1.35.14 IRS Annual Financial Statement Audit

Manual Transmittal

July 24, 2020

Purpose

(1) This transmits revised IRM 1.35.14, Financial Accounting, IRS Annual Financial Statement Audit.

Material Changes

(1) IRM 1.35.14.1.3.6, Associate CFO for Financial Management - Audit Team, revised title to Associate CFO for Financial Management, Audit and Review, and updated responsibilities.

(2) IRM 1.35.14.1.3.8, Associate CFO for Internal Control, Audit Coordination, deleted section and replaced with Associate CFO for Internal Control, Enterprise Assurance and Controls, and updated responsibilities.

(3) IRM 1.35.14.1.3.9, Chief Risk Officer, added new section and included responsibilities.

(4) IRM 1.35.14.1.3.10, Chief Risk Officer, Enterprise Audit Management, added new section and included responsibilities.

(5) IRM 1.35.14.1.3.11, Chief Technology Officer, revised title to Chief Information Officer.

(6) IRM 1.35.14.1.3.12, IT Audit Team, deleted section and replaced with Associate Chief Information Officer, Cybersecurity, Office of Architecture and Implementation, and updated responsibilities.

(7) IRM 1.35.14.1.3.13, Associate Chief Information Officer, Cybersecurity, Office of Compliance Assessment, added new section and included responsibilities.

(8) IRM 1.35.14.1.3.14, Associate Chief Information Officer, Strategy and Planning, Office of Program Oversight Coordination, added new section and included responsibilities.

(9) IRM 1.35.14.1.5, Program Controls, updated to reflect current process owners.

(10) IRM 1.35.14.3.1, Audit Notification Letter, updated to reflect current process of dissemination.

(11) IRM 1.35.14.3.4, Audit Entrance Conference, updated to reflect current timeframe of entrance conference.

(12) IRM 1.35.14.3.8, Legal Representation Letter, updated to reflect current timeframe to request preparation of legal representation letter response.

(13) IRM 1.35.14.3.14, Management Report, updated information provided in the management report.

(14) IRM 1.35.14.1.3.15, 60-Day Management Report Response, revised title to 180-Day Management Report Response.

(15) IRM 1.35.14.3.16, Information Security Control Reports, updated to reflect the current timeframe to receive exposure drafts and updated information provided in the information security control report.

(16) IRM 1.35.14.3.18, Joint Audit Management Enterprise System Reporting, updated to reflect the responsibilities of the ACFO for Financial Management, Audit and Review.

(17) IRM 1.35.14.3.18.2, Information Security Control Reports, updated to reflect current process owners.

Effect on Other Documents

IRM 1.35.14, dated September 4, 2018, is superseded.

Audience

All business units.

Effective Date

(07-24-2020)

Ursula S. Gillis
Chief Financial Officer

Program Scope and Objectives

  1. Purpose: This IRM contains an overview of the annual audit of the IRS financial statements to provide business units with a general understanding of the process.

  2. Audience: Business unit employees responsible for financial audit activities.

  3. Policy Owner: CFO, Associate CFO for Financial Management.

  4. Program Owner: The ACFO for Financial Management develops and maintains this IRM.

  5. Primary Stakeholders: Business units that are involved with the financial statement audit.

  6. Program Goals: Secure unmodified audit opinion on the IRS financial statements.

Background

  1. The CFO Act of 1990, expanded by the Government Management Reform Act of 1994, authorizes the Government Accountability Office (GAO) to audit the IRS financial statements annually to determine whether (1) the financial statements are fairly presented and (2) IRS management maintained effective internal control over financial reporting. GAO also tests IRS’s compliance with selected provisions of applicable laws, regulations, contracts and grant agreements. The IRS’s FY 1992 financial statements were the first to be audited by GAO.

  2. The IRS financial statement audit has implications beyond the IRS. The IRS’s financial statements roll up to the Department of the Treasury (Treasury) financial statements and Treasury's financial statements roll up to the governmentwide consolidated financial statements. An unfavorable audit opinion on the IRS financial statements impairs GAO's ability to rely on the Treasury and governmentwide financial statements to render an unmodified audit opinion for the federal government.

  3. The GAO also reports annually on the status of new internal financial management audit (FMA) and/or information security (IS) control weaknesses and/or deficiencies identified during its audit of the financial statements and provides updates on IRS efforts toward previously reported GAO recommendations in the (1) management report and (2) information security reports (Public and Limited Official Use (LOU)).

