1.4.31 IRS Quality Assurance Program

Manual Transmittal

April 02, 2020

Purpose

(1) This transmits IRM 1.4.31, Resource Guide for Managers, IRS Quality Assurance Program.

Material Changes

(1) IRM 1.4.31.1.6, Terms/Definitions, updated.

(2) IRM 1.4.31.3.1 (1), Quality Assurance Call Memorandum, updated the issuance of the quality assurance call memorandum from December and January to November and December.

(3) IRM 1.4.31.4.2, Internal Control Managerial Assessment Sampling, subsection title change from Federal Manager’s Financial Integrity Act Sampling.

(4) IRM 1.4.31.5.2 (1) Form 14750-A, IRS Quality Assurance Review Checklist, (note) updated review period start date from February to January.

(5) IRM 1.4.31.5.2 (2) Form 14750-A, IRS Quality Assurance Review Checklist, (note) updated to reflect current process.

(6) IRM 1.4.31.5.2 (3)(b), Form 14750-A, IRS Quality Assurance Review Checklist, (note) updated review period end date from June to May.

(7) IRM 1.4.31.5.3 (2)(a), Form 14750-B, IRS Quality Assurance Review Notification, updated to reflect current process.

(8) IRM 1.4.31.5.3 (3), Form 14750-B, IRS Quality Assurance Review Notification, updated Form 14750-B notes section to Recommendations/Findings section.

(9) IRM 1.4.31.5.3 (5), Form 14750-B, IRS Quality Assurance Review Notification, updated responsible party from ACFO to ACFO for Internal Controls.

(10) IRM 1.4.31.5.4, Completed Form 14750-C, IRS Quality Assurance Review Information Document Request, added new subsection to describe purpose and provide instructions for completion of Form 14750-C.

(11) IRM 1.4.31.5.5, Completed Form 14750-D, IRS Quality Assurance Review Closed, added new subsection to describe purpose and provide instructions for completion of Form 14750-D.

(12) IRM 1.4.31.6.1 (1), Timing of Reviews, updated Quality Assurance program review period from January through June to January through May.

(13) IRM 1.4.31.6.4 (5), Volunteer Review Team Training, updated to reflect current process.

(14) IRM 1.4.31.6.5 (1)(d), Review Methodology, updated reference from GAO Internal Control Management tool to GAO Internal Control Evaluation tool.

(15) IRM 1.4.31.6.5 (5)(b), Review Methodology, updated to reflect current process.

(16) This revision includes changes throughout the document for the following:

  1. Updated all references of Federal Manager’s Financial Integrity Act Sampling (FMFIA) to Internal Control Managerial Assessment (ICMA)

  2. Updated all references of shared drive to SharePoint site

  3. Added minor editorial changes

Effect on Other Documents

IRM 1.4.31, dated December 15, 2017, is superseded. This IRM supports IRM 1.4.2, Resource Guide for Managers, Monitoring and Improving Internal Control.

Audience

All IRS managers

Effective Date

(04-02-2020)

Ursula S. Gillis
Chief Financial Officer

Program Scope and Objectives

  1. This IRM provides guidance on the processes and procedures for the IRS Quality Assurance (QA) Program designed to support the annual assurance statement required by the Federal Managers' Financial Integrity Act (FMFIA) and activities defined by Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendix A: Internal Control over Financial Reporting.

  2. Purpose: The QA program identifies and assesses the many management, operational, program and quality assurance internal control reviews completed by the business units.

  3. Audience: All IRS managers.

  4. Policy Owner: The CFO develops and maintains this IRM. CFO develops internal control policy, performs A-123 internal control testing and conducts compliance reviews and program evaluations to pursue an unmodified audit opinion on IRS financial statements. CFO also provides audit-focused training, business-practice development, audit policy and oversight.

  5. Primary Stakeholders: This policy and these procedures apply to managers responsible for creating and monitoring the results of management, operational, program and quality assurance internal control reviews.

  6. Program Goals: The QA program supports the Annual Assurance Statement signed by the Commissioner and submitted to the Department of the Treasury as required by the FMFIA on the status of internal controls.

Background

  1. Quality assurance is a planned, systematic approach designed to provide confidence that programs, products, policies and procedures will conform to established requirements throughout their life cycle. The term “product" is used in this IRM to describe processes and systems developed, produced and acquired by the IRS to carry out critical missions and functions.

  2. Quality assurance identifies unsatisfactory trends and conditions, prevents defects and non-conformances and corrects factors to contribute to improved processes and outcomes.

  3. Quality assurance uses a variety of administrative, analytical, and technical methods and techniques to enhance the excellence and reliability of products and services. The IRS's approach to quality assurance addresses an entire range of activities described for each functional program and/or a variety of systematic activities designed to identify and prevent defective or ineffective processes, and to verify that processes are acceptable and perform as intended.

  4. Recently, a number of factors have exerted a significant influence on the federal government’s quality assurance programs such as:

    1. Internal control requirements

    2. Advances in technology

    3. More sophisticated and complex products and services, such as new software

    4. Greater concern for reliability, user satisfaction and security

    5. More emphasis on economy, timely delivery and the cost of quality

    6. More stringent quality and reliability requirements

  5. Quality assurance reviews give the IRS added assurance that it is adhering to internal control and management guidance, standards, regulations and legislation through a formal objective assessment process. Quality assurance reviews evaluate and document internal control activities over financial reporting in:

    1. Annual financial statements

    2. Other significant internal or external financial reports

    3. Compliance with laws and regulations related to those financial reports

Authorities

Federal Managers’ Financial Integrity Act
  1. The FMFIA requires each executive agency to establish internal accounting and administrative controls. These controls provide reasonable assurance that:

    1. Obligations and costs comply with applicable law.

    2. Funds, property and other assets are safeguarded against waste, loss, unauthorized use or misappropriation.

    3. Revenues and expenditures applicable to agency operations are properly recorded and accounted for permitting the preparation of accounts, reliable financial and statistical reports and maintaining accountability over assets.

  2. The FMFIA is a response to continuing disclosures of waste, loss, unauthorized use and misappropriation of funds or assets associated with weak internal control and accounting systems. This law includes program, operational and administrative areas, as well as accounting and financial management. The law requires agency heads to submit an annual statement of assurance to the President and Congress on the adequacy of internal control and actions taken to correct identified weaknesses. Each annual statement must also include a report on whether the agency's accounting system conforms to the principles, standards and other related FMFIA requirements.

  3. The FMFIA requires federal agency managers to establish internal accounting and administrative controls according to Government Accountability Office (GAO) standards. The FMFIA further requires federal agency managers to annually:

    1. Evaluate and report on the effectiveness of internal control and financial accounting systems according to FMFIA Sections 2 and 4, respectively.

    2. Evaluate whether their agency’s internal controls comply with GAO’s standards according to Office of Management and Budget (OMB) guidelines.

    3. Issue a statement of assurance and indicate full compliance or non-compliance.

  4. IRS management, operational, program and quality assurance reviews conducted by business units support internal accounting and administrative controls prescribed by FMFIA.

Government Accountability Office (GAO) Standards for Internal Control in the Federal Government (Green Book)
  1. As required by FMFIA, GAO established the Standards for Internal Control in the federal government. The standards provide the overall framework for establishing and maintaining internal control, and for identifying and addressing performance and management challenges and areas at greatest risk of fraud, waste, abuse and mismanagement.

  2. The overall internal control framework is illustrated below:

    Figure 1.4.31-1

    This is an Image: 66821002.gif
     

    Please click here for the text description of the image.

  3. The standards comprise a major part of managing an organization, including plans, methods and procedures used to meet missions, goals and objectives and, in doing so, support performance-based management. The three-column table below describes GAO's standards for internal control in the federal government. The first column identifies the standard number, the second column lists the standard and the third column describes the standard.

    GAO’s Standards for Internal Control in the Federal Government
    No. Standard Standard Description
    1. Control Environment The control environment is the foundation for an internal control system. It provides the discipline and structure, which affect the overall quality of internal control. It influences how objectives are defined and how control activities are structured. The oversight body and management establish and maintain an environment throughout the entity that sets a positive attitude toward internal control.
    2. Risk Assessment Having established an effective control environment, management assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses. Management assesses the risks the entity faces from both external and internal sources.
    3. Control Activities Control activities are the actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity’s information system.
    4. Information and Communications Management uses quality information to support the internal control system. Effective information and communication are vital for an entity to achieve its objectives. Entity management needs access to relevant and reliable communication related to internal as well as external events.
    5. Monitoring Internal control monitoring assesses the quality of performance over time and promptly resolves the findings of audits and other reviews. Corrective actions are a necessary complement to control activities in order to achieve objectives.
  4. Policymakers and program managers are continually seeking ways to improve accountability in achieving an entity’s mission. A key factor in improving accountability in achieving an entity’s mission is to implement an effective internal control system. An effective internal control system helps an entity adapt to shifting environments, evolving demands, changing risks and new priorities. As programs change and entities strive to improve operational processes and implement new technology, management continually evaluates its internal control system so that it is effective and updated when necessary.

