1.4.2 Monitoring and Improving Internal Control

Manual Transmittal

July 17, 2020

Purpose

(1) This transmits revised IRM 1.4.2, Resource Guide for Managers, Monitoring and Improving Internal Control.

Material Changes

(1) Added additional information for IRM 1.4.2.2, Management Controls Executive Steering Committee (MC ESC), and IRM 1.4.2.5, Annual Assurance Review Process.

(2) Added IRM 1.4.2.9, Internal Control Review (ICR).

(3) Added IRM 1.4.2.10, Management’s Discussion and Analysis (MD&A).

Effect on Other Documents

IRM 1.4.2, dated June 28, 2018, is superseded.

Audience

All IRS Managers

Effective Date

(07-17-2020)

Ursula S. Gillis
Chief Financial Officer

Program Scope and Objectives

  1. The IRS maintains an effective internal control program that complies with legislative requirements and related regulations and directives, such as the Standards for Internal Control in the Federal Government, commonly known as the "Green Book."

  2. Purpose: Internal controls are the programs, policies and procedures established to ensure that:

    1. Mission and program objectives are accomplished efficiently and effectively.

    2. Programs and resources are protected from waste, fraud, abuse, mismanagement, and misappropriation of funds.

    3. Laws and regulations are followed.

    4. Financial reporting is reliable.

    5. Reliable information is obtained and used for decision making.

  3. Audience: This guidance applies to managers at all levels. Managers are expected to understand the risks associated with their operations and ensure that controls are in place and operating effectively to mitigate known risks. Managers provide candid, reliable, and supportable reports on the status of those controls annually.

  4. Policy Owner: CFO

  5. Program Owner: CFO, Internal Controls (IC)

  6. Primary Stakeholders: IRS managers

  7. Program Goals: To accomplish the objectives identified in the Purpose section above.

Background

  1. Internal control, which is synonymous with management control, is a major part of managing an organization. It comprises the plans, methods, and procedures used to meet missions, goals, and objectives; and in doing so, supports performance-based management. It also serves as the first line of defense in safeguarding assets. Internal control prevents and detects errors and fraud. It helps government program managers achieve desired results through effective stewardship of public resources. Systems of internal control provide unmodified assurance that the following objectives are being achieved:

    1. Effectiveness and efficiency of operations.

    2. Reliability of financial reporting.

    3. Compliance with applicable laws and regulations.

  2. All employees must be committed to implementing effective and efficient internal controls. Internal controls are administrative and program-specific processes that ensure programs achieve their intended result and organizations realize their goals. Internal controls ensure that laws and regulations are followed, assets are safeguarded, and financial and management reports are accurate, complete, and timely. The Department of the Treasury and TIGTA provide oversight to ensure control strategies are implemented that mitigate program and administrative operational risk.

  3. Internal controls are the responsibility of every manager. Managers are accountable for and have stewardship of all assigned operations within their organization, including program, administrative, and financial, such as:

    1. Designing and using controls that provide unmodified assurance that programs are being accomplished as intended.

    2. Conducting regular assessments to ensure controls.

    3. Identifying risks to program accomplishments, compliance with laws and regulations, and reporting accuracy.

    4. Implementing remedies to mitigate risk and measuring the results.

  4. It is important to identify problem areas and take appropriate corrective actions before external auditors, such as the Government Accountability Office (GAO) and TIGTA, issue findings or before problems escalate into serious control weaknesses. However, there must be an appropriate balance of control in programs and operations. For example, an over-controlled process or program may be costly to implement and interfere with program accomplishment. Similarly, an uncontrolled or under-controlled process or program may allow problems to go unnoticed and assets to be wasted.

  5. Being focused and aware of internal controls should be an integral part of all managers’ and employees’ daily activities. By fostering open, honest communications, and promoting problem-solving within an organization, managers create an environment where internal controls are acknowledged as tools to achieve goals.

Authorities

  1. The Budget and Accounting Procedures Act of 1950 requires the head of each federal department and agency to establish and maintain adequate systems of management controls. Further, the Federal Managers' Financial Integrity Act (FMFIA) of 1982, Public Law 97-255, Title VIII (31 U.S.C 3512 note) (hereinafter FMFIA), requires each executive agency to establish internal accounting and administrative controls in accordance with standards prescribed by the Comptroller General. These controls will provide unmodified assurance that:

    1. Obligations and costs comply with applicable law.

    2. Funds, property, and other assets are safeguarded against fraud, waste, loss, unauthorized use, or misappropriation.

    3. Revenues and expenditures are properly recorded permitting the preparation of accounts, reliable financial and statistical reports, and maintaining accountability over assets.

  2. The FMFIA also requires that each executive agency:

    1. Resolve audit findings promptly.

    2. Conduct annual evaluations of its systems of internal accounting and administrative control using guidelines established by the Office of Management and Budget (OMB).

    3. Submit an annual statement to the President and Congress on the status of the agency's system of internal control.

  3. OMB Circular A-123 (revised) dated July 15, 2016, Management's Responsibility for Enterprise Risk Management and Internal Control, requires agencies and individual federal managers to:

    1. Integrate risk management and internal control functions.

    2. Implement management practices that identify, assess, respond, and report on risks.

    3. Establish and maintain internal controls to achieve specific internal control objectives related to operations, reporting, and compliance.

    4. Provide assurance on internal control effectiveness through their Annual Assurance Statement and Agency Financial Report.

  4. Internal control assessment can be performed using a variety of information sources. Management has primary responsibility for assessing and monitoring controls. Management should use other sources as a supplement to, not a replacement for, its own judgment. Sources of information include:

    1. Management knowledge gained from the daily operation of agency programs and systems.

    2. Management reviews conducted (i) expressly for the purpose of assessing internal control, or (ii) for other purposes with an assessment of internal control as a by-product of the review.

    3. Inspector General (IG) and GAO reports, including audits, inspections, reviews, investigations, outcome of hotline complaints, or other products.

    4. Program evaluations.

    5. Audits of financial statements conducted pursuant to the Chief Financial Officers (CFO) Act of 1990, as amended, including: information revealed in preparing the financial statements; the auditor's reports on the financial statements, internal control, and compliance with laws and regulations; and any other materials prepared relating to the statements.

    6. Financial system reviews that consider whether the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA)  PDFFinancial Management Systems and Appendix D to OMB Circular No. A-123 PDF, are being met.

    7. Annual evaluations and reports pursuant to the Federal Information Security Modernization Act of 2014 PDF and OMB Circular A-130. PDF

    8. Annual performance plans and reports pursuant to Pub. Law 111-352, Government Performance and Results Act Modernization Act of 2010 (GPRAMA).

