1.57.1 FMSS Quality Assurance Programs

Manual Transmittal

April 12, 2021

Purpose

(1) The purpose of this IRM is to establish responsibilities for Facilities Management and Security Services (FMSS) Quality Assurance (QA) programs.

Material Changes

(1) This is a new IRM.

Effect on Other Documents

None.

Audience

Facilities Management and Security Services

Effective Date

(04-12-2021)

Richard L. Rodriguez
Chief
Facilities Management and Security Services

Program Scope and Objectives

  1. Purpose: The purpose of this IRM is to establish responsibilities for Facilities Management and Security Services (FMSS) Quality Assurance (QA) programs.

  2. Audience: FMSS managers and employees.

  3. Policy Owner: Chief, FMSS.

  4. Program Owner: FMSS Associate Director (AD), QA.

  5. Primary Stakeholders: FMSS managers and staff.

  6. Program Goals: To improve FMSS program processes, monitor program adherence to guidance, and implement IRS policy on Audits, Internal Management Documents (IMD), and the Balanced Performance Measurement System (BPMS) and Enterprise Risk Management (ERM).

Background

  1. This IRM section provides clarification on the role of the QA organization within FMSS.

  2. QA partners with FMSS functions and activities to:

    1. Improve program effectiveness by conducting reviews and analyses.

    2. Identify program processes and controls that are not operating in accordance with policy, procedures, or other requirements.

    3. Provide technical and analytical support to implement program improvements and corrective measures.

    4. Address requests and inquiries from the Government Accountability Office (GAO), Treasury Inspector General for Tax Administration (TIGTA), the Chief Financial Officer (CFO), and other organizations auditing FMSS programs.

    5. Ensure IMD (IRM, Policy Statements, Delegation Orders, etc.) are aligned and current.

    6. Gather and report FMSS performance measures as part of the IRS’s BPMS.

    7. Maintain the Risk Register and Key Risk Indicators (KRI), collect and report FMSS risk identification and assessment activities and facilitate integration of risk in the decision-making process.

Authority

  1. Public Law 97-255, Federal Managers’ Financial Integrity Act (FMFIA) of 1982.

  2. Treasury Directive 40-04, Treasury Internal Control Program (Dated 7/12/2017).

  3. GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Dated 9/10/14).

  4. GAO’s Agency Protocols, January 2019, GAO-19-55G.

  5. OMB Circular No. A-50, Audit Follow-up, September 29, 1982.

  6. 31 USC 720 (b), Agency Reports.

  7. The Commissioner of Internal Revenue has authority under Treasury Order 150-10 to administer and enforce the Internal Revenue laws. The Commissioner provides subordinates certain authorities to act on his behalf by issuing Delegations of Authority. IRS directors throughout the IRS, with the authority and responsibility for a program, issue IMD to administer and enforce the Internal Revenue laws.

  8. 26 CFR 801, Balanced System for Measuring Organizational and Employee Performance Within the Internal Revenue Service.

  9. OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control.

Responsibilities

  1. The Chief, FMSS is authorized to prescribe QA programs within FMSS.

  2. The AD, QA is responsible for planning, developing, implementing, evaluating, and controlling the QA programs.

  3. The Section Chief, Program Review Team is responsible for planning, developing, implementing, managing, and evaluating the Quality Assurance Review (QAR) program and ensuring that IRS policies and procedures are followed.

  4. The Section Chief, Audit Team is responsible for planning, developing, implementing, managing, and evaluating FMSS’s Audit, IMD, BPMS and ERM processes and ensuring that IRS policies and procedures are followed.

  5. FMSS program owners are responsible for:

    1. Responding to requests and inquiries from QA personnel.

    2. Cooperating with QA personnel to improve the accountability and operation of FMSS programs, strengthen controls, and address deficiencies.

    3. Identifying areas within their programs that may benefit from a review and submitting a request to *FMSS QAR Suggestions.

Program Management and Review

  1. Program Reports: The QA program reports include:

    1. Quality Assurance Review (QAR) reports

    2. Summary of Analysis (SOA)

    3. Deputy Commissioner Business Performance Reviews (BPR)

    4. Open Audit and Planned Corrective Actions (PCA) reports

  2. Program Effectiveness: QA uses performance metrics to measure the effectiveness of reviews and, when possible, improvements made in response to QA recommendations.

Program Controls

  1. Management exercises continuous oversight of projects and program activities through regular project status meetings and status reporting.

  2. A documentation trail of reviews, approvals, coordination activities and key decisions is maintained in compliance with policy for each QA program.

