Accessibility Skip to Top Navigation Skip to Main Content Home  |  Change Text Size  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  

Part 1. Organization, Finance and Management

Chapter 4. Resource Guide for Managers

Section 2. Monitoring and Improving Internal Control

1.4.2  Monitoring and Improving Internal Control

1.4.2.1  (08-28-2009)
Management's Responsibility for Internal Control

  1. The Budget and Accounting Procedures Act of 1950 requires the head of each Federal department and agency to establish and maintain adequate systems of management controls. Further, the Federal Managers' Financial Integrity Act (FMFIA) of 1982,as codified at 31 U.S.C. §3512 (hereinafter "FMFIA" ), requires each executive agency to establish internal accounting and administrative controls in accordance with standards prescribed by the Comptroller General. These controls will provide reasonable assurance that:

    • Obligations and costs are in compliance with applicable law.

    • Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation.

    • Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts, reliable financial and statistical reports, and to maintain accountability over assets.

  2. The FMFIA also requires that each executive agency:

    • Resolve audit findings promptly.

    • Conduct annual evaluations of its systems of internal accounting and administrative control using guidelines established by the Director of the Office of Management and Budget (OMB).

    • Submit an annual statement to the President and Congress on the status of the agency's system of internal control.

  3. OMB, Circular A-123 (revised) dated December 31, 2004, Management's Responsibility for Internal Control, requires agencies and individual Federal managers to take systematic and proactive measures to:

    • Develop and implement appropriate, cost-effective internal control for results-oriented management.

    • Assess the adequacy of internal control in Federal programs and operations.

    • Assess and document internal control over financial reporting separately.

    • Identify needed improvements and take corresponding corrective action.

    • Report annually on internal control through management assurance statements.

  4. The Federal Financial Management Improvement Act of 1996 (FFMIA), codified in a note to 31 U.S.C. §3512, established in statute the requirement for certain financial management systems. The FFMIA was intended to advance Federal Government financial management by ensuring Federal management systems can and do provide reliable, consistent disclosure of financial data. Further, this disclosure should be done on a basis that is uniform across the Federal Government from year to year, by consistently using professionally accepted accounting standards. Specifically, FFMIA section 803 (a) requires each agency to implement and maintain systems that comply substantially with:

    • Federal Government financial management systems requirements.

    • Applicable Federal Government accounting standards.

    • The United States Standard General Ledger (USSGL) at the transaction level.

  5. Under the Government Performance and Results Act (GPRA) of 1993 and P.L.106-51, the Reports Consolidation Act of 2000, the Commissioner is required to provide assurance in the Annual Assurance Statement that the IRS Critical Performance Measures are reliable.

1.4.2.2  (08-28-2009)
Overview

  1. The importance of internal control cannot be overstated. All managers must be committed to implementing effective and efficient internal controls. Internal controls are processes, both administrative and program specific, that ensure programs achieve their intended results, organizations realize their goals, laws and regulations are complied with, assets are safeguarded, and financial and management reports are accurate, complete, and timely. Treasury and the Treasury Inspector General for Tax Administration (TIGTA) provide oversight to ensure control strategies are implemented that mitigate risk in program and administrative operations.

  2. Internal controls are the responsibility of every manager. Managers are accountable for and have stewardship of all IRS assigned operations within their organization, including program, administrative, and financial areas, including:

    • Design and use of controls that provide 'reasonable assurance' that programs are being accomplished as intended.

    • Continue assessments to ensure controls are in place and operating as intended.

    • Identify risks to program accomplishments, compliance with laws and regulations, accuracy of reporting.

    • Implement remedies to mitigate risk and measure the results of these actions.

  3. It is beneficial to both the IRS and managers to be proactive in identifying problem areas and taking appropriate corrective actions before external audit sources, such as the Government Accountability Office (GAO) and TIGTA, issue findings or before problems escalate into serious control weaknesses. However, there must be an appropriate balance of control in programs and operations. For example, an over-controlled process or program may be costly to implement and interfere with program accomplishment. Similarly, an uncontrolled or under-controlled situation may allow problems to go unnoticed and assets to be wasted.

  4. Being focused and aware of internal controls should be an integral part of the daily activities of all IRS managers and employees. By fostering open, honest communications and promoting problem-solving within an organization, managers create an environment where internal controls are acknowledged as tools to achieving goals.

