Accessibility Skip to Top Navigation Skip to Main Content Home  |  Change Text Size  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  

Part 1. Organization, Finance and Management

Chapter 4. Resource Guide for Managers

Section 3. IRS Guidance on OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting

1.4.3  IRS Guidance on OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting

1.4.3.1  (08-14-2009)
Background

  1. The passage of the Sarbanes-Oxley Act of 2002 (SOX), served as an impetus for the Federal government to reevaluate its current policies relating to internal control over financial reporting and management’s related responsibilities. SOX requires management of publicly-traded companies to strengthen their processes for assessing and reporting on internal control over financial reporting. While SOX created a new requirement of publicly-traded companies, Federal managers have been subject to similar internal control reporting requirements for many years.

  2. A joint committee of representatives from the Chief Financial Officers Council and the President’s Council on Integrity and Efficiency (PCIE) was formed and tasked with reviewing the SOX requirements for publicly-traded companies, determining how these requirements apply to Federal agencies, and recommending changes to the existing guidance on internal control. The joint committee recommended significant changes to the Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting, which included a requirement for agencies to document and test internal controls to ensure they are in place and working as intended.

  3. Management cannot rely on the internal control testing of external oversight organizations (Government Accountability Office (GAO), Treasury Inspector General for Tax Administration (TIGTA)) to meet the A-123 requirement to test internal control. Also, each reporting entity in the Department of the Treasury is required to include an A-123 Statement of Assurance in their Federal Managers Financial Integrity Act (FMFIA) (31 U.S.C. 3512) and Federal Financial Management Improvement Act (FFMIA) (P.L. 104 - 208) Annual Assurance Statement. The Statement of Assurance can be:

    1. Unqualified statement of assurance (no material weaknesses reported).

    2. Qualified statement of assurance, considering the exceptions explicitly noted (one or more material weaknesses reported).

    3. Statement of no assurance (no processes in place or pervasive material weaknesses).

1.4.3.1.1  (08-14-2009)
The Department Of The Treasury’s Five-Part Approach

  1. The Treasury Office of the Chief Financial Officer (TCFO) chartered a work group to address the requirements of OMB Circular A-123, Appendix A, Internal Control Over Financial Reporting. The TCFO Council (TCFOC) Work Group developed the Treasury Catalogue of Risks and Controls, which serves as the transactional universe for testing internal controls over financial reporting. Treasury requires bureaus to:

    1. Test controls over specific financial transactions that are material to Treasury consolidated financial statements. Each year Treasury provides a list of transactions that the Internal Revenue Service (IRS) is required to test.

    2. Identify their key financial reports and review the format, content, accuracy, method of assembly, and usefulness to decision makers. In addition, Treasury requires IRS to review Treasury Information Executive Repository (TIER) reporting, and review eliminations procedures for intergovernmental payments.

    3. Complete GAO’s Abbreviated Internal Control Questionnaire.

    4. Review the implementation of governing regulations and incorporate the results of internal control or management oversight reviews in the overall assessment of internal controls over financial reporting.

    5. Review TIGTA and GAO audits related to financial reporting to determine the adequacy and value of management actions taken.

1.4.3.1.2  (08-14-2009)
References

  1. Department of the Treasury Catalogue of Risks and Control.

  2. Revised OMB Circular A-123, Management’s Responsibility for Internal Control.

  3. GAO/PCIE Financial Audit Manual (FAM).

1.4.3.1.3  (08-14-2009)
Governance

  1. The IRS has adopted a two-tiered governance process to ensure A-123 requirements are consistently executed, documentation is adequate, results are credible, and corrective action plans adequately address problems. The two-tiered governance process consists of the Financial and Management Controls Executive Steering Committee (FMC ESC), and the A-123 Review Board.

  2. The Financial and Management Controls Executive Steering Committee (FMC-ESC) is chaired by the CFO and provides executive level oversight to the A-123 process by:

    1. Reviewing A-123 results.

    2. Approving the interim and final assurance statements.

  3. The A-123 Review Board is an advisory working group composed of senior managers. Members represent CPIC’s Office of Internal Control, Internal Financial Management (IFM), Revenue Financial Management (RFM), and the Office of Program Evaluation and Risk Analysis (OPERA). The A-123 Review Board has two key responsibilities:

    1. Review test plans to ensure test objectives are accurately defined and contains all required internal control procedures.

    2. Review sampling plan to ensure the methodology, type of sample, and samples sizes are appropriate.

    Section 1.4.3.4 shows the governance process.

1.4.3.1.4  (08-14-2009)
Functional Roles and Responsibilities For A-123 Process

  1. A successful A-123 program requires a high level of team work and coordination among CFO organizations and other IRS business units. The following sections describe each organization's roles and responsibilities.

1.4.3.1.4.1  (08-14-2009)
Chief Financial Officer (CFO)

  1. The CFO is responsible for executing A-123 responsibilities in support of Treasury’s assurance statement and ensuring that controls over IRS financial reporting are properly identified, tested, and evaluated.

