1.4.31 IRS Quality Assurance Program

Manual Transmittal

August 05, 2015

Purpose

(1) This transmits new IRM 1.4.31, Resource Guide for Managers, IRS Quality Assurance Program.

Material Changes

(1) This IRM contains the framework for the IRS Quality Assurance Program, which is designed to support the annual assurance statement signed by the Commissioner and submitted to the Department of the Treasury. The program includes executive oversight, managerial certifications, and reviews of quality assurance efforts.

Effect on Other Documents

This IRM supports IRM 1.4.2, Resource Guide for Managers, Monitoring and Improving Internal Control.

Audience

All IRS Managers

Effective Date

(08-05-2015)

Robin L. Canady
Chief Financial Officer

Overview

  1. This IRM provides guidance on the processes and procedures for the IRS Quality Assurance Program to support the annual assurance statement required by the Federal Managers' Financial Integrity Act (FMFIA) and activities defined by OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A: Internal Control over Financial Reporting.

  2. The Chief Financial Officer (CFO), Corporate Planning and Internal Control (CPIC) unit, Office of Internal Control (IC), developed and maintains this IRM. CPIC-IC develops internal control policy, performs A-123 internal control testing, and conducts compliance reviews and program evaluations to support the IRS unqualified audit opinion. CPIC-IC also provides audit-focused training, business-practice development, audit policy, and oversight.

Background

  1. Quality assurance is a planned, systematic approach designed to provide confidence that programs, products, policies, and procedures will conform to established requirements throughout their life cycle. The term “product" is used in this IRM to describe processes and systems developed, produced, and acquired by the IRS to carry out critical missions and functions.

  2. Quality assurance identifies unsatisfactory trends and conditions, prevents defects and non-conformances, and corrects factors to contribute to improved processes and outcomes.

  3. Quality assurance uses a variety of administrative, analytical, and technical methods and techniques to enhance the excellence and reliability of products and services. The IRS approach to quality assurance addresses an entire range of activities described for each functional program and/or a variety of systematic activities designed to identify and prevent defective or ineffective processes to verify that processes are acceptable and perform as intended.

  4. Recently, a number of factors have exerted a significant influence on quality assurance programs in the Federal Government such as:

    1. Advances in technology

    2. More sophisticated and complex products and services, such as new software

    3. Greater concern for reliability, user satisfaction, and security

    4. More emphasis on economy, timely delivery, and the cost of quality

    5. More stringent quality and reliability requirements

    6. More involvement of quality assurance early in the process or in the development phase

  5. Quality assurance reviews give the IRS added assurance that the organization is adhering to internal control and management guidance, standards, regulations, and legislation through a formal objective assessment process. Quality assurance reviews assess and document internal control activities over financial reporting such as:

    1. Annual financial statements

    2. Other significant internal or external financial reports

    3. Compliance with laws and regulations that pertain to those financial reports

Authorities

  1. Federal Managers' Financial Integrity Act (FMFIA) of 1982. The FMFIA requires Federal agency managers to establish internal accounting and administrative controls according to the standards issued by the Government Accountability Office (GAO).

    1. Background: The FMFIA is a response to continuing disclosures of waste, loss, unauthorized use, and misappropriation of funds or assets associated with weak internal control and accounting systems. It establishes requirements regarding management accountability and controls. This law encompasses program, operational, and administrative areas as well as accounting and financial management. The Act requires agency heads to submit an annual statement of assurance to the President and Congress on the adequacy of internal control and actions taken to correct identified weaknesses. Each annual statement must also include a report on whether the agency's accounting system conforms to the principles, standards, and other related FMFIA requirements.

    2. GAO Internal Control Standards Background: Also required by the FMFIA, GAO publishes the Standards of Internal Control in the Federal Government. These standards provide the overall framework for establishing and maintaining internal control. The standards also identify and address major performance and management challenges, as well as areas at greatest risk of fraud, waste, abuse, and mismanagement. Internal control is an integral component of an organization's management and helps government program managers achieve desired results through the effective stewardship of public resources. See GAO Green Book GAO-13-830SP

  2. OMB Circular A-123, Management’s Responsibility for Internal Control. The Circular provides guidance for Federal managers on improving the accountability and effectiveness of programs and operations. OMB issues implementation guidance in Circular A-123, Management's Responsibility for Internal Control, which provides guidance for Federal managers on improving the accountability and effectiveness of programs and operations by establishing, assessing, correcting, and reporting on management controls.

    1. Background: Under the FMFIA provisions, OMB and GAO issue internal accounting and administrative control evaluation guidelines for agencies to determine their systems’ compliance.

    2. Additional FMFIA policy is issued in OMB Circular A-123, Appendix D, Compliance with the Federal Financial Management Improvement Act of 1996, to govern agencies’ financial management systems. Financial management systems must be in place to process and record financial events effectively and efficiently and provide complete, timely, reliable, and consistent information for decision makers and the public. In support of these objectives, each agency must establish and maintain a single integrated financial management system that complies with internal control standards, among other requirements, as defined in OMB Circular A–123 and successor documents. See OMB Circular A-123, Appendix D.

  3. OMB Circular A-123 defines management controls as the organization’s policies and procedures used to reasonably assure that:

    1. Programs achieve their intended results

    2. Resources are used consistent with the agency mission

    3. Laws and regulations are followed

    4. Programs and resources are protected from waste, fraud, and mismanagement

    5. Reliable and timely information is used for decision making


  4. As Federal managers develop and implement strategies for re-engineering agencies’ programs and operations, they should design management structures that help account for results and include appropriate, cost-effective controls.

Definitions

  1. Annual Self-Assessment – is a manager's review of the effectiveness of controls within his/her area of responsibility and the documentation of that review through written and signed certifications. The involvement of each level of management in certifying the control environment within his/her sphere of operations assists in identifying risks at all levels. All managers and executives should complete the Self-Assessment Tool for Managers.

  2. Continuous Monitoring – is the process and technology used to detect compliance and risk issues associated with an agency’s financial and operational activities.

  3. Federal Managers' Financial Integrity Act (FMFIA) – is an act which requires each executive agency to establish internal accounting and administrative controls according to standards issued by the Government Accountability Office (GAO) Comptroller General. These controls provide reasonable assurance that:

    1. Obligations and costs are in compliance with applicable law

    2. Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation

    3. Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts, reliable financial and statistical reports, and to maintain accountability over assets

  4. Financial Audit: IRS's Fiscal Year Financial Statements (The Blue Book) – GAO annually audits the IRS financial statements to determine whether the financial statements are fairly presented and IRS management maintained effective internal control over financial reporting. GAO also tests IRS compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements.

  5. Government Auditing Standards (The Yellow Book) – provides guidance for conducting high quality audits with competence, integrity, objectivity, and independence. The GAO Yellow Book is used by auditors of government entities that receive government awards, and other audit organizations performing Yellow Book audits.

  6. Internal Control – is an integral component of an organization’s management that provides reasonable assurance that the following objectives are being achieved:

    1. Effectiveness and efficiency of operations

    2. Reliability of financial reporting

    3. Compliance with applicable laws and regulations

  7. Methodology – is a documented process for applying standards when assessing, documenting, and reporting on internal control over financial reporting.

