- 1.4.3 IRS Guidance on OMB Circular A-123, Managements Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting
- 22.214.171.124 Overview
- 126.96.36.199 Background
- 188.8.131.52 Authorities
- 184.108.40.206 Related Resources
- 220.127.116.11 Definitions
- 18.104.22.168 Acronyms
- 22.214.171.124 Responsibilities
- 126.96.36.199.1 Chief Financial Officer (CFO)
- 188.8.131.52.2 Associate Chief Financial Officer (ACFO) for Corporate Planning and Internal Control (CPIC)
- 184.108.40.206.3 Associate Chief Financial Officers for Financial Management (FM) and Corporate Budget (CB)
- 220.127.116.11.4 Business Operating/Functional Divisions and Process Owners
- 18.104.22.168.5 Statistics of Income (SOI) Division
- 22.214.171.124.6 Test Team Leader
- 126.96.36.199.7 A-123 Test Teams
- 188.8.131.52 The Department of the Treasurys Five-Part Approach
- 184.108.40.206 Governance
- 220.127.116.11 General Guidance for A-123
- 18.104.22.168.1 A-123 Schedule
- 22.214.171.124.2 Test Planning
- 126.96.36.199.3 Work Paper Documentation
- 188.8.131.52.4 Testing
- 184.108.40.206 Transaction Test Plan Development and Test Execution
- 220.127.116.11.1 Document Internal Controls
- 18.104.22.168.2 Document Control Design Analysis (CDA)
- 22.214.171.124.3 Evaluate Quality Assurance Reviews (QARs) and Structured Management Reviews (SMRs)
- 126.96.36.199.4 Develop and Document Test Plan
- 188.8.131.52.5 Document Population and Obtain Sample from Statistics of Income (SOI)
- 184.108.40.206.6 A-123 Review Board Reviews Test Plan
- 220.127.116.11.7 Transaction Testing Sequence
- 18.104.22.168.8 Evaluating Errors Discovered During Testing
- 22.214.171.124 Work Papers
- 126.96.36.199 A-123 Work Product Approval Process
- 188.8.131.52 Internal Control Test Plan Outline
- 184.108.40.206 Combined Procedures Report (CPR)
- 220.127.116.11 Combined Issues Report (CIR)
- 18.104.22.168 Opportunity for Improvements (OFIs)/Corrective Action Plans (CAPs)
- 22.214.171.124 Continuous Monitoring
Part 1. Organization, Finance, and Management
Chapter 4. Resource Guide for Managers
Section 3. IRS Guidance on OMB Circular A-123, Managements Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting
1.4.3 IRS Guidance on OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting
May 04, 2016
(1) This transmits revised IRM 1.4.3, IRS Guidance for Implementing OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting.
(1) In this revision of IRM 1.4.3, IRS Guidance for Implementing OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting, the content was significantly rearranged and revised to reflect updated methodology and processes to A-123 testing.
(2) IRM 126.96.36.199, Overview, revised to add A-123 team.
(3) IRM 188.8.131.52, Background, revised to add Council of the Inspector General on Integrity and Efficiency (CIGIE), removed reference to President’s Council on Integrity and Efficiency (PCIE), and added additional information related to internal control.
(4) IRM 184.108.40.206, Authorities, revised authorities.
(5) IRM 220.127.116.11, Related Resources, added additional IRM reference.
(6) IRM 18.104.22.168, Definitions, revised definitions.
(7) IRM 22.214.171.124, Acronyms, revised and added acronyms.
(8) IRM 126.96.36.199, Responsibilities, revised responsibilities.
(9) IRM 188.8.131.52, The Department of the Treasury’s Five - Part Approach, was revised to reflect current process.
(10) IRM 184.108.40.206, Governance, revised A-123 requirements and procedures.
(11) IRM 220.127.116.11, General Guidance for A-123, revised to reflect current process.
(12) IRM 18.104.22.168, Transaction Test Plan Development and Test Execution, revised test plan procedures.
(13) IRM 22.214.171.124.1, Document Internal Controls, revised financial reporting process documentation.
(14) IRM 126.96.36.199.2, Document Control Design Analysis (CDA), changed section title from Document Crosswalk to Document Control Design Analysis and inserted Control Design Analysis template.
(15) IRM 188.8.131.52.3, Evaluate Quality Assurance Reviews (QARS) and Structured Management Reviews (SMRs), revised and updated table, and changed section title from Evaluate Structured Management Review (SMR) to Evaluate Quality Assurance Reviews (QARs) and Structured Management Reviews (SMRs).
(16) IRM 184.108.40.206,4, Develop and Document Test Plan, revised to reflect current test plan.
(17) IRM 220.127.116.11.5, Document Population and Obtain Sample from Statistics of Income (SOI), revised to reflect current process.
(18) IRM 18.104.22.168.6, A-123 Review Board Reviews Test Plan, revised to reflect current process.
(19) IRM 22.214.171.124.8, Evaluating Errors Discovered During Testing, revised to reflect current process.
(20) IRM 126.96.36.199, Work Papers, revised to reflect current process and replaced sample lead sheet.
(21) IRM 188.8.131.52(13), Personally Identifiable Information (PII), revised to reflect correct referenced IRM and title.
(22) IRM 184.108.40.206, A-123 Work Product Approval Process, revised to reflect current process.
(23) IRM 220.127.116.11, Internal Control Test Plan Outline, revised to reflect current process.
(24) IRM 18.104.22.168, Combined Procedures Report (CPR), revised to reflect current process.
(25) IRM 22.214.171.124, Combined Issues Report (CIR), deleted template and previous IRM 126.96.36.199 and added combined issue report information.
(26) IRM 188.8.131.52, Opportunity for Improvements (OFIs)/Corrective Action Plans (CAPs), revised to reflect current process.
(27) IRM 184.108.40.206, Continuous Monitoring, revised to reflect current monitoring process.
Ursula S. Gillis
Chief Financial Officer
This IRM provides IRS guidance on processes and procedures for implementing Office of Management and Budget (OMB) Circular A-123, Management’s Responsibilityfor Internal Control, Appendix A: Internal Control Over Financial Reporting, in order to support the Business Operating Divisions (BODs) and Functional Operating Divisions (FODs).
The Chief Financial Officer (CFO), Corporate Planning & Internal Control, Office of Internal Controls (CPIC-IC), A-123 team, develops and maintains this IRM.
The passage of the Sarbanes-Oxley Act of 2002 (SOX) served as an impetus for the Federal Government to reevaluate its current policies relating to internal control over financial reporting and management’s related responsibilities. SOX requires management of publicly-traded companies to strengthen their processes for assessing and reporting on internal control over financial reporting. While SOX created a new requirement of publicly-traded companies, federal managers have been subject to similar internal control reporting requirements for many years.
A joint committee of representatives from the Chief Financial Officers Council and the Council of Inspectors General on Integrity and Efficiency (CIGIE) was formed and tasked with reviewing the SOX requirements for publicly-traded companies, determining how these requirements apply to federal agencies, and recommending changes to the existing guidance on internal control. The joint committee recommended significant changes to the OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting, which included a requirement for agencies to document and test internal controls to verify they are in place and working as intended.
The authorities for these policies are:
Revised OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting December 2004
GAO/CIGIE Financial Audit Manual (FAM)
Department of the Treasury Annual Implementation Guidance
IRM 10.8.1, Information Technology (IT)Security, Policy and Guidance
NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4(Recommended Security Controls)
IRM 1.4.2, Monitoring and Improving Internal Control
In this IRM, the terms below have the following meanings:
Anomaly (Anomalies) – a deviation from the common rule; an irregularity that is difficult to explain using existing rules or theory.
