1.4.3 Financial Assurance Control Testing

Manual Transmittal

April 01, 2020

Purpose

(1) This transmits revised IRM 1.4.3, Resource Guide for Managers, Financial Assurance Control Testing.

Material Changes

(1) The name of the work group that performs this function was changed from A-123 to Financial Assurance Control Testing (FACT). Changes were made throughout this document to reflect these changes.

(2) Added new section 1.4.3.1, Program Scope and Objectives; all subsequent sections were re-numbered accordingly.

(3) The IRM was renamed Financial Assurance Control Testing. The following laws and regulations were added to the 1.4.3.1.2, Authorities:

  1. Sarbanes-Oxley Act (SOX) of 2002, Pub. L. No. 107-204.

  2. 31 USC 3512, Federal Managers' Financial Integrity Act (FMFIA) of 1982.

  3. 31 USC 1115, Government Performance Results Act (GPRA) Modernization Act.

(4) The following changes were made to IRM 1.4.3.1.3, Responsibilities:

  1. Changed name of Associate CFO for Corporate Planning and Internal Controls to Associate CFO for Internal Controls; revised responsibilities as appropriate.

  2. Combined responsibilities for ACFO for Financial Management and ACFO for Corporate Budget into one section.

  3. Added responsibilities for Director, Enterprise Assurance and Controls.

  4. Added responsibilities for FACT Section Chiefs.

  5. Changed name of Business Operating Divisions, Functional Operating Divisions/Process Owners to Process Owners.

  6. Changed the name of Test Team Lead to transaction lead.

  7. Changed name of A-123 Test Team to Financial Assurance Control Testing Teams.

(5) Added new section 1.4.1.3.4, Program Management and Review.

(6) Added new section 1.4.1.3.5, Program Controls.

(7) The following Terms were deleted from IRM 1.4.3.1.6, Terms/Definitions:

Term Reason
Anomaly Standardized terminology throughout, this term is no longer used in this IRM
Assertions Created a stand-alone section for assertions; see IRM 1.4.3.3.2.1, Assertions
Axway Not used in this IRM
Closed Opportunity for Improvement Removed from IRM
Completeness and Accuracy Created a stand-alone section for assertions; see IRM 1.4.3.3.2.1, Assertions
Ineffective Common knowledge
Information and Communication Removed from IRM
Interim Guidance Common knowledge
Interim Testing Period Explained in IRM section 1.4.3.3.1, Fact Schedule
Internal Management Document Common knowledge
Internal Revenue Manual Common knowledge
Effective Common knowledge
Deviation Standardized terminology throughout, this term is no longer used in this IRM
Existence or Occurrence Created a stand-alone section for assertions; see IRM 1.4.3.3.2.1, Assertions
Existing Opportunity for Improvement Removed from IRM
Existing Opportunity for Improvement not verified Removed from IRM
Financial Reporting Common knowledge
Financial Statements Common knowledge
Personally-Identifiable Information Common knowledge
Planning Phase Expanded to a stand-alone section; see IRM 1.4.3.3.2, Planning Phase
Reporting Phase Expanded to a stand-alone section; see IRM 1.4.3.3.4, Reporting Phase
Rights and Obligations Created a stand-alone section for assertion; see IRM 1.4.3.3.2.1, Assertions
Standard Operating Procedures Common knowledge
Team Leader Common knowledge
Test Activities Common knowledge
Test Team Leader No longer used in this IRM
Testing Phase Expanded to a stand-alone section; see IRM 1.4.3.3.3, Testing Phase
Valuation and Allocation Created a stand-alone section for assertions; see IRM 1.4.3.3.2.1, Assertions
Workpapers Procedures Report Not relevant to document

(8) The following terms were added to IRM 1.4.3.1.6. Terms/Definition:

Term Reason
Internal Control Weakness This level of finding was added to processes and procedures.
Misstatement This term was added to increase understanding of language used in reports.
Operating Effectiveness This term was added to increase understanding of language used in reports.

(9) The following terms were revised in IRM 1.4.3.1.6, Terms/Definition:

Term Reason
Compensating Control Revised to clarify
Control Activity Revised to clarify
Control Deficiency Revised to clarify
Control Design Analysis Revised to clarify
Methodology Revised to clarify
Reportable Issue Revised to clarify
SERP Alert Revised to clarify
TeamMate Revised to clarify how the system is used

(10) The following guidance was deleted from 1.4.3.1.2, Authorities, and was moved to 1.4.3.1.8, Related Resources:

  1. GAO CIGIE Financial Audit Manual (FAM)

  2. OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control Appendix A: Internal Control over Reporting

  3. Treasury Annual Implementation guidance

(11) Deleted old section 1.4.3.8, The Department of the Treasury’s Five-Part Approach. This approach is no longer used and new guidance is issued annually.

(12) This IRM was restructured chronologically into the three phases of the FACT test cycle (planning, testing, reporting); sections throughout were moved to accomplish the new structure. The following sections were deleted as a result:

  1. 1.4.3.10.1, A-123 Schedule.

  2. 1.4.3.10.2, Test Planning.

  3. 1.4.3.10.3, Work Paper Documentation.

  4. 1.4.3.10.4, Testing.

  5. 1.4.3.11, Transaction Test Plan Development and Test Execution.

  6. 1.4.3.11.1, Document Internal Controls.

  7. 1.4.3.11.2, Document Control Design Analysis (CDA).

  8. 1.4.3.11.3, Evaluate Quality Assurance Reviews (QARs) and Structured Management Reviews (SMRs).

  9. 1.4.3.11.4, Develop and Document Test Plan.

  10. 1.4.3.11.5, Document Population and Obtain Sample from Statistics of Income (SOI).

  11. 1.4.3.11.6, A-123 Review Board Reviews Test Plan.

  12. 1.4.3.11.7, Transaction Testing Sequence.

  13. 1.4.3.11.8, Evaluating Errors Discovered During Testing.

  14. 1.4.3.12, Work Papers.

  15. 1.4.3.13, A-123 Work Product Approval Process.

  16. 1.4.3.14, Internal Control Test Plan Outline.

  17. 1.4.3.15, Combined Procedures Report (CPR).

  18. 1.4.3.16, Combined Issues Report (CIR).

  19. 1.4.3.17, Opportunity for Improvements (OFIs)/Corrective Action Plans (CAPs).

(13) This IRM was restructured chronologically into the three phases of the FACT test cycle (planning, testing, reporting), sections throughout were moved to accomplish the new structure. The following sections were added as a result:

  1. 1.4.3.3, General Guidance for FACT.

  2. 1.4.3.3.2, Planning Phase.

  3. 1.4.3.3.2.1, Assertions.

  4. 1.4.3.3.2.2, Test Plan Template.

  5. 1.4.3.3.3, Testing Phase.

  6. 1.4.3.3.3.1, Sampling.

  7. 1.4.3.3.3.2, Review of SMRs and QARs.

  8. 1.4.3.3.3.3, Substantive Testing.

  9. 1.4.3.3.3.4, Evaluating Exceptions.

  10. 1.4.3.3.4, Reporting Phase.