  4. Obtaining an unmodified audit opinion shows Congress and the public that the IRS is a good steward of public funds. An unmodified audit opinion also provides assurance that the IRS effectively plans and executes its strategic priorities (for example, to empower and enable all taxpayers to meet their tax obligations and protect the integrity of the tax system by encouraging compliance through administering and enforcing the tax code).

Authorities

  1. The authorities for this IRM include:

    1. CFO Act of 1990 (Pub. L. No. 101-576)

    2. The Federal Managers' Financial Integrity Act (FMFIA) of 1982, also known as the Integrity Act (Pub. L. No. 97-255)

    3. The Federal Financial Management Improvement Act of 1996 (FFMIA) (Pub. L. No. 104-208)

    4. The Government Management Reform Act of 1994 (GMRA) (Pub. L. No. 103-356)

    5. 31 USC 720: Agency Reports

    6. 31 USC 3512: Executive Agency Accounting and Other Financial Management Reports and Plans

    7. Reports Consolidation Act of 2000 (Pub. L. No. 106-531)

Responsibilities

  1. This section provides responsibilities for:

    1. Commissioner

    2. Deputy Commissioner for Operations Support (DCOS)

    3. Management Controls Executive Steering Committee (MC ESC)

    4. CFO and Deputy CFO

    5. Associate CFO for Financial Management

    6. Associate CFO for Financial Management, Audit and Review

    7. Associate CFO for Internal Control

    8. Associate CFO for Internal Control, Enterprise Assurance and Controls

    9. Chief Risk Officer (CRO)

    10. Chief Risk Officer, Enterprise Audit Management (CRO-EAM)

    11. Chief Information Officer (CIO)

    12. Associate Chief Information Officer, Cybersecurity, Office of Architecture and Implementation (ACIO-Cybersecurity OAI)

    13. Associate Chief Information Officer, Cybersecurity, Office of Compliance Assessment and Validation (ACIO-Cybersecurity CAV)

    14. Associate Chief Information Officer, Strategy and Planning, Office of Program Oversight Coordination (ACIO-Strategy and Planning PO)

    15. Chief Counsel

    16. Director, Office of Legislative Affairs

    17. All business units

Commissioner
  1. The Commissioner has overall organizational responsibility for the annual IRS financial statement audit by concurring with the audit engagement letter; attesting to the management representation letter; responding to the draft audit, management and information security (IS) control reports; submitting the 180-day management and IS control reports responses to the appropriate congressional committees; and ensuring that recommendations are implemented.

Deputy Commissioner for Operations Support
  1. The DCOS has organizational responsibility, on behalf of the Commissioner, for the annual IRS financial statement audit. The DCOS also is responsible for concurring with the audit engagement letter, attesting to the management representation letter and ensuring that recommendations are implemented.

Management Controls Executive Steering Committee
  1. The MC ESC’s mission is to oversee management’s design, implementation and operation of the IRS internal control system by ensuring that all business units identify, address and correct internal control deficiencies and recognize the importance of their shared responsibility for designing and implementing strong internal controls.

  2. The MC ESC’s objectives are to build a strong relationship between risk management and internal controls to ensure existing and new controls address identified risks effectively, ensure the remediation of existing control weaknesses and prevent new ones from arising, provide an unmodified statement of assurance that the IRS’s internal controls are in place and functioning effectively and achieve an unmodified opinion on the IRS financial statement audit.

  3. The MC ESC also oversees processes to identify, remediate and close material weaknesses, significant deficiencies and other internal control issues, including identifying and documenting new material weaknesses and significant deficiencies; approving remediation plan actions for existing material weaknesses and significant deficiencies; ensuring business units and program owners apply appropriate attention, commitment and resources to resolve control issues; authorizing engagement with GAO on the downgrade or closure of an existing material weakness or significant deficiency; and reviewing GAO- and TIGTA-identified management challenges and high-profile audits.

  4. The MC ESC membership is structured as follows:

    1. Deputy Commissioner for Operations Support, chair

    2. Deputy Commissioner for Services and Enforcement, chair

    3. CFO, vice-chair

    4. Commissioner, SB/SE, member

    5. Commissioner, W&I, member

    6. Commissioner, LB&I, member

    7. Commissioner, TE/GE, member

    8. Chief Information Officer, member

    9. Chief Risk Officer, member

    10. Chief, Facilities Management and Security Services, member

    11. Director, Privacy, Governmental Liaison and Disclosure, member

    12. Human Capital Officer, member

    13. Treasury Deputy CFO, member

CFO and Deputy CFO
  1. The CFO and the Deputy CFO are responsible for overseeing the financial statement audit.