  8. OMB Circular A-123, Management's Responsibility for Internal Control – provides guidance to agencies and individual Federal managers on taking systematic and proactive measures to:

    1. Develop and implement appropriate, cost-effective internal control for results-oriented management

    2. Assess the adequacy of internal control in Federal programs and operations

    3. Assess and document internal control over financial reporting

    4. Identify needed improvements and take corresponding corrective action

    5. Report annually on internal control through management assurance statements

  9. Operating/Functional Divisions – are the IRS areas organized around customers with similar needs. The scope of IRS operations includes collection of individual and corporate taxes, examination of returns, taxpayer assistance, and tax-exempt organizations.

  10. Opportunity for Improvement (OFI) – is a finding or recommendation by the A-123 internal control test team which identifies situations in which controls are working but could be strengthened through corrective actions or process improvements.

  11. Quality Assurance (QA) – is a planned, systematic approach designed to provide confidence that programs, processes, products and services will conform to established requirements throughout their life cycle.

  12. Risk - is an event that may occur and affect the achievement of a business objective.

  13. Risk Assessment – is a process to allow an entity to consider the extent to which potential events have an impact on the achievement of objectives.

  14. Sampling Plan – is an outline detailing the criteria for sample selection (population size, frequency of control, risk, etc.) from a population or universe.

  15. Standards for Internal Control in the Federal Government (Green Book) – are GAO standards that provide management criteria for designing, implementing, and operating an internal control system and reinforce management’s accountability for internal control as required by the FMFIA.

  16. Statement of Assurance – is a managerial certification that represents an informed judgment as to the overall adequacy and effectiveness of internal control. The manager will provide one of the following:

    1. An unqualified statement of assurance that an effective and efficient system of internal control exists

    2. A qualified statement of assurance that an overall sound system of internal control exists but one or more material weaknesses have been identified

    3. No assurance on the system of internal control

  17. Structured Management Review (SMR) – is a review of documented continuous monitoring activities including quality assurance reviews or other independent internal reviews put in place to cover many IRS internal control activities during the normal course of operations.

  18. Tactical Review Assessment Plan (TRAP) – is the overarching review plan for selected quality assurance reviews that will occur during a fiscal year. The TRAP includes standard operating procedures for the selection criteria, risk assessment, and rotation schedule.

  19. Work papers - are the records and documentation related to a management review, program evaluation, and quality assurance review.

Acronyms

  1. This IRM contains the following acronyms and meanings:

    Acronym Meaning
    AFR Agency Financial Report
    CFO Chief Financial Officer
    CPIC Corporate Planning and Internal Control
    ELMS Enterprise Learning Management System
    FISMA Federal Information Security Management Act
    FMFIA Federal Managers’ Financial Integrity Act
    FOD Functional Operating Division
    FY Fiscal Year
    GAO Government Accountability Office
    GPRAMA Government Performance and Results Act Modernization Act
    IFS Integrated Financial System
    IPERA Improper Payments Elimination and Recovery Act
    MC ESC Management Controls Executive Steering Committee
    NTA National Taxpayer Advocate
    OCS Office Communications Server
    OMB Office of Management and Budget
    PII Personally Identifiable Information
    RRACS Redesign Revenue and Accounting System
    SET Senior Executive Team
    SBU Sensitive But Unclassified
    SMR Structured Management Review
    SOI Statistics of Income
    TDCFO Treasury Deputy Chief Financial Officer
    TIGTA Treasury Inspector General for Tax Administration
    TRAP Tactical Review Assessment Plan
    UWR Unified Work Request

Roles and Responsibilities

  1. The IRS Quality Assurance Program requires the cooperation and assistance of many IRS organizations including:

    1. IRS Operating/Functional Divisions: Identify, develop, and implement appropriate quality assurance reviews based on strategic and performance goals; complete the annual GAO Internal Control Questionnaire and FMFIA Managers' Self-Assessment; submit the Quality Assurance Questionnaire; and assist in the Quality Assurance Program reviews

    2. Enterprise Risk Management Program Office: Supports the identification, assessment, and mitigation of risks, and provides senior management the information necessary to make sound decisions

    3. Chief Financial Office: Provides overall program direction for the IRS Quality Assurance Program including developing and implementing policy, training, and reports to executive leadership

    4. Statistics of Income (SOI): Identifies random review selection criteria for the Quality Assurance Program reviews

Operating and Functional Divisions Program Roles and Responsibilities

  1. The operating/functional divisions are responsible for implementing quality assurance programs. The goal is to create independent quality assurance processes complimentary to, but separate from, the CFO Quality Assurance Program, including:

    1. Identifying and developing quality assurance reviews for their organizations to meet internal control objectives

    2. Identifying the executives responsible for internal control in their operating/functional divisions

    3. Identifying Quality Assurance Program review volunteers for their organizations to participate as reviewers in the IRS quality assurance reviews led by the CFO

    4. Advising all executives and managers of internal control and quality assurance review requirements

    5. Interpreting internal control and quality assurance policy and providing general technical guidance and direction to executives and managers

    6. Providing input to the CFO on needed updates to IRM guidance on quality assurance reviews

    7. Developing and presenting appropriate quality assurance training for their organizations

    8. Coordinating the FMFIA managers' annual self-certifications and reporting activities

    9. Tracking and addressing open GAO/TIGTA audit findings and recommendations

CFO Program Roles and Responsibilities

  1. The CFO develops financial management policy and procedures, performs A-123 testing and program evaluations as part of the IRS clean audit approach.

  2. The CFO provides audit-focused training, business-practice development, and audit policy and oversight.

  3. The CFO Quality Assurance Program oversight functions include:

    1. Establishing and documenting the Quality Assurance Program framework and related components

    2. Developing the Quality Assurance Program project timeline and plan, which identifies yearly tasks, new projects, due dates, and points of contact to conduct the continuous Quality Assurance Program reviews

    3. Updating the Tactical Review Assessment Plan (TRAP)

    4. Collaborating with operating/functional divisions to identify best practices and program improvements

    5. Providing Quality Assurance Program liaisons with procedures for conducting the annual quality assurance reviews

    6. Developing and maintaining Electronic Learning Management System (ELMS) training courses for the IRS Quality Assurance Program

    7. Maintaining a website with references for training, new program policy, frequently asked questions, and program updates

    8. Updating IRM guidance on the IRS Quality Assurance Program (See the Quality Assurance section on the CFO CPIC website)

    9. Maintaining records retention of work papers associated with the annual quality assurance reviews

    10. Tracking the status of open review findings and recommendations

  4. The CFO issues the quality assurance call memorandum and the annual assurance call memorandum to operating/functional divisions related to the quality assurance process review.

  5. Quality assurance call memorandum - announces the quality assurance reviews for the fiscal year cycle and requests support from each operating/functional division to assist in conducting quality assurance reviews by:

    1. Identifying an executive responsible for internal control for each operating/functional division. This designee will be notified of issues that arise during the quality assurance review and receive the completed review results

    2. Designating staff to assist in the quality assurance process. These reviewers will receive training and conduct the selected review(s) for each selected operating/functional division

  6. The Annual assurance call memorandum - guidance issued to the Deputy Commissioners, Division Commissioners, Chiefs, Directors, National Taxpayer Advocate, the Chief Risk Officer, and Chief Counsel on the annual self-assessment of internal control, on preparing the annual assurance memorandum, and identifying quality assurance reviews for their organizations.