Assertions - management representations embodied in financial statement components, comprised of the following five categories:
Existence or occurrence
Rights and obligations
Accuracy/valuation or allocation
Presentation and disclosure
Axway - a secure data transfer software used to securely transmit work papers and documents electronically to the Government Accountability Office (GAO).
Closed Opportunity for Improvement - describes the remediated (resolved) status of a situation identified during a previous testing period(s) in which controls were in place, but could be strengthened through remedial measures.
Combined Issues Report (CIR) - details the Opportunity for Improvement (OFI) identified during testing of a transaction, which includes issues identified during the current testing period as well as existing issues from previous testing periods.
Combined Procedures Report (CPR) - details the test steps, dates, and results of transaction testing.
Compensating Control – a control that limits the severity of a control deficiency and prevents it from rising to the level of a significant deficiency, or in some cases, a material weakness. It operates at a level of precision, considering the possibility of further undetected misstatements that would result in the prevention or detection of a misstatement that is more than inconsequential or material to the financial statements. Although a compensating control mitigates the effects of a control deficiency, it does not eliminate the control deficiency.
Completeness and Accuracy - addresses whether all transactions and accounts that should be in the financial statements are included and are recorded appropriately.
Continuous Monitoring - activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.
Control Activities - the actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information systems.
Control Deficiency - exists when the design, implementation, or operation of a control does not allow management or personnel, in the normal course of performing their assigned functions, to achieve control objectives and address related risks.
Control Design Analysis (CDA) - documents the risk associated with a process, key controls designed to mitigate the risk, and assessment of the effectiveness of the design for each key control. It also references the test plan and where each of the key controls determined to be effective will be tested.
Control Environment - the foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objective.
Control Risk - the risk that a material misstatement could occur but may not be detected and corrected or prevented by the entity’s internal controls.
Corrective Action – an action taken by the audited entity that corrects identified deficiencies, produces recommended improvements, or demonstrates that audit findings are either invalid or do not warrant audited action.
Corrective Action Plan (CAP)- documents the strategy and/or detailed steps to be taken to remediate an identified control deficiency or weakness.
Effective - business objective and intended result for the control activity has been met successfully.
Exception - an error, instance or case not conforming to the guidance requiring adherence.
Existence or Occurrence - addresses whether assets or liabilities exist at a given date or recorded transactions have occurred during a given period.
Existing Opportunity for Improvement - describes the open (non-remediated) status of a situation identified in a previous testing period in which controls were in place, but could be strengthened through measures.
Existing Opportunity for Improvement Not Verified - describes the open (non remediated) status of a situation identified in a previous testing period in which controls were in place, but could be strengthened through remedial measures; however, remedial actions could not be substantiated to eliminate the vulnerability.
Financial Reporting – consists of an Agency's annual financial statements and other significant internal and external financial reports that could have a material effect on significant spending, budgetary, or other financial decisions of the agency or that are used to determine compliance with laws and regulations.
Financial Statements – provide information about an entity's financial position, performance, and/or changes in financial position that is useful to a wide range of users in making economic decisions. Financial statements should be understandable, relevant, reliable, and comparable. Reported assets, liabilities, equity, income, and expenses are directly related to an organization's financial position.
Ineffective - business objective and intended result for the control activity failed and has not been met.
Information and Communication - the quality information that management and personnel communicate, and use to support the internal control system.
Inspection - examination of documents, products, or services to evaluate the consistency, efficiency, and/or effectiveness of a control.
Interim Guidance - is an Internal Manual Document (IMD) used by organizations to issue immediate, time- sensitive, or temporary instructions to employees. The guidance communicates procedural directions, guidelines, or standards to employees in the performance of their assigned duties. See IRM 1.11.10, Interim Guidance Process
Interim Testing Period - describes the first phase of testing for the fiscal year, representing controls tested as of June 30.
Internal Controls - an integral part of any organization's financial and business policies and procedures. Internal controls consist of all the measures taken by the organization for the purpose of (1) protecting its resources against waste, fraud, and inefficiency; (2) ensuring accuracy and reliability in accounting and operating data; (3) securing compliance with the policies of the organization; and (4) evaluating the level of performance in all organizational units of the organization.
Internal Management Document (IMD) - are official communications that designate authorities and /or disseminate instructions to staff for officials and employees. IMD include delegations of authority, policy statements, and interim guidance that include procedural changes. See IRM 220.127.116.11 for definitions of each type of IMD.
Internal Revenue Manual - the primary, official source of “instructions to staff” that relate to the administration and operation of the IRS. See IRM 18.104.22.168, IRM Standards.
Job Aids - may be an IRM exhibit, an IRM job aid on SERP, a Technical Communications Document (TCD) job aid, or a document used as training material.
Management’s Information Only (MIO) - recommendation designated as being for Management’s Information Only and consisting of a suggestion to enhance a working control based on industrial standards and/or best practices. In these scenarios, controls are in place and are effective but there are some potential enhancements that could be made to improve the control. Does not rise to the level of an Opportunity for Improvement (OFI).
Material Weakness - a significant deficiency in which the Agency Head determines to be significant enough to report outside of the agency (e.g., merits the attention of the Executive Office of the President and the relevant Congressional oversight committees) as a material weakness.
Methodology – a documented process for applying standards when assessing, documenting, and reporting on internal controls over financial reporting.
Mitigation Control – a type of control used to discover and prevent mistakes that may lead to uncorrected and/or unrecorded misstatements related to control deficiencies.
Monitoring - activities management establishes and operates to assesses the quality of performance over time and promptly resolve the findings of audits and other reviews.
National Institute of Standards and Technology (NIST) – responsible for developing information security standards and guidelines, including minimum requirements for federal information systems based on its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law 107-347.
Observation - looking at a process or procedure being performed by others.
Opportunity for Improvement (OFI) – suggestion to strengthen an existing control through remedial measures to improve the overall process.
Personally Identifiable Information (PII) - any information that, by itself or in combination with other information, may be used to uniquely identify an individual.
Planning Phase – based on the sample data tested, the Test Team Leader researches policies and procedures and conducts walkthroughs to gain an understanding of the process being tested and subsequently documents the key controls and develops a test plan to execute during the testing phase.
Population - universe or list of items for a given period of time from which the sample will be derived.
Process Owner - organization, business unit, operating/business division or office responsible for managing and overseeing the objectives and performance of a process.
Prepared by Client (PBC) Listing - detailed request of information and documents needed from the client to conduct testing.
Quality Assurance Review (QAR) - assessment of organization risk and internal controls to verify adequate management controls are in place and functioning effectively to accomplish organizational goals and protect resources.
Re-performance - independent execution of procedures or controls that were originally performed as part of the entity’s internal control.
Reporting Phase – based on sample data tested, the Test Team Leader forms conclusions about:
the financial statements
the entity’s internal controls
the financial management systems’ compliance with the three FFMIA requirements
compliance with laws and regulations
other information, such as Management’s Discussion and Analysis or the overview of the reporting entity
any required supplementary information or additional information, such as unaudited financial statements
Rights and Obligations - addresses the assertion of whether the entity holds or controls the rights to assets included on the financial statements and that liabilities are obligations of the entity.
Risk Assessment – assess the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.
Sample - items selected from a population to reach a conclusion about the population as a whole.
Sampling Plan – an outline detailing the criteria to use to select a sample (size, frequency of control, risk, etc.) from which the Test Team Leader will select a certain number of items to use to reach a conclusion representative of the whole population.
Scope - description of the physical locations, organizational units, activities and processes and the corresponding time period subjected to examination or review.
SERPAlert - information, delivered to employees required to use the SERP platform, maintained on the IRS internal website. The information communicated may provide a reminder or notification to address work stream, programming or system problems.
Significant Deficiency – a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
Standard Operating Procedures (SOP) - written documentation that lists the step-by-step instructions on how to perform a job or task or carry out the activities associated with a process.