    9. Annual reviews and reports pursuant to Pub. Law 116-117, Payment Integrity Information Act of 2019 (PIIA) PDF.

    10. Single audit reports for grant-making agencies.

    11. Reports and other information provided by the congressional committees of jurisdiction.

    12. Other reviews or reports relating to agency operations.

    13. Results from tests of key controls performed as part of the assessment of internal control over financial reporting conducted in accordance with OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, M-16-17 July 15, 2016 PDF.

  5. The FFMIA, as codified at 31 U.S.C. 3512, established the statutory requirement for certain financial management systems. The FFMIA was intended to advance federal government financial management by ensuring federal management systems can and do provide reliable, consistent disclosure of financial data. Further, this disclosure should be performed on a uniform basis across the federal government from year to year by consistently using professionally accepted accounting standards. Specifically, FFMIA Section 803 (a) requires each agency to implement and maintain systems that comply substantially with:

    1. Federal financial management systems requirements.

    2. Applicable federal government accounting standards.

    3. The United States Standard General Ledger (USSGL) at the transaction level.

  6. Under the GPRA and Pub. Law 106-531, the Reports Consolidation Act of 2000 PDF, the IRS Commissioner is required to provide assurance in the Annual Assurance Statement that the IRS Critical Performance Measures are reliable.

Responsibilities

  1. This section provides responsibilities for:

    1. Commissioner and Deputy Commissioner

    2. Associate CFO for Internal Controls

    3. Enterprise Audit Management

    4. Division Commissioners, Chiefs, National Taxpayer Advocates, and Chief Counsel

    5. Managers at all levels

    6. IC coordinators

The Commissioner and Deputy Commissioners
  1. The Commissioner and Deputy Commissioners are responsible for:

    1. Creating a positive control environment within the IRS to ensure operational efficiency and adherence to all applicable statutory and regulatory standards related to internal controls, including those standards found in the FMFIA and the GAO Standards for Internal Control in the Federal Government.

    2. Establishing priorities in identifying, correcting and reporting management control material weaknesses and accounting noncompliance.

    3. Ensuring that adequate funding is requested in the budget process to correct identified deficiencies.

    4. Establishing a quality assurance process that allows the Commissioner to provide assurance, through the Annual Assurance Statement to the Secretary of the Treasury, that the objectives of the FMFIA are being achieved.

    5. Providing information, data, reports, and assurances, as necessary, to the Department of the Treasury Deputy Chief Financial Officer (TDCFO) that all IRS internal controls and financial management systems adhere to applicable statutory and regulatory standards.

    6. Ensuring that the performance plans for each Senior Executive Service (SES) member or equivalent employee having significant responsibilities for internal control contain appropriate performance requirements and expectations.

    7. Ensuring that all other employees are aware of expectations and are subject to appropriate internal controls performance standards.

    8. Providing staff with necessary guidance, training, and incentives.

    9. Designating an Internal Control Officer to administer the IRS’s internal control processes.

  2. The CFO is the IRS internal control officer and with the deputy CFO has operational responsibility for the IRS internal control program by:

    1. Evaluating all internal control systems continually and ensuring that audits, internal control reviews, risk assessments, and other evaluations are coordinated to complement one another with minimal duplication of effort.

    2. Determining annually which programs or administrative functions should be subject to a formal review to supplement management judgment as to the adequacy of management controls and allocating adequate resources to evaluate their systems of control.

    3. Ensuring that detailed procedures, documentation, training for managers and employees, and reporting requirements necessary to review, establish, maintain, test, improve, and report on IRS’s control systems exist.

    4. Reporting to the TDCFO the management control deficiencies identified in audit reports, internal reviews, and other sources that have the potential of meeting material weakness or significant deficiency criteria for the Department of the Treasury financial statement purposes.

    5. Ensuring timely correction and validation of all identified program and operations deficiencies whether material or nonmaterial.

    6. Ensuring management control guidelines issued are implemented and include employee accountability.

    7. Maintaining, correcting, and/or updating the Joint Audit Management Enterprise System (JAMES) with specific data on IRS FMFIA significant deficiencies and Remediation Plan. (See 1.4.30, Monitoring Internal Control Planned Corrective Actions, for JAMES information.)

The Associate CFO for Internal Controls (IC)
  1. On behalf of the CFO, administers the IRS internal control program and is responsible for carrying out the day-to-day internal control program by:

    1. Preparing internal control policies and procedures.

    2. Implementing OMB's Circular A-123 requirements.

    3. Providing administrative support to the Management Controls Executive Steering Committee (MC ESC).

    4. Developing procedures, documentation, and training for managers and employees.

    5. Developing reporting requirements necessary to review, establish, maintain, test, improve, and report on IRS’s control systems.

    6. Managing the annual assurance process and preparing the Commissioner’s Annual Assurance Statement to the Secretary of the Treasury.

    7. Monitoring the completion of corrective actions for material weaknesses and significant deficiencies.

    8. Providing advice and assistance to managers and their internal control coordinators, as needed.

Enterprise Audit Management
  1. Under the Chief Risk Officer is responsible for maintaining information on GAO and TIGTA audits.

The Division Commissioners, Chiefs, National Taxpayer Advocate, and Chief Counsel
  1. The Division Commissioners, Chiefs, National Taxpayer Advocate, and Chief Counsel are responsible for

    1. Establishing adequate and effective controls for all operations and activities in their responsible areas.

    2. Ensuring that established controls are followed throughout their organizations.

    3. Conducting a self-assessment and reporting on the status of internal control in their organizations to the MC ESC annually. (Managers throughout the IRS are responsible for participating in an annual internal control assessment in accordance with the annual guidance issued.)

    4. Defining objectives in measurable terms so that performance toward achieving those objectives can be assessed.

    5. Assessing the effect of known deficiencies and providing comments to the MC ESC.

    6. Providing adequate resources to correct identified material weaknesses and significant deficiencies.

    7. Preparing briefing documents for agenda topics at MC ESC and subgroup meetings.

    8. Preparing briefing documents for agenda topics at MC ESC and subgroup meetings.

Managers at All Levels
  1. Managers at all levels are responsible for:

    1. Providing a positive control environment.

    2. Identifying potential risk areas.

    3. Ensuring that adequate and effective controls are in place.

    4. Reporting results of reviews to the next level of management.

    5. Ensuring reports are supportable, accurate, and complete.

    6. Providing adequate resources to correct identified problems.

    7. Implementing corrective actions timely.

    8. Validating outcomes.

Internal Control Coordinators
  1. Internal Control Coordinators are responsible for assisting management in developing and maintaining its management control program and serving as the primary liaison with IC. Their responsibilities include:

    1. Managing their organization's annual assurance review process and preparing its assurance certification memorandum.

    2. Providing technical assistance to management and review teams in the evaluation of controls.

    3. Reviewing documentation for completed corrective actions for significant deficiencies, material weaknesses, and remediation plan actions to IC.

    4. Monitoring the status of corrective actions for material weaknesses and significant deficiencies, as well as reporting the status to IC.

