- 1.4.2.1 Implementing the Federal Managers' Financial Integrity Act - an Overview
- 1.4.2.2 Scope and Objectives
- 1.4.2.3 Detailed Guidance
- 1.4.2.4 Responsibilities
- 1.4.2.5 Financial and Management Controls Executive Steering Committee (FMC ESC)
- 1.4.2.6 Annual Assurance Review Process
- 1.4.2.7 Remediation Plan
- 1.4.2.8 Management Controls Definitions
- 1.4.2.9 References
- Exhibit 1.4.2-1 Management Controls Accountability Program (MCAP) Handbook for Managers
- Exhibit 1.4.2-2 Self-Assessment Tool for Managers
-
The Budget and Accounting Procedures Act of 1950 requires the head of each Federal department and agency to establish and maintain adequate systems of management controls. Further, the Federal Managers' Financial Integrity Act (FMFIA) of 1982 (also known as the Integrity Act) requires, among other things:
-
That each executive agency conduct annual evaluations of its systems of internal accounting and administrative control, using guidelines established by the Director of the Office of Management and Budget (OMB); and
-
That each executive agency submit an annual statement to the President and Congress on the status of the agency's system of management controls.
-
-
Office of Management and Budget (OMB) Circular A-123 (revised) dated June 21, 1995, provides guidance to federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls. OMB Circular A-123 also requires agencies and individual federal managers to take systematic and proactive measures to develop and implement appropriate, cost-effective management controls for results-oriented management; to assess the adequacy of management controls in Federal programs and operations; to identify needed improvements and take corresponding corrective action; and to report annually on management controls.
-
Treasury Directive 40-04, dated January 4, 2001, provides guidance to Treasury managers on the Treasury Internal (Management) Control Program. Treasury confirmed by a memorandum dated August 30, 2001, that this Directive continues to apply to all Bureaus until a revision is made.
-
In addition, the Federal Financial Management Improvement Act of 1996 (FFMIA) requires agency heads to assess and report annually and in accordance with Federal accounting standards and the US Standard General Ledger (SGL) on whether their financial management systems:
-
can prepare required financial statements and reports,
-
can provide reliable and timely financial information for managing operations, and
-
can account for assets.
-
-
The Internal Revenue Service intends to maintain an effective management controls program that complies with legislative requirements and related regulations and directives.
-
Management controls are the organization, policies, and procedures used by management to assure the efficient and effective accomplishment of its mission and program objectives, and to ensure that resources are used in accordance with the mission; that programs and resources are protected from waste, fraud, and mismanagement; that laws and regulations are followed; and that reliable, timely information is obtained and used for decision making.
-
The Service's management controls are most often published in the IRM, but they may also be published in the form of standard announcements, Chief Officer memoranda, Division Commissioner memoranda, and the like.
-
IRS managers at all levels are expected to understand the risks associated with their operations, to ensure that controls are in place and operating effectively to mitigate known risks, and to provide candid, reliable, and supportable annual reports on the status of those controls.
-
This guidance applies to all IRS managers, in both Operating Divisions and Functions.
-
Detailed guidance on Servicewide procedures for assessing risk, evaluating and improving the effectiveness of management controls, and reporting requirements is provided in Exhibit 1.4.2–1, Management Controls Accountability Program (MCAP) Handbook for Managers.
-
Specific instructions for preparing required reports will be provided as needed by memoranda issued by the Chief Financial Officer.
-
The Commissioner and Deputy Commissioner of Internal Revenue have overall responsibility for the Service's system of management controls and for ensuring that the Service has an effective management controls program.
-
The Financial and Management Controls Executive Steering Committee (FMC ESC) provides policy guidance and oversight for the Service's management controls program and makes recommendations to the Commissioner on the contents of the Service's annual assurance statement to the Secretary of the Treasury.
-
The Chief Financial Officer (CFO) is IRS's Management Controls Officer, and has operational responsibility for the Service's management controls program.
-
The Office of Management Controls (OMC), on behalf of the CFO, administers the Service's management controls program. The OMC is responsible for:
-
Recommending policy and procedures for the management controls program;
-
Providing administrative support to the FMC ESC;
-
Managing the annual assurance process and preparing the Commissioner's annual assurance letter to the Secretary of the Treasury;
-
Monitoring the completion of corrective actions for material weaknesses and for audit corrective actions, and providing periodic reports to Treasury;
-
Providing advice and assistance to Service managers and their coordinators, as needed; and
-
Developing training content and assuring proper training is available to Service managers and their coordinators.
-
-
The Director, Legislative Affairs, is responsible for advising the CFO of recent or planned General Accounting Office (GAO) or Treasury Inspector General for Tax Administration (TIGTA) audit work.
-
The Division Commissioners, Chiefs, and National Taxpayer Advocate are responsible for:
-
Establishing adequate and effective controls for all operations and activities in their area of mission responsibility, Servicewide;
-
Ensuring that established controls are followed throughout their organization;
-
Conducting a self-assessment and reporting on the status of management controls in their organization to the FMC ESC annually (NOTE: Managers throughout the Service are responsible for participating in this annual assessment in accordance with the annual guidance issued);
-
Evaluating Chief and Division Commissioners' reports of significant control deficiencies and providing comments to the FMC ESC;
-
Providing adequate resources to correct identified control deficiencies; and
-
Designating a Senior Management Controls Coordinator to serve as a single point of contact for the assurance process and for FMFIA corrective actions and audit follow-up for their organization. The position occupied by the coordinator should have sufficient organizational stature to command the attention of managers throughout the Executive's organization and the ability to focus resources to correct identified deficiencies.
-
-
Senior Management Controls Coordinators are responsible for assisting their organization's top management in the basic direction and emphasis of its management controls program and serve as its primary liaison with the Office of Management Controls. Their responsibilities include:
-
Managing their organization's annual assurance review process and preparing its assurance certification memorandum;
-
Providing technical assistance to management and review teams in the evaluation of controls;
-
Preparing and submitting to the OMC verification of completion of corrective actions for significant control deficiencies, material weaknesses, and GAO and TIGTA audit reports; and
-
Monitoring the status of corrective actions for material weaknesses, control deficiencies, and audits, as well as reporting that status to the OMC.
-
-
The Financial and Management Controls Executive Steering Committee consists of 14 members (or their assigned alternates):
-
Deputy Commissioner of the IRS (Chairperson)
-
IRS Chief Financial Officer (Co-Chairperson)
-
Deputy Chief Financial Officer, Treasury Department
-
National Executive President, National Treasury Employees' Union (NTEU)
-
Associate Chief Counsel (Finance/Management)
-
Assistant Deputy Commissioner
-
Four Division Commissioners (Large & Mid-Size Business, Small Business/Self-Employed, Tax Exempt & Government Entities, Wage & Investment)
-
Four Chiefs (Agency-Wide Shared Services, Criminal Investigation, Communications & Liaison, Information Officer).
-
-
The FMC ESC meets, on average, ten times a year to review the Service's progress in correcting identified control deficiencies and audit findings, resolve cross-functional and funding or priority issues, and determine whether corrective actions have been effective.
-
The Service's annual assurance statement is due to Treasury either by the end of October or upon the conclusion of GAO's audit of the IRS Financial Statements each year, whichever is later.
-
