Part 1. Organization, Finance, and Management
Chapter 4. Resource Guide for Managers
Section 2. Monitoring and Improving Internal Control
1.4.2 Monitoring and Improving Internal Control
Manual Transmittal
June 13, 2023
Purpose
(1) This transmits revised IRM 1.4.2, Resource Guide for Managers, Monitoring and Improving Internal Control.
Material Changes
(1) IRM 1.4.2.1, Program Scope and Objectives, clarified language to include all IRS employees.
(2) IRM 1.4.2.1.1(3), Background, replaced manager with employee.
(3) IRM 1.4.2.1.2 Authorities, updated with additional relevant regulations and guidance.
(4) Previous IRM 1.4.2.1.3.3, Enterprise Audit Management, removed section. Appropriate IRM section is referenced in IRM 1.4.2.3.2, The Role of Enterprise Risk Management.
(5) IRM 1.4.2.1.3.5, Internal Controls (IC) Coordinators, clarified that each business unit should have an IC Coordinator and incorporated the IC Community of Practice (ICCOP). Added managing the annual assurance review and monitoring action plans responsibilities.
(6) IRM 1.4.2.1.5, Program Controls, added Management Controls Executive Steering Committee (MC ESC) responsibilities.
(7) IRM 1.4.2.1.6, Terms/Definitions, refined definitions as appropriate, distinguished between Material Weakness in Internal Control over Financial Reporting versus Material Weakness in Internal Control over Operations.
(8) IRM 1.4.2.1.7, Acronyms, revised as appropriate.
(9) IRM 1.4.2.1.8, Related Resources, added IRM references. Government Acts are listed in IRM 1.4.2.1.2, Authorities.
(10) IRM 1.4.2.2, Improving Control, this section now has Steps to Downgrade a Material Weakness and Significant Deficiency, Annual Assurance Review Process, Identification of Quality Assurance Reviews and Initiatives, IC Reviews, and Outreach and Reporting. Steps to Downgrade a Material Weakness was changed to include “Significant Deficiency” in the title and was revised to reflect the current process.
(11) IRM 1.4.2.3, IC Process, revised section to outline subsections reflecting the alignment of guidance within the Green Book.
(12) IRM 1.4.2.5, Information and Communication, added this section to describe how information and communication affect the internal control environment.
(13) IRM 1.4.2.6, New title is “Monitoring Controls.” Management Controls Executive Steering Committee added to this section.
(14) IRM 1.4.2.7, Remediation Plan, included Remediation Plan in this section.
(15) Minor editorial changes have been made throughout the IRM.
Effect on Other Documents
IRM 1.4.2, dated July 17, 2020, is superseded.
Audience
All business units
Effective Date
(06-13-2023)
Teresa R. Hunter
Chief Financial Officer
Program Scope and Objectives
(1) This IRM provides guidance to all IRS employees for maintaining an effective internal controls program that complies with legislative requirements and related regulations and directives, such as the Standards for Internal Control in the Federal Government, commonly known as the "Green Book."
(2) Purpose: Internal controls are the programs, policies and procedures established to ensure that:
The IRS accomplishes its mission and program objectives efficiently and effectively.
Programs and resources are protected from waste, fraud, abuse, mismanagement and misappropriation of funds.
Laws and regulations are followed.
Financial reporting is reliable.
Reliable information is obtained and used for decision making.
(3) Audience: Internal controls are everyone’s responsibility. This guidance applies to managers at all levels. Managers are expected to understand the risks associated with their operations and ensure that controls are in place and operating effectively to mitigate known risks. Managers provide candid, reliable and supportable reports on the status of those controls annually.
(4) Policy Owner: The CFO, Office of IC, is responsible for this IRM.
(5) Program Owner: Associate CFO for IC.
(6) Primary Stakeholders: IRS managers.
(7) Program Goals: To accomplish the objectives identified in the Purpose section above.
Background
(1) Internal controls are a major part of effectively managing an organization. They comprise the plans, methods and procedures used to meet missions, goals and objectives. Internal controls support performance-based management. Effective systems of internal control provide unmodified assurance that the IRS achieves the following objectives:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and regulations.
