- 1.4.31 IRS Quality Assurance Program
- 220.127.116.11 Overview
- 18.104.22.168 Background
- 22.214.171.124 Authorities
- 126.96.36.199 Definitions
- 188.8.131.52 Acronyms
- 184.108.40.206 Roles and Responsibilities
- 220.127.116.11.1 Operating and Functional Divisions Program Roles and Responsibilities
- 18.104.22.168.2 CFO Program Roles and Responsibilities
- 22.214.171.124.3 Statistics of Income (SOI)
- 126.96.36.199 IRS Quality Assurance Program Framework
- 188.8.131.52.1 Executive Oversight
- 184.108.40.206.2 Managerial Assertions
- 220.127.116.11.3 Quality Assurance Reviews
- 18.104.22.168.4 Policy and Guidance
- 22.214.171.124.5 Assurance Statement
- 126.96.36.199 Quality Assurance Program Review Process and Procedures
- 188.8.131.52.1 Review Timing
- 184.108.40.206.2 Review Selection Criteria
- 220.127.116.11.3 Quality Assurance Review Checklist
- 18.104.22.168.4 Review Team Selection and Training
- 22.214.171.124.5 Review Methodology
- 126.96.36.199.6 Review Documentation
- 188.8.131.52.7 Records Retention
- 184.108.40.206 Federal Management Integrity Criteria for Quality Assurance Reviews
- 220.127.116.11 Developing Quality Assurance Reviews
- 18.104.22.168 Related Resources
Part 1. Organization, Finance, and Management
Chapter 4. Resource Guide for Managers
Section 31. IRS Quality Assurance Program
August 05, 2015
(1) This transmits new IRM 1.4.31, Resource Guide for Managers, IRS Quality Assurance Program.
(1) This IRM contains the framework for the IRS Quality Assurance Program, which is designed to support the annual assurance statement signed by the Commissioner and submitted to the Department of the Treasury. The program includes executive oversight, managerial certifications, and reviews of quality assurance efforts.
Robin L. Canady
Chief Financial Officer
This IRM provides guidance on the processes and procedures for the IRS Quality Assurance Program to support the annual assurance statement required by the Federal Managers' Financial Integrity Act (FMFIA) and activities defined by OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A: Internal Control over Financial Reporting.
The Chief Financial Officer (CFO), Corporate Planning and Internal Control (CPIC) unit, Office of Internal Control (IC), developed and maintains this IRM. CPIC-IC develops internal control policy, performs A-123 internal control testing, and conducts compliance reviews and program evaluations to support the IRS unqualified audit opinion. CPIC-IC also provides audit-focused training, business-practice development, audit policy, and oversight.
Quality assurance is a planned, systematic approach designed to provide confidence that programs, products, policies, and procedures will conform to established requirements throughout their life cycle. The term “product" is used in this IRM to describe processes and systems developed, produced, and acquired by the IRS to carry out critical missions and functions.
Quality assurance identifies unsatisfactory trends and conditions, prevents defects and non-conformances, and corrects factors to contribute to improved processes and outcomes.
Quality assurance uses a variety of administrative, analytical, and technical methods and techniques to enhance the excellence and reliability of products and services. The IRS approach to quality assurance addresses an entire range of activities described for each functional program and/or a variety of systematic activities designed to identify and prevent defective or ineffective processes to verify that processes are acceptable and perform as intended.
Recently, a number of factors have exerted a significant influence on quality assurance programs in the Federal Government such as:
Advances in technology
More sophisticated and complex products and services, such as new software
Greater concern for reliability, user satisfaction, and security
More emphasis on economy, timely delivery, and the cost of quality
More stringent quality and reliability requirements
More involvement of quality assurance early in the process or in the development phase
Quality assurance reviews give the IRS added assurance that the organization is adhering to internal control and management guidance, standards, regulations, and legislation through a formal objective assessment process. Quality assurance reviews assess and document internal control activities over financial reporting such as:
Annual financial statements
Other significant internal or external financial reports
Compliance with laws and regulations that pertain to those financial reports
Federal Managers' Financial Integrity Act (FMFIA) of 1982. The FMFIA requires Federal agency managers to establish internal accounting and administrative controls according to the standards issued by the Government Accountability Office (GAO).
Background: The FMFIA is a response to continuing disclosures of waste, loss, unauthorized use, and misappropriation of funds or assets associated with weak internal control and accounting systems. It establishes requirements regarding management accountability and controls. This law encompasses program, operational, and administrative areas as well as accounting and financial management. The Act requires agency heads to submit an annual statement of assurance to the President and Congress on the adequacy of internal control and actions taken to correct identified weaknesses. Each annual statement must also include a report on whether the agency's accounting system conforms to the principles, standards, and other related FMFIA requirements.
GAO Internal Control Standards Background: Also required by the FMFIA, GAO publishes the Standards of Internal Control in the Federal Government. These standards provide the overall framework for establishing and maintaining internal control. The standards also identify and address major performance and management challenges, as well as areas at greatest risk of fraud, waste, abuse, and mismanagement. Internal control is an integral component of an organization's management and helps government program managers achieve desired results through the effective stewardship of public resources. See GAO Green Book GAO-13-830SP
OMB Circular A-123, Management’s Responsibility for Internal Control. The Circular provides guidance for Federal managers on improving the accountability and effectiveness of programs and operations. OMB issues implementation guidance in Circular A-123, Management's Responsibility for Internal Control, which provides guidance for Federal managers on improving the accountability and effectiveness of programs and operations by establishing, assessing, correcting, and reporting on management controls.
Background: Under the FMFIA provisions, OMB and GAO issue internal accounting and administrative control evaluation guidelines for agencies to determine their systems’ compliance.
Additional FMFIA policy is issued in OMB Circular A-123, Appendix D, Compliance with the Federal Financial Management Improvement Act of 1996, to govern agencies’ financial management systems. Financial management systems must be in place to process and record financial events effectively and efficiently and provide complete, timely, reliable, and consistent information for decision makers and the public. In support of these objectives, each agency must establish and maintain a single integrated financial management system that complies with internal control standards, among other requirements, as defined in OMB Circular A–123 and successor documents. See OMB Circular A-123, Appendix D.