  3. The status of audits, corrective actions, audit inquiries, and requests is tracked; program risks and mitigations are documented and reviewed/updated periodically; and a documentation trail on issues, actions, and resolutions is retained.

  4. Data dictionaries are developed and maintained to document compliance with policy requirements for BPMS measures.

  5. Access to program documentation, reports and information is centralized and stored on a SharePoint site with access limited to authorized personnel.

Terms/Definitions/Acronyms

  1. The following terms and definitions apply to this IRM section:

    1. Action Plan – A detailed plan outlining actions needed to reach one or more goals.

    2. Audit – An assessment of FMSS program activities performed by the Government Accountability Office, Treasury Inspector General for Tax Administration, Chief Financial Officer, or a federal organization.

    3. Balanced Performance Measurement System (BPMS) – The IRS performance measurement system for setting organizational objectives, establishing targets, assessing progress and results, and evaluating individual performance.

    4. Close-out Record – A written agreement that documents any transfer of responsibilities for a process or activity from FMSS to another IRS Business Unit or office when transfer is the agreed upon solution.

    5. Data Collection Instrument (DCI) – A form or spreadsheet used to document testing results when multiple records, observations, transactions, or cases are tested in a monitoring focused QAR. The DCI identifies the specific guidance tested and the testing results.

    6. Data Dictionary – A document that describes a performance measure in detail, including formal definition, responsible official, data source, data reliability, and program controls.

    7. eLibrary – The repository for FMSS IMD products.

    8. ERM Liaisons – The designated officials that serve as ambassadors/champions for risk management and support their business unit leadership in identifying, assessing and managing risk that, if not mitigated, will undermine the attainment of their business unit’s and/or the IRS’s goals and mission.

    9. Guidance – The source of criteria or standards against which a program’s is tested in a monitoring focused QAR.

    10. Internal Management Document (IMD) – An official communication that designates policies, authorities, and delivers instructions to IRS officials and employees.

    11. Key Risk Indicators (KRI) – Provide timely leading indicators of existing and emerging risks that allow the business unit to recognize and respond to risks before they are realized.

    12. Matter for Further Consideration (MFC) – A notification from GAO that identifies an instance of non-conformance with internal control standards, provisions of the Internal Revenue Manual, or other applicable guidance.

    13. Planned Corrective Actions (PCA) – A detailed description of how management plans to implement a recommendation to address the audit finding(s). The PCA also identifies due date(s) and responsible official(s).

    14. Process Flow Diagram – A graphical representation of a process or workflow identifying processing steps and who performs them.

    15. Program Owner – A manager with primary responsibility for establishing policies and procedures and/or managing a program.

    16. Project Status Report – A periodic report of progress on a QAR project delivered by the Project Lead to management.

    17. Quality Assurance Review (QAR) – In an improvement focused QAR, program processes are reviewed to identify underlying causes for issues and opportunities to improve efficiency and effectiveness. In a monitoring focused QAR, program processes are reviewed to determine if policies, procedures, and controls were implemented effectively and, as necessary, identify corrective measures.

    18. Risk Register – A template for business units to document and report risk information in a standardized format to the Office of the Chief Risk Officer (OCRO) for enterprise risk assessment updates.

    19. Stakeholders – Organizations or persons with program policy responsibilities or with a vested interest in a program.

    20. Summary of Analysis (SOA) – A document that identifies the causes for the issues under review and proposes solutions for improvement.

    21. Testing Approach – A planning document that identifies the methodology that will be used to evaluate program processes during a monitoring focused QAR.

    22. Testing Summary – A document that describes testing performed and results in a monitoring focused QAR.

      Acronyms

      Acronym Definition
      AD Associate Director
      BPMS Balanced Performance Measurement System
      BPR Business Performance Review
      CFO Chief Financial Officer
      DCI Data Collection Instrument
      EAM Enterprise Audit Management
      ERM Enterprise Risk Management
      FMSS Facilities Management and Security Services
      GAO Government Accountability Office
      IG Interim Guidance
      IMD Internal Management Documents
      KRI Key Risk Indicators
      MFC Matter for Further Consideration
      OCRO Office of the Chief Risk Officer
      PCA Planned Corrective Action
      QA Quality Assurance
      QAR Quality Assurance Review
      RAAS Research, Applied Analytics and Statistics
      SME Subject Matter Experts
      SOA Summary of Analysis
      SOP Standard Operating Procedures
      SPDER Servicewide Policy, Directives and Electronic Resources
      TIGTA Treasury Inspector General for Tax Administration
       