(2) All employees must be committed to implementing effective and efficient internal controls. The Department of the Treasury (Treasury), TIGTA and the Government Accountability Office (GAO) provide oversight to evaluate whether control strategies that mitigate program and administrative operational risks are implemented.
(3) Internal controls are the responsibility of every employee. Managers are accountable for and have stewardship of all assigned operations within their organization, including program, administrative and financial, such as:
Designing and implementing controls providing unmodified assurance that programs are being accomplished as intended.
Conducting regular assessments to identify risks to programs, compliance with laws and regulations and reporting accuracy.
Implementing remedies to mitigate risk and measuring the results.
(4) It is important to identify problem areas and take appropriate corrective actions before external auditors, such as GAO and TIGTA, issue findings or before problems escalate into serious control weaknesses. On the other hand, there must be an appropriate balance of control in programs and operations. For example, an over-controlled process or program may be costly to implement and interfere with program accomplishment. Similarly, an uncontrolled or under-controlled process or program may allow problems to go unnoticed and assets to be wasted.
(5) Internal controls focus and awareness should be an integral part of all managers’ and employees’ daily activities. By fostering open, honest communications and promoting problem-solving within an organization, managers create an environment where internal controls are acknowledged as tools to achieve goals.
Authorities
(1) The Budget and Accounting Procedures Act of 1950 requires the head of each federal department and agency to establish and maintain adequate systems of management controls.
(2) The Federal Managers’ Financial Integrity Act of 1982 (FMFIA) and Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, require federal agencies to improve accountability in federal programs and operations.
(3) The CFO Act of 1990, as amended, requires agencies to provide audited financial statements that are made available to the public.
(4) The Federal Financial Management Improvement Act of 1996 (FFMIA) Financial Management Systems and Appendix D to OMB Circular No. A-123 require financial systems reviews.
(5) The Government Performance and Results Act Modernization Act of 2010 (GPRAMA) requires annual performance plans and reports.
(6) The Reports Consolidation Act of 2000 requires the Annual Assurance Statement to include reliable Performance Measures.
(7) The Federal Information Security Modernization Act of 2014 (FISMA) and OMB Circular A-130, Managing Information as a Strategic Resource, require annual systems performance and security reviews.
(8) The Standards for Internal Control in the Federal Government (known as the “Green Book”) provide the overall framework for establishing and maintaining an effective internal control system.
(9) Treasury Directive 40-04 provides guidance on appropriate internal control and implementation for internal control statutes, regulations and other requirements.
(10) The Inspector General Act of 1978, as amended, 5 U.S.C. Appendix 3, grants the Office of the Inspector General (OIG) administrative authority.
Responsibilities
(1) This section provides responsibilities for:
Commissioner, Deputy Commissioners and CFO
Associate CFO for IC
Division Commissioners, Chiefs, National Taxpayer Advocate and Chief Counsel
Managers at all levels
IC coordinators
Commissioner, Deputy Commissioners and CFO
(1) The Commissioner, Deputy Commissioners and CFO are responsible for:
Creating a positive governance structure within the IRS to ensure operational efficiency and adherence to all applicable internal control requirements.
Establishing priorities in identifying, correcting and reporting internal control material weaknesses, significant deficiencies and accounting noncompliance.
Ensuring that adequate funding is requested during the budget process to correct identified deficiencies.
Establishing a quality assurance process that allows the Commissioner to provide assurance that the objectives of the FMFIA are being achieved.
Ensuring that the performance plans for each Senior Executive Service member or equivalent employee having significant responsibilities for internal control contain appropriate performance requirements and expectations.
Ensuring that all other employees are aware of expectations and are subject to appropriate internal controls performance standards.
(2) The CFO is the IRS’s IC Officer and has operational responsibility for the IRS’s internal control program by:
Evaluating all internal control systems periodically and ensuring that audits, internal control reviews, risk assessments and other evaluations are coordinated to complement one another with minimal duplication of effort.