1.4.3.1.4.2  (08-14-2009)
Corporate Planning and Internal Control (CPIC)

  1. The Associate Chief Financial Officer (ACFO) for Corporate Planning and Internal Control (CPIC), Office of Internal Control (CPIC-IC), has overall responsibility for leading the A-123 process in the IRS, and will:

    1. Ensure A-123 assessment objectives are clearly communicated throughout the agency.

    2. Develop the assessment methodology and guidance.

    3. Coordinate activities and time-lines with Treasury and GAO.

    4. Enhance review to meet structured management review requirements.

    5. Provide oversight and assistance to ensure the assessment is carried out in a thorough, effective, and timely manner to include: establish and manage the schedule of all required activities; ensure adequacy of sampling; lead Test Teams in executing tests of transactions; elevate issues identified during testing to the functional ACFO, when appropriate; determine if a sample must be expanded; review all test packages prior to submission to the ACFO to ensure adequacy of documentation and ensure evidence supports conclusions; coordinate completion of the Self-Assessment Questionnaire; coordinate the assessment of Financial Reporting Compilation and Preparation; perform an assessment of Regulatory Compliance and Internal Reviews; and monitor corrective action plans.

    6. Administer the Governance process to include: chair the A-123 Review Board and provide scheduling and administrative support; present status and results of A-123 activities to the FMC ESC and the A-123 Review Board; and document key decisions.

    7. Communicate with agency management and employees regarding the assessment.

    8. Identify Subject Matter Experts (SMEs) to develop complete and timely test plans.

    9. Communicate and coordinate with external oversight groups.

    10. Serve as a central repository for all official A-123 records.

1.4.3.1.4.3  (08-14-2009)
Functional ACFOs: Internal Financial Management (IFM), Revenue Financial Management (RFM), and Corporate Performance Budgeting (CPB)

  1. Functional ACFOs are responsible for the following A-123 actions:

    1. Designate an A-123 Review Board representative and back-up.

    2. Provide SMEs to participate in development and updating of test plans and testing.

    3. Gather internal control documentation.

    4. Evaluate existing management review procedures to determine whether their findings support their use in lieu of A-123 testing.

    5. Enhance review to meet structured management review requirements.

    6. Support transaction testing responsibilities by: identifying and obtaining data (or any other documents needed for tests) from cross-servicing organizations (Department of Labor, National Finance Center), as needed; partnering with CPIC-IC to execute test plans; and reviewing test plans results as required.

    7. Determine the adequacy of internal controls for each transaction based on test results and CPIC-IC review input.

    8. Develop and monitor corrective action plans for identified weaknesses or areas of potential improvement.

1.4.3.1.4.4  (08-14-2009)
Statistics of Income (SOI)

  1. SOI is responsible for the following actions:

    1. Determine an appropriate sampling method for each internal control.

    2. Use statistical sampling methods to generate random samples.

1.4.3.1.4.5  (08-14-2009)
Office of Program Evaluation and Risk Analysis (OPERA)

  1. OPERA is responsible for the following actions:

    1. Assist in revising test plans based on feedback from test performed.

    2. Perform internal control testing.

    3. Participate on the A-123 Review Board.

1.4.3.1.4.6  (08-14-2009)
A-123 Test Teams

  1. Test Teams are responsible for the following actions:

    1. Execute test plans.

    2. Analyze test results to determine if internal controls are working.

    3. Propose corrective actions to the appropriate functional ACFO if weaknesses are identified.

1.4.3.1.4.7  (08-14-2009)
Test Team Leader

  1. Test Team Leader is responsible for the following actions:

    1. Perform test work in accordance with the relevant standards and A-123 policies.

    2. Elevate significant matters to the functional ACFO for further consideration.

    3. Ensure appropriate consultations have taken place, conclusions have been documented, and appropriate follow-up actions are planned.

    4. Coordinate development of the internal control test plan.

    5. Revise, if appropriate, the nature, timing, and extent of work performed.

1.4.3.1.5  (08-14-2009)
General Guidance for A-123

  1. General guidance for A-123 follows.

1.4.3.1.5.1  (08-14-2009)
A-123 Schedule

  1. CPIC-IC, in coordination with the Functional ACFOs (IFM, RFM and CPB), will develop a detailed A-123 execution schedule to ensure tests are appropriately scheduled and sufficient resources are available. CPIC-IC will monitor the schedule and inform the functional ACFO of execution delays.

1.4.3.1.5.2  (08-14-2009)
Test Planning

  1. In planning, test objectives, as well as the scope and methodology to achieve those objectives, should be defined. Objectives, scope, and methodologies are not determined in isolation. These three elements are planned together, as the considerations in determining each often overlap.

    1. The objectives describe what the test intends to accomplish.

    2. Scope is the boundary of the test and should be directly related to the objectives. For example, the scope defines parameters of the test such as the period of time reviewed, the availability of necessary documentation or records, and the locations at which work will be performed.

    3. The methodology comprises the steps and techniques (such as inspecting sample data or observing controls) involved in gathering and analyzing data to achieve the objectives. Methodology includes both the types and extent of test procedures used to achieve the objectives. Test plans document and provide sufficient, competent, and relevant evidence to achieve the test objectives.

  2. Test planning activities should be documented and include:

    1. Documentation of the internal control process and environment as it relates to the specific transactions to be tested.

    2. Results of previous audits, reviews, and following up on known significant findings (matters for further consideration) and recommendations that directly relate to the objectives of the testing.

    3. Potential sources of data that could be used as evidence.

    4. Relevant management reviews and determining whether structured management reviews or quality assurance reviews may be used to satisfy some of the test objectives.