OMB Circular A-123 defines management controls as the organization’s policies and procedures used to reasonably assure that:
Programs achieve their intended results
Resources are used consistent with the agency mission
Laws and regulations are followed
Programs and resources are protected from waste, fraud, and mismanagement
Reliable and timely information is used for decision making
As Federal managers develop and implement strategies for re-engineering agencies’ programs and operations, they should design management structures that help account for results and include appropriate, cost-effective controls.
Annual Self-Assessment – is a manager's review of the effectiveness of controls within his/her area of responsibility and the documentation of that review through written and signed certifications. The involvement of each level of management in certifying the control environment within his/her sphere of operations assists in identifying risks at all levels. All managers and executives should complete the Self-Assessment Tool for Managers.
Continuous Monitoring – is the process and technology used to detect compliance and risk issues associated with an agency’s financial and operational activities.
Federal Managers' Financial Integrity Act (FMFIA) – is an act which requires each executive agency to establish internal accounting and administrative controls according to standards issued by the Government Accountability Office (GAO) Comptroller General. These controls provide reasonable assurance that:
Obligations and costs are in compliance with applicable law
Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation
Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts, reliable financial and statistical reports, and to maintain accountability over assets
Financial Audit: IRS's Fiscal Year Financial Statements (The Blue Book) – GAO annually audits the IRS financial statements to determine whether the financial statements are fairly presented and IRS management maintained effective internal control over financial reporting. GAO also tests IRS compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements.
Government Auditing Standards (The Yellow Book) – provides guidance for conducting high quality audits with competence, integrity, objectivity, and independence. The GAO Yellow Book is used by auditors of government entities that receive government awards, and other audit organizations performing Yellow Book audits.
Internal Control – is an integral component of an organization’s management that provides reasonable assurance that the following objectives are being achieved:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Methodology – is a documented process for applying standards when assessing, documenting, and reporting on internal control over financial reporting.
OMB Circular A-123, Management's Responsibility for Internal Control – provides guidance to agencies and individual Federal managers on taking systematic and proactive measures to:
Develop and implement appropriate, cost-effective internal control for results-oriented management
Assess the adequacy of internal control in Federal programs and operations
Assess and document internal control over financial reporting
Identify needed improvements and take corresponding corrective action
Report annually on internal control through management assurance statements
Operating/Functional Divisions – are the IRS areas organized around customers with similar needs. The scope of IRS operations includes collection of individual and corporate taxes, examination of returns, taxpayer assistance, and tax-exempt organizations.
Opportunity for Improvement (OFI) – is a finding or recommendation by the A-123 internal control test team which identifies situations in which controls are working but could be strengthened through corrective actions or process improvements.
Quality Assurance (QA) – is a planned, systematic approach designed to provide confidence that programs, processes, products and services will conform to established requirements throughout their life cycle.
Risk - is an event that may occur and affect the achievement of a business objective.
Risk Assessment – is a process to allow an entity to consider the extent to which potential events have an impact on the achievement of objectives.
Sampling Plan – is an outline detailing the criteria for sample selection (population size, frequency of control, risk, etc.) from a population or universe.
Standards for Internal Control in the Federal Government (Green Book) – are GAO standards that provide management criteria for designing, implementing, and operating an internal control system and reinforce management’s accountability for internal control as required by the FMFIA.
Statement of Assurance – is a managerial certification that represents an informed judgment as to the overall adequacy and effectiveness of internal control. The manager will provide one of the following:
An unqualified statement of assurance that an effective and efficient system of internal control exists
A qualified statement of assurance that an overall sound system of internal control exists but one or more material weaknesses have been identified
No assurance on the system of internal control
Structured Management Review (SMR) – is a review of documented continuous monitoring activities including quality assurance reviews or other independent internal reviews put in place to cover many IRS internal control activities during the normal course of operations.
Tactical Review Assessment Plan (TRAP) – is the overarching review plan for selected quality assurance reviews that will occur during a fiscal year. The TRAP includes standard operating procedures for the selection criteria, risk assessment, and rotation schedule.
Work papers - are the records and documentation related to a management review, program evaluation, and quality assurance review.
This IRM contains the following acronyms and meanings:
Acronym Meaning AFR Agency Financial Report CFO Chief Financial Officer CPIC Corporate Planning and Internal Control ELMS Enterprise Learning Management System FISMA Federal Information Security Management Act FMFIA Federal Managers’ Financial Integrity Act FOD Functional Operating Division FY Fiscal Year GAO Government Accountability Office GPRAMA Government Performance and Results Act Modernization Act IFS Integrated Financial System IPERA Improper Payments Elimination and Recovery Act MC ESC Management Controls Executive Steering Committee NTA National Taxpayer Advocate OCS Office Communications Server OMB Office of Management and Budget PII Personally Identifiable Information RRACS Redesign Revenue and Accounting System SET Senior Executive Team SBU Sensitive But Unclassified SMR Structured Management Review SOI Statistics of Income TDCFO Treasury Deputy Chief Financial Officer TIGTA Treasury Inspector General for Tax Administration TRAP Tactical Review Assessment Plan UWR Unified Work Request
The IRS Quality Assurance Program requires the cooperation and assistance of many IRS organizations including:
IRS Operating/Functional Divisions: Identify, develop, and implement appropriate quality assurance reviews based on strategic and performance goals; complete the annual GAO Internal Control Questionnaire and FMFIA Managers' Self-Assessment; submit the Quality Assurance Questionnaire; and assist in the Quality Assurance Program reviews
Enterprise Risk Management Program Office: Supports the identification, assessment, and mitigation of risks, and provides senior management the information necessary to make sound decisions
Chief Financial Office: Provides overall program direction for the IRS Quality Assurance Program including developing and implementing policy, training, and reports to executive leadership
Statistics of Income (SOI): Identifies random review selection criteria for the Quality Assurance Program reviews
The operating/functional divisions are responsible for implementing quality assurance programs. The goal is to create independent quality assurance processes complimentary to, but separate from, the CFO Quality Assurance Program, including:
Identifying and developing quality assurance reviews for their organizations to meet internal control objectives
Identifying the executives responsible for internal control in their operating/functional divisions
Identifying Quality Assurance Program review volunteers for their organizations to participate as reviewers in the IRS quality assurance reviews led by the CFO
Advising all executives and managers of internal control and quality assurance review requirements
Interpreting internal control and quality assurance policy and providing general technical guidance and direction to executives and managers
Providing input to the CFO on needed updates to IRM guidance on quality assurance reviews
Developing and presenting appropriate quality assurance training for their organizations
Coordinating the FMFIA managers' annual self-certifications and reporting activities
Tracking and addressing open GAO/TIGTA audit findings and recommendations
The CFO develops financial management policy and procedures, performs A-123 testing and program evaluations as part of the IRS clean audit approach.