Determining annually which programs or administrative functions should be subject to a formal review to supplement management judgment as to the adequacy of management controls and allocating adequate resources to evaluate their systems of internal control.
Ensuring that detailed procedures, documentation, training for managers and employees and reporting requirements necessary to review, establish, maintain, test, improve and report on IRS’s financial management systems are appropriately designed and operate effectively.
Reporting to the Treasury Deputy CFO (TDCFO) control deficiencies identified in audit reports, internal reviews and other sources that have the potential to rise to the level of a material weakness or significant deficiency.
Ensuring timely correction and validation of all identified program, operations and reporting deficiencies whether material or immaterial.
Ensuring internal control guidelines issued are implemented and include employee accountability.
Maintaining, correcting and/or updating the Joint Audit Management Enterprise System (JAMES) with specific data on IRS FMFIA significant deficiencies and Remediation Plans.
Associate CFO for IC
(1) The Associate CFO for IC is responsible for administering and carrying out the day-to-day IRS internal control program by:
Preparing internal control policies and procedures.
Implementing OMB's Circular A-123 requirements.
Providing administrative support to the Management Controls Executive Steering Committee (MC ESC).
Developing internal control procedures, training and reporting requirements necessary to establish, review, improve and report on IRS’s systems controls.
Managing the annual assurance process and preparing the IRS Assurance Statements.
Monitoring the completion of corrective actions for material weaknesses and significant deficiencies.
Providing advice and assistance to managers and their internal control coordinators, as needed.
Division Commissioners, Chiefs, National Taxpayer Advocate and Chief Counsel
(1) The Division Commissioners, Chiefs, National Taxpayer Advocate and Chief Counsel are responsible for:
Establishing and implementing adequate and effective controls for all operations and activities in their responsible areas.
Conducting a self-assessment and reporting annually on the status of internal control to the MC ESC.
Assessing the effect of known deficiencies and providing comments to the MC ESC.
Providing adequate resources to correct identified material weaknesses and significant deficiencies.
Preparing briefing documents for agenda topics at MC ESC and subgroup meetings.
Managers at All Levels
(1) Managers at all levels are responsible for:
Providing a positive control environment.
Identifying potential risk areas.
Ensuring that adequate and effective controls are in place.
Reporting results of reviews to the next level of management.
Ensuring reports are supportable, accurate and complete.
Providing adequate resources to correct identified problems.
Documenting, implementing and validating corrective actions timely.
Internal Controls Coordinators
(1) Internal Controls Coordinators (ICC) are responsible for assisting management in developing and maintaining their internal control program and serving as the primary liaison with IC. Each business unit within the IRS is required to have a designated ICC. Their responsibilities include:
Managing their organization's annual assurance review process and preparing its assurance certification memorandum.
Providing technical assistance to management and review teams in the evaluation of controls.
Monitoring the status of corrective actions for material weaknesses and significant deficiencies, as well as reporting the status to IC.
Participating in the Internal Control Community of Practice (ICCOP) and attending ICCOP quarterly meetings.
Program Management and Review
(1) Program reports include:
MC ESC briefings
Annual Assurance Statement
Remediation plans
Financial Assurance Control Testing (IRM 1.4.3)
IRS Quality Assurance Review Program (IRM 1.4.31)
Internal Control Review Program (IRM 1.4.32)
(2) Program effectiveness is determined by:
Mission and program objectives are accomplished efficiently and effectively.
Reliable information is obtained and used for decision making.
Laws and regulations are followed.
Financial reporting is reliable.
Program and resources are protected from fraud, waste, abuse, mismanagement and misappropriation of funds.
Program Controls
(1) The MC ESC is responsible for:
Approving extensions to remediation plans.
Providing final internal approval of a material weakness closure or downgrade to a significant deficiency and elimination of a significant deficiency.
Terms/Definitions
(1) The following terms and definitions apply to this program:
Annual self-assessment - A manager’s review of the effectiveness of internal controls within their area of responsibility and the involvement of each level of management in certifying the control environment within their area is conducive to identifying risks or deficiencies at all levels.