    1. Attachment 1 - Annual Assurance Review Process- requests operating/functional divisions to consider the results from Management, Program, and Quality Assurance reviews as support for the annual certification. These are the managers' annual self-assessments to determine the effectiveness of controls within their area of responsibility and include the preparation of individual written certifications to support the overall operating/functional division’s certification. See IRM 1.4.2.11, Annual Assurance Review Process

    2. Attachment 2 - Identification of IRS Quality Assurance Reviews and Initiatives- requests operating/functional divisions to identify and submit management, operational, and quality assurance review questionnaires to the CFO. Operating/functional divisions are asked to identify and submit all reviews, even ones previously submitted, given the organizational realignments and Concept of Operations (CONOPS) initiatives. Examples of existing reviews conducted throughout the IRS are provided as a reference. See IRM 1.4.2.14, Identification of Quality Assurance Reviews and Initiatives

    3. Attachment 2 notifies operating/functional divisions that their management reviews, program evaluations, and quality assurance reviews may be selected for further review

    4. Attachment 2 requests that operating/functional divisions submit new quality assurance reviews that were not previously submitted. This includes identifying all quality assurance reviews that test or review work quality, measure quality of data, identify trends, problem areas, and improvements to program effectiveness in light of applicable directives, standards, and procedures. These reviews include work process, program, or operation management reviews as well as operational reviews and site visits.

      Note:

      To aid in planning for future Quality Assurance Program reviews, operating/functional divisions are encouraged to provide senior leaders’ suggestions on quality assurance reviews that merit consideration for additional review. Input by operating/functional divisions is important and will help in designing a quality assurance review plan to best address issues that are important within the IRS.

      Note:

      Every manager (e.g., unit, group, section, office) must complete an FMFIA Managers’ Assessment. However, every manager may not have management reviews, program evaluations, or quality assurance reviews, and may not be required to submit quality assurance review questionnaires.

  7. The CFO compiles the operating/functional division annual assurance questionnaire results into an inventory of IRS internal control activities. The operating/functional division questionnaires are used to update the quality assurance catalogue with the number of IRS quality assurance reviews. The CFO documents the specified number of reviews selected for the current fiscal year based on review selection criteria. See IRM 1.4.31.8.2, Review Selection Criteria. The catalog of quality assurance reviews is maintained by the CFO and stored on the CPIC website. The website is updated as needed with references and other materials. (See the Assurance Call Memo)

  8. The CFO Corporate Planning and Internal Control unit (CFO-CPIC) is responsible for providing the quality assurance review executive updates to the Management Controls Executive Steering Committee (MC ESC).

Statistics of Income (SOI)

  1. Statistics of Income (SOI) completes quality measurement programs and performs research and other statistical functions to meet IRS requirements. The SOI major responsibilities include:

    1. Compiling information from tax returns sampled from those filed at Submission Processing Centers

    2. Conducting IRS studies on the operations of tax laws for all types of filing entities

    3. Providing information used by various Federal and State agencies, corporations, educational and research organizations, foreign governments, and international organizations in decision-making activities

    4. Making data available to the general public in the form of publications and electronic databases

  2. SOI assists in the Quality Assurance Program reviews by:

    1. Determining the review sample size, when requested

    2. Developing and maintaining procedures for random review selection

    3. Working with the CFO to gather all information necessary to implement the sample selection procedures

    4. Selecting a random sample of reviews

IRS Quality Assurance Program Framework

  1. The IRS Quality Assurance Program goal is to support the annual assurance statement signed by the Commissioner and submitted to the Department of the Treasury as required by the FMFIA.

  2. The IRS annual assurance statement is supported by the:

    1. FMFIA Managers’ Assessment

    2. A-123 internal control testing results

    3. Material weakness remediation plan (as necessary)

    4. Quality assurance reviews

  3. The table below describes the elements that support the annual assurance statement.
    The first column identifies the name of the element and the second column provides a description of the element.

    Element Description
    FMFIA Managers’ Assessment Compilation of self-certifications signed and dated by IRS managers on or around July 31st and submitted to the CFO. These certifications assess the effectiveness of internal control and identify any potential risks.
    A-123 Internal Control Testing Results The Department of the Treasury's methodology supporting the assessment of internal control over financial reporting is centered on the documentation, testing, and assessment of internal control at the transaction level applied on a day-to-day basis. The methodology also includes factors surrounding the operational environment of internal control, including the financial reporting compilation and preparation process, an assessment of the control environment, compliance with governing laws and regulations, and information and actions derived from audit report findings and recommendations.
    The Core Financial Processes represent the day-to-day actions taken to identify, collect, review, record, analyze, and summarize financial activity for reporting across all bureaus and offices. The Core Financial Processes are:
    • Budget & Finance

    • Accounting

    • Purchasing

    • Accounts Payable & Payments

    • Sales, Accounts Receivable, & Collections

    • Manage Assets & Liabilities

    • Reporting & Information

    • Information Technology


    Internal control testing occurs as of June 30th (interim) and September 30th (4th Quarter):
    • Over 20 transaction processes are identified by the Department of the as being material to its Consolidated Financial Statements.

    • The tests include 14 administrative processes related to the annual appropriation, six information system processes, and three custodial processes for tax revenue receipts through September 30th.

    • The transactions included additional testing for custodial activity related to tax refunds and cash reconciliation.

    • The testing indicates whether internal control was primarily in place and operating effectively with no new material weaknesses found in the design or operation of the internal control.

    Material Weakness Remediation plan (as necessary) A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.
    The IRS monitors material weaknesses and prepares corresponding corrective action plans.
    Quality Assurance Reviews Within the Quality Assurance Program framework is a review of selected management reviews, program evaluations, and quality assurance reviews performed by the operating/functional divisions to meet performance and internal control goals and objectives.
  4. The IRS Quality Assurance Program catalogs the body of work performed by the operating/functional divisions designed to support internal control objectives and continuously improve programs. The Quality Assurance Program may also be viewed as the framework document under which individual projects are conducted and reviewed. The Quality Assurance Program consists of the following components:

    1. Executive oversight

    2. Manager’s assertions

    3. Quality assurance reviews

    4. Policy and guidance

    5. Assurance statement

    Figure 1.4.31-1

    This is an Image: 66821001.gif

    Please click here for the text description of the image.

Executive Oversight

  1. The Quality Assurance Program executive oversight component fulfills a critical management and integration function for financial and management controls. The MC ESC is an advisory committee to the Commissioner and Deputy Commissioners who have overall responsibility for determining that the IRS has an effective internal control program in place.

  2. The MC ESC is comprised of operating/functional division senior executives and provides a top leadership perspective to address important cross-functional issues. See IRM 1.4.2.7, Management Controls Executive Steering Committee (MC ESC).