The CFO provides audit-focused training, business-practice development, and audit policy and oversight.
The CFO Quality Assurance Program oversight functions include:
Establishing and documenting the Quality Assurance Program framework and related components
Developing the Quality Assurance Program project timeline and plan, which identifies yearly tasks, new projects, due dates, and points of contact to conduct the continuous Quality Assurance Program reviews
Updating the Tactical Review Assessment Plan (TRAP)
Collaborating with operating/functional divisions to identify best practices and program improvements
Providing Quality Assurance Program liaisons with procedures for conducting the annual quality assurance reviews
Developing and maintaining Electronic Learning Management System (ELMS) training courses for the IRS Quality Assurance Program
Maintaining a website with references for training, new program policy, frequently asked questions, and program updates
Updating IRM guidance on the IRS Quality Assurance Program (See the Quality Assurance section on the CFO CPIC website)
Maintaining records retention of work papers associated with the annual quality assurance reviews
Tracking the status of open review findings and recommendations
The CFO issues the quality assurance call memorandum and the annual assurance call memorandum to operating/functional divisions related to the quality assurance process review.
Quality assurance call memorandum - announces the quality assurance reviews for the fiscal year cycle and requests support from each operating/functional division to assist in conducting quality assurance reviews by:
Identifying an executive responsible for internal control for each operating/functional division. This designee will be notified of issues that arise during the quality assurance review and receive the completed review results
Designating staff to assist in the quality assurance process. These reviewers will receive training and conduct the selected review(s) for each selected operating/functional division
The Annual assurance call memorandum - guidance issued to the Deputy Commissioners, Division Commissioners, Chiefs, Directors, National Taxpayer Advocate, the Chief Risk Officer, and Chief Counsel on the annual self-assessment of internal control, on preparing the annual assurance memorandum, and identifying quality assurance reviews for their organizations.
Attachment 1 - Annual Assurance Review Process- requests operating/functional divisions to consider the results from Management, Program, and Quality Assurance reviews as support for the annual certification. These are the managers' annual self-assessments to determine the effectiveness of controls within their area of responsibility and include the preparation of individual written certifications to support the overall operating/functional division’s certification. See IRM 22.214.171.124, Annual Assurance Review Process
Attachment 2 - Identification of IRS Quality Assurance Reviews and Initiatives- requests operating/functional divisions to identify and submit management, operational, and quality assurance review questionnaires to the CFO. Operating/functional divisions are asked to identify and submit all reviews, even ones previously submitted, given the organizational realignments and Concept of Operations (CONOPS) initiatives. Examples of existing reviews conducted throughout the IRS are provided as a reference. See IRM 126.96.36.199, Identification of Quality Assurance Reviews and Initiatives
Attachment 2 notifies operating/functional divisions that their management reviews, program evaluations, and quality assurance reviews may be selected for further review
Attachment 2 requests that operating/functional divisions submit new quality assurance reviews that were not previously submitted. This includes identifying all quality assurance reviews that test or review work quality, measure quality of data, identify trends, problem areas, and improvements to program effectiveness in light of applicable directives, standards, and procedures. These reviews include work process, program, or operation management reviews as well as operational reviews and site visits.
To aid in planning for future Quality Assurance Program reviews, operating/functional divisions are encouraged to provide senior leaders’ suggestions on quality assurance reviews that merit consideration for additional review. Input by operating/functional divisions is important and will help in designing a quality assurance review plan to best address issues that are important within the IRS.
The CFO compiles the operating/functional division annual assurance questionnaire results into an inventory of IRS internal control activities. The operating/functional division questionnaires are used to update the quality assurance catalogue with the number of IRS quality assurance reviews. The CFO documents the specified number of reviews selected for the current fiscal year based on review selection criteria. See IRM 188.8.131.52.2, Review Selection Criteria. The catalog of quality assurance reviews is maintained by the CFO and stored on the CPIC website. The website is updated as needed with references and other materials. (See the Assurance Call Memo)
The CFO Corporate Planning and Internal Control unit (CFO-CPIC) is responsible for providing the quality assurance review executive updates to the Management Controls Executive Steering Committee (MC ESC).
Statistics of Income (SOI) completes quality measurement programs and performs research and other statistical functions to meet IRS requirements. The SOI major responsibilities include:
Compiling information from tax returns sampled from those filed at Submission Processing Centers
Conducting IRS studies on the operations of tax laws for all types of filing entities
Providing information used by various Federal and State agencies, corporations, educational and research organizations, foreign governments, and international organizations in decision-making activities
Making data available to the general public in the form of publications and electronic databases
SOI assists in the Quality Assurance Program reviews by:
Determining the review sample size, when requested
Developing and maintaining procedures for random review selection
Working with the CFO to gather all information necessary to implement the sample selection procedures
Selecting a random sample of reviews
The IRS Quality Assurance Program goal is to support the annual assurance statement signed by the Commissioner and submitted to the Department of the Treasury as required by the FMFIA.
The IRS annual assurance statement is supported by the:
FMFIA Managers’ Assessment
A-123 internal control testing results
Material weakness remediation plan (as necessary)
Quality assurance reviews
The table below describes the elements that support the annual assurance statement.
The first column identifies the name of the element and the second column provides a description of the element.
Element Description FMFIA Managers’ Assessment Compilation of self-certifications signed and dated by IRS managers on or around July 31st and submitted to the CFO. These certifications assess the effectiveness of internal control and identify any potential risks. A-123 Internal Control Testing Results The Department of the Treasury's methodology supporting the assessment of internal control over financial reporting is centered on the documentation, testing, and assessment of internal control at the transaction level applied on a day-to-day basis. The methodology also includes factors surrounding the operational environment of internal control, including the financial reporting compilation and preparation process, an assessment of the control environment, compliance with governing laws and regulations, and information and actions derived from audit report findings and recommendations.
The Core Financial Processes represent the day-to-day actions taken to identify, collect, review, record, analyze, and summarize financial activity for reporting across all bureaus and offices. The Core Financial Processes are:
Budget & Finance
Accounts Payable & Payments
Sales, Accounts Receivable, & Collections
Manage Assets & Liabilities
Reporting & Information
Internal control testing occurs as of June 30th (interim) and September 30th (4th Quarter):
Over 20 transaction processes are identified by the Department of the as being material to its Consolidated Financial Statements.
