1.4.2 Monitoring and Improving Internal Control

Manual Transmittal

June 28, 2018

Purpose

(1) This transmits revised IRM 1.4.2, Resource Guide for Managers, Monitoring and Improving Internal Control.

Material Changes

(1) Changed “significant control deficiency” to “internal control weakness” during management reviews and the annual assurance process.

(2) IRM 1.4.2.1, Program Scope and Objectives, added to conform to the new internal control requirements described in IRM 1.11.2, Internal Revenue Manual (IRM) Process. This IRM was revised to reflect the following:

  1. IRM 1.4.2.1.1, Background, updated to reflect a change in terminology from reasonable assurance to unmodified assurance.

  2. IRM 1.4.2.1.2, Authorities, updated to reflect a change in terminology from reasonable assurance to unmodified assurance.

  3. IRM 1.4.2.1.3(1)(d), Responsibilities, updated to reflect a change in terminology from reasonable assurance to unmodified assurance.

  4. IRM 1.4.2.1.3(2)(g), Responsibilities, updated to reflect changes in responsibilities.

  5. IRM 1.4.2.1.3(4), Responsibilities, updated to reflect the change of a responsible office from Director, Office of Legislative Affairs, to Audit Coordination.

  6. IRM 1.4.2.1.3(5), Responsibilities, updated to reflect a name change in a responsible office from Office of Research, Analysis and Statistics, to Office of Research, Applied Analytics and Statistics.

  7. IRM 1.4.2.1.6, Terms/Definitions, updated to reflect change in definitions for qualified and reasonable assurance.

  8. IRM 1.4.2.1.7, Acronyms, added and updated acronyms.

  9. IRM 1.4.2.1.8(l)(m), Related Resources, added IRM 1.4.31, IRS Quality Assurance Program and Office of Management and Budget (OMB) Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, M-16-17, July 15, 2016.

  10. IRM 1.4.2.5.2(1), Determine Existing Controls, updated to reflect a change in terminology from reasonable assurance to unmodified assurance.

  11. IRM 1.4.2.5.4(4), Review/Assess Internal Control, updated to reflect a change in terminology from reasonable assurance to unmodified assurance.

  12. IRM 1.4.2.6(3)(4), Annual Assurance Review Process, updated to reflect the current process.

  13. IRM 1.4.2.6(7)(a)(b), Annual Assurance Review Process, updated to reflect a change in terminology from reasonable assurance to unmodified assurance.

  14. IRM 1.4.2.6(7)(c), Annual Assurance Review Process, updated to add an additional type of assurance.

  15. IRM 1.4.2.9, Identification of Quality Assurance Reviews and Initiatives, updated to reflect the current process.

Effect on Other Documents

IRM 1.4.2, dated February 4, 2015, is superseded.

Audience

All IRS Managers

Effective Date

(06-28-2018)

Ursula S. Gillis
Chief Financial Officer

Program Scope and Objectives

  1. The IRS maintains an effective internal control program that complies with legislative requirements and related regulations and directives, such as the Standards for Internal Control in the Federal Government, commonly known as the "Green Book."

  2. Purpose: Internal controls are the programs, policies and procedures established to ensure that:

    1. Mission and program objectives are accomplished efficiently and effectively.

    2. Programs and resources are protected from waste, fraud, abuse, mismanagement and misappropriation of funds.

    3. Laws and regulations are followed.

    4. Financial reporting is reliable.

    5. Reliable information is obtained and used for decision making.

  3. Audience: This guidance applies to managers at all levels, who are expected to understand the risks associated with their operations, to ensure that controls are in place and operating effectively to mitigate known risks, and to provide candid, reliable, and supportable annual reports on the status of those controls.

  4. Policy Owner: Chief Financial Officer (CFO)

  5. Program Owner: CFO, Internal Controls

  6. Primary Stakeholders: IRS managers

  7. Program Goals: To accomplish the objectives identified in the Purpose section above.

Background

  1. Internal control, which is synonymous with management control, is a major part of managing an organization. It comprises the plans, methods and procedures used to meet missions, goals and objectives; and in doing so, supports performance-based management. It also serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. It helps government program managers achieve desired results through effective stewardship of public resources. Systems of internal control provide unmodified assurance that the following objectives are being achieved:

    1. Effectiveness and efficiency of operations

    2. Reliability of financial reporting

    3. Compliance with applicable laws and regulations

  2. All employees must be committed to implementing effective and efficient internal controls. Internal controls are administrative and program-specific processes that ensure programs achieve their intended results, organizations realize their goals, laws and regulations are followed, assets are safeguarded, and financial and management reports are accurate, complete and timely. The Department of the Treasury and the Treasury Inspector General for Tax Administration (TIGTA) provide oversight to ensure control strategies are implemented that mitigate program and administrative operational risk.

  3. Internal controls are the responsibility of every manager. Managers are accountable for and have stewardship of all assigned operations within their organization, including program, administrative and financial, such as:

    1. Designing and using controls that provide unmodified assurance that programs are being accomplished as intended.

    2. Continuing assessments to ensure controls are in place and operating as intended.

    3. Identifying risks to program accomplishments, compliance with laws and regulations, and reporting accuracy.

    4. Implementing remedies to mitigate risk and measuring the results.

  4. It is important to identify problem areas and take appropriate corrective actions before external auditors, such as the Government Accountability Office (GAO) and TIGTA, issue findings or before problems escalate into serious control weaknesses. However, there must be an appropriate balance of control in programs and operations. For example, an over-controlled process or program may be costly to implement and interfere with program accomplishment. Similarly, an uncontrolled or under-controlled process or program may allow problems to go unnoticed and assets to be wasted.

  5. Being focused on and aware of internal controls should be an integral part of all managers’ and employees’ daily activities. By fostering open, honest communications, and promoting problem-solving within an organization, managers create an environment where internal controls are acknowledged as tools to achieve goals.

Authorities

  1. The Budget and Accounting Procedures Act of 1950 requires the head of each federal department and agency to establish and maintain adequate systems of management controls. Further, the Federal Managers' Financial Integrity Act (FMFIA) of 1982, Public Law 97-255, Title VIII (31 U.S.C. 3512 note) (hereinafter FMFIA), requires each executive agency to establish internal accounting and administrative controls in accordance with standards prescribed by the Comptroller General. These controls will provide unmodified assurance that:

    1. Obligations and costs comply with applicable law.

    2. Funds, property, and other assets are safeguarded against fraud, waste, loss, unauthorized use, or misappropriation.

    3. Revenues and expenditures are properly recorded to permit the preparation of accounts and reliable financial and statistical reports, and to maintain accountability over assets.

  2. The FMFIA also requires that each executive agency:

    1. Resolve audit findings promptly.

    2. Conduct annual evaluations of its systems of internal accounting and administrative control using guidelines established by the Director of the Office of Management and Budget (OMB).

    3. Submit an annual statement to the President and Congress on the status of the agency's system of internal control.

  3. OMB Circular A-123 (revised) dated July 15, 2016, Management's Responsibility for Enterprise Risk Management and Internal Control, requires agencies and individual federal managers to:

    1. Integrate risk management and internal control functions.

    2. Implement management practices that identify, assess, respond and report on risks.

    3. Establish and maintain internal controls to achieve specific internal control objectives related to operations, reporting and compliance.

    4. Provide assurance on internal control effectiveness through their Annual Assurance Statement, Agency Financial Report or the Performance and Accountability Report.

  4. Internal control assessment can be performed using a variety of information sources. Management has primary responsibility for assessing and monitoring controls, and should use other sources as a supplement to, not a replacement for, its own judgment. Sources of information include:

    1. Management knowledge gained from the daily operation of agency programs and systems.

    2. Management reviews conducted (i) expressly for the purpose of assessing internal control, or (ii) for other purposes with an assessment of internal control as a by-product of the review.

    3. Inspector General (IG) and GAO reports, including audits, inspections, reviews, investigations, outcome of hotline complaints, or other products.

    4. Program evaluations.

    5. Audits of financial statements conducted pursuant to the Chief Financial Officers (CFO) Act of 1990, as amended, including: information revealed in preparing the financial statements; the auditor's reports on the financial statements, internal control, and compliance with laws and regulations; and any other materials prepared relating to the statements.

    6. Financial system reviews that consider whether the requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA) and OMB Circular No. A-127, Financial Management Systems revised, are being met.

    7. Annual evaluations and reports pursuant to the Federal Information Security Modernization Act of 2014 and OMB Circular A-130, Responsibilities for Protecting Federal Information Resources.

    8. Annual performance plans and reports pursuant to Pub. Law 111-352, Government Performance and Results Act Modernization Act of 2010 (GPRAMA).

    9. Annual reviews and reports pursuant to Pub. Law 111-204, Improper Payments Elimination and Recovery Act of 2010 (IPERA), and Pub. Law 112-248, Improper Payments Elimination and Recovery Improvement Act of 2012 (IPERIA), that amended the 2010 Act.

    10. Single audit reports for grant-making agencies.

    11. Reports and other information provided by the congressional committees of jurisdiction.

    12. Other reviews or reports relating to agency operations.

    13. Results from tests of key controls performed as part of the assessment of internal control over financial reporting conducted in accordance with OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, M-16-17, July 15, 2016.

  5. The FFMIA, as codified at 31 U.S.C. 3512 note, established the statutory requirement for certain financial management systems. The FFMIA was intended to advance federal government financial management by ensuring federal management systems can and do provide reliable, consistent disclosure of financial data. Further, this disclosure should be done on a uniform basis across the federal government from year to year by consistently using professionally accepted accounting standards. Specifically, FFMIA Section 803 (a) requires each agency to implement and maintain systems that comply substantially with:

    1. Federal financial management systems requirements

    2. Applicable federal government accounting standards

    3. The United States Standard General Ledger (USSGL) at the transaction level

  6. Under the GPRA and Pub. Law 106-531, the Reports Consolidation Act of 2000, the IRS commissioner is required to provide assurance in the Annual Assurance Statement that the IRS Critical Performance Measures are reliable.

Responsibilities

  1. The Commissioner and Deputy Commissioners have overall responsibility for the IRS system of internal control consisting of:

    1. Creating a positive control environment within the IRS to ensure operational efficiency and adherence to all applicable statutory and regulatory standards related to internal controls, including those standards found in the FMFIA and the GAO Standards for Internal Control.

    2. Establishing priorities in identifying, correcting, and reporting management control material weaknesses and accounting noncompliance.

    3. Ensuring that adequate funding is requested in the budget process to correct identified deficiencies.

    4. Establishing a quality assurance process that allows the commissioner to provide unmodified assurance, through the annual assurance statement to the Secretary of the Treasury, that the objectives of the FMFIA are being achieved.

    5. Providing information, data, reports, and assurances, as necessary, to the Department of the Treasury Deputy Chief Financial Officer (TDCFO) that all IRS internal controls and financial management systems adhere to applicable statutory and regulatory standards.

    6. Ensuring that the performance plans for each Senior Executive Service (SES) member or equivalent employee having significant responsibilities for internal control contain appropriate performance requirements and expectations.

    7. Ensuring that all other employees are aware of expectations and are subject to appropriate internal controls performance standards.

    8. Providing staff with necessary guidance, training, and incentives.

    9. Designating an Internal Control Officer to administer the IRS’s internal control processes.

  2. The Chief Financial Officer (CFO) is the IRS Internal Control Officer and with the Deputy CFO has operational responsibility for the IRS internal control program by:

    1. Evaluating all internal control systems continually and ensuring that audits, internal control reviews, risk assessments, and other evaluations are coordinated to complement one another with minimal duplication of effort.

    2. Determining annually which programs or administrative functions should be subject to a formal review to supplement management judgment as to the adequacy of management controls, and allocating adequate resources to evaluate their systems of control.

    3. Ensuring that detailed procedures, documentation, training for managers and employees, and reporting requirements necessary to review, establish, maintain, test, improve, and report on IRS’s control systems exist.

    4. Reporting to the TDCFO the management control deficiencies identified in audit reports, internal reviews, and from other sources that have the potential of meeting material weakness or significant deficiency criteria for the Department of the Treasury financial statement purposes.

    5. Ensuring timely correction and validation of all identified program and operations deficiencies whether material or nonmaterial.

    6. Ensuring management control guidelines issued are implemented and include employee accountability.

    7. Maintaining, correcting, and/or updating the Joint Audit Management Enterprise System (JAMES) with specific data on IRS FMFIA deficiencies and Remediation Plan (see IRM 1.4.30, Monitoring Internal Control Planned Corrective Actions, for information on JAMES).

  3. The Associate CFO for Internal Controls (IC), on behalf of the CFO, administers the IRS internal control program and is responsible for carrying out the day-to-day internal control program by:

    1. Preparing internal control policies and procedures.

    2. Implementing OMB's Circular A-123 requirements.

    3. Providing administrative support to the Management Controls Executive Steering Committee (MC ESC).

    4. Developing detailed procedures, documentation, training for managers and employees, and reporting requirements necessary to review, establish, maintain, test, improve, and report on IRS’s control systems.

    5. Managing the annual assurance process and preparing the commissioner's annual assurance letter to the Secretary of the Treasury.

    6. Monitoring the completion of corrective actions for material weaknesses, significant deficiencies, and for auditing corrective actions and providing periodic reports to Treasury.

    7. Providing advice and assistance to managers and their internal control coordinators, as needed.

    8. Maintaining JAMES, Treasury’s web-based internal control tracking system, with specific data on IRS’s FMFIA deficiencies and remediation plans.

  4. Audit Coordination is responsible for maintaining information on GAO and TIGTA audits.

  5. The Division Commissioners; Chiefs; National Taxpayer Advocate; Chief Counsel; and Director, Office of Research, Applied Analytics and Statistics are responsible for:

    1. Establishing adequate and effective controls for all operations and activities in their responsible areas.

    2. Ensuring that established controls are followed throughout their organizations.

    3. Conducting a self-assessment and reporting on the status of internal control in their organizations to the MC ESC annually (managers throughout the IRS are responsible for participating in this annual assessment in accordance with the annual guidance issued).

    4. Assessing the effect of known deficiencies and providing comments to the MC ESC.

    5. Providing adequate resources to correct identified material weaknesses and significant deficiencies.

    6. Designating an internal control coordinator to serve as a single point of contact for the assurance process and for FMFIA corrective actions and audit follow-up for their organizations.

    7. Preparing briefing documents for agenda topics at MC ESC and subgroup meetings.

  6. Managers at all levels are responsible for:

    1. Providing a positive control environment.

    2. Identifying potential risk areas.

    3. Ensuring that adequate and effective controls are in place.

    4. Reporting results of reviews to the next level of management.

    5. Ensuring reports are supportable, accurate and complete.

    6. Providing adequate resources to correct identified problems.

    7. Implementing corrective actions timely.

    8. Validating outcomes.

  7. Internal Control Coordinators are responsible for assisting management in developing and maintaining its management control program and serving as the primary liaison with IC. Their responsibilities include:

    1. Managing their organization's annual assurance review process and preparing its assurance certification memorandum.

    2. Providing technical assistance to management and review teams in the evaluation of controls.

    3. Reviewing documentation for completed corrective actions for significant deficiencies, material weaknesses, and Remediation Plan actions to IC.

    4. Monitoring the status of corrective actions for material weaknesses, significant deficiencies, and Remediation Plan actions, as well as reporting the status to IC.

    5. Ensuring that data contained within JAMES is current and accurate for material weakness, significant deficiency and remediation plan actions.

Program Management and Review

  1. Program reports include:

    1. Management Controls Executive Steering Committee briefings

    2. Annual Assurance Statement

    3. Remediation plans

  2. Program effectiveness is determined by whether:

    1. Mission and program objectives are accomplished efficiently and effectively.

    2. Reliable information is obtained and used for decision making.

    3. Laws and regulations are followed.

    4. Financial reporting is reliable.

    5. Program and resources are protected from fraud, waste, abuse, mismanagement and misappropriation of funds.

Program Controls

  1. Program controls are detailed throughout IRM 1.4.2, Monitoring and Improving Internal Control.

Terms/Definitions

  1. In this IRM, the terms below have the following meanings:

    1. Annual self-assessment - A manager’s review of the effectiveness of controls within their own area of responsibility and the preparation of an individual written statement of assurance to support certification. The involvement of each level of management in certifying the control environment within their own area is necessary in identifying risks at all levels.

    2. Control deficiency - A situation caused by the design or operation of a control not allowing management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

    3. Corrective action - An action taken by the audited entity that corrects identified deficiencies, produces recommended improvements, and demonstrates that audit findings are either invalid or do not warrant audited action.

    4. Internal controls - Internal (management) control is an integral component of an organization’s management that provides unmodified assurance that the following objectives are being achieved:
      a) Effectiveness and efficiency of operations
      b) Reliability of financial reporting
      c) Compliance with applicable laws and regulations

    5. Material weakness - A deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.

    6. Modified assurance - Informed judgment by the head of an organization, based upon all available information, that the internal controls in place may not be adequate to address the problems identified in the assurance memorandum. This opinion is based on the number of identified problems or the seriousness of the problems.

    7. Unmodified assurance - Informed judgment by the head of an organization, based upon all available information, that the internal controls in place adequately protect the resources and ensure mission completion. Unmodified assurance recognizes that the cost of controls should not exceed the benefits derived from them.

    8. Remediation plan - A plan to achieve FFMIA compliance when an agency's annual review determines their financial management systems cannot prepare required financial statements and reports, cannot provide reliable and timely financial information for managing operations, and cannot account for assets, all in accordance with federal accounting standards and the United States Standard General Ledger (USSGL).

    9. Significant deficiency - A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit the attention of those charged with governance.

    10. Internal control weakness - A reportable finding when testing or review reveals that the internal controls for a process are deemed ineffective. The term “internal control weakness” is used to report issues identified during management reviews and the annual assurance process.

Acronyms

  1. The following chart contains acronyms that are used throughout this IRM:

    Acronym | Meaning
    ACFO | Associate Chief Financial Officer
    BOD | Business Operating Division
    IC | Internal Control
    CFO | Chief Financial Officer
    FISMA | Federal Information Security Management Act of 2002
    MC ESC | Management Controls Executive Steering Committee
    MC ESC-S | Management Controls Executive Steering Committee Subgroup
    FMFIA | Federal Managers’ Financial Integrity Act of 1982
    FFMIA | Federal Financial Management Improvement Act of 1996
    FTE | Full-Time Equivalent
    GAO | Government Accountability Office
    GPRA | Government Performance and Results Act of 1993
    GPRAMA | Government Performance and Results Act Modernization Act of 2010
    IDRS | Integrated Data Retrieval System
    IPERA | Improper Payments Elimination and Recovery Act of 2010
    JAMES | Joint Audit Management Enterprise System
    OMB | Office of Management and Budget
    PCA | Planned Corrective Action
    PED | Portable Electronic Device
    SAR | Suspicious Activity Report
    TDCFO | Treasury Deputy Chief Financial Officer
    TFRP | Trust Fund Recovery Program
    TIGTA | Treasury Inspector General for Tax Administration
    Web-CBRS | Online Currency and Banking Retrieval System

Related Resources

  1. The following statutes and regulations are the most significant congressional acts that affect the IRS’s management controls program:

Management Controls Executive Steering Committee (MC ESC)

  1. The MC ESC oversees management’s design, implementation and operation of the IRS’s internal control system to ensure that internal controls are universally recognized as a shared responsibility and that internal control deficiencies are identified, analyzed and remediated. The MC ESC’s operations are governed by a charter maintained by the CFO’s Internal Controls organization.

Steps to Downgrade a Material Weakness

  1. The IRS is responsible for correcting material weaknesses. The steps to downgrade a material weakness to a significant deficiency are:

    1. Identify/clarify issues that contribute to a material weakness through discussion with external auditors to identify and understand issues/weaknesses that should be resolved in order to downgrade and/or eliminate the material weakness.

    2. Verify that planned actions will reduce the level of materiality as expected.

    3. Informally meet with GAO on a plan of action, current matters, controls being implemented to mitigate risk, and results, as applicable.

    4. Finalize the action plan based on internal review and GAO comments.

    5. Ensure that results have been achieved, verifying that the conditions that led to the issue being originally classified as a material weakness have been eliminated.

    6. Document the process for continuous monitoring to ensure controls are in place and continue to operate effectively to mitigate continued risk, identifying the level of risk (i.e., control deficiency, internal control weaknesses, etc.). Forward to IC for review.

    7. Meet with auditors (GAO) for support in closure/downgrade.

    8. Obtain MC ESC approval of closure/downgrade.

    9. Prepare a memorandum (prepared by the business unit and reviewed by IC) from the Commissioner to the Treasury Assistant Secretary for Management and Chief Financial Officer requesting concurrence for the closure/downgrade providing the background and summary of accomplishments and results.

    10. Report the material weakness closure/downgrade in the assurance statement.

Internal Control Process

  1. The internal control process is ongoing and encompasses all aspects of IRS operations. The internal control process steps are:

    1. Identify risk

    2. Determine existing controls

    3. Establish new controls or revise existing controls

    4. Document results of reviews

    5. Document, report and correct significant deficiencies

    6. Validate outcomes

    7. Develop indicators and goals

Identify Risk

  1. Risk is the probability of a negative, unanticipated occurrence. Risk is inherent in every activity; therefore, it is essential that managers identify the probability of risk within their operations and activities. Unacceptable or highly undesirable risk becomes the basis for establishing and maintaining internal control.

  2. Some areas or occurrences with higher potential for risk include:

    1. Cash-handling activities

    2. Procurement activities

    3. Refunds and refundable credits

    4. Security

    5. Level of reliance on automated processes

    6. Changes in organizational structure, processes, procedures, personnel and systems

    7. Level of reliance on contractors

  3. The assessment of risk is based on the manager's organizational knowledge and communication with employees. To identify risk, the manager should:

    1. Review findings from previous reviews and reports, including management reviews and GAO and TIGTA audit reports.

    2. Ensure that organizational processes are performed in accordance with written policies and procedures, including legislation, OMB Circulars, Department of the Treasury directives, GAO's Standards for Internal Control in the Federal Government and IRMs.

    3. Involve employees in identifying risk.

  4. Examples of actions a manager might take to identify risks include:

    1. Verify Form 809, Receipt for Payment of Taxes.

    2. Post review of case files (e.g., seizure and sale files) to ensure conformity with statutes, regulations, and the IRM.

    3. Consider disclosure/Privacy Act implications in all activities, including review of files and personnel folders.

    4. Perform risk assessments.

    5. Conduct quality assurance reviews.

    6. Initiate background and security investigations timely and take appropriate action based on the outcome of the investigations.

    7. Monitor telephone traffic volumes to ensure timely customer service.

    8. Review access to sensitive command codes for the Integrated Data Retrieval System (IDRS).

    9. Review assigned portable electronic devices that include, but are not limited to, laptop computers, cellular/personal communications system devices, audio/video/data recording or playback devices, scanning devices, and messaging devices, to ensure these devices and the data they contain are safeguarded.

    10. Conduct reviews to ensure laptops are locked.

    11. Periodically review use of sensitive information, including suspicious activity reports, in the online Currency and Banking Retrieval System (Web-CBRS).

Determine Existing Controls

  1. Once risk areas have been identified, determine what management controls exist for those areas. An internal control is the method by which an organization governs its activities. Controls provide 'unmodified assurance' that programs and administrative activities are efficient, effective and pose an acceptable level of potential risk.

  2. Internal controls are not separate systems or processes; they are tools routinely used by managers to manage their operations. The focus is not to have more controls but to have effective controls that mitigate risks. Some examples of internal controls are:

    1. Separation of duties (e.g., managers authorized to approve funding must not be involved in the payment or procurement processes; contracting officers authorized to obligate the government must not be involved in the commitment, receipt/acceptance, or payment process)

    2. Adequate supervision (e.g., purchase card approving officials monitor purchase cardholder activities to ensure purchases are appropriate and approved, funding is secured prior to the order being placed, and statements are processed timely)

    3. Reconciliation of records from two sources (e.g., matching travel receipts against the travel vouchers)

    4. Reconciliation of records against physical inventories

    5. Limited access (e.g., passwords on data systems)

    6. Verification of data entry

    7. Documentation of processes and procedures, such as the IRM

    8. Written delegations of authority

    9. Logs and checklists

  3. To determine existing controls, begin by comparing current practices and processes against existing procedures, policies, and guidelines. Some "red flags" that may indicate a need for assessing existing controls are:

    1. Costs charged incorrectly

    2. One or a small group of employees handling all steps of a process

    3. Inadequate training

    4. Infrequent reviews

    5. New or old automated systems

    6. Security incidents

    7. Adverse publicity

    8. Inadequate reports

    9. Increase in errors

    10. Customer dissatisfaction

    11. Recent (or frequent) change in management or key functions (see the Internal Control Management and Evaluation Tool)

  4. Examples of control techniques and methods are listed below.

    Control Technique | Control Method
    --- | ---
    Separation of duties | Duties are separated to avoid having one employee or a small group of employees handling all steps of a process.
    Appropriate documentation of transactions and internal control | Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination.
    Supervision | Adequate supervision to ensure organizational goals are achieved.
    Data security | Sensitive information is protected from unauthorized access.
    Physical asset security | Assets (such as laptops) are secured to protect against theft.

  5. If controls are needed and none currently exist, the manager may be responsible for establishing them (see IRM 1.4.2.4.3, Establish New Controls or Revise Existing Controls). In cases where the manager determines that the level of risk does not justify establishing a formal control mechanism, the manager should still document his/her findings and decisions for future reference and use in the annual assurance review process (see IRM 1.4.2.5, Annual Assurance Review Process).

Establish New Controls or Revise Existing Controls

  1. Once the manager has decided that a process needs a control, he/she should determine the process owner. If the manager does not own the process at risk but it impacts his/her operation, he/she should take proactive measures to coordinate with the process owner or other stakeholders to encourage them to improve management controls. It may be necessary to elevate the issue to higher levels. The control being used may be a standardized control for the organization. However, if it is not working properly, the manager should inform the next higher organizational level if the manager does not have the authority to change the control. A lack of controls in one process may be impacting other processes, and a change to procedures may benefit several parts of the organization. Once the manager has determined what controls exist or has established new controls, the next step is to assess their effectiveness (see IRM 1.4.2.4.4, Review/Assess Internal Control). The assessment and review of internal control is an ongoing process. If a manager does not own the process, determine the appropriate method of control to mitigate the risk (see IRM 1.4.2.4.2, Determine Existing Controls). In selecting control methods, use the following criteria:

    • The control must be consistent with operational or legislative requirements.

    • The control must be cost effective.

Review/Assess Internal Control

  1. Organizational conditions are constantly changing; therefore, managers need to assess their internal controls continuously. Managers should be alert to the potential impact of changing organizational structure, objectives, processes and procedures, personnel, and systems on operations and initiate required reviews as necessary. Circumstances that should cause managers to initiate a review are:

    1. External sources (e.g., taxpayers, Congress, GAO, TIGTA) have identified concerns.

    2. Current controls do not appear to be effective or cost beneficial.

    3. Conditions indicate a reduced level of quality or customer satisfaction.

    4. Conditions have changed (e.g., reorganization, phase-out of operations, personnel turnover).

    5. The office has a new responsibility or program.

  2. When conducting control reviews, managers should determine the dependencies or effects the controls have on other areas of the organization. Identifying dependencies often reflects a need for input from other organizations.

  3. To test the adequacy of internal control, managers should determine if the controls are:

    1. Implemented as designed and meet the control objectives of mitigating risk to an acceptable level.

    2. Performed by competent personnel.

    3. Consistent with operational objectives or legislative requirements.

    4. Efficient and cost effective.

  4. Techniques for testing the adequacy of internal control include:

    1. A walk-through of operations to observe how the control functions in actual practice. During the walk-through, managers should determine how the control is meeting the objective. Problems identified should be further analyzed to determine if an internal control weakness exists.

    2. Interviews to facilitate an understanding of how controls are functioning. Often, the best sources of information are personnel performing the operation. Combining inquiry and observation can often provide valuable insights into problem areas, such as a lack of financial and personnel resources necessary to effectively meet control objectives.

    3. If there are a considerable number of documents generated or transactions performed, the manager may review a sample of them. If no discrepancies are noted, then a reasonable conclusion is that the control is adequate. If discrepancies are identified, the manager should examine additional documents/transactions to confirm whether the control is functioning as designed.

    4. The manager may select a sample of source documents and follow them through each step of the process. Source document analysis can often disclose improper procedures, failure to follow procedures, or breakdowns among processing steps.

    5. The manager may choose to combine several methods of review to ensure the adequacy of the controls.

  5. At the conclusion of the review, the manager will decide whether the existing controls provide unmodified assurance that the objectives are being achieved in an efficient and effective manner or whether an internal control weakness exists and should be corrected. An internal control weakness is a problem in the design or operation of an internal control that should be reported to the next level of management. The manager should prepare a Report of Internal Control Weakness (IRM 1.4.2.4.6, Document, Report, and Correct Internal Control Weaknesses).

Document Results of Reviews

  1. If no internal control weaknesses were identified during the review, document the review results and retain them for use in preparing the annual assurance certification letter (IRM 1.4.2.5, Annual Assurance Review Process). The documentation can be as simple as a memorandum explaining the review methods and results. It normally does not require a separate formal report. The documentation may also be incorporated into other management reports as long as it is identified as the results of an internal control review.

  2. If deficiencies were identified and the manager has corrected them, the manager should retain the documentation for the annual assurance certification letter.

Document, Report and Correct Internal Control Weaknesses

  1. Each internal control weakness should be reported as soon as identified on a Report of Internal Control Weakness. An internal control weakness is a problem in the design or operation of an internal control that should be reported to the next level of management. The Report of Internal Control Weakness provides management with the information necessary to understand the problem clearly and assess the level of risk.

  2. In some instances, the manager may identify an internal control weakness but have no control over the actions necessary to correct it. In this case, the manager should elevate the issue to the next level of management for possible action and review. Managers should submit Part I of the Report of Internal Control Weakness to the next level of management with all available information.

  3. The manager may not have the expertise to provide all the information in detailed, technical terms. Once the issue is shared with the appropriate program area, they may request additional information. If the internal control weakness requires a corrective action plan, the process owner will be responsible for finalizing Part I and preparing Part II of the Report of Internal Control Weakness.

  4. If it is appropriate to develop a corrective action plan, the manager should include in the plan all the actions needed to correct the internal control weakness. When preparing the corrective action plan:

    1. Develop actions that are specific and describe the end result. For example, the action should be: "Revise and issue procedures to the field," not "Review current procedures."

    2. Ensure commitment of other stakeholders before establishing any action that requires activity outside the manager's control.

    3. Set realistic due dates. Successful plan completion may be dependent upon available resources, functional interdependencies, labor negotiations, legislation, or modernization issues. Therefore, consult with others as necessary in establishing realistic completion dates. Do not use "ongoing" as a completion date; always set a specific due date, e.g., MM/DD/YYYY. If the completion date is long-term, it may be necessary to establish interim milestone dates.

  5. The manager should identify goals and establish performance measures that will serve as progress indicators for correcting the internal control weakness.

  6. The manager should describe the validation process (a description of how to collect data supporting the performance measure(s) that will determine if the internal control weakness has been corrected successfully). The manager should describe the type and quantity of data to be gathered, the method of collection, and the data source.

  7. Once the Report of Internal Control Weakness is completed, the manager should forward it to his/her manager, and provide a copy to the internal control coordinator. The manager at the next level is responsible for reviewing the report and determining the validity of the issue. The next level manager will decide which one of the following actions is appropriate:

    1. Return the report to the preparer if the issue is not valid or if additional information/clarification is needed.

    2. Develop a corrective action plan, if appropriate, and obtain approval.

    3. Approve the corrective actions for implementation.

    4. Elevate the issue to the next higher level of management or to the process owner.

  8. Approved plans will be returned to the appropriate level manager for implementation. The manager must then monitor and regularly report progress to the approving official. Periodically, the manager must:

    1. Assess whether the corrective action plan is achieving the desired goal(s) and continues to be relevant under current operational conditions.

    2. Document and obtain the appropriate level of approval to complete or revise an action or reschedule a target date.

    3. Provide a copy of all approved documentation to the internal control coordinator for tracking purposes.

  9. The MC ESC identifies new material weaknesses. The fields in a material weakness plan are the same as the internal control weakness plan (see the CFO website for the Annual Assurance Process).


    REPORT OF INTERNAL CONTROL WEAKNESS (Part 1)

    Material Weakness Field | Field Description
    --- | ---
    Title | Enter a short but descriptive title.
    Responsible Official | This will normally be a head of office, division commissioner, or chief officer.
    Description | Describe the internal control weakness in terms of its effect on mission accomplishment, lost revenue, error rates, or impact on compliance, taxpayer burden or operating efficiency. Be quantitative, if possible. Be specific about what undesirable consequences could occur if the internal control weakness is not corrected.
    Source of Discovery | How was the internal control weakness identified? Sources usually include, but are not limited to, the annual assurance review, a control review, an operational review, an event that occurred during the year, or audit reports.
    Correction Strategy | Briefly summarize the proposed approach or course of action to correct the internal control weakness.
    Results Indicator/Effectiveness Measures | Briefly describe what indicators will be used to evaluate whether the actions taken have corrected the underlying cause of the internal control weakness. Indicators should be specifically related to the internal control weakness and be based on performance measures, either qualitative or quantitative.
    Validation Process | Describe how data will be collected to support the results indicator. Some possible methods include using existing management information or performance statistics, special surveys, sampling and analyzing data, and management control reviews.
    Target Correction Date | Enter the date by which all corrective actions are expected to be completed and validated.
    Other Issues | Use this space to briefly explain anything else that requires management's assistance or attention, including any related concerns such as resource needs, dependencies with other organizations, or cross-functional ownership.

    Include the name, organizational code and phone number of the manager who has identified the internal control weakness. (The submitting official is not necessarily the responsible official for correcting the internal control weakness.)

    REPORT OF INTERNAL CONTROL WEAKNESS (Part 2)

    Internal Control Weakness Title – Enter the title on each page of the Corrective Action Plan.

    Major Milestones | Completion Date: Original Plan | Completion Date: Revised Plan | Completion Date: Actual Date
    --- | --- | --- | ---
    Completed Actions - List actions that have already been completed and show the completion date in the Actual column. | | |
    Short-Term Actions - List each action that will take place within the next twelve months and give the target completion date in the Original column. | | |
    Longer-Term Actions - List each action that will be completed more than twelve months from now and show the target completion date in the Original column. | | |

    Prepared by: Name, Organizational Code
    Phone Number
    Date of Preparation

Indicators and Goals

  1. Results indicators (or performance measures) assist in determining how well the process is working compared to past performance. They can also identify positive/negative factors affecting program and administrative performance/effectiveness. In developing an appropriate results indicator, first consider the problem you are trying to correct or improve, such as timeliness of certain actions or reduction in the error rate of a particular process. If the results indicator selected does not directly tie to the specific deficiency, the corrective actions may fix the problem but may not be reflected in the performance results. Therefore, ensure that the results indicator is relevant to the problem being fixed and is based on observable performance measures, either quantitative or qualitative.

  2. Goals are used to tie the results indicator to the improvement of a particular product or process. Goals can be qualitative or quantitative.

    1. Qualitative goals are general in nature and suggest a desired direction but do not establish a specific numeric target. Qualitative goals may be appropriate for new processes or processes for which no baseline data exists. However, without baseline data and quantitative measures, it will be difficult to assess whether goals have been met.

    2. Quantitative goals are more focused and establish a specific numeric target (e.g., "Travel vouchers will be filed within five business days after the end of the month"). Quantitative goals should be based on statistically valid results of previous reviews or a compilation of information or numerical/quantitative recordation. In establishing quantitative goals, consider the anticipated level of available resources to implement the corrective action plan, organizational priorities and initiatives, and the interaction between multiple organizational goals.

    See IRM 1.5.1, The IRS Balanced Performance Measurement System.

Validate Outcomes

  1. When all corrective actions are completed, apply the plan's validation process to evaluate whether the actions taken achieved the desired outcome as indicated by the results indicator. If the measure or the results indicator implies that the problem has not been corrected, examine whether the corrective actions were effective and/or the validation process was appropriate. If the corrective action plan was not effective, review, revise, and implement a new plan.

  2. Once a results indicator validates that corrective actions have mitigated the internal control weakness effectively, forward the Report of Internal Control Weakness to the approving official for concurrence. This concurrence represents management's assurance that the problem/deficiency has been corrected. A copy should be submitted to the internal control coordinator and retained for use in preparing the annual assurance certification memorandum (IRM 1.4.2.5, Annual Assurance Review Process).

  3. Under no circumstances should management concur that a problem has been corrected until it is certain the risk has been mitigated to an acceptable level. This process is continuous; management must periodically reassess risks against current conditions to ensure that controls are effective.

Annual Assurance Review Process

  1. The annual assurance review process focuses on the adequacy of internal controls within each organization. Internal controls are processes, both administrative and program specific, that ensure programs achieve their intended results, organizations realize their goals, and financial and management reports are accurate, complete and timely. Managers assess risks (i.e., the probability of a negative, unanticipated occurrence) of operations, determine if controls do not mitigate those risks, and certify that those controls are effective. If managers identify weaknesses in the internal control procedures, they are required to report them to the responsible officials and business unit leadership so that a corrective action plan can be developed and implemented.

  2. Each spring, the CFO issues guidance to the deputy commissioners, division commissioners, chiefs, directors, national taxpayer advocate, and chief counsel on the annual self-assessment of internal controls and on preparing the annual assurance memorandum for their organizations.

  3. Through the annual assurance review process, all managers conduct an annual self-assessment to review the effectiveness of controls within their own area of responsibility and prepare an individual written statement of assurance. The involvement of each level of management in certifying the control environment within their areas is necessary in identifying risks at all levels. Managers must address in their assurance memorandum financial management systems compliance with the provisions of FFMIA.

  4. Managers should use the Internal Controls Managerial Assessment to review and evaluate management controls. Function-specific questions may be added to this document to further enhance its usefulness.

  5. A problem in the design or operation of an internal control should be reported to the next level of management as an internal control weakness. The MC ESC will determine if the internal control weakness rises to the level of a significant deficiency or a material weakness (i.e., an internal control weakness reported to Treasury and, potentially, through Treasury to the President).

  6. Material internal control weaknesses are systemic deficiencies in the design or operation of programs or systems, or a lack of controls that pose a significant risk of one or more of the following occurring:

    1. The inability to deliver/execute program/operational services in accordance with the agency’s mission and/or legislation.

    2. Errors, omissions and/or fraud in performance and other financial information or financial statements that would mislead users and/or management in decision-making processes.

    3. Financial commitments for programs and/or operations that are inconsistent with applicable provisions of law.

    4. The inability to properly safeguard assets.

  7. The assurance memorandum is a one- or two-page certification containing a specific statement on the status of your internal controls. There are three types of assurance:

    1. Unmodified assurance is an informed judgment by the head of an organization, based upon all available information, that the internal controls in place adequately protect the resources and ensure mission completion. Unmodified assurance recognizes that the cost of controls should not exceed the benefits derived from them.

    2. Modified assurance is an informed judgment by the head of an organization, based upon all available information, that the internal controls in place may not be adequate to address the problems identified in the assurance memorandum. This opinion is based on the number of identified problems or the seriousness of the problems.

    3. Statement of no assurance (no process in place or pervasive material weaknesses).

  8. The assurance memorandum should briefly describe the process used to verify that adequate management controls are in place and functioning effectively to accomplish organizational goals and protect IRS resources. Consider the information systems environment operated or used by your organizations and issues identified by GAO, TIGTA and IRS management reviews in preparing the certification.

  9. Corrective action plans for newly identified internal control weaknesses should be included with the assurance memorandum. Managers should execute actions necessary to resolve internal control weaknesses, regardless of whether or not the MC ESC deems them significant deficiencies or material weaknesses. Corrective action plans for internal control weaknesses identified in the previous fiscal year will be updated. Internal control weaknesses that have been corrected will be submitted with a certificate of completion describing the validation process and the results indicator data that verifies that the internal control weakness has been corrected.

  10. The MC ESC will evaluate these reports and, based on this and other relevant information, recommend to the commissioner what level of assurance should be submitted in the IRS's Annual Assurance Statement and any newly identified material weaknesses.

  11. As required by FMFIA, the commissioner signs and submits an Annual Assurance Statement to Treasury in early November each year.

Servicewide Tracking of Material Weaknesses and Significant Deficiencies

  1. The JAMES system tracks issues, findings, recommendations and the current status of corrective action plans for all material weaknesses, significant deficiencies, remediation plans, and audit reports from the Office of the Inspector General, GAO and TIGTA for all Treasury bureaus. Tracking these plans is mandatory to comply with the intent of FMFIA and with OMB and Treasury circulars and directives. The information contained in JAMES is used by Treasury to assess the effectiveness and progress that bureaus are making in implementing audit recommendations and correcting their internal control material weaknesses and significant deficiencies.

  2. Internal control weaknesses reported during the annual assurance process are reviewed by the MC ESC. If the MC ESC determines that an internal control weakness rises to the level of a significant deficiency or material weakness (i.e., a significant deficiency reported to Treasury and, potentially, through Treasury to the President), the significant deficiency or material weakness is entered and tracked in JAMES.

Remediation Plan

  1. The FFMIA requires agency heads to assess annually whether their financial management systems can prepare required financial statements and reports, can provide reliable and timely financial information for managing operations, and can account for assets, all in accordance with federal accounting standards and the USSGL.

  2. Agencies that are not in compliance with FFMIA must develop a remediation plan to achieve compliance.

  3. Agencies that are not in substantial compliance with FFMIA must bring their financial management systems into substantial compliance within three years; if this cannot be achieved, a waiver for a longer period must be requested from OMB.

  4. As a condition of OMB’s waiver to the three-year requirement for completing FFMIA remediations, the IRS is required to provide a remediation plan and a status review of performance for all remedies that were open during the quarter. The CFO has overall responsibility for the IRS remediation plan. The MC ESC monitors the plan and it is tracked in JAMES.

  5. The responsible organization updates the executive summary of the remediation plan with significant accomplishments achieved during the quarter and significant obstacles identified.

  6. The FFMIA requires that estimated and actual resources to implement action plans be identified by fiscal year. The responsible organization provides all costs to implement the recommendations and indicates the dollar amount approved by project. The responsible organization is also required to:

    1. Describe the methodology to calculate costs.

    2. Identify the phase if the estimated resources apply to a particular phase of implementation.

    3. Identify the resources associated with the primary recommendation and any subsequent recommendations if the resources apply to more than one recommendation.

    4. Identify the cost in dollars for full-time equivalents (FTEs).

    5. State any costs that will be absorbed by normal business practices.

    6. Report costs associated with contractor support, technical requirements (include hardware, software, infrastructure build-out and data storage), and any other cost category associated with implementation of the remedial action.