Effect on Other Documents

IRM 1.4.3, dated May 4, 2016, is superseded.

Audience

All business units

Effective Date

(04-01-2020)

Ursula S. Gillis
Chief Financial Officer

Program Scope and Objectives

  1. Purpose - The IRM provides information for implementing OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendix A: Management of Reporting and Data Integrity Risk.

  2. Audience - All business units

  3. Policy Owner - The CFO, Associate CFO (ACFO) for Internal Controls (IC) unit.

  4. Program Owner - Financial Assurance Control Testing (FACT) Team

  5. Primary Stakeholders - All divisions and functions.

  6. Program Goals - Ensure the IRS implements and complies with OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendix A: Management of Reporting and Data Integrity Risk

Background

  1. The passage of the Sarbanes-Oxley Act of 2002 (SOX) served as an impetus for the Federal Government to reevaluate its policies relating to internal control over financial reporting and management’s related responsibilities. SOX requires management of publicly-traded companies to strengthen their processes for assessing and reporting on internal control over financial reporting. While SOX created a new requirement for publicly-traded companies, federal managers had been subject to similar internal control reporting requirements for many years.

  2. A joint committee of representatives from the CFO Council and the Council of Inspectors General on Integrity and Efficiency (CIGIE) was formed in 2008 and tasked with reviewing the SOX requirements for publicly-traded companies, determining how these requirements apply to federal agencies, and recommending changes to the existing guidance on internal control. The joint committee recommended significant changes to the OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A: Management of Reporting and Data Integrity Risk, which included a requirement for agencies to document and test internal controls to verify they are in place and working as intended.

  3. In order to emphasize the importance of having appropriate risk management processes, OMB updated Circular A-123, Management's Responsibility for Internal Control to include Enterprise Risk Management (ERM). The Circular was renamed Management’s Responsibility for Enterprise Risk Management and Internal Control, and Appendix A was renamed Management of Reporting and Data Integrity Risk.

Authorities

  1. The authorities related to this IRM are:

    1. Sarbanes-Oxley Act (SOX) of 2002, Pub. L. No. 107-204

    2. 31 USC 3512, Federal Managers' Financial Integrity Act (FMFIA) of 1982

    3. 31 USC 1115, Government Performance Results Act (GPRA) Modernization Act

Responsibilities

  1. This section provides responsibilities for:

    1. CFO

    2. ACFO for Internal Controls (IC)

    3. Associate CFOs for Financial Management (FM) and Corporate Budget (CB)

    4. Director, Enterprise Assurance and Controls

    5. Statistics of Income (SOI) Division

    6. Financial Assurance Control Testing (FACT) Teams

    7. FACT section chiefs

    8. Transaction lead

    9. Process owners

CFO and Deputy CFO
  1. The CFO and deputy CFO are responsible for executing OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendix A: Management of Reporting and Data Integrity Risk requirements to support Treasury’s assurance statement by properly identifying, testing, and evaluating the IRS’s controls over data integrity and financial reporting.

Associate CFO for Internal Controls
  1. The ACFO for IC is responsible for:

    1. Overseeing the FACT process including approving final test plans.

    2. Administering the governance process by chairing the FACT Review Board, providing the status and results of FACT activities to the Management Controls Executive Steering Committee (MC ESC) and the FACT Review Board, and documenting key decisions.

Associate CFOs for Financial Management and Corporate Budget
  1. The ACFO for FM and the ACFO for CB are responsible for:

    1. Approving test plans.

    2. Designating a FACT Review Board representative and back-up.

    3. Providing SMEs to review the control design analysis to verify that the transaction lead identified key controls.

    4. Delivering requested internal control documentation stated in the Prepared by Client (PBC) listing timely.

    5. Developing and monitoring corrective action plans (CAPs) for identified weaknesses.

    6. Reviewing and signing the combined procedure report (CPR), combined issues report (CIR) and executive summary, as applicable.

Enterprise Assurance and Controls
  1. Enterprise Assurance and Controls is responsible for:

    1. Providing clear and concise communication of FACT assessment objectives throughout the agency.

    2. Approving the FACT assessment methodology and guidance.

    3. Leading the coordination of testing activities and timelines with process owners, Treasury and GAO.

    4. Ensuring the FACT team carries out assessments in a thorough, effective and timely manner.

    5. Communicating agency management issues identified during testing.

    6. Collaborating with SMEs and points of contacts (POCs) to assist in the development of the control design analysis (CDA) and test plans timely.

    7. Communicating and coordinating with external oversight groups.

    8. Ensuring FACT documentation meets retention standards.

Statistics of Income Division
  1. SOI is responsible for:

    1. Determining an appropriate sampling method and size for each control based on frequency.

    2. Using statistical sampling methods to generate random samples.

Financial Assurance Control Testing Teams
  1. FACT teams are comprised of the transaction lead and individuals assisting with executing the test plan.

  2. FACT testing teams are responsible for:

    1. Obtaining and reading applicable IRMs, Interim Guidance Memoranda, SOPs, Job Aids, Servicewide Electronic Research Program (SERP) Alerts, IRM Procedural Updates (IPUs), GAO/TIGTA audit reports and other guidance related to assigned test steps.

    2. Reviewing and checking off FACT checklists to verify required steps are completed.

    3. Conducting substantive testing of supporting documents received from the process owners.

    4. Communicating any exceptions found within the test plan.

    5. Verifying all required supporting documentation is available for assigned test steps and timely notifying the POC and SME of any exceptions.

    6. Verifying facts with the appropriate process owner, if exceptions are identified.

    7. Analyzing test results to determine if internal controls are in place and working effectively.

    8. Reporting results of substantive testing to the process owners and management.

    9. Providing suggested test plan updates based on recent execution of the test plan.

FACT Section Chiefs
  1. The FACT section chiefs are responsible for:

    1. Providing guidance and management support for the planning, testing and reporting on the effectiveness of controls related to mitigating risk and ensuring data integrity for financial reporting.

    2. Coordinating with internal stakeholders and business units to identify areas of risk related to key internal controls.

    3. Directing test procedures to evaluate whether internal controls are effective at managing and mitigating risk and ensuring data integrity for financial reporting.

    4. Reporting on the results of testing of internal controls, particularly those related to financial management, and prompting program managers to develop and implement corrective action plans to remediate any control weaknesses or other deficiencies identified during the course of testing.

    5. Engaging with external stakeholders, including the Treasury Department and GAO, on the development and implementation of program guidance, assessment activities, test outcomes, and formal reporting.

Transaction Lead
  1. The transaction lead is responsible for:

    1. Understanding the processes and procedures related to their transactions.

    2. Performing test work in accordance with relevant standards, OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendix A: Management of Reporting and Data Integrity Risk FACT SOPs and other adopted federal guidance.

    3. Identifying the risks associated with the transactions and the controls in place to mitigate those risks.

    4. Assessing the control risk for each control.

    5. Determining the nature, timing and extent of testing performed.

    6. Developing the CDA, internal control test plan and PBC listing.

    7. Communicating deadlines with process owners to ensure timeliness of work performed.

    8. Verifying necessary meetings and interviews, documenting all conclusions and planning appropriate follow-up actions.

    9. Elevating significant matters to the FACT section chiefs, team leads, and when necessary, Enterprise Assurance and Controls, for further consideration.