Control deficiency - A situation caused by the design or operation of a control not allowing management or employees, in the normal course of performing their assigned functions, to prevent or detect errors on a timely basis, comply with relevant regulations and operate effective and efficient programs and operations.
Corrective action - Action taken to correct identified deficiencies.
Internal controls - Processes and procedures put into place by management to help an organization operate efficiently and effectively to achieve its objectives. Internal control is an integral component of an organization’s management that provides unmodified assurance that the internal control objectives are being achieved.
Material weakness in Internal Control over Financial Reporting - A deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis.
Material Weakness in Internal Control over Operations might include, but is not limited to, conditions that:
1) Impact the operating effectiveness of entity-level controls.
2) Impair fulfillment of essential operations or mission.
3) Deprive the public of needed services.
4) Significantly weaken established safeguards against fraud, waste, loss, unauthorized use or misappropriation of funds, property, other assets or conflicts of interest.
Modified assurance - Informed judgment by the head of an organization that internal controls may not be adequate to address specific problems identified in the assurance memorandum.
Unmodified assurance - Informed judgment by the head of an organization, based upon sufficient information, that the internal controls in place adequately protect the resources, ensure accurate reporting and facilitate mission completion.
Remediation plan - A plan to achieve FFMIA compliance when an agency's annual review determines the financial management systems cannot prepare the required financial statements and reports in accordance with federal accounting standards, provide reliable and timely financial information for managing operations and/or comply with United States Standard General Ledger (USSGL) requirements.
Significant deficiency - A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit the attention of those charged with governance.
Acronyms
(1) The following acronyms apply to this program:
Acronym | Meaning |
---|---|
ERM | Enterprise Risk Management |
FFMIA | Federal Financial Management Improvement Act of 1996 |
FISMA | Federal Information Security Management Act of 2002 |
FMFIA | Federal Managers’ Financial Integrity Act of 1982 |
GAO | Government Accountability Office |
GPRAMA | Government Performance and Results Act Modernization Act of 2010 |
IC | Internal Controls |
ICC | Internal Controls Coordinator |
ICCOP | Internal Controls Community of Practice |
ICR | Internal Control Review |
JAMES | Joint Audit Management Enterprise System |
MC ESC | Management Controls Executive Steering Committee |
MD&A | Management’s Discussion and Analysis |
OMB | Office of Management and Budget |
OR | Outreach and Reporting |
PCA | Planned Corrective Action |
PIIA | Payment Integrity Information Act of 2019 |
QAR | Quality Assurance Reviews |
TDCFO | Treasury Deputy CFO |
Treasury | Department of the Treasury |
USSGL | United States Standard General Ledger |
Related Resources
(1) The following IRMs are the most significant IRMs that affect the IRS’s management controls program:
IRM 1.4.3, Financial Assurance Control Testing
IRM 1.1.31, Office of the Chief Risk Officer
IRM 1.4.31, IRS Quality Assurance Review Program
IRM 1.4.32, Internal Control Review Program
Improving Controls
(1) Sound internal controls support the IRS in improving its operations and meeting its compliance objectives. While this work begins with each IRS office, there are a number of Service-wide processes and programs to assess and improve internal controls.
Steps to Downgrade a Material Weakness and Significant Deficiency
(1) The steps to downgrade a material weakness or to close a significant deficiency are:
Identify/clarify issues that contribute to the material weakness or significant deficiency.
Develop planned actions to address the deficiency.
Verify that the planned actions will reduce the risk level as expected and informally meet with auditors to discuss the plan of action.
Finalize the action plan.
Ensure that actions are completed and results have been achieved.
Evaluate the process for continuous monitoring to ensure controls are in place and continue to operate effectively to mitigate continued risk and forward to IC for review.
Obtain MC ESC approval of closure/downgrade.
Prepare a memorandum (prepared by the business unit and reviewed by IC) from the IRS CFO to the TDCFO requesting concurrence for the closure/downgrade, providing the background and summary of accomplishments and results.
Report the material weakness or significant deficiency closure/downgrade in the Assurance Statement.
