
1.4.3. Financial Assurance Control Testing

Manual Transmittal

August 18, 2023

Purpose

(1) This transmits revised IRM 1.4.3, Resource Guide for Managers, Financial Assurance Control Testing.

Material Changes

(1) IRM 1.4.3.1.3, Responsibilities, the following changes were made:

  1. Changed Enterprise Assurance and Controls to Assurance Review Testing throughout this section.

  2. Combined responsibilities for Senior Associate CFO for Financial Management and Associate CFO for Corporate Budget into one section.

  3. Added to responsibilities for Senior Associate CFO for Financial Management and Associate CFO for Corporate Budget.

  4. Updated and added to responsibilities for FACT Section Chief and Transaction Leads.

  5. Updated and added to responsibilities for Process Owners.

(2) IRM 1.4.3.1.4, Program Management and Review, expanded and refined section.

(3) IRM 1.4.3.1.5, Program Controls, updated section.

(4) IRM 1.4.3.1.6, Terms/Definitions, the following terms were deleted:

| Term | Reason |
|---|---|
| Combined Procedures Report | Removed from IRM |
| Internal Control Weakness | Common knowledge |
| Opportunity for Improvement | Common knowledge |

(5) IRM 1.4.3.1.6, Terms/Definitions, the following terms were added:

| Term | Reason |
|---|---|
| Operating Effectiveness | This term was added to increase understanding of language used in reports. |
| JAMES | This term was added to address the current process of logging findings in JAMES (Joint Audit Management Enterprise System). |
| PCA | This term, planned corrective action (PCA), was added due to use of the JAMES system in the reporting and corrective action process. |
| Significant Deficiency | This term was added to increase understanding of language used in reports. |
| Test Results Spreadsheet | This report replaces the Combined Procedures Report (CPR). |

(6) IRM 1.4.3.1.6, Terms/Definitions, the following terms were revised:

| Term | Reason |
|---|---|
| Compensating Control | Revised to clarify |
| Control Activity | Revised to clarify |
| Control Deficiency | Revised to clarify |
| Control Design Analysis | Revised to clarify |
| Management Information Only | Revised to clarify |
| Material Weakness | Revised to clarify |
| Population | Revised to clarify |
| Reportable Issue | Revised to clarify |
| Significant Deficiency | Revised to clarify |

(7) IRM 1.4.3.1.7, Acronyms, the following acronyms were added:

| Acronym | Meaning |
|---|---|
| PCA | Planned Corrective Action |
| TRS | Test Results Spreadsheet |

(8) IRM 1.4.3.1.8, Related Resources, updated.

(9) IRM 1.4.3.3.2.2, Test Plan Template, the following changes were made:

  1. Updated Scope of Test with new information and steps.

  2. Updated Control Test to delete parts b and c.

  3. Updated Test Objectives to clarify and provide new information.

  4. Updated Results of Testing to clarify information.

  5. Updated Effectiveness of Controls to provide more in-depth and complete information.

(10) IRM 1.4.3.3.3.1, Sampling, the following changes were made:

  1. Updated steps for clarity and to provide new information.

  2. Added several additional procedures in 1.4.3.3.3.1 (7) on additional sampling considerations.

(11) IRM 1.4.3.3.3.4, Evaluating Exceptions and Classifying Finding, the following changes were made:

  1. This section was renamed from Evaluating Exceptions to Evaluating Exceptions and Classifying Findings.

  2. New information was added regarding Classifying Findings.

  3. Updates were made to Evaluating Exceptions with more complete definitions of key terms.

(12) IRM 1.4.3.3.4, Reporting Phase, the following changes were made:

  1. Updated definitions of each phase by providing more complete information.

  2. Added Executive Summary description.

(13) IRM 1.4.3.4, Continuous Monitoring, streamlined the number of statuses from seven to three: Open, Implemented and Closed.

(14) IRM 1.4.3.5, Record Retention, added section.

(15) Minor editorial changes have been made throughout the IRM.

Effect on Other Documents

IRM 1.4.3, dated April 1, 2020, is superseded.

Audience

All business units

Effective Date

(08-18-2023)

Teresa R. Hunter
Chief Financial Officer

Program Scope and Objectives

(1) Purpose - The IRM provides information for implementing OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendix A: Management of Reporting and Data Integrity Risk.

(2) Audience - All business units.

(3) Policy Owner - The CFO, Associate CFO for Internal Controls unit.

(4) Program Owner - Financial Assurance Control Testing (FACT) Team.

(5) Primary Stakeholders - All divisions and functions.

(6) Program Goals - Ensure the IRS implements and complies with OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendix A: Management of Reporting and Data Integrity Risk.

Background

(1) The passage of the Sarbanes-Oxley Act of 2002 (SOX) served as an impetus for the Federal Government to reevaluate its policies relating to internal control over financial reporting and management’s related responsibilities. SOX requires management of publicly traded companies to strengthen their processes for assessing and reporting on internal control over financial reporting. While SOX created a new requirement for publicly traded companies, federal managers had been subject to similar internal control reporting requirements for many years.

(2) A joint committee of representatives from the CFO Council and the Council of Inspectors General on Integrity and Efficiency (CIGIE) was formed in 2008 and tasked with reviewing the SOX requirements for publicly traded companies, determining how these requirements apply to federal agencies, and recommending changes to the existing guidance on internal control. The joint committee recommended significant changes to the OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A: Management of Reporting and Data Integrity Risk, which included a requirement for agencies to document and test internal controls to verify they are in place and working as intended.

(3) To emphasize the importance of having appropriate risk management processes, OMB updated Circular A-123, Management's Responsibility for Internal Control to include Enterprise Risk Management (ERM). The Circular was renamed Management’s Responsibility for Enterprise Risk Management and Internal Control, and Appendix A was renamed Management of Reporting and Data Integrity Risk.

Authorities

(1) The authorities related to this IRM are:

  1. Treasury Directive 40-04 and associated authorities (October 31, 2022)

Responsibilities

(1) This section provides responsibilities for:

  1. CFO and Deputy CFO

  2. Associate CFO for Internal Controls

  3. Senior Associate CFO for Financial Management and Associate CFO for Corporate Budget

  4. Assurance Review Testing

  5. Statistics of Income (SOI) division

  6. Financial Assurance Control Testing (FACT) teams

  7. FACT section chiefs

  8. Transaction leads

  9. Process owners

CFO and Deputy CFO

(1) The CFO and Deputy CFO are responsible for executing OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendix A: Management of Reporting and Data Integrity Risk requirements to support Treasury’s assurance statement by properly identifying, testing, and evaluating the IRS’s controls over data integrity and financial reporting.

Associate CFO for Internal Controls

(1) The Associate CFO for Internal Controls is responsible for:

  1. Overseeing the FACT process including approving final test plans.

  2. Administering the governance process by chairing the FACT Technical Review Board, providing the status and results of FACT activities to the Management Controls Executive Steering Committee (MC ESC) and the FACT Technical Review Board, and documenting key decisions.