    5. Preparation of a test plan.

    6. Identification of appropriate and sufficient staff and other resources necessary to adequately perform the testing.

    7. Communication of general information concerning the planning and performance of the testing to officials responsible for the controls being tested and others as applicable.

1.4.3.1.5.3  (08-14-2009)
Work Paper Documentation

  1. Through inspection, observation, inquiries, or confirmations, testers obtain sufficient, competent evidential matter to afford a reasonable basis for an opinion regarding the internal controls that were tested. Also, when IRS controls are not exactly the same as those identified in the Treasury Catalogue of Risks and Controls, crosswalks to the catalogue must be documented to show the differences. Documentation related to planning, conducting, and reporting on A-123 activities should contain sufficient information to enable an individual who has had no previous connection with the testing to understand what was tested, how the test was conducted, test results, and verify the reviewer’s judgments and conclusions.

  2. All aspects of testing activities require a high-level of documentation (see Section 1.4.3.3 for more information on work paper documentation). Documentation provides the principal support for the A-123 process, aids those conducting and supervising the testing, and allows for quality review and oversight reviews.

  3. Determining the quantity, type, and content of documentation requires sound judgment. Documentation should be detailed enough to provide a clear understanding of the internal control test’s purpose, data sources, and conclusions. Documentation should be logically organized to provide a clear link to the conclusions and recommendations. A-123 test documentation must contain the following items:

    1. Objectives, scope, and methodology for each A-123 test.

    2. Support for each test conducted and conclusions reached: rationale for key decisions and deviations from guidance; sampling decisions and methodology to include information on the definition of the sampling universe and rationale for any deviations from the approved sampling methodology; testing time period; nature of documents or processes examined; testing results, analysis, and conclusions, to include copies of documents examined and a clear and concise summary of results, cross referenced to supporting documents; and resolution of anomalies or other issues.

    3. Evidence of supervisory review of the work performed that supports conclusions and recommendations about the controls tested.

1.4.3.1.5.4  (08-14-2009)
Testing

  1. Test Teams execute the test plans, and draw conclusions regarding the adequacy of internal control. Testing is performed by individuals who are:

    1. Adequately trained to execute the test plan.

    2. Aware of documentation requirements.

    3. Properly supervised.

    4. Not responsible for the controls or transactions in the test plan (independent).

    5. Not an employee who reports to the manager directly responsible for the internal control being tested.

  2. The Test Teams may be composed of CPIC-IC staff, OPERA staff, and functional SMEs.

1.4.3.2  (08-14-2009)
Transaction Test Plan Development and Test Execution

  1. A-123 requires internal controls be documented and tested independent of testing by outside groups such as GAO and TIGTA. This section describes the IRS processes for test plan development, test execution, and internal control documentation.

1.4.3.2.1  (08-14-2009)
Document Internal Controls

  1. Internal controls are documented policies and procedures used by management to ensure transactions are accurate, properly recorded, and executed in accordance with management’s directives. SMEs will work with CPIC-IC to ensure current documentation (described below) is available for each transaction.

  2. Financial reporting process documentation includes:

    1. A description of key processes including examples of the processing documents (flowcharts, cycle memos, desk guides).

    2. Process relationship to financial statement line items, significant accounts, group of accounts, and major classes of transactions.

    3. Inputs, activities, and outputs in place to accomplish the processes control objectives.

    4. Key financial reporting controls.

    5. Information systems used to support the process.

    6. Description and results of monitoring activities in place to ensure controls are functioning properly.

    7. Relationships to other financial reporting processes.

    8. Policies and procedures governing transactions such as laws and regulations, IRMs, policy and procedure manuals, desk procedures, etc.

    9. External financial reporting assessments (reports issued by GAO or TIGTA).

    10. Internal financial reporting assessments (FMFIA and FFMIA).

1.4.3.2.2  (08-14-2009)
Document Crosswalk

  1. Ensure there is an adequate crosswalk between the risks and controls in the Treasury Catalogue of Transactions and the risks and controls in the IRS-specific templates. (Note, not all transactions Treasury assigns to the IRS have IRS-specific risks and control templates.) The Treasury Catalogue of Risks and Controls is maintained by Treasury and used by all bureaus and offices in developing their test plans. In some cases, however, IRS controls are not exactly the same as those identified in the Treasury catalogue. In those cases, IRS-specific risks and controls must be crosswalked to the Treasury Catalogue. This crosswalk documents each of the IRS risks and controls and matches it with the associated Treasury Catalogue of Risks and Control (see example below).

    AC-XY
    Transaction Posting Setup
    Treasury Catalogue   IRS-Specific Template
    Major Step 1.Bureau identifies a new type of transaction or reassesses current posting logic setup   Step 1.Identify new transaction requirement or update to existing posting logic and forward change request to IFS Master Data team
    Control Set: Training plan ensures Bureau staff recognize new transactions   Control: Treasury reporting requirements and guidance issued in its manual
        Control: TIER edit checks
        Control: IFM review

1.4.3.2.3  (08-14-2009)
Evaluate Structured Management Review

  1. Quality review and quality assurance processes that are already in place and covering many IRS activities may be considered Structured Management Reviews. As part of the A-123 process, Structured Management Reviews may serve as assurance of testing of internal controls but the review must meet specific criteria. The template in Section 1.4.3.5 is used to evaluate the adequacy of the Structured Management Review, and for quality review and oversight reviews of the A-123 process. The documentation should contain sufficient information to enable an individual with no previous connection with the evaluation to understand what was reviewed, what was found, and verify the reviewer’s judgments and conclusions.