Managerial Assertions

  1. The Quality Assurance Program managerial assertions component leverages existing internal control questionnaires, surveys, and certification instruments to reduce managerial burden. These instruments include:

    1. A-123 Internal Control Evaluation Checklist/ Government Accountability Office (GAO) Internal Control Management and Evaluation Tool (Abbreviated). This is a checklist based on GAO's Standards for Internal Control in the Federal Government, which was issued to assist agencies in maintaining or implementing effective internal control and to help determine what, where, and how improvements can be implemented. The checklist provides a systematic, organized, and structured approach to assessing the internal control structure. The five sections of the checklist correspond to the five standards for internal control (control environment, risk assessment, control activities, information and communications, and monitoring). Each section contains a list of major factors to be considered when reviewing internal control as it relates to the particular standard. These factors represent some of the more important issues addressed by the standard. Included under each factor are points and subsidiary points that users should consider when addressing the factor. The points and subsidiary points are intended to help IRS managers consider specific items that indicate the degree to which internal control is functioning based on an informed judgment. The GAO Checklist is reviewed annually and has been updated with specific Quality Assurance Program related questions in the Monitoring section. See IRM 1.4.31.9, Federal Management Integrity Criteria for Quality Assurance Reviews.

    2. FMFIA Manager’s Assessment. This is a questionnaire used to conduct a self-assessment of administrative controls in a manager's work area based on the five sections of the GAO standards for internal control (control environment, risk assessment, control activities, information and communications, and monitoring). IRS managers conduct a self-assessment of internal control and report to the CFO on their status every year through the Annual Assurance Review Process. The compilation of the managers' certifications is the basis for the Commissioner’s annual assurance statement required by the FMFIA. See IRM 1.4.2.11 , Annual Assurance Review Process. The FMFIA Manager's Assessment has been updated with specific Quality Assurance Program related questions in the Monitoring section.

Quality Assurance Reviews

  1. The quality assurance review component of the Quality Assurance Program validates the operating/functional divisions' assessments of the effectiveness of IRS operational and internal control from:

    1. Management and operational reviews

    2. Program evaluations

    3. Quality assurance reviews

  2. The quality assurance reviews include selected samples of:

    1. Quality assurance reviews conducted throughout the IRS to carry out its critical mission and functions

    2. FMFIA managers' self-certification results

    3. A-123 Internal Control Evaluation Checklist results

  3. The quality assurance reviews are completed annually by operating/functional division volunteers. See IRM 1.4.31.8.4, Review Team Selection and Training.

  4. The quality assurance review findings and recommendations are documented and presented to:

    1. The operating/functional division quality assurance point of contact

    2. The program executive responsible for the area

    3. The MC ESC

    Note:

    See IRM 1.4.31.8, Quality Assurance Program Review Process and Procedures.

  5. Work papers and review documentation are electronically stored on the CPIC shared drive. See IRM 1.4.31.8.6., Review Documentation.

Policy and Guidance

  1. The policy and guidance component of the Quality Assurance Program addresses the CFO responsibilities for guidance including:

    1. Standard operating procedures for the Quality Assurance Program sample selection, risk assessment, and rotation schedule

    2. Catalog of quality assurance reviews

    3. Review team and Electronic Learning System (ELMS) training

    4. Checklists and program documentation including memoranda, findings, and recommendations

    5. Reference material and website maintenance

    6. Retention and storage

  2. The CFO-CPIC unit is also responsible for a variety of activities including:

    1. Developing and administering guidance to comply with FMFIA and OMB Circular A-123

    2. Implementing FMFIA and OMB Circular A-123 at appropriate organizational levels

    3. Providing annual management integrity/A-123 guidance

    4. Planning, developing, and implementing policies for validating IRS compliance with FMFIA

    5. Providing supplemental guidance and training materials as needed to support senior managers in interpreting and applying oversight agency guidance

    6. Developing and implementing a strategy for validating IRS-wide compliance with FMFIA

    7. Developing the form and content of the annual statement of assurance on management control based on recommendations and annual assurance letters from senior managers/senior assessment team

    8. Maintaining technical expertise in the field of internal control

    9. Providing technical assistance to program managers and staff

Assurance Statement

  1. The assurance statement is a certification included in the annual Agency Financial Report (AFR) that represents the Commissioner's informed judgment as to the overall adequacy and effectiveness of internal control. The Commissioner will provide one of the following:

    1. An unqualified statement of assurance that an effective and efficient system of internal control exists

    2. A statement of no assurance on the system of internal control

    3. A qualified statement of assurance that an overall sound system of internal control exists but one or more material weaknesses have been identified

  2. The CFO takes the following steps in the assurance process:

    1. Requests that the operating/functional divisions complete and return the Internal Control Evaluation Checklist during the months of January and February. The Internal Control Evaluation Checklist is an abbreviated version of GAO’s full Internal Control Management and Evaluation Tool that IRS managers use to evaluate their internal control.

    2. Issues annual guidance (May-June) to program and regional offices on complying with FMFIA, which includes a requirement to complete the checklist and retain a copy as supporting documentation. The CFO’s guidance also includes a reporting template with specific instructions for completing each section of the assurance letters, which combined provide the basis for the IRS annual assurance statement to the Department of the Treasury.

    3. Shares the proposed IRS assurance statement with the MC ESC prior to submission to the Department of the Treasury with copies to the Treasury Inspector General for Tax Administration (TIGTA) and GAO, when final. See IRM 1.4.2, Monitoring and Improving Internal Control

Quality Assurance Program Review Process and Procedures

  1. In FY 2012, the IRS Annual Assurance Process was expanded to identify key management reviews, program evaluations, and quality assurance reviews conducted by the operating/functional divisions to assess the effectiveness of IRS operational controls. See IRM 1.4.2.14, Identification of Quality Assurance Reviews and Initiatives.

  2. The Quality Assurance Program is essentially a review of selected management reviews, program evaluations, and operational reviews completed by the operating/functional divisions.

Review Timing

  1. The Quality Assurance Program reviews are timed to support the annual submission of the IRS assurance statement to the Department of the Treasury, generally as of September 30th.

  2. Completing quality assurance reviews for operating/functional divisions products, processes, and procedures is considered a continuous monitoring activity.

    Note:

    Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational activities. The financial and operational environment consists of the people, processes, and systems working to support efficient and effective operations. Controls are put in place to address risks within these components. Continuous monitoring actively identifies, quantifies, and reports control failures such as duplicate vendor records, duplicate payments, and transactions that fall outside of approved parameters. It highlights opportunities to improve operational processes. See IRM 1.4.3.18, Continuous Monitoring.

Review Selection Criteria

  1. The selection of the number of quality assurance, management, and operational reviews for each fiscal year to support the annual assurance statement is based on a combination of the following:

    1. MC ESC identification of high priority/high risk areas

    2. Random selection by SOI

    3. CFO risk and ranking criteria including oversight agency guidance (Department of the Treasury and GAO) and risks (identified by the Enterprise Risk Management and the National Taxpayer Advocate programs, A-123 internal control testing, and audit findings/recommendations)

  2. Department of the Treasury Guidance (issued annually):

    1. Presents the background for OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A

    2. Describes the updated methodology for the fiscal year assessment plan describing the overall approach for the documentation, testing, and assessment of internal control over financial reporting

    3. Provides definitions and assessment parameters defining key factors of the plan, presents the implementation of the testing plan, and describes the actions to be taken to execute the methodology

    4. Provides summary information on the Department of the Treasury annual assurance statement guidance; which is distributed by the Office of the Treasury Deputy Chief Financial Officer (TDCFO) in July

    5. Presents the fiscal year timeline displaying the guidance critical dates

  3. Enterprise Risk Management: Provides the program portfolio view of enterprise risks that are most critical to all layers of management, up to and including the Commissioner's Office, across IRS operations and critical initiatives.