Statement of Assurance – a certification included in the annual Agency Financial Report (AFR) that represents the Commissioner’s informed judgment as to overall adequacy and effectiveness of internal controls. The Commissioner provides either an unmodified statement that an effective and efficient system of internal controls exists, a modified statement that an overall sound system of internal control exists but one or more material weaknesses have been identified, or a statement of no assurance on the system of internal controls.
Structured Management Review (SMR) – a review of documented continuous monitoring activities including QARs or other independent internal reviews put in place to cover many IRS internal control activities during the normal course of operations.
Supporting Documentation - written information and/or data providing backup to substantiate the conclusion.
Team Leader - an individual responsible for assisting the A-123 Section Chief in overseeing program activities.
Test Team Leader - individual responsible for leading the A-123 testing process for assigned transactions.
TeamMate – a Windows-based Audit Management System, used by the A-123 team to prepare work papers for the reviews conducted. The A-123 team uses TeamMate to manage the audit process, which includes scheduling, planning, execution, review, and report generation.
Test Activities – actions performed over policies and procedures, which helps ensure that management directives are carried out and that management’s assertions in its financial reporting are valid (that is, gain understanding of a process through interview, walkthrough, observation or re-performance).
Test Objectives – purposes or intended goals stating what the tester wants to accomplish when implementing the specified test activities.
Test Plan – a document which describes the scope of the testing and identifies the methodology used to conduct tests.
Test Steps - procedures performed to reach established audit objectives and assess the efficiency and effectiveness of control activity.
Testing – after the preliminary review, the Test Team Leader performs the procedures in the audit program. The Test Team Leader tests the major internal controls and the accuracy and correctness of the transaction. The team leader uses various techniques such as sampling.
Testing Phase – the Test Team Leader gathers evidence to report on the financial statements, internal controls, and the entity's systems with the three requirements of FFMIA, significant provisions of applicable laws and regulations.
Transaction - represents activities and/or processes impacting and reflected in the Treasury consolidated financial statements.
Valuation and Allocation - addresses whether assets, liabilities, and equity interests included in the financial statements are at appropriate amounts and any corresponding adjustments are appropriately recorded.
Walkthrough - process by which to assist in understanding design and implementation of controls and may include a combination of interviews, observations, examination of documents, and/or tracing a transaction from initiation to completion.
Work Papers - documents that support the audit opinion. The work papers reveal the comprehensive actions the Test Team Leader performed to test each control during the testing phase. The work papers connect the entity’s accounting records and financial reporting to the Test Team Leader’s opinion.
Work Papers Procedures Report - a TeamMate generated report listing the reference number and document title of documentation used to test steps and results.
This IRM contains the following acronyms and meanings:
Acronym Meaning ACFO Associate Chief Financial Officer BOD Business Operating Division CAP Corrective Action Plan CB Corporate Budget CDA Control Design Analysis CIGIE Council of Inspectors General on Integrity and Efficiency CIR Combined Issues Report CPIC-IC Corporate Planning and Internal Control, Office of Internal Control CPR Combined Procedures Report FM Financial Management FMFIA Federal Managers Financial Integrity Act FFMIA Federal Financial Management Improvement Act FOD Functional Operating Division GAO Government Accountability Office IRM Internal Revenue Manual JAMES Joint Audit Management Enterprise System MC ESC Management Controls Executive Steering Committee NIST National Institute of Standards and Technology OFI Opportunity for Improvement OMB Office of Management and Budget PBC Prepared by Client POC Point of Contact QAR Quality Assurance Review SERP Servicewide Electronic Research Program SOP Standard Operating Procedures SOX Sarbanes-Oxley Act of 2002 SME Subject Matter Expert SMR Structured Management Review SOI Statistics of Income Division TIGTA Treasury Inspector General for Tax Administration TDCFO Treasury Deputy Chief Financial Officer TIER Treasury Information Executive Repository
This section provides responsibilities for:
Chief Financial Officer (CFO)
Associate Chief Financial Officer (ACFO) for Corporate Planning and Internal Control (CPIC)
ACFO for Financial Management (FM)
ACFO for Corporate Budget (CB)
Business Operating Divisions (BODs)/Functional Operating Divisions (FODs)/Process Owners
Statistics of Income (SOI) Division
Test Team Leader
A-123 Test Team
The CFO is responsible for executing A-123 responsibilities to support Treasury’s assurance statement by properly identifying, testing, and evaluating IRS’ controls over financial reporting.
The ACFO for CPIC is responsible for:
Verifying clear communication of the A-123 assessment objectives throughout the agency
Developing the A-123 assessment methodology and guidance
Coordinating testing activities and time lines with BODs, FODs, process owners, the Department of the Treasury, and GAO
Providing oversight and assistance to verify the testing team carries out the assessment in a thorough, effective, and timely manner
Administering the Governance process by chairing the A-123 Review Board, providing scheduling and administrative support to the test team, providing the status and results of A-123 activities to the Management Controls Executive Steering Committee (MC ESC) and the A-123 Review Board, and documenting key decisions
Communicating with agency management and employees regarding the A-123 assessment
Identifying subject matter experts (SMEs) and point of contact (POC) to assist in the development of the control design analysis (CDA) and complete and timely test plans
Communicating and coordinating with external oversight groups
Serving as a central repository for all official A-123 records
Preparing the prepared by client (PBC) listing for required documentation for A-123 internal control reviews
The ACFO for FM and the ACFO for CB are responsible for:
Designating an A-123 Review Board representative and back-up
Providing SMEs to review the control design analysis to verify that the test team identified key controls
Communicating existing matters for consideration (MFCs) or recommendations noted by GAO or TIGTA and the current status related to processes under review, if applicable
Gathering requested internal control documentation stated in the PBC listing
Evaluating existing management review procedures
Supporting transaction testing responsibilities by: identifying and obtaining data (and other documents needed for testing) from cross-servicing organizations (for example, Department of Labor, National Finance Center) and reviewing test plans and results
Developing and monitoring corrective action plans (CAPs) for identified weaknesses
Reviewing and addressing OFIs for identified areas of potential improvement
Reviewing and signing the combined procedure report (CPR) and combined issues report (CIR), as applicable
The business operating/functional divisions/process owners are responsible for:
Providing SMEs to identify key controls and review the CDA to verify that the test team identified key controls
Communicating existing MFCs or recommendations noted by GAO or TIGTA and the current status related to processes under review, if applicable.
Gathering requested internal control documentation stated in the PBC listing
Evaluating existing management review procedures
Reviewing and signing the combined procedures report (CPR) and combined issues report (CIR), as applicable
Developing and monitoring CPAs for identified weaknesses
Providing timely responses to OFIs and/or CAPs
Communicating changes to processes
Reviewing and addressing OFIs for identified areas of potential improvement
The SOI is responsible for:
Determining an appropriate sampling method and size for each control based on frequency
Using statistical sampling methods to generate random samples
The Test Team Leader is responsible for:
Understanding the work processes and procedures related to the tested transaction
Performing test work in accordance with relevant standards, OMB Circular A-123, internal A-123 SOPs, and other adopted federal guidance
Reviewing and checking off the A-123 checklist to verify required steps were completed
Coordinating development of the CDA, internal control test plan and PBC listing; communicating updates and deadlines with BODs and FODs for timeliness of work performed
Revising, if appropriate, the nature, timing, and extent of testing performed
Verifying necessary meetings and interviews, documenting all conclusions, and planning appropriate follow-up actions
Elevating significant matters to the A-123 Section Chief, Team Lead, and the IC Director for further consideration
Documenting deviations from the internal control test plan as reported by the test teams
Test teams are comprised of the A-123 Team Lead and individuals assisting with executing the test plan.