Related Resources

  1. IRM 1.4.2, Resource Guide for Managers, Monitoring and Improving Internal Control

  2. IRM 1.4.3, Resource Guide for Managers, Financial Assurance Control Testing

  3. IRM 1.4.31, Resource Guide for Managers, IRS Quality Assurance Program

  4. IRM 1.4.32, Resource Guidance for Managers, Internal Control Review Program

  5. IRM 1.4.60, Resource Guide for Managers, Enterprise Risk Management (ERM) Program

  6. IRM 1.5.1, Managing Statistics in a Balanced Measurement System, The IRS Balanced Performance Measurement System

  7. IRM 1.11.1, Internal Management Documents System, Internal Management Document (IMD) Program and Responsibilities

  8. IRM 1.11.2, Internal Management Documents System, Internal Revenue Manual (IRM) Process

  9. IRM 1.11.3, Internal Management Documents System, Servicewide Policy Statement Process

  10. IRM 1.11.4, Internal Management Documents System, Servicewide Delegation Order Process

  11. IRM 1.11.5, Internal Management Documents System, Publishing the Internal Revenue Manual (IRM)

  12. IRM 1.11.9, Internal Management Documents System, Clearing and Approving Internal Management Documents (IMDs)

  13. IRM 1.11.10, Internal Management Documents System, Interim Guidance Process

  14. IRM 1.29.1, Audit Coordination Process, Authorities and Responsibilities

  15. IRM 1.35.14, Financial Accounting, IRS Annual Financial Statement Audit

  16. FMSS Physical Security Strategy (FY 2020-2022)

Performing QAR Improvement Projects

  1. Management designates a project lead for each improvement-focused QAR project.

  2. The project team completes the activities identified in IRM 1.57.1.2.1 through IRM 1.57.1.2.4.

Conducting Discovery

  1. Obtain an understanding of the operation of program processes, policies, practices, program risks and mitigations as well as prior audit findings and any other program concerns that apply to the project’s objectives sufficient to identify underlying and contributing causes. Document applicable program processes in a process flow diagram. Key sources for information include:

    1. Audit reports, Matters for Further Consideration (MFC) forms, corrective action documentation

    2. IRM, procedures, desk guides, program documents

    3. Training courses

    4. Subject Matter Experts (SME)

    5. Other historical and current material that may be relevant to the project objectives

Developing and Implementing Solutions

  1. Prepare a Summary of Assessment documenting the results of the analysis of information gathered during discovery and the proposed solution(s). The SOA should include:

    1. Objective of the review

    2. Background

    3. Identification of root or contributing causes

    4. Proposed solution(s)

  2. Finalize the proposed solution after consulting with program owner and stakeholders.

  3. Support the program owner’s implementation of the solution. Complex process improvements may require development of an action plan.

    Note:

    If the solution requires program responsibilities to be transferred to another Business Unit or group, a written agreement should be used to document the decision in a close-out record.

Evaluating Solutions

  1. Evaluate the solution(s) and identify and document recommendations for improvement or follow-on actions, as necessary.

Overseeing QAR Improvement Projects

  1. The project lead submits project status reports to management and attends recurring oversight meetings at management’s discretion throughout the QAR project.

  2. The project lead uploads the following final QAR project records to the review team’s SharePoint site with access limited to authorized personnel designated by the manager:

    1. List of documents reviewed and sources

    2. Process flow diagram

    3. SOA

    4. Action plan, as necessary

    5. Close-out record, as necessary

    6. Project status reports

Performing QAR Monitoring Projects

  1. Management designates a project lead for each monitoring focused QAR project.

  2. The project team completes the activities identified in IRM 1.57.1.3.1 through IRM 1.57.1.3.3.

Planning QAR Monitoring Projects

  1. Develop an understanding of the program under review and any recent program improvements by reviewing program documentation, studies, guidance, processing documents, and discussing program operation with the SME, as necessary.

  2. Develop a Testing Approach and Data Collection Instrument (DCI) to document the testing plan and test results. A Testing Summary may be prepared when results from several DCI will need to be aggregated or when using a DCI is not efficient.

Testing and Reporting Results

  1. Test program adherence to guidance. Testing techniques include:

    1. Direct physical inspection and observations

    2. Document reviews

    3. Inquiries (e.g., interviews, written inquiries, questionnaires)

    4. Random sampling used in conjunction with the above-mentioned techniques

    5. Analytical reviews (e.g., computations, data comparisons, variance analyses, data matching)

  2. Report testing results to program owners and finalize a written report identifying review objectives, guidance used as testing criteria, scope and methodology, results and any recommended actions.

Overseeing QAR Monitoring Projects

  1. The project lead will submit project status reports to management and attend recurring oversight meetings at management’s discretion throughout the QAR project.