The Chief Financial Officer will issue guidance each Spring to govern the annual self-assessment of management controls. Guidance will be issued to Chiefs and Division Commissioners, and will include the Self-Assessment Tool for Managers, which is provided as Exhibit 1.4.2–2.
-
The self-assessment will address all aspects of the organization's activities and report any significant control deficiencies that are found. The assessment should be based on the programmatic knowledge of managers and should consider the results of any reviews that have been conducted during the fiscal year.
-
Corrective action plans will be prepared for all control deficiencies identified during the self-assessment. Significant control deficiencies will be reported to the next higher level of management.
-
Corrective action plans for deficiencies identified in the previous fiscal year will be updated. Deficiencies that have been corrected will be submitted with a certificate of completion describing the validation process and the Results Indicator data that verifies that the deficiency has been corrected.
-
The results of the self-assessment are reported in an Assurance Certification Memorandum, which is due in early Summer.
-
The Assurance Certification Memorandum required by the Integrity Act will briefly describe the process used to verify the status of the organization's management controls and explain the basis for the executive's conclusions. The memorandum must contain a specific statement describing the condition of those management controls that takes one of the following three forms:
-
There is reasonable assurance that the organization's controls are effective and operating as intended, or
-
There is qualified assurance that the organization's controls are effective and operating as intended, considering the exceptions described in the report, or
-
The organization does not have reasonable assurance that its controls are effective.
-
-
Corrective action plans for newly-identified significant control deficiencies will be included in the report, as will updated corrective action plans or certificates of completion for deficiencies that were identified in previous fiscal years.
-
In addition, the memorandum must address the compliance of the Service's financial management systems with the provisions of FFMIA and also provide assurance regarding the reliability of data and the status of the Service's Continuity-of-Operations plans.
-
The Financial and Management Controls Executive Steering Committee will evaluate these reports, and based on this and other relevant information, recommend to the Commissioner what level of assurance should be submitted in the Service's annual assurance statement, and any newly-identified material weaknesses.
-
As noted above, the FFMIA requires agency heads to assess and report annually whether their financial management systems can prepare required financial statements and reports, provide reliable and timely financial information for managing operations, and account for assets, all in accordance with Federal accounting standards and the US Standard General Ledger.
-
Agencies that are not in substantial compliance with FFMIA must develop a Remediation Plan to achieve compliance. The plan must include remedies, the resources required for implementation, and proposed implementation dates.
-
Agencies that are not in substantial compliance with FFMIA must bring their financial management systems into substantial compliance within three years; if this cannot be achieved, a waiver for a longer period must be requested from OMB.
-
The Deputy Commissioner has overall responsibility for IRS' Remediation Plan. The Plan is monitored by the FMC ESC and tracked in Treasury's Inventory Tracking and Closure System (ITCS) by the Office of Management Controls.
-
Area of Concern - An instance of weak or missing controls that is important enough to be disclosed in the Commissioner's report to the Secretary, but which does not merit formal status as a material weakness.
-
Control Objective - The specific purpose for which a management control is established (i.e., to reasonably assure that a specific risk does not become a negative occurrence).
-
Material Weakness - A control deficiency that significantly impairs the fulfillment of the Service's mission or that the Commissioner determines to be significant enough to be reported outside the Service (i.e., be included in the annual Integrity Act report to the Secretary and, therefore, to the President and the Congress).
-
Qualified Assurance - A description of the condition of an organization's controls that is intermediate between "reasonable assurance" and "no assurance." It is assurance that is qualified because of the number or severity of the specific control deficiencies that are reported in the Head of Office's assurance memorandum.
-
Reasonable Assurance - An informed judgment by the head of an organization, based upon all available information, regarding the adequacy and effectiveness of the organization's management controls. Reasonable assurance recognizes that the cost of controls should not exceed the benefits derived from them. It equates to a satisfactory level of confidence that resources and mission accomplishment are adequately protected within the context of program-specific risks balanced against the costs and benefits of mitigating those risks.
-
Significant Control Deficiency - A specific instance of weak or missing controls that is of sufficient importance to be reported to the next level of management. Criteria for recognizing when to report a significant control deficiency include conditions that:
-
Could lead to a serious injury or loss of life;
-
Could exist in other parts of the organization/Service;
-
Could cause higher levels of management to be questioned by Congress or the media;
-
Could take more than three months to correct;
-
Could have potential for significant loss of government resources;
-
Could cause significant financial loss, either through misuse of appropriated funds or under collection of revenues;
-
Could break laws or violate regulations;
-
Could have potential liability to employees or third parties;
-
Could cause ethical violations by organizational personnel;
-
Could provide inaccurate information to be reported/used for management decisions;
-
Could lead to an audit qualification on a Financial Statement.
-
-
Chapter 35 of Title 44, U.S.C., known as the Paperwork Reduction Act.
-
Federal Managers' Financial Integrity Act of 1982 (P.L. 97-255) codified at 31 U.S.C. 3512.
-
Chief Financial Officers Act of 1990 (P.L. 101-576).
-
Government Performance and Results Act of 1993 (P.L. 103-62).
-
Federal Financial Management Improvement Act of 1996, Title VII of Section 101(f) of Title I, Division A of P.L. 104-208, as codified at 31 U.S.C. 3512 note.
-
OMB Circular A-11, Part 2, Preparation and Submission of Strategic Plans, Annual Performance Plans, and Annual Program Performance Reports (Revised November 8, 2001).
-
OMB Circular A-123, Management Accountability and Control (Revised June 21, 1995), prescribes policies and standards for evaluating, improving, and reporting on management controls for program, administrative, and financial activities.
-
OMB Circular A-127, Financial Management Systems (Revised July 13, 1999), prescribes policies and standards for developing, operating, evaluating and reporting on financial management systems.
-
OMB Circular A-130, Management of Federal Information Resources (Revised February 8, 1996) establishes policy for the management of Federal information resources and gives guidance for implementing those policies.
-
OMB Circular A-50, Audit follow-up (September 29, 1982) establishes requirements for responding to audit reports.
-
GAO's Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1 of November 1999) establishes government-wide standards for management controls that apply to both program management and financial management.
-
Treasury Directive 40-04, Treasury Internal (Management) Control Program (January 4, 2001), assigns responsibilities and provides guidance for establishing, evaluating, improving, and reporting on management controls for all program and administrative activities in the Department of Treasury.
-
Treasury Directive 40-03, Treasury Audit Resolution, Follow-Up, and Closure (February 2, 2001), assigns responsibilities and provides guidance for evaluating, resolving, tracking, and closing audit reports for all activities in the Department of Treasury.
-
Department of the Treasury's Federal Managers' Financial Integrity Act Guidelines for Section 2 and Section 4 (April 1988), offers guidance that may be helpful in planning for evaluations of management controls and financial management and accounting systems.
-
Management Controls Accountability Program (MCAP) Handbook for Managers, Version 2.01 of February 23, 2001, provided as Exhibit 1.4.2–1, contains detailed guidance for the Service's management controls program, as well as many of the above-listed references.
GUIDING PRINCIPLES