  2. A Structured Management Review should have the following elements:

    1. Documented procedures that guide the structured management review.

    2. Reviews performed at regular intervals.

    3. Documented and independent review of results.

    4. Documented process to resolve noted deficiencies.

  3. If the Structured Management Review does not meet the standards necessary for A-123, then testers should include recommendations in the work papers for changes to the Structured Management Review so results can be substituted for A-123 testing.

1.4.3.2.4  (08-14-2009)
Develop and Document Test Plan

  1. Testing controls involves ensuring the controls are in place, operating as intended, and meeting control objectives. Test Plans are designed to test control effectiveness and consider test objective(s), control risk, control strengths, and control weaknesses. A transaction is a discrete financial activity that produces information in Treasury’s Consolidated Financial Statements. Each transaction has a series of major steps, risks, and controls that further describe the process; each key control must be tested. Use the outline, Template in section 1.4.3.6, to develop the internal control test plan.

  2. IRS procedures when evaluating controls include:

    1. Description of the control test objective.

    2. Methods (inspection, observation) that will be used to test effectiveness of the controls: (a) Inspection: looking at evidence of a given control (for example, looking for signatures of a reviewing official or reviewing past reconciliations); (b) Observation: observing actual controls in operation (observing a physical inventory or watching a reconciliation occur); (c) Reconciliation: checking whether two items are consistent; and/or (d) Re-performance: re-performing a given control. Note: IRS should use re-performance in limited situations such as re-performing a reconciliation.

    3. Size of samples to be tested.

    4. Sample methodology (simple random sample and non-statistical sample).

    5. Universe the sample will be drawn from.

    6. Parameters that constitute a failed test.

    7. Specific tests and documents to be reviewed.

1.4.3.2.5  (08-14-2009)
Document Sample Universe and Obtain Sample from Statistics of Income (SOI)

  1. SOI will determine the most appropriate sample method for each internal control. Use the template in Section 1.4.3.7 to document the population. Sampling methodologies must be:

    1. Reliable: will a particular technique, applied repeatedly to the same object, yield similar results?

    2. Consistent: is the test plan’s scope and depth appropriate and consistent with other test plans?

    3. Valid: does the test plan measure what it is intended to measure?

  2. Acceptable Sampling Methods for A-123: Under A-123 there is no requirement to do statistically valid, random sampling. At IRS, the preference is to use one of the following two methods.

    1. Non-Statistical Sample: A subset of a defined population, randomly selected, but not valid to make statistical inferences within a defined level of confidence and precision.

    2. Simple Random Sample: A subset of a defined population also selected using a statistically valid methodology in which every member of the population has an equal, nonzero probability of being selected. This method can be used to make inferences about the population within a defined level of confidence and precision. In general, the more confident and precise you wish your sample estimate to be, the larger the required sample.

  3. Sampling Guidelines:

    1. In some cases, seasonal fluctuations, such as periods of limited availability, early in the fiscal year for obligations or tax return filing patterns may require selecting samples from several periods throughout the year to ensure a representative sample. The Test Team should fully explain such work patterns to SOI, and have SOI recommend an appropriate sample methodology.

    2. If one of the sample items is not reviewable (for example, transaction was reversed and is no longer there), the tester should not use that item. Instead select the very next item from the population to review. For example, if testers are reviewing a sample of invoices and one invoice cannot be used, then select the very next invoice from the population. However, the reason the sampled item could not be reviewed must be fully documented in the work papers. If testers have any questions about how to proceed, they must confer with the Test Team Leader.

  4. In defining the population, test plan authors should identify the entire set of items from which the sample should be drawn. This includes:

    1. Describing the population or sub-population if large-dollar-only requirements are set, and tie the population to the trial balance.

    2. Ensuring the entire population is accounted for/included in the population from which the sample is drawn.

    3. Determining the source document or the transaction documents to be tested.

    4. Defining the period covered by the test. In addition, if appropriate, stratify the population to ensure sample is taken from appropriate strata(s) of the sample, such as only high-dollar value items.

  5. The sample items selected for testing purposes must be those from the current fiscal year, with one exception. When transactions occur only at the end of the fiscal year, selection from the previous fiscal year is permissible.

  6. If any changes in internal controls over financial reporting are made or if financial systems change, test transactions should be selected after such changes have been implemented.

  7. When multiple locations are involved, all or several locations may be considered one population for sampling if the controls at each location are performing essentially the same function and using the same internal controls that are based on the same IRMs, procedures, etc. Before combining locations into one population, management and test plan authors should consider such factors as:

    1. The extent of uniformity of the controls and their applications at each location.

    2. Whether significant changes can be made to the controls or their application at the local level.

    3. The amount and nature of centralized oversight or control over local operations.

    4. Whether there could be a need for separate conclusions for each location.

    If it is concluded that the locations should be separate populations, then test plan authors should select separate samples at a sample of locations; and testers and management should evaluate the results of each sample separately.