1.4.2.3  (08-28-2009)
Scope and Objectives

  1. The IRS intends to maintain an effective internal control program that complies with legislative requirements and related regulations and directives, such as the Standards for Internal Control in the Federal Government, commonly known as the "Green Book."

  2. Internal controls are the programs, policies, and procedures established to ensure that:

    • Mission and program objectives are efficiently and effectively accomplished.

    • Program and resources are protected from waste, fraud, abuse, mismanagement, and misappropriation of funds.

    • Laws and regulations are followed.

    • Financial reporting is reliable.

    • Reliable information is obtained and used for decision making.

  3. This guidance applies to IRS managers at all levels, who are expected to understand the risks associated with their operations, to ensure that controls are in place and operating effectively to mitigate known risks, and to provide candid, reliable, and supportable annual reports on the status of those controls.

1.4.2.4  (08-28-2009)
Roles and Responsibilities

  1. The Commissioner and Deputy Commissioners have overall responsibility for the Service's system of internal control and for ensuring that the Service has an effective internal control program.

  2. The Financial and Management Controls Executive Steering Committee (FMC ESC) provides policy guidance and oversight for the Service's internal control program and makes recommendations to the Commissioner on the contents of the Service's Annual Assurance Statement to the Secretary of the Treasury. ( See IRM 1.4.2.5.)

  3. The Chief Financial Officer (CFO) has operational responsibility for the IRS internal control program.

  4. The Associate CFO for Corporate Planning and Internal Control (CPIC), Office of Internal Control (OIC), on behalf of the CFO, administers the IRS internal control program and is responsible for:

    1. Recommending policy and procedures for the internal control program.

    2. Implementing OMB's Circular A-123 requirements.

    3. Providing administrative support to the FMC ESC.

    4. Managing the annual assurance process and preparing the Commissioner's annual assurance letter to the Secretary of the Treasury.

    5. Monitoring the completion of corrective actions for material weaknesses, significant deficiencies (a problem in the design or operation of an internal control that should be reported to the next level of management, formerly called reportable conditions), and for auditing corrective actions, and providing periodic reports to Treasury.

    6. Providing advice and assistance to IRS managers and their coordinators, as needed.

    7. Maintaining the Joint Audit Management Enterprise System (JAMES), Treasury’s web-based internal control tracking system.

  5. The Director, Office of Legislative Affairs, is responsible for advising the CFO of recent or planned GAO or TIGTA audit work.

  6. The Division Commissioners, Chief Officers, National Taxpayer Advocate, Chief Counsel, and Director, Office of Research, Analysis and Statistics are responsible for:

    1. Establishing adequate and effective controls for all operations and activities in their area of mission responsibility.

    2. Ensuring that established controls are followed throughout their organization.

    3. Conducting a self-assessment and reporting on the status of internal control in their organization to the FMC ESC annually. (Managers throughout the Service are responsible for participating in this annual assessment in accordance with the annual guidance issued.)

    4. Evaluating reports of significant deficiencies and providing comments to the FMC ESC.

    5. Providing adequate resources to correct identified material weaknesses and significant deficiencies.

    6. Designating an Internal Control Coordinator to serve as a single point of contact for the assurance process and for FMFIA corrective actions and audit follow-up for their organization.

  7. Managers At All Levels are responsible for:

    1. Providing a positive control environment.

    2. Identifying potential risk areas.

    3. Ensuring that adequate and effective controls are in place.

    4. Reporting results of reviews to the next level of management.

    5. Ensuring reports are supportable, accurate, and candid.

    6. Providing adequate resources to correct identified problems.

    7. Implementing corrective actions timely.

    8. Validating outcomes.

  8. Internal Control Coordinators are responsible for assisting management in developing and maintaining its management control program and serve as the primary liaison with the OIC. Their responsibilities include:

    1. Managing their organization's annual assurance review process and preparing its assurance certification memorandum.

    2. Providing technical assistance to management and review teams in the evaluation of controls.

    3. Preparing and submitting to the Director, Office of Internal Control, verification of completion of corrective actions for significant deficiencies, material weaknesses, and GAO and TIGTA audit reports.