    5. Ensuring that data contained within JAMES is current and accurate for material weakness, significant deficiency, and remediation plan actions.

Program Management and Review

  1. Program reports include:

    1. MC ESC briefings.

    2. Annual Assurance Statement.

    3. Remediation plans.

    4. Internal Control Review Program (IRM 1.4.32).

    5. IRS Quality Assurance Program (IRM 1.4.31).

    6. Structured Management Review (IRM 1.4.3, IRS Guidance for Financial Assurance Control Testing (FACT)).

  2. Program effectiveness is determined by:

    1. Mission and program objectives are accomplished efficiently and effectively.

    2. Reliable information is obtained and used for decision making.

    3. Laws and regulations are followed.

    4. Financial reporting is reliable.

    5. Program and resources are protected from fraud, waste, abuse, mismanagement, and misappropriation of funds.

Program Controls

  1. Program controls are detailed throughout IRM 1.4.2, Monitoring and Improving Internal Control.

Terms/Definitions

  1. The following terms and definitions apply to this program:

    1. Annual self-assessment - A manager’s review of the effectiveness of controls within their area of responsibility and the involvement of each level of management in certifying the control environment within their area is conducive to identifying risks or deficiencies at all levels.

    2. Control deficiency - A situation caused by the design or operation of a control not allowing management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

    3. Corrective action - An action taken to correct identified deficiencies, produces recommended improvements, or demonstrates that control findings are either invalid or do not warrant audited action.

    4. Internal controls - Processes and procedures put into place by management to help an organization operate efficiently and effectively to achieve its objectives. Internal (management) control is an integral component of an organization’s management that provides unmodified assurance that the following objectives are being achieved:
      a) Effectiveness and efficiency of operations.
      b) Reliability of financial reporting.
      c) Compliance with applicable laws and regulations.

    5. Material weakness - A deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

    6. Modified assurance - Informed judgment by the head of an organization, based upon all available information, that the internal controls in place may not be adequate to address the problems identified in the assurance memorandum. This opinion is based on the number of identified problems or the seriousness of the problems.

    7. Unmodified assurance - Informed judgment by the head of an organization, based upon all available information, that the internal controls in place adequately protect the resources and ensure mission completion. Unmodified assurance recognizes that the cost of controls should not exceed the benefits derived from them.

    8. Remediation plan - A plan to achieve FFMIA compliance when an agency's annual review determines their financial management systems cannot prepare required financial statements and reports, cannot provide reliable and timely financial information for managing operations, and cannot account for assets, all in accordance with federal accounting standards and the USSGL.

    9. Significant deficiency - A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit the attention of those charged with governance.

    10. Internal control weakness - A reportable finding when testing or review reveals the internal controls for a process is deemed ineffective. The term “internal control weakness” is used to report issues identified during management reviews and the annual assurance process.

Acronyms

  1. The following acronyms apply to this program:

    Acronym Meaning
    ACFO Associate Chief Financial Officer
    CFO Chief Financial Officer
    FASAB Federal Accounting Standards Advisory Board
    FFMIA Federal Financial Management Improvement Act of 1996
    FISMA Federal Information Security Management Act of 2002
    FMFIA Federal Managers’ Financial Integrity Act of 1982
    FTE Full-Time Equivalent
    GAO Government Accountability Office
    GPRA Government Performance and Results Act of 1993
    GPRAMA Government Performance and Results Act Modernization Act of 2010
    IC Internal Controls
    IDRS Integrated Data Retrieval System
    IPERA Improper Payments Elimination and Recovery Act of 2010
    JAMES Joint Audit Management Enterprise System
    MC ESC Management Controls Executive Steering Committee
    MC ESC-S Management Controls Executive Steering Committee Sub-group
    MD&A Management Discussion and Analysis
    OMB Office of Management and Budget
    PCA Planned Corrective Action
    PIIA Payment Integrity Information Act of 2019
    SAR Suspicious Activity Report
    SFFAS Statement of Federal Financial Accounting Standards
    TDCFO Treasury Deputy Chief Financial Officer
    TFRP Trust Fund Recovery Program
    TIGTA Treasury Inspector General for Tax Administration

Related Resources

  1. The following statutes and regulations are the most significant congressional acts, OMB circulars, and IRMs that affect the IRS’s management controls program:

Management Controls Executive Steering Committee (MC ESC)

  1. The MC ESC oversees management’s design, implementation, and operation of the IRS’s internal control system to ensure that internal controls are universally recognized as a shared responsibility and that internal control deficiencies are identified, analyzed, and remediated. The MC ESC’s operations are governed by a charter maintained by IC.

  2. The MC ESC’s mission is to oversee management’s design, implementation, and operation of the IRS’s internal control system, ensuring that all business units and functions (1) identify, address, and correct internal control deficiencies; and (2) recognize the importance of their shared responsibility for designing and implementing strong internal controls.

  3. The MC ESC’s objectives are to (1) build a strong relationship between risk management and internal controls and ensure existing and new controls address identified risks effectively; (2) ensure the remediation of existing control weaknesses and prevent new ones from arising; (3) provide an unmodified statement of assurance that IRS internal controls are in place and functioning effectively; and (4) achieve an unmodified audit opinion on the IRS’s financial statements. To accomplish these objectives, the MC ESC will exercise oversight authority over significant annual internal control processes and engage with IRS leadership to discuss and address promptly all risks, issues, and controls using a shared responsibility approach.

  4. The MC ESC oversees internal control issues throughout the IRS, including material weaknesses, significant deficiencies, and other control deficiencies identified through self-assessment, audits, or in the normal course of business operations. The committee also oversees Servicewide progress in closing open audit recommendations. To meet these responsibilities, the MC ESC ensures that (1) internal controls are in place and effective so the IRS can detect and manage risks; (2) root causes of problems are identified fully, corrective actions are designed, and adequate resources are deployed to address the source of the deficiency; and (3) coordination across business units is open, collaborative, and effective, particularly when responsibilities for remediation of a deficiency are shared.

  5. The MC ESC also:

    1. Oversees processes to identify, remediate, and close material weaknesses, significant deficiencies, and other internal control issues, including (1) identifying and documenting new material weaknesses and significant deficiencies; (2) approving actions for remediation plans that address existing material weaknesses and significant deficiencies; (3) ensuring business units and program owners apply appropriate attention, commitment, and resources to resolve control issues; and (4) authorizing engagement with GAO on the downgrade or closure of an existing material weakness or significant deficiency.

    2. Ensures that the IRS meets all control testing requirements including those required by OMB Circular A-123.

    3. Ensures that the IRS meets its reporting and certification obligations under the FMFIA, the FFMIA, OMB guidelines, Treasury directives, and the annual assurance review process.

    4. Serves as an alliance between business units and other steering committees to ensure proper engagement and to minimize duplicative efforts and reporting.