  8. The number of locations where the control is performed will dictate the number of sites to be visited. When controls are being performed at several sites, SOI will assist test teams to ensure coverage and rotation schedules are appropriate to ensure adequate control testing.

1.4.3.2.6  (08-14-2009)
A-123 Review Board Reviews Test Plan

  1. After the test plan update is completed by the SME, the CPIC-IC Test Team Leader will review and approve the plan, and forward test plan to A-123 Review Board for its approval.

1.4.3.2.7  (08-14-2009)
Ensure Test Team is Prepared to Conduct the Test

  1. The Test Team should be well prepared so that the testing process will be efficient and effective. The Test Team should understand the test plan, sample population, and A-123 Guidance.

1.4.3.2.8  (08-14-2009)
Transaction Testing Sequence

  1. The following chart documents the A-123 Test Sequence.

      First Stage Second Stage Third Stage Fourth Stage
    Responsible Party Test Team Test Team Leader CPIC ACFO
    Time Frame 7 Business Days   5 Business Days 5 Business Days
    Responsibility Complete documentation and review within 7 days of finishing testing. See definition of completed test below. (Exceptions may be made for complex transactions and must be approved by the Director, Internal Control). Test Team leader will forward work papers to CPIC-IC. CPIC-IC reviews test package. ACFO has 5 days to review the test packages and make a determination regarding control effectiveness.

  2. Tests are considered completed when the following actions have been taken:

    1. Work papers are completed.

    2. Work papers are indexed according to guidance in Section 1.4.3.3(7).

    3. A-123 Test Summarization Form is completed in Section 1.4.3.8.

    4. Transmittal form in Section 1.4.3.9 is completed.

    5. Test package is delivered to CPIC-IC.

1.4.3.2.9  (08-14-2009)
Evaluating Errors Discovered During Testing

  1. When evaluating errors, Test Teams must be conscious of the sequential nature of the internal control process. Often errors detected in one internal control will be found and corrected in another step in the process. Therefore, when testers find internal control problems, before reporting the problem as an error for A-123 purposes, they must ensure that a subsequent internal control is not mitigating the problem before it impacts the financial statement. One failure in one of several tests would not necessarily indicate an internal control weakness exists. The testers must consider the error in the context of the entire transaction. The ultimate goal of internal control over financial reporting is to ensure accurate information is reported in the financial statements.

  2. Identify and Document Errors: An error exists when a control for a given financial activity does not exist, does not adequately address the relevant risk and control, or is not operating effectively. Control errors may relate to the operation of a control or the design of a control. A control error also exists when a properly designed control does not operate as intended, or when the person performing the control does not possess the necessary authority or qualification to perform the control effectively. When a control error is encountered, it should be evaluated to consider the extent of the error, the effect the error will have on the control, and determine whether compensating controls exist that mitigate the risk. A compensating control is a technique, or other effort(s), designed to mitigate a control design deficiency, an ineffective operation, or a simple lack of control over a financial process. If compensating controls are mitigating the risk posed by internal control errors, then the Test Team must document and explain how the mitigating control is working.

  3. Errors must be completely documented to support the evaluation of internal controls. The factors below are considered in determining the importance of the error:

    1. The complexity of the transactions (Will one error at the early stages of a process create errors later in the process?).

    2. The volume of transactions (Is the volume of transactions so large that one or two errors will not have an impact?).

    3. The potential risk of fraud (Is this error an indication of fraud, which should be pursued?).

    4. The extent to which the controls have been subjected to on-going monitoring activities throughout the year (Are the controls monitored throughout the year, and errors possibly caught at a later time in the year?).

  4. The testers must ensure errors are not a condition that is so irregular and extraordinary that it does not indicate potential for a recurring problem. Therefore, testers must analyze the error to determine all significant factors that may cause the expectation to differ from the actual results.

    NOTE: If the Test Team Leader determines the errors warrant the immediate attention of the functional ACFO, the ACFO for CPIC and/or CPIC's Director of Internal Control should be contacted to raise the concerns to the functional ACFO.

  5. Evaluating the Impact of Errors: After completion of testing and evaluation of results, the Test Team members should have a strong understanding of the errors and decide the errors are not anomalies (an anomaly is an abnormal or peculiar event that does not follow a pattern). In most cases, when errors follow a pattern, they are of greater interest than simple anomalies.

  6. The next step in determining if errors constitute a failure in internal controls requires judgment and an understanding of the relative importance of the errors. Providing absolute error rate thresholds is one approach, but absolute error rates tend to ignore the complexity and diversity of the test environment(s). For example, in a small sample (less than 14) one error may constitute an internal control failure. On the other hand, for medium size samples (15-45), one error may not constitute a failed test, but two errors may constitute a failed test.

  7. The table below, used by GAO, shows various sample sizes and the maximum number of errors that may be detected to rely on the controls. Use of the table is encouraged but not mandatory. Use judgment to evaluate the existence and significance of errors.

    Error Rate Table
    Tolerable Rate of 10%
    Sample Size Acceptable Number of Deviations
    45 1
    78 4
    105 6
    132 8
    Source: GAO/PCIE Federal Audit Manual

  8. Documentation must support the Test Team Leader’s judgment on whether a control is functioning adequately or not. Exceptions noted in tests of properly designed internal controls may indicate ineffectiveness. Management must consider the extent of a weakness in such cases. Weaknesses can be classified as a simple deficiency, significant deficiency, or a material weakness.