    4. Monitoring the status of corrective actions for material weaknesses, significant deficiencies, and audits, as well as reporting that status to the OIC.

    5. Ensures that data contained within JAMES is updated and accurate.

1.4.2.5  (08-28-2009)
Financial and Management Controls Executive Steering Committee (FMC ESC)

  1. The Financial and Management Controls Executive Steering Committee has the following permanent members:

    1. Deputy Commissioner for Operations Support

    2. Chief Financial Officer (Chair)

    3. Treasury Deputy Chief Financial Officer

    4. Commissioner, Small Business/Self-Employed Division

    5. Commissioner, Wage and Investment Division

    6. Chief Technology Officer

    7. Director, Office of Research, Analysis and Statistics

    8. Associate Chief Counsel (Finance/Management)

  2. The FMC ESC will also have three rotating members, each for a one-year term. The rotating members will be Division Commissioners or Chief Officers.

  3. The FMC ESC does not supplant line management responsibility for financial and management controls; rather, it provides a top leadership perspective and addresses important cross-functional issues, such as:

    1. Financial Statement Audit

    2. Remediation Plans

    3. Material Weaknesses and Significant Deficiencies

    4. FMFIA

    5. Federal Financial Management Improvement Act

    6. OMB Circular A-123, Management's Responsibility for Internal Control

    7. Annual Assurance Process

    8. GAO and TIGTA audit findings

  4. The FMC ESC meets quarterly to discuss the status of material weaknesses and significant deficiencies. The FMC ESC's roles and responsibilities are:

    1. Providing oversight of IRS actions to correct material weaknesses and significant deficiencies by ensuring: (a) cross-functional coordination, (b) root causes of problems are identified and the corrective actions resolve the root causes, (c) costs and benefits are identified to establish priorities and measure results, (d) adequate management of risks, and (e) corrective actions are completed timely and adequately.

    2. Determining new material weaknesses and significant deficiencies.

    3. Monitoring the resolution of issues identified by GAO in the Financial Statement Audit and High Risk reports.

    4. Recommending downgrade or closure of material weaknesses.

    5. Closing significant deficiencies that have validated the achievement of their results indicators.

    6. Recommending the FMFIA annual level of assurance to the Commissioner.

    7. Recommending the OMB Circular A-123 level of assurance the IRS will provide to Treasury.

    8. Monitoring, reporting and certifying obligations under FMFIA, FFMIA, Treasury Directives, and the Annual Assurance Review Process.

  5. The Director, OIC, is the FMC ESC Program Manager. The OIC staff provides support to the FMC ESC by assisting the FMC ESC in meeting its responsibilities as described in the previous section. The responsibilities of the OIC program staff include:

    1. Providing an early alert system for risks, obstacles, and barriers in completing actions for material weaknesses, significant deficiencies, and Remediation Plans.

    2. Assisting business units to develop mitigating strategies for identified risks, obstacles, and barriers.

    3. Leading the Annual Assurance Review Process.

    4. Developing agendas for FMC ESC meetings, preparing the materials that will be presented in advance, and recording and keeping track of decisions and action items.

    5. Supporting the FMC ESC in meeting its reporting and certifying obligations under FMFIA, FFMIA, OMB Circulars, Treasury Directives, and the Annual Assurance Review Process.

    6. Coordinating issues with Treasury, GAO, and TIGTA.

1.4.2.6  (08-28-2009)
Internal Control Process

  1. The internal control process is ongoing and encompasses all aspects of IRS operations. The internal control process steps are:

    1. Identify risk.

    2. Determine existing controls.

    3. Establish new controls or revise existing controls.

    4. Document results of reviews.

    5. Document, report, and correct significant deficiencies.

    6. Validate outcomes.

    7. Develop indicators and goals.

1.4.2.6.1  (08-28-2009)
Identify Risk

  1. Risk is the probability of a negative, unanticipated occurrence. Risk is inherent in every activity; therefore, it is essential that managers identify the probability of risk within the operation and activity. Unacceptable or highly undesirable risk becomes the basis for establishing and maintaining internal control.

  2. Some areas or occurrences with higher potential for risk include:

    1. Cash handling activities.

    2. Procurement activity.

    3. Security.

    4. Level of reliance on automated processes.

    5. Changes in organizational structure, processes, procedures, personnel, and systems.

    6. Level of reliance on contractors.

  3. The assessment of risk is based on the manager's organizational knowledge and communication with employees. To identify risk, the manager should:

    1. Review findings from previous reviews and reports, such as management reviews and GAO and TIGTA audit reports.

    2. Ensure that organizational processes are performed in accordance with written policies and procedures, such as legislation, OMB Circulars, Department of Treasury directives, Standards for Internal Control in the Federal Government,and the Internal Revenue Manual (IRM).

    3. Involve employees in identifying risk.

  4. Examples of actions a manager might take to identify risks include:

    1. Verify Form 809, Receipt for Payment of Taxes.

    2. Post review of case files (e.g., seizure and sale files) to ensure conformity with statutes, regulations, and the IRM.

    3. Consider Disclosure/Privacy Act implications in all activities, including review of files and personnel folders.

    4. Initiate timely background and security investigations and take appropriate action based on the outcome of the investigation.

    5. Monitor telephone traffic volumes to ensure timely customer service.

    6. Review access to sensitive command codes for the Integrated Data Retrieval System (IDRS).

    7. Review assigned Portable Electronic Devices (PEDs) that include, but are not limited to, (a) laptop computers, (b) cellular/personal communications system devices, (d) audio/video/data recording or playback devices, (e) scanning devices, (f) messaging devices, and (g) personal digital assistants (PDAs), to ensure these devices and the data they contain are safeguarded.

    8. Conduct reviews to ensure laptops are locked.

    9. Periodic review of use of sensitive information, including Suspicious Activity Reports (SARs), in Web-CBRS.

1.4.2.6.2  (08-28-2009)
Determine Existing Controls

  1. Once risk areas have been identified, determine what management controls exist for those areas. An internal control is the method by which an organization governs its activities. Controls provide 'reasonable assurance' that programs and administrative activities are efficient, effective, and pose an acceptable level of potential risk.

  2. Internal controls are not separate systems or processes; they are tools routinely used by managers to manage their operations. The focus is not to have more controls but to have effective controls that mitigate risks. Some examples of internal controls are:

    1. Separation of duties (e.g., Managers authorized to approve funding must not be involved in the payment or procurement processes. Individuals (contracting officers) authorized to obligate the government must not be involved in the commitment, receipt/acceptance, or payment process).

    2. Adequate supervision (e.g., Purchase card approving officials monitor purchase cardholder activities to ensure purchases are appropriate and approved, funding is secured prior to the order being placed, and statements are processed timely).

    3. Reconciliation of records from two sources (e.g., matching travel receipts against the travel vouchers).

    4. Reconciliation of records against physical inventories.

    5. Limiting access (e.g., passwords on data systems).

    6. Verification of data entry.

    7. Documentation of processes and procedures, such as the IRM.

    8. Written delegations of authority.

    9. Logs and checklists.

  3. To determine existing controls, begin by comparing current practices and processes against existing procedures, policies, and guidelines. Some "red flags" that may indicate a need for assessing existing controls are:

    1. Costs incorrectly charged.

    2. One or a small group of employees handling all steps of a process.

    3. Inadequate training.

    4. Infrequent reviews.

    5. New or old automated systems.

    6. Security incidents.

    7. Adverse publicity.

    8. Inadequate reports.

    9. Increase in errors.

    10. Customer dissatisfaction.

    11. Recent (or frequent) change in management or key functions (See the Internal Control Management and Evaluation Tool.)

  4. Examples of control techniques and methods are listed below.

    Control Technique Control Method
    Separation of Duties Duties are separated to avoid having one employee or a small group of employees handling all steps of a process.
    Appropriate documentation of transactions and internal control Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination.
    Supervision Adequate supervision to ensure organizational goals are achieved.
    Data Security Sensitive information is protected from unauthorized access.
    Physical Asset Security Assets (laptops, etc.) secured to protect against theft.

  5. If controls are needed and none currently exist, the manager may be responsible for establishing them ( See IRM 1.4.2.6.3 .) In cases where the manager determines that the level of risk does not justify establishing a formal control mechanism, the manager should still document his/her findings and decisions for future reference and use in the Annual Assurance Review Process. ( See IRM 1.4.2.7.)