  4. National Taxpayer Advocate (NTA) Annual Report to Congress: Identifies IRS Challenges/Risks.

  5. CPIC A-123 Risk Assessment (updated annually): Presents the A-123 rotation schedule for testing determined by the following Department of the Treasury requirements:

    1. Risk level has been identified by the known susceptibility to errors, existence of manual versus automated processes, as well as the total dollar balances of the financial statement line items associated with the process

    2. Transactions deemed to be high risk and associated with processes that contribute at least 10 percent to the Department of the Treasury financial statement line item balances are tested annually

    3. Transactions that are rotated every three years are those transactions that have not had a documented history of vulnerabilities or errors and are associated with processes that contribute less than 10 percent to the balance of the Department of the Treasury financial statement line items

  6. Material Weaknesses: Identify areas for improvement and include open items from remediation and action plans.

  7. Audit Findings: Identify open GAO financial reporting audit recommendations and TIGTA reports.

  8. Green Book and Yellow Book: Provide GAO's Standards for Internal Control in the Federal Government (Green Book) and Government Auditing Standards (The Yellow Book).

  9. The CFO selection criteria and justification are documented and maintained on the CPIC shared drive for reference.

  10. The CFO will assess the operating/functional divisions' quality assurance review questionnaire submissions to:

    1. Identify gaps where operating/functional divisions may need to develop managerial reviews

    2. Determine whether duplicate reviews exist that can be eliminated, combined, or leveraged in some other way

    3. Categorize the reviews by risk and ranking

  11. The CFO will review and update the Tactical Review Assessment Plan (TRAP), Quality Assurance Program timeline, and standard operating procedures. The TRAP is the overarching review plan that will cover a segment of the quality assurance reviews that take place throughout the IRS including:

    1. Selected review rotation (number of reviews)

    2. Risk assessment designations (high, medium, and low)

    3. Hierarchy of reviews

  12. The CFO will develop a detailed quality assurance review schedule to appropriately select the timing of the reviews and obtain sufficient resources to complete the reviews.

  13. The CFO will monitor the schedule and inform the MC ESC of any review delays, emerging trends and impending issues.

Quality Assurance Review Checklist

  1. The quality assurance review checklist is used by the review team to document review results. Checklist questions help to determine how the selected operating/functional division review supports the IRS internal control over financial reporting. Space is allotted in a separate checklist area to provide explanatory comments for questions in each section.

    Note:

    The checklist will be reviewed annually and questions will be updated or expanded as needed.

  2. The quality assurance review checklist contains four sections:

    1. Introduction - addresses the who, what, when, where, and why of the operating/functional division quality assurance review

    2. Review Scope - addresses the specific review team and dates of the review

    3. Control Review - addresses more specific aspects of the operating/functional division quality assurance review

    4. Results/Findings - documents findings and recommendations regarding the operating/functional division quality assurance review

  3. The quality assurance checklist "Introduction " section includes:

    1. Program/project name

    2. Purpose, goals, and objectives

    3. Name of operating/functional division

    4. Office symbols

    5. Name of responsible analyst/specialist

    6. Telephone number

    7. Responsible official

  4. The quality assurance review checklist "Review Scope" section includes:

    1. Designated reviewer(s)

    2. Start date

    3. Completion date

    4. Area reviewed

    5. Time period covered by the review

  5. The quality assurance review checklist "Control Review" section includes the following questions:

    1. What is the frequency of the review?

      Example:

      Quarterly, annually, or by the 15th workday following the close of the review period, etc.

    2. What are the applicable IRM references, standard operating procedures, and/or required authoritative directives?

    3. Were documented processes/procedures used to complete the review?

    4. Have any risk factors been identified?

      Example:

      Identified in TIGTA, GAO, A-123 audits and/or other reports

    5. Will the risk factors be analyzed to determine their potential impact?

    6. Have the review results been identified and documented?

    7. Will a report be published with the results of the review?

    8. Have tolerance thresholds been established, documented, and communicated?

    9. Has the team established a repository for all program/project documentation?

    10. Is the quality assurance team separate and distinct from the preparers/process owners?

    11. Does the quality assurance team have access to, or the ability to adjust, live data?

    12. Does the system/process support accounting information recorded in the financial systems?

      Note:

      The administrative system is the Integrated Financial System (IFS). The custodial system is the Redesign Revenue and Accounting System (RRACS).


      Example:

      Does the system/process feed data as a subsidiary system?

    13. Is this process audited by GAO, TIGTA, or CFO? If yes, does the quality assurance review address the GAO, TIGTA, or CFO audit findings/recommendations?

    14. Is this process related to or supportive of the annual audited financial statements?

    15. Is a report on the results of the review compiled and forwarded to senior management for evaluation and follow-up action?

      Note:

      Indicate whether the report is retained in a permanent file for examination by IRS external auditors such as GAO and TIGTA, and/or the A-123 Internal Control review team.

    16. Does a consolidated listing of identified control issues exist either internally or in collaboration with IT that indicates the status of actions?

      Example:

      Development of Unified Work Requests (UWRs) to address system-related control issues arising from the review.

    17. Is the latest manager's FMFIA assurance "Reasonable" or "Qualified?" If qualified, do the related quality assurance review results identify areas for improvement?

      Note:

      Reasonable assurance is an informed judgment by the head of an organization, based upon all available information, that the internal control in place adequately protects the resources and ensures mission completion. Reasonable assurance recognizes that the cost of controls should not exceed the benefits derived from them.
      Qualified assurance is an informed judgment by the head of an organization, based upon all available information, that the internal control in place may not be adequate to address the problems identified in the assurance memorandum. This opinion is based on the number of identified problems or the seriousness of the problems. (See IRM 1.4.2.11, Annual Assurance Review Process

      .)

    18. What was the organization's response in the GAO Abbreviated Internal Control Questionnaire?

  6. The quality assurance checklist "Results/Findings" section includes:

    1. Control effectiveness - determines whether the review controls are effective or ineffective

    2. Recommendations - identifies instances where the controls are working but could be strengthened (findings and recommendations require follow-up in a subsequent year)

    3. Corrective actions required - summarizes the corrective actions that will be taken if the control is ineffective

Review Team Selection and Training

  1. The Quality Assurance Program review process is supported by assistance from operating/functional division volunteers including:

    1. Assurance statement process liaisons

    2. Audit liaisons and the operating/functional division risk liaisons

    3. Embedded financial and other staffs

  2. The CFO will prepare and submit the quality assurance call memorandum to the Division Commissioners, Chiefs, Chief Counsel, Chief Risk Officer, and National Taxpayer Advocate requesting volunteers to assist in the quality assurance reviews. Senior Executive Team (SET) members are asked to identify the executive responsible for internal control in their operating/functional division and to designate staff to assist in the quality assurance process. Individuals designated for the review must be:

    1. A program manager, coordinator, or staff member familiar with either the FMFIA certification process, quality assurance reviews, internal control testing, risk assessment, or the assurance process

    2. Available to participate during the scheduled review dates

  3. The CFO convenes the quality assurance review team and assigns reviews. The size of the review team is based on the number of quality assurance reviews selected.