While IRS management determines whether a material weakness or significant deficiency has been resolved for Assurance Statement reporting purposes, the financial statement auditors will make an independent assessment of management’s assertion and report that conclusion in their report.
Annual Assurance Review Process
(1) The annual assurance review process focuses on the adequacy of internal controls within an organization. Managers assess risks (for example, the probability of a negative, unanticipated occurrence) of operations, determine whether controls mitigate those risks and report whether those controls are effective. If managers identify weaknesses in their internal control procedures, they are required to report them to the responsible officials and business unit leadership so that a corrective action plan can be developed and implemented.
(2) Each spring, the CFO issues guidance to the Deputy Commissioners, Division Commissioners, Chiefs, Directors, National Taxpayer Advocate and Chief Counsel on the annual self-assessment of internal controls, known as the Internal Controls Managerial Assessment (ICMA) and on preparing the annual assurance memorandum for their organizations.
(3) All managers use the ICMA to conduct an annual self-assessment of their internal controls. Managers review the effectiveness of controls within their own area of responsibility and verify that adequate management controls are in place and functioning effectively to accomplish organizational goals and protect IRS resources. The involvement of each level of management in assessing the control environment within their areas is necessary in identifying risks at all levels.
(4) Managers should report a problem in the design or operation of an internal control to the next level of management as an internal control deficiency. Heads of business units should determine if any reported internal control weaknesses warrant inclusion in their Statement of Assurance memorandum. The MC ESC will determine if the internal control deficiency rises to the level of a significant deficiency or a material weakness. The IRS reports significant deficiencies and material weaknesses to Treasury.
(5) Heads of business units review the ICMA results of their subordinate managers and prepare a Statement of Assurance memorandum indicating the status of their business unit’s internal controls. Heads of business units also consider external auditor reports, internal studies and assessments and other known factors.
(6) The Statement of Assurance memorandum is a one or two-page document containing a specific statement regarding the level of assurance of the business unit’s internal controls. There are three types of assurance:
Unmodified assurance is an informed judgment by the head of an organization, based on all available information, that the internal controls in place adequately protect resources and enable mission completion. Unmodified assurance recognizes that the cost of controls should not exceed the benefits derived from them.
Modified assurance is an informed judgment by the head of an organization, based on all available information, that the internal controls in place may not be adequate to address the problems identified in the Statement of Assurance memorandum. One or multiple material weaknesses that may not be pervasive are noted. This level of assurance is based on the seriousness of the problems.
Statement of no Assurance indicates that material weaknesses exist and that there is no, or a limited, system of internal control in this organization.
(7) The Statement of Assurance memorandum briefly describes the process used to assess whether adequate internal controls are in place and functioning effectively to accomplish organizational goals and protect IRS resources. Preparers consider the information systems environment operated or used by their organizations and issues identified by GAO, TIGTA and IRS management reviews (if applicable) in preparing the memorandum.
(8) Corrective action plans for newly identified internal control deficiencies should be included with the Statement of Assurance memorandum. Managers execute actions necessary to resolve internal control deficiencies, regardless of whether the MC ESC deems them significant deficiencies or material weaknesses. Corrective action plans for internal control deficiencies identified in the previous fiscal year will be updated.
(9) Internal control deficiencies that have been corrected will be submitted with a certificate of completion describing the validation process and the results indicator data that verifies that the internal control weakness has been corrected.
(10) The MC ESC will review and evaluate these documents and other relevant information to recommend to the Commissioner the level of assurance for submission in the IRS’s Annual Assurance Statement and any newly identified material weaknesses or significant deficiencies.
(11) The Commissioner signs and submits an Annual Assurance Statement to Treasury in early November each year.
(12) The Commissioner also provides an additional management Assurance Statement that is included in the annual IRS Financial Report. This management assurance is provided at the IRS bureau level and is intended to mirror agency requirements for reporting on internal controls over reporting, as described in OMB Circular A-123 and OMB Circular A-136, Financial Reporting Requirements. Like the Commissioner’s Annual Assurance Statement, the Commissioner’s IRS Financial Report management Assurance Statement is signed and submitted in early November of each year.