1.4.2.6.3  (08-28-2009)
Establish New Controls or Revise Existing Controls

  1. Once the manager has decided that a process needs a control, he/she should determine the process owner. If the manager does not own the process at risk but it impacts his/her operation, he/she should proactively coordinate with the process owner or other stakeholders to encourage them to improve management controls. It may be necessary to elevate the issue to higher levels. The control being used may be a standardized control for the organization. However, if it is not working properly, the manager should inform the next higher organizational level if the manager does not have the authority to change the control. A lack of controls in one process may be impacting other processes, and a change to procedures may benefit several parts of the organization. Once the manager has determined what controls exist or has established new controls, the next step is to assess their effectiveness. ( See IRM 1.4.2.6.4.) The assessment and review of internal control is an ongoing process. If a manager does not own the process, determine the appropriate method of control to mitigate the risk. ( See IRM 1.4.2.6.2.) In selecting control methods, use the following criteria:

    • The control must be consistent with operational or legislative requirements.

    • The control must be cost effective.

1.4.2.6.4  (08-28-2009)
Review/Assess Internal Control

  1. Because organizational conditions are constantly changing, managers need to assess their internal controls continuously. Managers should be alert to the potential impact of changing organizational structure, objectives, processes and procedures, personnel, and systems on operations and initiate required reviews as necessary. Circumstances that should cause managers to initiate a review are:

    • External sources (e.g., taxpayers, Congress, GAO, TIGTA) have identified concerns.

    • Current controls do not appear to be effective or cost beneficial.

    • Conditions indicate a reduced level of quality or customer satisfaction.

    • Conditions have changed (e.g., reorganization, phase-out of operations, personnel turnover).

    • The office has a new responsibility or program.

  2. When conducting control reviews, managers should determine the dependencies or effects the controls have on other areas of the organization. Identifying dependencies often reflects a need for input from other organizations.

  3. To test the adequacy of internal control, managers should determine if the controls are:

    • Implemented as designed and meet the control objectives of mitigating risk to an acceptable level.

    • Performed by competent personnel.

    • Consistent with operational objectives or legislative requirements.

    • Efficient and cost effective.

  4. Techniques for testing the adequacy of internal control include:

    • A walk-through of operations to observe how the control functions in actual practice. During the walk-through, managers should determine how the control is meeting the objective. Problems identified should be further analyzed to determine if a significant deficiency exists.

    • Interviews are an important testing technique to facilitate an understanding of how controls are functioning. Often, the best sources of information are personnel performing the operation. Combining inquiry and observation can often provide valuable insights into problem areas, such as a lack of financial and personnel resources necessary to effectively meet control objectives.

    • If there are a considerable number of documents or transactions performed, the manager may review a sample of them. If no discrepancies are noted, then a reasonable conclusion is that the control is adequate. If discrepancies are identified, the manager should examine additional documents/transactions to confirm whether the control is functioning as designed.

    • The manager may select a sample of source documents and follow them through each step of the process. Source document analysis can often disclose improper procedures, failure to follow procedures, or breakdowns among processing steps.

    • The manager may chose to combine several methods of review to ensure the adequacy of the controls.

  5. At the conclusion of the review, the manager will decide if the existing controls provide reasonable assurance that the objectives are being achieved in an efficient and effective manner or a significant deficiency exists and should be corrected. A significant deficiency is a problem in the design or operation of an internal control that should be reported to the next level of management. The manager should prepare a Report of Significant Deficiency. ( See IRM 1.4.2.6.6.)

1.4.2.6.5  (08-28-2009)
Document Results of Reviews

  1. If no significant deficiencies were identified during the review, document the review results and retain them for use in preparing the Annual Assurance Certification Letter. ( See IRM 1.4.2.7.) The documentation can be as simple as a memorandum explaining the review methods and results. It normally does not require a separate formal report. The documentation may also be incorporated into other management reports as long as it is identified as the results of an internal control review.

  2. If deficiencies were identified and the manager has corrected them, the manager should retain the documentation for the Annual Assurance Certification Letter.