  2. The CFO and the Deputy CFO are also responsible for acknowledging and agreeing to the terms of the audit, as stated in the engagement letter; attesting to the management representation letter; signing the management’s report on internal control over financial reporting; issuing the request for the legal representation response to Chief Counsel; and ensuring that recommendations are implemented.

Associate CFO for Financial Management
  1. The ACFO for Financial Management is responsible for managing an effective, efficient and responsive annual financial statement audit process for the IRS. This includes facilitating the audit opening and exit conferences, coordinating and delivering the financial statements and related notes to GAO, preparing the engagement and management representation letter responses for the Commissioner’s signature and delivering the signed responses to GAO.

  2. The ACFO for Financial Management also coordinates activities for the administrative and custodial audit subcomponents. Key activities include managing audit deliverables, cycle memorandum updates, issuing the annual fraud risk factors data and legal representation letter requests, facilitating audit-related meetings, preparing official responses to GAO reports, ensuring corrective actions are developed to address recommendations, and reporting to leadership on the audit status.

Associate CFO for Financial Management, Audit and Review
  1. The ACFO for Financial Management, Audit and Review, is responsible for the following overall financial statement audit activities:

    1. Facilitating the audit opening and exit conferences between GAO and IRS senior management.

    2. Coordinating, preparing and delivering the annual update to the client profile and fraud risk factors response to GAO.

    3. Coordinating, preparing and delivering the engagement letter response to GAO.

    4. Preparing and delivering the draft audit response to GAO.

    5. Coordinating, preparing and delivering the draft audit report response to GAO.

    6. Coordinating and managing Joint Audit Management Enterprise System (JAMES)-related activities for the financial statement audit, including entering new recommendations, sending audit summary reports to the business units, approving Planned Corrective Action (PCA) extension and closure requests, validating receipt and loading of reports, providing business unit guidance and reopening recommendations in JAMES.

    7. Managing the GAO financial audit interagency agreement.

    8. Reporting externally on any significant deficiency, material weakness and remediation plan.

  2. The ACFO for Financial Management, Audit and Review, is also responsible for the following activities for the FMA component of the financial statement audit:

    1. Serving as the primary point of contact for the administrative and custodial subcomponents of the audit, including providing financial/audit information and support to the IRS business units.

    2. Securing IRS/GAO agreement on, monitoring timely delivery of, and updating the administrative and custodial prepared by client (PBC) listing, as appropriate.

    3. Conducting the IRS/GAO FMA audit status meetings.

    4. Coordinating and responding to GAO on all FMA matter for further consideration (MFC) responses.

    5. Coordinating business unit updates to, and/or developing revised PCAs for, prior-year open management report recommendations.

    6. Preparing and delivering the prior-year open management report recommendation update to GAO.

    7. Coordinating business unit developed PCAs for new recommendations identified in the draft management report.

    8. Coordinating, preparing and delivering the draft management report response to GAO.

    9. Preparing the review process and tracking delivery of the final 180-day management report response to the congressional committees.

  3. The ACFO for Financial Management, Audit and Review, is also responsible for the following activities for the Information Security (IS) component of the financial statement audit:

    1. Reviewing, tracking and delivering the IS draft report response to GAO.

    2. Reviewing and tracking delivery of the 180-day IS final report response for the congressional committees.

Associate CFO for Internal Control
  1. The ACFO for Internal Control is responsible for coordinating MC ESC activities on behalf of the DCOS; overseeing and monitoring IRS management’s assessment of its internal controls over financial reporting to verify compliance with OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control; and establishing program governance, defining scope of review and reporting on the internal controls over financial reporting.

  2. The ACFO for Internal Control also coordinates activities for the internal control subcomponent of the audit. Key activities include managing audit deliverables, facilitating audit-related meetings, preparing and delivering the Management Discussion & Analysis (MD&A) that is incorporated into the audit report, ensuring corrective actions are developed to address internal control audit findings, and preparing and delivering the management’s report on internal control over financial reporting to GAO.

Associate CFO for Internal Control, Enterprise Assurance and Controls
  1. The ACFO for Internal Control, Enterprise Assurance and Controls, is responsible for:

    1. Serving as the primary point of contact for the internal control subcomponent of the audit.

    2. Updating and/or securing IRS/GAO agreement on the internal control PBC listing, as appropriate.

    3. Monitoring the timely delivery of the internal control PBC listing deliverables.

    4. Preparing and delivering management’s report on internal control over financial reporting to GAO.

Chief Risk Officer
  1. The CRO is responsible for the high-level oversight of all audit programs for the IRS.

Chief Risk Officer - Enterprise Audit Management (CRO-EAM)
  1. The CRO-EAM is responsible for:

    1. Receiving and disseminating the financial statement audit notification letter(s).

    2. Coordinating and managing JAMES-related activities with Treasury and GAO, including notating GAO’s concurrence of recommendation closures in JAMES.

Chief Information Officer
  1. The CIO is responsible for coordinating activities for the IS audit component. Key activities include managing audit deliverables, facilitating audit-related meetings, preparing the IS control reports’ responses to GAO and the 180-day control reports’ responses to the congressional committees, ensuring corrective actions are developed to address audit findings and reporting to management on the status of the IS audit component.

Associate Chief Information Officer, Cybersecurity, Architecture and Implementation
  1. The ACIO-Cybersecurity AI is responsible for coordinating with IT organizations, ACIO-Strategy and Planning PO, and the ACFO for Financial Management, Audit and Review, to ensure corrective actions, internal controls and mitigations are developed and implemented for significant deficiencies, material weaknesses and remediation plans.

Associate Chief Information Officer, Cybersecurity, Compliance Assessment and Validation
  1. The ACIO-Cybersecurity CAV is responsible for reviewing and validating corrective actions.

Associate Chief Information Officer, Strategy and Planning, Program Oversight Coordination
  1. The ACIO-Strategy and Planning PO is responsible for:

    1. Serving as the primary point of contact for the IS subcomponent of the audit.

    2. Managing the timely delivery of the IS PBC deliverables.

    3. Coordinating and responding to GAO on all IS MFC responses.

    4. Coordinating and conducting the IRS/GAO IS audit status meetings, as needed.

    5. Keeping the ACFO for Financial Management, Audit and Review, abreast of the IS-related MFCs and MFC responses.

    6. Coordinating and managing the review of the Statement of Facts and any related meetings (internal/external) and/or comments/proposed wording changes provided to GAO.

    7. Coordinating and preparing the IS draft reports’ responses for GAO through the CIO.

    8. Managing JAMES updates for IT.

    9. Preparing and delivering the prior-year IS open recommendation updates to GAO for validation.

    10. Coordinating and preparing the 180-day IS final report response for the congressional committees through the CIO.

    11. Coordinating the development of new corrective action plans for prior-year IS audit recommendations, as needed.

Chief Counsel
  1. The Chief Counsel is responsible for preparing and delivering the legal representation letter to GAO.

Director, Office of Legislative Affairs
  1. The director, Office of Legislative Affairs, is responsible for delivering the 180-day management and IS control reports’ responses to the congressional committees after securing the response from the Commissioner.

All Business Units
  1. All business units are responsible for:

    1. Ensuring adequate internal controls related to processes and procedures are identified, developed and implemented and are working effectively, thereby ensuring accuracy and reliability in accounting and operating data and/or transaction flows.

    2. Identifying audit coordinators, as appropriate.

    3. Providing input into the annual draft PBC roll-forward processes (FMA and IC subcomponents) and facilitating delivery of PBC items, as appropriate.

    4. Providing input into the annual cycle memorandum update processes, as appropriate.

    5. Facilitating/participating in GAO walk-throughs and site visits, as appropriate.

    6. Attending audit meetings and conference calls, collaborating with other business units on cross-functional audit-related activities and providing support for all GAO testing, as appropriate.

    7. Responding timely to GAO on all business unit specific questions and audit inquiry forms.

    8. Responding timely to the ACFO for Financial Management or CIO, as appropriate, on all business unit specific MFC responses.

    9. Collaborating with the ACFO for Financial Management or CIO, as appropriate, on the establishment and/or revision of MFCs and/or GAO audit recommendation PCAs.

    10. Requesting that the appropriate office approve/enter PCA extensions, modify existing PCAs or add new PCAs for existing recommendations in JAMES.

    11. Providing documentation and requesting the appropriate office validate closure of GAO audit recommendation PCAs in JAMES (based on Form 13872, Planned Corrective Action (PCA) Status Update for TIGTA/GAO/MW/SD/TAS/REM Reports, and supporting documentation).

Program Management and Review

  1. The program reports and tools used to manage the audit process are:

    1. Current-year PBC listings

    2. Current-year MFC issues, responses and auditor conclusions

    3. Current-year walk-through schedules

    4. GAO recommendations

    5. Current-year testing plans

  2. Program effectiveness is measured by:

    1. Securing an unmodified audit opinion from GAO.

    2. Securing GAO concurrence to close open recommendations.

Program Controls

  1. The following controls are in place to ensure compliance with the financial statement audit program:

    1. Receipt of Joint Committee on Taxation notification indicating that GAO has been granted access to taxpayer information.

    2. Approved auditor access listings.

    3. Centralized management of current PBC listings and related processes.

    4. Centralized management of requests for all administrative/custodial PBC, MFC and/or PCA extensions.

    5. Centralized review and approval of all current year administrative/custodial MFC responses by the ACFO for Financial Management, Audit and Review, and the ACFO for Financial Management.

    6. Centralized review and approval of all administrative/custodial completed PCAs for prior-year open recommendations and MFCs by the ACFO for Financial Management, Audit and Review.

    7. Centralized review and validation of all IS-completed PCAs for prior-year open recommendations by the ACIO-Cybersecurity CAV.

    8. Monthly status meetings with the IRS stakeholders and GAO auditors.

Terms/Definitions

  1. The following terms and definitions apply to this program:

    1. Audit inquiry form - An official request from GAO for clarification or additional information.

    2. Audit opinion - A professional opinion offered by a qualified internal or external auditor at the close of an audit of financial records. The opinion describes the processes used during auditing, the standards used by the auditor and other relevant information. It indicates whether the auditor believes that the financial records inspected support the financial statements.

    3. Audit recommendation - The auditor's prescribed course of action to address issues that are not specified in the audit opinion but have been identified by the auditor as areas needing improvement (usually as a result of concerns around internal control).

    4. Cycle memorandum - A document used by GAO during the audit planning phase that details the understanding of processes and procedures in relation to transaction flows and related internal controls in key audit areas (also known as cycles).

    5. Internal control - A process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting and compliance with laws, regulations and policies.

    6. Internal control testing - A process used by the auditors to assess whether internal controls are properly designed, placed in operation and operating effectively. These tests are conducted on a sample basis.

    7. Material weakness - A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented or detected and corrected timely.

    8. Matter for further consideration - An official notification from GAO that identifies either an instance of non-conformance with internal control standards, IRM, standard operating procedures or other control guidance (internal control); a discrepancy in recorded dollar amounts (substantive); the unavailability of documentary support (missing documentation) or an incidence of non-compliance with laws and regulations (compliance).

    9. Prepared by client listing - A list of deliverables (for example, policies, procedures, work papers, reports, data extracts or other documentation) provided to the auditors during the course of field work.

    10. Significant deficiency - A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements timely.

    11. Site visit - A planned trip by GAO to an IRS location to conduct walk-throughs, make observations or conduct field testing.

    12. Substantive testing - A process used by the auditors to assess the completeness, validity and/or accuracy of account balances and underlying classes of transactions. These tests are conducted on a sample basis.

Acronyms

  1. The following acronyms apply to this program:

    Acronym - Description
    AICPA - American Institute of Certified Public Accountants
    AU - Audit Standard Identifier
    EAM - Enterprise Audit Management
    FFMIA - Federal Financial Management Improvement Act
    FMA - Financial Management Audit
    GAO - Government Accountability Office
    IS - Information Security
    JAMES - Joint Audit Management Enterprise System
    LOU - Limited Official Use
    MD&A - Management Discussion & Analysis
    MFC - Matter for Further Consideration
    PBC - Prepared by Client
    PCA - Planned Corrective Action
    SAS - Statements on Auditing Standards

Related Resources

  1. OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control

  2. AICPA Statement on Auditing Standards (SAS) No. 122, Statements on Auditing Standards: Clarification and Recodification

  3. AICPA AU-C Section 210, Terms of Engagement, paragraph A23 - Form and Content of the Audit Engagement Letter

  4. AICPA AU-C Section 240, Considering Financial Fraud in Financial Statement Audits

  5. AICPA AU-C Section 315, Identifying and Assessing Risks of Misstatement

  6. Standards for Internal Control in the Federal Government (GAO-14-704G), dated September 2014

  7. OMB Circular No. A-136, Financial Reporting Requirements

Forms

  1. The following form is used throughout this IRM:

    Form Number - Title
    Form 13872 - Planned Corrective Action (PCA) Status Update for TIGTA/GAO/MW/SD/TAS/REM Reports

Audit Components

  1. The IRS financial statement audit has two components - the FMA and the IS audit.

  2. The GAO issues three management reports, one addressing concerns and recommendations related to the FMA, the other two addressing concerns and recommendations related to IS (Public and LOU).

Financial Management Audit Component

  1. The FMA component focuses on IRS’s internal controls over its use of, and accounting for, its financial resources. The FMA is comprised of three subcomponents: administrative, custodial and internal control.

  2. The ACFO for Financial Management organization oversees the administrative and custodial subcomponents and the ACFO for Internal Control organization oversees the internal control subcomponent.

Administrative
  1. The administrative subcomponent focuses on IRS’s use of its available financial resources (for example, appropriations received and user fees) to implement its mission and strategic plans.

Custodial
  1. The custodial subcomponent focuses primarily on accounting for and reporting of taxes receivable on its balance sheet and tax collections and refunds reported on the statement of custodial activity.

Internal Control
  1. The internal control subcomponent focuses on IRS controls for ensuring the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error.

Information Security

  1. The IS component focuses on IRS internal controls over its key financial and tax processing systems, and its information and interconnected networks to ensure the confidentiality, integrity and availability of financial and sensitive taxpayer information.

  2. The CIO organization coordinates activities for the IS audit component.

Key Events/Products of the Financial Audit

  1. During the financial audit process, several key events must occur and GAO and/or IRS must develop products. Each of them has unique content, timeframes, participants and signature/date requirements.

Audit Notification Letter

  1. The GAO issues an audit notification letter to the IRS in December providing official notice that the financial statement audit is starting.

  2. The letter provides the job assignment code and states that GAO has requested approval to access all records, files and tax return information needed to complete the audit from the Joint Committee on Taxation. If GAO already has secured an approval letter from the committee, the audit notification letter will reference that and the transmittal will include the letter from the committee.

  3. The GAO sends the audit notification letter to CRO-EAM to disseminate it throughout the IRS as needed.

Prepared By Client Listings

  1. The ACFO for Financial Management and the ACFO for Internal Control update two lists of audit deliverables between November and March - the administrative/custodial PBC listing and the internal control PBC listing, respectively. For the current audit year, the two groups update the due dates and the descriptions from the prior year's PBC listings where changes are needed and get agreement from the affected IRS business units. Once the business units agree, the two groups forward their draft listings to GAO with the changes highlighted and facilitate any meetings that may be needed to finalize the listings by the end of March.

  2. Updates to these listings can and do occur throughout the audit on an as-needed basis. The appropriate IRS subject matter expert, GAO cycle team member and appropriate ACFO office coordinate all changes.

  3. For the IS audit component, the CIO organization creates a list of documents and files as GAO requests them. This list is referred to as the IS PBC listing.

Audit Engagement Letter

  1. The GAO issues an audit engagement letter to the IRS between February and March that provides written objectives for the IRS financial statement audit.

  2. The ACFO for Financial Management receives the audit engagement letter and disseminates it to the appropriate IRS staff.

  3. The IRS issues a formal acknowledgement to GAO of the receipt of the audit engagement letter and agreement to the terms of the engagement outlined therein (as prescribed by SAS #122, Statements on Auditing Standards: Clarification and Recodification).

Audit Entrance Conference

  1. A formal financial statement audit entrance conference occurs every March with GAO and IRS senior executives discussing the purpose and scope of the upcoming annual financial statement audit process.

Program and Internal Control Walk-Throughs

  1. Throughout the fiscal year, IRS subject matter experts conduct meetings, conference calls and/or site visits with GAO to gain a basic understanding of how certain IRS programs and/or controls work.

Fraud Risk Factors Data Request

  1. The appropriate IRS senior executives provide updates to schedules and questions provided by GAO in April to help GAO understand what actions, policies, procedures and controls IRS has established to mitigate the risk of fraud and the potential of material misstatements in the financial statements. The audit requirements specifically addressed by this response are AU-C 240 (risk of fraud) and AU-C 315 (material misstatement).