Achieving the IRS' strategic goals will require change at every level of the organization, from front-line employees to top managers. During this process, it is helpful to articulate principles that guide our actions. These five guiding principles are a link between our goals and the actions we take to achieve them.

PURPOSE AND SCOPE

Purpose of the Management Controls Accountability Program Handbook for Managers

As IRS managers, you are responsible for ensuring that your programs and organizations are managed effectively, and that financial, information, property, and human resource assets are protected and used wisely. The purpose of the Management Controls Accountability Program (MCAP) Handbook is to provide managers with a methodology for implementing management controls within their program to ensure effective management and protection of assets.

The Service's Guiding Principles emphasize that managers must be accountable, acknowledge and address problems, and perform with integrity. The MCAP supports these principles as well.

The MCAP fits the Service's overall Management Model. The Management Model and the MCAP are based on a linked system of management processes (Plan, Do, Review, and Revise). Both the MCAP and the Management Model support the new mission, strategic goals, and guiding principles of the Service and offer a framework for managing in a Balanced Measurement System environment.

Scope of the Management Controls Accountability Program Handbook

The Handbook provides an overview of the MCAP, which supports the Federal Managers' Financial Integrity Act (FMFIA) process. It was developed for managers at all levels of the organization and takes a "one-size-fits-all" approach. It is designed to help managers understand their responsibility for implementing, maintaining, and reporting on management controls.

Management controls are the programs, policies, and procedures established to ensure that:
• mission and program objectives are efficiently and effectively accomplished;
• programs and resources are protected from waste, fraud, abuse, mismanagement, and misappropriation of funds;
• laws and regulations are followed;
• financial reporting is reliable; and
• reliable information is obtained and used for decision making.

This Handbook conforms with the General Accounting Office (GAO) Standards for Internal Control in the Federal Government, issued November 1999, and describes and explains the:
• definition of management controls;
• importance of management controls;
• manager's roles and responsibilities;
• MCAP Process;
• Annual Assurance Reporting Process; and
• tracking and follow-up system for Corrective Action Plans.

All IRS managers must have a copy of this Handbook.

This Handbook refers to the duties of the MCAP Coordinator. The MCAP Coordinator provides support and guidance to executives and managers on conducting the MCAP. Placement and extent of involvement of the MCAP Coordinator may vary depending on the structure, size, and complexity of your organization. This Handbook is not intended as a desk guide or manual for the Coordinator. A separate document and training materials will be developed specifically to meet the needs of MCAP Coordinators.