    10. Reviewing test work completed by other team members.

    11. Documenting exceptions from the internal control test plan as reported by the test teams.

    12. Submitting completed workpapers at the end of the interim and fourth quarter testing.

    13. Reviewing GAO/TIGTA reports that contain open recommendations.

Process Owners
  1. The process owners are responsible for:

    1. Providing SMEs to identify key controls and review the CDA to verify that FACT identified key controls.

    2. Participating in FACT interviews and walkthroughs.

    3. Communicating existing MFCs or recommendations noted by GAO or TIGTA and the current status related to processes under review, if applicable.

    4. Gathering and delivering requested Internal Control documentation stated in the PBC listing by the respective due date.

    5. Evaluating existing management review procedures.

    6. Reviewing and signing the CPR, CIR and executive summary, as applicable.

    7. Developing and monitoring CAPs for reported issues.

    8. Providing timely responses to reported issues.

    9. Communicating changes to processes.

Program Management and Review

  1. Program Reports - The reports issued by FACT are:

    1. CIR - Report detailing the reportable issues identified during testing of a transaction, which includes issues identified during the current testing period as well as existing issues from previous testing periods.

    2. CPR - Report detailing the test steps, dates and results of transaction testing.

    3. Executive Summary - Report summarizing the scope and testing performed and the results.

  2. Program Effectiveness:

    1. Ability to identify internal control weaknesses related to financial reporting.

    2. Ability to make recommendations that improve internal controls or program efficiency.

Program Controls

  1. The following controls are in place to ensure compliance:

    1. Test plans are reviewed and approved by the FACT Review Board.

    2. Test plan documentation, evidence and results are reviewed by FACT team leads and/or section chiefs and the Director, Enterprise Assurance & Controls.

    3. Final CIRs and CPRs are reviewed and signed by the responsible executive for the process.

    4. Final test plans, results of testing and reportable issues are reviewed by Treasury and GAO.

    5. The MC ESC is notified anytime an Internal Control Weakness (ICW) is identified.

Terms/Definitions

  1. The following terms and definitions apply to this program:

    1. CCH TeamMate – A Windows-based Audit Management System used by the FACT team to manage the review and reporting of the annual control testing process. Workpapers are prepared and stored in the application for all the transactions tested.

    2. Combined Issues Report (CIR) - A consolidated report of issues identified during testing of a transaction, which includes issues identified during the current testing period as well as existing issues from previous testing periods.

    3. Combined Procedures Report (CPR) - A consolidated report that provides the details of the test steps, dates and results of transactional testing.

    4. Compensating Control – A control that limits the severity of risk from a missing control. While a compensating control mitigates the effects of a control deficiency, it does not eliminate a control deficiency.

    5. Continuous monitoring - Activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.

    6. Control Activities - The actions management establishes through policies and procedures to ensure directives are carried out and that necessary steps are taken to address risks.

    7. Control Deficiency - Exists when the design, implementation or operation of a control does not allow management or personnel, in the normal course of performing their assigned functions, to prevent or detect control weakness in a timely manner or aid in addressing risks.

    8. Control Design Analysis (CDA) - Documents the risk associated with a process, key controls designed to mitigate the risk and assessment of their effectiveness.

    9. Control Environment - The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objective.

    10. Control Risk - The risk that a material misstatement could occur but may not be detected and corrected or prevented by the entity’s internal controls.

    11. Corrective Action – An action taken by the process owner that corrects identified deficiencies and produces recommended improvements.

    12. Corrective Action Plan - Documents the strategy and/or detailed steps to be taken to remediate an identified control deficiency or weakness.

    13. Exception - A testing attribute that does not conform to the common rule.

    14. Internal Control Weakness (ICW) - A reportable issue identified during testing that indicates that there is a weakness in an overall system of controls.

    15. Inspection - Examination of documents, products or services to evaluate the consistency, efficiency and/or effectiveness of a control.

    16. Internal controls - An integral part of any organization's financial and business policies and procedures. Internal controls consist of all the measures taken by the organization for the purpose of (1) protecting its resources against fraud, waste and inefficiency; (2) ensuring accuracy and reliability in accounting and operating data; (3) securing compliance with the policies of the organization and (4) evaluating the level of performance in all organizational units of the organization.

    17. Job aids - May be an IRM exhibit or SERP Alert, a Technical Communications Document (TCD) or a document used as training material.

    18. Management Information Only (MIO) - A reportable issue identified during testing that is designated as being for Management’s Information Only and consisting of a suggestion to enhance a working control based on industrial standards and/or best practices. In these scenarios, controls are in place and are effective but there are some potential enhancements that could be made to improve the control.

    19. Material Weakness - A deficiency deemed significant enough by the Agency Head to render internal controls ineffective and warrant reporting outside of the agency (for example, the Executive Office of the President and the relevant Congressional oversight committees).

    20. Methodology – A documented process for applying standards when assessing, documenting and reporting on internal controls over risks related to financial reporting and data integrity.

    21. Misstatement - The amount by which a financial statement line item can differ from its true amount.

    22. Mitigating Control – A type of control used to discover and prevent mistakes that may lead to uncorrected and/or unrecorded misstatements related to control deficiencies.

    23. Monitoring - Activities management establishes and operates to assess the quality of performance over time.

    24. National Institute of Standards and Technology (NIST) – Responsible for developing information security standards and guidelines, including minimum requirements for federal information systems based on its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law 107-347.

    25. Observation - The review of a process or procedure being performed by others.

    26. Operating effectiveness - A measure of the extent to which controls achieve their stated goals; evaluated by the test of controls to address the how, by whom, and with what level of consistency controls, policies and procedures have been applied.

    27. Opportunity for Improvement (OFI) – A reportable issue identified during testing that indicates there is a weakness in a control.

    28. Prepared by Client (PBC) Listing - Detailed request of information and documents needed from the customer to conduct testing.

    29. Population - Universe or list of items for a given period of time from which the sample will be derived.

    30. Process owner - Organization, business unit, operating/business division or office responsible for managing and overseeing the objectives and performance of a process.

    31. Quality Assurance Review (QAR) - Assessment of an organization’s risk and internal controls to verify adequate management controls are in place and functioning effectively to accomplish organizational goals and protect resources.

    32. Re-performance - Independent execution of procedures or controls that were originally performed as part of the entity’s internal control.

    33. Reportable Issue - An issue that is identified during testing that indicates controls are weak, nonexistent or bear monitoring. There are three categories of reportable issues: ICW, OFI and MIO.

    34. Risk assessment – Assess the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

    35. Sample - Items selected from a population to be tested to reach a conclusion about the population as a whole.

    36. Sampling Plan – An outline detailing the criteria to use to select a sample (size, frequency of control, risk, etc.) from which the transaction lead will select a certain number of items to use to reach a conclusion representative of the whole population.