The tests include 14 administrative processes related to the annual appropriation, six information system processes, and three custodial processes for tax revenue receipts through September 30th.
The transactions included additional testing for custodial activity related to tax refunds and cash reconciliation.
The testing indicates whether internal control was primarily in place and operating effectively with no new material weaknesses found in the design or operation of the internal control.
Material Weakness Remediation plan (as necessary) A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.
The IRS monitors material weaknesses and prepares corresponding corrective action plans.
Quality Assurance Reviews Within the Quality Assurance Program framework is a review of selected management reviews, program evaluations, and quality assurance reviews performed by the operating/functional divisions to meet performance and internal control goals and objectives.
The IRS Quality Assurance Program catalogs the body of work performed by the operating/functional divisions designed to support internal control objectives and continuously improve programs. The Quality Assurance Program may also be viewed as the framework document under which individual projects are conducted and reviewed. The Quality Assurance Program consists of the following components:
Quality assurance reviews
Policy and guidance
The Quality Assurance Program executive oversight component fulfills a critical management and integration function for financial and management controls. The MC ESC is an advisory committee to the Commissioner and Deputy Commissioners who have overall responsibility for determining that the IRS has an effective internal control program in place.
The MC ESC is comprised of operating/functional division senior executives and provides a top leadership perspective to address important cross-functional issues. See IRM 184.108.40.206, Management Controls Executive Steering Committee (MC ESC).
The Quality Assurance Program managerial assertions component leverages existing internal control questionnaires, surveys, and certification instruments to reduce managerial burden. These instruments include:
A-123 Internal Control Evaluation Checklist/ Government Accountability Office (GAO) Internal Control Management and Evaluation Tool (Abbreviated). This is a checklist based on GAO's Standards for Internal Control in the Federal Government, which was issued to assist agencies in maintaining or implementing effective internal control and to help determine what, where, and how improvements can be implemented. The checklist provides a systematic, organized, and structured approach to assessing the internal control structure. The five sections of the checklist correspond to the five standards for internal control (control environment, risk assessment, control activities, information and communications, and monitoring). Each section contains a list of major factors to be considered when reviewing internal control as it relates to the particular standard. These factors represent some of the more important issues addressed by the standard. Included under each factor are points and subsidiary points that users should consider when addressing the factor. The points and subsidiary points are intended to help IRS managers consider specific items that indicate the degree to which internal control is functioning based on an informed judgment. The GAO Checklist is reviewed annually and has been updated with specific Quality Assurance Program related questions in the Monitoring section. See IRM 220.127.116.11, Federal Management Integrity Criteria for Quality Assurance Reviews.
FMFIA Manager’s Assessment. This is a questionnaire used to conduct a self-assessment of administrative controls in a manager's work area based on the five sections of the GAO standards for internal control (control environment, risk assessment, control activities, information and communications, and monitoring). IRS managers conduct a self-assessment of internal control and report to the CFO on their status every year through the Annual Assurance Review Process. The compilation of the managers' certifications is the basis for the Commissioner’s annual assurance statement required by the FMFIA. See IRM 18.104.22.168 , Annual Assurance Review Process. The FMFIA Manager's Assessment has been updated with specific Quality Assurance Program related questions in the Monitoring section.
The quality assurance review component of the Quality Assurance Program validates the operating/functional divisions' assessments of the effectiveness of IRS operational and internal control from:
Management and operational reviews
Quality assurance reviews
The quality assurance reviews include selected samples of:
Quality assurance reviews conducted throughout the IRS to carry out its critical mission and functions
FMFIA managers' self-certification results
A-123 Internal Control Evaluation Checklist results
The quality assurance reviews are completed annually by operating/functional division volunteers. See IRM 22.214.171.124.4, Review Team Selection and Training.
The quality assurance review findings and recommendations are documented and presented to:
The operating/functional division quality assurance point of contact
The program executive responsible for the area
The MC ESC
Work papers and review documentation are electronically stored on the CPIC shared drive. See IRM 126.96.36.199.6., Review Documentation.
The policy and guidance component of the Quality Assurance Program addresses the CFO responsibilities for guidance including:
Standard operating procedures for the Quality Assurance Program sample selection, risk assessment, and rotation schedule
Catalog of quality assurance reviews
Review team and Electronic Learning System (ELMS) training
Checklists and program documentation including memoranda, findings, and recommendations
Reference material and website maintenance
Retention and storage
The CFO-CPIC unit is also responsible for a variety of activities including:
Developing and administering guidance to comply with FMFIA and OMB Circular A-123
Implementing FMFIA and OMB Circular A-123 at appropriate organizational levels
Providing annual management integrity/A-123 guidance
Planning, developing, and implementing policies for validating IRS compliance with FMFIA
Providing supplemental guidance and training materials as needed to support senior managers in interpreting and applying oversight agency guidance
Developing and implementing a strategy for validating IRS-wide compliance with FMFIA
Developing the form and content of the annual statement of assurance on management control based on recommendations and annual assurance letters from senior managers/senior assessment team
Maintaining technical expertise in the field of internal control
Providing technical assistance to program managers and staff
The assurance statement is a certification included in the annual Agency Financial Report (AFR) that represents the Commissioner's informed judgment as to the overall adequacy and effectiveness of internal control. The Commissioner will provide one of the following:
A statement of no assurance on the system of internal control
A qualified statement of assurance that an overall sound system of internal control exists but one or more material weaknesses have been identified
The CFO takes the following steps in the assurance process:
Requests that the operating/functional divisions complete and return the Internal Control Evaluation Checklist during the months of January and February. The Internal Control Evaluation Checklist is an abbreviated version of GAO’s full Internal Control Management and Evaluation Tool that IRS managers use to evaluate their internal control.
Issues annual guidance (May-June) to program and regional offices on complying with FMFIA, which includes a requirement to complete the checklist and retain a copy as supporting documentation. The CFO’s guidance also includes a reporting template with specific instructions for completing each section of the assurance letters, which combined provide the basis for the IRS annual assurance statement to the Department of the Treasury.