Identification of Quality Assurance Reviews and Initiatives
(1) In fiscal year 2012, the IRS expanded its annual assurance process to identify key program evaluations, managerial, operational, security and quality assurance (“reviews”) conducted by the business units to assess the effectiveness of IRS internal controls. These internal control reviews are important to the IRS and can result in greater efficiency, better taxpayer experiences and more effective responses to issues identified by GAO and TIGTA. See IRM 1.4.31, IRS Quality Assurance Review Program for information on the Quality Assurance Review Program.
IC Reviews
(1) IC provides business units with insight into the effectiveness of their implemented corrective actions for audit recommendations issued by GAO and TIGTA and evaluates critical controls over IRS programs identified as high risk, high impact or high visibility. This independent examination is known as an Internal Control Review (ICR) and assists IRS business units when they review and evaluate their internal control processes. See IRMs 1.4.3, Financial Assurance Control Testing and 1.4.32, Internal Control Review Program for additional information on the IC Review Program.
Outreach and Reporting
(1) Outreach and Reporting (OR) works with external stakeholders to manage and control oversight processes through the MC ESC and the Subgroup.
The Improper Payments program provides Servicewide oversight for all improper payments reporting and compliance requirements pursuant to the Payment Integrity Information Act of 2019 (PIIA). The overall goal is to reduce improper payments by fostering an effective internal control framework, while also realizing the statutory implications and limitations of programs within the tax system.
The Management’s Discussion and Analysis (MD&A) is prepared each fiscal year as Required Supplemental Information to the IRS Financial Statements and is published annually in the IRS Agency Financial Report. It contains a high-level overview of the IRS’s organizational structure, strategic framework, programmatic and financial performance, as well as management assurances related to the IRS’s internal controls. The MD&A also contains other information required by OMB Circular A-136, Financial Reporting Requirements and Federal Accounting Standards Advisory Board’s Statement of Federal Financial Accounting Standards 15. IRS offices and business units provide information reported in the MD&A in accordance with the current fiscal year’s deliverable timeline.
(2) The Outreach and Education section promotes internal control across the IRS by coordinating activities with and among staff throughout the IC organization. The Internal Controls Outreach & Education Program assists IRS business units in following through on organizational commitments, policy objectives, applicable laws, regulations and related processes and procedures. The overall goal is to enhance efficient and effective operations by increasing awareness of internal control through collaboration, communication, education and training.
IC Process
(1) Each business unit, regardless of size, is required to adopt methods to periodically assess risk and develop mitigation strategies and implement, review and update its system of internal controls. The methods should be tailored to the specific programs and needs of each business unit.
(2) The Green Book sets the standards for an effective internal control system for federal agencies.
(3) There are five interrelated components in the IRS internal control framework:
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Responsibility of Management in Risk Assessment
(1) Managers are responsible for determining what levels of risk they are willing to assume. Assessing risk enables managers to reduce unwanted surprises.
The Role of Enterprise Risk Management
(1) The Office of the Chief Risk Officer oversees Enterprise Risk Management (ERM). The ERM program provides an agency-wide approach to risk management and helps IRS units incorporate risk management principles into strategies and daily operations. See IRM 1.1.31, Organization and Staffing, Office of the Chief Risk Officer for additional information regarding the responsibilities of the Chief Risk Officer.
Control Environment
(1) An effective control environment accomplishes the following:
Competent employees understand their responsibilities and the limits of their authority and are knowledgeable and committed to performing tasks correctly.
Employees follow the IRS policies and procedures, as well as the IRS ethical standards.
The Role of the IRS in the Control Environment
(1) The IRS is tasked with maintaining an effective control environment. To this end, the IRS should:
Establish and effectively communicate policies, procedures and standards of conduct to its employees.
Create a positive tone at the top by conducting itself in an ethical manner.
Require the same standard of conduct from all IRS employees.
Responsibility of Management in the Control Environment
(1) Management should foster an effective control environment by:
Maintaining high levels of integrity, professional standards and competence.
Establishing a leadership philosophy and style that promotes internal control throughout the IRS.