  4. The CFO schedules and conducts training for the quality assurance review team. Before attending training, team members should review:

    1. IRM 1.4.2, Monitoring and Improving Internal Control

    2. IRM 1.4.31, IRS Quality Assurance Program

    3. Samples of completed quality assurance checklists

  5. The training session topics include, but are not limited to:

    1. Overview of internal control

    2. Sample selection and the sampling approach

    3. Review team roles and responsibilities

    4. Communication protocol

    5. "How-to-Complete" instructions for review checklists and templates

    6. Definitions from IRM 1.4.2 and IRM 1.4.31

    7. Examples and findings from previous reviews

    8. Review logistics (virtual, on-site, or other electronic media)

Review Methodology

  1. The CFO determines the review period for the quality assurance reviews. While the reviews are part of internal control continuous monitoring, the review period covers a specific fiscal year to support the annual assurance statement.

  2. The quality assurance review validates aspects of the:

    1. Operating/functional divisions' management reviews, program evaluations, and internal quality assurance reviews

    2. Information contained in the quality assurance questionnaires submitted as part of the annual assurance process

    3. Selected FMFIA managerial assertions

    4. GAO Internal Control Management and Evaluation Checklist

    Note:

    The CFO will consider expanding key aspects of the operating/functional division review, and if needed, will review individual controls at a more detailed level to isolate risks and undertake a corrective action plan.

  3. The quality assurance review may be conducted virtually, through other electronic media, or on-site.

    1. Virtual reviews are held at the IRS headquarters building in Washington, DC. Selected review files must be provided via secure, encrypted methods to protect personally identifiable information (PII) and sensitive but unclassified (SBU) information. The review team examines documents to determine whether the review controls seem to be effective. Printed copies of electronic documents are destroyed after use, unless necessary to support findings.

    2. Other electronic media reviews are on-line reviews that may be conducted through the Office Communications Server (OCS), or other electronic media and the use of shared work spaces to make documentation available to multiple reviewers. OCS merges real-time communications (instant messaging, voice, video, application sharing) and near-time communications (e-mail, voice mail, fax) with presence information (indication of users real-time availability across locations and devices), and allows for effective communications across a number of communications channels for employees, regardless of their location.

    3. On-site reviews are held in a designated location for a selected area. These reviews generally last one week. A number of sites may be selected and there may be multiple locations for each selected site. Travel costs for on-site reviews are the responsibility of the operating/functional divisions.

  4. The CFO:

    1. Prepares the timeline and determines the review period and review schedule

    2. Assigns reviews to the review team members

    3. Provides templates for e-mails and contacting the selected operating/functional division

  5. The quality assurance review team notifies the operating/functional division review contact using the template and schedules the review date(s) during the review period.

    Example:

    If the quality assurance review period is February 1st to June 30th, a quality assurance review team may schedule its selected operating/functional review within review period (i.e., from February 1st to April 1st), as long as the review is completed by June 30th.

  6. Once notified that their quality assurance review(s) are selected, the operating/functional divisions are asked to provide the following information to the quality assurance review team:

    1. IRM references

    2. Standard operating procedures

    3. TIGTA or GAO audit findings/recommendations

    4. Identified risk factors

    5. Latest completed quality assurance review questionnaire

    6. Latest manager's FMFIA certification

    7. GAO Internal Control Management and Evaluation Checklist, if applicable

  7. The review team records findings on the quality assurance review checklist(s). One quality assurance checklist is used for each review. When a reviewer determines that there are multiple aspects contained within one review, the reviewer should complete a separate checklist for each review component.

    Example:

    An operational review contains multiple components (e.g., employee appraisals, courier service reviews, employee performance reviews, payment processing reviews, and physical/data security requirements). Each component of the review is separate and distinct from other components within the review. In this scenario, the reviewer(s) would prepare five separate checklists.

  8. The quality assurance review is considered an inspection-type control test.

    Note:

    An inspection control test examines the evidence of a given control, such as looking for signatures of a reviewing official or reviewing reconciliations and reports.

  9. The CFO quality assurance review team shares findings with the selected operating/functional division point of contact, next level manager, and the appropriate executive.

  10. The CFO examines all checklists prepared by the review team for completeness, especially noting whether review processes are subject to audit and internal control activities over financial reporting, and then:

    1. Summarizes the results for each operating/functional division

    2. Verifies storage of the quality assurance review work papers and related e-mail communications on the CPIC shared drive

    3. Provides notification to the responsible executive of each operating/functional division

    4. Reports overall results to the MC ESC

Review Documentation

  1. The operating/functional division quality assurance review is used as one of the bases for the annual assurance statement for internal control over financial reporting at the office, bureau, and department levels. The IRS assurance statement is supported by:

    1. FMFIA managers' assessments

    2. A-123 Internal Control Evaluation Checklist/GAO Internal Control Management and Evaluation Tool (Abbreviated)

    3. A-123 Internal Control Testing (Interim as of June 30th and 4th Quarter as of September 30th)

    4. Selected quality assurance reviews

  2. Based on the summary of quality assurance checklist results by selected operating/functional division, the CFO e-mails the quality assurance review findings to the operating/functional division:

    1. Point of contact

    2. Next level manager

    3. Appropriate executive

  3. The summary is intended to be used as a tool by the operating/functional divisions to discuss findings and develop or update guidance for their organization.

  4. The CFO verifies retention and storage of the quality assurance review work papers and related e-mail communications on the CPIC shared drive or other designated storage media/applications, including hard-copy folders. All review work papers are retained for a period of three years.

    Note:

    Review checklists containing findings and recommendations that are accepted by the operating/functional division, are retained indefinitely until the recommendations are implemented. After the findings and recommendations are addressed, the work papers are retained for three years.

  5. Review work papers represent all quality assurance materials, including, but not limited to:

    1. Training material

    2. Completed review checklists

    3. IRM extracts and/or references

    4. Operating/functional division’s standard operating procedures

    5. Review reports provided by the selected operating/functional division

    6. Copies of TIGTA or GAO audit findings/recommendations

    7. Latest manager's FMFIA certification

    8. E-mail correspondence

    9. GAO Internal Control Management and Evaluation Checklist, if applicable

    10. Operating/functional division quality assurance questionnaire responses

    11. Reviewer notes, findings, and recommendations

Records Retention

  1. The CFO summarizes the results for each selected review organized by operating/functional division (usually using an electronic spreadsheet). The summary is completed usually within two weeks after the quality assurance review period ends and is stored on the CPIC shared drive or other designated location.