Shares the proposed IRS assurance statement with the MC ESC prior to submission to the Department of the Treasury with copies to the Treasury Inspector General for Tax Administration (TIGTA) and GAO, when final. See IRM 1.4.2, Monitoring and Improving Internal Control
In FY 2012, the IRS Annual Assurance Process was expanded to identify key management reviews, program evaluations, and quality assurance reviews conducted by the operating/functional divisions to assess the effectiveness of IRS operational controls. See IRM 188.8.131.52, Identification of Quality Assurance Reviews and Initiatives.
The Quality Assurance Program is essentially a review of selected management reviews, program evaluations, and operational reviews completed by the operating/functional divisions.
The Quality Assurance Program reviews are timed to support the annual submission of the IRS assurance statement to the Department of the Treasury, generally as of September 30th.
Completing quality assurance reviews for operating/functional divisions products, processes, and procedures is considered a continuous monitoring activity.
Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational activities. The financial and operational environment consists of the people, processes, and systems working to support efficient and effective operations. Controls are put in place to address risks within these components. Continuous monitoring actively identifies, quantifies, and reports control failures such as duplicate vendor records, duplicate payments, and transactions that fall outside of approved parameters. It highlights opportunities to improve operational processes. See IRM 184.108.40.206, Continuous Monitoring.
The selection of the number of quality assurance, management, and operational reviews for each fiscal year to support the annual assurance statement is based on a combination of the following:
MC ESC identification of high priority/high risk areas
Random selection by SOI
CFO risk and ranking criteria including oversight agency guidance (Department of the Treasury and GAO) and risks (identified by the Enterprise Risk Management and the National Taxpayer Advocate programs, A-123 internal control testing, and audit findings/recommendations)
Department of the Treasury Guidance (issued annually):
Presents the background for OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A
Describes the updated methodology for the fiscal year assessment plan describing the overall approach for the documentation, testing, and assessment of internal control over financial reporting
Provides definitions and assessment parameters defining key factors of the plan, presents the implementation of the testing plan, and describes the actions to be taken to execute the methodology
Provides summary information on the Department of the Treasury annual assurance statement guidance; which is distributed by the Office of the Treasury Deputy Chief Financial Officer (TDCFO) in July
Presents the fiscal year timeline displaying the guidance critical dates
Enterprise Risk Management: Provides the program portfolio view of enterprise risks that are most critical to all layers of management, up to and including the Commissioner's Office, across IRS operations and critical initiatives.
National Taxpayer Advocate (NTA) Annual Report to Congress: Identifies IRS Challenges/Risks.
CPIC A-123 Risk Assessment (updated annually): Presents the A-123 rotation schedule for testing determined by the following Department of the Treasury requirements:
Risk level has been identified by the known susceptibility to errors, existence of manual versus automated processes, as well as the total dollar balances of the financial statement line items associated with the process
Transactions deemed to be high risk and associated with processes that contribute at least 10 percent to the Department of the Treasury financial statement line item balances are tested annually
Transactions that are rotated every three years are those transactions that have not had a documented history of vulnerabilities or errors and are associated with processes that contribute less than 10 percent to the balance of the Department of the Treasury financial statement line items
Material Weaknesses: Identify areas for improvement and include open items from remediation and action plans.
Audit Findings: Identify open GAO financial reporting audit recommendations and TIGTA reports.
Green Book and Yellow Book: Provide GAO's Standards for Internal Control in the Federal Government (Green Book) and Government Auditing Standards (The Yellow Book).
The CFO selection criteria and justification are documented and maintained on the CPIC shared drive for reference.
The CFO will assess the operating/functional divisions' quality assurance review questionnaire submissions to:
Identify gaps where operating/functional divisions may need to develop managerial reviews
Determine whether duplicate reviews exist that can be eliminated, combined, or leveraged in some other way
Categorize the reviews by risk and ranking
The CFO will review and update the Tactical Review Assessment Plan (TRAP), Quality Assurance Program timeline, and standard operating procedures. The TRAP is the overarching review plan that will cover a segment of the quality assurance reviews that take place throughout the IRS including:
Selected review rotation (number of reviews)
Risk assessment designations (high, medium, and low)
Hierarchy of reviews
The CFO will develop a detailed quality assurance review schedule to appropriately select the timing of the reviews and obtain sufficient resources to complete the reviews.
The CFO will monitor the schedule and inform the MC ESC of any review delays, emerging trends and impending issues.
The quality assurance review checklist is used by the review team to document review results. Checklist questions help to determine how the selected operating/functional division review supports the IRS internal control over financial reporting. Space is allotted in a separate checklist area to provide explanatory comments for questions in each section.
The quality assurance review checklist contains four sections:
Introduction - addresses the who, what, when, where, and why of the operating/functional division quality assurance review
Review Scope - addresses the specific review team and dates of the review
Control Review - addresses more specific aspects of the operating/functional division quality assurance review
Results/Findings - documents findings and recommendations regarding the operating/functional division quality assurance review
The quality assurance checklist "Introduction " section includes:
Purpose, goals, and objectives
Name of operating/functional division
Name of responsible analyst/specialist
The quality assurance review checklist "Review Scope" section includes:
Time period covered by the review
The quality assurance review checklist "Control Review" section includes the following questions:
What is the frequency of the review?
What are the applicable IRM references, standard operating procedures, and/or required authoritative directives?
Were documented processes/procedures used to complete the review?
Have any risk factors been identified?
Will the risk factors be analyzed to determine their potential impact?
Have the review results been identified and documented?
Will a report be published with the results of the review?
Have tolerance thresholds been established, documented, and communicated?
Has the team established a repository for all program/project documentation?
Is the quality assurance team separate and distinct from the preparers/process owners?
Does the quality assurance team have access to, or the ability to adjust, live data?
Does the system/process support accounting information recorded in the financial systems?
The administrative system is the Integrated Financial System (IFS). The custodial system is the Redesign Revenue and Accounting System (RRACS).
Is this process audited by GAO, TIGTA, or CFO? If yes, does the quality assurance review address the GAO, TIGTA, or CFO audit findings/recommendations?
Is this process related to or supportive of the annual audited financial statements?
Is a report on the results of the review compiled and forwarded to senior management for evaluation and follow-up action?
Does a consolidated listing of identified control issues exist either internally or in collaboration with IT that indicates the status of actions?
Is the latest manager's FMFIA assurance "Reasonable" or "Qualified?" If qualified, do the related quality assurance review results identify areas for improvement?