OMB Circular A-123
  1. OMB Circular A-123 provides specific requirements for assessing and reporting on controls in the federal government. The term internal control in this document covers all aspects of an entity’s objectives for operations, reporting and compliance. The circular:

    1. Requires federal managers to take systematic and proactive measures to develop and implement appropriate internal control for results-oriented management.

    2. Describes the requirements of FMFIA as "an umbrella under which other reviews, evaluations and audits should be coordinated and considered to support management’s assertion about the effectiveness of internal control over operations, financial reporting and compliance with laws and regulations."

      Note:

      "Other reviews" that FMFIA reporting should coordinate and consider include activities under the Government Performance and Results Act Modernization Act (GPRAMA), such as developing strategic plans, setting performance goals and measures and reporting annually on actual performance results compared to goals.

  2. OMB Circular A-123 states:

    1. "Internal control guarantees neither the success of agency programs, nor the absence of waste, fraud and mismanagement, but is a means of managing the risk associated with federal programs and operations." By including "programs and operations," OMB emphasizes goals set by the organization, risks agencies face in meeting those goals, whether agencies have identified and assessed risks and whether agencies have taken steps to manage those risks.

    2. "Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting and compliance with applicable laws and regulations. Management shall consistently apply the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness. When assessing the effectiveness of internal control over financial reporting and compliance with financial-related laws and regulations, management must follow the assessment process contained in Appendix A. Annually, management must provide assurances on internal control in its Agency Financial Report, including a separate assurance on internal control over financial reporting, along with a report on identified material weaknesses and corrective actions."

  3. Appendix A of Circular A-123 requires federal agencies to assess effectiveness of internal control over financial reporting separately.

  4. Additional FMFIA policy is issued in OMB Circular A-123, Appendix D, Compliance with the Federal Financial Management Improvement Act of 1996, governing agencies’ financial management systems. Financial management systems must be in place to process and record financial events effectively and efficiently and provide complete, timely, reliable and consistent information for decision makers and the public. In support of these objectives, each agency must establish and maintain a single integrated financial management system that complies with internal control standards, among other requirements, as defined in OMB Circular A–123 and successor documents. See OMB Circular A-123, Appendix D PDF.

  5. According to the OMB Circular A-123 Implementation Guide:

    1. Federal agencies are subject to numerous legislative and regulatory requirements that promote and support an effective internal control framework. Similarly, numerous reviews are performed by management or on management’s behalf, throughout the year to comply with various laws and regulations.

    2. Agencies should strive to integrate control-related activities within the control framework outlined in Circular A-123. In particular, management should identify opportunities to integrate and coordinate in order to leverage the internal reviews already being performed.

      Example:

      Internal reviews are required by the Federal Information Security Management Act of 2002 (FISMA) PDF and the Improper Payments Elimination and Recovery Act (IPERA) of 2010 PDF. Management should consider the results of these reviews to identify gaps between baseline control activities, the documentation and the assessment process for financial reporting.

    3. The results of the work performed under these laws may also be used to support management’s assertion as to the effectiveness of the internal control. The desired approach would be to design the testing and assessment to accomplish all requirements in the most efficient manner.

Treasury Department Requirements
  1. The Quality Assurance Program follows the Department of the Treasury Guidance (issued annually) that:

    1. Presents the background for OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, Appendix A PDF.

    2. Describes the updated methodology for the fiscal year assessment plan describing the overall approach for the documentation, testing and assessment of internal control over financial reporting.

    3. Provides definitions and assessment parameters defining key factors of the plan, presents the implementation of the testing plan and describes the actions to be taken to execute the methodology.

    4. Provides summary information on the Department of the Treasury annual assurance statement guidance that is distributed by the Office of the Treasury Deputy Chief Financial Officer (TDCFO) in July.

    5. Presents the fiscal year timeline displaying the guidance critical dates.

Responsibilities

  1. This section provides responsibilities for:

    1. CFO

    2. Statistics of Income (SOI)

    3. Business units

CFO
  1. The CFO develops financial management policy and procedures, and performs A-123 testing and program evaluations as part of the IRS clean audit approach. The CFO provides overall program direction for the QA reviews and the ICMA programs, including developing and implementing policy, training and reports to executive leadership.

  2. The CFO QA program responsibilities include:

    1. Establishing and documenting the QA framework and related components.

    2. Developing the annual QA project timeline and plan that identifies yearly tasks, new projects, due dates and points of contact to conduct the continuous QA reviews.

    3. Issuing the Quality Assurance Call Memorandum and the Annual Assurance Call Memorandum to business units for the quality assurance review process.

    4. Developing the annual QA communications plan.

    5. Updating and maintaining the QA review listing through business unit submissions of Form 14750, IRS Quality Assurance Review Questionnaires, as part of the annual assurance review process and the ICMA sampling of managers who complete the annual ICMA.

    6. Collaborating with business units to identify best practices and program improvements.

    7. Providing QA volunteer reviewers with procedures for conducting the annual quality assurance reviews.

    8. Developing and maintaining Integrated Talent Management (ITM) system training courses for the QA program.

    9. Maintaining a website and SharePoint site with references for training, new program policy, frequently asked questions and program updates.

    10. Updating IRM 1.4.31, IRS Quality Assurance Program.

    11. Maintaining records retention of work papers for the annual quality assurance reviews.

    12. Tracking the status of open review findings and recommendations.

    13. Providing the quality assurance review executive updates to the Management Controls Executive Steering Committee (MC ESC).

    14. Conducting in-house quality assurance reviews throughout the IRS, including leveraging the ICMA and GAO Evaluation Tools to carry out its critical mission and functions.

Statistics of Income
  1. SOI assists in the QA program reviews by:

    1. Providing review selections based on CFO criteria when requested (QA and ICMA sample).

    2. Developing and maintaining procedures for review selection.

    3. Working with the CFO to gather all information necessary to implement the sample selection procedures.

Business Units
  1. The business units are responsible for internal controls and implementing quality assurance programs. The goal is to create independent quality assurance processes complimentary to, but separate from, the CFO Quality Assurance Program, including:

    1. Interpreting internal control and quality assurance policy and providing general technical guidance and direction to executives and managers.

    2. Completing the annual GAO internal control evaluation tool.

    3. Identifying and developing quality assurance reviews for their organizations to meet internal control objectives such as management, operational, program and quality assurance reviews based on strategic and performance goals.

    4. Submitting the Form 14750, IRS Quality Assurance Review Questionnaire for each identified management, operational, program and quality assurance review.

    5. Identifying the executives responsible for internal control in their business units.

    6. Identifying Quality Assurance Program review volunteers for their organizations to participate as reviewers in the quality assurance review process led by the CFO.

    7. Advising all executives and managers of internal control and quality assurance review requirements.

    8. Providing input to the CFO on best practices and IRM guidance updates for quality assurance reviews.

    9. Developing and presenting appropriate quality assurance training for their organizations.

    10. Tracking and addressing open GAO, TIGTA and A-123 audit findings and recommendations.

Program Management and Review

  1. Program Reports: The QA program reports include:

    1. MC ESC briefings

    2. Deputy Commissioner Business Performance Reviews (BPRs)

    3. Review results notifications to the business units on Form 14750-B, IRS Quality Assurance Review Notification

    4. Quality Assurance Program Timeline

    5. Quality Assurance Program Communications Plan

  2. Program Effectiveness: The QA program effectiveness is determined by the:

    1. Ability to support the Annual Assurance Statement signed by the Commissioner and submitted to the Treasury Department on the status of internal controls.

    2. Ability to survey the universe of potential reviews adequately.

    3. Continuous program improvement based on best practices discussions with business units, such as the QA program enhancements, including the ICMA sampling, developing and updating official forms used in the review process and providing case studies and instructions.

    4. QA program training and increased managerial awareness of internal controls.

  3. All quality assurance program documentation and reports are stored on the CFO QA SharePoint site and in CCH TeamMate, as appropriate.

Program Controls

  1. Access to the QA program information stored on the CFO QA SharePoint site and on CCH TeamMate is protected by limiting access to those individuals that manage the program.

Terms/Definitions

  1. The following terms and definitions apply to this program:

    1. Annual ICMA - A manager's review of the effectiveness of controls within his/her area of responsibility and the documentation of that review through written and signed certifications. The involvement of each level of management in certifying the control environment within his/her sphere of operations assists in identifying risks at all levels. All managers and executives must complete the ICMA.