The A-123 Test Teams are responsible for:
Reviewing and checking off A-123 checklists to verify required steps are completed
Obtaining and reading applicable IRMs, Interim Guidance Memoranda, SOPs, Job Aids, SERP IRM Procedural Updates (IPUs), and other guidance related to assigned test steps
Communicating any deviation from the test plan to the Test Team Leader
Analyzing test results to determine if internal controls are working
Proposing OFIs and/or corrective action items to the appropriate process owner if improvements or weaknesses are identified
Verifying all required supporting documentation is available for assigned test steps and timely notifying the Test Team Leader, POC, and SME of any discrepancies
Providing suggestive test plan updates to the Test Team Leader based on recent execution of the test plan
Treasury requires bureaus to use the following five-part approach:
Part One: Core Financial Process: Test controls over specific financial transactions that are material to Treasury’s consolidated financial statements. Each year, Treasury provides a list of transactions that the IRS is required to test in addition to the transactions meeting the materiality criterion as established in Treasury’s annual guidance and implementation plan.
Part Two: Financial Reporting: Identify key financial reports and review the format, content, accuracy, method of assembly, and usefulness to decision makers. In addition, Treasury requires IRS to review Treasury Information Executive Repository (TIER) reporting and eliminations procedures for intergovernmental payments.
Part Three: Self - Assessment: Financial reporting organizations complete the GAO Abbreviated Internal Control Questionnaire to assess the overall adherence to the five components of internal control: (1) Control Environment, (2) Risk Assessment, (3) Control Activities, (4) Information and Communications, and (5) Monitoring.
Components of Internal Control Principles Control Environment 1. Demonstrate Commitment to integrity and Ethical Oversight Responsibility 2. Exercise Oversight Responsibility 3. Establish Structure, Responsibility and Authority 4. Demonstrate Commitment to Competence 5. Enforce Accountability Risk Assessment 6. Define Objectives and Risk Tolerances 7. Identify, Analyze, and Respond to Risk 8. Assess Fraud Risk 9. Analyze and Respond to Change Control Activities 10. Design Control Activities 11. Design Activities for Information Systems 12. Implement Control Activities Information and Communication 13. Use quality Information 14. Communicate Internally 15. Communicate Externally Monitoring 16. Perform Monitoring Activities 17. Remediate Deficiency
Part Four: Regulatory Compliance and Internal Review: Evaluate the implementation of governing regulations and incorporate the results of internal control or management oversight reviews in the overall assessment of internal controls over financial reporting by i) Reviewing test plans to verify test objectives are accurately defined and contain all required internal control procedures
ii)Reviewing the sampling plan to verify the methodology, type of sample, and sample sizes are appropriate
Part Five: Audits: Review TIGTA and GAO audits related to financial reporting to determine potential agency risk and the impact to various processes.
The IRS has adopted a two-tiered governance process to verify it consistently executes A-123 requirements, has documentation procedures, provides credible results, and all OFIs and CAPs adequately address open issues. The two-tiered governance process consists of the MC ESC and the A-123 Review Board.
The IRS Deputy Commissioner for Operations Support chairs the MC ESC, which provides executive level oversight to the A-123 process by reviewing A-123 results and approving the interim and final assurance statements. Refer to IRM 1.4.2, Monitoring and Improving Internal Control, and Sections 22.214.171.124, Roles and Responsibilities, and 126.96.36.199, Management Controls Executive Steering Committee (MC ESC), for additional information related to the MC ESC.
The A-123 Review Board is an advisory working group composed of senior executives. Members represent CPIC, FM, CB, and process owners, as applicable. The A-123 Review Board has two key responsibilities:
i) Review test plans to verify test objectives are accurately defined and contain all required internal control procedures
ii) Review the sampling plan to verify the methodology, type of sample, and sample sizes are appropriate
The A-123 team follows general guidance as outlined in OMB Circular A-123 Appendix A and guidance established by the Department of the Treasury.
Internal control is a process affected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of the entity will be achieved. These objectives and related risks can be broadly classified into one or more of the following three categories:
Operations - Effectiveness and efficiency of operations
Reporting - Reliability of reporting for internal and external use
Compliance - Compliance with applicable laws and regulations
Management cannot rely on internal control testing by external oversight organizations (i.e., Government Accountability Office (GAO) and the Treasury Inspector General for Tax Administration (TIGTA)) to meet the A-123 requirement to test internal controls. Each reporting entity in the Department of the Treasury is required to include an A-123 Statement of Assurance in their Federal Managers’ Financial Integrity Act (FMFIA) (31 USC 3512) and Federal Financial Management Improvement Act (FFMIA) (Pub. L. No. 104 - 208) Annual Assurance Statement. The Statement of Assurance must take one of the following forms:
Unmodified statement of assurance (no material weaknesses reported)
Modified statement of assurance, considering the exceptions explicitly noted (one or more material weaknesses or lack of substantial compliance reported); or
Statement of no assurance (no processes in place or pervasive material weaknesses).
The A-123 Section Chief and Team Leader will develop a detailed A-123 timeline for interim and fourth quarter testing periods to verify tests are appropriately scheduled and sufficient resources are available. The A-123 Section Chief and Team Leader will monitor the schedule and inform the IC director and ACFO for CPIC of any execution delays.
In the planning phase, the Test Team Leader defines the test objectives and the objectives’ scope and methodology. The team plans these three elements simultaneously, as the considerations in determining each often overlap.
The test objective describes what the test intends to accomplish
The scope defines the boundaries of the tests and directly relates to the test objectives. For example, the period reviewed, the availability of necessary documentation or records, and the locations of testing are included in the scope definition
The methodology comprises the steps and techniques involved in gathering and analyzing data to achieve the objectives, such as inspecting sample data or observing controls. Methodology includes both the types and extent of test procedures used to achieve the objectives. The test plan documents and provides sufficient, competent, and relevant evidence to achieve the test objectives
During test planning, the A-123 team documents its planning activities, which include:
Reviewing related IRMs, Interim Guidance Memoranda, SOPs, Job Aids, and SERP IRM Procedural Updates (IPUs) as applicable
Interviewing SMEs and walkthrough of the process, as applicable
Documentation of the internal control process and environment as it relates to the specific transactions to be tested (Control Design Analysis)
Reviewing and following up on known significant GAO and TIGTA findings and recommendations that directly relate to the objectives of the test
Identifying potential sources of data that could be used as evidence
Reviewing relevant management reviews and determining whether structured management reviews (SMRs) or QARs may be used to satisfy some of the test objectives
Developing a test plan, which documents and provides sufficient, competent, and relevant evidence to achieve the test objective
Identifying appropriate and sufficient staff and other resources necessary to perform testing
Communicating information about the test plan and process of testing to the responsible owners of the tested controls
Developing the PBC listing to include appropriate deadlines for timeliness and completion of work performed
All aspects of testing activities require a high level of documentation. Refer to IRM 188.8.131.52, Work Papers, for more information on work paper documentation. Documentation provides the principal support for the A-123 process, aids those conducting and supervising the testing, and allows for quality review and oversight reviews. The test team obtains sufficient, competent, and evidential documentation to afford a reasonable basis for an opinion regarding the tested internal controls through inspection, reperformance, observation, inquiries, or confirmations.
Documentation related to planning, testing, and reporting on A-123 activities should contain sufficient information to enable an individual who has had no previous connection with the testing to understand what was tested, how the test was conducted, the test results, and to verify the reviewer’s judgments and conclusions.