Reasonable assurance is an informed judgment by the head of an organization, based upon all available information, that the internal control in place adequately protects the resources and ensures mission completion. Reasonable assurance recognizes that the cost of controls should not exceed the benefits derived from them.
Qualified assurance is an informed judgment by the head of an organization, based upon all available information, that the internal control in place may not be adequate to address the problems identified in the assurance memorandum. This opinion is based on the number of identified problems or the seriousness of the problems. (See IRM 220.127.116.11, Annual Assurance Review Process
What was the organization's response in the GAO Abbreviated Internal Control Questionnaire?
The quality assurance checklist "Results/Findings" section includes:
Control effectiveness - determines whether the review controls are effective or ineffective
Recommendations - identifies instances where the controls are working but could be strengthened (findings and recommendations require follow-up in a subsequent year)
Corrective actions required - summarizes the corrective actions that will be taken if the control is ineffective
The Quality Assurance Program review process is supported by assistance from operating/functional division volunteers including:
Assurance statement process liaisons
Audit liaisons and the operating/functional division risk liaisons
Embedded financial and other staffs
The CFO will prepare and submit the quality assurance call memorandum to the Division Commissioners, Chiefs, Chief Counsel, Chief Risk Officer, and National Taxpayer Advocate requesting volunteers to assist in the quality assurance reviews. Senior Executive Team (SET) members are asked to identify the executive responsible for internal control in their operating/functional division and to designate staff to assist in the quality assurance process. Individuals designated for the review must be:
A program manager, coordinator, or staff member familiar with either the FMFIA certification process, quality assurance reviews, internal control testing, risk assessment, or the assurance process
Available to participate during the scheduled review dates
The CFO convenes the quality assurance review team and assigns reviews. The size of the review team is based on the number of quality assurance reviews selected.
The CFO schedules and conducts training for the quality assurance review team. Before attending training, team members should review:
IRM 1.4.2, Monitoring and Improving Internal Control
IRM 1.4.31, IRS Quality Assurance Program
Samples of completed quality assurance checklists
The training session topics include, but are not limited to:
Overview of internal control
Sample selection and the sampling approach
Review team roles and responsibilities
"How-to-Complete" instructions for review checklists and templates
Definitions from IRM 1.4.2 and IRM 1.4.31
Examples and findings from previous reviews
Review logistics (virtual, on-site, or other electronic media)
The CFO determines the review period for the quality assurance reviews. While the reviews are part of internal control continuous monitoring, the review period covers a specific fiscal year to support the annual assurance statement.
The quality assurance review validates aspects of the:
Operating/functional divisions' management reviews, program evaluations, and internal quality assurance reviews
Information contained in the quality assurance questionnaires submitted as part of the annual assurance process
Selected FMFIA managerial assertions
GAO Internal Control Management and Evaluation Checklist
The quality assurance review may be conducted virtually, through other electronic media, or on-site.
Virtual reviews are held at the IRS headquarters building in Washington, DC. Selected review files must be provided via secure, encrypted methods to protect personally identifiable information (PII) and sensitive but unclassified (SBU) information. The review team examines documents to determine whether the review controls seem to be effective. Printed copies of electronic documents are destroyed after use, unless necessary to support findings.
Other electronic media reviews are on-line reviews that may be conducted through the Office Communications Server (OCS), or other electronic media and the use of shared work spaces to make documentation available to multiple reviewers. OCS merges real-time communications (instant messaging, voice, video, application sharing) and near-time communications (e-mail, voice mail, fax) with presence information (indication of users real-time availability across locations and devices), and allows for effective communications across a number of communications channels for employees, regardless of their location.
On-site reviews are held in a designated location for a selected area. These reviews generally last one week. A number of sites may be selected and there may be multiple locations for each selected site. Travel costs for on-site reviews are the responsibility of the operating/functional divisions.
Prepares the timeline and determines the review period and review schedule
Assigns reviews to the review team members
Provides templates for e-mails and contacting the selected operating/functional division
The quality assurance review team notifies the operating/functional division review contact using the template and schedules the review date(s) during the review period.
Once notified that their quality assurance review(s) are selected, the operating/functional divisions are asked to provide the following information to the quality assurance review team:
Standard operating procedures
TIGTA or GAO audit findings/recommendations
Identified risk factors
Latest completed quality assurance review questionnaire
Latest manager's FMFIA certification
GAO Internal Control Management and Evaluation Checklist, if applicable
The review team records findings on the quality assurance review checklist(s). One quality assurance checklist is used for each review. When a reviewer determines that there are multiple aspects contained within one review, the reviewer should complete a separate checklist for each review component.
An operational review contains multiple components (e.g., employee appraisals, courier service reviews, employee performance reviews, payment processing reviews, and physical/data security requirements). Each component of the review is separate and distinct from other components within the review. In this scenario, the reviewer(s) would prepare five separate checklists.
The quality assurance review is considered an inspection-type control test.
The CFO quality assurance review team shares findings with the selected operating/functional division point of contact, next level manager, and the appropriate executive.
The CFO examines all checklists prepared by the review team for completeness, especially noting whether review processes are subject to audit and internal control activities over financial reporting, and then:
Summarizes the results for each operating/functional division
Verifies storage of the quality assurance review work papers and related e-mail communications on the CPIC shared drive
Provides notification to the responsible executive of each operating/functional division
Reports overall results to the MC ESC
The operating/functional division quality assurance review is used as one of the bases for the annual assurance statement for internal control over financial reporting at the office, bureau, and department levels. The IRS assurance statement is supported by:
FMFIA managers' assessments
A-123 Internal Control Evaluation Checklist/GAO Internal Control Management and Evaluation Tool (Abbreviated)
A-123 Internal Control Testing (Interim as of June 30th and 4th Quarter as of September 30th)
Selected quality assurance reviews
Based on the summary of quality assurance checklist results by selected operating/functional division, the CFO e-mails the quality assurance review findings to the operating/functional division:
Point of contact
Next level manager
The summary is intended to be used as a tool by the operating/functional divisions to discuss findings and develop or update guidance for their organization.
The CFO verifies retention and storage of the quality assurance review work papers and related e-mail communications on the CPIC shared drive or other designated storage media/applications, including hard-copy folders. All review work papers are retained for a period of three years.