Where the Handbook uses the term "Head of Office," it refers to the appropriate executive level within your organization.

CHAPTER 1. OVERVIEW

The importance of management controls cannot be overstated. As IRS transitions into the re-engineered core business activities and our modernization plans become a reality, all managers must continue their commitment to implementing effective and efficient management controls. Without effective controls, the Service risks wasting program dollars, and worse, losing public confidence. In addition, Treasury and GAO continue to mandate that IRS vigorously pursue management control strategies that mitigate risk in program and administrative operations.

There are numerous risks to the organization if proper controls are not in place. These include the possibility of:
• legislative and administrative goals not being achieved;
• laws or regulations being violated;
• operations that are ineffective, inefficient, or misdirected;
• unauthorized activities;
• inaccurate reports to management and others;
• waste, fraud, and abuse occurring or being concealed;
• assets being stolen or lost; and
• ultimately, risk to the achievement of tax administration goals.

Management controls are often misrepresented to be the sole responsibility of financial, procurement, or other organizations managing processes with tangible dollar assets. This is not the case; management controls are the responsibility of every manager. You are accountable for, and have stewardship of, all IRS operations within your organization, including program, administrative, and financial areas under your control.

Your responsibilities include:
• ensuring that controls are in place to protect government assets from waste, fraud, abuse, mismanagement, or misappropriation of funds;
• designing and using controls that provide "reasonable assurance" that programs are being accomplished as intended;
• continuously assessing management controls to prevent and solve problems, improve products, and provide quality service;
• where the IRS is at risk, designing and implementing remedies to mitigate risk, and measuring the results of these actions; and
• documenting your activities regarding management controls and sharing them with others as needed.

The MCAP is designed to enable managers to identify and promptly correct management control deficiencies. A continuing assessment of management controls will help you identify opportunities to prevent and solve problems, improve your products, and provide quality customer service.

Managers' Accountability

It is beneficial to both the Service and managers to be proactive in identifying problem areas and taking appropriate corrective actions before external audit sources, such as GAO and Treasury Inspector General for Tax Administration (TIGTA), issue findings or before problems escalate into serious control weaknesses. However, you must strike an appropriate balance of controls in your programs and operations. For example, an over-controlled process or program may be costly to implement and interfere with program accomplishment. Similarly, an uncontrolled or under-controlled situation may allow problems to go unnoticed and assets to be wasted.

Being focused and aware of management controls should be an integral part of the daily activities of all IRS managers and employees. By fostering open, honest communications and promoting problem-solving within your organization, you create an environment where management controls are acknowledged as tools to achieving our goals.

Legal Background

In addition to being a good business practice, management control accountability is mandated by law. In 1982, Congress passed the FMFIA requiring:
• agencies to evaluate their internal controls annually;
• GAO to issue internal controls standards; and
• Office of Management and Budget (OMB) to issue Federal guidelines, including OMB Circulars A-123 Management Accountability and Control (Rev. June 1995) and A-127 Financial Management Systems (Rev. July 1999).

Since the Act was established, all federal agencies have been required to report annually to the President and the Congress as to whether their management controls comply with the GAO's standards. Although the FMFIA reporting requirements changed at the end of FY 1999, Treasury bureaus are still mandated to evaluate and report annually on their management controls.

Congress enacted other statutes that provide a framework for management accountability. These include the Chief Financial Officers (CFO) Act of 1990, as expanded by the Government Management Reform Act (GMRA) of 1994; the Government Performance and Results Act (GPRA) of 1993; and the Federal Financial Management Improvement Act (FFMIA) of 1996.

CHAPTER 2. ROLES AND RESPONSIBILITIES

The following defines specific manager and employee responsibilities for maintaining effective management control systems.

Managers at all levels
• Provide a positive control environment;
• Identify potential risk areas;
• Ensure that adequate and effective controls are in place;
• Report results of reviews to the next level of supervision;
• Ensure reports are supportable, accurate, and candid;
• Provide adequate resources to correct identified control deficiencies; and
• Implement corrective actions timely and validate outcomes.

Heads of Office

In addition to the above responsibilities for all managers, Heads of Office must also:
• Provide oversight and direction of management controls within their organization;
• Designate an MCAP coordinator as the single point of contact for management controls;
• Review and assess subordinate managers' reports of control deficiencies;
• Approve proposed Corrective Action Plans to correct identified deficiencies;
• Report periodically on the progress of corrective action plans; and
• Report annually on the status of management controls.

MCAP Coordinators
• Assist managers in the administration of and emphasis on management controls;
• Provide process support and advice to managers;
• Coordinate and analyze management control reports;
• Make recommendations to Heads of Office on management control issues;
• Consolidate and prepare the Annual Assurance Certification Letter for their organization; and
• Maintain tracking systems to monitor Corrective Action Plans and advise management on the status of deficiencies.

Office of Management Controls (OMC)
• Administers IRS' process for the Management Controls Accountability Program;
• Prepares the Commissioner's Annual Assurance statement;
• Monitors development and progress of Corrective Action Plans for Material Weaknesses and National Significant Control Deficiencies;
• Provides direction and assistance to Heads of Office and MCAP Coordinators;
• Develops training courses and materials on management controls; and
• Prepares and maintains management controls guidance (e.g., IRM, Handbook, OMC web page).

Chief Financial Officer/Director, Financial Analysis
• Provides leadership and has operational responsibility for IRS management controls program;
• Issues annual call letters to guide the annual certification reporting process; and
• Oversees timely completion of OMB Circular A-123 and A-127 reviews.

Financial and Management Controls Executive Steering Committee (FMC ESC)
• Strategically manages IRS initiatives aimed at strengthening financial and management accountability;
• Ensures that appropriate controls are an integral part of all IRS programs; and
• Provides top leadership perspective and direction in addressing important cross-functional issues.

Commissioner of Internal Revenue
• Responsible for ensuring management accountability throughout the IRS; and
• Reports the status of management controls to the Secretary of the Treasury via the Service's Annual Report.

The Secretary of the Treasury
• Responsible for ensuring management accountability throughout the Department of the Treasury; and
• Reports annually to the President and Congress on the status of management controls via Treasury's Annual Report.

CHAPTER 3. MCAP PROCESS

The MCAP process is an ongoing practice that encompasses all aspects of IRS operations. The MCAP process steps are:
• Identify Risk;
• Determine Existing Controls;
• Establish New Controls or Revise Existing Controls;
• Assess/Review Management Controls;
• Document Results of Reviews;
• Document, Report, and Correct Significant Control Deficiencies; and
• Validate Outcomes.

This chapter addresses each step and explains use of the MCAP process to:
1. understand the risks associated with your operation;
2. ensure that controls are in place and operating effectively to mitigate known risks; and
3. provide candid, reliable and supportable reports on the status of those controls.

3A. IDENTIFY RISK

Risk is nothing more than the probability of a negative, unanticipated occurrence. Risk is inherent in every activity; therefore, it is essential that you identify the probability of risk within your operations and activities. Unacceptable or highly undesirable risk becomes the basis for establishing and maintaining management controls.

You should be primarily concerned with the risk areas within your program authority. This can vary from manager to manager, even within the same function. For example, all Collection managers would identify the timely filing of Federal tax liens as a potential risk area. However, the manager of the Offers-in-Compromise group would have an additional risk associated with maintaining proper documentation to support the acceptance or rejection of an offer that other managers would not.

Some areas or occurrences with higher potential for risk include:
• Changes in organizational structure, processes, procedures, personnel, and systems;
• Cash handling activities;
• Procurement activity;
• Security;
• Stakeholder interest in your operation;
• Level of reliance on computerization; and
• Staffing.

Research Sources to Identify Risk

The assessment of risk is based on your organizational knowledge, knowledge gained from other organizations, and communication with your employees. Risk can often be identified in previous reviews of the organization rather than requiring the manager to perform a new review. To identify risk, you must:

a. Review findings from previous reviews and reports, such as:
• GAO and TIGTA audit reports;
• Operational reviews or Special Assurance reviews;
• Office of Security and Privacy Oversight reviews;
• Balanced Measures reviews; and
• Other reviews performed by management in the course of their duties.

b. Ensure that organizational processes are performed in accordance with written policies and procedures, such as:
• Legislation;
• OMB Circulars;
• Treasury Department Directives;
• Internal Revenue Manual (IRM);
• Internal Revenue Service Policy Statements;
• Delegation Orders;
• Integrated Data Retrieval System (IDRS) Operations Handbook; and
• Systems Users Manuals.

c. Involve your employees in identifying risk. Since employees are often closest to the organization's daily operations, they may become aware of risks and can alert you to problems as they arise.

Examples of actions a manager might take to identify risks include:
• Verification of Form 809, Receipt for Payment of Taxes;
• Post review of case files (e.g., seizure and sale files to ensure conformity with statutes, regulations, and IRM);
• Consideration of Disclosure/Privacy Act implications in all activities, including review of files and personnel folders;
• Timely initiation of background and security investigations and appropriate action taken based on outcome of the investigation;
• Monitoring of telephone traffic volumes to ensure timely customer service; and
• Periodic reviews of access to sensitive command codes on IDRS.

Assess Level of Risk

You need to make informed judgments in order to determine the level of risk for the activities within your organization. Depending on the impact of negative occurrences, the level of risk will vary from activity to activity. For instance, an activity that violates statutory or regulatory requirements would be assessed at a high level of risk while missing one step in standard operating procedures might have lesser consequences. Your assessment of the level of risk will guide you in determining where management controls need to be strengthened or established.

3B. DETERMINE EXISTING CONTROLS

Once risk areas have been identified, determine what management controls exist for those areas. A management control is the method by which an organization governs its activities. Controls provide 'reasonable assurance' that programs and administrative activities are efficient, effective, and pose the lowest level of potential risk.

Management controls provide "reasonable assurance" that:

• revenue and expenditures are properly recorded and accounted for,
• wrongful acts are extremely difficult, abuses are discouraged, and safeguards against carelessness are in place, and
• abusive or careless acts are detected shortly after they occur and trigger necessary corrective actions.

Controls are not separate systems or processes; they are tools routinely used by managers to manage their operations. The focus is not to have more controls but to have effective controls that mitigate risks. Some examples of management controls are:

• separation of duties;
• adequate supervision;
• reconciliation of records from two sources (e.g., matching travel receipts against the travel vouchers);
• reconciliation of records against physical inventories;
• limiting access (e.g., passwords on data systems);
• verification of data entry;
• documentation of processes and procedures (e.g., IRM, Standard Operating Procedures);
• written delegations of authority; and
• logs/checklists.

To determine existing controls, begin by comparing current practices and processes against existing procedures, policies and guidelines. Also consult your peers and employees to ensure that existing controls have been identified and that they do not overlap or conflict with other controls that are in place. It is as important to eliminate unnecessary or duplicative controls as it is to establish new controls.

Some "red flags" that may indicate a need for assessing existing controls are:

• costs mis-charged
• management turnover
• geographic dispersion
• one or a small group of employees handling all steps of a process
• training not provided
• infrequent reviews
• reorganization
• old or new automated systems
• security incidents
• environmental control problems
• adverse publicity
• inadequate reports
• increase in errors
• customer dissatisfaction
• employee dissatisfaction

Examples of control methods for specific areas of concern are listed below.

| Area of Concern | Control Method |
| Inventory Controls | Physical inventory reconciliation is performed |
| Procedures | Procedures are disseminated on a timely basis to the proper employees |
| Delegation of Authority | Authority to approve critical processes is delegated to the appropriate level and is documented |
| Limit system access | User profiles for systems access are appropriate for the requirements of the job |
| Separation of Duties | Duties are separated to avoid having one employee or a small group of employees handling all steps of a process |
| Supervision | Adequate supervision to ensure organizational goals are achieved |
| Quality Reviews | Workload reviews are conducted to ensure quality work products |
| Data Security | Sensitive information is protected from unauthorized access |
| Physical Asset Security | Assets (laptops, etc.) secured to protect against theft |

The GAO Standards contain additional examples of control activities, including specific control activities for information systems.

If controls are needed and none currently exist, you may be responsible for establishing them (see Chapter 3.C). In cases where you determine that the level of risk does not justify establishing a formal control mechanism, you should still document your findings and decisions for future reference and use in the Annual Assurance Review Process (see Chapter 4).
3C. ESTABLISH NEW MANAGEMENT CONTROLS OR REVISE EXISTING CONTROLS

Once you have decided that a process needs a control, determine whether you own the process.

If you do not own the process at risk but it impacts your operation, proactively coordinate with the process owners or other stakeholders to encourage them to improve those management controls. You may also find it necessary to elevate the issue to higher levels. The control you are using may be a standardized control for your organization. However, if you find that it is not working properly, you should still inform the next higher organizational level although you may not have the authority to change the control. A lack of controls in one process may be impacting other processes, and a change to procedures may benefit several parts of the organization.

Once you have determined what controls exist or have established new controls, the next step is to assess their effectiveness (see Chapter 3.D). The assessment and review of your management controls is an ongoing process.

If you do own the process, determine the appropriate method of control to mitigate the risk (see Chapter 3.B). In selecting control methods, consider the following criteria:

• the control must be consistent with operational objectives or legislative requirements; and
• the control must be cost effective.

Ensure that control costs do not exceed the benefit to be derived. It may be cost prohibitive to implement a control that fully eliminates risk, but a cost-effective control could be implemented that mitigates risk to an acceptable level. For instance, it would not be cost effective to buy a $500 locking cabinet to protect $300 worth of calculators. Although that might fully eliminate the risk of theft, you could, at no cost, store the calculators in a locked office each night, thereby mitigating the risk to an acceptable level. On the other hand, if you have purchased ten laptops valued at $2,500 each, it might be appropriate and cost effective to purchase a $500 locking cabinet to secure the laptops.
3D. REVIEW/ASSESS MANAGEMENT CONTROLS

Because organizational conditions are constantly changing, you will need to assess your management controls continuously. Be alert to the potential impact of changing organizational structure, objectives, processes and procedures, personnel, and systems on your operations and initiate required reviews as necessary. Circumstances that should cause you to initiate a review are:

• Changing conditions (e.g., reorganization, phase-out of operations, personnel turnover);
• Current controls do not appear to be effective or cost beneficial;
• Assumption of a new responsibility, organization, or program;
• Conditions indicate reduced level of quality or customer satisfaction;
• External sources (e.g., taxpayers, Congress, GAO, TIGTA) express concern that may indicate control problems;
• Policy or procedures change; or
• Policy or procedure (local or national, internal or external) mandates a review.

When conducting control reviews, determine the dependencies or effects the control has on other areas of the organization. Identifying dependencies often reflects a need for input from other organizations and/or personnel.

Conducting Review

To test the adequacy of management controls, determine whether they are:

• Implemented as designed and meet the control objectives of mitigating risk to an acceptable level;
• Performed by competent personnel;
• Consistent with operational objectives or legislative requirements; and
• Efficient and cost effective.

There are various techniques for testing the adequacy of controls. However, before applying any of these techniques, examine the results of past reviews that address the adequacy of your controls. These include both internal reviews (e.g., operational reviews of records/cases/processes; reviews for compliance with OMB Circulars A-127 and A-130, Management of Federal Information Resources, (Rev. February 1996)); and external reviews (e.g., reviews conducted by GAO, TIGTA).

Other techniques for testing the adequacy of controls are:

Walk-Through - A walk-through of operations is made to observe how the control functions in actual practice. During the walk-through, determine how the control is meeting the objective. Any facet of operations that raises a concern should be identified for further analysis as to whether a control deficiency exists.

Individual and/or Group Interviews - Interviews are an important testing technique to facilitate an understanding of how controls are functioning. Often, the best sources of information are personnel performing the operation. Combining inquiry and observation can often provide valuable insights into problem areas, such as a lack of financial and personnel resources necessary to effectively meet control objectives.

Sampling - If there are a considerable number of documents or transactions performed, you may review a sample of them. If no discrepancies are noted, then a reasonable conclusion is that the control is adequate. If discrepancies are identified, you should examine additional documents/transactions to confirm whether the control is functioning as designed.

Analysis of Source Document Processing - Select a sample of source documents and follow them through each step of the process. Source document analysis can often disclose improper procedures, failure to follow procedures, or breakdowns among processing steps.

A combination of test procedures - You may want to combine several methods of review to ensure that your controls are adequate.

