1.4.32 Internal Control Review Program

Manual Transmittal

September 26, 2019

Purpose

(1) This transmits new IRM 1.4.32, Resource Guidance for Managers, Internal Control Review Program.

Material Changes

(1) Creation of general guidance of the Internal Control Review Program.

Effect on Other Documents

None

Audience

All IRS Managers

Effective Date

(09-26-2019)

Ursula S. Gillis
Chief Financial Officer

Program Scope and Objectives

  1. This IRM provides general guidance on the Internal Control Review (ICR) program and the established procedures designed to support the CFO’s efforts to improve the quality of IRS’s internal controls. The ICR program provides business units with insight into the effectiveness of their implemented corrective actions for audit recommendations issued by the Government Accountability Office (GAO) and TIGTA, and also evaluates critical controls over IRS programs that may be high risk, high priority or high visibility. This independent examination assists the business units when they review and evaluate their internal control processes.

  2. Purpose: Internal controls include activities used to monitor processes, procedures and programs to ensure they are operating as intended. Effective internal controls are also the first line of defense for safeguarding assets, preventing and detecting errors, and mitigating risk. Internal controls are a vital tool allowing each manager to evaluate and monitor their programs proactively and eliminate deficiencies in a timely manner. Business unit program managers have the primary responsibility for ensuring effective controls over their specific programs. The ICR analyst performs reviews to determine whether any internal control deficiencies exist in the business process and provides recommendations to improve or strengthen internal controls. The ICR program assists IRS senior leadership with oversight by providing independent insight into the status of program controls from outside program management.

  3. Audience: IRS managers and employees

  4. Policy Owner: The CFO, Internal Controls (IC) Office, is responsible for this IRM.

  5. Program Owner: The Outreach, Assessment and Reporting (OAR), Internal Control Review program, promotes knowledge management and sharing of internal controls throughout the Service by reviewing, testing, measuring and reporting on various controls.

  6. Primary Stakeholder: This IRM and procedures apply to the entire IRS workforce. It is incumbent upon the program owners to evaluate the effectiveness of their business programs. The term “program” in this IRM includes processes, projects, operations and any supporting activities.

  7. Program Goals: The Servicewide ICR program supports ongoing program improvements by conducting a thorough analysis of internal controls and identifying potential deficiencies. The process is intended to allow a third party (ICR) to evaluate the way a program works and make recommendations for improvements to controls and risk mitigation strategies. This in turn allows the program owners to develop and implement process improvements and strengthen controls, thereby eliminating deficiencies and mitigating risks before a program failure occurs or external stakeholders are adversely affected.

    All managers have a responsibility to perform periodic monitoring to review the accuracy and effectiveness of the internal controls. As required by IRM 1.4.2, Monitoring and Improving Internal Controls, all program managers are responsible for ensuring their programs have effective controls in place and to monitor those controls for continued effectiveness over time.

Background

  1. This section provides clarification of the ICR role throughout the Service:

    1. The ICR partners with the business units to identify gaps, deficiencies, weaknesses or program concerns and to provide the business units with recommendations to improve or strengthen internal controls.

    2. The ICR analyst applies a variety of methods (for example, administrative, analytical or technical) when evaluating and examining a program, procedure or process.

    3. Once the ICR analyst concludes the review, the point of contact (POC) will receive a report including results, conclusions, recommendations and findings, if applicable.

  2. The ICR’s purpose is to ensure that the IRS complies with regulations and directives, to review the IRS’s programs and systems for improvement, and to mitigate risk. The ICR provides reports that enable leadership to guide systems and programs in a positive direction.

Authorities

  1. Federal Managers’ Financial Integrity Act (FMFIA) of 1982. Under 31 USC Section 3512(d) of the FMFIA, federal agencies are required to establish internal control over their accounting and administrative (that is, operational) activities and to review their internal control systems periodically. The FMFIA also requires that GAO prescribe internal control standards to serve as criteria for those reviews.

  2. Standards for Internal Control in the Federal Government (Green Book) GAO-14-704G. The GAO issued Standards for Internal Control in the Federal Government (Green Book), which provides the overall framework for agencies to establish, maintain and assess internal control over agency operations. As part of the monitoring component, the Green Book directs agency personnel to monitor their internal control system, evaluate the results and remediate identified internal control deficiencies in a timely manner.