Review work papers represent all quality assurance materials, including, but not limited to:
Completed review checklists
IRM extracts and/or references
Operating/functional division’s standard operating procedures
Review reports provided by the selected operating/functional division
Copies of TIGTA or GAO audit findings/recommendations
Latest manager's FMFIA certification
GAO Internal Control Management and Evaluation Checklist, if applicable
Operating/functional division quality assurance questionnaire responses
Reviewer notes, findings, and recommendations
The CFO summarizes the results for each selected review organized by operating/functional division (usually using an electronic spreadsheet). The summary is completed usually within two weeks after the quality assurance review period ends and is stored on the CPIC shared drive or other designated location.
The Quality Assurance Program review documentation is considered temporary records. These selected review records must be closed out at the end of the fiscal year and destroyed three years after closure as follows:
E-mail communications including selected review notifications
Review documentation, checklists and work papers
Review findings and recommendations
Operating/functional division Quality Review Questionnaires
The FMFIA requires Federal agency managers to establish internal accounting and administrative controls according to GAO standards.
The FMFIA requires Federal agency managers to annually:
Evaluate and report on the effectiveness of internal control and financial accounting systems in accordance with Sections 2 and 4 of FMFIA, respectively
Evaluate, in accordance with OMB guidelines, whether their agency’s internal controls comply with GAO’s standards
Issue a statement of assurance and indicate full compliance or non-compliance
OMB Circular A-123 describes Federal managers’ responsibilities for internal control, stating that management is responsible for establishing and maintaining internal control to achieve the objectives of:
Effective and efficient operations
Reliable financial reporting
Compliance with applicable laws and regulations
Appendix A of Circular A-123 requires Federal agencies to separately assess effectiveness of internal control over financial reporting. The Circular also states that "Management shall consistently apply the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness." OMB Circular A-123 provides guidance to Federal managers on meeting FMFIA requirements.
OMB Circular A-123:
States that "Internal control guarantees neither the success of agency programs, nor the absence of waste, fraud, and mismanagement, but is a means of managing the risk associated with Federal programs and operations." By including "programs and operations," OMB emphasizes goals set by the organization, risks agencies face in meeting those goals, whether agencies have identified and assessed risks, and whether agencies have taken steps to manage those risks
Requires Federal managers to take systematic and proactive measures to develop and implement appropriate internal control for results-oriented management
Describes the requirements of FMFIA as "an umbrella under which other reviews, evaluations, and audits should be coordinated and considered to support management’s assertion about the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations"
"Other reviews" that FMFIA reporting should coordinate and consider include activities under the Government Performance and Results Act Modernization Act (GPRAMA), such as developing strategic plans, setting performance goals and measures, and reporting annually on actual performance results compared to goals.
The FMFIA and OMB requirements support an overall internal control framework as illustrated below:
As required by FMFIA, GAO established the "Standards for Internal Control in the Federal Government" listed in OMB Circular A-123. The standards provide the overall framework for establishing and maintaining internal control, and for identifying and addressing performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement.
The standards comprise a major part of managing an organization, including plans, methods, and procedures used to meet missions, goals, and objectives and, in doing so, support performance-based management.
The three-column table below describes GAO's standards for internal control in the Federal Government. The first column identifies the standard number, the second column lists the standard, and the third column describes the standard.
GAO’s Standards for Internal Control in the Federal Government No. Standard Standard Description 1. Control Environment This standard establishes and maintains an environment throughout the organization that sets a positive and supporting attitude toward internal control and conscientious management. This includes establishing goals, objectives, and performance measures at the entity-wide and activity levels. 2. Risk Assessment Once the goals, objectives, and measures have been defined, the risks that could impede the efficient and effective achievement of those objectives are identified. This includes an assessment of the risks the agency faces from both internal and external sources. Risk assessment includes identifying and analyzing relevant risks associated with achieving objectives, such as those defined in strategic and annual performance plans developed under GPRAMA, and form a basis for determining how to manage risks. Management needs to comprehensively identify risks and should consider all significant interactions between the entity and other parties as well as internal factors at both the entity-wide and activity levels. 3. Control Activities These are the policies, procedures, techniques, and mechanisms that implement management’s direction toward achievement of goals. Internal control activities help verify that management’s directives are carried out. 4. Information and Communications This standard includes data and information (performance and financial) to determine whether the organization is meeting its goals and objectives and maintaining accountability over resources. 5. Monitoring Internal control monitoring should assess the quality of performance over time and ensure that findings of audits and other reviews are promptly resolved. Source: OIG summary of GAO’s Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (November 1999).
The IRS quality assurance program complies with OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A: Internal Control over Financial Reporting issued under the authority of the Federal Managers' Financial Integrity Act of 1982:
Purpose. OMB Circular A-123 provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on internal control. This Circular defines management’s responsibilities related to internal control and the process for assessing internal control effectiveness along with a summary of the significant changes. The Circular also provides updated internal control standards and new specific requirements for conducting management’s assessment of the effectiveness of internal control over financial reporting (Appendix A). This Circular emphasizes the need for integrated and coordinated internal control assessments that synchronize all internal control-related activities.
Policy. Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Management shall consistently apply the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness. When assessing the effectiveness of internal control over financial reporting and compliance with financial-related laws and regulations, management must follow the assessment process contained in Appendix A. Annually, management must provide assurances on internal control in its Agency Financial Report, including a separate assurance on internal control over financial reporting, along with a report on identified material weaknesses and corrective actions.
Actions Required. Agencies and individual Federal managers must take systematic and proactive measures to (i) develop and implement appropriate, cost-effective internal control for results-oriented management; (ii) assess the adequacy of internal control in Federal programs and operations; (iii) separately assess and document internal control over financial reporting consistent with the process defined in Appendix A; (iv) identify needed improvements; (v) take corresponding corrective action; and (vi) report annually on internal control through management assurance statements.
According to the OMB Circular A-123 Implementation Guide:
Federal agencies are subject to numerous legislative and regulatory requirements that promote and support an effective internal control framework. Similarly, numerous reviews are performed by management, or on management’s behalf, throughout the year in order to comply with various laws and regulations.
Agencies should strive to integrate control-related activities within the control framework outlined in Circular A-123. In particular, management should identify opportunities to integrate and coordinate in order to leverage the internal reviews already being performed.
Internal reviews are required by the Federal Information Security Management Act of 2002 (FISMA) and the Improper Payments Elimination and Recovery Act (IPERA). Management should consider the results of these reviews to identify gaps between baseline control activities, the documentation, and the assessment process for financial reporting.