    37. Scope - Description of the physical locations, organizational units, activities and processes and the corresponding time period subjected to examination or review.

    38. SERPAlert - The information communicated to employees may provide a reminder or notification to address work stream, programming or system problems.

    39. Significant Deficiency – A deficiency or a combination of deficiencies in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

    40. Statement of Assurance – A certification included in the annual Agency Financial Report (AFR) that represents the Commissioner’s informed judgment as to overall adequacy and effectiveness of internal controls. The Commissioner provides either an unmodified statement that an effective and efficient system of internal controls exists, a modified statement that an overall sound system of internal control exists but one or more material weaknesses have been identified, or a statement of no assurance on the system of internal controls.

    41. Structured Management Review (SMR) – A review of documented continuous monitoring activities including QARs or other independent internal reviews put in place to cover many IRS internal control activities during the normal course of operations.

    42. Supporting Documentation - Written information and/or data providing backup to substantiate the conclusion.

    43. Testing – After planning, the transaction lead performs the procedures listed in the test plan. The transaction lead tests the key internal controls and the accuracy of the transaction. The transaction lead uses various techniques such as sampling.

    44. Test Objectives - Purposes or intended goals stating what the transaction lead wants to accomplish when implementing the specified test activities.

    45. Test Plan - A document describing the scope of the testing and identifying the methodology used to conduct tests.

    46. Test Steps - Procedures performed to reach established audit objectives and assess the efficiency and effectiveness of control activity.

    47. Transaction - Represents activities and/or processes impacting and reflected in the Treasury consolidated financial statements.

    48. Walkthrough - Process by which to assist in understanding design and implementation of controls and may include a combination of interviews, observations, examination of documents and/or tracing a transaction from initiation to completion.

    49. Workpapers - Documents that support the test results. The workpapers reveal the comprehensive actions the test team performed to test each control during the testing phase. The workpapers connect the entity’s accounting records and financial reporting to the transaction’s assertion.

Acronyms

  1. The following acronyms apply to this program.

    Acronym Meaning
    ACFO Associate CFO
    CAP Corrective Action Plan
    CB Corporate Budget
    CDA Control Design Analysis
    CIGIE Council of Inspectors General on Integrity and Efficiency
    CIR Combined Issues Report
    CPR Combined Procedures Report
    FM Financial Management
    FMFIA Federal Managers’ Financial Integrity Act
    FFMIA Federal Financial Management Improvement Act
    JAMES Joint Audit Management Enterprise System
    MC ESC Management Controls Executive Steering Committee
    NIST National Institute of Standards and Technology
    OFI Opportunity for Improvement
    OMB Office of Management and Budget
    PBC Prepared by Client
    POC Point of Contact
    QAR Quality Assurance Review
    SERP Servicewide Electronic Research Program
    SOP Standard Operating Procedures
    SOX Sarbanes-Oxley Act of 2002
    SME Subject Matter Expert
    SMR Structured Management Review
    SOI Statistics of Income Division
    TDCFO Treasury Deputy Chief Financial Officer
    TIER Treasury Information Executive Repository

Related Resources

  1. GAO CIGIE Financial Audit Manual (FAM)

  2. OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendix A:Management of Reporting and Data Integrity Risk

  3. Treasury Annual Implementation guidance

  4. Generally Accepted Government Auditing Standards (Yellow Book). GAO-18-568G

  5. Standards for Internal Controls in the Federal Government (Green Book). GAO-14-704G

  6. OMB Circular A-136, Financial Reporting Requirements

  7. IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance

  8. NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, Revision 1

  9. NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4 (Recommended Security Controls)

  10. IRM 1.4.2, Monitoring and Improving Internal Control

  11. IRM 1.4.31, IRS Quality Assurance Program

Governance

  1. The IRS has adopted a two-tiered governance process to verify it consistently executes OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendix A: Management of Reporting and Data Integrity Risk requirements, has documentation procedures, provides credible results, and issues, identifies and implements corrective actions. The two-tiered governance process consists of the MC ESC and the FACT Review Board.

    1. The IRS Deputy Commissioners for Operations Support and Services and Enforcement chair the MC ESC, which provides executive level oversight to the FACT process by reviewing testing results and approving the interim and final assurance statements. Refer to IRM 1.4.2, Monitoring and Improving Internal Control, and Sections 1.4.2.6, Roles and Responsibilities, and 1.4.2.7, Management Controls Executive Steering Committee (MC ESC), for additional information related to the MC ESC.

    2. The FACT Review Board is an advisory working group composed of senior executives. Members represent IC, FM, CB, Chief Risk Officer (CRO) and process owners, as applicable. The FACT Review Board has two key responsibilities:
      i) Review test plans to verify test objectives are accurately defined and contain all required internal control procedures.
      ii) Review the sampling plan to verify the methodology, type of sample, and sample sizes are appropriate.

General Guidance for FACT

  1. A transaction is a discrete financial activity that produces information in Treasury’s Agency Financial Report (AFR). It contains a series of risks and controls that defines the process; each key control must be identified. Testing controls involves verifying the controls are in place, operating as intended and meeting the stated objectives.

  2. Internal control is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting and compliance with laws, regulations and policies. The objectives and related risks can be broadly classified into one or more of the following three categories:

    1. Operations - Effectiveness and efficiency of operations

    2. Reporting - Reliability of reporting for internal and external use

    3. Compliance - Compliance with applicable laws and regulations

  3. Each reporting agency in Treasury is required to include a Statement of Assurance in their FMFIA and FFMIA Annual Assurance Statement. Management cannot rely on internal control testing performed by external oversight organizations (for example, GAO and TIGTA) to meet the OMB requirements for providing assurance. The Statement of Assurance must take one of the following forms:

    1. Unmodified statement of assurance (no material weaknesses reported);

    2. Modified statement of assurance, considering the exceptions explicitly noted (one or more material weaknesses or lack of substantial compliance reported); or

    3. Statement of no assurance (no processes in place or pervasive material weaknesses).

  4. FACT team members execute the test plans and determine the effectiveness of the internal controls. The teams include individuals who are:

    1. Adequately trained to execute the test plan

    2. Aware of documentation requirements

    3. Properly supervised

    4. Independent of those responsible for carrying out or supervising the controls or transactions tested (not directly responsible or not an employee who reports to the manager directly responsible for the internal control being tested)

  5. The FACT team follows the GAO Standards for Internal Control in the Federal Government, also known as the Green Book. According to the Green Book, there are five components of internal controls, which are comprised of 17 principles. The components and principles are as follows:

    Components of Internal Control Principles
    Control Environment 1. Demonstrate Commitment to Integrity and Ethical Oversight Responsibility
    2. Exercise Oversight Responsibility
    3. Establish Structure, Responsibility and Authority
    4. Demonstrate Commitment to Competence
    5. Enforce Accountability
    Risk Assessment 6. Define Objectives and Risk Tolerances
    7. Identify, Analyze and Respond to Risk
    8. Assess Fraud Risk
    9. Analyze and Respond to Change
    Control Activities 10. Design Control Activities
    11. Design Activities for Information Systems
    12. Implement Control Activities
    Information and Communication 13. Use Quality Information
    14. Communicate Internally
    15. Communicate Externally
    Monitoring 16. Perform Monitoring Activities
    17. Evaluate Issues and Remediate Deficiencies

FACT Schedule

  1. There are two FACT testing cycles; interim and fourth quarter. Generally, fourth quarter testing is a continuation of interim testing; however, because of the nature and timing of the transactions, some are only tested during one of the cycles.

  2. The FACT section chiefs develop a detailed FACT timeline for the testing cycles to verify tests are appropriately scheduled and sufficient resources are available. They monitor the schedule and inform the EAC Director and ACFO for IC of any execution delays.

  3. There are three phases during each testing cycle:

    1. Planning phase

    2. Testing phase

    3. Reporting phase

Planning Phase

  1. The planning phase begins in November and ends in March for interim testing, and begins in July and ends in November for fourth quarter testing.

  2. The FACT team transaction lead first obtains an understanding of the process and related risks. This is accomplished by:

    1. Reviewing applicable risk registers.

    2. Reviewing the IRS Enterprise Risk Profile.

    3. Reviewing related IRMs, Interim Guidance Memoranda, SOPs, Job Aids and SERP Alerts.

    4. Interviewing SMEs, observing and walking through processes.

    5. Reviewing and following-up on applicable GAO and TIGTA findings and recommendations.

    6. Identifying potential sources of data that could be used as evidence.

    7. Reviewing relevant SMRs and/or QARs.

    8. Reviewing any other miscellaneous documents.

  3. The transaction lead documents the process and creates the CDA. The CDA defines the following transaction attributes:

    1. Risks

    2. Control activities

    3. Control objectives

    4. The risk level (high, medium or low)

    5. Frequency of controls

    6. Compensating controls

    7. The type of control (preventive or detective)

    8. How the control is performed (manual or automated)

    9. The business unit SME

    10. The financial assertions (see IRM 1.4.3.4.2.1)

    11. The test objective where the control will be tested

    12. References to policies and procedures

    13. The enterprise risk the control mitigates

  4. Using the CDA, the transaction lead determines the scope, objectives and methodology for testing.

    1. The scope defines the boundaries of the tests and directly relates to the test objectives. For example, the period reviewed, the availability of necessary documentation or records and the locations of testing are included in the scope definition.

    2. The test objective describes what testing intends to accomplish.

    3. The methodology comprises the steps and techniques involved in gathering and analyzing data to achieve the objectives, such as inspecting sample data or observing controls. Additionally, it includes both the types and extent of test procedures used to achieve the objectives. The test plan documents and provides sufficient, competent and relevant evidence to achieve the test objectives.

  5. After the scope, test objectives and methodology have been determined, the transaction lead develops the test plan. The test plan encompasses:

    1. The control test objective

    2. Population from which the testing sample size will be drawn

    3. Sample methodology

    4. Parameters that constitute a failed test

    5. Specific tests and documents to review

  6. Once the test plan is complete, the transaction lead starts the approval process as follows:

    1. The transaction lead sends the test plan and CDA to the SMEs for review and comment. The transaction lead collaborates with the SMEs to update the test plan, as necessary.

    2. The transaction lead sends the test plan to the team lead for review and updates the plan, as necessary.

    3. The team lead sends the test plan to the section chief for review and approval.

    4. The section chief sends the test plan to the review board. The review board has five business days to approve the test plan.

  7. FACT Test Plan Approval Process: The flowchart below shows the process through which the test plans will progress. The bottom of the chart shows that the transaction lead develops the internal control test plans, then forwards the test plan to the FACT section chief and/or team lead for internal reviews. Next, the FACT Review Board will review and approve the test plans. Finally, the tests plans are sent to Treasury.

    FACT STRUCTURE FOR TEST PLAN APPROVAL
     
    Department of the Treasury
    FACT Review Board
    FACT Section Chief and Director of EAC
    FACT Transaction Lead
     
  8. A-123 Test Workpaper Approval Process: The flowchart below shows the process through which the completed workpapers will progress. The transaction lead is the first level of review, followed by the review of the FACT section chief and/or team lead. Finally, the CPR and CIR, if applicable, is sent to the appropriate process owner(s) for review and sign-off.

    FACT STRUCTURE FOR WORKPAPERS APPROVAL PROCESS
     
    Brief MC ESC and FACT Review Board
    Process Owners
    FACT Section Chief and Team Lead Review
    FACT Transaction Lead
     
Assertions
  1. Financial statement assertions are the implicit or explicit assertions that management is making to users of their financial statements. The role of FACT is to test the controls to determine whether management's assertions can be supported. The financial statement assertions are:

    1. Completeness

    2. Existence and occurrence

    3. Accuracy and valuation

    4. Rights and obligations

    5. Presentation and disclosure

  2. Completeness - Addresses whether all transactions and accounts that should be in the financial statements are included. To support the completeness assertion, FACT obtains sufficient, competent evidence that transactions that should be recorded have been recorded.

  3. Existence and occurrence - Addresses whether assets or liabilities exist at a given date or recorded transactions have occurred during a given period. To support the existence and occurrence assertion FACT obtains sufficient evidence that the asset or liability existed at the time it was recorded.

  4. Accuracy and valuation - Addresses whether assets, liabilities and equity interests included in the financial statements are at appropriate amounts and any corresponding adjustments are appropriately recorded. To support the accuracy and valuation assertion, FACT obtains sufficient evidence that transactions have been recorded accurately.

  5. Rights and obligations - Addresses whether the entity holds or controls the rights to assets included on the financial statements and that liabilities are obligations of the entity. To support the rights and obligations assertion, FACT obtains sufficient evidence to confirm the IRS has a legal title or controls the rights to an asset or has an obligation to repay a liability.

  6. Presentation and disclosure - Addresses whether components of the financial statements are properly classified, described and disclosed. To support the presentation and disclosure assertion, FACT obtains sufficient evidence to support that the account balance has not only been properly measured but also adequately described and disclosed.

Test Plan Template
  1. The test plan template is created during the planning phase to ensure consistency among all test plans. The template is used as the basis for all FACT test plans. The template contains the following sections:

    1. Introduction

    2. Scope of the test

    3. Control test

    4. Test objectives

    5. Results of testing

    6. Effectiveness of controls

  2. Introduction

    1. Test objective (Purpose of the test)

    2. Expected results (What is the expected outcome?)

    3. Controls tested (Identify IRS controls tested in this test plan, and state whether they include all controls in the CDA)

    4. Contact Name (Name of person to contact for explanation of issues/problems)

      Note:

      Test plans that are tested in both interim and fourth quarter testing cycles will not repeat most of the introduction in the fourth quarter template.

  3. Scope of the Test

    1. Delineate the scope of the test based on the control’s nature, frequency, and timing (Are all transactions included or only a specific subset? What is the frequency of the testing?)

    2. Resource capabilities required to perform testing (What degree of knowledge is required for performing the test?)

    3. Resources to be used to perform the control test (Is there separation between individuals who test and individuals who perform the control?)