    2. Assurance statement - A managerial certification that represents an informed judgment as to the overall adequacy and effectiveness of internal control.

    3. Business units - The IRS areas organized around customers with similar needs. The scope of operations includes collecting individual and corporate taxes, examining returns, assisting taxpayers and servicing tax-exempt organizations.

    4. Continuous monitoring - A process and technology used to detect compliance and risk issues associated with an agency’s financial and operational activities.

    5. Corrective action plan - Describes the specific control weaknesses and the actions necessary for resolution. Plans should include the specific steps to correct the root causes of the weaknesses, responsible individuals and organizations, completion dates and a description of testing or validation methods to ensure findings were appropriately addressed. For any internal controls over financial reporting deemed ineffective as a result of testing and not resolved by June 30, bureaus must develop and submit corrective action plans to the Department.

    6. Effective controls - Designed to safeguard assets, check the accuracy and reliability of accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies.

    7. Enterprise risk management (ERM) - A discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view. ERM contributes to improved decision making and supports the achievement of an organization’s mission, goals and objectives.

    8. Finding - An observation of the internal control results from evaluating the collected audit evidence against audit criteria. Audit findings indicate conformity or nonconformity. If the audit criteria are selected from legal or other requirements, the audit finding is either compliance or non-compliance. If a significant issue is identified during the audit, the issue is classified as a finding. Findings include the criteria or basis for determining that a problem exists, a condition or situation that was observed, the effect of the condition and the root cause of the problem to the extent that it can be determined. Findings should result in recommendations that resolve the issue and are helpful to management. For QA review purposes, recommendations should be actionable items.

    9. Government Accountability Office (GAO) - An independent, nonpartisan agency that works for Congress. GAO investigates how the federal government spends taxpayer dollars. The GAO mission is to support the Congress in meeting its constitutional responsibilities and to help improve the performance and ensure the accountability of the federal government for the benefit of the American people. GAO provides Congress with timely information that is objective, fact-based, nonpartisan, non-ideological, fair and balanced.

    10. Internal control - A process used by management to help an entity achieve its objectives. Internal control helps an entity run its operations efficiently and effectively, report reliable information about its operations and comply with applicable laws and regulations.

    11. Management controls - A term used interchangeably with internal controls.

    12. Management Controls Executive Steering Committee (MC ESC) - An advisory committee to the IRS Commissioner, co-chaired by both Deputy Commissioners, that has overall responsibility for determining that the IRS has an effective internal control program in place.

    13. Methodology - A documented process for applying standards when assessing, documenting and reporting on internal control over financial reporting.

    14. Quality assurance (QA) - A planned, systematic approach to provide confidence that programs, processes, products and services will conform to established requirements throughout their life cycle.

    15. Random sample - A randomly selected subset of a population with each member of the population having a known non-zero probability of selection.

    16. Risk - An event that may occur and affect the achievement of a business objective.

    17. Risk assessment - A process allowing an entity to consider the extent that potential events will affect the achievement of objectives.

    18. Standards for Internal Control in the Federal Government (Green Book) - Sets internal control standards for federal entities. An entity uses the Green Book to design, implement and operate internal controls to achieve its objectives related to operations, reporting and compliance as required by the FMFIA. The Green Book requires that management:

      • Develops and maintains documentation of its internal control system.

      • Creates policies stating the organization’s internal control responsibilities.

      • Documents and evaluates ongoing monitoring and separate evaluations to identify issues, correction actions and remediation in a timely fashion.

      • Provides support for any principle deemed relevant to the agency.


      Those who use the Green Book are:

      • Program managers at federal agencies,

      • Inspector general staff conducting a financial or performance audit,

      • Independent public accountants conducting audits of expenditures of federal dollars to state agencies, or

      • Compliance officers responsible for making sure that personnel have completed required training.

    19. Structured Management Review (SMR) - A review of documented continuous monitoring activities including quality assurance reviews or other independent internal reviews put in place to cover many internal control activities during the normal course of operations.

    20. TIGTA - The organization established under the IRS Restructuring and Reform Act of 1998 to provide independent oversight of IRS activities. TIGTA promotes economy, efficiency and effectiveness in administering the internal revenue laws. It is also committed to the prevention and detection of fraud, waste and abuse within the service and related entities.

    21. Work papers - The records and documentation of management, operational, program and quality assurance reviews. They represent all quality assurance materials including, but not limited to:

    • Business unit training material

    • Completed Forms 14750-A, IRS Quality Assurance Review Checklist

    • Completed Forms 14750, IRS Quality Assurance Questionnaire

    • IRM extracts and/or references

    • Business units’ standard operating procedures

    • Reports provided by the selected business unit

    • Copies of TIGTA or GAO audit findings and recommendations

    • Latest ICMA

    • GAO Internal Control Evaluation Tool, if applicable

    • Reviewer notes, findings and recommendations

    • Completed Forms 14750-C, IRS Quality Assurance Review Information Document Request

Acronyms

  1. The following acronyms apply to this program:

    Acronym Meaning
    ACFO Associate Chief Financial Officer
    AFR Agency Financial Report
    BUN Business Unit News (IRS Source)
    ERM Enterprise Risk Management
    FISMA Federal Information Security Management Act
    FMFIA Federal Managers’ Financial Integrity Act
    FY Fiscal Year
    GPRAMA Government Performance and Results Act Modernization Act
    ICMA Internal Control Managerial Assessment
    IFS Integrated Financial System
    IPERA Improper Payments Elimination and Recovery Act
    ITM Integrated Talent Management
    MC ESC Management Controls Executive Steering Committee
    MIO Management Information Only
    NTA National Taxpayer Advocate
    OMB Office of Management and Budget
    PII Personally Identifiable Information
    POC Point of Contact
    QA Quality Assurance
    RCG Risk and Control Group (Treasury Department)
    RRACS Redesign Revenue and Accounting System
    SAT Senior Assessment Team
    SBU Sensitive But Unclassified
    SET Senior Executive Team
    SMR Structured Management Review
    SOI Statistics of Income
    SOPs Standard Operating Procedures
    TDCFO Treasury Deputy Chief Financial Officer
    UWR Unified Work Request

Related Resources

  1. OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control PDF.

  2. Federal Managers' Financial Integrity Act (FMFIA) of 1982.

  3. Government Accountability Office (GAO) Decisions of the Comptroller General.

  4. Financial Audit: IRS's Fiscal Year Financial Statements (Blue Book).

  5. Government Auditing Standards (Yellow Book) PDF.

  6. Standards for Internal Control in the Federal Government (Green Book).

  7. Federal Information Security Management Act of 2002 (FISMA) PDF.

  8. Improper Payments Elimination and Recovery Act (IPERA) of 2010 PDF.

  9. IRM 1.15.2, Records and Information Management, Types of Records and Their Life Cycles.

  10. IRM 1.4.2, Monitoring and Improving Internal Control.

  11. IRM 1.4.3, IRS Guidance for Financial Assurance Control Testing.

  12. The QA review listing plus instructions and examples of the Form 14750, IRS Quality Assurance Questionnaire and Form 14750-A, IRS Quality Assurance Review Checklist are available on the CFO website under the QA program section.

IRS Quality Assurance Program Framework

  1. The QA program’s goal is to support the Annual Assurance Statement signed by the Commissioner and submitted to the Treasury Department, as required by the FMFIA.

  2. The IRS Annual Assurance Statement is supported by the:

    1. ICMA on the status of internal controls within the manager’s purview.

    2. A-123 internal control testing results for specified transactions.

    3. GAO Internal Control Evaluation Tool as applicable.

    4. Quality assurance reviews that assess the status of internal controls for selected reviews.

    5. Significant deficiency corrective action plan, as necessary.

  3. The table below describes the elements that support the Annual Assurance Statement.
    The first column identifies the name of the element and the second column provides a description of the element.