  9. Recommend Development of Corrective Action Plan. IRS will track corrective measures for two types of errors/problems: Material problems and opportunities for improvement (see section 1.4.3.10). Corrective actions are required when a test reveals material (probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the inclusion or correction of the item) internal control problems that are serious enough to conclude the internal controls are not working. On the other hand, opportunities for improvement are situations in which the controls are working but they could be strengthened through remedial measures.

  10. Corrective action plans addressing material problems will be tracked in the Joint Audit Management Enterprise System (JAMES) by both IRS and Treasury. Opportunities for improvement plans will be tracked by CPIC-IC and the office responsible for the internal control.

1.4.3.3  (08-14-2009)
Work Papers

  1. Work papers document the A-123 review. They record the information obtained and the analyses made during the A-123 process. Work papers are prepared from the time the A-123 Functional Team and A-123 Test Team first launch their assignment until they review corrective action plans and related follow-up. They document the following steps in the process:

    1. Plans for the review, including the test plans.

    2. Examination and the evaluation of the adequacy and effectiveness of the systems of internal control.

    3. Test procedures followed, the information obtained, and the conclusions reached.

    4. Compensating controls.

    5. Management reviews.

    6. Audit reports.

    7. Corrective action plans and related follow-ups.

  2. Work papers must be sufficient to:

    1. Enable an experienced tester having no previous connection with the test to understand the nature, timing, extent, and results of testing procedures performed, evidence obtained, and conclusions reached.

    2. Indicate the Test Team member(s) who performed the work and the date such work was completed as well as the person who reviewed the work and the date of such review.

    3. Enable oversight groups to assess adequacy of the test and conclusions.

  3. Documentation Guidance for Test Team Leader: The Test Team Leader will have the responsibility for determining which documents to include in the work papers. If the Test Team Leader determines "exception only documentation" will provide sufficient support for the test results, the work papers must include the following:

    1. A lead sheet identifying all items, attributes, and findings (x = exception, check mark = no exception, see Figure 1.4.3-2, Sample Lead Sheet.

    2. For one sample, the work papers must include one complete example that clearly identifies and documents all attributes tested.

    3. For samples that contain exceptions, a complete set of supporting documents must be provided.

    4. Any documents that may not be retrievable in their exact form at a later date. For example, if a screen print is necessary to support a number/dollar amount that may change in the future, that screen print should be retained to verify that figure as of the test date.

    In addition, testers should initial and date the work papers they prepared and Test Team Leaders should initial and date the work papers they reviewed. Test Team Leaders should review 100 percent of the testers' work.

  4. Documentation: Among other things, work papers may include:

    1. Planning documents and review plans.

    2. Control questionnaires, flowcharts, checklists, and the results of control evaluations.

    3. Documentation of interviews.

    4. Organization charts, policy and procedures statements, and job descriptions.

    5. Copies of important contracts and agreements.

    6. Letters of confirmation and representation.

    7. Photographs, diagrams, and other graphic displays.

    8. Tests and analyses of transactions.

    9. Results of analytical review procedures.

    10. Audit reports and management replies.

    11. Relevant correspondence.

    12. Corrective action plans, if appropriate and available.

  5. Preparing Work Papers: The documentation within the work papers must be appropriately organized to provide a clear link to the significant findings or issues. Work papers must be sufficient to show that:

    1. Guidance in understanding of internal control has been obtained to plan the test and determine the nature, timing, and extent of tests to be performed.

    2. Work has been adequately planned and supervised.

    3. Standards of test work have been observed.

    4. Sufficient competent documentation has been obtained through the test procedures applied to afford a reasonable conclusion.

  6. Notation: Notate in red pen the specific attribute in the work papers the tester verified, such as a signature indicating managerial approval. For example, the tester should put an A1 (attribute A, sample item #1) in red ink next to the evidence the tester confirmed for A1 (for example, a signature indicating managerial approval).

  7. Indexing: Work papers should be properly indexed to ensure test plan results are properly referenced and can be easily traced to supporting documentation. When indexing the work papers, use the format shown below. Reference each individual step separately.

    Figure 1.4.3-1
    This image is too large to be displayed in the current screen. Please click the link to view the image.

  8. Each work paper will generally contain the reference number of the work papers. Work papers should be referenced as they are prepared and should be kept in logical groupings. Every page in the work papers should be numbered and referenced.

  9. In addition, all documentation should identify the transaction, the major step, the test that was performed (such as test plans), and the work papers that show the test being performed.

    Test Documentation Tracking
    Transaction Major Step Test Performed Work Papers

  10. A descriptive heading: The heading should identify the organization or function, indicate the nature of the data contained in the paper, and show the date or period of review.

  11. The date of preparation and reviewer’s initials: The date should indicate when the worksheet was completed. The reviewer’s initials should appear on each work paper. The work papers should list the names and initials of the preparer and all the reviewers.

  12. Sources of data: Clearly identify sources of information appearing on a worksheet. An independent reviewer should be able to retrace the reviewer’s steps, from basic schedules to summaries and comments. Work papers should describe the specific data reviewed, and document the person that provided data and the date it was received. Worksheets should be cross-referenced to other related work papers and to the test plans. Effective cross-referencing often reduces the need to duplicate data. Critical areas such as, column totals, cross-referenced totals, and computations should be independently verified by someone not assigned to work on the review project.