    4. Determination of the type of relevant reporting assertion provided by the control (What type of assertion do the controls provide?) Rights or Obligations; Completeness or Accuracy; Presentation or Disclosure; Existence or Occurrence; and Valuation or Allocation

    5. Type of test (Inspection, Observation or Reperformance)

    6. Sample size and basis (Specify method used to select the sample and sample size.)

    7. Assess QAR and SMR potential of the transaction (Determine if the transaction meets the criteria to be deemed a QAR or an SMR as discussed in IRM 1.4.3.10.3, Evaluate Quality Assurance Reviews (QARs) and Structured Management Reviews (SMRs) and IRM 1.4.31, IRS Quality Assurance Program.)

  4. Control Test

    1. Information needed to conduct the test (List documents required for testing)

    2. Steps for testing transaction controls (What are the steps to perform the test against the sample?)

    3. Additional procedures (Describe additional procedures to take if the tester cannot successfully complete the initial test)

    4. Documentation requirements (Describe the documentation process of the test content and results)

  5. Test Objective

    1. Generally, the purpose of a test objective is to obtain and review IMDs to include IRMs (references), SERP IRM IPUs, Interim Guidance Memoranda, SOPs and flowcharts to verify procedures have been developed, implemented and maintained for use by personnel. Also, verify the procedures adequately describe the internal controls for the process and the responsibilities for the organization.

    2. Using the following sources, review findings and related recommendations to assess impact on the process under review and document results:

    • GAO/TIGTA Weekly Summary Reports

    • GAO Management Reports

    • GAO MFCs

    • JAMES

    • Prior FACT findings

    Note:

    Test plans that are tested in both interim and fourth quarter testing cycles may not include all the steps within test objective one that were already performed during the interim testing cycle.

  6. Results of Testing

    1. Determination of Control Effectiveness (Who reviews the test results and determines the effectiveness of the control?)

    2. Determine whether the process owner(s) consistently applied the controls (Does the test reflect consistent application of the control?)

  7. Effectiveness of Controls

    1. Determine the effectiveness of the controls

    2. Determine if reportable issues are required (If the process owner disagrees with an issue, obtain written documentation from the process owner stating an acceptable level of risk in lieu of implementing a corrective action)

    3. Determine if corrective action plans are required (If overall controls are ineffective, summarize corrective actions to take within a corrective action plan)

Testing Phase

  1. During the testing phase, the transaction lead executes the approved test plan by:

    1. Detailing when the testing phase begins/ends for interim and fourth quarter testing.

    2. Obtaining a sample for testing from SOI.

    3. Reviewing SMRs and QARs to determine if they provide assurance.

    4. Performing substantive testing on samples and other supporting documentation.

Sampling
  1. In defining the population, the transaction lead should identify the entire set of items from which the sample should be drawn. This includes:

    1. Verifying the entire population is accounted for when the sample is drawn.

    2. Determining the source document or the transaction documents to be tested.

    3. Defining the period covered by the test.

    4. If applicable, dividing the population to verify the sample is taken from an appropriate group of the population, such as only high-dollar value items.

  2. The sample items selected for testing purposes must be those from the current fiscal year. However, when transactions occur only at the end of the fiscal year, selection from the previous fiscal year is permissible.

  3. If internal controls over financial reporting have changed or if financial systems have changed, select the sample after the implementation.

  4. When multiple locations are involved, the population of all or several locations may be used for sampling if the controls at each location perform essentially the same function and use the same internal controls. Before combining locations into one population, management and the transaction lead should consider such factors as:

    1. The extent of uniformity of the controls and their applications at each location.

    2. Whether the individual locations can make significant changes to the controls or their application.

    3. The amount and nature of centralized oversight or control over local operations.

    4. Whether there could be a need for separate conclusions for each location. If the testers concluded the locations should be separate populations, then transaction leads must select separate samples at each location, and testers and management will evaluate the results of each sample separately.

  5. The transaction lead sends the population to SOI to generate the sample. SOI determines the most appropriate sample method for each test to be performed, where applicable. Sampling methodologies must be:

    1. Reliable: Will a particular technique, applied repeatedly to the same object, yield similar results?

    2. Consistent: Is the test plan’s scope and depth appropriate and consistent with other test plans?

    3. Valid: Does the test plan measure what it is intended to measure?

  6. FACT preference is to use one of the following two sampling methods.

    1. Non-Statistical sample: A subset of a defined population, selected using judgement, but not valid to make statistical inferences within a defined level of confidence and precision.

    2. Random sample: A subset of a defined population, selected using a statistically valid methodology in which every member of the population has an equal, non-zero probability of being selected. With this method, transaction leads can make inferences about the population with a defined level of confidence and precision. Usually, the larger the sample size, the higher the level of confidence and precision.

  7. Sampling Guidelines:

    1. In some cases, seasonal fluctuations (such as periods of limited availability) early in the fiscal year for obligations or tax return filing patterns may require selecting samples from several periods throughout the year to verify a representative sample. The transaction lead should fully explain such work patterns to SOI and have them recommend an appropriate sample methodology.

    2. If one of the sample items cannot be reviewed (for example, the transaction was reversed and is no longer there), the transaction lead should not use that item. Instead, select the very next item from the population list to review. The transaction lead must clearly document the reason for the change in the workpapers.

Review of SMRs and QARs
  1. Quality review and quality assurance processes that are already in place are considered Structured Management Reviews (SMRs) and may be tested as part of FACT. SMRs may serve as assurance of FACT; however, the review must meet specific criteria. The documentation should contain sufficient information to enable an individual with no previous connection with the evaluation to understand what was reviewed, what was found, and to verify the reviewer’s judgments and conclusions. Refer to IRM 1.4.31, Resource Guide for Managers, IRS Quality Assurance Program, for additional details related to Quality Assurance Reviews.

  2. The SMR should have the following elements:

    1. Documented procedures that guide the SMR.

    2. Reviews performed at regular intervals.

    3. Documented and independent review of results.

    4. Documented processes to resolve noted deficiencies.

Substantive Testing
  1. Substantive testing is performed by following the procedures the transaction lead identified in the test plan to ensure controls are implemented and working as intended. The transaction lead may delegate substantive testing to supporting team members. The team member testing the samples must appropriately document and record test steps in their workpapers.

  2. All aspects of testing activities require a high level of documentation. Documentation provides the principal support for the FACT process, aids those conducting and leading the testing, and allows for reviews to be conducted. The test team obtains sufficient, competent and evidential documentation to present a reasonable basis for an opinion regarding the tested internal controls through inspection, reperformance, observation, inquiries or confirmations.

  3. Documentation related to planning, testing and reporting on FACT activities should contain sufficient information to enable an individual who has had no previous connection with the testing to understand what was tested, how the test was conducted, the test results and to verify the reviewer’s judgments and conclusions.

  4. The FACT team determines the quantity, type and content of documentation, which provides a clear understanding of the internal control test’s purpose, data sources, results and conclusions. The team organizes the documentation logically to provide a clear link to the conclusions and issues. FACT test documentation must contain the following items:

    1. Objectives, scope and methodology for each transaction, including the testing period, the definition of the sampling universe, and if the team deviated from the approved sampling methodology, the rationale for such actions.

    2. Support for each test conducted, including the copies of documents examined and the rationale for key decisions and any deviations made from approved guidance.

    3. Testing results, analysis and conclusions that provide a clear and concise summary of results cross-referenced to supporting documents and resolution of exceptions or other issues.

    4. Evidence of transaction lead review and sign-off of the workpapers reviewed prior to supervisory review.

    5. Evidence of FACT section chief, team lead or senior team member review of the work performed that supports conclusions about the controls tested.

  5. Workpapers document the FACT review and record information obtained and analyzed during the FACT process. CCH TeamMate maintains all workpapers created directly in the system as well as workpapers scanned and uploaded into the system. The FACT team prepares and updates workpapers throughout the planning and testing phase and documents the following in CCH TeamMate:

    1. Plans for the review, including the test plans.

    2. Examination and the evaluation of the adequacy and effectiveness of the systems of internal control.

    3. Test procedures followed, the information obtained, and the conclusions reached.

    4. Management reviews.

    5. Audit reports.

    6. Issues.

  6. The transaction lead is responsible for determining which documents to include in the workpapers; the workpapers must include the following:

    1. A lead sheet identifying all items, attributes and findings (i.e., x = exception, check mark = no exception).

    2. For one sample, the workpapers must include one complete example that clearly identifies and documents all attributes tested.

    3. For samples that contain exceptions, the workpapers must include all supporting documents.

    4. Documents that may not be retrievable in their exact form at a later date. For example, if a screen print is necessary to support a number or dollar amount that may change in the future, that screen print should be retained to verify that figure as of the test date.

  7. Among the required items above, workpapers may also include:

    1. Planning documents and review plans.

    2. Control questionnaires, flowcharts, checklists and the results of control evaluations.

    3. Documentation of walkthroughs and interviews.

    4. Organization charts, policy and procedures statements and job descriptions.

    5. Copies of important contracts and agreements.

    6. Letters of confirmation and representation.

    7. Photographs, diagrams and other graphic displays.

    8. Results of analytical review procedures.

    9. Audit reports and management replies.

    10. Emails, memos and other relevant correspondence.

    11. CAPs, if appropriate and available.

  8. The documentation within the workpapers must be appropriately organized to provide a clear link to the significant findings or issues. Workpapers must be sufficient to show that the transaction lead completed the following:

    1. Obtained guidance to understand the internal control, plan the testing, and determine the nature, timing and extent of the tests performed.

    2. Adequately planned and supervised work.

    3. Observed standards of test work.

    4. Obtained sufficient competent documentation to afford a reasonable conclusion.

  9. The transaction lead should use the following techniques for documenting in workpapers:

    1. Notation: Highlight or identify the specific attribute in the workpapers that the team member verified, such as a signature indicating managerial approval.

    2. Indexing: Workpapers will be automatically indexed once loaded into TeamMate to verify test plan results are properly referenced and can be easily traced to supporting documentation. When referring to reports in TeamMate, use the reference number and page number. Based on the associated test objective to the workpapers, TeamMate will automatically assign each workpaper a reference and a page number.

    3. Sources of data: Clearly identify the source of any information appearing in workpapers. An independent reviewer should be able to retrace the reviewer’s steps, from basic schedules to summaries and comments. Worksheets should be cross-referenced to other related workpapers and to the test plans. Effective cross-referencing often reduces the need to duplicate data.

    4. Workpaper summaries: The process of summarizing provides an objective overview and puts findings in perspective. The team’s summary should focus on key information and data. Do not include trivial information or editorial comments not supported by testing. Periodically summarizing findings helps verify firm control over the test.

    5. Record Key Meetings and Interviews: Record all key discussions (meetings and interviews) used as support for key decisions (testing decisions/conclusions) and understanding the subject matter or test evidence and include the notes in the workpapers. Key decisions and conclusions are often a result of meetings and interviews. Without a record, important information will be lost. Use the format below.

    6. Keep the Writing Simple: Workpapers should be clear and concise to an uninitiated reviewer. Avoid jargon and explain all technical terms and acronyms in a separate part of the workpapers (glossary of terms).

    7. Keep Workpapers Understandable: Workpapers should be clear, concise and must stand on their own. They should not need any supplementary information. Anyone reading the papers should be able to determine what the team member set out to do, what they did, what they found, and what they concluded.

    8. Keep Workpapers Free of PII: The workpaper documentation should not contain taxpayer, employee, vendor data, etc. All information must be protected according to the guidelines in 1.4.18.12.4, Personally Identifiable Information (PII).

    9. Keep Workpapers Relevant: Workpapers should be restricted to relevant and material matters; they should directly relate to the review’s objectives. Well-organized test plans, execution of FACT procedures and workpaper reviews help verify the inclusion of relevant documents only. Do not include editorial comments and observations not supported by testing. It is important that all conclusions are in context and related to specific evidence.

Evaluating Exceptions
  1. An exception is an attribute that does not meet the expected test criteria. The transaction lead must determine if the exception is a control weakness. The transaction lead must be conscious of the sequential nature of the internal control process. Exceptions detected in one internal control may be corrected in another step in the process. Therefore, when an exception is identified, before reporting the problem as an issue, the transaction lead must verify that a subsequent internal control is not mitigating the problem before it impacts the financial statement. An exception in one of several tests would not necessarily indicate an internal control weakness exists. The transaction lead must consider exceptions in the context of the entire transaction. The ultimate goal of FACT is to verify accurate information is reported in the financial statements.

  2. An internal control weakness exists when a control for a given activity does not exist, does not adequately address the relevant risk and control, or is not operating effectively.

  3. The FACT team must thoroughly document the exception to support its evaluation of the internal controls. The FACT team considers the factors below when determining the importance of the exception:

    1. The complexity of the transactions (Will one control failure at the early stages of a process create errors later in the process?)

    2. The volume of transactions (Is the volume of transactions so large that one or two exceptions will not have an impact?)

    3. The potential risk of fraud (Is this exception an indication of fraud, which should be pursued?)

    4. The extent to which the controls have been subjected to on-going monitoring activities throughout the year (Are the controls monitored throughout the year, and exceptions possibly caught at a later time in the year?)

  4. The transaction lead must verify that the exceptions are not irregular or extraordinary, that it does not indicate potential for a recurring problem. Therefore, the transaction lead must analyze the exception to determine all significant factors that may cause the expectation to differ from the actual results.

    Note:

    If the transaction lead determines the exception(s) warrant immediate attention, the transaction lead must contact the FACT section chief and/or team leader. The FACT section chief and/or team leader must notify the Enterprise Assurance & Controls office and/or the ACFO for IC to raise the concerns.

  5. Documentation must support the transaction lead’s judgment on whether a control is functioning adequately or not. Exceptions noted in tests of properly designed internal controls may indicate ineffectiveness. Management must consider the extent of a weakness in such cases. Findings are referred to as a reportable issue and classified as an ICW, OFI or MIO.