  6. The MC ESC has the authority to execute its responsibilities. The MC ESC may direct individuals and organizations to take appropriate actions to identify, analyze, and resolve internal control weaknesses; ensure effective internal controls are in place; exercise oversight and approval authority over corrective action plans linked to material weaknesses, significant deficiencies, and other internal control issues; and monitor and enforce adjudication of recommendations and findings stemming from internal assessments or external audits.

  7. The office of the Associate Chief Financial Officer for Internal Controls identifies MC ESC agenda topics for (1) issues, concerns, or recommendations related to the financial statement audit; (2) issues, concerns, or recommendations related to any reported material weaknesses and significant deficiencies; (3) matters driven by Internal Control Reviews (ICRs) or Quality Assurance Reviews (QARs); (4) the Annual Assurance Statement; (5) OMB Circular A-123 transactions testing and results; and (6) matters directed by senior IRS leadership.

  8. The office of the Chief Risk Officer identifies MC ESC agenda topics for (1) matters related to open or recently closed audits; (2) active/open planned corrective actions; (3) GAO priority recommendations; and (4) other audits, including high priority audits or areas of significant risk or concern unless there is a known or potential effect on the financial statement audit or a significant deficiency.

  9. The Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement are co-chairs of the MC ESC. The CFO is the vice-chair. The members are the TDCFO; Commissioner, Small Business/Self-Employed; Commissioner, Wage and Investment; Commissioner, Large Business and International; Commissioner, Tax Exempt and Government Entities; Chief Information Officer; Chief Risk Officer; Chief, Facilities Management and Security Services; Director, Privacy, Governmental Liaison and Disclosure; and the HCO.

  10. The deputy CFO chairs the MC ESC Subgroup. The other participants are the Associate Chief Financial Officer for Internal Controls and his/her support staff, decision-making executive representatives of the MC ESC voting members, and program managers responsible for the topics/issues being discussed by the MC ESC. IRM 1.4.2.2 (7) and (8) outlines the procedure for identifying subgroup agenda topics.

Steps to Downgrade a Material Weakness

  1. The IRS is responsible for correcting material weaknesses. The steps to downgrade a material weakness to a significant deficiency are:

    1. Identify/clarify issues that contribute to a material weakness through discussion with external auditors to identify and understand issues/weaknesses that should be resolved in order to downgrade and/or eliminate the material weakness.

    2. Verify that planned actions will reduce the level of materiality as expected.

    3. Informally meet with GAO on a plan of action, current matters, and controls being implemented to mitigate risk and results.

    4. Finalize the action plan based on internal review and GAO comments.

    5. Ensure that results have been achieved, verifying that the conditions that led to the issue being originally classified as a material weakness have been eliminated.

    6. Document the process for continuous monitoring to ensure controls are in place and continue to operate effectively to mitigate continued risk, identifying the level of risk (for example, control deficiency, internal control weaknesses, and others), and forward to IC for review.

    7. Meet with auditors (GAO for support in closure/downgrade).

    8. Obtain MC ESC approval of closure/downgrade.

    9. Prepare a memorandum (prepared by the business unit and reviewed by IC) from the Commissioner to the Treasury Assistant Secretary for Management and Chief Financial Officer requesting concurrence for the closure/downgrade, providing the background and summary of accomplishments and results.

    10. Report the material weakness closure/downgrade in the assurance statement.

Internal Control Process

  1. The internal control process is ongoing and encompasses all aspects of IRS operations. The internal control process steps are:

    1. Identify risk.

    2. Determine existing controls.

    3. Establish new controls or revise existing controls.

    4. Document results of reviews.

    5. Document, report, and correct significant deficiencies.

    6. Validate outcomes.

    7. Develop indicators and goals.

Identify Risk

  1. Risk is the probability of a negative, unanticipated occurrence. Risk is an event that may occur and could negatively affect the achievement of a business objective. Risk is inherent in every activity; therefore, it is essential that managers identify the probability of risk within their operations and activities. Unacceptable or highly undesirable risk becomes the basis for establishing and maintaining internal control.

  2. Some areas or occurrences with higher potential for risk include:

    1. Cash-handling activities.

    2. Procurement activities.

    3. Refunds and refundable credits.

    4. Security.

    5. Level of reliance on automated processes.

    6. Changes in organizational structure, processes, procedures, personnel, and systems.

    7. Level of reliance on contractors.

  3. The assessment of risk is based on the manager's organizational knowledge and communication with employees. To identify risk, the manager should:

    1. Review findings from previous reviews and reports, including management reviews and GAO and TIGTA audit reports.

    2. Ensure that organizational processes are performed in accordance with written policies and procedures, including legislation, OMB Circulars, Department of the Treasury directives, GAO’s Standards for Internal Control in the Federal Government, and IRMs.

    3. Involve employees in identifying risk.

  4. Examples of actions a manager might take to identify risks include:

    1. Verify Form 809, Receipt for Payment of Taxes.

    2. Post review of case files (for example, seizure and sale files) to ensure conformity with statutes, regulations, and the IRM.

    3. Consider disclosure/Privacy Act implications in all activities, including review of files and personnel folders.

    4. Perform risk assessments.

    5. Conduct quality assurance reviews.

    6. Initiate background and security investigations timely and take appropriate action based on the outcome of the investigations.

    7. Monitor telephone traffic volumes to ensure timely customer service.

    8. Review access to sensitive command codes for the Integrated Data Retrieval System (IDRS).

    9. Review assigned portable electronic devices that include, but are not limited to, laptop computers, cellular/personal communications system devices, audio/video/data recording or playback devices, scanning devices, and messaging devices, to ensure these devices and the data they contain are safeguarded.

    10. Conduct reviews to ensure laptops are locked.

    11. Periodically review use of sensitive information, including suspicious activity reports, in the online Currency and Banking Retrieval System (Web-CBRS).

Determine Existing Controls

  1. Once risk areas have been identified, determine what management controls exist for those areas. An internal control is the method by which an organization governs its activities. Controls provide unmodified assurance that programs and administrative activities are efficient, effective, and pose an acceptable level of potential risk.

  2. Internal controls are not separate systems or processes; they are tools routinely used by managers to manage their operations. The focus is not to have more controls but to have effective controls that mitigate risks. Some examples of internal controls are:

    1. Separation of duties (for example, managers authorized to approve funding must not be involved in the payment or procurement processes; contracting officers authorized to obligate the government must not be involved in the commitment, receipt/acceptance, or payment process).

    2. Adequate supervision (for example, purchase card approving officials monitor purchase cardholder activities to ensure purchases are appropriate and approved, funding is secured prior to the order being placed, and statements are processed timely).