  2. The project lead will upload the following final QAR records to the review team’s SharePoint site with access limited to authorized personnel designated by the manager:

    1. List of documents reviewed

    2. Testing Approach

    3. DCI or Testing Summary

    4. QAR Report

Overseeing Audits

  1. The GAO, TIGTA, CFO, and federal organizations (e.g., Department of Treasury, Office of Personnel Management, etc.) conduct audits, reviews and inspections of FMSS programs and operations (Collectively referred to as "audits" in this IRM).

  2. The following organizations establish IRS Audit oversight policies:

    1. Office of the Chief Risk Officer, Enterprise Audit Management (TIGTA, GAO, and Federal agency audits, except for the IRS Financial Statement Audit)

    2. CFO, Financial Management Division (IRS Financial Statement Audit), and Internal Control Division (IRS QA Program, Financial Assurance Control Testing, Internal Control Reviews)

  3. The QA Audit Team is responsible for managing FMSS’s implementation of the Audit oversight program. This includes:

    1. Coordinating information and access requests with affected functions and areas.

    2. Providing management and program owners analysis and insight on audit issues.

    3. Monitoring and reporting on the status of audits and planned corrective actions.

  4. The QA Audit Team follows applicable IRS policies and FMSS Standard Operating Procedures (SOP), which include but are not limited to:

    1. IRM 1.4.2, Resource Guide for Managers, Monitoring and Improving Internal Control

    2. IRM 1.4.3, Resource Guide for Managers, Financial Assurance Control Testing

    3. IRM 1.4.31, Resource Guidance for Managers, IRS Quality Assurance Program

    4. IRM 1.4.32, Resource Guidance for Managers, Internal Control Review Program

    5. IRM 1.29.1, Audit Coordination Process, Authorities and Responsibilities

    6. IRM 1.35.14, Financial Accounting, IRS Annual Financial Statement Audit

Managing Internal Management Documents

  1. IMD are official communications that designate authorities and/or provide instructions to IRS officials and employees. IMD include IRM, Delegation Orders, Policy Statements, Interim Guidance, SOP and Operating Level Directives.

  2. The Office of Servicewide Policy, Directives and Electronic Resources (SPDER), within the Research, Applied Analytics and Statistics (RAAS) organization establishes IRS IMD policy.

  3. The QA IMD Team is responsible for managing FMSS’s implementation of the IMD program. IMD coordinators manage program activities, including acting as a clearing house for all IMD products, verifying all IMD products are current and providing support to IMD authors.

  4. The QA IMD Team follows applicable IRS policies and FMSS SOP, which include but are not limited to:

    1. IRM 1.11.1, Internal Management Documents System, Internal Management Document (IMD) Program and Responsibilities

    2. IRM 1.11.2, Internal Management Documents System, Internal Revenue Manual (IRM) Process

    3. IRM 1.11.3, Internal Management Documents System, Servicewide Policy Statement Process

    4. IRM 1.11.4, Internal Management Documents System, Servicewide Delegation Order Process

    5. IRM 1.11.5, Internal Management Documents System, Publishing the Internal Revenue Manual (IRM)

    6. IRM 1.11.9, Internal Management Documents System, Clearing and Approving Internal Management Documents (IMDs)

    7. IRM 1.11.10, Internal Management Documents System, Interim Guidance Process

Collecting and Reporting Measures for the Balanced Performance Measurement System (BPMS) and Enterprise Risk Management (ERM)

  1. The IRS developed the BPMS to reflect its priorities consistent with its mission and strategic goals. The IRS considers each of the three components of balanced measures (customer satisfaction, employee satisfaction, and business results) when setting organizational objectives, establishing targets, assessing progress and results and evaluating individual performance. Each component is given an equal importance.

  2. The Corporate Budget office within the CFO organization establishes the IRS BPMS policy.

  3. The IRS developed the ERM Program to provide an IRS-wide approach to risk management and foster a risk-aware culture. The program helps IRS units incorporate risk management principles in the decision-making process.

  4. The OCRO organization establishes the IRS ERM policy.

  5. The QA Measures Team is responsible for managing the FMSS implementation of the BPMS program, including collecting and reporting FMSS performance measures and providing guidance to FMSS divisions to develop measures. The Measures Team is also responsible for maintaining the Risk Register and KRI, collecting and reporting FMSS risk identification and assessment activities and facilitating the integration of risk in the decision-making process.

  6. The QA Measures Team follows applicable IRS policies and FMSS SOP, which include but are not limited to:

    1. IRM 1.5.1, Managing Statistics in a Balanced Measurement System, The IRS Balanced Performance Measurement System

    2. IRM 1.4.60, Resource Guide for Managers, Enterprise Risk Management (ERM) Program