Senior Associate CFO for Financial Management and Associate CFO for Corporate Budget

(1) The Senior Associate CFO for Financial Management and the Associate CFO for Corporate Budget are responsible for:

  1. Approving test plans.

  2. Designating a FACT Technical Review Board representative and back-up.

  3. Providing subject matter experts (SMEs) to points of contact (POCs) to review the control design analysis to verify that the transaction lead identified key controls.

  4. Delivering requested internal control documentation stated in the Prepared by Client (PBC) listing timely.

  5. Developing and monitoring corrective action plans (CAPs) for identified weaknesses.

  6. Reviewing and signing the Test Results Spreadsheet (TRS), Combined Issues Report (CIR) and Executive Summary, as applicable.

  7. Signing the Executive Summary to acknowledge test results.

Assurance Review Testing

(1) Assurance Review Testing is responsible for:

  1. Providing clear and concise communication of FACT assessment objectives throughout the agency.

  2. Approving the FACT assessment methodology and guidance.

  3. Leading the coordination of testing activities and timelines with process owners, Treasury and GAO.

  4. Ensuring the FACT team carries out assessments in a thorough, effective and timely manner.

  5. Communicating the results of testing activities to IRS and agency management.

  6. Collaborating with SMEs and POCs to assist in the timely development of the control design analysis (CDA) and test plans.

  7. Communicating and coordinating with external oversight groups.

  8. Ensuring FACT documentation meets retention standards.

Statistics of Income Division

(1) SOI is responsible for:

  1. Determining an appropriate sampling method and size for each control based on frequency.

  2. Using statistical sampling methods to generate samples for testing.

Financial Assurance Control Testing Teams

(1) FACT teams are comprised of the transaction lead and individuals that assist with the execution of the test plan (also referred to as transaction co-leads).

(2) FACT testing teams are responsible for:

  1. Obtaining and reading applicable IRMs, interim guidance memoranda, standard operating procedures (SOPs), job aids, Servicewide Electronic Research Program (SERP) alerts, IRM Procedural Updates (IPUs), GAO/TIGTA audit reports and other guidance related to assigned test steps.

  2. Completing and reviewing FACT planning, testing, and reporting activities to ensure that all requirements have been satisfied.

  3. Conducting substantive testing of supporting documents received from the process owners.

  4. Communicating exceptions found within the test plan to relevant internal and external stakeholders.

  5. Verifying that all necessary supporting documentation is available for assigned test steps.

  6. Verifying facts with the appropriate process owner (to include the condition, criteria, cause, and effect), when exceptions are identified.

  7. Analyzing test results to determine if internal controls are in place and working effectively.

  8. Reporting test results to the process owners, management, and other relevant stakeholders.

  9. Recommending future test plan updates based on the execution of the test plan and lessons learned.

FACT Section Chiefs

(1) The FACT section chiefs are responsible for:

  1. Providing guidance and support for planning, testing, and reporting activities in order to determine the effectiveness of internal controls over financial reporting, mitigate risk and ensure the quality of IRS data.

  2. Coordinating with internal stakeholders and business units to identify areas of risk related to key internal controls.

  3. Directing test procedures to evaluate whether internal controls are effective at managing and mitigating risk and ensuring data integrity for financial reporting.

  4. Reporting the results of internal control testing and prompting program managers to develop and implement corrective action plans to remediate any control deficiencies and/or weaknesses that were identified during the course of the review.

  5. Directing the entry of resulting findings into the JAMES system, monitoring of open items and review of supporting documentation until closure can be accomplished.

  6. Engaging with external stakeholders, to include the Department of Treasury and GAO, when developing and implementing program guidance, performing assessment activities, determining outcomes and reporting results.

  7. Developing/delivering training and Knowledge Management tools to support operationalization of internal controls activities at the program level.

FACT Team Leads

(1) The FACT team leads are responsible for:

  1. Supporting team members throughout the FACT review cycle. Team leads serve as the first level of support for questions.

  2. Providing feedback to Transaction Leads and co-Leads throughout the review process. This includes providing guidance, sharing best practices, and identifying opportunities for improvement.

  3. Providing JAMES report of open transaction findings to Transaction Lead and co-Leads during planning stage.

  4. Staying informed on the status of team milestones, deliverables, and issues.

  5. Reviewing and signing-off on transaction steps and work papers in TeamMate.

  6. Providing coaching notes to team members.

  7. Completing assigned deliverables for Treasury and GAO stakeholders.

  8. Providing input on program guidance, staffing, transaction assignments, and relevant timelines and deliverables.

  9. Serving as a subject-matter-expert and providing recommendations and guidance to Section Chiefs, Transaction Leads, and Co-leads.

  10. Helping team members resolve issues or escalate issues, as needed.

  11. Notifying BUs, POCs, SMEs of any changes to the FACT process.

Process Owners

(1) The process owners are responsible for:

  1. Providing POCs and SMEs to identify and describe applicable internal controls, review the CDA and verify that FACT test plans accurately capture key internal controls related to the process.

  2. Participating in and coordinating FACT interviews and walkthroughs to describe applicable internal controls and to answer any questions.

  3. Communicating existing audit findings or recommendations (noted by GAO or TIGTA), the status of corrective action, and how it relates to processes under review, if applicable.

  4. Gathering and delivering Internal Control documentation that is included in the PBC listing, or has otherwise been requested, by the respective due date.

  5. Evaluating existing management review procedures.

  6. Reviewing and signing the TRS, CIR and Executive Summary, as applicable.

  7. Developing, executing and monitoring CAPs (for reported issues) to meet projected completion date(s).

  8. Providing timely PCA responses to reported issues through use of the JAMES system.

  9. Communicating changes to relevant processes and internal controls.

Program Management and Review

(1) Program Reports - The reports issued by FACT are:

  1. CIR - Report that describes the current issue(s) identified during testing and the status of prior issue(s), as applicable.

  2. Executive Summary - Report that describes the purpose and scope of the review along with a summary of the results and other pertinent information.

  3. TRS - Report that includes a detailed description of the test steps, actions taken, review dates, and results of transaction testing.

(2) Program Effectiveness:

  1. Identify internal control deficiencies and/or weaknesses related to financial reporting.

  2. Make recommendations that improve internal controls or program efficiency.

Program Controls

(1) The following controls are in place to ensure compliance and quality:

  1. Test plans are reviewed and approved by the FACT Technical Review Board.

  2. Test plan documentation, evidence and results are reviewed by FACT team leads and/or section chiefs and the director, Assurance Review Testing.

  3. Final CIRs and TRSs are reviewed by the business unit stakeholders and the Executive Summary is signed by the responsible executive for the process.

  4. Final test plans, results of testing and reportable issues are provided to the Department of Treasury and GAO.

  5. The MC ESC is notified anytime a Material Weakness or Significant Deficiency is identified.

Terms/Definitions

(1) The following terms and definitions apply to this program:

  1. CCH TeamMate – A Windows-based Audit Management System used by the FACT team to manage the review and reporting of the annual control testing process. Workpapers are prepared and stored in the application for all the transactions tested.

  2. Combined Issues Report (CIR) - A consolidated report of issues identified during testing of a transaction, which includes issues identified during the current testing period as well as existing issues from previous testing periods.

  3. Compensating Control – A control that limits the severity of risk from a missing control. While a compensating control mitigates the effects of a control deficiency, it does not eliminate a control deficiency.

  4. Control Activities - The actions management establishes through policies and procedures to ensure directives are carried out and that necessary steps are taken to address risks.

  5. Control Deficiency - Exists when the design, implementation or operation of a control does not allow management or personnel, in the normal course of performing their assigned functions, to prevent or detect control weakness in a timely manner or aid in addressing risks.

  6. Control Design Analysis (CDA) - Documents the risk associated with a process, key controls designed to mitigate the risk and assessment of their effectiveness.

  7. Control Environment - The foundation for an internal control system. It provides the discipline and structure to help an entity achieve its objective.

  8. Control Risk - The risk that a material misstatement could occur but may not be detected and corrected or prevented by the entity’s internal controls.

  9. Corrective Action – An action taken by the process owner that corrects identified deficiencies and produces recommended improvements.

  10. Corrective Action Plan - Documents the strategy and/or detailed steps to be taken to remediate an identified control deficiency or weakness.

  11. Exception - A testing attribute that does not conform to the common rule.

  12. Inspection - Examination of documents, products or services to evaluate the consistency, efficiency and/or effectiveness of a control.

  13. Internal controls - An integral part of any organization's financial and business policies and procedures. Internal controls consist of all the measures taken by the organization for the purpose of (1) protecting its resources against fraud, waste and inefficiency; (2) ensuring accuracy and reliability in accounting and operating data; (3) securing compliance with the policies of the organization; and (4) evaluating the level of performance in all organizational units of the organization.

  14. Job aids - May be an IRM exhibit or SERP Alert, a Technical Communications Document (TCD) or a document used as training material.

  15. Joint Audit Management Enterprise System (JAMES) – A Treasury database used to track the progress and implement planned corrective actions (PCA) of process owners as a result of an internal control review.

  16. Management Information Only (MIO) – When an observation is made that doesn’t rise to the level of an audit finding, yet still warrants the attention of internal control process owners, the FACT team has the ability to issue a MIO which serves to notify the process owner of an opportunity to improve the design or operation of an internal control(s). Unlike the findings described above, MIO notifications do not require a response or corrective action plan.

  17. Material Weakness - A combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

  18. Methodology – A documented process for applying standards when assessing, documenting and reporting on internal controls over risks related to financial reporting and data integrity.

  19. Misstatement - The amount by which a financial statement line item can differ from its true amount.

  20. Monitoring - Activities management establishes and operates to assess the quality of performance over time.

  21. National Institute of Standards and Technology (NIST) – Responsible for developing information security standards and guidelines, including minimum requirements for federal information systems based on its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law 107-347.

  22. Observation - Seeing a process or procedure being performed by others.

  23. Operating effectiveness - A measure of the extent to which controls achieve their stated goals; evaluated by the test of controls to address the how, by whom, and with what level of consistency controls, policies and procedures have been applied.

  24. Planned Corrective Action (PCA) – A field utilized within the JAMES system that is intended to track the response of process owners regarding open review findings.

  25. Prepared by Client (PBC) Listing - Detailed request of information and documents needed from the customer to conduct testing.

  26. Population - Universe or list of items for a given period of time from which the sample will be derived.

  27. Process owner - Organization, business unit, operating/business division or office responsible for managing and overseeing the objectives and performance of a process.

  28. Quality Assurance Review (QAR) - Assessment of an organization’s risk and internal controls to verify adequate management controls are in place and functioning effectively to accomplish organizational goals and protect resources.

  29. Re-performance - Independent execution of procedures or controls that were originally performed as part of the entity’s internal control.

  30. Reportable Issue - An issue that is identified during testing that indicates controls are weak, nonexistent or bear monitoring. There are three categories of reportable issues: Control Deficiency, Significant Deficiency and Material Weakness.

  31. Risk assessment – Assess the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses.

  32. Sample - Items selected from a population to be tested to reach a conclusion about the population as a whole.

  33. Sampling Plan – An outline detailing the criteria to use to select a sample (size, frequency of control, risk, etc.) from which the transaction lead will select a certain number of items to use to reach a conclusion representative of the whole population.

  34. Scope - Description of the physical locations, organizational units, activities and processes and the corresponding time period subjected to examination or review.

  35. SERP Alert - The information communicated to employees may provide a reminder or notification to address work stream, programming or system problems.

  36. Significant Deficiency – A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.

  37. Statement of Assurance – A certification included in the annual Agency Financial Report (AFR) that represents the Commissioner’s informed judgment as to overall adequacy and effectiveness of internal controls. The Commissioner provides either an unmodified statement that an effective and efficient system of internal controls exists, a modified statement that an overall sound system of internal control exists but one or more material weaknesses have been identified or a statement of no assurance on the system of internal control.

  38. Structured Management Review (SMR) – A review of documented continuous monitoring activities including QARs or other independent internal reviews put in place to cover many IRS internal control activities during the normal course of operations.

  39. Supporting Documentation - Written information and/or data providing backup to substantiate the conclusion.

  40. Testing – After planning, the transaction lead performs the procedures listed in the test plan. The transaction lead tests the key internal controls and the accuracy of the transaction. The transaction lead uses various techniques such as sampling.

  41. Test Results Spreadsheet (TRS) – A consolidated report that provides the details of the test steps, dates and results of transactional testing.

  42. Test Objectives – Purposes or intended goals stating what the transaction lead wants to accomplish when implementing the specified test activities.

  43. Test Plan – A document describing the scope of the testing and identifying the methodology used to conduct tests.

  44. Test Steps – Procedures performed to reach established audit objectives and assess the efficiency and effectiveness of control activity.

  45. Transaction – Represents activities and/or processes impacting and reflected in the Treasury consolidated financial statements.

  46. Walkthrough – Process by which to assist in understanding design and implementation of controls and may include a combination of interviews, observations, examination of documents and/or tracing a transaction from initiation to completion.

  47. Workpapers – Documents that support the test results. The workpapers reveal the comprehensive actions the test team performed to test each control during the testing phase. The workpapers connect the entity’s accounting records and financial reporting to the transaction’s assertion.

Acronyms

(1) The following acronyms apply to this program.

| Acronym | Meaning |
|---|---|
| CAP | Corrective Action Plan |
| CDA | Control Design Analysis |
| CIGIE | Council of Inspectors General on Integrity and Efficiency |
| CIR | Combined Issues Report |
| CPR | Combined Procedures Report |
| FMFIA | Federal Managers’ Financial Integrity Act |
| FFMIA | Federal Financial Management Improvement Act |
| JAMES | Joint Audit Management Enterprise System |
| MC ESC | Management Controls Executive Steering Committee |
| NIST | National Institute of Standards and Technology |
| OMB | Office of Management and Budget |
| PBC | Prepared by Client |
| PCA | Planned Corrective Action |
| POC | Point of Contact |
| QAR | Quality Assurance Review |
| SERP | Servicewide Electronic Research Program |
| SOP | Standard Operating Procedures |
| SOX | Sarbanes-Oxley Act of 2002 |
| SME | Subject Matter Expert |
| SMR | Structured Management Review |
| SOI | Statistics of Income Division |
| TDCFO | Treasury Deputy Chief Financial Officer |
| TIER | Treasury Information Executive Repository |
| TRS | Test Results Spreadsheet |

Governance

(1) The IRS has adopted a two-tiered governance process to verify it consistently executes OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, Appendix A: Management of Reporting and Data Integrity Risk requirements, has documentation procedures, provides credible results and issues, and identifies and implements corrective actions. The two-tiered governance process consists of the MC ESC and the FACT Technical Review Board.

  1. The IRS Deputy Commissioners for Operations Support and Services and Enforcement chair the MC ESC, which provides executive-level oversight to the FACT process by reviewing testing results and approving the interim and final assurance statements. Refer to IRM 1.4.2, Monitoring and Improving Internal Control, and Section 1.4.2.6, Remediation Plan, for additional information related to the MC ESC.

  2. The FACT Technical Review Board is an advisory working group composed of senior executives. Members represent Internal Controls, Financial Management, Corporate Budget, Office of the Chief Risk Officer (CRO) and process owners, as applicable. The FACT Technical Review Board has two key responsibilities:
    i) Review test plans to verify test objectives are accurately defined and contain all required internal control procedures.
    ii) Review the sampling plan to verify the methodology, type of sample, and sample sizes are appropriate.

General Guidance for FACT

(1) A transaction is a discrete financial activity that produces information in Treasury’s Agency Financial Report (AFR). It contains a series of risks and controls that defines the process; each key control must be identified. Testing controls involves verifying the controls are in place, operating as intended and meeting the stated objectives.

(2) Internal control is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting and compliance with laws, regulations and policies. The objectives and related risks can be broadly classified into one or more of the following three categories:

  1. Operations - Effectiveness and efficiency of operations

  2. Reporting - Reliability of reporting for internal and external use

  3. Compliance - Compliance with applicable laws and regulations

(3) Each reporting agency in Treasury is required to include a Statement of Assurance in their FMFIA and FFMIA Annual Assurance Statement. Management cannot rely on internal control testing performed by external oversight organizations (for example, GAO and TIGTA) to meet the OMB requirements for providing assurance. The Statement of Assurance must take one of the following forms:

  1. Unmodified statement of assurance (no material weaknesses reported);

  2. Modified statement of assurance, considering the exceptions explicitly noted (one or more material weaknesses or lack of substantial compliance reported); or

  3. Statement of no assurance (no processes in place or pervasive material weaknesses).

(4) FACT team members execute the test plans and determine the effectiveness of the internal controls. The teams include individuals who are:

  1. Adequately trained to execute the test plan

  2. Aware of documentation requirements

  3. Properly supervised

  4. Independent of those responsible for carrying out or supervising the controls or transactions tested (not directly responsible or not an employee who reports to the manager directly responsible for the internal control being tested)

(5) The FACT team follows the GAO Standards for Internal Control in the Federal Government, also known as the Green Book. According to the Green Book, there are five components of internal controls, which are comprised of 17 principles. The components and principles are as follows:

| Components of Internal Control | Principles |
|---|---|
| Control Environment | 1. Demonstrate Commitment to Integrity and Ethical Oversight Responsibility |
| | 2. Exercise Oversight Responsibility |
| | 3. Establish Structure, Responsibility and Authority |
| | 4. Demonstrate Commitment to Competence |
| | 5. Enforce Accountability |
| Risk Assessment | 6. Define Objectives and Risk Tolerances |
| | 7. Identify, Analyze and Respond to Risk |
| | 8. Assess Fraud Risk |
| | 9. Analyze and Respond to Change |
| Control Activities | 10. Design Control Activities |
| | 11. Design Activities for Information Systems |
| | 12. Implement Control Activities |
| Information and Communication | 13. Use Quality Information |
| | 14. Communicate Internally |
| | 15. Communicate Externally |
| Monitoring | 16. Perform Monitoring Activities |
| | 17. Evaluate Issues and Remediate Deficiencies |

FACT Schedule

(1) There are two FACT testing cycles: interim and fourth quarter. Generally, fourth quarter testing is a continuation of interim testing; however, because of the nature and timing of the transactions, some are only tested during one of the cycles.

(2) The FACT section chiefs develop a detailed FACT timeline for the testing cycles to verify tests are appropriately scheduled and sufficient resources are available. They monitor the schedule and inform the Assurance Review Testing Director and Associate CFO for Internal Controls of any execution delays.

(3) There are three phases during each testing cycle:

  1. Planning phase

  2. Testing phase

  3. Reporting phase

Planning Phase

(1) The planning phase, which covers both interim and fourth quarter transactions, begins in November and typically ends in April.

(2) The FACT team transaction lead first obtains an understanding of the process and related risks. This is accomplished by:

  1. Reviewing applicable risk registers.

  2. Reviewing the IRS Enterprise Risk Profile.

  3. Reviewing related IRMs, Interim Guidance Memoranda, SOPs, Job Aids and SERP Alerts.

  4. Interviewing SMEs, observing and walking through processes.

  5. Reviewing and following up on applicable GAO and TIGTA findings and recommendations.

  6. Identifying potential sources of data that could be used as evidence.

  7. Reviewing relevant SMRs and/or QARs.

  8. Reviewing any other miscellaneous documents.

(3) The transaction lead documents the process and creates the CDA. The CDA defines the following transaction attributes:

  1. Risks

  2. Control activities

  3. Control objectives

  4. The risk level (high, medium or low)

  5. Frequency of controls

  6. Compensating controls

  7. The type of control (preventive or detective)

  8. How the control is performed (manual or automated)

  9. The business unit SME

  10. The financial assertions

  11. The test objective where the control will be tested

  12. References to policies and procedures

  13. The enterprise risk the control mitigates

(4) Using the CDA, the transaction lead determines the scope, objectives and methodology for testing.

  1. The scope defines the boundaries of the tests and directly relates to the test objectives. For example, the period reviewed, the availability of necessary documentation or records and the locations of testing are included in the scope definition.

  2. The test objective describes what testing intends to accomplish.

  3. The methodology comprises the steps and techniques involved in gathering and analyzing data to achieve the objectives, such as inspecting sample data or observing controls. Additionally, it includes both the types and extent of test procedures used to achieve the objectives. The test plan documents and provides sufficient, competent and relevant evidence to achieve the test objectives.

(5) After the scope, test objectives and methodology have been determined, the transaction lead develops the test plan. The test plan encompasses:

  1. The control test objective

  2. Population from which the testing sample size will be drawn

  3. Sample methodology

  4. Parameters that constitute a failed test

  5. Specific tests and documents to review

(6) Once the test plan is complete, the transaction lead starts the approval process as follows:

  1. The transaction lead sends the test plan and CDA to the SMEs for review and comment. The transaction lead collaborates with the SMEs to update the test plan, as necessary.

  2. The transaction lead sends the test plan to the team lead for review and updates the plan, as necessary.

  3. The team lead sends the test plan to the section chief for review and approval.

  4. The section chief sends the test plan to the Technical Review Board. The TRB has five business days to approve the test plan.

(7) FACT Test Plan Approval Process: The flowchart below shows the process through which the test plans will progress. The bottom of the chart shows that the transaction lead develops the internal control test plans, then forwards the test plan to the FACT section chief and/or team lead for internal reviews. Next, the FACT Review Board will review and approve the test plans. Finally, the test plans are sent to Treasury.

FACT STRUCTURE FOR TEST PLAN APPROVAL

[Flowchart, top to bottom: Department of the Treasury; FACT Technical Review Board; FACT Section Chief and Director of EAC; FACT Transaction Lead]

Assertions

(1) Financial statement assertions are the implicit or explicit assertions that management is making to users of their financial statements. The role of FACT is to test the controls to determine whether management's assertions can be supported. The financial statement assertions are:

  1. Completeness

  2. Existence and occurrence

  3. Accuracy and valuation

  4. Rights and obligations

  5. Presentation and disclosure

(2) Completeness - Addresses whether all transactions and accounts that should be in the financial statements are included. To support the completeness assertion, FACT obtains sufficient, competent evidence that transactions that should be recorded have been recorded.

(3) Existence and occurrence - Addresses whether assets or liabilities exist at a given date or recorded transactions have occurred during a given period. To support the existence and occurrence assertion FACT obtains sufficient evidence that the asset or liability existed at the time it was recorded.

(4) Accuracy and valuation - Addresses whether assets, liabilities and equity interests included in the financial statements are at appropriate amounts and any corresponding adjustments are appropriately recorded. To support the accuracy and valuation assertion, FACT obtains sufficient evidence that transactions have been recorded accurately.

(5) Rights and obligations - Addresses whether the entity holds or controls the rights to assets included on the financial statements and that liabilities are obligations of the entity. To support the rights and obligations assertion, FACT obtains sufficient evidence to confirm the IRS has a legal title or controls the rights to an asset or has an obligation to repay a liability.

(6) Presentation and disclosure - Addresses whether components of the financial statements are properly classified, described and disclosed. To support the presentation and disclosure assertion, FACT obtains sufficient evidence to support that the account balance has not only been properly measured but also adequately described and disclosed.

Test Plan Template

(1) The test plan template is created during the planning phase to ensure consistency among all test plans. The template is used as the basis for all FACT test plans. The template contains the following sections:

  1. Introduction

  2. Scope of the test

  3. Control test

  4. Test objectives

  5. Results of testing

  6. Effectiveness of controls

(2) Introduction

  1. Test objective (Purpose of the test)

  2. Expected results (What is the expected outcome?)

  3. Controls tested (Identify IRS controls tested in this test plan, and state whether they include all controls in the CDA)

  4. Contact Name (Name of person to contact for explanation of issues/problems)

  5. Note: Test plans that are tested in both interim and fourth quarter testing cycles will have one test plan that captures both periods (the full year).

(3) Scope of the Test

  1. Delineate the scope of the test based on the control’s nature, frequency and timing (Are all processes being tested or a specific subset? What is the frequency of the testing?)

  2. Identify the resource capabilities required to perform testing (What degree of knowledge is required for performing the test?)

  3. Identify other resources needed to perform the control test (Who and what is needed to perform the testing?)

  4. Determine the type of relevant reporting assertion(s) provided by the control(s) (What type of assertion(s) are provided? Rights or Obligations; Completeness or Accuracy; Presentation or Disclosure; Existence or Occurrence; and Valuation or Allocation)

  5. Identify the method(s) of testing (Inspection of Documents, Observation, Inquiry or Walkthrough, or Reperformance)

  6. Determine the sample size and basis (Specify the method used to select the sample and sample size.)

  7. Assess QAR to determine if the transaction meets the criteria to be deemed a QAR as discussed in IRM 1.4.31, IRS Quality Assurance Review Program.

(4) Control Test

  1. Identifies the information needed to conduct the test (List documents required for testing)

  2. Describes the documentation requirements (Describe the documentation process of the test content and results)

  3. Steps for testing transaction controls (What are the steps to perform the test against the sample?)

(5) Test Objective

  1. In general, internal control test objectives describe an assessment of one or more aspects of an entity’s internal control system and are designed to provide reasonable assurance of achieving effective and efficient operations, reliability of reporting for internal and external use, or compliance with provisions of applicable laws and regulations.
    i) Test objectives may vary widely (based on the process under review) and are used to verify that internal controls are effective and operating as intended.

  2. Each objective (in the test plan) includes a list of steps that describe the methodology that will be used to accomplish the test objective.

  3. Each test plan includes an objective that addresses the design of the internal control system (under review). The purpose of this objective is to determine if the internal controls in place are designed adequately and to communicate any associated vulnerabilities. Steps (methodology) taken to achieve this objective include:
    i) Reviewing relevant internal control documents (such as operating procedures, manuals, policies, and desk guides);
    ii) Conducting interviews and/or walkthroughs;
    iii) Assessing risk; and
    iv) Reviewing the results of other oversight activity. Relevant sources of information include: GAO and TIGTA audit reports; GAO Management Report (related to the IRS financial statement audit); GAO audit findings, also called Matters for Further Consideration (MFCs); and internal (IRS) reviews.

  4. In addition, each test plan also includes an objective that verifies the status of prior FACT findings and recommendations to ensure that corrective action (when appropriate) was taken to remediate the issue observed.

(6) Results of Testing

  1. Determine whether the controls that were tested are effective, overall.

  2. Determine whether the process owner(s) consistently applied the controls.

(7) Effectiveness of Controls

  1. Determine the effectiveness of the controls.

  2. Determine if reportable issues are required.
    i) If the process owner disagrees with an issue, obtain written documentation from the process owner that describes the reason for the disagreement.
    ii) In addition, if the process owner chooses to accept the risk identified, in lieu of implementing corrective actions to remediate the finding (control deficiency, significant deficiency, material weakness), obtain written documentation that describes the rationale for doing so.

  3. Determine if corrective action plans are required.

Testing Phase

(1) During the testing phase, the transaction lead executes the approved test plan by:

  1. Coordinating with business unit process owners.

  2. Specifying when the testing phase begins/ends for interim and fourth quarter testing.

  3. Obtaining a sample for testing from SOI.

  4. Reviewing SMRs and QARs to determine if they provide assurance.

  5. Performing substantive testing on samples and other supporting documentation.

Sampling

(1) In defining the population, the transaction lead should identify the entire set of items from which the sample should be drawn. This includes:

  1. Verifying the entire population is accounted for when the sample is drawn.

  2. Determining the source document or the transaction documents to be tested.

  3. Defining the period covered by the test.

  4. If applicable, identifying significant subsets within the population, such as high dollar value items, and working with SOI to develop an appropriate sampling plan.

(2) The sample items selected for testing purposes must come from the current fiscal year. However, when transactions occur only at the end of the fiscal year, a sample selection from the previous fiscal year may be permissible.

(3) Changes to internal controls over financial reporting process and changes to financial systems should be considered when developing a sampling plan.

(4) When sampling from multiple locations, the population may include all or several locations if the controls at each location perform the same function and use the same internal controls. Before combining separate locations into one population, management and the transaction lead should consider such factors as:

  1. The extent of uniformity of the controls and their applications at each location.

  2. Whether the individual locations can make significant changes to the controls or their application of these controls.

  3. The amount and nature of centralized oversight or control over local operations.

  4. Whether there may be a need to develop separate conclusions for each location. If the testers, transaction lead or manager conclude the locations should be separate populations, then transaction leads must select separate samples at each location, and testers and management will evaluate the results of each sample separately.

(5) The transaction lead sends the population to SOI to generate the sample. SOI works with the transaction lead to determine the most appropriate sample method for each test to be performed. Sampling methodologies must be:

  1. Reliable: Will the sampling approach produce dependable results?

  2. Consistent: Can the sampling approach be applied uniformly?

  3. Valid: Does the sampling approach adhere to applicable guidance and best practices? Does the test plan measure what it is intended to measure?

(6) FACT generally applies one of the following two sampling methods.

  1. Non-statistical sample: A subset of a defined population, selected using judgement, but not valid to make statistical inferences within a defined level of confidence and precision.

  2. Random sample: A subset of a defined population, selected using a statistically valid methodology in which every member of the population has a known, non-zero probability of being selected. With this method, transaction leads can make inferences about the population with a defined level of confidence and precision. The confidence level is fixed, but the precision level can vary. Usually, estimates have more precision as sample size increases.

(7) Additional sampling considerations include:

  1. Seasonal fluctuations (such as periods of limited availability), due to the nature of an activity, may necessitate multiple samples that cover several periods throughout the year to ensure a representative sample. The transaction lead should fully disclose seasonal fluctuations and other noteworthy conditions to SOI so that they can make an informed recommendation for an appropriate sample methodology.

  2. In some instances, transaction leads may find that one or more of the sample items selected for testing cannot be reviewed (for example, the transaction was reversed and is no longer there). In these circumstances, the transaction lead should work with SOI to identify a replacement sample for testing and clearly document the need for this approach. As a precaution, transaction leads may ask SOI to identify additional sample items which can be used to test a control when a sample item cannot be tested. In this scenario, the transaction lead would test the next sample item identified in the sample selection list.

Review of SMRs and QARs

(1) Quality reviews and quality assurance processes that are already in place are considered Structured Management Reviews (SMRs) and may be tested as part of a FACT review. In addition, SMRs can also be leveraged to provide reasonable assurance over internal controls that are covered under a FACT review. If a transaction lead plans to leverage a SMR, the review must contain sufficient information to enable an individual with no previous connection with the evaluation to understand what was reviewed, what was found, and to verify the reviewer’s judgments and conclusions. Refer to IRM 1.4.31, Resource Guide for Managers, IRS Quality Assurance Review Program, for additional details related to Quality Assurance Reviews.

(2) To be considered, a SMR should have the following elements:

  1. Documented procedures that guide the SMR.

  2. Reviews performed at regular intervals.

  3. Documented and independent review of results.

  4. Documented processes to resolve noted deficiencies.

Substantive Testing

(1) Substantive testing is performed by following the procedures the transaction lead identified in the test plan to ensure controls are implemented and working as intended. The transaction lead may delegate substantive testing to supporting team members. The team member testing the samples must appropriately document and record test steps in their workpapers.

(2) All aspects of testing activities require a high level of documentation. Documentation provides support for FACT planning, testing, and reporting processes, aids those conducting and leading the testing, and allows for reviews to be conducted. The test team obtains sufficient and appropriate evidence to develop a reasonable basis for an opinion regarding the effectiveness of internal controls tested through inspection, reperformance, observation, inquiries or confirmations. The documentation of evidence supports overall FACT conclusions.

(3) Documentation related to planning, testing and reporting on FACT activities should contain sufficient information to enable an individual who has had no previous connection with the testing to understand what was tested, how the test was conducted, the test results and to verify the reviewer’s judgments and conclusions.

(4) The FACT team determines the quantity, type and content of documentation, which provides a clear understanding of the internal control test’s purpose, data sources, results and conclusions. The team organizes the documentation logically to provide a clear link to the conclusions and issues. FACT test documentation must contain the following items:

  1. Objectives, scope and methodology for each transaction, including the testing period, a description of the sampling methodology, and if the team deviated from the approved sampling methodology, the rationale for such actions.

  2. Support for each test conducted, including the copies of documents examined and the rationale for key decisions and any deviations made from approved guidance.

  3. Testing results, analysis and conclusions that provide a clear and concise summary of results cross-referenced to supporting documents and resolution of exceptions or other issues.

  4. Evidence of transaction lead and/or supporting team member review and sign-off of workpapers and steps (as prepared) prior to supervisory review.

  5. Evidence of FACT section chief, team lead or senior team member review of the work performed that supports conclusions about the controls tested.

(5) Workpapers document the FACT review and record information obtained and analyzed during the FACT process. CCH TeamMate maintains all workpapers created directly in the system as well as workpapers scanned and uploaded into the system. The FACT team prepares and updates workpapers throughout the planning and testing phase and documents the following in CCH TeamMate:

  1. Plans for the review, including the test plans.

  2. Examination and the evaluation of the adequacy and effectiveness of the systems of internal control.

  3. Test procedures followed, the information obtained and the conclusions reached.

  4. Management reviews.

  5. Audit reports.

  6. Issues.

(6) The transaction lead is responsible for determining which documents to include in the workpapers; the workpapers must include the following:

  1. A lead sheet identifying all items, attributes and findings (i.e., x = exception, check mark = no exception).

  2. For one sample, the workpapers must include one complete example that clearly identifies and documents all attributes tested.

  3. For samples that contain exceptions, the workpapers must include all supporting documents.

  4. Documents that may not be retrievable in their exact form at a later date. For example, if a screen print is necessary to support a number or dollar amount that may change in the future, that screen print should be retained to verify that figure as of the test date.

(7) In addition to the required items above, workpapers may also include:

  1. Planning documents and review plans.

  2. Control questionnaires, flowcharts, checklists and the results of control evaluations.

  3. Documentation of walkthroughs and interviews.

  4. Organization charts, policy and procedures statements and job descriptions.

  5. Copies of important contracts and agreements.

  6. Letters of confirmation and representation.

  7. Photographs, diagrams and other graphic displays.

  8. Results of analytical review procedures.

  9. Audit reports and management replies.

  10. Emails, memos and other relevant correspondence.

  11. CAPs, if appropriate and available.

(8) The documentation within the workpapers must be appropriately organized to provide a clear link to the overall conclusion. Workpapers must be sufficient to show that the transaction lead completed the following:

  1. Obtained guidance to understand the internal control, plan the testing and determine the nature, timing and extent of the tests performed.

  2. Adequately planned and supervised work.

  3. Observed standards of test work.

  4. Obtained sufficient and appropriate documentation to support a reasonable conclusion.

(9) The transaction lead should use the following techniques for documenting in workpapers:

  1. Notation: Highlight or identify the specific attribute in the workpapers that the team member verified, such as a signature indicating managerial approval.

  2. Indexing: Workpapers will be automatically indexed once loaded into TeamMate to verify test plan results are properly referenced and can be easily traced to supporting documentation. When referring to reports in TeamMate, use the reference number and page number. Based on the associated test objective to the workpapers, TeamMate will automatically assign each workpaper a reference number.

  3. Sources of data: Clearly identify the source of any information appearing in workpapers. An independent reviewer should be able to retrace the reviewer’s steps, from basic schedules to summaries and comments. Worksheets should be cross-referenced to other related workpapers and to the test plans. Effective cross-referencing often reduces the need to duplicate data.

  4. Workpaper summaries: The process of summarizing provides an objective overview and puts findings in perspective. The team’s summary should focus on key information and data. Do not include trivial information or editorial comments not supported by testing. Periodically summarizing findings helps verify firm control over the test.

  5. Record Key Meetings and Interviews: Record all key discussions (meetings and interviews) used as support for key decisions (testing decisions/conclusions) and understanding the subject matter or test evidence and include the notes in the workpapers. Key decisions and conclusions are often a result of meetings and interviews. Without a record, important information will be lost. Use the format below.

  6. Keep the Writing Simple: Workpapers should be clear and concise to an uninitiated reviewer. Avoid jargon and explain all technical terms and acronyms in a separate part of the workpapers (glossary of terms).

  7. Keep Workpapers Understandable: Workpapers should be clear, concise and must stand on their own. They should not need any supplementary information. Anyone reading the papers should be able to determine what the team member set out to do, what they did, what they found, and what they concluded.

  8. Safeguard PII: Some workpapers and documentation contain PII (taxpayer, employee, vendor data, etc.) based on the type of review being performed. All PII must be protected according to the guidelines in 1.4.18.12.4, Personally Identifiable Information (PII).

  9. Keep Workpapers Relevant: Workpapers should be restricted to relevant and material matters; they should directly relate to the review’s objectives. Well-organized test plans, execution of FACT procedures and workpaper reviews help verify the inclusion of relevant documents only. Do not include editorial comments and observations not supported by testing. It is important that all conclusions are in context and related to specific evidence.

Evaluating Exceptions and Classifying Findings

(1) Test results support the FACT team’s conclusion on whether the controls (being tested) are adequate and effective. Exceptions found when testing may indicate that there is an issue with the controls. A testing exception is an attribute that does not meet the expected test criteria.

  1. When exceptions are noted, the transaction lead should, in consultation with the team lead and section chief, determine the impact of the exception and the likelihood that the entity’s controls will fail to prevent, or detect and correct, misstatements in financial information.

  2. When making this determination, the FACT team should consider a number of factors, to include: the frequency of errors, compliance with laws and regulations, materiality, impact to financial reporting, and if compensating controls are in place to reduce or address the impact and likelihood of the exception(s) noted, among other things.
    i) In this context, a compensating control is a technique or other effort(s) designed to mitigate a control design deficiency, or ineffective operation or implementation of a control, or the simple lack of control over a financial process or program.

  3. Test exceptions may result in audit findings which could involve deficiencies in internal control; noncompliance with provisions of laws, regulations, contracts, and operating procedures (among other things); or instances of fraud.
    i) If fraud is suspected, the FACT team will pause testing, promptly notify TIGTA, and wait for instructions on how to move forward.

(2) If testing exception(s) result in an audit finding, additional consideration is needed to classify the finding according to the parameters below (listed from least severe to most severe):

  1. Control Deficiency: Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
    i) A simple deficiency is an internal control deficiency that creates minimal exposure for management and is generally an anomaly. Examples could include missing initials indicating a supervisor’s review on 1 of 26 reconciliations sampled, or the slight delay of an internal control activity.

  2. Significant Deficiency: A significant control deficiency, or combination of internal control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements, or other significant financial reports, that is more than inconsequential will not be prevented or detected.
    i) The term “remote” means that the chance of the future event, or events, occurring is slight.
    ii) A misstatement is “inconsequential” if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when combined with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement would be more than inconsequential.
    iii) Significant deficiencies are reportable conditions that warrant the attention of the Management Controls Executive Steering Committee.

  3. Material Weakness: A reportable condition, or combination of reportable conditions, that results in more than a remote likelihood that a material misstatement of the financial statements, or other significant financial reports, will not be prevented or detected. Material weaknesses are reportable conditions that warrant the attention of the Management Controls Executive Steering Committee.

(3) In addition to the categories described above, the FACT team may encounter a situation that doesn’t rise to the level of an audit finding, yet still warrants the attention of internal control process owners. Under these conditions, the FACT team has the ability to issue a Management Information Only (MIO), which serves to notify the process owner of the situation observed. Unlike the findings described above, MIO notifications do not require a response or corrective action plan.

Note: If the transaction lead determines the exception warrants immediate attention, the transaction lead must contact the FACT section chief and/or team leader. The FACT section chief and/or team leader must notify the Assurance Review Testing Director and/or the Associate CFO for Internal Controls of the urgent situation.

(4) All audit findings and MIOs require formal documentation and notification to the process owner and IRS management. When documenting the issues and situations observed, FACT team members must include the following information:

  1. Classification: The type of issue observed (Control Deficiency, Significant Deficiency, Material Weakness or MIO).

  2. Condition: A description of the situation in which the exception or issue was observed, along with any other pertinent information.

  3. Criteria: Criteria may include the laws, regulations, contracts, standard operating procedures, IRMs, standards, measures, expected performance, defined business practices and benchmarks against which performance is compared or evaluated.
    i) Criteria identify the required or desired state or expectation with respect to the program or operation.
    ii) Criteria provide a context for evaluating evidence and a basis for understanding the findings, conclusions and recommendations that are being reported.

  4. Cause: The cause is the factor or factors responsible for the difference between the condition and the criteria. The cause may also serve as a basis for recommendations for corrective actions.
    i) Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete or incorrect implementation; unintentional oversights, or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor contributing to the difference between the condition and the criteria.
    ii) The FACT team should follow up with the process owner to make sure that they have a clear understanding of the root cause.

  5. Effect or potential effect: The effect or potential effect is the outcome or consequence resulting from the difference between the condition and the criteria. It describes the impact or potential impact associated with the deficiency observed.
    i) Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks and should consider materiality, impact to financial reporting and compensating controls, among other things.

  6. Recommendation: A recommendation is the FACT team’s proposed solution to address the deficiency observed and root cause.