  13. Each source of data (report/document) should include a Data Source Cover Page that describes the data used to test the internal control. The example below is an acceptable format:

    Data Source Cover Page
    IT-XY Section H
    Item: Title of Report
    Test Objectives: Test Objective #
    Purpose: Briefly describe the purpose of the reports/documentation (What do these reports/documents show? What are they used for?).
    Source: Who provided the reports/documentation?
    Scope: What time period do the reports/documents cover?
    Appropriate: Explain how these reports/documents provide evidence that relates to the test objectives?

  14. Work paper summaries: The process of summarizing provides an objective overview and puts findings in perspective. Summaries should focus on key information and data, and they should not include trivial information or editorial comments not supported by testing. Periodically summarizing findings helps ensure firm control over the test.

  15. Summaries are also beneficial in tying together groups of work papers that relate to a particular point. Summaries can provide an orderly and logical flow for the various related papers and can facilitate review of a particular work segment. The following is an example of a summary sheet (testers should modify to include relevant information) that should be used to summarize samples:

    Figure 1.4.3-2
    This image is too large to be displayed in the current screen. Please click the link to view the image.

  16. Record Key Meetings and Interviews: All key meetings and interviews used as support for key decisions (testing decisions/conclusions) or test evidence must be recorded and included in the work papers. Key decisions and conclusions are often a result of meetings and interviews. Without a record, important information will be lost. Use the format below.

    Record of Discussion
    Date: Time:
    Type of Contact: In Person: By Telephone:
         
    Location of Discussion
    Philadelphia Service Center
    Roosevelt Blvd.    
    Bensalem, PA 19003  
         
    Person(s) Contacted:
    Mr. X, Position/Title, Office, Telephone Number
    Mrs Y, Position/Title, Office, Telephone Number
         
    Initiator(s):  
    Mr. Z, Position, Office, Telephone Number
         
    Purpose:    
    (Provide a brief description of meeting objective.)
         
    Discussion:    
    (Provide notes from meeting.)
         

  17. Keep the Writing Simple: Work papers should be easily understandable to an uninitiated reviewer. Jargon should be avoided or be explained in a separate part of the work papers (glossary of terms) along with all technical terms and acronyms used in the work papers.

  18. Keep Papers Understandable: Work papers should be clear and understandable and must stand on their own. They should need no supplementary information. Anyone reading the papers should be able to determine what the reviewer set out to do, what they did, what they found, and what they concluded. Conciseness is important, of course; however, clarity should not be sacrificed to save time and paper.

  19. Keep Most Current Version: Use version date on document to ensure most recent version of document is being used.

  20. Keep Papers Free of Taxpayer/Personal Data: The work paper documentation should not contain taxpayer, employee, vendor data, etc. All information must be protected according to the guidelines in IRM 1.26.13 and Operation R.E.D. (Read, Encryption, Decide). All Service personnel must take care to ensure they recognize information which requires protection, regardless of the media on which that information is contained.

  21. Keep Papers Neat: All names and titles should be printed clearly and legibly. Only one side of a worksheet should be used; material on the reverse side can be easily overlooked.

  22. Keep Papers Uniform: All work papers should be prepared on paper of uniform size and appearance. Three-ringed binders are helpful for organizing and storing work papers because they allow papers to be sorted, re-sorted, added to, or removed without difficulty. Dividers can be inserted to separate segments of the work paper documents.

  23. Keep Papers Relevant: Work papers should be restricted to matters that are relevant and material; they should be directly related to the review’s objectives. Well-organized test plans and effective supervisory instructions can help ensure the inclusion of relevant documents only. Editorial comments and observations not supported by testing should not be included in work papers. It is important that all conclusions are put in context and related to specific evidence.

  24. Reviewing Work Papers: After the Test Team Leader has reviewed the work papers, all work papers are reviewed by a CPIC-IC team member that was not involved in the review. The purpose of the review is to ensure the work papers and test work comply with requirements.

1.4.3.4  (08-14-2009)
A-123 Work Product Approval Process

  1. A-123 TEST PLAN APPROVAL PROCESS: The flowchart below shows the process through which the test plans will progress. The bottom of the chart shows the Functional Teams (i.e. SMEs) will be working with the A-123 Test Teams to develop the internal control test plans. The test plans will then be reviewed by management and sent to the Test Team Leader for review and approval. Next, the test plans will be sent to the A-123 Review Board for review and approval. Finally, the tests plans will be sent to the Department of the Treasury.

    Figure 1.4.3-3
    This image is too large to be displayed in the current screen. Please click the link to view the image.

  2. A-123 TEST WORK PAPER APPROVAL PROCESS:The flowchart below shows the process through which the completed work papers will progress. The Test Team Leader will be the first level of review. Next, the work papers will be reviewed by CPIC-IC. Finally, the work paper packages will be sent to the appropriate ACFO for approval.

    Figure 1.4.3-4
    This image is too large to be displayed in the current screen. Please click the link to view the image.