Assessing Review Results

At the conclusion of your review, assess whether the existing control:

• provides reasonable assurance that the objectives are being achieved in an efficient and effective manner; or
• is deficient and needs to be corrected.

For each deficiency identified, assess the degree of seriousness using one of the categories explained below. This assessment is critical in helping you determine the next step in the process.

Control Deficiency - A control deficiency is an instance of weak, missing, or improper controls that is of local concern. A control deficiency may occur as part of the day-to-day activities. These deficiencies could result from policies and procedures not being followed, mistakes, work habits/conditions, system breakdowns, or other routine operating occurrences. Ideally, deficiencies within your control should be resolved as quickly as possible and at the lowest possible level. However, if it is not within your authority to correct the deficiency, you should elevate the deficiency to the next level of management for action (See Chapter 3.F).

Significant Control Deficiency - A significant control deficiency is a control deficiency that is of sufficient importance to be reported to the next level of management. To qualify as significant, the control deficiency may:

• Impair the fulfillment of the organization's mission;
• Deprive the public of needed services;
• Violate statutory or regulatory requirements;
• Greatly weaken safeguards against waste, fraud, abuse, mismanagement or misappropriation of funds, property or other assets;
• Result in adverse publicity and erosion of public confidence in the Service's integrity; or
• Result in a conflict of interest.

If you are in doubt about the significance of the deficiency, elevate the issue as a potential significant control deficiency to the next level of management and inform your MCAP Coordinator.

Material Weakness - A material weakness is a significant control deficiency of sufficient importance to be reported annually to the Department of Treasury and, ultimately, to the President and Congress until corrected. The determination that a significant control deficiency is a material weakness is only made by top Service executives on the Financial & Management Controls Executive Steering Committee (FMC ESC).
3E. DOCUMENT RESULTS OF REVIEWS

If no deficiencies have been identified in the course of your review, document the results of your reviews and retain them for use in preparing your Annual Assurance Certification Letter (see Chapter IV). The documentation can be as simple as a memorandum explaining the review methods and results. It normally does not require a separate formal report. Your documentation may also be incorporated into other management reports as long as it is identified as the results of a management control review.

If deficiencies have been identified and you are able to correct them, take the appropriate action and retain the documentation for the Annual Assurance Certification Letter.

If you determine that the deficiency falls into the category of a significant control deficiency and must be elevated to the next level of management, additional documentation is required (see Chapter 3.F).
3F. DOCUMENT, REPORT, AND CORRECT SIGNIFICANT CONTROL DEFICIENCY

Documenting and Reporting Significant Control Deficiencies

All significant control deficiencies or potential significant control deficiencies should be reported as soon as identified on a Report of Significant Control Deficiency form (see Exhibit 3-F-1). These issues are then elevated to the next level of management with a copy to the MCAP Coordinator. Your report will provide management with the information necessary to clearly understand the problem and assess the level of risk.

In some instances, you may identify a potential significant control deficiency but have no control over the actions necessary to correct it. In this case, you would elevate the issue to the next level of management for possible action and review. For example, you become aware of deficiencies in the clearance process for separating employees. You do not own the process, but the issue should be provided to the owner of the process for appropriate action. In this case, you only need to submit Part I of the Report of Significant Control Deficiency to the next level of management with as much information as is available. You may not have the expertise to provide all the information in detailed, technical terms. Once the issue is shared with the appropriate program area, they may consult with you and others for additional information. If the deficiency is determined to be valid and requires a Corrective Action Plan, the process owner will be responsible for finalizing Part I and preparing Part II of the Report of Significant Control Deficiency.

If it is appropriate to develop the corrective action plan at your level, your proposed plan will include all the actions needed to correct the deficiency (see Exhibit 3-F-2). When preparing the corrective action plan:

• Develop actions that are specific and describe the end result. For example, the action should be: "Revise and issue procedures to the field," not "Review current procedures."
• Ensure commitment of other stakeholders before establishing any action that requires activity outside your control.
• Set realistic due dates. Successful plan completion may be dependent upon available resources, functional interdependencies, labor negotiations, legislation, or modernization issues. Therefore, consult with others as necessary in establishing realistic completion dates. Do not use "ongoing" as a completion date; always set a specific due date, e.g., MM/DD/YYYY. If completion date is long term, it may be necessary to establish interim milestone dates.
• Describe the goal and establish performance measures. Performance measures and goals serve as progress indicators for correcting the deficiency.
• Describe the validation process. This is a description of how you propose to collect the data supporting the performance measure(s) that will determine if the deficiency has been successfully corrected. Describe the type and quantity of data to be gathered, the method of collection, and the source of the data.

Once the Report of Significant Control Deficiency is completed, elevate it to the next level of management, and provide a copy to the MCAP Coordinator.

If you are the manager at the next level, you are responsible for reviewing the report and determining the validity of the issue, based on your knowledge and expertise. As a second-level manager, you will need to decide which one of the following actions is appropriate:

• return the report to the preparer if the issue is not valid or if additional information/clarification is needed;
• develop a Corrective Action Plan if it is appropriate at your level and obtain approval from your manager;
• approve the corrective actions for implementation;
• elevate the issue to the next higher level of management or process owner.