    3. Reconciliation of records from two sources (for example, matching travel receipts against the travel vouchers).

    4. Reconciliation of records against physical inventories.

    5. Limited access (for example, passwords on data systems).

    6. Verification of data entry.

    7. Documentation of processes and procedures, such as the IRM.

    8. Written delegations of authority.

    9. Logs and checklists.

  3. To determine existing controls, begin by comparing current practices and processes against existing procedures, policies, and guidelines. Some "red flags" that may indicate a need for assessing existing controls are:

    1. Costs charged incorrectly.

    2. One or a small group of employees handling all steps of a process.

    3. Inadequate training.

    4. Infrequent reviews.

    5. New or old automated systems.

    6. Security incidents.

    7. Adverse publicity.

    8. Inadequate reports.

    9. Increase in errors.

    10. Customer dissatisfaction.

    11. Recent (or frequent) change in management or key functions (see the Internal Control Management and Evaluation Tool).

  4. Examples of control techniques and methods are listed below.

    Control Technique Control Method
    Separation of duties Duties are separated to avoid having one employee or a small group of employees handling all steps of a process.
    Appropriate documentation of transactions and internal control Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination.
    Supervision Adequate supervision to ensure organizational goals are achieved.
    Data security Sensitive information is protected from unauthorized access.
    Physical asset security Assets (such as laptops) are secured to protect against theft.
  5. If controls are needed and none currently exist, the manager may be responsible for establishing them (see IRM 1.4.2.4.3, Establish New Controls or Revise Existing Controls). In cases where the manager determines that the level of risk does not justify establishing a formal control mechanism, the manager should still document his/her findings and decisions for future reference and use in the annual assurance review process (see IRM 1.4.2.5, Annual Assurance Review Process).

Establish New Controls or Revise Existing Controls

  1. Once the manager has decided that a process needs a control, he/she should determine the process owner. If the manager does not own the process at risk but it impacts his/her operation, he/she should take proactive measures to coordinate with the process owner or other stakeholders to encourage them to improve management controls. It may be necessary to elevate the issue to higher levels. The control being used may be a standardized control for the organization. However, if it is not working properly, the manager should inform the next higher organizational level if the manager does not have the authority to change the control. A lack of controls in one process may be impacting other processes, and a change to procedures may benefit several parts of the organization. Once the manager has determined what controls exist or has established new controls, the next step is to assess their effectiveness (see IRM 1.4.2.4.4, Review/Assess Internal Control). The assessment and review of internal control is an ongoing process. If a manager does not own the process, he/she determines the appropriate method of control to mitigate the risk (see IRM 1.4.2.4.2, Determine Existing Controls). In selecting control methods, use the following criteria:

    1. The control must be consistent with operational or legislative requirements.

    2. The control must be cost effective.

Review/Assess Internal Control

  1. Organizational conditions are constantly changing; therefore, managers need to assess their internal controls continuously. Managers should be alert to the potential impact of changing organizational structure, objectives, processes and procedures, personnel, and systems on operations, and they should initiate required reviews as necessary. Circumstances that should cause managers to initiate a review are:

    1. External sources (for example, taxpayers, Congress, GAO, TIGTA) have identified concerns.

    2. Current controls do not appear to be effective or cost beneficial.

    3. Conditions indicate a reduced level of quality or customer satisfaction.

    4. Conditions have changed (for example, reorganization, phase-out of operations, personnel turnover).

    5. The office has a new responsibility or program.

  2. When conducting control reviews, managers should determine the dependencies or effects the controls have on other areas of the organization. Identifying dependencies often reflects a need for input from other organizations.

  3. To test the adequacy of internal control, managers should determine if the controls are:

    1. Implemented as designed and meet the control objectives of mitigating risk to an acceptable level.

    2. Performed by competent personnel.

    3. Consistent with operational objectives or legislative requirements.

    4. Efficient and cost effective.

  4. Techniques for testing the adequacy of internal control include:

    1. A walk-through of operations to observe how the control functions in actual practice. During the walk-through, managers should determine how the control is meeting the objective. Problems identified should be further analyzed to determine if internal control weaknesses exist.

    2. Interviews to facilitate an understanding of how controls are functioning. Often, the best sources of information are personnel performing the operation. Combining inquiry and observation can often provide valuable insights into problem areas, such as a lack of financial and personnel resources necessary to effectively meet control objectives.

    3. If there are a considerable number of documents generated or transactions performed, the manager may review a sample of them. If no discrepancies are noted, then a reasonable conclusion is that the control is adequate. If discrepancies are identified, the manager should examine additional documents/transactions to confirm whether the control is functioning as designed.

    4. The manager may select a sample of source documents and follow them through each step of the process. Source document analysis can often disclose improper procedures, failure to follow procedures, or breakdowns among processing steps.

    5. The manager may choose to combine several methods of review to ensure the adequacy of the controls.

  5. At the conclusion of the review, the manager will decide if the existing controls provide unmodified assurance that the objectives are being achieved in an efficient and effective manner or an internal control weakness exists and should be corrected. An internal control weakness is a problem in the design or operation of an internal control that should be reported to the next level of management. The manager should prepare a Report of Internal Control Weakness (IRM 1.4.2.4.6, Document, Report, and Correct Internal Control Weaknesses).

Document Results of Reviews

  1. If no internal control weaknesses were identified during the review, document the review results and retain them for use in preparing the annual assurance certification letter (IRM 1.4.2.5, Annual Assurance Review Process). The documentation can be as simple as a memorandum explaining the review methods and results. It normally does not require a separate formal report. The documentation may also be incorporated into other management reports as long as it is identified as the results of an internal control review.

  2. If deficiencies were identified and the manager has corrected them, the manager should retain the documentation for the annual assurance certification letter.

Document, Report and Correct Internal Control Weaknesses

  1. Each internal control weakness should be reported as soon as identified on a Report of Internal Control Weakness. An internal control weakness is a problem in the design or operation of an internal control that should be reported to the next level of management. The Report of Internal Control Weakness provides management with the information necessary to understand the problem clearly and assess the level of risk.

  2. In some instances, the manager may identify an internal control weakness but have no control over the actions necessary to correct it. In this case, the manager should elevate the issue to the next level of management for possible action and review. Managers should submit Part I of the Report of Internal Control Weakness to the next level of management with all available information.

  3. The manager may not have the expertise to provide all the information in detailed, technical terms. Once the issue is shared with the appropriate program area, they may request additional information. If the internal control weakness requires a corrective action plan, the process owner will be responsible for finalizing Part I and preparing Part II of the Report of Internal Control Weakness.

  4. If it is appropriate to develop a corrective action plan, the manager should include in the plan all the actions needed to correct the internal control weakness. When preparing the corrective action plan:

    1. Develop actions that are specific and describe the end result. For example, the action should be: "Revise and issue procedures to the field," not "Review current procedures."

    2. Ensure commitment of other stakeholders before establishing any action that requires activity outside the manager's control.