1.4.3.5  (08-14-2009)
Template for Evaluating a Structured Management Review

  1. See the following Template for Evaluating a Structured Management Review.

    Template for Evaluating a Structured Management Review
    Date of Review:
    Transaction Number:
    Major Steps:
    Controls Sets:
    When observing the Structured Management Review (SMR), Test Teams should look for the following key aspects of review:
    1) Does the SMR contain all the controls that are described for the transaction in the Treasury Catalogue? (YES or NO) Explain:
    2) Is the SMR actually being used as designed? (YES or NO) Explain:
    3) Is the SMR meeting the internal control objectives? (YES or NO) Explain:
    4) Do the personnel executing the SMR have adequate skills and receive sufficient training to complete review? (YES or NO) Explain:
    5) Are adequate procedures in place for the SMR? (YES or NO) Explain:
    6) Is the guidance for the SMR adhered to? (YES or NO) Explain:
    7) Were issues/errors/concerns adequately and consistently addressed and documented? (YES or NO) Explain:
    8) Is the guidance for the SMR consistently followed for error determination and documentation requirements? (YES or NO) Explain:
    9) Do the business unit analysts and managers have adequate time, resources, etc. to competently execute the SMR? (YES or NO)
    10) Are the sample sizes and sample methodologies appropriate for the internal control? (YES or NO)
    11) Is a documented SMR in place and is it being monitored by an appropriate level of management? (YES or NO) Explain:
    12) Was the SMR performed an appropriate number of times per year to fulfill the internal control function? (YES or NO) Explain:
    13) Are the SMRs performed at an appropriate time in the process to allow for error correction and prevention of similar errors/failures? (YES or NO) Explain:
    14) Is management using the results of the SMRs to correct the item, process, or procedures? Is management using the SMRs results in managers’/employees’ performance appraisals or to improve training? (YES or NO)

1.4.3.6  (08-14-2009)
Internal Control Test Plan Outline

  1. INTRODUCTION

    1. Test objective (Purpose of the test)

    2. Expected results (What is the expected outcome)

    3. Controls Tested (Identify IRS controls tested in this test plan, and state whether they include all controls in the Treasury Catalogue.)

    4. Contact name (Name of person to contact for explanation of issues/problems)

  2. SCOPE OF THE TEST

    1. Delineate the scope of the test based on the nature, frequency, and timing of the control (Are all transactions included or only a specific subset and at what frequency will they be tested?)

    2. Resource capabilities required to perform testing (What degree of knowledge is needed by those performing the test?)

    3. Resources to be used to perform control test (Is there separation between individuals who test and individuals who perform the control?)

    4. Determination of the type of relevant reporting assertion provided by the control (What type of assertion do the controls provide?) Rights or Obligations; Completeness or Accuracy; Presentation or Disclosure; Existence or Occurrence; and Valuation or Allocation

    5. Type of test (Inspection, Observation, or Re-Performance )

    6. Sample size and basis (What method was used to select the sample and what is the sample size?)

    7. GAO and TIGTA Findings (Are there outstanding GAO or TIGTA findings related to the Transaction?) and relevance of Finding to Control Test (How will the findings of those studies/audits being addressed in the evaluation approach, i.e., what effect they had on the scope and nature of its work.)

  3. CONTROL TEST

    1. Steps for testing transaction controls (What are the steps to perform the test against the sample?)

    2. Documentation requirements (Describe how the conduct and results of the test will be documented.)

    3. Sample Size (If the testing team decides to expand the sample, describe the rationale and method used to choose addition sample items.)

  4. RESULTS OF TESTING

    1. Evaluate results to determine Control Effectiveness (Who reviews the results of the test and how will effectiveness be determined? )

  5. SUMMARIZE THE RESULTS

    1. Evaluate Control Effectiveness (Effective or Ineffective )

    2. Corrective actions required (If a control weakness exists, summarize the corrective actions that will be taken)

1.4.3.7  (08-14-2009)
Template To Develop Sample

  1. Description of Population for Sample Selection

    Figure 1.4.3-5
    This image is too large to be displayed in the current screen. Please click the link to view the image.

1.4.3.8  (08-14-2009)
A-123 Test Summarization Form

  1. Title: A-123 Test Summarization Form

    Figure 1.4.3-6
    This image is too large to be displayed in the current screen. Please click the link to view the image.

    Figure 1.4.3-7
    This image is too large to be displayed in the current screen. Please click the link to view the image.

1.4.3.9  (08-14-2009)
A-123 Work Paper Transmittal Form

  1. Title: A-123 Work Paper Transmittal Form

    Figure 1.4.3-8
    This image is too large to be displayed in the current screen. Please click the link to view the image.

1.4.3.10  (08-14-2009)
Corrective Action Plan Template

  1. Corrective actions are needed when 1) a test reveals material internal control problems that are serious enough to conclude the internal controls are not working in that transaction, and 2) situations in which the controls are working but they could be strengthened through remedial measures. Corrective action plans addressing material problems will be tracked in JAMES by both IRS and Treasury unless all corrective actions are completed by August 31. Plans addressing non-material issues will be tracked by CPIC-IC and the office responsible for the internal control. The Test Team Leader will lead corrective action plan development. The corrective action plans must be submitted to CPIC by June 30th.

    Figure 1.4.3-9
    This image is too large to be displayed in the current screen. Please click the link to view the image.

  2. Note: The final objective for each issue should be to validate that the corrective action plan resolved the problem.


More Internal Revenue Manual