Testing - Internal Control and Substantive

  1. The GAO performs internal control testing to determine whether IRS internal controls are properly designed and effectively implemented. They test various IRS financial reporting and information technology controls, including safeguarding of assets, segregation of duties, budget, compliance and operation controls. GAO then evaluates the results of its internal control testing to determine the extent of substantive control testing to perform. There is a direct relationship between the number of errors allowed during internal control testing for an audit area (for example, reimbursable revenue transactions, procurement disbursements) and the sample size of the subsequent substantive testing.

  2. The GAO performs substantive testing to obtain evidence that provides reasonable assurance about whether the IRS financial statements are free of material misstatements. This involves testing IRS financial (appropriation and taxpayer-related) transactions and account balances to enable GAO to issue its audit report on IRS financial statements, internal controls and compliance with significant provisions of laws and regulations.

Legal Representation Letter

  1. The ACFO for Financial Management issues a request to the IRS Chief Counsel in September asking that he or she prepare a legal representation letter response to GAO.

  2. The GAO provides the letter’s language and requires:

    1. Disclosing any instances of known violations of laws and regulations that may have a direct and material effect on the presentation of the financial statements.

    2. Providing information on pending or threatened litigation and claims or assessments above a specified threshold.

    3. Providing information on unasserted claims and assessments that are probable of assertion and have a reasonable possibility of an unfavorable outcome for the IRS.

  3. The Associate Chief Counsel (General Legal Services) issues the legal representation letter to GAO in early November.

Delivery of Management Discussion & Analysis

  1. The IRS delivers the MD&A to GAO in early November.

  2. The MD&A summarizes the IRS organization, resources, performance, challenges, risks and actions the IRS has identified to mitigate risks.

  3. The GAO incorporates the IRS MD&A into the audit report.

Delivery of Financial Statements

  1. The IRS delivers its annual financial statements including the principal statements and related footnotes, required supplementary information and other information to GAO in early November.

  2. The financial statements report the IRS’s financial position and results of operations, pursuant to the requirements of the CFO Act of 1990, the Government Management Reform Act of 1994 and the Office of Management and Budget Circular No. A-136, Financial Reporting Requirements. The integrity of the information included in the financial statements is the responsibility of IRS management.

  3. The annual IRS financial statements include:

    1. MD&A

    2. Principal financial statements and related footnotes

    3. Required supplementary information

    4. Other information

  4. The IRS principal financial statements include:

    1. Balance Sheet

    2. Statement of Net Cost

    3. Statement of Changes in Net Position

    4. Statement of Budgetary Resources

    5. Statement of Custodial Activity

    6. Related footnotes

  5. The GAO’s audit report includes the IRS financial statements.

Management Representation Letter Issued

  1. The IRS issues a written confirmation to GAO in early November that representations made to the auditors during the audit regarding the completeness and reliability of audit data are accurate as of the date of the letter.

  2. The management representations detailed in the letter cover a broad range of audit areas including financial statements, required supplementary information, other information, intra-governmental activities, internal control, fraud, compliance of financial management systems with FFMIA requirements, and budgetary and restricted funds.

Exit Conference

  1. The GAO meets with the IRS senior executives in late October to convey to IRS management:

    1. Overarching issues identified during the audit

    2. Remaining audit timeline

    3. Overall message the audit opinion will contain

Financial Statements and Audit Opinion Issued

  1. At the completion of the IRS financial statement audit, in November, GAO issues a report titled IRS's Fiscal Years 20XX and 20XX Financial Statements.

  2. This report contains the:

    1. IRS financial statements, notes, required supplementary information and other information

    2. MD&A

    3. Auditor's opinion on the fair presentation of the IRS financial statements, the effectiveness of IRS internal control over financial reporting, IRS compliance with laws and regulations, and IRS financial systems compliance with FFMIA requirements. The auditors issue one of four opinions:
      (i) Unmodified -- Financial statements, including the accompanying notes, present fairly, in all material respects, the financial information
      (ii) Qualified -- Except for the circumstances specified in the report, the statements present fairly the financial information
      (iii) Adverse -- The auditor disagrees with the application of certain accounting principles and the financial statements do not present fairly the financial information
      (iv) Disclaimer -- The auditor could not obtain enough evidential matter to express an audit opinion

    4. Auditor's statement of any material weaknesses, significant deficiencies and/or management challenges

GAO Management Report

  1. The GAO provides IRS with an exposure draft (restricted use only) of the upcoming management report for review and comment between March and May. The draft report identifies new deficiencies in internal control that GAO observed during the latest audit of the IRS financial statements and recommendations for action.