  2. The Quality Assurance Program review documentation is considered temporary records. These selected review records must be closed out at the end of the fiscal year and destroyed three years after closure as follows:

    • E-mail communications including selected review notifications

    • Review documentation, checklists and work papers

    • Review findings and recommendations

    • Operating/functional division Quality Review Questionnaires

    Note:

    The retention requirement applies only to CFO. Operating/functional divisions should refer to IRM 1.15.2, Records and Information Management, Types of Records and Their Life Cycles, for retention guidance.

Federal Management Integrity Criteria for Quality Assurance Reviews

  1. The FMFIA requires Federal agency managers to establish internal accounting and administrative controls according to GAO standards.

  2. The FMFIA requires Federal agency managers to annually:

    1. Evaluate and report on the effectiveness of internal control and financial accounting systems in accordance with Sections 2 and 4 of FMFIA, respectively

    2. Evaluate, in accordance with OMB guidelines, whether their agency’s internal controls comply with GAO’s standards

    3. Issue a statement of assurance and indicate full compliance or non-compliance

  3. OMB Circular A-123 describes Federal managers’ responsibilities for internal control, stating that management is responsible for establishing and maintaining internal control to achieve the objectives of:

    1. Effective and efficient operations

    2. Reliable financial reporting

    3. Compliance with applicable laws and regulations

  4. Appendix A of Circular A-123 requires Federal agencies to separately assess effectiveness of internal control over financial reporting. The Circular also states that "Management shall consistently apply the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness." OMB Circular A-123 provides guidance to Federal managers on meeting FMFIA requirements.

  5. OMB Circular A-123:

    1. States that "Internal control guarantees neither the success of agency programs, nor the absence of waste, fraud, and mismanagement, but is a means of managing the risk associated with Federal programs and operations." By including "programs and operations," OMB emphasizes goals set by the organization, risks agencies face in meeting those goals, whether agencies have identified and assessed risks, and whether agencies have taken steps to manage those risks

    2. Requires Federal managers to take systematic and proactive measures to develop and implement appropriate internal control for results-oriented management

    3. Describes the requirements of FMFIA as "an umbrella under which other reviews, evaluations, and audits should be coordinated and considered to support management’s assertion about the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations"

      Note:

      "Other reviews" that FMFIA reporting should coordinate and consider include activities under the Government Performance and Results Act Modernization Act (GPRAMA), such as developing strategic plans, setting performance goals and measures, and reporting annually on actual performance results compared to goals.

  6. The FMFIA and OMB requirements support an overall internal control framework as illustrated below:

    Figure 1.4.31-2

    This is an Image: 66821002.gif

    Please click here for the text description of the image.

  7. As required by FMFIA, GAO established the "Standards for Internal Control in the Federal Government" listed in OMB Circular A-123. The standards provide the overall framework for establishing and maintaining internal control, and for identifying and addressing performance and management challenges and areas at greatest risk of fraud, waste, abuse, and mismanagement.

  8. The standards comprise a major part of managing an organization, including plans, methods, and procedures used to meet missions, goals, and objectives and, in doing so, support performance-based management.
    The three-column table below describes GAO's standards for internal control in the Federal Government. The first column identifies the standard number, the second column lists the standard, and the third column describes the standard.

    GAO’s Standards for Internal Control in the Federal Government
    No. Standard Standard Description
    1. Control Environment This standard establishes and maintains an environment throughout the organization that sets a positive and supporting attitude toward internal control and conscientious management. This includes establishing goals, objectives, and performance measures at the entity-wide and activity levels.
    2. Risk Assessment Once the goals, objectives, and measures have been defined, the risks that could impede the efficient and effective achievement of those objectives are identified. This includes an assessment of the risks the agency faces from both internal and external sources. Risk assessment includes identifying and analyzing relevant risks associated with achieving objectives, such as those defined in strategic and annual performance plans developed under GPRAMA, and form a basis for determining how to manage risks. Management needs to comprehensively identify risks and should consider all significant interactions between the entity and other parties as well as internal factors at both the entity-wide and activity levels.
    3. Control Activities These are the policies, procedures, techniques, and mechanisms that implement management’s direction toward achievement of goals. Internal control activities help verify that management’s directives are carried out.
    4. Information and Communications This standard includes data and information (performance and financial) to determine whether the organization is meeting its goals and objectives and maintaining accountability over resources.
    5. Monitoring Internal control monitoring should assess the quality of performance over time and ensure that findings of audits and other reviews are promptly resolved.
    Source: OIG summary of GAO’s Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (November 1999).
  9. The IRS quality assurance program complies with OMB Circular A-123, Management’s Responsibility for Internal Control, Appendix A: Internal Control over Financial Reporting issued under the authority of the Federal Managers' Financial Integrity Act of 1982:

    1. Purpose. OMB Circular A-123 provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on internal control. This Circular defines management’s responsibilities related to internal control and the process for assessing internal control effectiveness along with a summary of the significant changes. The Circular also provides updated internal control standards and new specific requirements for conducting management’s assessment of the effectiveness of internal control over financial reporting (Appendix A). This Circular emphasizes the need for integrated and coordinated internal control assessments that synchronize all internal control-related activities.

    2. Policy. Management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Management shall consistently apply the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness. When assessing the effectiveness of internal control over financial reporting and compliance with financial-related laws and regulations, management must follow the assessment process contained in Appendix A. Annually, management must provide assurances on internal control in its Agency Financial Report, including a separate assurance on internal control over financial reporting, along with a report on identified material weaknesses and corrective actions.

    3. Actions Required. Agencies and individual Federal managers must take systematic and proactive measures to (i) develop and implement appropriate, cost-effective internal control for results-oriented management; (ii) assess the adequacy of internal control in Federal programs and operations; (iii) separately assess and document internal control over financial reporting consistent with the process defined in Appendix A; (iv) identify needed improvements; (v) take corresponding corrective action; and (vi) report annually on internal control through management assurance statements.

  10. According to the OMB Circular A-123 Implementation Guide:

    1. Federal agencies are subject to numerous legislative and regulatory requirements that promote and support an effective internal control framework. Similarly, numerous reviews are performed by management, or on management’s behalf, throughout the year in order to comply with various laws and regulations.

    2. Agencies should strive to integrate control-related activities within the control framework outlined in Circular A-123. In particular, management should identify opportunities to integrate and coordinate in order to leverage the internal reviews already being performed.

      Example:

      Internal reviews are required by the Federal Information Security Management Act of 2002 (FISMA) and the Improper Payments Elimination and Recovery Act (IPERA). Management should consider the results of these reviews to identify gaps between baseline control activities, the documentation, and the assessment process for financial reporting.

    3. The results of the work performed under these laws may also be used to support management’s assertion as to the effectiveness of the internal control. The desired approach would be to design the testing and assessment to accomplish all requirements in the most efficient manner.

Developing Quality Assurance Reviews

  1. The IRS quality assurance reviews examine management reviews, program evaluations, and quality assurance reviews developed by the operating/functional divisions. When the need for a new quality assurance review is determined by the operating/functional division, there are guidelines for what components should be included when developing the new review.