Taking appropriate disciplinary action to correct employee misconduct or delinquency that impairs operational effectiveness, or damages the public image of the IRS, thus affecting the efficiency of the Service when an employee does not comply with IRS policies, procedures or standards of conduct.
Maintaining an IC oversight body, which is the MC ESC, discussed in IRM 1.4.2.6.4, Management Controls Executive Steering Committee (MC ESC).
Risk Assessment
(1) Risk assessments allow the IRS to be aware of any internal and external risks that could affect its ability to meet its goals. Through risk assessments, the IRS can manage risks better by establishing appropriate internal controls to mitigate or minimize risks to acceptable levels.
(2) Risk assessments are iterative processes and should be reviewed and updated when changes occur or new risks emerge.
Control Activities
(1) Control activities are IRS policies and procedures that ensure the risks identified during the risk assessment process are mitigated or minimized to an acceptable level.
(2) Managers must document, validate and track planned corrective actions for all control deficiencies arising from the design or operating effectiveness of internal controls. Elements must include planned corrective actions, responsible parties, due dates, validation process and monitoring plans.
Incorporating the Use of Controls
(1) Management should establish only those control activities necessary to accomplish the IRS mission and objectives effectively and efficiently.
(2) The following chart provides the timing, method and type of controls management can leverage in developing a control.
| Category | Control | Description |
|---|---|---|
| Timing of a Control | Preventive Controls | Protect the IRS by identifying and addressing problems before they occur. |
| Timing of a Control | Detective Controls | Designed to find errors after they have occurred. Properly designed and operating detective controls will also determine if preventative controls are functioning properly. |
| Method of a Control | Manual Controls | Rely on human action. |
| Method of a Control | Automated Controls | Rely on electronic actions. |
| Type of a Control | Key Controls | Defined as a control for which, if it fails, it is highly improbable that other controls could detect the control’s absence. |
| Type of a Control | Non-Key Controls | Can fail without affecting a whole process. |
Information and Communication
(1) Communicating relevant information is essential to internal control. Within the IRS, information should be communicated to management and other employees in a form and time frame that helps everyone carry out responsibilities.
(2) The following information must be communicated at all levels throughout the IRS:
Mission
Control Environment
Risk
Control Activities
Performance
(3) Communicating information efficiently and effectively requires IRS employees to evaluate the quality of information.
(4) Management obtains or generates and uses relevant and quality information from both internal and external sources to support internal control. These sources include, but are not limited to:
Leadership Alerts
IRS Headlines
MC ESC
Management reports
GAO and TIGTA
Monitoring Controls
(1) Monitoring helps the IRS determine whether internal controls are adequate, properly executed over time and effective.
Role of Management in Monitoring
(1) Management has a critical role in the internal control system. Managers should focus their monitoring activities on high-risk areas.
(2) Management should review tasks or techniques to provide a reasonable level of confidence that controls are functioning as intended.
(3) Management is responsible for governance of testing the design and operating effectiveness of internal controls.
Testing Design and Effectiveness of Internal Controls
(1) In testing the design of an internal control, management is responsible for validating that the internal controls, if implemented effectively, would address the identified risk.
(2) In testing the effectiveness of internal controls, management is responsible for validating whether the control operated effectively and consistently over a period of time.
Role of the Government Accountability Office (GAO) and TIGTA
(1) The GAO and TIGTA audit and investigate IRS operations to:
Promote economy and efficiency.
Detect and prevent fraud and abuse.
Recommend actions for improvement.
(2) The timely closure of GAO and TIGTA audit recommendations is a positive indicator of the IRS’s control environment.
Management Controls Executive Steering Committee (MC ESC)
(1) The Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement are co-chairs of the MC ESC. The CFO is the vice-chair. The members are the TDCFO; Commissioner, Small Business/Self Employed; Commissioner, Wage and Investment; Commissioner, Large Business and International; Commissioner, Tax Exempt and Government Entities; Chief Information Officer; Chief Risk Officer; Chief, Facilities Management and Security Services; Chief Privacy Officer and Human Capital Officer.