1.4.2.6.6  (08-28-2009)
Document, Report and Correct Significant Deficiencies

  1. All significant deficiencies should be reported as soon as identified on a Report of Significant Deficiency . A significant deficiency is a problem in the design or operation of an internal control that should be reported to the next level of management. The Report of Significant Deficiency provides management with the information necessary to clearly understand the problem and assess the level of risk.

  2. In some instances, the manager may identify a significant deficiency but have no control over the actions necessary to correct it. In this case, the manager should elevate the issue to the next level of management for possible action and review. Managers should submit Part I of the Report of Significant Deficiency to the next level of management with as much information as is available.

  3. The manager may not have the expertise to provide all the information in detailed, technical terms. Once the issue is shared with the appropriate program area, they may request additional information. If the significant deficiency requires a corrective action plan, the process owner will be responsible for finalizing Part I and preparing Part II of the Report of Significant Deficiency.

  4. If it is appropriate to develop a corrective action plan, the manager should include in the plan all the actions needed to correct the significant deficiency. When preparing the corrective action plan:

    • Develop actions that are specific and describe the end result. For example, the action should be: "Revise and issue procedures to the field, " not "Review current procedures."

    • Ensure commitment of other stakeholders before establishing any action that requires activity outside the manager's control.

    • Set realistic due dates. Successful plan completion may be dependent upon available resources, functional interdependencies, labor negotiations, legislation, or modernization issues. Therefore, consult with others as necessary in establishing realistic completion dates. Do not use "ongoing" as a completion date; always set a specific due date, e.g., MM/DD/YYYY. If completion date is long term, it may be necessary to establish interim milestone dates.

  5. The manager should identify goals and establish performance measures that will serve as progress indicators for correcting the significant deficiency.

  6. The manager should describe the validation process (a description of how to collect data supporting the performance measure(s) that will determine if the deficiency has been successfully corrected). The manager should describe the type and quantity of data to be gathered, the method of collection, and the source of the data.

  7. Once the Report of Significant Deficiency is completed, the manager should forward it to his/her manager, and provide a copy to the Internal Control Coordinator. The manager at the next level is responsible for reviewing the report and determining the validity of the issue. The next level manager will decide which one of the following actions is appropriate:

    • Return the report to the preparer if the issue is not valid or if additional information/clarification is needed.

    • Develop a corrective action plan if it is appropriate, and obtain approval.

    • Approve the corrective actions for implementation.

    • Elevate the issue to the next higher level of management or to the process owner.

  8. Approved plans will be returned to the appropriate level manager for implementation. The manager must then monitor and regularly report progress to the approving official. Periodically, the manager must also assess whether the corrective action plan is achieving the desired goal(s) and continues to be relevant under current operational conditions. Managers must document and obtain the appropriate level of approval to complete or revise an action or reschedule a target date. Provide a copy of all approved documentation to the Internal Control Coordinator for tracking purposes.

  9. The FMC ESC identifies new material weaknesses. The fields in a material weakness plan are the same as the significant deficiency plan (see Annual Assurance Process).


    REPORT OF SIGNIFICANT DEFICIENCY (Part 1)
    Material Weakness Field Field Description
    Title Enter a short but descriptive title.
    Responsible Official This will normally be a Head of Office, Division Commissioner, or Chief Officer.
    Description Describe the significant deficiency in terms of its effect on mission accomplishment, lost revenue, error rates, or impact on compliance, taxpayer burden, operating efficiency, etc. Be quantitative, if possible. Be specific about what undesirable consequences could occur if the significant deficiency is not corrected.
    Source of Discovery How was the significant deficiency identified? Sources usually include, but are not limited to, the Annual Assurance Review, a control review, an operational review, an event that occurred during the year, or audit reports.
    Correction Strategy Briefly summarize the proposed approach or course of action to correct the significant deficiency.
    Results Indicator/Effectiveness Measures Briefly describe what indicators will be used to evaluate whether the actions taken have corrected the underlying cause of the significant deficiency. Indicators should be specifically related to the significant deficiency and be based on performance measures, either qualitative or quantitative.
    Validation Process Describe how data will be collected to support the results indicator. Some possible methods include using existing management information or performance statistics, special surveys, sampling and analyzing data, management control reviews, etc.
    Target Correction Date Enter the date by which all corrective actions are expected to be completed and validated.
    Other Issues Use this space to briefly explain anything else that requires management's assistance or attention, including any related concerns such as resource needs, dependencies with other organizations, cross-functional ownership, etc.
      Prepared by: Name, Organizational Code
    Telephone Number
    Date of Preparation
    Include the name, organizational code and phone number of the manager who has identified the significant deficiency. (The submitting official is not necessarily the Responsible Official for correcting the significant deficiency)