    Element Description
    ICMA (Managerial Assessment) Managers’ certifications assessing the effectiveness of internal control and identifying any potential risks. These managers’ certifications are submitted to the CFO as part of the Annual Assurance process.
    A-123 Internal Control Testing Results A-123 tests use OMB guidance and the Treasury Department’s methodology to assess internal control over financial reporting at the transaction level for:
    • Budget and Finance

    • Accounting

    • Purchasing

    • Accounts Payable and Payments

    • Sales, Accounts Receivable and Collections

    • Management of Assets and Liabilities

    • Reporting and Information

    • Information Technology

    The methodology includes the operational environment of internal control, such as:
    • Financial reporting compilation and preparation

    • The control environment

    • Compliance with laws and regulations

    • Audit report findings and recommendations

    Internal control testing occurs as of June 30th (interim) and September 30th (4th quarter).
    Quality Assurance Program Reviews Within the QA program framework is an assessment of selected management reviews, operational reviews/program evaluations and quality assurance reviews performed by the business units to meet performance and internal control goals and objectives. QA program reviews occur between January and May.
    GAO Internal Control Evaluation Tool (Abbreviated) The Evaluation Tool is based upon the guidance provided in the GAO Standards for Internal Control in the Federal Government (Green Book). The Green Book provides the context for the use and application of the checklist. The Evaluation Tool is completed in the first two quarters of the fiscal year.
    Significant Deficiency Corrective Action plan (as necessary) The IRS monitors significant deficiencies and prepares corresponding corrective action plans. A significant deficiency is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, timely. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements timely.
  4. The QA program catalogs the body of work in management, operational, program and quality assurance internal control reviews performed by the business units designed to support internal control objectives and continuously improve programs. The quality assurance review listing documents those reviews. The QA program consists of the following components:

    1. Executive oversight

    2. Managerial assertions

    3. Quality assurance reviews

    4. Policy and guidance

    5. Annual Assurance Statement

    Figure 1.4.31-2

    This is an Image: 66821001.gif
     

    Please click here for the text description of the image.

Executive Oversight

  1. The MC ESC serves as the Senior Assessment Team (SAT), which governs the internal control program. The SAT includes individuals from all parts of the organization who may affect internal control over financial reporting, including strategic, operational (including Information Technology (IT)), financial and programmatic aspects.

  2. The MC ESC meets quarterly and provides a top leadership perspective addressing important cross-functional issues and advising the Commissioner and Deputy Commissioners.

Managerial Assertions

  1. The QA program managerial assertions component leverages existing internal control questionnaires, surveys and certification instruments to reduce managerial burden. These instruments include:

    1. GAO Internal Control Evaluation Tool. This tool assesses the organizational status of internal control and is based on GAO's Standards for Internal Control in the Federal Government, that was issued to assist agencies in maintaining or implementing effective internal control and to help determine what, where and how improvements can be implemented. The tool provides a systematic, organized and structured approach to assessing the internal control structure. The five sections of the checklist correspond to the five standards for internal control (control environment, risk assessment, control activities, information and communications, and monitoring). Each section contains a list of major factors to be considered when reviewing internal control as it relates to the particular standard. These factors represent some of the more important issues addressed by the standard. Included under each factor are points and subsidiary points that users should consider when addressing the factor. The points and subsidiary points are intended to help managers consider specific items that indicate the degree to which internal control is functioning based on an informed judgment. This tool is assembled and completed within the first two quarters of the fiscal year.

    2. ICMA. This questionnaire is an individual manager’s assessment of the status of internal control based on the administrative controls within their purview. Managers report to the CFO through the Annual Assurance Review process. The compilation of the managers' certifications is the basis for the Commissioner’s annual assurance statement required by the FMFIA. These certifications are signed and dated by managers on or around July 31.

Quality Assurance Reviews

  1. The quality assurance reviews component of the QA program validates the business units’ assessments of the effectiveness of operational and internal control by selecting a number of:

    1. Management and operational reviews

    2. Program evaluations

    3. Quality assurance reviews

  2. The quality assurance reviews are generally completed between January and May using Form 14750-A, IRS Quality Assurance Review Checklist, and are based on documentation from:

    1. Quality assurance reviews conducted throughout the IRS to carry out its critical mission and functions

    2. Policy and guidance

    3. Reports that detail the area reviewed and the results

    4. ICMA results

    5. Enterprise risks

    6. GAO, TIGTA and/or A-123 audit findings and/or recommendations

    7. GAO Internal Control Evaluation Tool results, as applicable

  3. The quality assurance reviews are completed annually by business unit review volunteers and CFO-IC QA review team members.

  4. The quality assurance review findings and recommendations are documented and presented to the:

    1. Business unit quality assurance point of contact

    2. Program executive responsible for the area

    3. MC ESC

    4. Review responsible official

  5. Work papers and review documentation are stored electronically on the CFO QA SharePoint site and/or in the CCH TeamMate audit software.

Policy and Guidance

  1. The policy and guidance component of the QA program addresses the CFO duties for developing:

    1. IRM and standard operating procedures (SOPs)

    2. Sample selection, risk assessment and rotation schedule

    3. QA review listing

    4. Volunteer review team training and the new Integrated Talent Management (ITM) system

    5. Program forms (in the Form 14750 series)

    6. Documentation including memoranda, findings and recommendations

    7. Reference materials and maintenance of web and SharePoint sites

    8. Retention and storage

Annual Assurance Statement

  1. The assurance statement is a certification that represents the IRS Commissioner's informed judgment as to the overall adequacy and effectiveness of internal control. The Commissioner will provide one of the following:

    1. Unmodified Statement of assurance: indicate that there are no significant weaknesses or lack of substantial compliance reported. All evidence indicates that the organization's controls are effective and operating as intended.

    2. Modified Statement of assurance: indicate that the organization’s controls are generally effective and operating as intended, considering the exception(s) explicitly noted (one or more material weaknesses or lack of substantial compliance reported).

    3. Statement of No assurance: indicate that there are no processes in place or there are pervasive material weaknesses.

  2. The CFO takes the following steps in the annual assurance process:

    1. Request that the business units complete and return the GAO Internal Control Evaluation Tool during the months of January and February to evaluate the status of internal control within the business unit.

    2. Complete A-123 internal control testing of key financial transactions as required by Treasury Department guidance.

    3. Request all managers to complete the ICMA by the deadline.

    4. Complete quality assurance reviews based on random selection and update the QA review listing based on business units’ submissions of Form 14750, IRS Quality Assurance Review Questionnaire.

    5. Share the proposed IRS assurance statement with the MC ESC prior to submitting it to the Treasury Department with copies to TIGTA and GAO, when final.

Quality Assurance Memoranda

  1. The CFO issues the QA Call Memorandum and the Annual Assurance Call Memorandum to the business units to:

    1. Announce the quality assurance review period for the fiscal year.

    2. Obtain management, operational, program review and quality assurance reviews for the QA review listing.

    3. Identify the business unit executive and designated point-of-contact (POC) responsible for internal control.

    4. Identify review volunteers.

      Note:

      The management, operational, program review and quality assurance reviews submitted should be based on the responses to the internal controls questions on the Internal Control Managerial Assessment (ICMA).

Quality Assurance Call Memorandum

  1. The QA call memorandum is signed by the Deputy Commissioner, Operations Support and is generally issued between November and December.

  2. This memorandum announces the quality assurance review period for the fiscal year cycle and requests support from business units to assist in conducting quality assurance reviews by:

    1. Identifying an executive responsible for internal control for each business unit. This designee will be notified of issues that arise during the quality assurance review and receive the completed review results. The QA executive contact listing is updated annually with information received from the business units.

    2. Designating staff to assist in the quality assurance process. These review volunteers will receive training and conduct the review(s) for each selected business unit.

      Note:

      While all business units are represented on the QA review listing, not all are selected for review.

  3. An email notification is prepared by the CFO and sent to Senior Executive Team (SET) members. The email request includes a copy of the memorandum and an information request to provide the names of the executive responsible for internal control, designated POC/liaison and the review volunteers.

  4. IRS Source Business Unit News (BUN) articles also provide general IRS awareness about the QA call memorandum, the fiscal year selected reviews and the submission deadlines.

  5. The QA call memorandum, BUNs and executive contact listing are available on the CFO website under the QA Program.

Annual Assurance Call Memorandum

  1. The IRS Annual Assurance Process identifies key management reviews, operational reviews, program evaluations and quality assurance reviews conducted by the business units to assess the effectiveness of IRS operational controls.

  2. The Annual Assurance Call Memorandum contains guidance issued to the SET on:

    1. Completing the annual ICMA,

    2. Preparing the manager’s annual assurance memorandum, which is a one or two-page certification containing a specific statement on the status of internal control and corrective action plans for any newly identified significant control deficiencies and

    3. Identifying their organization’s quality assurance reviews, as applicable.

  3. The Annual Assurance Call Memorandum is generally issued in the third quarter of the fiscal year, between April and May with a submission due date around the end of July.

  4. Attachment 1 - Annual Assurance Review Process - requests that business units consider the results from management, operational, program and quality assurance reviews as support for the annual certification. These reviews are the annual ICMAs that determine the effectiveness of internal controls within their areas of responsibility and include the preparation of individual written certifications to support the overall business unit’s certification.

  5. Attachment 2 - Identification of QA Reviews - requests that business units submit new management, operational, program and quality assurance reviews that were not previously submitted. This includes identifying all quality assurance reviews that test or review work quality, measure quality of data, identify trends, problem areas and improvements to program effectiveness in light of applicable directives, standards and procedures. These reviews include work process, program or management reviews, as well as operational reviews and site visits.