  7. Responsible Entity: The finding should indicate the responsible entity and process owners and/or manager(s).

  8. Owner Response with Corrective Action Plan: After the information listed above has been prepared, the FACT team issues the finding to the process owner and asks for their response. An owner response should describe management’s position on the issue and include a description of the corrective action that is planned to address the issue(s) observed. Corrective action should seek to address the root cause of the issue, correct past deficiencies (if possible) and prevent recurrence.
    i) If, for some reason, the process owner disagrees with the FACT team’s finding and recommendation, they should include a description of the basis for their disagreement and their planned action going forward.
    ii) This also applies to situations where the process owner chooses to accept the risk associated with the deficiency. If the process owner chooses to accept the risk, the FACT team will follow up to request documentation in the form of an executed Risk Acceptance Form and Tool.

  9. Estimated Completion Date for Corrective Action: The Owner’s Response should include an estimated completion date for the corrective action plan.

Reporting Phase

(1) The final stage of the FACT cycle is the reporting phase. During the reporting phase, the transaction lead assesses the results of the testing and presents a conclusion stating whether or not the controls were found to be effective and adequate.

(2) The transaction lead creates three final reports:

  1. Test Results Spreadsheet (TRS): The TRS is an Excel spreadsheet that is maintained within TeamMate that provides a detailed account of the purpose of the transaction and the test results of each transaction test step performed. The FACT section chief and/or team leader submits the TRS to the process owner(s) at the conclusion of testing so they may gain an understanding of the overall test results.

  2. Combined Issues Report (CIR): The CIR is a TeamMate-generated report that provides a detailed account of the findings identified when testing a transaction. The report is comprised of issues that were identified during the current testing period, any open findings from prior periods and any recently closed findings from prior periods. The CIR includes all elements of each finding that was issued, the process owner’s response (to describe their corrective action plan) and estimated completion date for corrective action.

  3. Executive Summary: The Executive Summary is included as a tab within the TRS and provides a high-level synopsis of the testing purpose, scope, and overall results, among other important information. The Executive Summary is issued to the responsible executive(s) for the transaction and is sent with a copy of the CIR and TRS for their information and consideration. All Executive Summaries must be signed and returned by the responsible executive(s) to acknowledge the test results. Note: An executive’s signature is viewed as an acknowledgement of the testing results rather than an acceptance of the conclusions made. An executive may disagree with the results but should always be able to demonstrate their acknowledgement via their signature on the Executive Summary.

Continuous Monitoring

(1) Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational activities. The financial and operational environment consists of the people, processes and systems working to support efficient and effective operations. Controls are put in place to address risks within these components.

(2) Continuous monitoring actively identifies, quantifies and reports control failures such as duplicate vendor records, duplicate payments and transactions that fall outside of approved parameters. It highlights opportunities to improve operational processes.

(3) Overall responsibility for IRS continuous monitoring includes:

  1. Management (all levels) - Issues and monitors internal control programs, policies and procedures. Continuously assesses key business controls and transactions, which permits ongoing insight into the effectiveness of the controls and the integrity of transactions.

  2. Information Technology - Issues security, policy and guidance for the IRS’s information systems (see IRM 10.8.1, Information Technology Security, Policy and Guidance). Conducts annual assessments of automated internal controls that affect authorizing, processing, transmitting or reporting material financial transactions to determine whether security controls are in place and operating effectively.

  3. CFO Financial Management - Conducts reconciliations and reviews in preparation of financial statements to verify timely and accurate reporting.

  4. CFO FACT - Conducts interim and year-end internal control testing to determine the IRS's compliance with laws and regulations. (See IRM 1.4.2, Monitoring and Improving Internal Control).

(4) Continuous monitoring is a key function of the FACT team. The statuses of prior findings are tracked and reported within the JAMES system on a continuous basis. The statuses of OFIs and ICWs are tracked and reported on annually. If the status is:

  1. Open: The finding has been reported and corrective action has not been implemented.

  2. Open, Pending: This indicates that the process owner has begun to take corrective action(s); however, additional action still needs to be taken by the responsible process owner to remediate the finding prior to submitting for review and approval.

  3. Open, Implemented: This indicates that the responsible process owner has implemented corrective actions and is awaiting verification to determine if their actions were effective in remediating the issue observed.

  4. Closed, Verified: This indicates that the actions taken to remediate the finding have been verified and were effective in addressing the issue observed.

(5) Continuous monitoring can be traced back to its roots in traditional auditing processes. However, it goes further than a traditional audit (which provides a snapshot at a specific point in time) by establishing continuous monitoring activities to inform management of internal control vulnerabilities or issues on a more frequent basis. This is especially applicable in an information systems environment where technology can be leveraged to provide frequent testing and continuous monitoring. (See NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information System Backgrounds).

(6) IT’s continuous monitoring activities supplement the FACT internal control activities (through interim and year-end operational controls testing). Each year, the FACT team tests various IT transactions to ensure compliance with Treasury guidance.

(7) Through continuous monitoring, weak or poorly designed controls can be corrected or replaced to improve the IRS risk profile. Multi-disciplinary teams consisting of automated systems specialists, accounting and reporting experts will use the appropriate policies and procedures as a basis for performing periodic and routine examinations of the financial systems that authorize, process, transmit or report material financial transactions.

Record Retention

(1) FACT has established a 6-year standard for record retention. Certain FACT records could be considered ancillary records in situations where FACT testing has an influence on the IRS’s Statement of Assurance. This being the case, the records would be captured under GRS 5.7, item 050. On a yearly basis, FACT management will identify records which fall outside the retention period per the Records Retention and Disposal SOP.

Record of Discussion

Date:

Time:

Type of Contact:
  In Person:
  By Telephone:

Location of Discussion:
  Conference Call

Person(s) Contacted/Interviewed (please list all participants):
  Name, Position/Title, Office, Telephone Number
  Name, Position/Title, Office, Telephone Number

Initiator(s)/Interviewer(s):
  Name, Position/Title, Office, Telephone Number

Purpose:
  (Provide a brief description of the meeting objective.)

Discussion:
  (Provide notes from the meeting.)

Other Matters Discussed:
  (Provide detailed notes of other matters discussed outside of the general purpose of the meeting.)

Follow-up Actions:
  (List follow-up actions from the meeting.)

Documents to Obtain:
  (List documents to obtain related to the meeting discussion.)

Sample Sizes and Acceptable Number of Errors (90% Confidence Level)

(1) In defining the severity of the exceptions, the transaction lead may use the error rate tables. The transaction lead may use judgment in applying Tables I and II. Tables I and II show various sample sizes and the maximum number of errors that may be detected. The use of each table is encouraged for population sizes over 2,000 items. However, according to the GAO/CIGIE FAM, if the population size is smaller, the statistician may be asked to calculate a reduced sample size. The transaction lead will use judgment to evaluate the existence and significance of a deficiency.

Table I (Tolerable Rate of 5%)

  Sample Size    Acceptable Number of Exceptions
  45             0
  78             1
  105            2
  132            3
  158            4
  209            6

Note: Table I is used for determining sample sizes in all cases.

Table II (Tolerable Rate of 10%)

  Sample Size    Acceptable Number of Exceptions
  45             1
  78             4
  105            6
  132            8
  158            10
  209            14

Note: Table II is used for evaluating sample results only if preliminary assessment of financial reporting control risk is low and exceptions exceed Table I.

This data was captured by Tax Analysts from the IRS website on August 23, 2023.