    REPORT OF SIGNIFICANT DEFICIENCY (Part 2)
    Significant Deficiency Title –Enter the title of each page of the Corrective Action Plan.
    Major Milestones Completion Dates
      Original Plan Revised Plan Actual Date
    Completed Actions - List actions that have already been completed and show the completion date in the Actualcolumn.      
    Short-Term Actions - List each action that will take place within the next twelve months and give the target completion date in the Original column.      
    Longer-Term Actions - List each action that will be completed more than twelve months from now and show the target completion date in the Original column.      
    Prepared by: Name, Organizational Code
    Phone Number
    Date of Preparation

1.4.2.6.7  (08-28-2009)
Indicators and Goals

  1. Results indicators (or performance measures) assist in determining how well the process is working compared to past performance. They can also identify positive/negative factors affecting program and administrative performance/effectiveness. In developing an appropriate results indicator, first consider the problem you are trying to correct or improve, such as timeliness of certain actions or reduction in the error rate of a particular process. If the results indicator selected does not directly tie to the specific deficiency, the corrective actions may fix the problem but may not be reflected in the performance results. Therefore, ensure that the results indicator is relevant to the problem being fixed and is based on observable performance measures, either quantitative or qualitative.

  2. Goals are used to tie the results indicator to the improvement of a particular product or process. Goals can be qualitative or quantitative. Qualitative goals are general in nature and suggest a desired direction but do not establish a specific numeric target. Qualitative goals may be appropriate for new processes or processes for which no baseline data exists. However, without baseline data and quantitative measures, it will be difficult to assess whether your goals have been met. Quantitative goals are more focused and establish a specific numeric target (e.g., "Travel Vouchers will be filed within five business days after the end of the month" ). Quantitative goals should be based on statistically valid results of previous reviews or a compilation of information or numerical/quantitative recordation. In establishing quantitative goals, consider the anticipated level of available resources to implement the corrective action plan, organizational priorities and initiatives, and the interaction between multiple organizational goals. See IRM 1.5.1, Managing Statistics in a Balanced Measurement System, The IRS Balanced Performance Measurement System.

1.4.2.6.8  (08-28-2009)
Validate Outcomes

  1. When all corrective actions are completed, apply the plan's validation process to evaluate whether the actions taken achieved the desired outcome as indicated by the results indicator. If the measure or the results indicator implies that the deficiency has not been corrected, examine whether the corrective actions were effective and/or the validation process was appropriate. If the corrective action plan was not effective, review, revise, and implement a new plan.

  2. Once a results indicator validates that corrective actions have effectively cured the significant control deficiency, forward the Report of Significant Deficiency to the approving official for concurrence. This concurrence represents management's assurance that the problem/deficiency has been corrected. A copy should be submitted to the Internal Control Coordinator and retained for use in preparing the Annual Assurance Certification Memorandum. ( See IRM 1.4.2.7.)

  3. Under no circumstances should management concur that a deficiency has been corrected until they are certain the risk has been mitigated to an acceptable level. This process is continuous; management must periodically reassess risks against current conditions to ensure that controls are effective.

1.4.2.7  (08-28-2009)
Annual Assurance Review Process

  1. As required by FMFIA, the Commissioner signs an Annual Assurance Statement which is due to Treasury by November 1 of each year.

  2. The CFO will issue guidance each spring to govern the annual self-assessment of internal control. Guidance will be issued to the Deputy Commissioners, Division Commissioners, Chiefs, National Taxpayer Advocate, and Chief Counsel.

  3. The Annual Assurance Review Process focuses on the adequacy of controls within each organization. Internal Controls are processes, both administrative and program specific, that ensure programs achieve their intended results, organizations realize their goals, and financial and management reports are accurate, complete, and timely. Managers assess risks (i.e., the probability of a negative, unanticipated occurrence) of operations, determine if controls mitigate those risks, and certify that those controls are effective. If not, managers identify significant deficiencies found in the internal control procedures.