    Note:

    Attachment 2 notifies business units that their management reviews, program evaluations and quality assurance reviews may be selected for further review.

  6. The Annual Assurance Call Memorandum and QA review listing are available on the CFO website under the Quality Assurance Program section.

Quality Assurance Review Listing

  1. The QA review listing is an inventory of IRS internal control reviews in a spreadsheet format. It is updated based on Forms 14750, IRS Quality Assurance Review Questionnaire submitted by the business units from:

    1. The Annual Assurance Call Memorandum request for the validation and verification of reviews on the QA review listing.

    2. The ICMA sampling of selected managers who completed the assessment.

    3. New IRS initiatives identified by the MC ESC or the SET.

  2. Key columns on the QA review listing include:

    1. Organization Title - Naming the business unit.

    2. Organizational Code - Indicating the business unit’s symbols. Large business units are encouraged to provide the lowest level of organization code possible to differentiate reviews with similar names.

      Example:

      OS:CFO denotes the Operations Support Deputy Commissioner area and the CFO.

    3. Frequency - Providing whether the review occurs weekly, monthly, quarterly, annually, ad hoc or some other frequency.

    4. Quality Assurance Review Name - Providing the name of the business unit review.

      Example:

      Manual Interest Quality Review, Civil Penalty Quality Review, Lockbox IT Security Review.

    5. Risk - Provides a risk rating of high, medium or low.

    The CFO assigns risk ratings as follows:

    1. High Risk - Denotes affirmative responses to questions 5, 6, 7 and 10.

    2. Medium Risk - Denotes security and financial related reviews or responses that may affect multiple business units for question 3.

    3. Low Risk - Denotes a review with a frequency of meeting at least monthly or more for question 9.

  3. The CFO assesses each review and assigns a high risk rating depending on the responses to Form 14750, IRS Quality Assurance Review Questionnaire, as follows:

    1. Question 5 - Does the review encompass any identification of material internal control issues defined as significant problems or significant level of errors? If so, describe and provide the corrective actions taken.

    2. Question 6 - Does the review include identification for IRS Enterprise or Servicewide risks? If so, describe the risks and how they were addressed.

    3. Question 7 - Has the review been the subject of Congressional scrutiny or press coverage? If so, describe.

    4. Question 10 - Is a report on the results of the review compiled and forwarded to senior management for evaluation and follow-up action (indicate whether the report is retained in a permanent file for examination by IRS external auditors such as GAO or TIGTA and/or the A-123 Financial Assurance Control Testing team).

  4. The CFO assesses each review and assigns a medium risk rating depending on the responses to the Form 14750, IRS Quality Assurance Review Questionnaire as follows:

    1. Question 3 - Provide a brief description of the review, the area of focus and the expected and/or actual outcome.

  5. The CFO assesses each review and assigns a low risk rating depending on the responses to Form 14750, IRS Quality Assurance Review Questionnaire, as follows:

    1. Question 9 - What is the time period covered by the review and/or the frequency of the review performance.

  6. The CFO will assess the business units’ Form 14750, IRS Quality Assurance Review Questionnaire, submissions to:

    1. Identify gaps where business units may need to develop managerial reviews and determine appropriate treatment.

    2. Determine whether duplicate reviews can be eliminated, combined or leveraged in some other way.

    3. Categorize the reviews by risk.

  7. The CFO may annotate the names on the QA review listing to indicate the source or critical information concerning the review, as follows:

    1. New - Indicates a new review for the fiscal year.

    2. Revised - Indicates that the review has been updated, such as changes for the point of contact or organizational codes to reflect reorganizations.

    3. ICMA - Indicates that the review originated from the ICMA sampling.

  8. The CFO may develop new annotations as needed.

Identification of IRS Quality Assurance Reviews

  1. Annual Assurance Call Memorandum, Attachment 2, requests that business units review the QA review listing and:

    1. Identify and submit new quality assurance reviews.

    2. Update and resubmit quality assurance reviews, as needed.

    3. Indicate which reviews should be deleted.

    4. Break out and resubmit quality assurance reviews that encompass more than one review.

      Note:

      A review called "QA Reviews" may incorporate several different reviews either by location or work type. In this case, CFO requests the business unit submit a separate Form 14750, IRS Quality Assurance Review Questionnaire, for each review.

  2. To aid in planning for future QA program reviews, business units are encouraged to provide senior leaders’ suggestions on quality assurance reviews that merit consideration for additional review. Input by business units is important and will help in designing a quality assurance review plan to best address issues that are important to the IRS.

    Note:

    Every manager (for example, unit, group, section, office) must complete an ICMA. However, every manager may not have management or operational reviews, program evaluations or quality assurance reviews and may not be required to submit Form 14750, IRS Quality Assurance Review Questionnaire. However, managers that respond positively to the ICMA questions about establishing and monitoring quality assurance reviews should be able to identify those reviews and document them on the Form 14750, IRS Quality Assurance Review Questionnaire, especially if selected for review.

Internal Control Managerial Assessment Sampling

  1. The ICMA is one of the bases for the annual assurance statement signed by the IRS Commissioner and submitted to the Treasury department. Traditionally, CFO receives a summary statement from the business unit heads of office regarding the ICMA.

  2. There is a direct relationship between the ICMA and the quality assurance review process. The following ICMA questions under Section I: Internal Controls Review and Monitoring and Risk Assessment, address the quality assurance reviews:

    • Manager establishes and performs internal control reviews (i.e. management or operational reviews, program evaluations and quality assurance reviews).

    • Manager monitors internal control results during the year from management or operational reviews, program evaluations and quality assurance reviews, then develops and implements appropriate corrective action plans.

  3. The QA program team requests a listing of IRS managers who responded to the ICMA from the annual assurance program team. The QA program forwards the annual IRS manager listing to SOI for sample selection based on the following criteria:

    1. The IRS manager had positive responses to both quality assurance questions.

    2. The IRS manager was a permanent manager (not acting).

    3. The IRS manager was not selected in a prior year.

  4. The ICMA sample allows the CFO to verify that managers:

    1. Understand internal controls

    2. Are able to identify and provide the name of the management, program, operational and quality assurance review(s) that they relied on to answer the assessment control questions found in the annual ICMA.

  5. The selected IRS managers are notified by email that they have been selected for review by the IRS QA program. The IRS managers are asked to provide completed Forms 14750, IRS Quality Assurance Review Questionnaire, for each review that they established and monitored as part of their internal control operations.

  6. The ICMA sample is generally selected in the first quarter of the new fiscal year.

  7. The QA review listing is updated with the Form 14750, IRS Quality Assurance Review Questionnaires, received from the selected managers. Reviews derived from the ICMA sampling are designated as "ICMA" on the QA review listing.

New Initiatives

  1. Periodically, new IRS initiatives are identified by the MC ESC or the SET and require new management, operational, program or quality assurance reviews.

  2. These new reviews are identified outside of the normal annual assurance process and the end-of-July call that requests business units update the QA review listing or ICMA sampling that results in new reviews. These new reviews may result from GAO, TIGTA, A-123 testing findings and recommendations or an increased awareness of a particular program or new initiative.

  3. The CFO will request the point of contact information and assist the business unit in completing the Form 14750, IRS Quality Assurance Review Questionnaire, to describe the new review including the timing, reports, risk level, etc.

  4. The CFO will update and post the QA review listing with the new reviews.

Quality Assurance Program Forms

  1. There are certain forms used within the QA program. These forms are available on the IRS Intranet (IRS Source) under Forms, Publications and Documents and under the subheading commonly used forms. There is a special section called the IRS QA Program that contains:

    1. Form 14750, IRS Quality Assurance Review Questionnaire

    2. Form 14750-A, IRS Quality Assurance Review Checklist

    3. Form 14750-B, IRS Quality Assurance Review Notification

    4. Form 14750-C, IRS Quality Assurance Review Information Document Request

    5. Form 14750-D, IRS Quality Assurance Review Closed Recommendations/Findings

  2. Annually, the quality assurance forms are reviewed based on best practices and updated as needed.

  3. New quality assurance forms may be added as the program expands and the need for new information arises.

Form 14750, IRS Quality Assurance Review Questionnaire

  1. The Form 14750, IRS Quality Assurance Review Questionnaire, allows business units to provide information that describes their management, operational, program and/or quality assurance reviews.

  2. The Form 14750, IRS Quality Assurance Review Questionnaire, is prepared in response to:

    1. The Annual Assurance Call Memorandum

    2. ICMA internal control sampling results

    3. New IRS initiatives identified by the MC ESC or the SET

  3. The Forms 14750, IRS Quality Assurance Review Questionnaire, submitted by the business units are used to compile the QA review listing, which is updated annually.

