1.4.3  IRS Guidance on OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting

Manual Transmittal

June 28, 2013

Purpose

(1) This transmits revised IRM 1.4.3, IRS Guidance for Implementing OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting.

Material Changes

(1) Added IRM 1.4.3.18 to provide guidance on continuous monitoring.

(2) Revised IRM 1.4.3.4 to add links, new National Institute of Standards and Technology (NIST) publications, and IRM 10.8.1, Information Technology Security, Policy and Guidance as resources.

(3) Revised IRM 1.4.3.5 with definitions related to continuous monitoring.

(4) Revised IRM 1.4.3.6 with acronyms related to continuous monitoring.

Effect on Other Documents

IRM 1.4.3, dated May 25, 2012, is superseded.

Audience

The primary audience is the Chief Financial Officer, Associate Chief Financial Officer for Financial Management Unit, Associate Chief Financial Officer for Corporate Planning and Internal Controls Unit, the Associate Chief Financial Officer for Corporate Budget Unit, the Research Analysis and Statistics Office of Program Evaluation and Risk Analysis and Statistics of Income Division, Agency-Wide Shared Services, and all Operating and Functional Divisions.

Effective Date

(06-28-2013)

Pamela J. LaRue
Chief Financial Officer

1.4.3.1  (05-25-2012)
Overview

  1. This IRM provides IRS guidance on processes and procedures for implementing OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting, in order to support the Operating and Functional Divisions.

  2. The Chief Financial Officer (CFO), Corporate Planning & Internal Control Unit, Office of Internal Controls (CPIC-IC), develops and maintains this IRM.

1.4.3.2  (05-25-2012)
Background

  1. The passage of the Sarbanes-Oxley Act of 2002 (SOX) served as an impetus for the Federal Government to reevaluate its current policies relating to internal control over financial reporting and management’s related responsibilities. SOX requires management of publicly-traded companies to strengthen their processes for assessing and reporting on internal control over financial reporting. While SOX created a new requirement of publicly-traded companies, federal managers have been subject to similar internal control reporting requirements for many years.

  2. A joint committee of representatives from the Chief Financial Officers Council and the President’s Council on Integrity and Efficiency (PCIE) was formed and tasked with reviewing the SOX requirements for publicly-traded companies, determining how these requirements apply to federal agencies, and recommending changes to the existing guidance on internal control. The joint committee recommended significant changes to the Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting, which included a requirement for agencies to document and test internal controls to ensure they are in place and working as intended.

  3. Management cannot rely on the internal control testing of external oversight organizations [Government Accountability Office (GAO), Treasury Inspector General for Tax Administration (TIGTA)] to meet the A-123 requirement to test internal control. Also, each reporting entity in the Department of the Treasury is required to include an A-123 Statement of Assurance in its Federal Managers Financial Integrity Act (FMFIA) (31 USC 3512) and Federal Financial Management Improvement Act (FFMIA) (Pub. L. No. 104-208) Annual Assurance Statement. The Statement of Assurance can be:

    1. Unqualified statement of assurance (no material weaknesses reported)

    2. Qualified statement of assurance, considering the exceptions explicitly noted (one or more material weaknesses reported)

    3. Statement of no assurance (no processes in place or pervasive material weaknesses)

1.4.3.3  (05-25-2012)
Authority

  1. The IRS A-123 internal control program follows this guidance:

    1. Revised OMB Circular A-123, Management’s Responsibility for Internal Control, December 2004

    2. GAO/President's Council on Integrity and Efficiency (PCIE) Financial Audit Manual (FAM)

    3. Department of the Treasury Annual Guidance and the Treasury Catalogue of Risks and Controls

1.4.3.5  (06-28-2013)
Definitions

  1. Anomaly (Anomalies) – a deviation from the common rule. It is an irregularity that is difficult to explain using existing rules or theory.

  2. Compensating Control – a control that limits the severity of a control deficiency and prevents it from rising to the level of a significant deficiency, or in some cases, a material weakness. It operates at a level of precision, considering the possibility of further undetected misstatements that would result in the prevention or detection of a misstatement that is more than inconsequential or material to the financial statements. Although a compensating control mitigates the effects of a control deficiency, it does not eliminate the control deficiency.

  3. Continuous Monitoring – the process and technology used to detect compliance and risk issues associated with an agency’s financial and operational activities.

  4. Control Deficiency – exists when design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

  5. Corrective Action – an action taken by the audited entity that corrects identified deficiencies, produces recommended improvements, or demonstrates that audit findings are either invalid or do not warrant audited action.

  6. Financial Reporting – consists of an Agency's annual financial statements and other significant internal and external financial reports that could have a material effect on significant spending, budgetary, or other financial decisions of the agency or that are used to determine compliance with laws and regulations.

  7. Financial Statements – provide information about an entity's financial position, performance, and/or changes in financial position that is useful to a wide range of users in making economic decisions. Financial statements should be understandable, relevant, reliable, and comparable. Reported assets, liabilities, equity, income, and expenses are directly related to an organization's financial position.

  8. Internal Controls – an integral part of any organization's financial and business policies and procedures. Internal controls consist of all the measures taken by the organization for the purpose of (1) protecting its resources against waste, fraud, and inefficiency; (2) ensuring accuracy and reliability in accounting and operating data; (3) securing compliance with the policies of the organization; and (4) evaluating the level of performance in all organizational units of the organization.

  9. Material Weakness – a reportable condition, or combination of reportable conditions, that results in more than a remote likelihood that a material misstatement of the financial statements, or other significant financial reports, will not be prevented or detected.

  10. Methodology – a documented process for applying standards when assessing, documenting, and reporting on internal controls over financial reporting.

  11. Mitigation Control – a type of control used to discover and prevent mistakes that may lead to uncorrected and/or unrecorded misstatements that would generally be related to control deficiencies.

  12. National Institute of Standards and Technology (NIST) – responsible for developing information security standards and guidelines, including minimum requirements for federal information systems based on its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law 107-347.

  13. Opportunity for Improvement (OFI) – situations in which controls are working but could be strengthened through remedial measures.

  14. Planning Phase – the phase in which the auditor researches policies and procedures and conducts walkthroughs in order to adequately gain an understanding of the process being tested. During the planning phase, the auditor will also document the key controls and develop a test plan to execute during the testing phase.

  15. Reporting Phase – the phase in which the auditor must form conclusions on the information in the financial statements, the entity's internal control, the financial management systems’ substantial compliance with the three FFMIA requirements, the entity’s compliance with laws and regulations, and other information (management’s discussion and analysis (or the overview of the reporting entity), required supplementary information (unaudited is considered required supplementary information), and other accompanying information).

  16. Risk Assessment – a process to obtain an understanding of the entity and its environment, including its internal control. It is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.

  17. Sampling Plan – an outline detailing the criteria for sample selection (population size, frequency of control, risk, etc.) from which items within the population/universe will be selected to reach a conclusion representative of the whole population.

  18. Significant Deficiency – a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

  19. Statement of Assurance – a certification included in the annual Agency Financial Report (AFR) that represents the Administrator's (Commissioner) informed judgment as to overall adequacy and effectiveness of internal control. The Commissioner will provide either an unqualified (an effective and efficient system of internal controls exists), a qualified (an overall sound system of internal control exists but one or more material weaknesses have been identified) statement of assurance, or a statement of no assurance on the system of internal control.

  20. Structured Management Review (SMR) – processes undergoing documented continuous monitoring activities such as quality assurance review, or other independent internal reviews during the normal course of operations. These are quality assurance review processes put in place to cover many IRS internal control activities.

  21. TeamMate – a Windows-based Audit Management System, used by the A-123 team to prepare work papers for the review conducted. TeamMate provides a streamlined process for managing the audit process by increasing efficiency and productivity of the entire internal process, including scheduling, planning, execution, review, and report generation.

  22. Test Activities – actions performed over policies and procedures that help ensure that management directives are carried out and that management’s assertions in its financial reporting are valid (that is, gain understanding of a process through interview, walkthrough, observation or re-performance).

  23. Test Objectives – purposes or intended goals stating what the tester wants to accomplish when implementing the specified test activities.

  24. Test Plan – a document which describes the scope of the testing and identifies the methodology used to conduct tests.

  25. Testing – after completing the preliminary review, the auditor performs the procedures in the audit program. These procedures usually test the major internal controls and the accuracy and propriety of the transactions. Various techniques including sampling are used during testing.

  26. Testing Phase – the phase in which the auditor gathers evidence to report on the financial statements, internal control, whether the entity's systems are in substantial compliance with the three requirements of FFMIA, and the entity’s compliance with significant provisions of laws and regulations.

  27. Work Papers – the support of the audit opinion. They connect the entity’s accounting records and financial reporting to the auditor’s opinion. They are comprehensive and serve many functions.

1.4.3.6  (06-28-2013)
Acronyms

  1. This IRM contains the following acronyms and meanings:

    Acronym    Meaning
    ACFO       Associate Chief Financial Officer
    AWSS       Agency-Wide Shared Services
    BFC        Beckley Finance Center
    CAP        Corrective Action Plan
    CB         Corporate Budget
    CPIC-IC    Corporate Planning and Internal Control, Office of Internal Control
    FM         Financial Management
    FMC ESC    Financial and Management Controls Executive Steering Committee
    FMFIA      Federal Managers Financial Integrity Act
    FFMIA      Federal Financial Management Improvement Act
    GAO        Government Accountability Office
    JAMES      Joint Audit Management Enterprise System
    NIST       National Institute of Standards and Technology
    OFI        Opportunity for Improvement
    OMB        Office of Management and Budget
    OPERA      Office of Program Evaluation and Risk Analysis
    PCIE       President's Council on Integrity and Efficiency
    SOX        Sarbanes-Oxley Act of 2002
    SMEs       Subject Matter Experts
    SMR        Structured Management Review
    SOI        Statistics of Income Division
    SP         Special Publication
    TIGTA      Treasury Inspector General for Tax Administration
    TCFO       Treasury Office of the Chief Financial Officer
    TIER       Treasury Information Executive Repository

1.4.3.7  (05-25-2012)
Responsibilities

  1. A successful A-123 program requires a high level of team work and coordination among CFO organizations and other IRS business units. The following sections describe each organization's roles and responsibilities.

    1. Chief Financial Officer (CFO)

    2. Corporate Planning and Internal Control (CPIC)

    3. Associate Chief Financial Officer for Financial Management (FM)

    4. Associate Chief Financial Officer for Corporate Budget (CB)

    5. Agency-Wide Shared Services (AWSS)

    6. Operating/Functional Divisions

    7. Statistics of Income (SOI) Division

    8. Office of Program Evaluation and Risk Analysis (OPERA)

    9. A-123 Test Teams

    10. Test Team Leader

1.4.3.7.1  (05-25-2012)
Chief Financial Officer (CFO)

  1. The CFO is responsible for executing A-123 responsibilities in support of Treasury’s assurance statement and ensuring that controls over IRS financial reporting are properly identified, tested, and evaluated.

1.4.3.7.2  (05-25-2012)
Corporate Planning and Internal Control (CPIC)

  1. The Associate Chief Financial Officer for Corporate Planning and Internal Control (ACFO for CPIC), Office of Internal Control (CPIC-IC) is responsible for:

    1. Ensuring A-123 assessment objectives are clearly communicated throughout the agency

    2. Developing the assessment methodology and guidance

    3. Coordinating activities and timelines with Treasury and GAO

    4. Enhancing review to meet structured management review (SMR) requirements (where applicable)

    5. Providing oversight and assistance to ensure the assessment is carried out in a thorough, effective, and timely manner

    6. Administering the governance process, to include: chairing the A-123 Review Board and providing scheduling and administrative support; presenting status and results of A-123 activities to the FMC ESC and the A-123 Review Board; and documenting key decisions

    7. Communicating with agency management and employees regarding the assessment

    8. Identifying Subject Matter Experts (SMEs) to develop complete and timely test plans

    9. Communicating and coordinating with external oversight groups

    10. Serving as a central repository for all official A-123 records

1.4.3.7.3  (05-25-2012)
Associate Chief Financial Officers, Financial Management (FM) and Corporate Budget (CB)

  1. The Associate Chief Financial Officer for Financial Management (ACFO for FM) and the Associate Chief Financial Officer for Corporate Budget (ACFO for CB) are responsible for:

    1. Designating an A-123 Review Board representative and back-up

    2. Providing SMEs to ensure that test steps can be performed by reviewing the test plans

    3. Gathering requested internal control documentation

    4. Evaluating existing management review procedures

    5. Enhancing review to meet SMR requirements (as applicable)

    6. Supporting transaction testing responsibilities by: identifying and obtaining data (or any other documents needed for tests) from cross-servicing organizations (for example, Department of Labor, National Finance Center), as needed; partnering with CPIC-IC to execute test plans; and reviewing test plan results, as required

    7. Developing and monitoring corrective action plans (CAPs) and opportunities for improvement (OFIs) for identified weaknesses or areas of potential improvement

1.4.3.7.4  (05-25-2012)
Agency-Wide Shared Services (AWSS)

  1. AWSS is responsible for:

    1. Providing SMEs

    2. Communicating changes to processes

    3. Reviewing control design analysis and identifying key and compensating controls

    4. Providing responses to OFIs and/or CAPs

1.4.3.7.5  (05-25-2012)
Operating/Functional Divisions

  1. The Operating/Functional Divisions are responsible for:

    1. Providing SMEs

    2. Providing responses to OFIs and/or CAPs

    3. Communicating changes to processes

1.4.3.7.6  (05-25-2012)
Statistics of Income (SOI) Division

  1. SOI is responsible for:

    1. Determining an appropriate sampling method and size for each control based on frequency

    2. Using statistical sampling methods to generate random samples

1.4.3.7.7  (05-25-2012)
Office of Program Evaluation and Risk Analysis (OPERA)

  1. OPERA is responsible for:

    1. Participating on the A-123 Review Board

    2. Performing internal control testing

    3. Communicating any deviation from the test plan to the test team leader

    4. Providing feedback from tests performed

1.4.3.7.8  (05-25-2012)
A-123 Test Teams

  1. Test teams are responsible for the following actions:

    1. Executing test plans

    2. Analyzing test results to determine if internal controls are working

    3. Proposing OFIs and/or corrective actions to the appropriate functional ACFO if weaknesses are identified

    4. Communicating any deviation from the test plan to the test team leader

1.4.3.7.9  (05-25-2012)
Test Team Leader

  1. The test team leader is responsible for:

    1. Seeking understanding of work process as it relates to testing specific transactions

    2. Performing test work in accordance with relevant standards, OMB Circular A-123, and A-123 policies

    3. Coordinating development of the internal control test plan

    4. Revising, if appropriate, the nature, timing, and extent of work performed

    5. Ensuring appropriate consultations have taken place, conclusions have been documented, and appropriate follow-up actions are planned

    6. Elevating significant matters to the functional ACFO for further consideration

    7. Documenting any deviation from the test plan reported by test teams

1.4.3.8  (05-25-2012)
The Department of the Treasury’s Five-Part Approach

  1. The Treasury Office of the Chief Financial Officer (TCFO) chartered a work group to address the requirements of OMB Circular A-123, Appendix A, Internal Control Over Financial Reporting. The TCFO Council (TCFOC) Work Group developed the Treasury Catalogue of Risks and Controls, which served as the transactional universe for testing internal controls over financial reporting. Transactions, along with the associated risks and key controls, developed prior to FY 2010 are stored in the original Treasury Catalogue of Risks and Controls, an Access database. In addition to the Treasury Catalogue, which is used as a reference, IRS-specific risks and controls are included in the control design analysis. Treasury requires bureaus to use the following five-part approach:

    1. Part One: Core Financial Process: Test controls over specific financial transactions that are material to Treasury consolidated financial statements. Each year, Treasury provides a list of transactions that the IRS is required to test.

    2. Part Two: Financial Reporting: Identify key financial reports and review the format, content, accuracy, method of assembly, and usefulness to decision makers. In addition, Treasury requires IRS to review Treasury Information Executive Repository (TIER) reporting and eliminations procedures for intergovernmental payments.

    3. Part Three: Self Assessment: The Government Accountability Office (GAO) Abbreviated Internal Control Questionnaire will be applied to financial reporting organizations as the method for assessing overall adherence to the five standards of internal control: (1) Control Environment, (2) Risk Assessment, (3) Control Activities, (4) Information and Communications, and (5) Monitoring.

    4. Part Four: Regulatory Compliance and Internal Review: Evaluate the implementation of governing regulations and incorporate the results of internal control or management oversight reviews in the overall assessment of internal controls over financial reporting.

    5. Part Five: Audits: Review TIGTA and GAO audits related to financial reporting to determine potential agency risk and the impact to various processes.

1.4.3.9  (05-25-2012)
Governance

  1. The IRS has adopted a two-tiered governance process to ensure A-123 requirements are consistently executed, documentation is adequate, results are credible, and CAPs adequately address problems. The two-tiered governance process consists of the Financial and Management Controls Executive Steering Committee (FMC ESC) and the A-123 Review Board.

  2. The FMC ESC is chaired by the IRS CFO and provides executive level oversight to the A-123 process by reviewing A-123 results and approving the interim and final assurance statements.

  3. The A-123 Review Board is an advisory working group composed of senior managers. Members represent CPIC-IC, FM, CB, and OPERA. The A-123 Review Board has two key responsibilities:

    1. Review test plans to ensure test objectives are accurately defined and contain all required internal control procedures

    2. Review sampling plan to ensure the methodology, type of sample, and sample sizes are appropriate

  4. IRM 1.4.3.13 shows the governance process.

1.4.3.10  (05-25-2012)
General Guidance for A-123

  1. The A-123 team follows general guidance as outlined in the OMB Circular A-123 as well as the guidance established and provided by the Department of the Treasury. On an annual basis, the A-123 team conducts a training session to kick off the year with A-123 team leads, OPERA, BFC, and SMEs. During the training session, the A-123 team presents topics related to the overview of internal controls, the sampling approach, roles and responsibilities, communication protocol, and how to complete specific templates for each transaction. General guidance for the A-123 process follows.

1.4.3.10.1  (05-25-2012)
A-123 Schedule

  1. CPIC-IC, in coordination with the ACFOs for FM and CB, will develop a detailed A-123 execution schedule to ensure tests are appropriately scheduled and sufficient resources are available. CPIC-IC will monitor the schedule and inform the ACFO of any execution delays.

1.4.3.10.2  (05-25-2012)
Test Planning

  1. In the planning phase, test objectives and the scope and methodology to achieve those objectives should be defined. Objectives, scope, and methodologies are not determined in isolation. These three elements are planned together, as the considerations in determining each often overlap.

    1. The objectives describe what the test intends to accomplish.

    2. Scope is the boundary of the test and should be directly related to the objectives. For example, the scope defines parameters of the test such as the period of time reviewed, the availability of necessary documentation or records, and the locations at which work will be performed.

    3. The methodology comprises the steps and techniques (such as inspecting sample data or observing controls) involved in gathering and analyzing data to achieve the objectives. Methodology includes both the types and extent of test procedures used to achieve the objectives. Test plans document and provide sufficient, competent, and relevant evidence to achieve the test objectives.

  2. Test planning activities should be documented and include:

    1. Documentation of the internal control process and environment as it relates to the specific transactions to be tested. (Control Design Analysis)

    2. Review and follow up on known significant findings and recommendations that directly relate to the objectives of the testing.

    3. Potential sources of data that could be used as evidence.

    4. Relevant management reviews and determining whether SMRs or quality assurance reviews may be used to satisfy some of the test objectives.

    5. Preparation of a test plan.

    6. Identification of appropriate and sufficient staff and other resources necessary to adequately perform the testing.

    7. Communication of general information concerning the planning and performance of the testing to officials responsible for the controls being tested and others, as applicable.

1.4.3.10.3  (05-25-2012)
Work Paper Documentation

  1. Through inspection, observation, inquiries, or confirmations, testers obtain sufficient, competent evidential matter to afford a reasonable basis for an opinion regarding the internal controls that were tested. Documentation related to planning, conducting, and reporting on A-123 activities should contain sufficient information to enable an individual who has had no previous connection with the testing to understand what was tested, how the test was conducted, and the test results, and to verify the reviewer’s judgments and conclusions.

  2. All aspects of testing activities require a high level of documentation (see IRM 1.4.3.12 for more information on work paper documentation). Documentation provides the principal support for the A-123 process, aids those conducting and supervising the testing, and allows for quality review and oversight reviews.

  3. Determining the quantity, type, and content of documentation requires sound judgment. Documentation should be detailed enough to provide a clear understanding of the internal control test’s purpose, data sources, and conclusions. Documentation should be logically organized to provide a clear link to the conclusions and recommendations. A-123 test documentation must contain the following items:

    1. Objectives, scope, and methodology for each A-123 test.

    2. Support for each test conducted and conclusions reached; rationale for key decisions and deviations from guidance; sampling decisions and methodology to include information on the definition of the sampling universe and rationale for any deviations from the approved sampling methodology; testing time period; nature of documents or processes examined; testing results, analysis, and conclusions, to include copies of documents examined and a clear and concise summary of results cross referenced to supporting documents; and resolution of anomalies or other issues.

    3. Evidence of supervisory review of the work performed that supports conclusions and recommendations about the controls tested.

1.4.3.10.4  (05-25-2012)
Testing

  1. Test teams execute the test plans and draw conclusions regarding the adequacy of internal control. Testing is performed by individuals who are:

    1. Adequately trained to execute the test plan.

    2. Aware of documentation requirements.

    3. Properly supervised.

    4. Not responsible for the controls or transactions in the test plan (independent).

    5. Not an employee who reports to the manager directly responsible for the internal control being tested.

  2. Test teams may be comprised of CPIC-IC staff, OPERA staff, FM staff, and SMEs.

1.4.3.11  (08-14-2009)
Transaction Test Plan Development and Test Execution

  1. A-123 requires internal controls be documented and tested independent of testing by outside groups such as GAO and TIGTA. This IRM describes the IRS processes for test plan development, test execution, and internal control documentation.

1.4.3.11.1  (08-14-2009)
Document Internal Controls

  1. Internal controls are documented policies and procedures used by management to ensure transactions are accurate, properly recorded, and executed in accordance with management’s directives. SMEs will work with CPIC-IC to ensure current documentation (described below) is available for each transaction.

  2. Financial reporting process documentation includes:

    1. A description of key processes including examples of the processing documents (flowcharts, cycle memos, desk guides).

    2. Process relationship to financial statement line items, significant accounts, group of accounts, and major classes of transactions.

    3. Inputs, activities, and outputs in place to accomplish the process's control objectives.

    4. Key financial reporting controls.

    5. Information systems used to support the process.

    6. Description and results of monitoring activities in place to ensure controls are functioning properly.

    7. Relationships to other financial reporting processes.

    8. Policies and procedures governing transactions such as laws, regulations, and IRMs.

    9. External financial reporting assessments (reports issued by GAO or TIGTA).

    10. Internal financial reporting assessments (FMFIA and FFMIA).

1.4.3.11.2  (08-14-2009)
Document Crosswalk

  1. Ensure there is an adequate crosswalk between the risks and controls in the Treasury Catalogue of Transactions and the risks and controls in the IRS-specific templates. (Note: not all transactions Treasury assigns to the IRS have IRS-specific risks and control templates.) The Treasury Catalogue of Risks and Controls is maintained by Treasury and may be used as a template by all bureaus and offices in developing their test plans. IRS controls may not be identical to the Treasury catalogue used as a reference. In that case, IRS-specific risks and controls are included in the control design analysis. See example of crosswalk in the table below.

    AC-XY
    Transaction Posting Setup

    Treasury Catalogue (used as a reference): Major Step 1. Bureau identifies a new type of transaction or reassesses current posting logic setup
    IRS-Specific Template: Step 1. Identify new transaction requirement or update to existing posting logic and forward change request to IFS Master Data team

    Treasury Catalogue (used as a reference): Control Set: Training plan ensures Bureau staff recognize new transactions
    IRS-Specific Template: Controls:
    • Treasury reporting requirements and guidance issued in its manual
    • TIER edit checks
    • FM review

1.4.3.11.3  (05-25-2012)
Evaluate Structured Management Review (SMR)

  1. Quality review and quality assurance processes that are already in place and cover many IRS activities may be considered SMRs. As part of the A-123 process, SMRs may serve as assurance of testing of internal controls, but the review must meet specific criteria. The documentation should contain sufficient information to enable an individual with no previous connection with the evaluation to understand what was reviewed and what was found, and to verify the reviewer’s judgments and conclusions.

  2. An SMR should have the following elements:

    1. Documented procedures that guide the SMR.

    2. Reviews performed at regular intervals.

    3. Documented and independent review of results.

    4. Documented process to resolve noted deficiencies.

  3. If the SMR does not meet the standards necessary for A-123, then testers should include recommendations in the work papers for changes to the SMR so results can be substituted for A-123 testing.

  4. The following Template for Evaluating a Structured Management Review is used to evaluate the adequacy of the SMR and for quality review and oversight reviews of the A-123 process.

    Template for Evaluating a Structured Management Review
    Date of Review:
    Transaction Number:
    Major Step(s):
    Control Set(s):
     
    When observing the SMR, test teams should look for the following key aspects of review:
     
    1) Does the SMR contain the controls that are described for the transaction in the Treasury Catalogue? (YES or NO)
    Explain:
    2) Is the SMR actually being used as designed? (YES or NO)
    Explain:
    3) Is the SMR meeting the internal control objectives? (YES or NO)
    Explain:
    4) Do the personnel executing the SMR have adequate skills and receive sufficient training to complete review? (YES or NO)
    Explain:
    5) Are adequate procedures in place for the SMR? (YES or NO)
    Explain:
    6) Is the guidance for the SMR adhered to? (YES or NO)
    Explain:
    7) Were issues/errors/concerns adequately and consistently addressed and documented? (YES or NO)
    Explain:
    8) Is the guidance for the SMR consistently followed for error determination and documentation requirements? (YES or NO)
    Explain:
    9) Do the personnel have adequate time, resources, etc. to competently execute the SMR? (YES or NO)
    10) Are the sample sizes and sample methodologies appropriate for the internal control? (YES or NO)
    11) Is a documented SMR in place and is it being monitored by an appropriate level of management? (YES or NO)
    Explain:
    12) Was the SMR performed an appropriate number of times per year to fulfill the internal control function? (YES or NO)
    Explain:
    13) Are the SMRs performed at an appropriate time in the process to allow for error correction and prevention of similar errors/failures? (YES or NO)
    Explain:
    14) Is management using the results of the SMRs to correct the item, process, or procedures? Is management using the SMRs' results in managers’/employees’ performance appraisals or to improve training? (YES or NO)
    Explain:

1.4.3.11.4  (05-25-2012)
Develop and Document Test Plan

  1. Testing controls involves ensuring the controls are in place, operating as intended, and meeting control objectives. Test plans are designed to test control effectiveness and consider test objective(s), control risk, control strengths, and control weaknesses. A transaction is a discrete financial activity that produces information in Treasury’s Consolidated Financial Statements. Each transaction has a series of major steps, risks, and controls that further describe the process; each key control must be tested. Use the outline in IRM 1.4.3.14 to develop the internal control test plan.

  2. Procedures when evaluating controls include:

    1. Description of the control test objective.

    2. Methods that will be used to test the effectiveness of the controls: (a) Inspection: looking at evidence of a given control (signatures of a reviewing official or reviewing past reconciliations); (b) Observation: observing actual controls in operation (observing a physical inventory or watching a reconciliation occur); (c) Reconciliation: checking whether two items are consistent; and/or (d) Re-performance: re-performing a given control.

    3. Size of samples to be tested.

    4. Sample methodology (simple random sample and non-statistical sample).

    5. Universe from which the sample will be drawn

    6. Parameters that constitute a failed test

    7. Specific tests and documents to be reviewed

1.4.3.11.5  (05-25-2012)
Document Sample Universe and Obtain Sample from Statistics of Income (SOI)

  1. SOI will determine the most appropriate sample method for each internal control (where applicable). Sampling methodologies must be:

    1. Reliable: Will a particular technique, applied repeatedly to the same object, yield similar results?

    2. Consistent: Is the test plan’s scope and depth appropriate and consistent with other test plans?

    3. Valid: Does the test plan measure what it is intended to measure?

  2. Use the template in IRM 1.4.3.15 to develop the sample.

  3. Acceptable Sampling Methods for A-123: Under A-123 there is no requirement to do statistically valid, random sampling. At IRS, the preference is to use one of the following two methods.

    1. Non-Statistical Sample: A subset of a defined population, randomly selected, but not valid to make statistical inferences within a defined level of confidence and precision.

    2. Simple Random Sample: A subset of a defined population also selected using a statistically valid methodology in which every member of the population has an equal, nonzero probability of being selected. This method can be used to make inferences about the population within a defined level of confidence and precision. In general, the larger the sample size, the higher the level of confidence and precision.

  4. Sampling Guidelines:

    1. In some cases, seasonal fluctuations (such as periods of limited availability) early in the fiscal year for obligations or tax return filing patterns may require selecting samples from several periods throughout the year to ensure a representative sample. The test team should fully explain such work patterns to SOI and have SOI recommend an appropriate sample methodology.

    2. If one of the sample items cannot be reviewed (for example, the transaction was reversed and is no longer there), the tester should not use that item. Instead, select the very next item from the population to review. For example, if testers are reviewing a sample of invoices and one invoice cannot be used, then select the very next invoice from the population. However, the reason the sampled item could not be reviewed must be fully documented in the work papers. If testers have any questions about how to proceed, they must confer with the test team leader.

  5. In defining the population, test team leaders should identify the entire set of items from which the sample should be drawn. This includes:

    1. Describing the population or sub-population, if large-dollar-only requirements are set, and tie the population to the trial balance.

    2. Ensuring the entire population is accounted for when the sample is drawn.

    3. Determining the source document or the transaction documents to be tested.

    4. Defining the period covered by the test.

    5. Stratifying the population (if appropriate) to ensure the sample is taken from the appropriate strata of the sample, such as only high-dollar value items.

  6. The sample items selected for testing purposes must be those from the current fiscal year, with one exception. When transactions occur only at the end of the fiscal year, selection from the previous fiscal year is permissible.

  7. If any changes in internal controls over financial reporting are made or if financial systems change, test transactions should be selected after such changes have been implemented.

  8. When multiple locations are involved, all or several locations may be considered one population for sampling if the controls at each location are performing essentially the same function and using the same internal controls that are based on the same IRMs, procedures, etc. Before combining locations into one population, management and test team leaders should consider such factors as:

    1. The extent of uniformity of the controls and their applications at each location

    2. Whether significant changes can be made to the controls or their application at the local level

    3. The amount and nature of centralized oversight or control over local operations

    4. Whether there could be a need for separate conclusions for each location. If it is concluded that the locations should be separate populations, then test team leaders should select separate samples at each location, and testers and management should evaluate the results of each sample separately.

  9. The number of locations where the control is performed will dictate the number of sites to be visited. When controls are being performed at several sites, SOI will assist test teams to ensure coverage and rotation schedules are appropriate to ensure adequate control testing.

1.4.3.11.6  (05-25-2012)
A-123 Review Board Reviews Test Plan

  1. After the test plan update is completed and reviewed by the CPIC-IC test team leader, the test plan is approved by the CPIC-IC Director and forwarded to the A-123 Review Board for its approval.

1.4.3.11.7  (10-01-2010)
Transaction Testing Sequence

  1. The following chart documents the A-123 Test Sequence.

    | First Stage | Second Stage | Third Stage
    Responsible Party | Test Team | Test Team Leader/CPIC | ACFO
    Responsibility | Complete work paper documentation and forward work papers to CPIC-IC/Test Team Leader. | CPIC-IC reviews test package. | ACFO has seven days to review the test packages and certify that the A-123 results are reflective of the procedures performed.

  2. When work papers are completed and signed off by the CPIC-IC/Test Team Leader or the CPIC-IC Director, the tests are considered completed.

1.4.3.11.8  (05-25-2012)
Evaluating Errors Discovered During Testing

  1. Evaluating Errors: Test teams must be conscious of the sequential nature of the internal control process. Often errors detected in one internal control will be found and corrected in another step in the process. Therefore, when testers find internal control problems, before reporting the problem as an error for A-123 purposes, they must ensure that a subsequent internal control is not mitigating the problem before it impacts the financial statement. One failure in one of several tests would not necessarily indicate an internal control weakness exists. The testers must consider the error in the context of the entire transaction. The ultimate goal of internal control over financial reporting is to ensure accurate information is reported in the financial statements.

  2. Identifying and Documenting Errors: An error exists when a control for a given financial activity does not exist, does not adequately address the relevant risk and control, or is not operating effectively. Control errors may relate to the operation of a control or the design of a control. A control error also exists when a properly designed control does not operate as intended, or when the person performing the control does not possess the necessary authority or qualification to perform the control effectively. When a control error is encountered, it should be evaluated to consider the extent of the error, the effect the error will have on the control, and determine whether compensating controls exist that mitigate the risk. A compensating control is a technique, or other effort(s), designed to mitigate a control design deficiency, an ineffective operation, or a simple lack of control over a financial process. If compensating controls are mitigating the risk posed by internal control errors, then the test team must document and explain how the mitigating control is working.

  3. Supporting Documentation for Errors: Mistakes must be completely documented to support the evaluation of internal controls. The factors below are considered in determining the importance of the error:

    1. The complexity of the transactions (Will one error at the early stages of a process create errors later in the process?).

    2. The volume of transactions (Is the volume of transactions so large that one or two errors will not have an impact?).

    3. The potential risk of fraud (Is this error an indication of fraud, which should be pursued?).

    4. The extent to which the controls have been subjected to on-going monitoring activities throughout the year (Are the controls monitored throughout the year, and errors possibly caught at a later time in the year?).

  4. Magnitude of Errors: The testers must ensure errors are not a condition that is so irregular and extraordinary that it does not indicate potential for a recurring problem. Therefore, testers must analyze the error to determine all significant factors that may cause the expectation to differ from the actual results.

    Note:

    If the test team leader determines the errors warrant the immediate attention of the functional ACFO, the ACFO for CPIC and/or the CPIC-IC Director should be contacted to raise the concerns.

  5. Evaluating the Impact: At the completion of testing, the test team members will evaluate the results. The test team members should have a strong understanding of the errors and decide if the errors are anomalies (an anomaly is an abnormal or peculiar event that does not follow a pattern). In most cases, when errors follow a pattern, they are of greater interest than simple anomalies.

  6. Determining What Constitutes the Errors: Deciding whether an error is due to a failure in internal controls requires judgment and an understanding of the relative importance of the errors. Providing absolute error rate thresholds is one approach, but absolute error rates tend to ignore the complexity and diversity of the test environment(s). For example, in a small sample (less than 14) one error may constitute an internal control failure. On the other hand, for medium size samples (15-45), one error may not constitute a failed test, but two errors may constitute a failed test.

  7. In defining the population, the team lead will identify the whole set of items needed to reach a conclusion and from which the sample will be drawn. This includes:

    1. Describing the population

    2. Determining the source document or the transaction documents to be tested

    3. Defining the period covered by the test

  8. The team lead will submit a request to SOI to select a sample representing the population for the transaction to be tested.

  9. The team lead will clearly identify the objectives of the specific transaction and define the error conditions. The team lead will define the criteria for the control deviations (errors) in terms of control activities not followed. For example, the team lead may define the deviation in the Refunds 6652 Reconciliation as:

    1. A difference which has not been identified and cleared after 90 days

    2. A reconciliation was not signed by the appropriate person by the designated date

  10. Using the Error Rate Table: In defining the error rate, team leads will use judgment in applying Tables I and II. Tables I and II show various sample sizes and the maximum number of errors that may be detected to rely on the controls. The use of each table is encouraged for population sizes over 2,000 items. However, according to the GAO/President's Council on Integrity and Efficiency (PCIE) Financial Audit Manual, if the population size is smaller, the auditor may ask the statistician to calculate a reduced sample size. Team leads will use judgment to evaluate the existence and significance of errors.

    Sample Sizes and Acceptable Number of Deviations (90% Confidence Level)

    Table I (Tolerable Rate of 5%)
    Sample Size | Acceptable Number of Deviations
    45 | 0
    78 | 1
    105 | 2
    132 | 3
    158 | 4
    209 | 6

    Note:

    Table I is used for determining sample sizes in all cases.

    Table II (Tolerable Rate of 10%)
    Sample Size | Acceptable Number of Deviations
    45 | 1
    78 | 4
    105 | 6
    132 | 8
    158 | 10
    209 | 14

    Note:

    Table II is used for evaluating sample results only if preliminary assessment of financial reporting control risk is low and deviations exceed Table I.

  11. Documentation: This must support the test team leader’s judgment on whether a control is functioning adequately or not. Exceptions noted in tests of properly designed internal controls may indicate ineffectiveness. Management must consider the extent of a weakness in such cases. Weaknesses can be classified as a control deficiency, significant deficiency, or a material weakness.

  12. Recommend Development of Corrective Actions: The IRS will track corrective actions for material problems and OFIs (See IRM 1.4.3.17).

    1. Corrective actions are required when a test reveals material internal control problems (probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the inclusion or correction of the item) that are serious enough to conclude the internal controls are not working.

    2. OFIs are situations in which the controls are working but they could be strengthened through remedial measures.

  13. Corrective Action Plans: Action plans addressing material problems will be tracked in the Joint Audit Management Enterprise System (JAMES) by both the IRS and Treasury. Opportunities for improvement plans will be tracked by CPIC-IC and the office responsible for the internal control.
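
The acceptance thresholds in Tables I and II under (10) above can be checked and applied in code. The Python below is an added example, not part of the IRM: it assumes the tables follow a binomial model at 10% risk (the IRM does not say how they were derived), and all function names are hypothetical.

```python
from math import comb

# Tables I and II exactly as printed in the IRM: sample size -> acceptable deviations.
TABLE_I = {45: 0, 78: 1, 105: 2, 132: 3, 158: 4, 209: 6}      # tolerable rate 5%
TABLE_II = {45: 1, 78: 4, 105: 6, 132: 8, 158: 10, 209: 14}   # tolerable rate 10%


def prob_at_most(n, k, rate):
    """P(X <= k) for X ~ Binomial(n, rate): the chance of seeing k or fewer
    deviations in a sample of n when the true deviation rate equals `rate`."""
    return sum(comb(n, i) * rate**i * (1 - rate) ** (n - i) for i in range(k + 1))


def max_acceptable_deviations(n, tolerable_rate, risk=0.10):
    """Largest k for which k deviations in n items still support, at
    (1 - risk) confidence, that the true rate is below `tolerable_rate`.
    Assumption (not stated in the IRM): binomial model, risk = 1 - 90%.
    Returns -1 when even zero deviations would not support reliance."""
    k = -1
    while k < n and prob_at_most(n, k + 1, tolerable_rate) <= risk:
        k += 1
    return k


def tables_match_binomial():
    """True if every printed table entry equals the binomial threshold."""
    ok_i = all(max_acceptable_deviations(n, 0.05) == k for n, k in TABLE_I.items())
    ok_ii = all(max_acceptable_deviations(n, 0.10) == k for n, k in TABLE_II.items())
    return ok_i and ok_ii


def evaluate_sample(sample_size, deviations, low_control_risk=False):
    """Apply the IRM's stated rule: Table I is used in all cases; Table II is
    consulted only when the preliminary assessment of financial reporting
    control risk is low and the deviations exceed Table I."""
    if sample_size not in TABLE_I:
        # The IRM leaves other sample sizes to the statistician.
        raise ValueError("sample size is not listed in Tables I and II")
    if not 0 <= deviations <= sample_size:
        raise ValueError("deviations must be between 0 and the sample size")
    if deviations <= TABLE_I[sample_size]:
        return "rely (Table I)"
    if low_control_risk and deviations <= TABLE_II[sample_size]:
        return "rely (Table II)"
    return "do not rely"


if __name__ == "__main__":
    print("printed tables match binomial thresholds:", tables_match_binomial())
    # Constructed test outcomes: (sample size, deviations found, low control risk?)
    for case in [(78, 1, False), (78, 3, False), (78, 3, True), (78, 5, True)]:
        print(case, "->", evaluate_sample(*case))
```

Under this model a sample of 44 with no deviations would not reach 90% confidence at a 5% tolerable rate, which is consistent with 45 being the smallest sample size in Table I.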

1.4.3.12  (05-25-2012)
Work Papers

  1. Work papers document the A-123 review and record information obtained and analyses made during the A-123 process. The A-123 team uses CCH TeamMate®, a Windows-based audit management system, for work paper documentation. CCH TeamMate® maintains all work papers recorded directly into the system, as well as work papers scanned and uploaded into the system. Work papers are prepared from the time the A-123 team first launches its transactions until it completes its review of the CAPs and/or OFIs. The test team documents the following in CCH TeamMate®:

    1. Plans for the review, including the test plans

    2. Examination and the evaluation of the adequacy and effectiveness of the systems of internal control

    3. Test procedures followed, the information obtained, and the conclusions reached

    4. Compensating controls

    5. Management reviews

    6. Audit reports

    7. CAPs and OFIs

  2. Work papers must be sufficient to:

    1. Enable an experienced tester having no previous connection with the test to understand the nature, timing, extent, and results of testing procedures performed, evidence obtained, and conclusions reached

    2. Indicate the test team member(s) who performed the work and the date such work was completed, as well as the person who reviewed the work and the date of such review

    3. Enable oversight groups to assess adequacy of the test and conclusions

  3. Documentation Guidance for the Test Team Leader: The test team leader will have the responsibility for determining which documents to include in the work papers. If the test team leader determines "exception only documentation" will provide sufficient support for the test results, the work papers must include the following:

    1. A lead sheet identifying all items, attributes, and findings (x = exception, check mark = no exception). See Sample Lead Sheet below.

    2. For one sample, the work papers must include one complete example that clearly identifies and documents all attributes tested.

    3. For samples that contain exceptions, a complete set of supporting documents must be provided.

    4. Any documents that may not be retrievable in their exact form at a later date. For example, if a screen print is necessary to support a number/dollar amount that may change in the future, that screen print should be retained to verify that figure as of the test date.

    In addition, testers and the test team leader should use TeamMate to initial and date the work papers prepared and reviewed.

    SAMPLE LEAD SHEET

    Transaction: MA-X
    Control Set: Control Set Y
    Purpose: To monitor controls over fixed assets
    Source: Joe Smith, Operating Accountant
    Scope: Active Fixed assets with addition in First Quarter
    Procedures: Report #3 List of Active Assets for October, November, and December 20XX was obtained from Joe Smith. The asset file was also obtained, which contained the project invoices from XYZ: Authorization for Fixed Assets and Related Services. See testing performed and results below.
    Item | GL Account | Property Number | Project Number | Cost Center | Description | Beg Balance | Addition | Ending Balance | Est. Life (years) | Attribute A | Attribute B | Attribute C | Attribute D | Attribute E
    1 | 16210 | 471 | 01–44000 | 1074 | Grenser Sheet | $3,537,649 | $3,466 | $3,541,115 | 18/10 | Y | Y | Y | Y | Y
    2 | 16160 | 15008 | 04–10740 | 1074 | Forensic System | $55,000 | $8,654 | $63,654 | 7 | Y | Y | Y | Y | Y
    3 | 16210 | 1438 | 99–06205 | 6205 | Upgrade Elevator | $1,179,369 | $3,987 | $1,183,356 | 22/18 | Y | X | X | Y | Y
    4 | 16150 | 19958 | 04–45000 | 4500 | Magnetic Sensor | $34,567 | $23,459 | $58,026 | 10 | Y | Y | X | Y | Y
    5 | 16110 | 12958 | 00–31100 | 5200 | Spare Punching | $934,545 | $5,437 | $939,982 | 11 | Y | Y | X | Y | Y
    Attributes:

    Test objective 1: XYZ reconciliation should be submitted timely and accurately.
    A. Review sample of XYZ reconciliation to determine whether it was submitted in accordance with Treasury guidelines.
    B. Review the XYZ reconciliation to ensure the accuracy of the XYZ submission.
    Test objective 2: Identify, research, and reconcile differences.
    C. Review sample of ABC reconciliation and supporting documentation for items identified as reconciling differences after researching the summary reports.
    D. Ensure the reconciling items on the IRS ABC agree to the ABC 6652 (Statement of Difference) reports from GWA.
    Test objective 3: Post corrective entries.
    E. Review subsequent reconciliations of ZXC 6652 reports to ensure correcting entries were posted for differences.
    Attribute Source:
    Attribute A - Supported by XYZ reconciliation, Statement of Transactions, date transmitted to STAR, Pages D.1.2.
    Attribute B - Supported by comparison of XYZ sub-sample items listed on XYZ report, Statement of Transactions, Pages D.2.3, to IFS ERXY reports showing monthly activity to Treasury Account Symbol used in the XYZ reconciliation, Pages D.2.5.
    Attribute C - Supported by Disbursement Tie Out Sheet, Page D.3.4 and the individual transactions listed on the ABC Transaction Log, Pages D.3.8, and the ABC Z224 DISB report, Pages D.2.13.
    Attribute D - Supported by the comparison of ABC 6652 total, Page D. 4.18, to GWA ABC total, Page 5.18.
    Attribute E - Supported by ZXC 6652, Page D. 6.23, showing all reconciling differences posted in the month of November 20XX. Test was to review subsequent ZXC 6652 - See 3A Note, Page D. 6.34 - No ZXC (Nov. 0X) printed for the file if there is no activity, i.e. reconciling items.
    Tick Marks:
    Y Attribute met without exception
    X Attribute met with exception
    Conclusion*:

    Note:

    * Describe conclusions based on the attributes tested and documented in this sample lead sheet. All testers preparing and reviewing work papers outside the TeamMate environment should initial and date the work papers prior to uploading them in TeamMate.

  4. Documentation: Among other things, work papers may include:

    1. Planning documents and review plans

    2. Control questionnaires, flowcharts, checklists, and the results of control evaluations

    3. Documentation of interviews

    4. Organization charts, policy and procedures statements, and job descriptions

    5. Copies of important contracts and agreements

    6. Letters of confirmation and representation

    7. Photographs, diagrams, and other graphic displays

    8. Tests and analyses of transactions

    9. Results of analytical review procedures

    10. Audit reports and management replies

    11. Relevant correspondence

    12. CAPs, if appropriate and available

    13. Opportunities for improvement, if appropriate and available

  5. Preparing Work Papers: The documentation within the work papers must be appropriately organized to provide a clear link to the significant findings or issues. Work papers must be sufficient to show that:

    1. Guidance in understanding the internal control has been obtained to plan the test and determine the nature, timing, and extent of tests to be performed

    2. Work has been adequately planned and supervised

    3. Standards of test work have been observed

    4. Sufficient competent documentation has been obtained through the test procedures applied to afford a reasonable conclusion

  6. Notation: Highlight the specific attribute in the work papers that the tester verified, such as a signature indicating managerial approval.

  7. Indexing: Work papers will be automatically indexed once loaded into TeamMate to ensure test plan results are properly referenced and can be easily traced to supporting documentation. When referring to reports in TeamMate, use the reference number and page number. TeamMate will automatically assign the reference number based on the step associated with the work paper. For example, see the referencing table below.

    Phase | Reference
    Planning Phase | A
    Testing Phase | B
    Reporting Phase | C

  8. Based on the test objective and step associated with the work paper, TeamMate will automatically assign each work paper a reference number and a page number.

  9. Sources of data: Clearly identify sources of information appearing on a worksheet. An independent reviewer should be able to retrace the reviewer’s steps, from basic schedules to summaries and comments. Work papers should describe the specific data reviewed and document the person who provided the data and the date it was received. Worksheets should be cross-referenced to other related work papers and to the test plans. Effective cross-referencing often reduces the need to duplicate data. Critical areas, such as column totals, cross-referenced totals, and computations, should be independently verified by someone not assigned to work on the review project.

  10. Each source of data should be captured in the Program Box within TeamMate, describing the data used to test the internal control. See Exhibit 1.4.3-1 for an example of the TeamMate Program Box.

  11. Work paper summaries: The process of summarizing provides an objective overview and puts findings in perspective. Summaries should focus on key information and data, and should not include trivial information or editorial comments not supported by testing. Periodically summarizing findings helps ensure firm control over the test.

  12. Summaries are also beneficial in tying together groups of work papers that relate to a particular point. Summaries can provide an orderly and logical flow for the various related papers and can facilitate review of a particular test objective and/or step segment. See IRM 1.4.3.12 (3) above for an example of a Sample Lead Sheet used to summarize samples (testers should modify to include relevant information).

  13. Record Key Meetings and Interviews: All key discussions (meetings and interviews) used as support for key decisions (testing decisions/conclusions) or test evidence must be recorded and included in the work papers. Key decisions and conclusions are often a result of meetings and interviews. Without a record, important information will be lost. Use the format below.

    Record of Discussion
    Date: Time:
    Type of Contact: In Person: By Telephone:
         
    Location of Discussion:
    Conference Call
         
    Person(s) Contacted/Interviewed:(Please list all participants):
    Name, Position/Title, Office, Telephone Number
    Name, Position/Title, Office, Telephone Number
         
    Initiator(s)/Interviewer(s):  
    Name, Position/Title, Office, Telephone Number
         
    Purpose:    
    (Provide a brief description of meeting objective.)
         
    Discussion:    
    (Provide notes from meeting.)
         
    Other Matters Discussed:
    (Provide detailed notes of other matters discussed outside of the general purpose of the meeting.)
         
    Follow-up Actions:
    (List follow-up actions from meeting.)
         
    Documents to Obtain:
    (List documents to obtain related to meeting discussion.)

  14. Keep the Writing Simple: Work papers should be easily understandable to an uninitiated reviewer. Jargon should be avoided or be explained in a separate part of the work papers (glossary of terms) along with all technical terms and acronyms used in the work papers.

  15. Keep Papers Understandable: Work papers should be clear and understandable and must stand on their own. They should need no supplementary information. Anyone reading the papers should be able to determine what the reviewer set out to do, what they did, what they found, and what they concluded. Conciseness is important, of course; however, clarity should not be sacrificed to save time and paper.

  16. Keep Papers Free of Taxpayer/Personal Data: The work paper documentation should not contain taxpayer, employee, vendor data, etc. All information must be protected according to the guidelines in IRM 10.8.1 and IRM 10.8.8. All Service personnel must take care to ensure they recognize information which requires protection, regardless of the media on which that information is contained.

  17. Keep Papers Relevant: Work papers should be restricted to matters that are relevant and material; they should be directly related to the review’s objectives. Well-organized test plans and effective supervisory instructions can help ensure the inclusion of relevant documents only. Editorial comments and observations not supported by testing should not be included in work papers. It is important that all conclusions are put in context and related to specific evidence.

  18. Reviewing Work Papers: After the test team leader has reviewed the work papers, all work papers are reviewed by CPIC-IC team management not involved in the testing process. The purpose of the review is to ensure the work papers and test work comply with requirements.

1.4.3.13  (05-25-2012)
A-123 Work Product Approval Process

  1. A-123 TEST PLAN APPROVAL PROCESS: The flowchart below shows the process through which the test plans will progress. The bottom of the chart shows that the A-123 test team leader develops the internal control test plans. The test plans will be forwarded for internal review by CPIC-IC. Next, the test plans will be sent to the A-123 Review Board for review and approval. Finally, the test plans will be sent to the Department of the Treasury.

    A-123 STRUCTURE FOR TEST PLAN APPROVAL
     
    Department of Treasury
    A-123 Review Board
    CPIC-IC Review
    A-123 Test Team Leader
     

  2. A-123 TEST WORK PAPER APPROVAL PROCESS: The flowchart below shows the process through which the completed work papers will progress. The test team leader will be the first level of review. Next, the work papers will be reviewed by CPIC-IC. Finally, the work paper packages will be sent to the appropriate ACFO for review and sign-off.

    A-123 STRUCTURE FOR WORK PAPERS APPROVAL PROCESS
     
    Brief FMC ESC and A-123 Review Board
    ACFOs
    CPIC-IC Review
    A-123 Test Team Leader
     

1.4.3.14  (10-01-2010)
Internal Control Test Plan Outline

  1. INTRODUCTION

    1. Test objective (Purpose of the test)

    2. Expected results (What is the expected outcome)

    3. Controls tested (Identify IRS controls tested in this test plan, and state whether they include all controls in the Treasury Catalogue.)

  2. SCOPE OF THE TEST

    1. Delineate the scope of the test based on the nature, frequency, and timing of the control (Are all transactions included or only a specific subset, and at what frequency will they be tested?)

    2. Resource capabilities required to perform testing (What degree of knowledge is needed by those performing the test?)

    3. Resources to be used to perform control test (Is there separation between individuals who test and individuals who perform the control?)

    4. Determination of the type of relevant reporting assertion provided by the control (What type of assertion do the controls provide?) Rights or Obligations; Completeness or Accuracy; Presentation or Disclosure; Existence or Occurrence; and Valuation or Allocation

    5. Type of test (Inspection, Observation, or Re-Performance)

    6. Sample size and basis (What method was used to select the sample and what is the sample size?)

    7. GAO and TIGTA findings (Are there outstanding GAO or TIGTA findings related to the transaction?) and relevance of finding to control test (How will the findings of those studies/audits be addressed in the evaluation approach, i.e., what effect did they have on the scope and nature of its work?)

    8. Assess SMR potential of transaction (Determine if transaction meets the criteria to be deemed an SMR as discussed in IRM 1.4.3.11.3.)

  3. CONTROL TEST

    1. Steps for testing transaction controls (What are the steps to perform the test against the sample?)

    2. Additional procedures (If the testing team decides to perform additional procedures and expand the sample, describe the rationale and method used to choose additional sample items.)

    3. Documentation requirements (Describe how the conduct and results of the test will be documented.)

  4. RESULTS OF TESTING

    1. Determine results of test steps by selecting whether the control appears to be operating effectively.

    2. Evaluate results to determine: (1) Control effectiveness (Who reviews the results of the test and how will effectiveness be determined?) and (2) Consistent application (Are the controls consistently applied?)

  5. SUMMARIZE THE RESULTS

    1. Evaluate control effectiveness (Effective or Ineffective)

    2. Determine whether controls were consistently applied (Does the test reflect consistent application?)

    3. OFI required (Summarize OFIs that are applicable to the process and should be discussed with the operating/functional divisions.)

    4. Corrective actions required (If a control weakness exists, summarize the corrective actions that will be taken.)

1.4.3.15  (10-01-2010)
Template to Develop Sample

  1. Template to Develop Sample - As discussed in IRM 1.4.3.11.5, use the template below to provide the requested information including the transaction, name, scope, and brief answers (two or three sentences).

    Description of Population for Sample Selection
    1. Transaction and Name:
       
    Scope of the Test
       
    2. What is the population (i.e., universe, start and end date) of the item cycled through the internal control? Provide a brief (two or three sentences) description of the universe, which includes universe totals by the frequency the control is performed (i.e., weekly, monthly, or quarterly).
     
    3. Approximate frequency the control is performed:
       
    a. Daily  
    b. Weekly  
    c. Monthly  
    d. Quarterly  
    e. Annually  
    f. Recurring (Cyclical)  
       
    4. Transaction Risk.  
     
     
    5. Number of locations where the transaction and control are performed.  
         
         
    6. How far back is historical data available?  
         
         
    7. Briefly explain how sample size was derived.  
         
         

1.4.3.16  (05-25-2012)
Combined Procedure Report

  1. The Combined Procedure Report is a TeamMate-generated report that provides a detailed account of the purpose of the transaction and the test results of each transaction step. The report is submitted to the ACFOs at the conclusion of testing in order to gain an understanding of the overall test results.

    Combined Procedure Report
     
    Profile
     
    General
    Code: AC-6
    Name: AC-6, Cash Reconciliation
    Group: Financial Management
    Type: Accounting (AC)
    Location: DC
    Origin: Treasury Transaction
       
    Team  
       
    Lead: A. Controls
    Manager: M. Internal
       
    Risk  
       
    Risk: Moderate - Annual
       
    Contact  
       
    Primary  
       
    SME Accountant
       
    Other  
       
    Signature: _______________________________
    Associate Chief Financial Officer (OS:CFO:CPIC)
    ACFO@irs.gov  
    Summary Detail
    A.1. PRG - Introduction Objective:
      (Purpose of the test)
         
    Procedure Step: Test Objective  
         
    Prepared By:  
    Reviewed By:  
         
    A.1. PRG - Introduction Objective:
        (Determine if there are any outstanding GAO or TIGTA findings related to the transaction and assess impact.)
       
    Procedure Step: GAO and TIGTA Findings Record of Work Done:
        XXXXXX
    Prepared By:  
    Reviewed By:  
         
    A.1. PRG - Introduction Objective:
      XXXXXX
    Procedure Step: Information needed to conduct test Record of Work Done:
        XXXXXX
    Prepared By:  
    Reviewed By:  
       
    B.1. PRG - Test Objective 1: To XXXXXX Objective:
      XXXXXX
    Procedure Step: 1. Record of Work Done:
        XXXXXX
    Prepared By:  
    Reviewed By: Conclusion:
      XXXXXX
    B.2. PRG - Test Objective 2: To verify timely processing of XXXXXX Objective:
      XXXXXX
    Procedure Step: 1. Record of Work Done:
        XXXXXX
    Prepared By:  
    Reviewed By: Conclusion:
        XXXXXX
    C.1. PRG - Document the Effectiveness of the Control Objective:
        Control effectiveness (Effective or Ineffective):
    Procedure Step: A. Control effectiveness Record of Work Done:
        XXXXXX
    Prepared By:  
    Reviewed By:  
         
    C.1. PRG - Document the Effectiveness of the Control Objective:
      (Determine if there are any outstanding GAO or TIGTA findings related to the transaction and assess impact.)
         
    Procedure Step: B. Corrective actions required Record of Work Done:
    Prepared By: XXXXXX
    Reviewed By:  
       
    C.1. PRG - Document the Effectiveness of the Control Objective:
      Determination as to whether the controls have been consistently applied (Does the test reflect consistent application?)
    Procedure Step: C. Record of Work Done:
        XXXXXX
    Prepared By:  
    Reviewed By:  
       

1.4.3.17  (05-25-2012)
Opportunity for Improvements (OFIs)/Corrective Action Plans (CAPs)

  1. OFIs are identified by the A-123 test team at the interim testing period (June 30th) and at year end (September 30th). OFIs arise in situations in which the controls are working, but could be strengthened through remedial measures. OFIs are re-evaluated once the transaction is tested during the next scheduled cycle. For example, OFIs for annual transactions will be re-evaluated on an annual basis. Plans addressing non-material issues will be tracked in CCH TeamMate® and by the office responsible for the internal control.

  2. CAPs are prepared to address findings in A-123, GAO and TIGTA audit reports. The CAPs provide IRS-specific actions, deadlines, and resources to address the audit findings, identify needed improvements that correct identified deficiencies, and produce recommended improvements.

    1. In the case of TIGTA and GAO findings, remedial CAPs are needed when a test reveals material internal control problems that are serious enough to conclude the internal controls are not working in that transaction. CAPs addressing material problems are tracked in JAMES by both the IRS and Treasury until the corrective action is appropriately addressed and closed by the business unit.

    2. In the case of A-123 findings, CAPs are needed when testing reveals internal control problems. When the business unit concurs with findings, the test team leader assists in developing CAPs, which are tracked in CPIC-IC through CCH TeamMate® and by the business unit office responsible for the internal control. When business units do not concur with OFIs, the internal control risk shifts to the business unit and the status of those recommendations is not tracked. The status of OFIs and CAPs is determined as of June 30th and September 30th as part of the test plans. OFIs and CAPs remain open until closed.

1.4.3.18  (06-28-2013)
Continuous Monitoring

  1. Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational activities. The financial and operational environment consists of the people, processes, and systems working to support efficient and effective operations. Controls are put in place to address risks within these components.

  2. Continuous monitoring actively identifies, quantifies, and reports control failures such as duplicate vendor records, duplicate payments, and transactions that fall outside of approved parameters. It highlights opportunities to improve operational processes.

  3. Overall responsibility for IRS continuous monitoring includes:

    1. Management (all levels) - Issues and monitors internal control programs, policies, and procedures. Continuously assesses key business controls and transactions, which permits ongoing insight into the effectiveness of the controls and the integrity of transactions.

    2. Information Technology (IT) - Issues security, policy, and guidance for the IRS’ information systems (see IRM 10.8.1, Information Technology Security, Policy and Guidance). Conducts annual assessments of automated internal controls that affect authorizing, processing, transmitting, or reporting material financial transactions to determine whether security controls are in place and operating effectively.

    3. CFO Financial Management (FM) - Conducts reconciliations and reviews in preparation of financial statements to ensure timely and accurate reporting.

    4. CFO Corporate Planning and Internal Control (CPIC) - Conducts interim and year-end internal control testing to determine the IRS' compliance with laws and regulations (see IRM 1.4.2, Resource Guide for Managers, Monitoring and Improving Internal Control).

  4. Continuous monitoring can be traced back to its roots in traditional auditing processes. It goes further than a traditional periodic snapshot audit by putting in place continuous monitoring of transactions and controls so that weak or poorly designed controls can be corrected. When assessing federal agency compliance, inspectors general, evaluators, auditors, and assessors consider the intent of the security concepts and principles articulated within the specific guidance document and how the agency applied the guidance in the context of its mission and business responsibilities, operational environment, and unique organizational conditions. (See NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, Background).

  5. IT continuous monitoring activities intersect the IRS A-123 internal control activities through interim and year-end operational controls testing. (See IRM 1.4.3.8, The Department of the Treasury’s Five-Part Approach.)

    Example:

    Transactions IT-2, Set-up and Maintenance of Systems Applications Security, and IT-3, Verify Systems Software Change Control Procedures, include an objective to determine whether user access, roles, and permissions are monitored and updated as necessary. Also included is a comparison of the risks and controls listed in the Control Design Analysis template to those in NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations to determine compliance with NIST requirements.

    Example:

    Transactions IT-14, Treasury Information Executive Repository (TIER) Upload, FACTS I & II Reporting, and IT-15, CFO Vision Financial Statement Generation (Administrative and Custodial Revenue), include an objective to verify that processes and internal controls are in place for composing, reviewing and approving financial data required for TIER data transmission.

  6. Through continuous monitoring, weak or poorly-designed controls can be corrected or replaced to improve the IRS risk profile. Multi-disciplinary teams consisting of automated systems specialists and accounting and reporting experts will use the appropriate policies and procedures as a basis for performing periodic and routine examinations of each of the financial systems that authorize, process, transmit, or report material financial transactions.

Exhibit 1.4.3-1 
TeamMate Program Box

Exhibit 1.4.3-2 
Opportunity for Improvement (OFI)/Corrective Action Plan (CAP) Template

The final objective for each issue should be to validate that the CAP has resolved the problem.