    3. Set realistic due dates. Successful plan completion may be dependent upon available resources, functional interdependencies, labor negotiations, legislation, or modernization issues. Therefore, consult with others as necessary in establishing realistic completion dates. Do not use “ongoing” as a completion date; always set a specific due date (MM/ DD/YYYY). If the completion date is long-term, it may be necessary to establish interim milestone dates.

  5. The manager should identify goals and establish performance measures that will serve as progress indicators for correcting the internal control weakness.

  6. The manager should describe the validation process (a description of how to collect data supporting the performance measure(s) that will determine if the internal control weakness has been corrected successfully). The manager should describe the type and quantity of data to be gathered, the method of collection, and the data source.

  7. Once the Report of Internal Control Weakness is completed, the manager should forward it to his/her manager and provide a copy to the internal control coordinator. The manager at the next level is responsible for reviewing the report and determining the validity of the issue. The next level manager will decide which one of the following actions is appropriate:

    1. Return the report to the preparer if the issue is not valid or if additional information/clarification is needed.

    2. Develop a corrective action plan, if appropriate, and obtain approval.

    3. Approve the corrective actions for implementation.

    4. Elevate the issue to the next higher level of management or to the process owner.

  8. Approved plans will be returned to the appropriate level manager for implementation. The manager must then monitor and regularly report progress to the approving official. Periodically, the manager must:

    1. Assess whether the corrective action plan is achieving the desired goal(s) and continues to be relevant under current operational conditions.

    2. Document and obtain the appropriate level of approval to complete or revise an action or reschedule a target date.

    3. Provide a copy of all approved documentation to the internal control coordinator for tracking purposes.

  9. The MC ESC identifies new material weaknesses. The fields in a material weakness plan are the same as the internal control weakness plan.


    REPORT OF INTERNAL CONTROL WEAKNESS (Part 1)
    Material Weakness Field Field Description
    Title Enter a short but descriptive title.
    Responsible Official This would typically be the head of a business unit.
    Description Describe the internal control weakness in terms of its effect on mission accomplishment, lost revenue, error rates, impact on compliance, taxpayer burden, or operating efficiency. Be quantitative, if possible. Be specific about what undesirable consequences could occur if the internal control weaknesses is not corrected.
    Source of Discovery How was the internal control weakness identified? Sources usually include, but are not limited to, the annual assurance review, a control review, an operational review, an event that occurred during the year, or audit reports.
    Correction Strategy Summarize the proposed approach or course of action to correct the internal control weakness. Include interim milestones describing planned actions, due dates, and responsible parties.
    Results Indicator/Effectiveness Measures Briefly describe what indicators will be used to evaluate whether the actions taken have corrected the underlying cause of the internal control weakness. Indicators should be specifically related to the internal control weakness and be based on performance measures, either qualitative or quantitative.
    Validation Process Describe how data will be collected to support the results indicator. Some possible methods include using existing management information or performance statistics, special surveys, sampling and analyzing data, and management control reviews.
    Target Correction Date Enter the date (i.e., MM/DD/YYYY) by which all corrective actions are expected to be completed and validated.
    Other Issues Use this space to briefly explain anything else that requires management's assistance or attention, including any related concerns such as resource needs, dependencies with other organizations, or cross-functional ownership.
    Include the name, organizational code and phone number of the manager who has identified the internal control weakness. (The submitting official is not necessarily the responsible official for correcting the internal control weakness)

    REPORT OF INTERNAL CONTROL WEAKNESS (Part 2)
    Internal Control Weakness Title – Enter the title on each page of the Corrective Action Plan.
    Major Milestones Completion Dates
      Original Plan Revised Plan Actual Date
    Completed Actions - List actions that have already been completed and show the completion date in the Actual column.      
    Short-Term Actions - List each action that will take place within the next twelve months and give the target completion date in the Original column.      
    Longer-Term Actions - List each action that will be completed more than twelve months from now and show the target completion date in the Original column.      
    Prepared by: Name, Organizational Code
    Phone Number
    Date of Preparation

Indicators and Goals

  1. Results indicators (or performance measures) assist in determining how well the process is working compared to past performance. They can also identify positive/negative factors affecting program and administrative performance/ effectiveness. In developing an appropriate results indicator, first consider the problem you are trying to correct or improve, such as timeliness of certain actions or reduction in the error rate of a process. If the results indicator selected does not directly tie to the specific deficiency, the corrective actions may fix the problem but may not be reflected in the performance results. Therefore, ensure that the results indicator is relevant to the problem being fixed and is based on observable performance measures, either quantitative or qualitative.

  2. Goals are used to tie the results indicator to the improvement of a product or process. Goals can be qualitative or quantitative.

    1. Qualitative goals are general in nature and suggest a desired direction but do not establish a specific numeric target. Qualitative goals may be appropriate for new processes or processes for which no baseline data exists. However, without baseline data and quantitative measures, it will be difficult to assess whether goals have been met.

    2. Quantitative goals are more focused and establish a specific numeric target (for example, “Travel vouchers will be filed within five business days after the end of the month”). Quantitative goals should be based on statistically valid results of previous reviews or a compilation of information or numerical/quantitative recordation. In establishing quantitative goals, consider the anticipated level of available resources to implement the corrective action plan, organizational priorities, and the interaction between multiple organizational goals.

    See IRM 1.5.1, The IRS Balanced Performance Measurement System.

Validate Outcomes

  1. When all corrective actions are completed, apply the plan’s validation process to evaluate whether the actions taken achieved the desired outcome as indicated by the results indicator. If the measure or the results indicator implies that the problem has not been corrected, examine whether the corrective actions were effective and/or the validation process was appropriate. If the corrective action plan was not effective, review, revise, and implement a new plan.

  2. Once a results indicator validates that corrective actions have mitigated the internal control weakness effectively, forward the Report of Internal Control Weakness to the approving official for concurrence. This concurrence represents management’s assurance that the problem/deficiency has been corrected. A copy should be submitted to the internal control coordinator and retained for use in preparing the annual assurance certification memorandum (IRM 1.4.2.5, Annual Assurance Review Process).

  3. Under no circumstances should management concur that a problem has been corrected until it is certain the risk has been mitigated to an acceptable level. This process is continuous; management must periodically reassess risks against current conditions to ensure that controls are effective.

Annual Assurance Review Process

  1. The annual assurance review process focuses on the adequacy of internal controls within an organization. Internal controls are processes, both administrative and program specific, that ensure programs achieve their intended results and organizations realize their goals. Internal controls ensure that financial and management reports are accurate, complete, and timely. Managers assess risks (for example, the probability of a negative, unanticipated occurrence) of operations, determine if controls do not mitigate those risks and certify that those controls are effective. If managers identify weaknesses in their internal control procedures, they are required to report them to the responsible officials and business unit leadership so that a corrective action plan can be developed and implemented.