  4. The CFO will examine the Form 14750, IRS Quality Assurance Review Questionnaire, to:

    1. Identify information gaps where business units may need to provide additional clarifying information or address conflicting information.

    2. Validate the name of the review, the organization and the business unit organization code.

    3. Determine whether multiple reviews exist on one Form 14750, IRS Quality Assurance Review Questionnaire, that may need to be documented separately.

    4. Determine the risk level of the review.

    5. Update the QA review listing.

    6. File the reviews in the CFO QA SharePoint site by fiscal year and business unit.

Form 14750-A, IRS Quality Assurance Review Checklist

  1. The Form 14750-A, IRS Quality Assurance Review Checklist, is used by the business unit review volunteers to assess the selected review. Review volunteers are trained on completing the Form 14750-A, IRS Quality Assurance Review Checklist, at the beginning of the review period, generally in January. Examples and instructions are provided in the review volunteers’ training.

  2. The Form 14750-A, IRS Quality Assurance Review Checklist, contains four sections and summarizes the selected review results:

    1. Section 1, Introduction provides a description of the selected review. Information from the Form 14750, IRS Quality Assurance Review Questionnaire may be used to complete this section. QA review volunteers may complete the checklist in an interview setting, if preferred.

    2. Section 2, Review Scope provides information about the volunteer reviewers and describes how long the volunteer reviewers took to complete the review, what period of time the review covers and what documents the volunteer reviewers examined in completing their assessment.

    3. Section 3, Control Review provides information about the review volunteer’s assessment of the selected review. Information from the Form 14750, IRS Quality Assurance Review Questionnaire, may be used to complete this section. Provide explanations in the comment section beside the “No” box for each question.

    4. Section 4, Results/Findings requires a conclusion from the volunteer review team whether the review controls are Effective or Ineffective.

      Note:

      Responses to Section 3, Control Review questions B, D, E and F may result in a recommendation in Section 4, Results/Findings. This section requires a concurrence date, due date and concurring official. Concurrence is also required for a result of “No findings.”

  3. General tips for completing the Form 14750-A, IRS Quality Assurance Review Checklist:

    1. Schedule an interview with the point of contact listed on the Form 14750, IRS Quality Assurance Review Questionnaire. The point of contact may be able to walk you through the review process and familiarize you with the associated work papers and reports, the review goals, objectives and expected outcomes.

    2. Schedule enough time to complete the review. The CFO estimates that reviews take 20-40 hours to complete based on prior year completion times.

      Note:

      Review completion estimates may vary from year to year.

      Note:

      The review period generally begins in January and ends on the last business day in May; however these dates are subject to change annually.

    3. Verify that the business unit review volunteer is someone other than the point of contact listed on the Form 14750, IRS Quality Assurance Review Questionnaire.

      Note:

      In smaller business units, there may be a limited staff. Please contact the CFO to determine alternatives.

    4. Determine if there are multiple reviews contained within one review. Select one review topic or location with the highest risk level.

      Note:

      If resources are available, the volunteer review team may decide to assess all the review activities. Complete a separate Form 14750-A, IRS Quality Assurance Review Checklist, for each review. A corresponding Form 14750, IRS Quality Assurance Review Questionnaire, must also be prepared. Please contact the CFO for additional instructions.

    5. Gather and examine work papers such as IRM references, SOPs, oversight agency guidance and the latest copy of the completed review.

    6. The IRS requires the protection of personally identifiable information (PII) and sensitive but unclassified (SBU) information. Volunteer reviewers should request sanitized documents, especially those related to taxpayers, IRS managers and employees. In addition, the name of the office and various case data may be redacted as it is considered evaluative.

    7. Determine whether the review identifies IRS Enterprise or Servicewide risks, has been the subject of Congressional scrutiny or press coverage, and/or addresses material internal control issues.

    8. Attach work papers to the Form 14750-A, IRS Quality Assurance Review Checklist, using the paperclip icon.

      Note:

      The CFO will provide instructions for work papers annually.

    9. Determine whether or not the review is effective. This requires a conclusion from the review volunteer.

    10. Findings are observations of the status of internal control results against audit criteria. Findings indicate conformity or nonconformity and compliance or non-compliance for legal or other requirements.

      Note:

      Findings/recommendations may be benign, such as a notation to continue the review.

    11. If the review is effective but could use enhancements, discuss recommendations with the point of contact and document a corrective action plan in Section 4, Results/Findings.

      Note:

      Findings for selected reviews receive follow-up for the status of actions in the subsequent fiscal year.

  4. The Form 14750-A, IRS Quality Assurance Review Checklist, examples and instructions are available on the CFO IC website under the QA program section. The form is also available on the IRS Intranet.

Form 14750-B, IRS Quality Assurance Review Notification

  1. The Form 14750-B, IRS Quality Assurance Review Notification, is used by the CFO to evaluate the completeness and accuracy of the selected review results prepared by the business unit review volunteers.

  2. The CFO:

    1. Reviews all Forms 14750-A, IRS Quality Assurance Review Checklist and associated work papers prepared by the CFO QA team for in-house and volunteer reviews.

    2. Summarizes the results for each selected review on Form 14750-B, Quality Assurance Review Notification.

    3. Stores work papers and related email communications on the CFO QA SharePoint site and on CCH TeamMate.

    4. Identifies trends and missing reviews to update the QA review listing.

  3. On Form 14750-B, IRS Quality Assurance Review Notification, Recommendations/Findings section, the CFO may provide:

    1. Recommendations/Findings that include the criteria or basis for determining that a problem does exist, a condition or situation that was observed, the effect of the condition and the root cause of the problem to the extent that it can be determined. If a significant issue is identified (such as non-compliance with Terms and Conditions in an award or grant), the issue is a finding. Review volunteers or the CFO may identify findings. Findings should result in recommendations that resolve an issue and are helpful to management.

    2. Management Information Only (MIO) is a finding issued by CFO that does not compromise internal control integrity but could present a problem in the future. It is designed to make management aware of a potential future issue that may arise if improvements are not made to the control.

  4. The CFO shares findings using Form 14750-B, IRS Quality Assurance Review Notification, with the selected business unit point of contact, next level manager and responsible executive.

  5. The Associate CFO (ACFO) for Internal Controls (IC) provides a summary email notification including Form 14750-B, IRS Quality Assurance Review Notification, to the head of office when all the reviews for that business unit are complete.

Completed Form 14750-C, IRS Quality Assurance Review Information Document Request

  1. Completed Form 14750-C, IRS Quality Assurance Information Document Request, is used by the CFO and business unit review volunteers to track the requested documentation and information necessary to conduct the selected quality assurance reviews.

  2. Form Instructions

    1. Instructions for completing the form are attached to the form.

  3. Form frequency

    1. A new form should be completed each time documentation is requested. The reviewer may request additional documentation, as necessary.

  4. Storage

    1. Form 14750-C should be stored on the SharePoint site under “Selected Reviews” for the current fiscal year under the appropriate business unit folder for that particular selected review.

Completed Form 14750-D, IRS Quality Assurance Review Closed Recommendation(s)/Finding(s)

  1. Form 14750-D, IRS Quality Assurance Review Closed Recommendation(s)/Findings(s) is completed and used by the CFO to track the closure of the recommendation(s)/finding(s). It also ensures that verification of the closure is documented in a formal proceeding.

    1. A CFO-IC manager signature approval is needed for a recommendation/finding to be considered closed.

  2. Form Instructions

    1. Instructions for completing Form 14750-D, IRS Quality Assurance Review Closed Recommendation(s)/Finding(s)are attached to the form.

  3. Form Frequency

    1. A new form will need to be completed for each recommendation/finding, unless the recommendation/finding affects the same corrective action supporting documentation.

  4. Storage

    1. Form 14750-D, IRS Quality Assurance Review Closed Recommendation(s)/Findings(s) should be stored on the QA SharePoint site under the Closed Recommendation folder for the respective fiscal year (FY).

Quality Assurance Program Review Process and Procedures

  1. The quality assurance program review essentially is an assessment of selected business unit management reviews, program evaluations, operational and quality assurance reviews to determine the effectiveness of the controls.

  2. The quality assurance review is considered an inspection-type control test:

    Note:

    An inspection control test examines the evidence of a given control, such as looking for signatures of a reviewing official or reviewing reconciliations and reports.

Timing of Reviews

  1. The QA program reviews generally occur January through May and are timed to support the IRS Assurance Statement submission to the Treasury Department.

  2. QA reviews for business unit products, processes and procedures are considered continuous monitoring activities.

    Note:

    Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational activities. The financial and operational environment consists of the people, processes and systems working to support efficient and effective operations. Controls are put in place to address risks within these components. Continuous monitoring actively identifies, quantifies, and reports control failures such as duplicate vendor records, duplicate payments and transactions that fall outside of approved parameters. It highlights opportunities to improve operational processes.