The A-123 team determines the quantity, type, and content of documentation, which provides a clear understanding of the internal control test’s purpose, data sources, results, and conclusions. The team organizes the documentation logically to provide a clear link to the conclusions and OFIs. A-123 test documentation must contain the following items:
Objectives, scope, and methodology for each A-123 transaction, including the testing period, the definition of the sampling universe, and if the team deviated from the approved sampling methodology, the rationale for such actions
Support for each test conducted, including the copies of documents examined and the rationale for key decisions and any deviations made from approved guidance
Testing results, analysis, and conclusions that provide a clear and concise summary of results cross-referenced to supporting documents and resolution of anomalies or other issues
Evidence of Test Team Leader review and sign-off of the work papers reviewed prior to supervisory review
Evidence of A-123 Section Chief or Team Leader review of the work performed that supports conclusions and OFIs about the controls tested
Test teams execute the test plans and determine the effectiveness of the internal controls. The teams include individuals who are:
Adequately trained to execute the test plan
Aware of documentation requirements
Independent of those responsible for carrying out or supervising the controls or transactions tested (not directly responsible or an employee who reports to the manager directly responsible for the internal control being tested)
Test teams may be comprised of A-123 staff, testers independent of the process, SMEs, and contractors.
To conduct an independent testing of internal controls outside of audits conducted by GAO and TIGTA, the team must develop the test plan, execute the test plan, and document the internal controls. This IRM describes the IRS processes for test plan development, test execution, and internal control documentation.
Internal controls are documented policies and procedures used by management to verify transactions are accurate, properly recorded, and executed in accordance with management’s directives. SMEs will work with the A-123 team to verify current documentation is available for each transaction.
Process documentation includes:
A description of key processes, which includes examples of the processing documents (flowcharts, cycle memos, desk guides)
Correlation of the process relationship to financial statement line items, significant accounts, group of accounts, and major classes of transactions
Inputs, activities, and outputs in place to accomplish the processes control objectives
Descriptions of key financial reporting controls
Descriptions of information systems used to support the process
Descriptions and results of monitoring activities in place to verify controls are functioning properly
Descriptions of process relationships to other financial reporting processes
Policies and procedures governing transactions such as laws, regulations, IRM, interim guidance memoranda, SERP IRM Procedural Updates (IPUs), and SOPs
External financial reporting assessments (reports issued by GAO or TIGTA)
Internal financial reporting assessments (FMFIA and FFMIA)
Verify there is an adequate crosswalk between the risks and controls in the IRS CDA. For each of the transactions tested, the A-123 team will develop a crosswalk between the risks and controls associated with a given process and the risk and control tested in the transaction’s test plan. Information documented on the CDA template below is shared and confirmed with process owners.
Quality review and quality assurance processes that are already in place are considered SMRs and may be tested as part of the A-123 internal control testing process.
The A-123 transaction test called the AC-6: Administrative Cash Reconciliation, verifies that internal control procedures governing IRS cash reconciliations are in place and working effectively. Cash reconciliations are performed monthly and the IRS A-123 testing is performed on three monthly reconciliations.
SMRs may serve as assurance of testing of internal control; however, the review must meet specific criteria. The documentation should contain sufficient information to enable an individual with no previous connection with the evaluation to understand what was reviewed, what was found, and to verify the reviewer’s judgments and conclusions.
The SMR should have the following elements:
Documented procedures that guide the SMR
Reviews performed at regular intervals
Documented and independent review of results
Documented processes to resolve noted deficiencies
The three-column table below provides questions to address in developing a new quality assurance review. The first column provides questions, the second column is used to determine a yes-or-no answer, and the third column is used to explain the results of the answer.
Quality Assurance Review Development Questions Yes or No Explain Is the SMR actually being used as designed? Is the SMR meeting the internal control objectives? Do the personnel executing the SMR have adequate skills and receive sufficient training to complete review? Are adequate procedures in place for the SMR? Is the guidance for the SMR followed? Were issues/errors /concerns adequately and consistently addressed and documented? Is the guidance for the SMR consistently followed for error determination and documentation requirements? Do the personnel have adequate time, resources, etc. to competently execute the SMR? Are the sample sizes and sample methodologies appropriate for the internal control? Is a documented SMR in place and is it being monitored by an appropriate level of management? Is the SMR performed an appropriate number of times per year to fulfill the internal control function? Is the review performed at an appropriate time in the process to allow for error correction and prevention of a similar error? Is management using the results of SMRs to correct the error, process, or procedure?
Refer to IRM 1.4.31 Resource Guide for Managers, IRS Quality Assurance Program for additional details related to Quality Assurance Reviews.
A transaction is a discrete financial activity that produces information in Treasury’s Consolidated Financial Statements. Each transaction has a series of risks and controls that defines the process; each key control must be tested. Testing controls involves verifying the controls are in place, operating as intended, and meeting control objectives. Test plans allow the team to test the control’s objective, effectiveness, risks, strengths, and weaknesses. Use the outline in IRM 184.108.40.206, Internal Control Test Plan Outline, to develop the internal control test plan.
Procedures when evaluating controls include:
Description of the control test objective.
Testing methods used to test control effectiveness (1) Inspection: looking for evidence of the control, such as the signatures of reviewing official(s) or reviewing past reconciliations; (2) Observation: observing the controls in operation (for example, observing the physical inventory or watching a reconciliation occur); (3) Reconciliation: verifying the balance of one or more items; (4) Re-performance: performing the control as stated in current procedures
Population from which the testing sample size will be drawn
Size of samples to be tested
Parameters that constitute a failed test
Specific tests and documents to review
SOI will determine the most appropriate sample method for each internal control, where applicable. Sampling methodologies must be:
Reliable: Will a particular technique, applied repeatedly to the same object, yield similar results?
Consistent: Is the test plan’s scope and depth appropriate and consistent with other test plans?
Valid: Does the test plan measure what it is intended to measure?
Acceptable Sampling Methods for A-123: Under A-123 there is no requirement to do statistically valid, random sampling. At IRS, the preference is to use one of the following two methods.
Non-Statistical Sample: A subset of a defined population, randomly selected, but not valid to make statistical inferences within a defined level of confidence and precision.
Simple Random Sample: A subset of a defined population, selected using a statistically valid methodology in which every member of the population has an equal, non zero probability of being selected. With this method, testers can make inferences about the population with a defined level of confidence and precision. Usually, the larger the sample size, the higher the level of confidence and precision.
In some cases, seasonal fluctuations (such as periods of limited availability) early in the fiscal year for obligations or tax return filing patterns may require selecting samples from several periods throughout the year to verify a representative sample. The test team should fully explain such work patterns to SOI and have SOI recommend an appropriate sample methodology.
If one of the sample items cannot be reviewed (for example, transaction was reversed and is no longer there), the tester should not use that item. Instead, select the very next item from the population list to review. For example, if testers review a sample of invoices and cannot use a certain invoice, then the testers will select the very next invoice from the population. Additionally, the testers must fully document the reason they cannot review the sampled item in the work papers. If testers have any questions about how to proceed, they must confer with the Test Team Leader.
In defining the population, Test Team Leaders should identify the entire set of items from which the sample should be drawn. This includes:
Verifying the entire population is accounted for when the sample is drawn.
Determining the source document or the transaction documents to be tested.
Defining the period covered by the test.
If applicable, dividing the population to verify the sample is taken from an appropriate group of the population, such as only high-dollar value items.
The sample items selected for testing purposes must be those from the current fiscal year. However, when transactions occur only at the end of the fiscal year, selection from the previous fiscal year is permissible.
If internal controls over financial reporting have changed or if financial systems have changed, select the sample after the implementation.
When multiple locations are involved, the population of all or several locations may be used for sampling if the controls at each location perform essentially the same function and use the same internal controls. Before combining locations into one population, management and test team leaders should consider such factors as:
The extent of uniformity of the controls and their applications at each location
Whether the individual locations can make significant changes to the controls or their application
The amount and nature of centralized oversight or control over local operations
Whether there could be a need for separate conclusions for each location. If the testers concluded the locations should be separate populations, then test team leaders must select separate samples at each location, and testers and management will evaluate the results of each sample separately.
After the test team leader completes and reviews the test plan, the A-123 Section Chief approves the test plan and forwards it to the A-123 Review Board for its approval.