Correcting Significant Control Deficiencies

Approved plans will be returned to the appropriate-level manager for implementation. The manager must then monitor and regularly report progress to the approving official. Periodically, the manager must also assess whether the Corrective Action Plan is achieving the desired goal(s) and continues to be relevant under current operational conditions. Managers must document and obtain the appropriate level of approval to complete or revise an action or reschedule a target date. Provide a copy of all approved documentation to the MCAP Coordinator for tracking purposes.

| Exhibit 3-F-1 REPORT OF SIGNIFICANT CONTROL DEFICIENCY (Part 1) |
| Control Number | The MCAP Coordinator will assign a control number. |
| Title | Enter a short but descriptive title of the deficiency |
| Responsible Official | The title of the official(s) accountable for correcting the deficiency. If you are not sure who this is, leave it blank. (Also identify a contact person who will maintain continuing knowledge of the issue.) |
| Description | Describe the deficiency in terms of its effect on mission accomplishment, lost revenue, error rates, or impact on compliance, taxpayer burden, operating efficiency, etc. |
| Source of Discovery | How was the deficiency identified? Sources usually include, but are not limited to, Management Controls Accountability Program (MCAP) or Annual Assurance Review (AAR) Processes, operational reviews, Special Assurance Reviews, performance assessments/appraisals, GAO or TIGTA audits, process analyses, etc. |
| Correction Strategy | Briefly summarize the proposed approach or course of action to correct the deficiency. |
| Desired Outcome | Briefly describe the goal and desired outcome that will be achieved once all corrective actions have been completed. |
| Results Indicator/Effectiveness Measures | Briefly describe what indicators will be used to evaluate whether the actions taken have corrected the underlying cause of the deficiency. Indicators must be specifically related to the deficiency and be based on observable performance measures, either qualitative or quantitative. (See discussion on Exhibit 3-F-2) |
| Validation Process | Describe how data will be collected to support the Results Indicator. Possible methods include using existing management information (reports) or business data, special surveys, sampling and analyzing data, special assurance reviews, audits, interviews, etc. |
| Target Correction Date | Enter the date by which all corrective actions are expected to be completed and validated. |
| Other Issues | Use this space to briefly explain anything else that requires top management's assistance or attention, including any related concerns such as resource needs, dependencies with other organizations, cross-functional ownership, etc. |
| Prepared by: Name, Org Code Address Location & Phone Number Date of Preparation |
| Include the name, office codes and phone number of the manager who has identified the deficiency. (The submitting official is not necessarily the Responsible Official for correcting the deficiency) | |
| Exhibit 3-F-1 REPORT OF SIGNIFICANT CONTROL DEFICIENCY (Part 2) |
| Title – Use same short descriptive title as on previous page | |||
| Major Milestones | Milestone Completion Dates | ||
| Original Plan | Revised Plan | Actual Date | |
| List all actions needed to correct the deficiency, including those that have been completed. | |||
| List actions in chronological order. | |||
| Update the plan as necessary to reflect revised or actual completion dates. | |||
| Prepared by: Name, Org Code Address Location & Phone Number Date of Preparation |
| Exhibit 3-F-2 |

Additional Guidance on Setting Goals and Selecting Results Indicators

Indicators

Indicators (or measures) assist in determining how well the process is now working compared to past performance. They can also help you identify positive/negative factors affecting program and administrative performance/effectiveness.

In developing an appropriate Results Indicator (or performance measure), first consider the deficiency you are trying to correct or improve, such as timeliness of certain actions, reduction in the error rate of a particular process, decrease in the number of security lapses at a site, etc. Examples of an appropriate Results Indicator include:

• average timeliness of cash deposits,
• error rate for processing clearance forms,
• number of security lapses at XX site.

If the Results Indicator selected does not directly tie to the specific deficiency, the corrective actions may fix the problem but may not be reflected in the performance results. Therefore, ensure that the Results Indicator is relevant to the problem being fixed and is based on observable performance measures, either quantitative or qualitative.

Goals

Goals are used to tie the Results Indicator to the improvement of a particular product, process, or Service deficiency. Goals can be qualitative or quantitative.

Qualitative goals are general in nature and suggest a desired direction but do not establish a specific numeric target (e.g., "Improve timely filing of travel vouchers"). Qualitative goals may be appropriate for new processes or processes for which no baseline data exists. However, without baseline data and quantitative measures, it will be difficult to assess whether your goals have been met.

Quantitative goals are more focused and establish a specific numeric target (e.g., "Travel Vouchers will be filed within five business days after the end of the month."). Quantitative goals should be based on statistically valid results of previous reviews or a compilation of information or numerical/quantitative recordation. In establishing quantitative goals, consider the anticipated level of available resources to implement your corrective action plan, organizational priorities and initiatives, and the interaction between multiple organizational goals. For instance, raising the quality level as a goal may inadvertently decrease timeliness unless additional resources are provided to accomplish the task.

Examples of Results Indicators with quantitative goals include:

• Increase the "average timeliness of cash deposits" from 48 hours to 24 hours
• Reduce the "error rate for processing clearance forms" from 20% to less than 3%
• Reduce the "number of security lapses at XX site" from 25 per year to 0.

For additional information on establishing Results Indicators, performance measures, and goals, consult the Balance Checking Matrix and related steps of the problem solving process described in IRM 1.5.2, Managing Statistics in a Balanced Measurement System and the IRS Balanced Measurement Approach to Leadership, Training Course 9015.

3G. VALIDATE OUTCOMES

When all corrective actions are completed, apply the validation process in your plan to evaluate whether the actions taken achieved the desired outcome as indicated by your Results Indicator. If the measure of the Results Indicator implies that the deficiency has not been corrected, examine whether the corrective actions were effective and/or the validation process was appropriate. If the Corrective Action Plan was not effective, review, revise, and implement a new plan.

Once your Results Indicator validates that your corrective actions have effectively cured the significant control deficiency, forward documentation to the approving official for concurrence. This concurrence represents management's assurance that the problem/deficiency has been successfully corrected. A copy should be submitted to the MCAP