Review Selection Criteria

  1. The CFO determines a specified number of reviews for the current fiscal year based on review selection criteria.

  2. The number of management, program, operational and quality assurance reviews selected for each fiscal year is based on a combination of the following:

    1. SOI uses random selection procedures for all samples. However, not all samples are projected to the entire population.

    2. Elimination of reviews that have been completed within the last two years from selection.

      Note:

      Reviews that have findings/recommendations will require follow-up in the subsequent fiscal year.

    3. Elimination of reviews that are tested as part of the A-123 internal control testing and the Internal Control Review process (see IRM 1.4.32, Internal Control Review Process).

    4. CFO risk and ranking criteria including oversight agency guidance (Treasury Department and GAO) and risks identified by the Enterprise Risk Management and the National Taxpayer Advocate programs, A-123 transactional internal control testing and audit findings/recommendations.

  3. Enterprise Risk Management: Provides the program portfolio view of enterprise risks that are most critical to all layers of management, up to and including the Commissioner's Office, across IRS operations and critical initiatives.

  4. National Taxpayer Advocate (NTA) Annual Report to Congress: Identifies IRS challenges and risks.

  5. CFO A-123 Risk Assessment (updated annually): Presents the A-123 transactional rotation schedule for internal control testing determined by the following Treasury Department requirements:

    1. Risk level has been identified by the known susceptibility to errors, existence of manual versus automated processes and the total dollar balances of the financial statement line items associated with the process.

    2. Transactions deemed to be high risk and associated with processes that contribute at least 10 percent to the Department of the Treasury financial statement line item balances are tested annually.

    3. Transactions that are rotated every three years are those transactions that have not had a documented history of vulnerabilities or errors and are associated with processes that contribute less than 10 percent to the balance of the Department of the Treasury financial statement line items.

    4. Reviews are selected by high, medium and low risk levels.

  6. Significant Deficiency: Identify areas for improvement and include open items from remediation and action plans.

  7. Audit Findings: Identify open GAO financial reporting audit recommendations and TIGTA reports.

  8. The Green Book and The Yellow Book: Provide GAO's Standards for Internal Control in the Federal Government (The Green Book) and Government Auditing Standards (The Yellow Book).

  9. The CFO selection criteria and justification are documented and maintained on the CFO SharePoint site for reference.

  10. The CFO will review and update the Tactical Review Assessment Plan (TRAP), QA program timeline and standard operating procedures. The TRAP is the overarching review plan that will cover a segment of the quality assurance reviews that take place throughout the IRS including:

    1. Selected review rotation (number of reviews)

    2. Risk assessment designations (high, medium and low)

    3. Hierarchy of reviews

  11. The CFO will develop a detailed quality assurance review schedule to select the appropriate timing of the reviews and obtain sufficient resources to complete the reviews.

  12. The CFO will develop a new listing of selected quality assurance reviews each fiscal year.

    Note:

    Reviews that have been completed within the last two years will be eliminated from selection.

  13. The CFO will monitor the schedule and inform the MC ESC of any review delays, emerging trends and impending issues.

Review Selection Notification

  1. Each business unit executive responsible for internal control is notified that his/her business unit is selected for review by email.

  2. The review notification:

    1. Identifies the business unit’s selected review(s).

      Note:

      The review selection is random. To the best of its ability, not discounting risk level, the CFO will attempt to alleviate an unfair review burden on any one business unit.

    2. Designates the review period for the fiscal year.

    3. Requests the names of review volunteers who will complete the selected review(s).

    4. Indicates the review volunteers’ training date(s).

    5. Provides references and attachments such as the Form 14750, IRS Quality Assurance Review Questionnaire, associated with each selected review, a blank Form 14750-A, IRS Review Checklist, to be completed for each selected review and the current QA call memorandum.

Volunteer Review Team Training

  1. The QA program is supported by review volunteers from business units, generally:

    1. Assurance statement process liaisons

    2. Audit liaisons and the business unit risk liaisons

    3. Embedded financial and other staff

  2. Review volunteers must be:

    1. A program manager, coordinator or staff member familiar with either the ICMA process, quality assurance reviews, internal control testing, risk assessment or the assurance process.

    2. Available to participate during the scheduled review dates.

    3. Different than the review point of contact identified on the Form 14750, IRS Quality Assurance Review Questionnaire.

  3. The volunteer review team is assigned reviews that correspond to their business unit. The size of the review team is based on the number of quality assurance reviews selected for the fiscal year and how many will be conducted in-house by the QA review team.

  4. The training session topics include, but are not limited to:

    1. How to read/understand the Form 14750, IRS Quality Assurance Review Questionnaire.

    2. How to complete the Form 14750-A, IRS Quality Assurance Review Checklist, and attach work papers.

    3. How to locate QA reference materials.

    4. How to document results and recommendations.

  5. The CFO examines all 14750-A forms prepared by the volunteer review team for completeness, especially noting whether review processes are subject to audit and internal control activities over financial reporting, and then schedules and conducts two main training sessions, a primary introductory session and a mini-refresher session. Additionally, conference calls are scheduled periodically to address topics of interest to the volunteer review team.

  6. The review team training presentation is available on the CFO IC website under the QA program section.

Review Methodology

  1. Using the Form 14750-A, IRS Quality Assurance Review Checklist, the QA program review validates aspects of the:

    1. Support documentation of the business units' management and operational reviews, program evaluations and quality assurance reviews.

    2. Information contained on the Form 14750, IRS Quality Assurance Review Questionnaire.

    3. Selected ICMAs.

    4. GAO Internal Control Evaluation Tool, as needed.

    Note:

    The CFO may expand the quality assurance review for individual controls at a more detailed level to isolate risks and undertake a corrective action plan, if necessary.

  2. The quality assurance review may be conducted virtually or through other electronic media.

    1. Virtual reviews are held at a specified location. Selected review files must be provided via secure, encrypted methods to protect PII and SBU information. The volunteer review team examines documents to determine whether the review controls are effective. Printed copies of electronic documents are destroyed after use, unless necessary to support findings.

    2. Other electronic media reviews are on-line reviews that may be conducted through Skype or other similar electronic media and the use of shared work spaces to make documentation available to multiple reviewers. Skype merges real-time communications (instant messaging, voice, video, application sharing) and near-time communications (email, voice mail, fax) with presence information (indication of users’ real-time availability across locations and devices) and allows for effective communications across a number of channels for employees, regardless of their location.

  3. The volunteer review team completes the Form 14750-A, IRS Quality Assurance Review Checklist, which is used for each review. A selected review may contain multiple locations or timing. Select the one review topic or location with the highest risk level. Please contact the CFO for additional instructions.

    Note:

    When a volunteer reviewer determines that there are multiple activities (for example, data security, case reviews and employee performance), select the activity with the highest risk level and complete a separate Form 14750-A, IRS Quality Assurance Review Checklist. Note the specifics of the selection in Section 2, Review Scope.

    Example:

    An operational review may contain multiple components (for example, employee appraisals, courier service reviews, employee performance reviews, payment processing reviews and physical/data security requirements). Each component of the review is separate and distinct from other components. In this scenario, if resources permit, the volunteer reviewers may prepare five separate Forms 14750-A, IRS Quality Assurance Review Checklist. Also prepare a corresponding Form 14750, IRS Quality Assurance Review Questionnaire, for each review.

  4. The volunteer review team may share findings with the selected business unit point of contact, next level manager and the appropriate executive.

  5. The CFO examines all Forms 14750-A, IRS Quality Assurance Review Checklist, prepared by the volunteer review team for completeness, especially noting whether review processes are subject to audit and internal control activities over financial reporting and then:

    1. Summarizes the results for each business unit.

    2. Verifies storage of the quality assurance review work papers and related email communications on the CFO QA SharePoint site by fiscal year.

    3. Provides notification to the responsible executive of each business unit.

    4. Reports overall results to the MC ESC.

Review Documentation

  1. The CFO stores quality assurance review work papers and related email communications on:

    1. The CFO QA SharePoint site by fiscal year and by business unit.

    2. CCH TeamMate, a Windows-based audit management system, that may be used by the QA program to prepare work papers for the reviews conducted. CCH TeamMate helps to manage the audit process, including: scheduling, planning, executing, reviewing and generating reports. CCH TeamMate generates a Work Papers Procedures Report that provides a reference number and document title of documentation used for steps and results. CCH TeamMate allows users to create, review and approve audit documentation. CCH TeamMate allows users to cross-reference, import and track the status of results.