    1. ICW - A weakness that exists in an internal control such that the overall system of controls is compromised.

    2. OFI - A weakness exists in an internal control; however, the overall system of controls is not compromised.

    3. MIO - An exception exists that does not present a weakness in an internal control; however, it warrants management’s attention.

  6. If a finding is deemed to be a reportable issue, it is documented and sent to the process owner. The documentation must contain:

    1. The type of issue (ICW, OFI or MIO).

    2. A description of the test objective and the test step where the exception occurred.

    3. A description of the condition in which the exception occurred.

    4. The criteria that was used to determine that the exception occurred. For example, the internal control standard, IRM or SOP.

    5. The cause of the exception.

    6. The effect the exception has on internal controls.

    7. A recommended corrective action.

    8. The process owner and contact information.

    9. The process owner response.

    10. The estimated completion date.

  7. In the case of FACT reported issues, corrective actions or CAPs are needed when testing reveals an OFI or ICW. When the business unit concurs with findings, the transaction lead assists in developing CAPs, which are tracked by the office responsible for the internal control and by the FACT team via CCH TeamMate. When business units do not concur with corrective actions, the internal control risk shifts to the business unit and remains on file in the event a recurring issue is noted within future testing of the process. The status of issues is determined during interim and fourth quarter testing as part of the test plans.

Reporting Phase

  1. The final stage of the FACT cycle is the reporting phase. During the reporting phase, the transaction lead assesses the results of the testing and asserts an opinion on whether or not controls are working.

  2. The transaction lead creates three final reports:

    1. CPR - The CPR is a TeamMate-generated report that provides a detailed account of the purpose of the transaction and the test results of each transaction test step performed. The FACT section chief and/or team leader submits the CPR to the process owner(s) at the conclusion of testing so they may gain an understanding of the overall test results.

    2. CIR - The CIR is a TeamMate-generated report that provides a detailed account of OFIs identified during testing of a transaction, comprised of issues identified during the current testing period as well as existing issues from previous testing periods. The CIR also provides a detailed response from the process owner stating their concurrence and applicable actions and implementation date for the new process. The CIR also captures a detailed response from process owners when issues reported by the FACT team are not accepted and the process owner accepts the level of risk for not implementing a corrective action.

    3. Executive Summary - The executive summary is a one-page report that summarizes the tests performed, the results of the testing, and the assertion made by the transaction lead. The responsible executive that owns the process signs the executive summary, acknowledging receipt of the work performed by the FACT team.

Continuous Monitoring

  1. Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational activities. The financial and operational environment consists of the people, processes and systems working to support efficient and effective operations. Controls are put in place to address risks within these components.

  2. Continuous monitoring actively identifies, quantifies and reports control failures such as duplicate vendor records, duplicate payments and transactions that fall outside of approved parameters. It highlights opportunities to improve operational processes.

  3. Overall responsibility for IRS continuous monitoring includes:

    1. Management (all levels) - Issues and monitors internal control programs, policies and procedures. Continuously assesses key business controls and transactions, which permits ongoing insight into the effectiveness of the controls and the integrity of transactions.

    2. Information Technology - Issues security, policy and guidance for the IRS’s information systems (see IRM 10.8.1, Information Technology Security, Policy and Guidance). Conducts annual assessments of automated internal controls that affect authorizing, processing, transmitting or reporting material financial transactions to determine whether security controls are in place and operating effectively.

    3. CFO FM - Conducts reconciliations and reviews in preparation of financial statements to verify timely and accurate reporting.

    4. CFO FACT - Conducts interim and year-end internal control testing to determine the IRS's compliance with laws and regulations. (See IRM 1.4.2, Resource Guide for Managers, Monitoring and Improving Internal Control).

  4. Continuous monitoring is a key function of the FACT team. The statuses of OFIs and ICWs are tracked and reported on annually. If the status is:

    1. Open - The finding has been reported and no corrective action has been implemented.

    2. Implemented - A corrective action has been implemented but the FACT team has not verified the control is working.

    3. Closed - A corrective action has been implemented and the FACT team has verified the control is working.

    4. Closed Management Accepts Risk - A corrective action has not been implemented and the process owner has accepted the risk associated with the weakness.

    5. Closed No Longer Applicable - A corrective action has not been implemented but the control is no longer relevant. This can occur when there is a change in the overall process.

  5. Continuous monitoring can be traced back to its roots in traditional auditing processes. It goes further than a traditional periodic snapshot audit by putting in place continuous monitoring of transactions and controls so that weak or poorly designed controls can be corrected. When assessing federal agency compliance, evaluators, auditors and assessors consider the intent of the security concepts and principles articulated within the specific guidance document and how the agency applied the guidance in the context of its mission and business responsibilities, operational environment and unique organizational conditions. (See NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information System Backgrounds)

  6. IT’s continuous monitoring activities intersect the FACT internal control activities through interim and year-end operational controls testing. As a result, the FACT team maintains various IT transactions to ensure compliance with Treasury guidance.

  7. Through continuous monitoring, weak or poorly-designed controls can be corrected or replaced to improve the IRS risk profile. Multi-disciplinary teams consisting of automated systems specialists, accounting and reporting experts will use the appropriate policies and procedures as a basis for performing periodic and routine examinations of each of the financial systems that authorize, process, transmit or report material financial transactions.

Record of Discussion

Record of Discussion
Date: Time:
Type of Contact: In Person: By Telephone:
     
Location of Discussion:
Conference Call
     
Person(s) Contacted/Interviewed:(Please list all participants):
Name, Position/Title, Office, Telephone Number
Name, Position/Title, Office, Telephone Number
     
Initiator(s)/Interviewer(s):  
Name, Position/Title, Office, Telephone Number
     
Purpose:    
(Provide a brief description of the meeting objective.)
     
Discussion:    
(Provide notes from the meeting.)
     
Other Matters Discussed:
(Provide detailed notes of other matters discussed outside of the general purpose of the meeting.)
     
Follow-up Actions:
(List follow-up actions from the meeting.)
     
Documents to Obtain:
(List documents to obtain related to the meeting discussion.)

Sample Sizes and Acceptable Number of Errors (90% Confidence Level)

In defining the severity of the exceptions, the transaction lead may use the error rate tables. The transaction lead may use judgment in applying Tables I and II. Tables I and II show various sample sizes and the maximum number of errors that may be detected. The use of each table is encouraged for population sizes over 2,000 items. However, according to the GAO/CIGIE FAM, if the population size is smaller, the statistician may be asked to calculate a reduced sample size. The transaction lead will use judgment to evaluate the existence and significance of a weakness.

Sample Sizes and Acceptable Number of Errors (90% Confidence Level)

 

Table I (Tolerable Rate of 5%)
Sample Size Acceptable Number of Exceptions
45 0
78 1
105 2
132 3
158 4
209 6

Note:

Table I is used for determining sample sizes in all cases.

 

Table II (Tolerable Rate of 10%)
Sample Size Acceptable Number of Exceptions
45 1
78 4
105 6
132 8
158 10
209 14

Note:

Table II is used for evaluating sample results only if preliminary assessment of financial reporting control risk is low and exceptions exceed Table I.