  3. Treasury Directive 40-04, Treasury Internal Control Program. Treasury Directive 40-04, Treasury Internal Control Program (TICP) (dated 7/12/2017), requires bureau heads and other officials to take all necessary steps to create an environment within their respective organizations that ensures adherence to all applicable statutory and regulatory standards related to operational, financial, program and administrative internal controls. This includes providing assurances to Treasury that internal controls within their respective organizations adhere to applicable statutory and regulatory standards and ensuring timely completion of corrective actions for identified control deficiencies.

Responsibilities

  1. This section provides responsibilities for:

    1. CFO and deputy CFO

    2. Associate CFO for Internal Controls

    3. Outreach, Assessment and Reporting office

CFO and Deputy CFO
  1. The CFO and deputy CFO manage a portfolio of enterprise-wide activities including budget formulation, budget execution, accounting, financial management and internal controls.

Associate CFO for Internal Controls
  1. The associate CFO for Internal Controls administers the IRS internal controls program and is responsible for coordinating and executing processes that assess the completeness and effectiveness of internal controls and support annual assurance and financial statement audit activities by:

    1. Evaluating the effectiveness of the internal controls.

    2. Partnering with business units to implement and evaluate Office of Management and Budget (OMB) Circular A-123 requirements.

    3. Developing detailed procedures, documentation, training for managers and employees, and reporting requirements necessary to review, establish, maintain, test, improve and report on the IRS’s control systems.

    4. Providing advice and assistance to managers and their internal control coordinators.

Office of Outreach, Assessment and Reporting
  1. The responsibilities of the Outreach, Assessment and Reporting (OAR) office’s ICR program include:

    1. Establishing and documenting the ICR program processes, policies and procedures.

    2. Collecting and analyzing data relevant to the program under review.

    3. Developing a test plan for the ICR which states the objective, focus areas, related IRM references or external audits, issues identified and any additional comments important to the review.

    4. Providing a report outlining the purpose, scope, background analysis, findings and conclusions, in addition to any recommendations from the ICR.

Program Management and Review

  1. Program reporting includes the following:

    1. The ICR team develops a post-review report detailing methodology, testing, findings and recommendations, as appropriate. The report is delivered to the owner of the program being reviewed. The report may be provided to external stakeholders under certain circumstances, for example, reports and related materials will be provided upon request to TIGTA or GAO; reports may be provided automatically where the review is being conducted in conjunction with requirements of a larger audit process, such as the annual Campus Physical Security review performed in support of the GAO Financial Statement Audit.

    2. Findings may be reported to the Management Controls Executive Steering Committee (MC ESC) if the program is of sufficient scope and the control deficiencies discovered during the review are of sufficient seriousness to warrant a broad leadership discussion.

    3. General, aggregated results of reviews performed during the year will be used to support the generation of the IRS’s annual assurance statement.

    4. Results of reviews may be used to support the development of remediation plans where control deficiencies are significant enough to warrant that approach.

  2. Quantitative evaluation of this program’s effectiveness is determined by:

    1. Whether TIGTA or GAO identifies other findings not identified by the ICR team during its reviews.

    2. If business units report successful completion of corrective actions related to the ICR team’s recommendations.

    3. If business units implement new controls or measures based on ICR’s reviews.

    4. When applicable, how external stakeholders such as TIGTA and GAO use or interpret the findings and recommendations of the ICR team and whether they find the analysis and recommendations thoughtful, insightful and comprehensive.

Program Controls

  1. Access to the ICR final report documentation and information is centralized and stored on the OAR SharePoint site. The site is protected by limiting access to those individuals who perform the reviews and manage the program.

  2. Final reports are provided to the program owner upon completion of the review. Distribution is limited unless further distribution is requested by the program owner based on specific requests from stakeholders.

  3. Final reports are stored on a secure SharePoint site with limited access.

Terms/Definitions

  1. In this IRM, the terms below have the following meanings:

    1. Internal Control - Internal control, which is synonymous with management control, is a major part of managing an organization. It comprises the plans, methods and procedures used to meet missions, goals and objectives, and in doing so, supports performance-based management. It also serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. It helps government program managers achieve desired results through effective stewardship of public resources. Internal control systems provide reasonable assurance of achieving effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. Reference GAO’s Standards for Internal Control in the Federal Government (GAO-14-704G), page 5, for a more comprehensive definition of internal control.

    2. Internal control review - An internal control review assesses existing internal controls by analyzing programs, policies and procedures and their efficiency and effectiveness.

    3. Risk - An event that may negatively affect the achievement of a business objective.

    4. Risk assessment - An evaluation of the potential hazards, threats or opportunities that could affect an organization’s ability to conduct business. The reviews help identify inherent business risks and provide measures, processes and controls to reduce or mitigate risks to business operations.

Acronyms

  1. The following chart contains acronyms that are used throughout this IRM.

    Acronym - Meaning
    AC - Audit Coordination
    FACT - Financial Assurance Control Testing
    FMFIA - Federal Managers’ Financial Integrity Act
    GAO - Government Accountability Office
    IC - Internal Controls
    ICR - Internal Control Review
    ICW - Internal Control Weakness
    IPU - IRM Procedural Updates
    MC ESC - Management Controls Executive Steering Committee
    MIO - Management Information Only
    OAR - Outreach, Assessment and Reporting
    OFI - Opportunity for Improvement
    OMB - Office of Management and Budget
    POC - Point-of-Contact
    SERP - Servicewide Electronic Research Program
    SME - Subject Matter Expert
    SOP - Standard Operating Procedure
    TICP - Treasury Directive 40-04, Treasury Internal Control Program

Related Resources

  1. IRM 1.4.2, Monitoring and Improving Internal Control

Business Unit Roles and Responsibilities

  1. Managers are responsible for improving and strengthening internal controls. Program management responsibility with respect to the ICR program is to:

    1. Monitor controls with higher risk and greater vulnerabilities.

    2. Identify subject matter experts (SMEs) for each program, process or procedure.

    3. Foster communication and develop a strategy to engage staff by encouraging the importance of internal controls.

    4. Track and address open GAO, TIGTA and Financial Assurance Control Testing (FACT) audit findings and recommendations.

  2. Managers and SMEs are responsible for providing documentation to ICR program staff upon request.

  3. The SMEs are responsible for coordinating timely responses to ICR inquiries via the designated ICR POC.

  4. The SMEs are responsible for coordinating logistics for ICR team field visits.

  5. Managers and SMEs are responsible for providing comments on potential findings within the report.

Analytical Support

  1. The ICR analysts will consult with SMEs as needed for support and/or comments on testing methodology.

Selection of Program Reviews

  1. Each fiscal year, the inventory of program reviews will be updated and a judgmental sample will be selected.

  2. The ICR list is an inventory of IRS Quality Assurance Reviews and IRS audits created from:

    1. The Annual Assurance process, which requests verification of reviews on the QA Review Listing.

    2. The Internal Control Managerial Assessment (ICMA) sampling of selected managers who completed the assessment.

    3. New IRS initiatives identified by the MC ESC or the Senior Executive Team.

    4. GAO and TIGTA audits identified as closed by Audit Coordination (AC).

  3. Each fiscal year, the ICR team obtains a list of reviews being performed by the IC QA and FACT teams to eliminate any duplication of efforts by the ICR team.

Review Selection Notification

  1. Each business unit executive whose program has been selected for review is notified by email that his/her program/process has been chosen.

  2. The review notification:

    1. Identifies the business unit selected for review.

    2. Designates the review period.

    3. Requests the names of SMEs and/or audit liaisons who will provide the necessary documentation and overview of the program.

    4. Provides a list of the documents needed for the review.

Review Procedures

  1. Prior to initiating a program review, the ICR team will obtain an understanding of the program and the key program controls. The ICR will use the following sources:

    1. A description of key processes, which includes examples of the processing documents (for example, flowcharts, cycle memos, desk guides).

    2. Policies and procedures governing transactions such as laws, regulations, IRMs, interim guidance memoranda, Servicewide Electronic Research Program (SERP) IRM Procedural Updates (IPUs), and Standard Operating Procedures (SOPs).

    3. External and internal reporting reviews (for example, reports issued by GAO or TIGTA).

    4. Congressional hearings or testimonies.

  2. The ICR team will use the information obtained to construct a framework and general review plan. This framework will outline the objectives and scope of the review and identify areas to be evaluated by the review team. However, it will also allow the review team the flexibility to identify and pursue new leads or areas of significant concern identified during the course of, or as a result of analyses performed as a part of, the review. The framework and review plan will guide the overall review but should not constrain it.

  3. To conduct the review, the ICR team will:

    1. Conduct an opening conference with the POC or designated liaison.

    2. Request that the POC provide contact information for the SME along with an overview of the controls that are in place and how often management reviews the controls.

    3. Obtain procedural manuals from the POC and/or SME (for example, IRMs, SOPs, desktop/technical manuals), and backup documentation from external audit sources (for example, internal examination reports, TIGTA or GAO audit reports).

    4. Request source documents such as raw data, transcripts, tax forms, logs and case files.

    5. Observe the program activity through business unit demonstration, using various media (for example, face-to-face, LiveMeeting, Skype) and transaction reporting.

    6. Conduct walkthrough procedures including a combination of inquiry, observation, inspection of relevant documentation and re-performance of controls. In performing a walkthrough, the ICR analyst will question personnel about their understanding of the prescribed procedures and controls involved in performing the daily work.

    7. Re-perform activities using source documents to check the procedural steps and perform the applicable action (for example, re-adding the total of a line of numbers to determine consistency).

    8. Evaluate the operating effectiveness of key internal controls.

    9. Conduct a closing conference at the end of the review with management to discuss draft review findings and recommendations.

Reporting Process

  1. After the ICR, the team will analyze the data gathered and draft a report. The report will provide findings and/or recommendations identified during the review.

  2. The ICR analyst will share the report with the appropriate officials. If the ICR analyst noted findings during the review, the report will address the findings as:

    1. Management Information Only (MIO) - Designed to make management aware of a potential future issue that may arise if there are no improvements to controls.

    2. Opportunity for Improvement (OFI) - Occurs when one or more individual controls are ineffective, but the overall system of controls is effective.

    3. Internal Control Weakness (ICW) - Occurs when testing reveals the overall system of internal controls is ineffective.

Business Unit Post Review

  1. Business unit program owners and executives will receive a report from the ICR team describing the team’s findings and recommendations once the review is complete. The recommendations are provided to help business units identify areas where control deficiencies should be addressed and to provide a general framework that business units may use for strengthening internal controls.

  2. Business units should take the following steps once they receive the ICR team’s report:

    1. Develop and implement corrective actions to address the findings and recommendations provided in the final report.

    2. Assess and document the degree to which a control deficiency represents an acceptable risk, if corrective actions are not going to be taken.

    3. Include any risks identified in the business unit’s risk register.

    4. Retain any documentation created as part of post-review corrective actions or risk documentation/mitigation activities in the event the program is audited by TIGTA or GAO.

  3. The ICR team may conduct a follow-up engagement with the business unit to ascertain the outcome of the steps described above. This follow-up engagement may include review of the corrective actions and accompanying documentation by the business unit, or other steps up to and including a comprehensive subsequent ICR. The timing and nature of any follow-up will depend on variables including the severity of control deficiencies, the nature of the program that was reviewed, and the likelihood that the program will be subject to significant external stakeholder scrutiny.

  4. Business units should also consider these internal control improvement tips:

    1. Reevaluate controls periodically, especially when there are changes to personnel, work processes, business operations and regulations that may affect the business unit.

    2. Streamline monitoring processes to reduce burden and improve accountability.

    3. Monitor and mitigate risk using data-driven approaches.

    4. Involve employees in identifying and mitigating risk.

  5. Examples of control monitoring:

    1. Consider Disclosure/Privacy Act implications in all activities, including reviews of files and personnel folders.

    2. Perform risk reviews.

    3. Conduct quality assurance reviews.

    4. Initiate timely background and security investigations and take appropriate action based on the outcome of the investigation.

    5. Monitor telephone traffic volumes to ensure timely customer service.

    6. Review access to sensitive Integrated Data Retrieval System (IDRS) command codes.

    7. Review assignment of portable electronic devices (PEDs) such as laptop computers, cellular/personal communications system devices, audio/video/data recording or playback devices, scanning devices, and messaging devices to ensure safeguarding of these devices and the data they contain, and/or that the employees who possess them still have a business need for them.

Records Retention/Accessibility of Reports

  1. ICR reports are maintained on the OAR SharePoint site.

  2. Electronic records are maintained in accordance with the following IRS electronic records retention policies:

    1. IRM Section 1.15.1, Records and Information Management Program

    2. IRM Section 2.25.2, Managed Service for IRS, IRS Portal and Extranet Usage Standard

    3. IRM Section 10.5.1, Privacy and Information Protection, Privacy Policy

    4. IRM Section 10.5.2.3.1, FISMA Reporting

    5. IRM Section 11.1.4, Content Policies and Standards for Intranet Sites

  3. Records retention should be in accordance with the US Government General Records Schedule (https://www.archives.gov/records-mgmt/grs.html).