  2. The IRS has about three to four weeks to respond formally to the draft report. The response includes a letter from the Commissioner and an enclosure that summarizes each new recommendation, states whether the IRS agrees with each recommendation and identifies PCAs and projected completion dates for each.

  3. The GAO issues its official management report between April and June. In addition to identifying and discussing new deficiencies in internal control and related recommendations, the report includes enclosures that identify 1) new PCAs with projected completion dates and 2) GAO's assessment of IRS actions taken on open recommendations from prior years.

180-Day Management Report Response

  1. 31 U.S.C. Section 720, Agency Reports, requires the IRS to send a management report response to congressional committee leadership within 180 days of GAO's issuance of its management report.

  2. The response updates Congress on IRS’s efforts to address GAO's financial statement audit recommendations.

  3. The response includes a letter from the Commissioner and the management report enclosure sent to GAO. If actions occur in the interim, the IRS sends an updated version of the enclosure.

Information Security Control Reports

  1. The GAO provides IRS with exposure drafts (restricted use only) of the upcoming IS control reports (Public and LOU) for review and comment between February and May. The draft reports identify and discuss new deficiencies in internal control that GAO observed during the latest audit of the IRS financial statements. While these deficiencies are not severe enough to be considered material weaknesses or significant deficiencies, they nevertheless warrant IRS management's attention.

  2. The IRS has about three to four weeks to formally respond to the draft reports.

  3. The GAO issues its official IS control reports between March and July. In addition to identifying and discussing new deficiencies in internal control, the LOU report includes enclosures that 1) identify new recommendations for action and 2) summarize GAO's assessment of IRS actions taken on open recommendations from prior years.

180-Day Information Security Control Reports’ Response

  1. 31 U.S.C. Section 720 requires the IRS to send an IS control reports’ response to congressional committee leadership within 180 days of GAO's issuance of its reports.

  2. The response updates Congress on IRS’s efforts to address GAO's information security audit recommendations.

  3. The response includes a letter from the Commissioner and an enclosure that summarizes each new recommendation, states whether IRS agrees with each recommendation and identifies PCAs and projected completion dates for each.

Joint Audit Management Enterprise System Reporting

  1. JAMES is Treasury’s web-based audit tracking system used for tracking issues, findings, recommendations and PCAs from TIGTA and GAO audit reports. PCAs are linked in JAMES to the specific report that generated the recommendation.

  2. The ACFO for Financial Management, Audit and Review, coordinates JAMES activities related to the financial statement audit as well as any related significant deficiencies, material weaknesses and/or remediation plans.

Management Report (FMA)

  1. Shortly after the issuance of the FMA management report, the ACFO for Financial Management, Audit and Review, inputs the new recommendations, PCAs, projected due dates and responsible parties into JAMES.

  2. Business units are responsible for providing timely updates to the ACFO for Financial Management, Audit and Review, to approve PCA additions, modifications, closures or extensions.

Information Security Control Reports

  1. Shortly after the issuance of the IS control reports (Public and LOU), the ACFO for Financial Management, Audit and Review, inputs the new recommendations into JAMES.

  2. The ACIO-Strategy and Planning PO provides the ACFO for Financial Management, Audit and Review, with documentation that identifies new PCAs, projected due dates and responsible parties for input into JAMES as part of the 180-day IS control reports’ response.

  3. Business units are responsible for providing timely updates to the ACFO for Financial Management, Audit and Review, to approve PCA additions, modifications, closures or extensions.

Annual Open Audit Recommendation Update (Management Report)

  1. The ACFO for Financial Management distributes a listing of all open administrative/custodial financial statement audit recommendations to the affected business units requesting status updates in October. Business units must provide relevant backup documentation for closed actions.

  2. The IRS provides GAO with an updated status of open recommendations in December. In addition to the status, the IRS provides backup documentation for all closed recommendations.

  3. The GAO uses the responses and related backup documentation in conjunction with its audit testing results to assess which recommendations it will close.

  4. The GAO publishes its assessment of IRS’s progress in an enclosure to the next management report.

Open Audit Recommendation Update (Information Security Control Reports)

  1. Between March and June, the IRS provides GAO with a list of prior year IS financial statement audit recommendations with implemented PCAs and requests that GAO assess them during the next audit.

  2. The GAO uses this list in conjunction with its audit testing results to assess which recommendations it will close.

  3. The GAO publishes its assessment of IRS’s progress in an enclosure to the next IS control report.