  2. Each spring, the CFO issues guidance to the Deputy Commissioners, Division Commissioners, Chiefs, Directors, National Taxpayer Advocate, and Chief Counsel on the annual self-assessment of internal controls, known as the Internal Controls Managerial Assessment (ICMA) and on preparing the annual assurance memorandum for their organizations.

  3. All managers use the ICMA to conduct an annual self-assessment of their internal controls. Managers review the effectiveness of controls within their own area of responsibility and verify that adequate management controls are in place and functioning effectively to accomplish organizational goals and protect IRS resources. The involvement of each level of management in certifying the control environment within their areas is necessary in identifying risks at all levels.

  4. A problem in the design or operation of an internal control should be reported to the next level of management as an internal control weakness. The MC ESC will determine if the internal control weakness rises to the level of a significant deficiency or a material weakness (for example, an internal control weakness reported to Treasury and, potentially, through Treasury to the President).

  5. Material internal control weaknesses are systemic deficiencies in the design or operation of programs or systems, or a lack of controls that pose a significant risk of one or more of the following:

    1. The inability to deliver/execute program/operational services in accordance with the agency’s mission and/or legislation.

    2. Errors, omissions, and/or fraud in performance and other financial information or financial statements that would mislead users and/or management in decision-making processes.

    3. Financial commitments for programs and/or operations that are inconsistent with applicable provisions of law.

    4. The inability to properly safeguard assets.

  6. Heads of business units review the ICMA results of their subordinate managers and prepare a statement of assurance memorandum indicating the status of their business unit’s internal controls.

  7. The assurance memorandum is a one or two-page certification containing a specific statement regarding the level of assurance of the business unit’s internal controls. There are three types of assurance:

    1. Unmodified assurance is an informed judgment by the head of an organization, based upon all available information, that the internal controls in place adequately protect resources and enable mission completion. Unmodified assurance recognizes that the cost of controls should not exceed the benefits derived from them.

    2. Modified assurance is an informed judgment by the head of an organization, based upon all available information, that the internal controls in place may not be adequate to address the problems identified in the assurance memorandum. Material weaknesses are noted, but not pervasive. This opinion is based on the number of identified problems or the seriousness of the problems.

    3. Statement of no assurance means there is no internal control process in place or pervasive material weaknesses exist.

  8. The assurance memorandum briefly describes the process used to verify that adequate management controls are in place and functioning effectively to accomplish organizational goals and protect IRS resources. Preparers consider the information systems environment operated or used by their organizations and issues identified by GAO, TIGTA, and IRS management reviews (if applicable) in preparing the memorandum.

  9. Corrective action plans for newly identified internal control weaknesses are included with the assurance memorandum. Managers execute actions necessary to resolve internal control weaknesses, regardless of whether the MC ESC deems them significant deficiencies or material weaknesses. Corrective action plans for internal control weaknesses identified in the previous fiscal year will be updated. Internal control weaknesses that have been corrected will be submitted with a certificate of completion describing the validation process and the results indicator data that verifies that the internal control weakness has been corrected.

  10. The MC ESC will review and evaluate these documents and other relevant information to recommend to the Commissioner the level of assurance to submit in the IRS’s Annual Assurance Statement and any newly identified material weaknesses.

  11. As required by FMFIA, the Commissioner signs and submits an Annual Assurance Statement to Treasury in early November each year.

Servicewide Tracking of Material Weaknesses and Significant Deficiencies

  1. The JAMES system tracks issues, findings, recommendations, and the current status of corrective action plans for all material weaknesses, significant deficiencies, remediation plans and audit reports from the Office of the Inspector General, GAO, and TIGTA for all Treasury bureaus. Tracking these plans is mandatory to comply with the intent of FMFIA and with OMB and Treasury circulars and directives. The information contained in JAMES is used by Treasury to assess the effectiveness and progress that bureaus are making in implementing audit recommendations and correcting their internal control material weaknesses and significant deficiencies.

  2. Internal control weaknesses reported during the annual assurance process are reviewed by the MC ESC. If the MC ESC determines that an internal control weakness rises to the level of a significant deficiency or material weakness, the IRS reports such conditions to Treasury and, potentially, through Treasury to the President. The IRS entity responsible for corrective action enters the significant deficiency or material weakness in JAMES.

Remediation Plan

  1. The FFMIA requires agency heads to assess annually whether their financial management systems can prepare required financial statements and reports, can provide reliable and timely financial information for managing operations, and can account for assets, all in accordance with federal accounting standards and the USSGL.

  2. Agencies that are not in compliance with FFMIA must develop a remediation plan to achieve compliance.

  3. Agencies that are not in substantial compliance with FFMIA must bring their financial management systems into substantial compliance within three years; if this cannot be achieved, Treasury must request a waiver for a longer period from OMB.

  4. As a condition of OMB’s waiver to the three-year requirement for completing FFMIA remediations, the IRS is required to provide a remediation plan and a status review of performance for all remedies that were open during the quarter. The CFO has overall responsibility for the IRS remediation plan. The MC ESC monitors the plan and it is tracked in JAMES.

  5. The responsible organization updates the executive summary of the remediation plan with significant accomplishments achieved during the quarter and significant obstacles identified.

  6. The FFMIA requires that estimated and actual resources to implement action plans be identified by fiscal year. The responsible organization provides all costs to implement the recommendations and indicates the dollar amount approved by project. The responsible organization is also required to:

    1. Describe the methodology to calculate costs.

    2. Identify the phase if the estimated resources apply to a particular phase of implementation.

    3. Identify the resources associated with the primary and any subsequent recommendations if the resources apply to multiple recommendations.

    4. Identify the cost in dollars for full-time equivalents (FTEs).

    5. State any costs that will be absorbed by normal business practices.

    6. Report costs associated with contractor support, technical requirements (include hardware, software, infrastructure build-out and data storage), and any other cost category associated with implementation of the remedial action.

  7. The responsible organization identifies the source used to document estimated and approved resources.

    1. Owners of all remediation actions identify resources for all years covered by the actions, and the owners maintain work paper documentation to support the identified resources. The documentation includes a breakdown and explanation of estimated costs for FTEs, hardware, software, and contractor support costs, as well as dates indicating when the last estimates were calculated. The TIGTA audit team will validate that the current and out-years resource estimates reflect the date of reassessment. The IC will determine if the documentation should be submitted.

    2. Supporting documentation identifies the material weakness area and associated project/component area (corrective action) covered in the analysis. In addition, the preparer’s name and date of preparation must be clearly shown on the documentation.

    3. Supporting documentation identifies the same category breakouts (for instance, FTE, contractors, hardware) as those reported in the actual remediation plan in order to map/trace reported dollar figures with corresponding supporting documentation.

    4. Non-FTE incurred costs such as those for contractors, hardware and software are supported by billing statements or requisitions.