    3. Other designated storage media/applications, including the QA SharePoint site.

    Note:

    Form 14750-A, IRS Quality Assurance Review Checklist, containing findings and recommendations that are accepted by the business unit are retained indefinitely until the recommendations are implemented. After the findings and recommendations are addressed, the work papers are retained for three years.

    Note:

    Any review materials (work papers) provided to the review team should be retained and forwarded to CFO along with the Form 14750-A, IRS Quality Assurance Review Checklist, for storage.

  2. Review work papers represent all quality assurance materials, including, but not limited to:

    1. Business Units’ training material

    2. Completed Forms 14750-A, IRS Quality Assurance Review Checklist

    3. Completed Forms 14750, IRS Quality Assurance Review Questionnaire

    4. IRM extracts and/or references

    5. Business unit standard operating procedures

    6. Review reports provided by the selected business unit

    7. Copies of GAO, TIGTA and A-123 audit findings/recommendations

    8. Latest ICMA

    9. GAO Internal Control Evaluation Tool, if applicable

    10. Reviewer notes, findings and recommendations

  3. Review documentation should be:

    1. Sufficient: Complete and accurate to provide full support for findings, conclusions and judgments.

    2. Competent: Permit a reader with some knowledge of the subject to reach the same conclusion(s).

    3. Relevant: Information restricted to matters that are materially important and relevant to the objectives of the audit.

    4. All evidence needs to demonstrate how the reviewer arrived at the conclusion(s) and should provide a basis for determining whether the conclusions are reasonable and accurate.

  4. A status summary of the selected quality assurance reviews is provided to the MC ESC and included in the Annual Assurance Statement.

Records Retention

  1. All quality assurance review work papers are retained for three years.

  2. The CFO summarizes the results for each selected review organized by business unit (usually using an electronic spreadsheet). The summary is completed usually within two weeks after the quality assurance review period ends and is stored on the CFO QA SharePoint site or other designated location.

  3. QA documentation is considered a temporary record. Selected review records must be closed out at the end of the fiscal year and destroyed three years after closure as follows:

    1. Email communications including selected review notifications

    2. Review documentation, checklists and work papers

    3. Review findings and recommendations

    4. Business units’ QA Review Questionnaires

    Note:

    The retention requirement for QA work papers and summary review results applies only to CFO. Business units should refer to IRM 1.15.2, Records and Information Management, Types of Records and Their Life Cycles, for retention guidance. Also refer to Document 12990, Records Control Schedules for the National Archives and Record Administration (NARA) approved records retention and disposition to prevent unauthorized/unlawful destruction of records.

  4. These record retention policies may be superseded by IRS record retention policies, litigation holds or other retention requirements.

Identifying and Developing Quality Assurance Reviews

  1. Business units are encouraged to examine operations and identify new reviews using components of:

    1. Form 14750, IRS Quality Assurance Review Questionnaire. This questionnaire asks for specific information about any review that should be considered when developing new reviews, including required IRM and SOP guidance, description, reports, frequency and contacts.

    2. Form 14750-A, IRS Quality Assurance Review Checklist, under Section 3, Control Review. Section 3 asks questions about review components such as required IRM and SOP guidance, review reports, review relationship to financial reporting and executive and managerial notifications of findings/recommendations.

  2. The IRS QA program examines the internal controls of management reviews, operational reviews, program evaluations and quality assurance reviews developed by the business units. Examples of existing IRS quality assurance reviews include:

    1. Operational reviews

    2. Appeals Quality Measurement System

    3. Quality analysis and system review

    4. Manual refund reviews

    5. 100-day case reviews

    6. Application development quality assurance audits

    7. Integrated functional test and exercises evaluation

    8. Interest penalty payment review and report

    9. QA internal compliance reviews

    10. Operational reviews of employment tax groups

    11. Tax exempt bonds quality review program

  3. The CFO will assess the QA review listing consisting of quality assurance, management and operational reviews to recommend new reviews for business units where gaps are identified.

  4. Sources for new reviews may be identified by examining:

    1. Existing IRM guidance and confirming that processes and procedures have associated reviews.

    2. Executive, managerial and management officials’ commitments and program goals.

    3. TIGTA, GAO and CFO A-123 transactional testing recommendations.

    4. Newly enacted legislation.

    5. Threats and trends (for example, cyber terrorism and identity theft).

    6. Survey results.

  5. In designing new reviews, business units should make certain that they follow guidance from:

    1. GAO Standards for Internal Control (Green Book)

    2. OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control

  6. Verify that the internal controls are defined in terms of specific requirements to be met and that the requirements are communicated to and understood by those responsible for managing them.

  7. Verify that controls are tested by individuals other than those routinely executing them.

  8. Business unit quality assurance reviews may use the following techniques:

    1. Inspection - requires a review examining the evidence of a given control.

      Example:

      Looking for signatures of a reviewing official or reviewing past reconciliations.

    2. Observation - requires watching actual controls in operation.

      Example:

      Observing a physical inventory or watching a reconciliation occur.

    3. Re-performance - requires re-completing a given control.

      Example:

      Re-calculating an estimate or re-performing a reconciliation.

    Note:

    The QA program review component is an inspection type review. Reviews developed by the business units may use any suitable technique.

  9. Business units are encouraged to:

    1. Develop management, program, operational and quality assurance reviews that address a single activity. Identifying one review process that occurs over multiple locations is considered one review. Reviews with multiple activities (for example, data security, case reviews and employee performance) should be separated, as practical.

    2. Test the performance of the new review and refine the review techniques and documentation.

    3. Complete a Form 14750, IRS Quality Assurance Review Questionnaire, for the new review as part of the annual assurance call memorandum process. The new review will be incorporated into the QA review listing.

  10. The IRS internal control environment continues to improve through the corrective actions implemented by management. The management commitment to excellence, accountability and compliance with applicable laws and regulations is evidenced in actions to establish effective controls, make sound determinations on corrective actions and verify and validate the results.

Quality Assurance Knowledge and Skills

  1. Generally, quality assurance work requires the following kinds of knowledge and skills:

    1. Knowledge of pertinent product, process or procedure characteristics, methods and processes.

    2. Knowledge of quality assurance/control methods, principles and practices, including statistical analysis and sampling techniques.

    3. Knowledge of inspection, test and measurement techniques.

    4. Knowledge of the relationship of quality assurance to other activities such as tax administration, legal and judicial activities, administrative hearings to resolve income tax and collection controversies, including collection due process activities, financial reporting/auditing, assessment and supporting tax and/or financial systems.

    5. Skill in interpreting and applying products, processes or procedures, specifications, technical data, regulations, policy statements and other guideline materials.

    6. Skill in conducting studies and investigations, problem analysis and developing logical and documented recommendations.

    7. Skill in written and oral communications.

    8. Skill in establishing effective interpersonal relationships.

Structured Management Reviews (SMRs)

  1. Quality reviews and quality assurance processes that are already in place are considered Structured Management Reviews (SMRs) and may be tested as part of the A-123 internal control testing process.

    Example:

    The A-123 transaction test called AC-6: Administrative Cash Reconciliation, verifies that internal control procedures governing IRS cash reconciliations are in place and working effectively. Cash reconciliations are performed monthly and the A-123 testing is performed on three monthly reconciliations.

  2. SMRs may serve as assurance of testing of internal control. However, the review must meet specific criteria. The documentation should contain sufficient information to enable an individual with no previous connection with the evaluation to understand what was reviewed, what was found and to verify the reviewer’s judgments and conclusions. See IRM 1.4.3.11.3, Evaluate Structured Management Review (SMR).

  3. An SMR should have the following elements:

    1. Documented procedures that guide the SMR

    2. Reviews performed at regular intervals

    3. Documented and independent review of results

    4. Documented process to resolve noted deficiencies


    The three-column table below provides questions to address in developing a new quality assurance review. The first column provides the question, the second column is used to determine a yes or no answer and the third column is used to explain the results of the answer.

    Quality Assurance Review Development Questions YES or NO Explain
    Is the SMR actually being used as designed?    
    Is the SMR meeting the internal control objectives?    
    Do the personnel executing the SMR have adequate skills and receive sufficient training to complete the review?    
    Are adequate procedures in place for the SMR?    
    Is the guidance for the SMR followed?    
    Were issues/errors/concerns adequately and consistently addressed and documented?    
    Is the guidance for the SMR consistently followed for error determination and documentation requirements?    
    Do the personnel have adequate time, resources, etc. to execute the SMR competently?    
    Are the sample sizes and sample methodologies appropriate for the internal control?    
    Is a documented SMR in place and is it being monitored by an appropriate level of management?    
    Is the SMR performed an appropriate number of times per year to fulfill the internal control function?    
    Is the review performed at an appropriate time in the process to allow for error correction and prevention of a similar error?    
    Is management using the results of the SMR to correct the error, process, or procedure?