  2. Examples of existing IRS quality assurance review titles include:

    1. Operational Reviews

    2. Appeals Quality Measurement System

    3. Quality Analysis and System Review

    4. Manual Refund Reviews

    5. 100-Day Case Reviews

    6. Application Development Quality Assurance Audits

    7. Integrated Functional Test and Exercises Evaluation

    8. Interest Penalty Payment Review and Report

    9. Quality Assurance Internal Compliance Review

    10. Operational Review of Employment Tax Groups

    11. Tax Exempt Bonds Quality Review Program

  3. New operating/functional division reviews may be identified by:

    1. The operating/functional division

    2. The MC ESC

    3. TIGTA and GAO audit recommendations

    4. Newly enacted legislation (e.g., the Affordable Care Act)

    5. Threats and trends (e.g., cyber terrorism and identity theft)

    6. The IRS Quality Assurance Program

  4. The three basic principles for quality assurance reviews are:

    1. Final responsibility for quality rests with the organizations that design, develop, produce, maintain, store, and issue the product, process, or procedure. Quality assurance supports these activities by verifying that adequate quality provisions are planned, developed, and implemented.

    2. Quality cannot be "inspected" into the finished product, process, or procedure. Quality assurance focuses its activities on the identification, prevention, and correction of unsatisfactory conditions or elements which influence acceptability of the end product.

    3. Quality is defined in terms of specific requirements to be met. Such requirements must be effectively communicated to and understood by those organizations whose operations may, in any way, influence the quality of the product, process, or procedure in terms of its use, interchangeability, form, fit, function, or safety.

  5. Operating/functional divisions’ quality assurance reviews may use the following techniques:

    1. Inspection - requires a review examining the evidence of a given control (looking for signatures of a reviewing official or reviewing past reconciliations).

    2. Observation - requires watching actual controls in operation (observing a physical inventory or watching a reconciliation occur).

    3. Re-performance - requires re-completing a given control (re-calculating an estimate or re-performing a reconciliation).

    Note:

    The CFO quality assurance review is considered an inspection review. Reviews developed by the operating/functional divisions may use any suitable technique.

  6. In designing quality assurance reviews, operating/functional divisions should make certain that controls are tested by individuals other than those routinely executing them.

  7. The CFO will assess the listing of IRS quality assurance, management, and operational reviews to recommend new reviews for operating/functional divisions where gaps are identified.

  8. In developing new quality assurance reviews, operating/functional divisions are encouraged to refer to the questions from the Quality Assurance Review Checklist under the Control Review Section. This section may be used to determine whether a quality assurance review is needed and provides key components (e.g., guidance in IRMs and SOPs, review reports, review relationship to financial reporting, and executive and managerial notification of findings/recommendations) that can be incorporated in the new review. IRM 1.4.31.8.3., Quality Assurance Review Checklist.

  9. Operating/functional divisions are encouraged to:

    1. Develop management, operational, and quality assurance reviews that address a single activity. Identifying one review process that occurs over multiple locations is considered one review. Reviews with multiple activities (e.g., data security and employee performance) should be separated, as practical

    2. Test the performance of the new review and refine the review techniques and documentation

    3. Complete a Quality Assurance Questionnaire for the new review as part of the annual assurance call memorandum process. The new review will be incorporated into the IRS inventory of quality assurance, management, and operational reviews

  10. The IRS internal control environment continues to improve through the corrective actions implemented by management. The management commitment to excellence, accountability, and compliance with applicable laws and regulations is evidenced in actions to establish effective controls, make sound determinations on corrective actions, and verify and validate the results.

Quality Assurance Knowledge and Skills

  1. Generally, quality assurance work requires the following kinds of knowledge and skills:

    1. Knowledge of pertinent product, process, or procedure characteristics, methods and processes

    2. Knowledge of quality assurance/control methods, principles, and practices, including statistical analysis and sampling techniques

    3. Knowledge of inspection, test, and measurement techniques

    4. Knowledge of the relationship of quality assurance to other activities such as tax administration, legal and judicial activities, administrative hearings to resolve income tax and collection controversies, including collection due process activities, financial reporting/auditing and assessment and supporting tax and/or financial systems

    5. Skill in interpreting and applying products, processes or procedures, specifications, technical data, regulations, policy statements, and other guideline materials

    6. Skill in conducting studies and investigations, problem analysis, and developing logical and documented recommendations

    7. Skill in written and oral communications

    8. Skill in establishing effective interpersonal relationships

Structured Management Reviews (SMRs)

  1. Quality review and quality assurance processes that are already in place are considered Structured Management Reviews (SMRs) and may be tested as part of the A-123 internal control testing process.

    Example:

    The A-123 transaction test called the AC-6: Administrative Cash Reconciliation, verifies that internal control procedures governing IRS cash reconciliations are in place and working effectively. Cash reconciliations are performed monthly and the IRS A-123 testing is performed on three monthly reconciliations.

  2. SMRs may serve as assurance of testing of internal control, but the review must meet specific criteria. The documentation should contain sufficient information to enable an individual with no previous connection with the evaluation to understand what was reviewed, what was found, and to verify the reviewer’s judgments and conclusions. See IRM 1.4.3.11.3, Evaluate Structured Management Review (SMR).

  3. An SMR should have the following elements:

    1. Documented procedures that guide the SMR

    2. Reviews performed at regular intervals

    3. Documented and independent review of results

    4. Documented process to resolve noted deficiencies


    The three-column table below provides questions to address in developing a new quality assurance review. The first column provides the question, the second column is used to determine a yes-or-no answer, and the third column is used to explain the results of the answer.

    Quality Assurance Review Development Questions YES or NO Explain
    Is the SMR actually being used as designed?
    Is the SMR meeting the internal control objectives?
    Do the personnel executing the SMR have adequate skills and receive sufficient training to complete review?
    Are adequate procedures in place for the SMR?
    Is the guidance for the SMR followed?
    Were issues/errors/concerns adequately and consistently addressed and documented?
    Is the guidance for the SMR consistently followed for error determination and documentation requirements?
    Do the personnel have adequate time, resources, etc. to competently execute the SMR?
    Are the sample sizes and sample methodologies appropriate for the internal control?
    Is a documented SMR in place and is it being monitored by an appropriate level of management?
    Is the SMR performed an appropriate number of times per year to fulfill the internal control function?
    Is the review performed at an appropriate time in the process to allow for error correction and prevention of a similar error?
    Is management using the results of the SMRs to correct the error, process, or procedure?

Related Resources

  1. OMB Circular A-123, Management’s Responsibility for Internal Control.

  2. Federal Managers' Financial Integrity Act (FMFIA) of 1982.

  3. Government Accountability Office (GAO) Comptroller General.

  4. Financial Audit: IRS's Fiscal Year Financial Statements (The Blue Book).

  5. Government Auditing Standards (The Yellow Book).

  6. Standards for Internal Control in the Federal Government (Green Book).

  7. Federal Information Security Management Act of 2002 (FISMA).

  8. Improper Payments Elimination and Recovery Act (IPERA).

  9. IRM 1.15.2, Records and Information Management, Types of Records and Their Life Cycles.

  10. IRM 1.4.2, Monitoring and Improving Internal Control).

  11. IRM 1.4.3, IRS Guidance for Implementing OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A: Internal Control Over Financial Reporting.