The following chart documents the A-123 Test Sequence.
First Stage (Performed in TeamMate) Second Stage (Performed in TeamMate) Third Stage (Performed via E-mail) Responsible Party Test Team Leader A- 123 Section Chief and Team Leader Process Owner Responsibility Complete record of work done and conclusions and sign off as preparer within CCH TeamMate and notify A-123 Section Chief and Team Leader. A-123 Section Chief and/or Team Leader review work paper documentation in TeamMate. Upon completion of review of each transaction, forward Combined Procedures and Issues Report to process owner for review. The process owner has up to seven days to review the test packages and certify that the A-123 results are reflective of the procedures performed.
The tests are complete when the A-123 Section Chief and/or Team Leader completes and signs off on the work papers.
Evaluating Errors: Test teams must be conscious of the sequential nature of the internal control process. Errors detected in one internal control may be corrected in another step in the process. Therefore, when testers find an internal control problem, before reporting the problem as an error for A-123 purposes, they must verify that a subsequent internal control is not mitigating the problem before it impacts the financial statement. A failure in one of several tests would not necessarily indicate an internal control weakness exists. The testers must consider the error in the context of the entire transaction. The ultimate goal of internal control over financial reporting is to verify accurate information is reported in the financial statements.
Identifying and Documenting Errors: An error exists when a control for a given financial activity does not exist, does not adequately address the relevant risk and control, or is not operating effectively. Control errors may relate to the design of a control or the operation of a control. A control error exists when a properly designed control does not operate as intended, or when the person performing the control does not possess the necessary authority or qualification to perform the control effectively. When a control error is encountered, the team will evaluate it to determine the extent of the error, the effect the error will have on the control, and whether compensating controls exist that mitigate the risk. A compensating control is a technique, or other effort(s), designed to mitigate a control design deficiency, an ineffective operation, or a simple lack of control over a financial process. If compensating controls mitigate the risk posed by internal control error, then the test team will document and explain the result of the mitigating control.
Supporting Documentation for Errors: The A-123 team must thoroughly document the error to support its evaluation of the internal controls. The A-123 team considers the factors below when determining the importance of the error:
The complexity of the transactions (Will one error at the early stages of a process create errors later in the process?)
The volume of transactions (Is the volume of transactions so large that one or two errors will not have an impact?)
The potential risk of fraud (Is this error an indication of fraud, which should be pursued?)
The extent to which the controls have been subjected to on-going monitoring activities throughout the year (Are the controls monitored throughout the year, and errors possibly caught at a later time in the year?)
Magnitude of Errors: The testers must verify that the errors are not irregular or extraordinary, that is the error does not indicate potential for a recurring problem. Therefore, testers must analyze the error to determine all significant factors that may cause the expectation to differ from the actual results.
Evaluating the Impact: At the completion of testing, the Test Team Leader and test team will evaluate the results. The Test Team Leader and test team should have a strong understanding of the errors and decide if the errors are anomalies or a pattern. In most cases, when errors follow a pattern, they are of greater interest than simple anomalies.
Determining What Constitutes the Errors: If an error is due to a failure in internal controls, it requires judgment and an understanding of the relative importance of the errors. Providing absolute error rate thresholds is one approach, but absolute error rates tend to ignore the complexity and diversity of the test environment(s). For example, in a small sample (less than 14) one error may constitute an internal control failure. On the other hand, for medium size samples (15-45), one error may not constitute a failed test, but two errors may constitute a failed test.
Defining Error Conditions: The Test Team Lead will clearly identify the objectives of the specific transaction and define the error conditions. The Test Team Leader will define the criteria for the control deviations (errors) in terms of control activities not followed. For example, the Test Team Leader may define the deviation in the Refunds 6652 Reconciliation as:
A difference was not identified and cleared after 90 days
A reconciliation was not signed by the appropriate person by the designated date
Using the Error Rate Table: In defining the error rate, Test Team Leaders will use judgment in applying Tables I and II. Tables I and II show various sample sizes and the maximum number of errors that may be detected to rely on the controls. The use of each table is encouraged for population sizes over 2,000 items. However, according to the GAO/(CIGIE) Financial Audit Manual, if the population size is smaller, the auditor may ask the statistician to calculate a reduced sample size. The Test Team Leaders will use judgment to evaluate the existence and significance of errors.
Sample Sizes and Acceptable Number of Deviations (90% Confidence Level)
Table I (Tolerable Rate of 5%) Sample Size Acceptable Number of Deviations 45 0 78 1 105 2 132 3 158 4 209 6 Table II (Tolerable Rate of 10%) Sample Size Acceptable Number of Deviations 45 1 78 4 105 6 132 8 158 10 209 14
Documentation: Documentation must support the Test Team Leader’s judgment on whether a control is functioning adequately or not. Exceptions noted in tests of properly designed internal controls may indicate ineffectiveness. Management must consider the extent of a weakness in such cases. Weaknesses are classified as a control deficiency, significant deficiency, or a material weakness.
Recommend Development of Corrective Actions: The IRS will track corrective actions for material problems and OFIs (See IRM 220.127.116.11).
Corrective actions are required when a test reveals material internal control problems which are serious enough to conclude that the internal controls are not working. A problem is material when a reasonable person relies on the information and would have changed their judgement if the corrective actions were taken.
OFIs are situations in which the controls are working but can be strengthened through remedial measures.
Corrective Action Plans: Action plans addressing material problems identified by external sources will be tracked in Joint Audit Management Enterprise System (JAMES) by both the IRS and Treasury. The A-123 team will track OFIs along with the office responsible for the internal control.
Work papers document the A-123 review and record information obtained and analyzed during the A-123 process. The A-123 team uses CCH TeamMate, a Windows-based audit management system, for work paper documentation. CCH TeamMate maintains all work papers created directly in the system as well as work papers scanned and uploaded into the system. The A-123 team prepares and updates work papers throughout the planning and testing phase. The test team documents the following in CCH TeamMate:
Plans for the review, including the test plans
Examination and the evaluation of the adequacy and effectiveness of the systems of internal control
Test procedures followed, the information obtained, and the conclusions reached
CAPs and OFIs
Work papers must be sufficient to:
Enable an experienced tester having no previous connection with the test to understand the nature, timing, extent, and results of testing procedures performed, evidence obtained, and conclusions reached
Indicate the test team member(s) who performed the work and the date they completed the work, as well as the person who reviewed the work and the date of such review
Enable oversight groups to assess adequacy of the test and conclusions
Documentation Guidance for the Test Team Leader: The Test Team Leader is responsible for determining which documents to include in the work papers. If the Test Team Leader determines "exception only documentation" will provide sufficient support for the test results, the work papers must include the following:
A lead sheet identifying all items, attributes, and findings (i.e., x = exception, check mark = no exception). See Sample Lead Sheet below
For one sample, the work papers must include one complete example that clearly identifies and documents all attributes tested
For samples that contain exceptions, the work papers must include all supporting documents
Any documents that may not be retrievable in their exact form at a later date. For example, if a screen print is necessary to support a number or dollar amount that may change in the future, that screen print should be retained to verify that figure as of the test date
In addition, testers and the Test Team Leader should use TeamMate to initial and date each of the work papers prepared and reviewed.
SAMPLE LEAD SHEET
Purpose: To monitor controls over fixed assets
Source: Joe Smith, Operating Accountant
Scope: Active Fixed assets with addition in First Quarter
Procedures: Report #3 List of Active Assets for October, November, and December 20XX was obtained from Joe Smith. The asset file was also obtained, which contained the project invoices from XYZ: Authorization for Fixed Assets and Related Services. See testing performed and results below.