The results of the work performed under these laws may also be used to support management’s assertion as to the effectiveness of the internal control. The desired approach would be to design the testing and assessment to accomplish all requirements in the most efficient manner.
The IRS quality assurance reviews examine management reviews, program evaluations, and quality assurance reviews developed by the operating/functional divisions. When the need for a new quality assurance review is determined by the operating/functional division, there are guidelines for what components should be included when developing the new review.
Examples of existing IRS quality assurance review titles include:
Appeals Quality Measurement System
Quality Analysis and System Review
Manual Refund Reviews
100-Day Case Reviews
Application Development Quality Assurance Audits
Integrated Functional Test and Exercises Evaluation
Interest Penalty Payment Review and Report
Quality Assurance Internal Compliance Review
Operational Review of Employment Tax Groups
Tax Exempt Bonds Quality Review Program
New operating/functional division reviews may be identified by:
The operating/functional division
The MC ESC
TIGTA and GAO audit recommendations
Newly enacted legislation (e.g., the Affordable Care Act)
Threats and trends (e.g., cyber terrorism and identity theft)
The IRS Quality Assurance Program
The three basic principles for quality assurance reviews are:
Final responsibility for quality rests with the organizations that design, develop, produce, maintain, store, and issue the product, process, or procedure. Quality assurance supports these activities by verifying that adequate quality provisions are planned, developed, and implemented.
Quality cannot be "inspected" into the finished product, process, or procedure. Quality assurance focuses its activities on the identification, prevention, and correction of unsatisfactory conditions or elements which influence acceptability of the end product.
Quality is defined in terms of specific requirements to be met. Such requirements must be effectively communicated to and understood by those organizations whose operations may, in any way, influence the quality of the product, process, or procedure in terms of its use, interchangeability, form, fit, function, or safety.
Operating/functional divisions’ quality assurance reviews may use the following techniques:
Inspection - requires a review examining the evidence of a given control (looking for signatures of a reviewing official or reviewing past reconciliations).
Observation - requires watching actual controls in operation (observing a physical inventory or watching a reconciliation occur).
Re-performance - requires re-completing a given control (re-calculating an estimate or re-performing a reconciliation).
In designing quality assurance reviews, operating/functional divisions should make certain that controls are tested by individuals other than those routinely executing them.
The CFO will assess the listing of IRS quality assurance, management, and operational reviews to recommend new reviews for operating/functional divisions where gaps are identified.
In developing new quality assurance reviews, operating/functional divisions are encouraged to refer to the questions from the Quality Assurance Review Checklist under the Control Review Section. This section may be used to determine whether a quality assurance review is needed and provides key components (e.g., guidance in IRMs and SOPs, review reports, review relationship to financial reporting, and executive and managerial notification of findings/recommendations) that can be incorporated in the new review. IRM 18.104.22.168.3., Quality Assurance Review Checklist.
Operating/functional divisions are encouraged to:
Develop management, operational, and quality assurance reviews that address a single activity. Identifying one review process that occurs over multiple locations is considered one review. Reviews with multiple activities (e.g., data security and employee performance) should be separated, as practical
Test the performance of the new review and refine the review techniques and documentation
Complete a Quality Assurance Questionnaire for the new review as part of the annual assurance call memorandum process. The new review will be incorporated into the IRS inventory of quality assurance, management, and operational reviews
The IRS internal control environment continues to improve through the corrective actions implemented by management. The management commitment to excellence, accountability, and compliance with applicable laws and regulations is evidenced in actions to establish effective controls, make sound determinations on corrective actions, and verify and validate the results.
Generally, quality assurance work requires the following kinds of knowledge and skills:
Knowledge of pertinent product, process, or procedure characteristics, methods and processes
Knowledge of quality assurance/control methods, principles, and practices, including statistical analysis and sampling techniques
Knowledge of inspection, test, and measurement techniques
Knowledge of the relationship of quality assurance to other activities such as tax administration, legal and judicial activities, administrative hearings to resolve income tax and collection controversies, including collection due process activities, financial reporting/auditing and assessment and supporting tax and/or financial systems
Skill in interpreting and applying products, processes or procedures, specifications, technical data, regulations, policy statements, and other guideline materials
Skill in conducting studies and investigations, problem analysis, and developing logical and documented recommendations
Skill in written and oral communications
Skill in establishing effective interpersonal relationships
Quality review and quality assurance processes that are already in place are considered Structured Management Reviews (SMRs) and may be tested as part of the A-123 internal control testing process.
The A-123 transaction test called the AC-6: Administrative Cash Reconciliation, verifies that internal control procedures governing IRS cash reconciliations are in place and working effectively. Cash reconciliations are performed monthly and the IRS A-123 testing is performed on three monthly reconciliations.
SMRs may serve as assurance of testing of internal control, but the review must meet specific criteria. The documentation should contain sufficient information to enable an individual with no previous connection with the evaluation to understand what was reviewed, what was found, and to verify the reviewer’s judgments and conclusions. See IRM 22.214.171.124.3, Evaluate Structured Management Review (SMR).
An SMR should have the following elements:
Documented procedures that guide the SMR
Reviews performed at regular intervals
Documented and independent review of results
Documented process to resolve noted deficiencies
The three-column table below provides questions to address in developing a new quality assurance review. The first column provides the question, the second column is used to determine a yes-or-no answer, and the third column is used to explain the results of the answer.
Quality Assurance Review Development Questions YES or NO Explain Is the SMR actually being used as designed? Is the SMR meeting the internal control objectives? Do the personnel executing the SMR have adequate skills and receive sufficient training to complete review? Are adequate procedures in place for the SMR? Is the guidance for the SMR followed? Were issues/errors/concerns adequately and consistently addressed and documented? Is the guidance for the SMR consistently followed for error determination and documentation requirements? Do the personnel have adequate time, resources, etc. to competently execute the SMR? Are the sample sizes and sample methodologies appropriate for the internal control? Is a documented SMR in place and is it being monitored by an appropriate level of management? Is the SMR performed an appropriate number of times per year to fulfill the internal control function? Is the review performed at an appropriate time in the process to allow for error correction and prevention of a similar error? Is management using the results of the SMRs to correct the error, process, or procedure?
IRM 1.15.2, Records and Information Management, Types of Records and Their Life Cycles.
IRM 1.4.2, Monitoring and Improving Internal Control).
IRM 1.4.3, IRS Guidance for Implementing OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting.