1.35.14 IRS Annual Financial Statement Audit

Manual Transmittal

September 4, 2018

Purpose

(1) This transmits revised IRM 1.35.14, Financial Accounting, Internal Revenue Service Annual Financial Statement Audit.

Material Changes

(1) IRM 1.35.14.1, Program Scope and Objectives, added to conform to the new internal control requirements described in IRM 1.11.2, Internal Revenue Manual (IRM) Process. Also, rearranged and updated existing IRM content to place information involving internal controls for the IRM under this subsection. All other subsequent subsections were renumbered accordingly. Replaced the Associate CFO for Financial Management as the responsible party for IRM development and maintenance.

(2) IRM 1.35.14.1.3.1, Commissioner of Internal Revenue, revised title to Commissioner and updated responsibilities.

(3) IRM 1.35.14.1.3.2, Deputy Commissioner for Operations Support, added new section and included responsibilities.

(4) IRM 1.35.14.1.3.3, MC ESC, added new section and included responsibilities.

(5) IRM 1.35.14.1.3.4, CFO, revised title to CFO and Deputy CFO and updated responsibilities.

(6) IRM 1.35.14.1.3.5, Associate CFO for Financial Management, updated responsibilities.

(7) IRM 1.35.14.1.3.6, Associate CFO for Financial Management – Audit Team, updated responsibilities and updated annual Fraud Risk Factors meeting to a data request.

(8) IRM 1.35.14.1.3.7, Associate CFO for Corporate Planning and Internal Control, revised title to Associate CFO for Internal Control and updated responsibilities.

(9) IRM 1.35.14.1.3.8, Associate CFO for Internal Control, Audit Coordination, added new section and included responsibilities.

(10) IRM 1.35.14.1.3.9, Associate CFO for Corporate Planning and Internal Control - A-123 Section, revised title to Associate CFO for Internal Control - Enterprise Assurance and Controls - Financial Assurance Control Testing Section and updated responsibilities.

(11) IRM 1.35.14.1.3.10, Chief Technology Officer, updated responsibilities.

(12) IRM 1.35.14.1.3.11, Associate Chief Information Officer, Cybersecurity, Office of Architecture and Implementation, added new section and included responsibilities.

(13) IRM 1.35.14.1.3.12, Information Security Audit Team, revised title to IT audit team and updated responsibilities.

(14) IRM 1.35.14.1.3.14, Director, Office of Legislative Affairs, updated responsibilities.

(15) IRM 1.35.14.1.3.15, All Business Units, updated responsibilities.

(16) IRM 1.35.14.3.6, Fraud Risk Factors Meeting, revised title to Fraud Risk Factors Data Request and updated to reflect data request in lieu of meeting.

(17) IRM 1.35.14.3.14, Management Report, updated timeframe GAO provides management exposure draft and the issuance of the official management report.

(18) IRM 1.35.14.3.18, Joint Audit Management Enterprise System (JAMES) Reporting, updated to reflect ACFO-FM audit team responsibility for updates related to the financial statement audit.

(19) IRM 1.35.14.3.18.1, Management Report (Financial Management Audit), added new section to reflect JAMES responsibilities related to the financial management audit management report.

(20) IRM 1.35.14.3.18.2, Information Security Control Reports, added new section to identify JAMES responsibilities related to the Information Security Control Reports.

(21) IRM 1.35.14.3.19, Annual Open Audit Recommendation Update (Management Report), updated to reflect current process.

(22) IRM 1.35.14.3.20, Open Audit Recommendation Update (Information Security Control Reports), updated to reflect current process.

Effect on Other Documents

IRM 1.35.14, dated January 13, 2015, is superseded.

Audience

All Divisions and Functions.

Effective Date

(09-04-2018)

Ursula S. Gillis
Chief Financial Officer

Program Scope and Objectives

  1. Purpose: This IRM contains an overview of the annual audit of the IRS financial statements to provide business units with a general understanding of the process.

  2. Audience: Business unit employees responsible for financial audit activities.

  3. Policy Owner: CFO, Associate CFO for Financial Management (ACFO-FM).

  4. Program Owner: The ACFO-FM develops and maintains this IRM.

  5. Primary Stakeholders: Business units that are involved with the financial statement audit.

  6. Program Goals: Secure unmodified audit opinion on the IRS financial statements.

Background

  1. The CFO Act of 1990, expanded by the Government Management Reform Act of 1994, authorizes GAO to audit the IRS financial statements annually to determine whether (1) the financial statements are fairly presented, and (2) IRS management maintained effective internal control over financial reporting. GAO also tests IRS’s compliance with selected provisions of applicable laws, regulations, contracts and grant agreements. The IRS’s FY 1992 financial statements were the first to be audited by GAO.

  2. The effect of the IRS financial statement audit extends far beyond the IRS. The IRS’s financial statements roll up to the Department of the Treasury (Treasury) financial statements and Treasury's financial statements roll up to the governmentwide consolidated financial statements. An unfavorable audit opinion on the IRS financial statements impairs GAO's ability to rely on the Treasury and governmentwide financial statements to render an unmodified audit opinion for the federal government as a whole.

  3. The GAO also reports annually on the status of new internal financial management audit (FMA) and/or information security (IS) control weaknesses and/or deficiencies identified during its audit of the financial statements and provides updates on IRS efforts toward previously reported GAO recommendations in the (1) management report (R Report), and (2) information security reports (Public and Limited Official Use (LOU)).

  4. Obtaining an unmodified audit opinion shows Congress and the public that the IRS is a good steward of public funds. An unmodified audit opinion also provides assurance that the IRS effectively plans and executes its strategic priorities (i.e., provide top-quality service by helping taxpayers understand and meet their tax responsibilities and enforce the law with integrity and fairness to all).

Authorities

  1. The authorities for this IRM include:

    1. CFO Act of 1990 (Pub. L. No. 101-576)

    2. The Federal Managers' Financial Integrity Act (FMFIA) of 1982, also known as the Integrity Act (Pub. L. No. 97-255)

    3. The Federal Financial Management Improvement Act of 1996 (FFMIA) (Pub. L. No. 104-208)

    4. OMB Circular No. A-123, Management's Responsibility for Internal Control

    5. The Government Management Reform Act of 1994 (GMRA) (Pub. L. No. 103-356)

    6. 31 USC 720: Agency Reports

    7. AICPA Statement on Auditing Standards (SAS) No. 122, Statements on Auditing Standards: Clarification and Recodification

    8. AICPA AU-C Section 210, Terms of Engagement, paragraph A23 - Form and Content of the Audit Engagement Letter

    9. AICPA AU-C Section 240, Considering Financial Fraud in Financial Statement Audits

    10. AICPA AU-C Section 315, Identifying and Assessing Risks of Misstatement

    11. 31 USC 3512: Executive Agency Accounting and Other Financial Management Reports and Plans

    12. Standards for Internal Control in the Federal Government (GAO-14-704G), dated September 2014

    13. OMB Circular No. A-136, Financial Reporting Requirements

    14. Reports Consolidation Act of 2000 (Pub. L. No. 106-531)

Responsibilities

  1. This section provides responsibilities for:

    1. Commissioner

    2. Deputy Commissioner for Operations Support (DCOS)

    3. Management Controls Executive Steering Committee (MC ESC)

    4. CFO and Deputy CFO (DCFO)

    5. Associate CFO for Financial Management (ACFO-FM)

    6. Associate CFO for Financial Management audit team (ACFO-FM audit team)

    7. Associate CFO for Internal Control (ACFO-IC)

    8. Associate CFO for Internal Control, Audit Coordination (ACFO-IC-AC)

    9. Associate CFO for Internal Control, Enterprise Assurance and Controls, Financial Assurance Control Testing Section

    10. Chief Technology Officer (CTO)

    11. Associate Chief Information Officer, Cybersecurity, Office of Architecture and Implementation (ACIO-Cybersecurity OAI)

    12. IT audit team

    13. Chief Counsel

    14. Director, Office of Legislative Affairs

    15. All business units

Commissioner
  1. The commissioner has overall organizational responsibility for the annual IRS financial statement audit; concurring with the audit engagement letter; attesting to the management representation letter; responding to the draft audit, management and information security (IS) control reports; submitting the 60-day management and IS control reports’ responses to the appropriate congressional committees; and ensuring that recommendations are implemented.

Deputy Commissioner for Operations Support
  1. The DCOS has organizational responsibility, on behalf of the commissioner, for the annual IRS financial statement audit. The DCOS also is responsible for concurring with the audit engagement letter, attesting to the management representation letter and ensuring that recommendations are implemented.

Management Controls Executive Steering Committee
  1. The mission of the MC ESC is to oversee management’s design, implementation and operation of the IRS internal control system ensuring that all business units and functions identify, address and correct internal control deficiencies and recognize the importance of their shared responsibility for designing and implementing strong internal controls.

  2. The objectives of the MC ESC are to build a strong relationship between risk management and internal controls to ensure existing and new controls address identified risks effectively, ensure the remediation of existing control weaknesses and prevent new ones from arising, provide an unmodified statement of assurance that the IRS internal controls are in place and functioning effectively and achieve an unmodified opinion on the IRS financial statement audit.

  3. The MC ESC also oversees processes to identify, remediate and close material weaknesses, significant deficiencies and other internal control issues, including identifying and documenting new material weaknesses and significant deficiencies; approving actions for remediation plans related to existing material weaknesses and significant deficiencies; ensuring business units and program owners apply appropriate attention, commitment and resources to resolve control issues; authorizing engagement with GAO on the downgrade or closure of an existing material weakness or significant deficiency; and reviewing GAO and TIGTA identified management challenges and high profile audits.

  4. The MC ESC membership is structured as follows:

    1. Deputy Commissioner for Operations Support, Chair

    2. Deputy Commissioner for Services and Enforcement, Chair

    3. CFO, Vice-Chair

    4. Treasury Deputy CFO, Member

    5. Commissioner, SB/SE, Member

    6. Commissioner, W&I, Member

    7. Commissioner, LB&I, Member

    8. Commissioner, TE/GE, Member

    9. Chief Technology Officer, Member

    10. Chief Risk Officer, Member

    11. Chief, Facilities Management and Security Services, Member

    12. Director, Privacy, Governmental Liaison and Disclosure, Member

    13. Human Capital Officer, Member

CFO and Deputy CFO
  1. The CFO and the DCFO are responsible for overseeing the financial statement audit.

  2. The CFO and the DCFO are also responsible for acknowledging and agreeing to the terms of the audit, as stated in the engagement letter; attesting to the management representation letter; signing the management’s report on internal control over financial reporting; issuing the request for the legal representation response to Chief Counsel; and ensuring that recommendations are implemented.

Associate CFO for Financial Management
  1. The ACFO-FM is responsible for managing an effective, efficient and responsive annual financial statement audit process for the IRS. This includes facilitating the audit opening and exit conferences, coordinating and delivering the financial statements and related notes to GAO, and preparing the engagement and management representation letter responses for commissioner signature and delivering the signed responses to GAO.

  2. The ACFO-FM also coordinates activities for the administrative and custodial audit subcomponents. Key activities include managing audit deliverables, issuing the annual fraud risk factors data and legal representation letter requests, facilitating audit-related meetings, preparing official responses to GAO reports, ensuring corrective actions are developed to address recommendations, and reporting to leadership on the audit status.

Associate CFO for Financial Management - Audit Team
  1. The ACFO-FM audit team is responsible for:

    1. Serving as the primary point of contact for the administrative and custodial subcomponents of the audit, including providing financial/audit information and support to the IRS organizations and offices.

    2. Coordinating business unit updates to, and/or developing revised corrective action plans for, prior year FMA open recommendations.

    3. Preparing and delivering the prior year financial statement audit open recommendation update to GAO.

    4. Coordinating and managing Joint Audit Management Enterprise System (JAMES)-related activities for the FMA component of the financial statement audit, including entering new recommendations, approving Planned Corrective Action (PCA) closure and extension requests, validating reports, providing business unit guidance and reopening FMA recommendations in JAMES.

    5. Facilitating the audit opening and exit conferences between GAO and IRS senior management.

    6. Conducting the IRS/GAO administrative and custodial audit status meetings.

    7. Updating and/or securing IRS/GAO agreement on the administrative and custodial PBC listing, as appropriate, as well as monitoring the timely delivery of administrative and custodial PBC listing deliverables.

    8. Coordinating and responding to GAO on all FMA matter for further consideration (MFC) responses.

    9. Coordinating, preparing and delivering the annual fraud risk factors update request response to GAO.

    10. Managing the GAO financial audit Interagency Agreement.

    11. Coordinating, preparing and delivering the engagement letter response to GAO.

    12. Preparing and delivering the management representation letters (financial statement and excise agreed upon procedures).

    13. Coordinating, preparing and delivering the draft audit report response to GAO.

    14. Coordinating business unit developed PCAs for new recommendations identified in the draft management report.

    15. Coordinating, preparing and delivering the draft management report response to GAO.

    16. Preparing the final 60-day management report response to the congressional committees.

Associate CFO for Internal Control
  1. The ACFO-IC is responsible for coordinating activities for the MC ESC on behalf of the DCOS, overseeing and monitoring IRS management’s assessment of its internal controls over financial reporting to verify compliance with OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, and for establishing program governance, defining scope of review and reporting on the internal controls over financial reporting.

  2. The ACFO-IC also coordinates activities for the internal control subcomponent of the audit. Key activities include managing audit deliverables, facilitating audit-related meetings, preparing and delivering the Management Discussion & Analysis (MD&A) that is incorporated into the audit report, ensuring corrective actions are developed to address IC audit findings, and preparing and delivering the management’s report on internal control over financial reporting to GAO. Additionally, the ACFO-IC is responsible for external reporting on any material weaknesses (MW) and/or significant deficiencies (SD) related to the financial statement audit.

Associate CFO for Internal Control - Audit Coordination
  1. The ACFO-IC-AC is responsible for receiving and disseminating the financial statement audit notification letter and the draft IS control reports.

  2. The ACFO-IC-AC coordinates and manages JAMES-related activities with Treasury and GAO; this includes notating GAO's concurrence of recommendation closures in JAMES.

  3. The ACFO-IC-AC is also responsible for the following related to the IS component of the financial statement audit:

    1. Coordinating and managing JAMES-related activities, including report validation, guidance, and corrective action projections.

    2. Entering new recommendations in JAMES.

    3. Sending A6 reports to the business units for review and approval.

    4. Entering/revising business unit PCAs and PCA extensions in JAMES.

    5. Validating and approving business unit PCA closures in JAMES.

    6. Reopening recommendations in JAMES.

Associate CFO for Internal Control - Enterprise Assurance and Controls - Financial Assurance Control Testing Section
  1. The ACFO-IC, Enterprise Assurance and Controls, Financial Assurance Control Testing Section is responsible for:

    1. Serving as the primary point of contact for the internal control subcomponent of the audit.

    2. Updating and/or securing IRS/GAO agreement on the internal control PBC listing, as appropriate.

    3. Monitoring the timely delivery of the internal control PBC listing deliverables.

    4. Preparing and delivering management's report on internal control over financial reporting to GAO.

Chief Technology Officer
  1. The CTO is responsible for coordinating activities for the IS audit component. Key activities include managing audit deliverables, facilitating audit-related meetings, preparing the IS control reports’ response to GAO and the 60-day control reports’ response to the congressional committees, ensuring corrective actions are developed to address audit findings, and reporting to management the status of the IS audit component.

Associate Chief Information Officer, Cybersecurity, Office of Architecture and Implementation
  1. The ACIO-Cybersecurity OAI is responsible for coordinating with IT organizations and the IT and ACFO-FM audit teams to ensure corrective actions, internal controls and mitigations are developed and implemented, as needed.

IT Audit Team
  1. The IT audit team is responsible for:

    1. Serving as the primary point of contact for the IS audit component, including keeping the ACFO-FM audit team abreast of the status of IS open recommendations, new MFCs and potential recommendations.

    2. Coordinating business unit updates to and/or developing revised corrective action plans for prior year IS open audit recommendations.

    3. Preparing and delivering the prior year IS open recommendation updates to GAO.

    4. Conducting the IRS/GAO IS audit status meetings.

    5. Monitoring the timely delivery of the IS PBC listing deliverables.

    6. Coordinating and responding to GAO on all IS MFC responses.

    7. Coordinating, preparing and delivering the draft IS control reports’ response to GAO.

    8. Coordinating business unit developed PCAs for new recommendations identified in the IS control reports.

    9. Coordinating and preparing the final 60-day IS control reports’ response to the congressional committees.

    10. Providing the ACFO-IC-AC with the PCAs listed in the 60-day IS control reports’ response for JAMES input.

Chief Counsel
  1. The Chief Counsel is responsible for preparing and delivering the legal representation letter to GAO.

Director, Office of Legislative Affairs
  1. The Director, Office of Legislative Affairs, is responsible for delivering the 60-day management and IS control reports’ responses to the congressional committees after securing the response from the commissioner.

All Business Units
  1. All business units are responsible for:

    1. Ensuring adequate internal controls related to processes and procedures are identified, developed, implemented and working effectively, thereby ensuring accuracy and reliability in accounting and operating data and/or transaction flows.

    2. Establishing audit coordinators, as appropriate.

    3. Providing input into the annual draft PBC roll-forward processes (FMA and IC subcomponents) and facilitating delivery of PBC items, as appropriate.

    4. Providing input into the annual cycle memorandum update processes, as appropriate.

    5. Facilitating/participating in GAO walk-throughs and site visits, as appropriate.

    6. Attending audit meetings and conference calls, collaborating with other business units on cross-functional audit-related activities and providing support for all GAO testing, as appropriate.

    7. Responding timely to GAO on all business unit specific questions and audit inquiry forms (AIFs).

    8. Responding timely to the ACFO-FM or CTO, as appropriate, on all business unit specific MFC responses.

    9. Collaborating with the ACFO-FM or CTO, as appropriate, on the establishment and/or revision of MFCs and/or GAO audit recommendation PCAs.

    10. Requesting that the appropriate office approve/enter PCA extensions, modify existing PCAs or add new PCAs for existing recommendations in JAMES.

    11. Providing documentation and requesting the appropriate office validate closure of GAO audit recommendation PCAs in JAMES (based on Form 13872 and supporting documentation).

Program Management and Review

  1. The program reports and tools used to manage the audit process are:

    1. Current year PBC listings

    2. Current year MFC issues, responses and auditor conclusions

    3. Current year walk-through schedule

    4. GAO's recommendations

    5. Current year testing plan

  2. Program effectiveness is measured by:

    1. Securing an unmodified audit opinion from GAO

    2. Securing GAO concurrence to close open recommendations

Program Controls

  1. The following controls are in place to ensure compliance with the financial statement audit program:

    1. Receipt of Joint Committee on Taxation notification indicating GAO has been granted access to taxpayer information

    2. Approved auditor access listings

    3. Current PBC listings

    4. Centralized management of requests for all administrative/custodial PBC, MFC and/or PCA extensions

    5. Centralized review and approval of all current year administrative/custodial MFC responses by the FM audit team and ACFO-FM

    6. Centralized review and approval of all administrative/custodial completed PCAs for prior year open recommendations and MFCs by the FM audit team

    7. Centralized review and approval of all IS completed PCAs for prior year open recommendations by the ACIO-Cybersecurity OAI

    8. Monthly status meetings with the IRS stakeholders and GAO auditors

Terms/Definitions

  1. In this IRM, the terms below have the following meanings:

    1. Audit inquiry form - An official request from GAO for clarification or additional information.

    2. Audit opinion - A professional opinion offered by a qualified internal or external auditor at the close of an audit of financial records. The opinion describes the processes used during auditing, the standards used by the auditor, and other relevant information. It indicates whether or not the auditor believes that the financial records inspected support the financial statements.

    3. Audit recommendation - The auditor's prescribed course of action to address issues that are not specified in the audit opinion, but have been identified by the auditor as areas needing improvement (usually as a result of concerns around internal control).

    4. Cycle memorandum - A document used by GAO during the audit planning phase that details the understanding of processes and procedures in relation to transaction flows and related internal controls in key audit areas (also known as cycles).

    5. Internal control - A process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.

    6. Internal control testing - A process used by the auditors to assess whether internal controls are properly designed, placed in operation and operating effectively. These tests are conducted on a sample basis.

    7. Material weakness - A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.

    8. Matter for further consideration - An official notification from GAO that identifies either an instance of non-conformance with internal control standards, IRM, standard operating procedures or other control guidance (internal control); a discrepancy in recorded dollar amounts (substantive); the unavailability of documentary support (missing documentation); or an incidence of non-compliance with laws and regulations (compliance).

    9. Prepared by client listing - A list of deliverables (i.e., policies, procedures, work papers, reports, data extracts or other documentation) to be provided to the auditors during the course of field work.

    10. Significant deficiency - A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements timely.

    11. Site visit - A planned trip by GAO to an IRS location in order to conduct walk-throughs, make observations, or conduct field testing.

    12. Substantive testing - A process used by the auditors to assess the completeness, validity, and/or accuracy of account balances and underlying classes of transactions. These tests are conducted on a sample basis.

Acronyms

  1. The following acronyms are used throughout this IRM:

    Acronym   Description
    AICPA     American Institute of Certified Public Accountants
    AIF       Audit Inquiry Form
    AU        Audit Standard Identifier
    FFMIA     Federal Financial Management Improvement Act
    FMA       Financial Management Audit
    FMFIA     Federal Managers' Financial Integrity Act
    GAAP      Generally Accepted Accounting Principles
    GAO       Government Accountability Office
    IS        Information Security
    JAMES     Joint Audit Management Enterprise System
    LOU       Limited Official Use
    MD&A      Management's Discussion & Analysis
    MFC       Matter for Further Consideration
    PBC       Prepared by Client
    PCA       Planned Corrective Action
    SAS       Statements on Auditing Standards

Forms

  1. The following form is used throughout this IRM:

    Form Number   Title
    Form 13872    Planned Corrective Action (PCA) Status Update for TIGTA/GAO/MW/SD/TAS/REM Reports

Audit Components

  1. The IRS financial statement audit has two components - the FMA and the IS audit.

  2. The GAO issues three management reports, one addressing concerns and recommendations related to the FMA (R Report), the other two addressing concerns and recommendations related to IS (Public and LOU).

Financial Management Audit Component

  1. The FMA component focuses on IRS’s internal controls over its use of, and accounting for, its financial resources. The FMA is comprised of three subcomponents: administrative, custodial and internal control.

  2. The ACFO-FM organization oversees the administrative and custodial subcomponents and the ACFO-IC organization oversees the internal control subcomponent.

Administrative
  1. The administrative subcomponent focuses on IRS’s use of its available financial resources (e.g., appropriations received and user fees) to implement its mission and strategic plans.

Custodial
  1. The custodial subcomponent focuses primarily on accounting for and reporting of taxes receivable on its balance sheet, and tax collections and refunds reported on the statement of custodial activity.

Internal Control
  1. The internal control subcomponent focuses on IRS controls for ensuring the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error.

Information Security

  1. The IS component focuses on IRS internal controls over its key financial and tax processing systems, and its information and interconnected networks to ensure the confidentiality, integrity and availability of financial and sensitive taxpayer information.

  2. The CTO organization coordinates activities for the IS audit component.

Key Events/Products of the Financial Audit

  1. During the financial audit process, several key events must occur and products must be developed by GAO and/or IRS. Each of them has unique content, timeframes, participants and signature/date requirements.

Audit Notification Letter

  1. The GAO issues an audit notification letter to the IRS in December providing official notice that the financial statement audit is starting.

  2. The letter provides the job assignment code and states that GAO has requested approval to access all records, files and tax return information needed to complete the audit from the Joint Committee on Taxation. If GAO already has secured an approval letter from the committee, the audit notification letter will reference that and the transmittal will include the letter from the committee.

  3. The audit notification letter is sent to the ACFO-IC-AC to disseminate it throughout the IRS as needed.

Prepared By Client Listings

  1. The ACFO-FM and the ACFO-IC update two lists of audit deliverables between November and March - the administrative/custodial PBC listing and the internal control PBC listing, respectively. The two groups update the due dates and the descriptions from the prior year's PBC listings for the current audit year and, where changes are needed, get agreement from the affected IRS business units. Once the business units agree, the two groups forward their draft listings to GAO with all of the changes highlighted and facilitate any meetings that may be needed to finalize the listings by the end of March.

  2. Updates to these listings can and do occur throughout the audit on an as-needed basis. All changes must be coordinated through the appropriate IRS subject matter expert, GAO cycle team member and appropriate ACFO office.

  3. For the IS audit component, the CTO organization creates a list of documents and files as they are requested by GAO. This list is referred to as the IS PBC listing.

Audit Engagement Letter

  1. The GAO issues an audit engagement letter to the IRS between February and March providing written objectives for the IRS financial statement audit.

  2. The ACFO-FM receives the audit engagement letter and disseminates it to the appropriate IRS staff.

  3. The IRS issues a formal acknowledgement to GAO of the receipt of the audit engagement letter and agreement to the terms of the engagement outlined therein (as prescribed by SAS #122).

Audit Entrance Conference

  1. A formal financial statement audit entrance conference occurs every April with GAO and IRS senior executives discussing the purpose and scope of the upcoming annual financial statement audit process.

Program and Internal Control Walk-Throughs

  1. Throughout the fiscal year, meetings, conference calls and/or site visits are conducted by IRS subject matter experts for GAO to gain a basic understanding of how certain IRS programs and/or controls work.

Fraud Risk Factors Data Request

  1. The appropriate IRS senior executives provide updates to schedules and questions provided by GAO in April to help GAO understand what actions, policies, procedures and controls IRS has established to mitigate the risk of fraud and the potential of material misstatements in the financial statements. The audit requirements specifically addressed by this response are AU-C 240 (risk of fraud) and AU-C 315 (material misstatement).

Testing - Internal Control and Substantive

  1. The GAO performs internal control testing to determine whether IRS internal controls are properly designed and effectively implemented. It tests various IRS financial reporting and information technology controls, including safeguarding of assets, segregation of duties, budget, compliance and operation controls. GAO then evaluates the results of its internal control testing to determine the extent of substantive control testing to perform. There is a direct relationship between the number of errors allowed during internal control testing for an audit area (for example, reimbursable revenue transactions, procurement disbursements) and the sample size of the subsequent substantive testing.

  2. The GAO performs substantive testing to obtain evidence that provides reasonable assurance about whether the IRS financial statements are free of material misstatements. This involves testing IRS financial (appropriation and taxpayer-related) transactions and account balances to enable GAO to issue its audit report on IRS financial statements, internal controls and compliance with significant provisions of laws and regulations.

Legal Representation Letter

  1. The ACFO-FM issues a request to the IRS Chief Counsel between August and September asking that he/she prepare a legal representation letter response to GAO.

  2. The letter’s language is provided by GAO and requires:

    1. Disclosing any instances of known violations of laws and regulations that may have a direct and material effect on the presentation of the financial statements.

    2. Providing information on pending or threatened litigation, claims or assessments above a specified threshold.

    3. Providing information on unasserted claims and assessments that are probable of assertion and have a reasonable possibility of an unfavorable outcome for the IRS.

  3. The Associate Chief Counsel (General Legal Services) issues the legal representation letter to GAO in early November.

Delivery of Management's Discussion & Analysis

  1. The IRS delivers the MD&A to GAO in November.

  2. The MD&A summarizes the IRS organization, resources, performance, challenges, risks and actions the IRS has identified to mitigate risks.

  3. The GAO incorporates the IRS MD&A into the audit report.

Delivery of Financial Statements

  1. The IRS delivers its annual financial statements including the principal statements and related footnotes, required supplementary information and other information to GAO in early November.

  2. The financial statements report the IRS’s financial position and results of operations, pursuant to the requirements of the CFO Act of 1990, the Government Management Reform Act of 1994, and the Office of Management and Budget Circular No. A-136, Financial Reporting Requirements. The integrity of the information included in the financial statements is the responsibility of IRS management.

  3. The annual IRS financial statements include:

    1. MD&A

    2. Principal financial statements and related footnotes

    3. Required supplementary information

    4. Other information

  4. The IRS principal financial statements include:

    1. Balance Sheet

    2. Statement of Net Cost

    3. Statement of Changes in Net Position

    4. Statement of Budgetary Resources

    5. Statement of Custodial Activity

    6. Related footnotes

  5. The IRS financial statements are included in GAO’s audit report.

Management Representation Letter Issued

  1. The IRS issues a written confirmation to GAO in early November that representations made to the auditors during the audit regarding the completeness and reliability of audit data are accurate as of the date of the letter.

  2. The management representations detailed in the letter cover a broad range of audit areas including: financial statements, required supplementary information, other information, intra-governmental activities, internal control, fraud, compliance of financial management systems with FFMIA requirements, and budgetary and restricted funds.

Exit Conference

  1. The GAO meets with the IRS senior executives in late October to convey to IRS management:

    1. Overarching issues identified during the audit

    2. Remaining audit timeline

    3. Overall message the audit opinion will contain

Financial Statements and Audit Opinion Issued

  1. At the completion of the IRS financial statement audit, GAO issues a report titled IRS's Fiscal Years 20XX and 20XX Financial Statements in November.

  2. This report contains the:

    1. IRS financial statements, notes, required supplementary information and other information

    2. MD&A

    3. Auditor's opinion on the fair presentation of the IRS financial statements, the effectiveness of IRS internal control over financial reporting, IRS compliance with laws and regulations, and IRS financial systems compliance with FFMIA requirements. The auditors issue one of four opinions:
      (i) Unmodified -- The financial statements, including the accompanying notes, present fairly, in all material respects, the financial information
      (ii) Qualified -- Except for the circumstances specified in the report, the statements present fairly the financial information
      (iii) Adverse -- The auditor disagrees with the application of certain accounting principles, and the financial statements do not present fairly the financial information
      (iv) Disclaimer -- The auditor could not obtain enough evidential matter to express an audit opinion

    4. Auditor's statement of any material weaknesses, significant deficiencies and/or management challenges

Management Report

  1. The GAO provides the IRS with an exposure draft (restricted use only) of the upcoming management report (R Report) for review and comment between March and May. The draft report identifies new deficiencies in internal control that GAO observed during the latest audit of the IRS financial statements and recommendations for action.

  2. The IRS has about three to four weeks to respond formally to the draft report. The response includes a letter from the commissioner and an enclosure that summarizes each new recommendation, states whether the IRS agrees with each recommendation and identifies PCAs and projected completion dates for each.

  3. The GAO issues its official management report between April and June. The first section of the report discusses GAO's identification of the new deficiencies and development of recommendations, and IRS’s identification of PCAs with projected completion dates. The second section is an enclosure that summarizes GAO's current assessment of IRS actions on open recommendations from prior years.

60-Day Management Report Response

  1. The IRS is required to send a management report response to congressional committee leadership within 60 days of GAO's issuance of its management report.

  2. The response is required by 31 U.S.C. Section 720 to update Congress on IRS’s efforts to address GAO's financial statement audit recommendations.

  3. The response includes a letter from the commissioner and the management report enclosure sent to GAO. If actions occur in the interim, an updated version of the enclosure is sent.

Information Security Control Reports

  1. The GAO provides the IRS with exposure drafts (restricted use only) of the upcoming IS control reports (Public and LOU) for review and comment between February and June. The draft reports identify new deficiencies in internal control that GAO observed during the latest audit of the IRS financial statements and recommendations for action. While these deficiencies are not severe enough to be considered material weaknesses or significant deficiencies, they nevertheless warrant IRS management's attention.

  2. The IRS has about three to four weeks to formally respond to the draft reports.

  3. The GAO issues its official IS control reports between March and July. The reports discuss GAO's identification of the new deficiencies and include enclosures that summarize GAO's current assessment of IRS actions on open recommendations from prior years.

60-Day Information Security Control Reports’ Response

  1. The IRS is required to send an IS control reports’ response to congressional committee leadership within 60 days of GAO's issuance of its reports.

  2. The response is required by 31 U.S.C. Section 720 to update Congress on IRS’s efforts to address GAO's information security audit recommendations.

  3. The response includes a letter from the commissioner and an enclosure that summarizes each new recommendation, states whether IRS agrees with each recommendation and identifies PCAs and projected completion dates for each.

Joint Audit Management Enterprise System Reporting

  1. JAMES is Treasury’s web-based audit tracking system used for tracking issues, findings, recommendations and PCAs from TIGTA and GAO audit reports. PCAs are linked in JAMES to the specific report that generated the recommendation.

  2. The FM audit team coordinates JAMES activities for the FMA component of the financial statement audit; the ACFO-IC-AC coordinates JAMES activities for the IS component of the financial statement audit; and IC coordinates JAMES activities for any MW and SD related to the financial statement audit.

Management Report (FMA)

  1. Shortly after the issuance of the FMA management report, the ACFO-FM audit team inputs the new recommendations, PCAs, projected due dates and responsible parties into JAMES.

  2. Business units are responsible for providing timely updates to the FM audit team to approve PCA additions, modifications, closures or extensions.

Information Security Control Reports

  1. Shortly after the issuance of the IS control reports (Public and LOU), the ACFO-IC-AC inputs the new recommendations into JAMES.

  2. The IT audit team provides the ACFO-IC-AC with documentation that identifies new PCAs, projected due dates, and responsible parties for input into JAMES as part of the 60-day IS control reports’ response.

  3. Business units are responsible for providing timely updates to the ACFO-IC-AC to approve PCA additions, modifications, closures or extensions.

Annual Open Audit Recommendation Update (Management Report)

  1. The ACFO-FM distributes a listing of all open financial statement recommendations to the affected business units requesting status updates in October. For those actions being identified by the business units as closed, relevant backup documentation must be provided.

  2. The IRS provides GAO with an updated status of open recommendations in December. In addition to the status, backup documentation is supplied for all recommendations identified as closed by the IRS.

  3. The GAO uses the responses and related backup documentation in conjunction with its audit testing results to assess which recommendations it will close.

  4. The GAO publishes its assessment of IRS’s progress in an enclosure to the next management report.

Open Audit Recommendation Update (Information Security Control Reports)

  1. The IRS provides a list of prior year recommendations to GAO between March and June with implemented PCAs and requests that GAO assess them during the next audit.

  2. The GAO uses this list in conjunction with its audit testing results to assess which recommendations it will close.

  3. The GAO publishes its assessment of IRS’s progress in an enclosure to the next IS control report.