(2) The CFO chairs the MC ESC Subgroup. The other participants are the Associate CFO for IC and support staff, decision-making executive representatives of the MC ESC voting members and program managers responsible for the topics/issues being discussed by the MC ESC.
(3) The MC ESC oversees management’s design, implementation and operation of the IRS’s internal control system to ensure that internal controls are universally recognized as a shared responsibility and that internal control deficiencies are identified, analyzed and remediated. The MC ESC’s operations are governed by a charter maintained by IC.
(4) The MC ESC’s mission is to ensure that all business units and functions identify, address and correct internal control deficiencies and recognize the importance of their shared responsibility for designing and implementing strong internal controls.
(5) The MC ESC’s objectives are to build a strong relationship between risk management and internal controls and ensure existing and new controls address identified risks effectively; ensure the remediation of existing control weaknesses and prevent new ones from arising; provide an unmodified Statement of Assurance that IRS internal controls are in place and functioning effectively; and achieve an unmodified audit opinion on the IRS’s financial statements.
(6) The MC ESC oversees Servicewide progress in closing open financial statement audit recommendations.
(7) The MC ESC also:
Oversees processes to identify, remediate and close material weaknesses, significant deficiencies and other internal control issues and authorizes final engagement with GAO on the downgrade or closure of an existing material weakness or significant deficiency.
Approves reopened actions and revised due dates for these actions. A reopened action is one that the IRS implemented but for which the financial statement auditor disagrees that the IRS addressed the recommendation.
Oversees the work of the Senior Assessment Team and ensures that the IRS meets all control testing requirements including those required by OMB Circular A-123.
Ensures that the IRS meets its reporting and certification obligations under the FMFIA, FFMIA, OMB guidelines, Treasury directives and the annual assurance review process.
Serves as an alliance between business units and other steering committees to ensure proper engagement and to minimize duplicative efforts in reporting.
Approves the closure of “Hold” recommendations as “unimplemented.” Business units may request that the MC ESC approve a “Hold” recommendation be closed as “unimplemented.” The following conditions should be in place before a Planned Corrective Action (PCA) could be placed in “Hold” status:
The audit finding upon which the recommendation is based is valid.
The recommendation is in an area considered mission critical or requires an improvement that management agrees is critical/necessary.
There were no resources available at the time the response to the draft report was written.
(8) The office of the Associate CFO for IC identifies MC ESC agenda topics for:
Issues, concerns or recommendations related to the financial statement audit.
Issues driven by ICR; Quality Assurance Reviews (QAR); Annual Assurance Statement; OMB Circular A-123 transactions testing and results and other topics directed by senior IRS leadership.
(9) The office of the Chief Risk Officer identifies MC ESC agenda topics for:
Issues related to open or recently closed audits.
Active/open planned corrective actions.
GAO and TIGTA priority recommendations.
Other audits, including high priority audits or areas of significant risk or concern unless there is a known or potential effect on the financial statement audit or a significant deficiency.
Remediation Plan
(1) The FFMIA requires agency heads to assess annually whether their financial management systems can prepare required financial statements and reports, provide reliable and timely financial information for managing operations and account for assets, in accordance with federal accounting standards and the USSGL.
(2) Agencies that are not in compliance with FFMIA must develop a remediation plan to achieve compliance. The MC ESC outlines the format and information required within a remediation plan.
(3) Agencies that are not in substantial compliance with FFMIA must bring their financial management systems into substantial compliance within three years; if this cannot be achieved, Treasury must request a waiver for a longer period from OMB.
(4) As a condition of OMB’s waiver to the three-year requirement for completing FFMIA remediations, the IRS is required to provide a remediation plan and a status review of performance for all remedies that were open during the quarter. The CFO has overall responsibility for the IRS remediation plan. The MC ESC monitors the plan, which is tracked in JAMES.
(5) The remediation plan owners update the executive summary of the remediation plan with significant accomplishments achieved during the quarter and significant obstacles identified.
(6) The MC ESC approves all extensions to the final due date for any recommendation or major project with a remediation plan. Organizations must submit changes upon identification of a risk to completing a recommendation or major project by the due date.