent with supporting documentation.

    4. The IRS took adequate corrective actions on its prior year’s audit findings related to the FFMIA remediation plan.

1.4.2.14  (12-14-2012)
Identification of Quality Assurance Reviews and Initiatives

  1. In FY 2012, the IRS Annual Assurance Process was expanded to identify key Management Reviews, Program Evaluations, and Quality Assurance Reviews (“reviews”) conducted by the BODs to assess the effectiveness of IRS operational controls. These organizational reviews are extremely important to the IRS and can result in saved resources, enhanced mission accomplishments, and more effective responses to issues identified by GAO and TIGTA.

  2. When identifying Management, Program, and Quality Assurance reviews, the following examples should be considered:

    1. Quality Assurance Auditing by the BODs to objectively and independently evaluate adherence to processes and work products in applicable directives, processes, standards, procedures, and guidelines (e.g., TFRP Quality and Assurance Reviews and Reviews to Determine Lien Release Timeliness in Scope)

    2. Compliance IDRS Adjustment Reviews to help prevent unpostables and ensure correction of errors

    3. Quality Review of data to provide a basis for measuring and improving program effectiveness which generate corrective actions (e.g., quarterly announced and unannounced reviews of couriers; receipt and control at lockbox banks, campuses and Taxpayer Assistance Centers)

    4. Quality Review process that provides a method to monitor, measure, and improve the quality of work and identify trends, problem areas, training needs, and opportunities for process improvement (e.g., random testing of guard response to alarms at all campuses and computing centers)

  3. The CFO issues the BODs a questionnaire and the results are used to determine an inventory of IRS internal control activities.

1.4.2.15  (12-14-2012)
Related Resources

  1. The following statutes and regulations are the most significant congressional acts that affect the management controls program at the IRS:

    1. Federal Managers' Financial Integrity Act (FMFIA) of 1982,

    2. Federal Financial Management Improvement Act of 1996

    3. Chief Financial Officers Act of 1990

    4. OMB Circular A-123, Management Accountability and Control

    5. Treasury Directive 40-04, issued January 4, 2001

    6. Inspector General Act 1978, as amended

    7. OMB Circular A-127, Financial Management Systems, revised January 9, 2009

    8. Standards for Internal Control in the Federal Government

    9. Government Performance and Results Act (GPRA) Modernization Act of 2010

    10. IRM 1.4.24, Monitoring Internal Control Planned Corrective Actions

    11. IRM 1.4.3, IRS Guidance for Implementing OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting

    12. IRM 1.5.1, Managing Statistics in a Balanced Measurement System, The IRS Balanced Performance Measurement System


More Internal Revenue Manual