  7. The responsible organization identifies the source used to document estimated and approved resources.

    1. Owners of all remediation actions identify resources for all years covered by the actions, and the owners maintain work paper documentation to support the identified resources. The documentation includes a breakdown and explanation of estimated costs for FTEs, hardware, software, and contractor support costs, as well as dates indicating when the last estimates were calculated. The TIGTA audit team will validate that the current and out-years resource estimates reflect the date of reassessment. The IC will determine if the documentation should be submitted.

    2. Supporting documentation identifies the material weakness area and associated project/component area (corrective action) covered in the analysis. In addition, the preparer’s name and date of preparation must be clearly shown on the documentation.

    3. Supporting documentation identifies the same category break-outs (e.g. FTE, contractors, hardware) as those reported in the actual remediation plan in order to map/trace reported dollar figures with corresponding supporting documentation.

    4. Non-FTE incurred costs such as those for contractors, hardware and software are supported by billing statements or requisitions.

    5. Non-FTE estimates comprised of multi-organizational requirements (i.e., sustaining infrastructure) and pooled funding should reflect spending priorities. Provide time deadlines for the various phases/equipment purchases and identify those that need approved funding in order for the remedial action to meet their target due dates.

  8. The responsible organization updates the status when appropriate. This includes any change in the current status, issues, completed actions, rescheduled due dates or revised actions. If the action is not due yet and does not need to be rescheduled, the responsible organization indicates “On schedule.”

    Action | Information Provided
    --- | ---
    Completed Remedies | Brief description of the action taken and the date completed.
    Rescheduled Remedies | Provide the new date and the justification for the delay.
    Revised Remedies | Concise but brief description of the revised action, anticipated completion date or date completed, and the justification for the revision. The IC will coordinate the approval process.
    New Remedies | Identify the related GAO finding and recommendation for the new remedy. Give a concise but complete description of the action to be taken and the anticipated completion date or date completed, and the resources required for implementation of any open remedy. Also, identify duplicate actions contained in a material weakness or audit report. This crosswalk will allow you to report any update to the status simultaneously for all reports and eliminate the need for duplicate reporting.

  9. Annually, TIGTA reviews the IRS FFMIA remediation plan. TIGTA performs the review to meet its requirement under the FFMIA that states, in general, that each Inspector General shall report to the Congress instances and reasons when an agency has not met the intermediate target dates established within its FFMIA remediation plans.

  10. TIGTA’s overall objective is to determine any instances of and reasons for missed intermediate target dates established in the current fiscal year’s FFMIA remediation plan and to determine whether the IRS has taken adequate corrective actions on its prior year’s audit findings related to the FFMIA remediation plan. To achieve its overall objective, TIGTA will determine whether:

    1. The IRS FFMIA remediation plan was consistent with GAO recommendations from prior IRS financial statement audits and related financial management reports.

    2. The IRS missed any intermediate target dates established in its FFMIA remediation plan, whether any intermediate target dates were extended without sufficient documentation to support the revised dates, and if proper approval was obtained for remedial actions extending more than three years.

    3. The IRS FFMIA remediation plan had established resource needs for remedial actions and whether the resources presented were consistent with supporting documentation.

    4. The IRS took adequate corrective actions on its prior year’s audit findings related to the FFMIA remediation plan.

Identification of Quality Assurance Reviews and Initiatives

  1. In FY 2012, the IRS annual assurance process was expanded to identify key management reviews, program evaluations, and quality assurance reviews (“reviews”) conducted by the business units to assess the effectiveness of IRS operational controls. These organizational reviews are extremely important to the IRS and can result in saved resources, enhanced mission accomplishments, and more effective responses to issues identified by GAO and TIGTA.

  2. Each spring, the CFO issues guidance to the deputy commissioners, division commissioners, chiefs, directors, national taxpayer advocate, and chief counsel on:

    1. Completing the annual self-assessment of internal controls.

    2. Preparing the annual assurance memorandum for their organization.

    3. Identifying quality assurance reviews for their organizations (see IRM 1.4.2.5, Annual Assurance Review Process).

  3. The CFO issues a questionnaire to the business units and the results are used to determine an inventory of IRS internal control activities.

  4. The inventory of internal control activities is available on the IC website as the Quality Assurance Review Listing. Business units should examine the Quality Assurance Review Listing on the IC website to validate existing reviews, and to identify and submit new reviews. This includes identifying all quality assurance reviews that test or review work quality; measure data quality; and identify trends, problem areas, and improvements to program effectiveness in light of applicable directives, standards, and procedures. These reviews include work process, program, or operation management reviews, and operational reviews and site visits.

  5. When identifying management, program, and quality assurance reviews, the following examples should be considered:

    1. Business unit quality assurance reviews that objectively and independently evaluate adherence to processes and work products in applicable directives, processes, standards, procedures, and guidelines (e.g., Trust Fund Recovery Program (TFRP), Quality and Assessment Reviews, and Reviews to Determine Lien Release Timeliness in Scope).

    2. Compliance IDRS Adjustment Reviews to help prevent unpostables and ensure correction of errors.

    3. Quality review of data to provide a basis for measuring and improving program effectiveness that generates corrective actions (e.g., quarterly announced and unannounced reviews of couriers; receipt and control at lockbox banks, campuses and Taxpayer Assistance Centers).

    4. Quality review process that provides a method to monitor, measure, and improve the quality of work and identify trends, problem areas, training needs, and opportunities for process improvement (e.g., random testing of guard response to alarms at all campuses and computing centers).

  6. To aid in planning for future quality assurance program reviews, business units are encouraged to provide senior leadership with suggestions on quality assurance reviews that merit consideration for additional review. Business unit input is important and will help in designing a quality assurance review plan to best address issues that are important to the IRS.

  7. Every manager (e.g., unit, group, section, office) must complete an Internal Control Managerial Assessment. The assessment includes questions related to management reviews, program evaluations, or quality assurance reviews, and managers may be required to submit quality assurance review questionnaires.

  8. The CFO uses selected quality assurance review results to support the annual assurance statement signed by the IRS commissioner and submitted to the Department of the Treasury as required by the FMFIA. (See IRM 1.4.2.1.2, Authorities.)