    5. Non-FTE estimates comprised of multi-organizational requirements and pooled funding should reflect spending priorities. Provide time deadlines for the various phases/equipment purchases and identify those that need approved funding in order for the remedial action to meet their target due dates.

  8. The responsible organization updates the status when appropriate. This includes any change in the current status, issues, completed actions, rescheduled interim due dates or revised actions. If the action is not due yet and does not need to be rescheduled, the responsible organization indicates “On schedule.”

    Action Information Provided
    Completed Remedies Brief description of the action taken and the date completed.
    Rescheduled Remedies Provide the new date and the justification for the delay.
    Revised Remedies Concise but brief description of the revised action, anticipated completion date or date completed and the justification for the revision. The IC will coordinate the approval process.
    New Remedies Identify the related GAO finding and recommendation for the new remedy. Give a concise but complete description of the action to be taken and the anticipated completion date or date completed, and the resources required for implementation of any open remedy. Identify duplicate actions contained in a material weakness or audit report. This crosswalk will allow you to report any update to the status simultaneously for all reports and eliminate the need for duplicate reporting.
  9. The MC ESC approves all extensions to the final due date for any recommendation or major project. Organizations must submit changes upon identification of a risk to completing a recommendation or major project by the due date.

  10. Annually, TIGTA reviews the IRS FFMIA remediation plan. TIGTA performs the review to meet its requirement under the FFMIA that states, in general, that each Inspector General shall report to the Congress instances and reasons when an agency has not met the intermediate target dates established within its FFMIA remediation plans.

  11. TIGTA’s overall objective is to determine any instances of and reasons for missed intermediate target dates established in the current fiscal year’s FFMIA remediation plan and to determine whether the IRS has taken adequate corrective actions on its prior year’s audit findings related to the FFMIA remediation plan. To achieve its overall objective, TIGTA will determine whether:

    1. The IRS FFMIA remediation plan was consistent with GAO recommendations from prior IRS financial statement audits and related financial management reports.

    2. The IRS missed any intermediate target dates established in its FFMIA remediation plan, any intermediate target dates were extended without sufficient documentation to support the revised dates, and proper approval was obtained for remedial actions extending more than three years.

    3. The IRS FFMIA remediation plan had established resource needs for remedial actions and the resources presented were consistent with supporting documentation.

    4. The IRS took adequate corrective actions on its prior year’s audit findings related to the FFMIA remediation plan.

Identification of Quality Assurance Reviews and Initiatives

  1. In fiscal year 2012, the IRS expanded its annual assurance process to identify key management reviews, program evaluations, and quality assurance reviews (“reviews”) conducted by the business units to assess the effectiveness of IRS operational controls. These organizational reviews are extremely important to the IRS and can result in saved resources, enhanced mission accomplishments, and more effective responses to issues identified by GAO and TIGTA.

  2. Each spring, the CFO issues guidance to the Deputy Commissioners, Division Commissioners, Chiefs, Directors, National Taxpayer Advocate, and Chief Counsel on:

    1. Completing the annual self-assessment of internal controls.

    2. Preparing the annual assurance memorandum for their organization.

    3. Identifying quality assurance reviews for their organizations.

  3. The CFO issues a questionnaire to the business units and the results are used to determine an inventory of IRS internal control activities.

  4. The inventory of the internal control activities is available on the IC website as the Quality Assurance Review Listing. Business units should examine the Quality Assurance Review Listing on the IC website to validate existing reviews, and to identify and submit new reviews. This includes identifying all quality assurance reviews that test or review work quality; measure data quality; and identify trends, problem areas, and improvements to program effectiveness considering applicable directives, standards and procedures. These reviews include work process, program, or operation management reviews, and operational reviews and site visits.

  5. When identifying management, program, and quality assurance reviews, the following examples should be considered:

    1. Business unit quality assurance reviews that objectively and independently evaluate adherence to processes and work products in applicable directives, processes, standards, procedures, and guidelines, such as the Trust Fund Recovery Program (TFRP), Quality and Assessment Reviews, and Reviews to Determine Lien Release Timeliness in Scope.

    2. Compliance IDRS Adjustment Reviews to help prevent unpostables and ensure correction of errors.

    3. Quality review of data to provide a basis for measuring and improving program effectiveness that generate corrective actions (for example, quarterly announced and unannounced reviews of couriers; receipt and control at lockbox banks, campuses, and Taxpayer Assistance Centers).

    4. Quality review process that provides a method to monitor, measure and improve the quality of work; identify trends, problem areas, training needs and opportunities for process improvement (for example, random testing of guard response to alarms at all campuses and computing centers).

  6. To aid in planning for future quality assurance program reviews, business units are encouraged to provide senior leadership with suggestions on quality assurance reviews that merit consideration for additional review. Business unit input is important and will help in designing a quality assurance review plan to best address issues that are important to the IRS.

  7. Every manager, at every organizational level, must complete an Internal Control Managerial Assessment. Included in the assessment are questions related to management reviews, program evaluations, or quality assurance reviews, and may be required to submit quality assurance review questionnaires.

  8. The CFO uses selected quality assurance review results to support the Annual Assurance Statement signed by the Commissioner and submitted to the Department of the Treasury as required by the FMFIA. (See IRM 1.4.2.1.2, Authorities)

Internal Control Reviews

  1. IC provides business units with insight into the effectiveness of their implemented corrective actions for audit recommendations issued by GAO and TIGTA, and evaluates critical controls over IRS programs identified as high risk, high priority, or high visibility. This independent examination is known as an Internal Control Review (ICR) and assists IRS business units when they review and evaluate their internal control processes.

  2. The ICR teams perform reviews to determine if any internal control deficiencies exist in the business process and to provide recommendations to improve or strengthen internal controls. ICRs include activities used to monitor processes, procedures, and programs to ensure business units programs and activities are operating as intended. Effective ICRs are also key to safeguarding assets, preventing and detecting errors, and mitigating risk. ICRs are a vital tool to evaluate and monitor programs proactively and eliminate deficiencies timely. The ICR program assists IRS senior leadership with oversight by providing, from outside of the program management, independent insight into the status of program controls. For a comprehensive review of the ICR program, refer to IRM 1.4.32.1

Management Discussion and Analysis (MD&A)

  1. The Management Discussion and Analysis (MD&A) is prepared each fiscal year as Required Supplemental Information to the IRS Financial Statements and is published annually by GAO in its Financial Audit of the IRS’s Statements report. It contains the IRS high-level fiscal year accomplishments, performance measures, issues, and other information required by the Federal Accounting Standards Advisory Board (FASAB) Statement of Federal Financial Accounting Standards (SFFAS) 15, and OMB Circular A-136. Information reported in the MD&A is provided by IRS offices and business units in accordance with the current fiscal year’s deliverable timeline. The CFO’s Internal Controls Office of Outreach and Reporting is responsible for developing and coordinating the MD&A.