GL Account Property Number Project Number Cost Center Description Beg Balance Addition Ending Balance Est. Life (years) Attributes A B C D E 1 16210 471 01–44000 1074 Grenser Sheet $3,537,649 $3,466 $3,541,115 18/10 Y Y Y Y Y 2 16160 15008 04–10740 1074 Forensic System $55,000 $8,654 $63,654 7 Y Y Y Y Y 3 16210 1438 99–06205 6205 Upgrade Elevator $1,179,369 $3,987 $1,183,356 22/18 Y X X Y Y 4 16150 19958 04–45000 4500 Magnetic Sensor $34,567 $23,459 $58,026 10 Y Y X Y Y 5 16110 12958 00–31100 5200 Spare Punching $934,545 $5,437 $939,982 11 Y Y X Y Y Attributes:
Test objective 1: XYZ reconciliation is submitted timely and accurately.
A. Review sample of XYZ reconciliation to determine whether it was submitted in accordance with Treasury guidelines. B. Review the XYZ reconciliation to ensure the accuracy of the XYZ submission. Test objective 2: Identify, research, and reconcile differences. C. Review sample of ABC reconciliation and supporting documentation for items identified as reconciling differences after researching the summary reports. D. Verify the reconciling items on the IRS ABC agree to the ABC 6652 (Statement if Difference) reports from GWA. Test objective 3: Corrective entries are recorded and posted.. E. Review subsequent reconciliations of ZXC 6652 reports to ensure correcting entries were posted for differences. Attribute Source: Attribute A - Supported by XYZ reconciliation, Statement of Transactions, date transmitted via GWA, pages D.1.2. Attribute B - Supported by comparison of XYZ sub-sample items listed on XYZ report, Statement of Transactions, Pages D.2.3, to IIFS ERXY reports showing monthly activity to Treasury Account Symbol used in the XYZ reconciliation, Pages D.2.5. Attribute C - Supported by Disbursement Tie Out Sheet, Page D.3.4 and the individual transactions listed on the ABC Transaction Log, Pages D.3.8, and the ABC Z224 DISB report, Pages D.2.13. Attribute D - Supported by the comparison of ABC 6652 total, Page D. 4.18, to GWA ABC total, Page 5.18. Attribute E - Supported by ZXC 6652, Page D. 6.23, showing all reconciling differences posted in the month of November 20XX. Test was to review subsequent ZXC 6652 - See 3A Note, Page D. 6.34 - No ZXC (Nov. 0X) printed for the file if there is no activity, i.e. reconciling items. Tick Marks:
Y Attribute met without exception
X Attribute met with exception
Conclusion*: Based on the review of the XYZ reconciliation and supporting documents, it appears that the controls in place to identify and timely address differences are operating effectively.
Documentation: Among other things, work papers may include:
Planning documents and review plans
Control questionnaires, flowcharts, checklists, and the results of control evaluations
Documentation of walkthroughs and interviews
Organization charts, policy and procedures statements, and job descriptions
Copies of important contracts and agreements
Letters of confirmation and representation
Photographs, diagrams, and other graphic displays
Tests and analyses of documentation to support the results of testing and opportunities for improvement, if applicable
Results of analytical review procedures
Audit reports and management replies
E-mails, memos, and other relevant correspondence
CAPs, if appropriate and available
Preparing Work Papers: The documentation within the work papers must be appropriately organized to provide a clear link to the significant findings or issues. Work papers must be sufficient to show that the Test Team completed the following:
Obtained guidance to understand the internal control, plan the testing, and determine the nature, timing, and extent of the tests performed
Adequately planned and supervised work
Observed standards of test work
Obtained sufficient competent documentation to afford a reasonable conclusion
Notation: Highlight or identify the specific attribute in the work papers that the tester verified, such as a signature indicating managerial approval.
Indexing: Work papers will be automatically indexed once loaded into TeamMate to verify test plan results are properly referenced and can be easily traced to supporting documentation. When referring to reports in TeamMate, use the reference number and page number. Based on the associated test objective to the work papers, TeamMate will automatically assign each work paper a reference and a page number.
Sources of data: Clearly identify the source of any information appearing in work papers. An independent reviewer should be able to retrace the reviewer’s steps, from basic schedules to summaries and comments. Worksheets should be cross-referenced to other related work papers and to the test plans. Effective cross-referencing often reduces the need to duplicate data.
Work paper summaries: The process of summarizing provides an objective overview and puts findings in perspective. The team’s Summary should focus on key information and data. Do not include trivial information or editorial comments not supported by testing. Periodically summarizing findings helps verify firm control over the test.
Record Key Meetings and Interviews: Record all key discussions (meetings and interviews) used as support for key decisions (testing decisions/conclusions) and understanding the subject matter or test evidence and include the notes in the work papers. Key decisions and conclusions are often a result of meetings and interviews. Without a record, important information will be lost. Use the format below.
Record of Discussion Date: Time: Type of Contact: In Person: By Telephone: Location of Discussion: Conference Call Person(s) Contacted/Interviewed:(Please list all participants): Name, Position/Title, Office, Telephone Number Name, Position/Title, Office, Telephone Number Initiator(s)/Interviewer(s): Name, Position/Title, Office, Telephone Number Purpose: (Provide a brief description of meeting objective.) Discussion: (Provide notes from meeting.) Other Matters Discussed: (Provide detail notes of other matters discussed outside of the general purpose meeting.) Follow-up Actions: (List follow-up actions from meeting.) Documents to Obtain: (List documents to obtain related to meeting discussion.)
Keep the Writing Simple: Work papers should be easily understandable to an uninitiated reviewer. Avoid jargon and explain all technical terms and acronyms in a separate part of the work papers (glossary of terms).
Keep Papers Understandable: Work papers should be clear, understandable, and must stand on their own. They should need no supplementary information. Anyone reading the papers should be able to determine what the reviewer set out to do, what they did, what they found, and what they concluded. Conciseness is important, of course; however, clarity should not be sacrificed to save time and paper.
Keep Papers Free of Personally Identifiable Information (PII): The work paper documentation should not contain taxpayer, employee, vendor data, etc. All information must be protected according to the guidelines in 18.104.22.168.4, Personally Identifiable Information (PII). All IRS personnel must verify they recognize information that requires protection, regardless of the media on which that information is contained.
Some examples of PII are:
Social Security Numbers
Bank account numbers
Date and place of birth
Mother’s maiden name
Biometric data (height, weight, eye color, fingerprints, etc.)
Keep Papers Relevant: Work papers should be restricted to relevant and material matters; they should directly relate to the review’s objectives. Well-organized test plans, execution of A-123 testing procedures, and work paper review help verify the inclusion of relevant documents only. Do not include editorial comments and observations not supported by testing. It is important that all conclusions are in context and related to specific evidence.
Work Papers Review: After the Test Team Leader has reviewed the work papers, the A-123 Section Chief and/or Team Leader not involved in the testing process reviews the work papers. The purpose of the review is to verify the work papers and testing comply with requirements.
A-123 TEST PLAN APPROVAL PROCESS: The flowchart below shows the process through which the test plans will progress. The bottom of the chart shows that the Test Team Leader develops the internal control test plans, then forwards the test plan to the A-123 Section Chief and/or Team Leader for internal reviews. Next, the A-123 Review Board will review and approve the test plans. Finally, the tests plans are sent to the Department of the Treasury.
A-123 STRUCTURE FOR TEST PLAN APPROVAL Department of the Treasury ⇑ A-123 Review Board ⇑ A-123 Section Chief and Team Leader Review ⇑ A-123 Test Team Leader
A-123 TEST WORK PAPER APPROVAL PROCESS: The flowchart below shows the process through which the completed work papers will progress. The Test Team Leader is the first level of review, followed by the review of the A-123 Section Chief and/or Team Leader. Finally, the CPR and CIR, if applicable is sent to the appropriate process owner(s) for review and sign-off.
A-123 STRUCTURE FOR WORK PAPERS APPROVAL PROCESS Brief MC ESC and A-123 Review Board ⇑ Process Owners ⇑ A-123 Section Chief and Team Leader Review ⇑ A-123 Test Team Leader
Test objective (Purpose of the test)
Expected results (What is the expected outcome?)
Controls tested (Identify IRS controls tested in this test plan, and state whether they include all controls in the CDA)
Contact Name (Name of person to contact for explanation of issues/problems)
SCOPE OF THE TEST
Delineate the scope of the test based on the control’s nature, frequency, and timing (Are all transactions included or only a specific subset? What is the frequency of the testing?)
Resource capabilities required to perform testing (What degree of knowledge do performing the test need?)
Resources to be used to perform control test (Is there separation between individuals who test and individuals who perform the control?)
Determination of the type of relevant reporting assertion provided by the control (What type of assertion do the controls provide?) Rights or Obligations; Completeness or Accuracy; Presentation or Disclosure; Existence or Occurrence; and Valuation or Allocation
Type of test (Inspection, Observation, or Reperformance)
Sample size and basis (Specify method used to select the sample and sample size?)
Assess QAR and SMR potential of transaction (Determine if transaction meets the criteria to be deemed a QAR or an SMR as discussed in IRM 22.214.171.124.3, Evaluate Quality Assurance Reviews (QARs) and Structured Management Reviews (SMRs) and IRM 1.4.31, IRS Quality Assurance Program.
Information needed to conduct test (List documents required for testing)
Steps for testing transaction controls (What are the steps to perform the test against the sample?)
Additional procedures (Describe additional procedures to take if the tester cannot successfully complete the initial test).
Documentation requirements (Describe the documentation process of the test content and results)
TEST OBJECTIVE 1
Obtain and review Internal Management Documents (IMDs) to include Internal Revenue Manual (references), Servicewide Electronic Research Program (SERP) IRM Procedural Updates (IPUs), Interim Guidance Memoranda, Standard Operating Procedures (SOPs),and flowcharts to verify procedures have been developed, implemented and maintained for use by personnel. Also, verify the procedures adequately describe the internal controls for the process and the responsibilities for the organization.
Using the following sources, review findings and related recommendations to assess impact on the process under review and document results:
GAO/TIGTA Weekly Summary Reports
GAO Management Reports
GAO Matters for Consideration (MFC)
RESULTS OF TESTING
Determination of Control Effectiveness (Who reviews the test results and determines the effectiveness of the control?)
Determine whether the process owner(s) consistently applied the controls: (Does the test reflect consistent application of the control?)
DOCUMENT THE EFFECTIVENESS OF THE CONTROL
Determine the effectiveness of the controls
Determine if OFIs are required (If process owner disagrees with OFI, obtain written documentation from process owner stating acceptable level of risk in lieu of implementing OFI)
Determine if corrective action plans are required (If overall controls are ineffective, summarize corrective actions to take within corrective action plan)
The Combined Procedures Report (CPR) is a TeamMate-generated report that provides a detailed account of the purpose of the transaction and the test results of each transaction test step performed. The A-123 Section Chief and/or Team Leader submits the CPR to the process owner(s) at the conclusion of testing so they may gain an understanding of the overall test results.
The Combined Issues Report (CIR) is a TeamMate generated report that provides a detailed account of OFIs identified during testing of a transaction, comprised of issues identified during the current testing period as well as existing issues from previous testing periods. The CIR also provides a detailed response from the process owner stating their concurrence and applicable actions and implementation date for the new process. The CIR also captures a detailed response from process owners when the OFIs issued by A-123 team are not accepted and the process owner accepts the level of risk for not implementing the OFI.
The A-123 team identifies OFIs at the end of the interim testing period (June 30th) and at year end (September 30th). OFIs arise when an existing control is in place, but it could be strengthened through remedial measures. OFIs are re-evaluated once the transaction is tested during the next scheduled cycle. For example, OFIs for annual transactions will be re-evaluated on an annual basis. Non-material issues are tracked by the office responsible for the internal control and the A-123 Team.
CAPs are prepared to address findings in A-123, GAO and TIGTA audit reports. The CAPs provide IRS specific actions, deadlines and resources to address the audit findings, identify needed improvements that correct deficiencies found during testing, and produce recommended improvements.
In the case of TIGTA and GAO findings, remedial CAPs are needed when a test reveals material internal control problems that are serious enough to conclude the internal controls are not working in that transaction. For CAPs that address material problems, both the IRS and Treasury track the CAP in JAMES until the business unit appropriately addresses and closes the corrective action.
In the case of A-123 findings, CAPs are needed when testing reveals internal control problems. When the business unit concurs with findings, the Test Team Leader assists in developing CAPs, which are tracked by the office responsible for the internal control and by the A-123 team via CCH TeamMate. When business units do not concur with corrective actions, the internal control risk shifts to the business unit and remains on file in the event a recurring issue is noted within future testing of the process. The status of OFIs and CAPs are determined as of June 30th and September 30th as part of the test plans.
Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational activities. The financial and operational environment consists of the people, processes, and systems working to support efficient and effective operations. Controls are put in place to address risks within these components.
Continuous monitoring actively identifies, quantifies, and reports control failures such as duplicate vendor records, duplicate payments, and transactions that fall outside of approved parameters. It highlights opportunities to improve operational processes.
Overall responsibility for IRS continuous monitoring includes:
Management (all levels) - Issues and monitors internal control programs, policies, and procedures. Continuously assesses key business controls and transactions, which permits ongoing insight into the effectiveness of the controls and the integrity of transactions.
Information Technology (IT) - Issues security, policy, and guidance for the IRS’ information systems (see IRM 10.8.1, Information Technology Security, Policy and Guidance). Conducts annual assessments of automated internal controls that affect authorizing, processing, transmitting, or reporting material financial transactions to determine whether security controls are in place and operating effectively.
CFO Financial Management (FM) - Conducts reconciliations and reviews in preparation of financial statements to verify timely and accurate reporting.
CFO Corporate Planning and Internal Control (CPIC) - Conducts interim and year-end internal control testing to determine the IRS' compliance with laws and regulations. (See IRM 1.4.2, Resource Guide for Managers, Monitoring and Improving Internal Control).
Continuous monitoring can be traced back to its roots in traditional auditing processes. It goes further than a traditional periodic snapshot audit by putting in place continuous monitoring of transactions and controls so that weak or poorly designed controls can be corrected. When assessing federal agency compliance, inspectors general, evaluators, auditors, and assessors consider the intent of the security concepts and principles articulated within the specific guidance document and how the agency applied the guidance in the context of its mission and business responsibilities, operational environment, and unique organizational conditions. (See NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information System Backgrounds)
IT continuous monitoring activities intersect the IRS A-123 internal control activities through interim and year-end operational controls testing. (See IRM 126.96.36.199, The Department of the Treasury’s Five-Part Approach.)
Transactions IT-2, Set-up and Maintenance of Systems Applications Security, and IT-3, Verify Systems Software Change Control Procedures, include an objective to determine whether user access, roles, and permissions are monitored and updated as necessary. Also included is a comparison of the risks and controls listed in the Control Design Analysis template to those in NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations to determine compliance with NIST requirements.
Transactions IT-14, TIER Upload and Government-wide Treasury Account Symbols (GTAS) Reporting and IT-15, TIER Financial Statement (TFS) Financial Generation (Administrative and Custodial), includes an objective to verify that processes and internal controls are in place for composing, reviewing and approving financial data required for TIER data transmission.
Through continuous monitoring, weak or poorly-designed controls can be corrected or replaced to improve the IRS risk profile. Multi-disciplinary teams consisting of automated systems specialists and accounting and reporting experts will use the appropriate policies and procedures as a basis for performing periodic and routine examinations of each of the financial systems that authorize, process, transmit, or report material financial transactions.