  4. A significant deficiency is a problem in the design or operation of an internal control that should be reported to the next level of management. The FMC ESC will determine which significant deficiencies rise to the level of material weaknesses (i.e., a significant deficiency reported to Treasury and, potentially, through Treasury to OMB).

  5. Material internal control weaknesses (material weakness) are systemic deficiencies in the design or operation of programs or systems, or a lack of controls that pose a significant risk of one or more of the following occurring:

    • The inability to deliver/execute program/operational services in accordance with the agency’s mission and/or legislation.

    • Errors, omissions, and/or fraud in performance and other financial information or financial statements that would mislead users and/or management in decision-making processes.

    • Financial commitments for programs and/or operations that are inconsistent with applicable provisions of law.

    • The inability to properly safeguard assets.

  6. The assurance memorandum should be a one or two-page certification containing a specific statement on the status of your internal control. There are two types of assurance:

    • Reasonable Assurance is an informed judgment by the head of an organization, based upon all available information, that the internal controls in place adequately protect the resources and ensure mission completion. Reasonable assurance recognizes that the cost of controls should not exceed the benefits derived from them.

    • Qualified Assurance is an informed judgment by the head of an organization, based upon all available information, that the internal controls in place may not be adequate to address the problems identified in the assurance memorandum. This opinion is based on the number of identified problems or the seriousness of the problems.

  7. The assurance memorandum should briefly describe the process used to verify that adequate management controls are in place and functioning effectively to accomplish organizational goals and protect IRS resources. Consider the information systems environment operated or used by your organizations and issues identified by GAO, TIGTA, and IRS management reviews in preparing the certification.

  8. As part of the Annual Assurance Review process, all managers must review the adequacy of controls within their own area of responsibility and prepare individual written certifications to support certification. The involvement of each level of management in certifying the control environment within their own sphere of operations is necessary in identifying risks at all levels. Managers must address in their assurance memorandum financial management systems compliance with the provisions of FFMIA.

  9. First-line managers should use the Self-Assessment Tool for Managers as part of their self-assessment. Function-specific questions may be added to this document to further enhance its usefulness.

  10. Corrective action plans for newly identified significant deficiencies should be included with the assurance memorandum. ( See IRM 1.4.2.6.6.) Managers should execute actions necessary to resolve significant deficiencies, regardless of whether or not the FMC ESC deems them material. Corrective action plans for significant deficiencies identified in the previous fiscal year will be updated. Significant deficiencies that have been corrected will be submitted with a certificate of completion describing the validation process and the Results Indicator data that verifies that the significant deficiency has been corrected.

  11. The FMC ESC will evaluate these reports and, based on this and other relevant information, recommend to the Commissioner what level of assurance should be submitted in the IRS's Annual Assurance Statement, and any newly-identified material weaknesses.

1.4.2.8  (08-28-2009)
Servicewide Tracking of Material Weaknesses and Significant Deficiencies

  1. JAMES is Treasury’s web-based internal control tracking system. This system tracks issues, findings, recommendations and the current status of corrective actions plans for all material weaknesses, significant deficiencies, remediation plans and the Office of the Inspector General, GAO, and TIGTA audit reports for all Treasury Bureaus. Tracking these plans is mandatory to comply with the intent of FMFIA and with OMB and Treasury Circulars and Directives. The information contained in JAMES is used by Treasury to assess the effectiveness and progress that bureaus are making in implementing audit recommendations and correcting their internal control material weaknesses and significant deficiencies.

1.4.2.9  (08-28-2009)
Remediation Plan

  1. FFMIA requires agency heads to annually assess whether their financial management systems can prepare required financial statements and reports, can provide reliable and timely financial information for managing operations, and can account for assets, all in accordance with Federal accounting standards and the USSGL.

  2. Agencies that are not in compliance with FFMIA must develop a Remediation Plan to achieve compliance.

  3. Agencies that are not in substantial compliance with FFMIA must bring their financial management systems into substantial compliance within three years; if this cannot be achieved, a waiver for a longer period must be requested from OMB.

  4. The CFO has overall responsibility for the IRS Remediation Plan. The plan is monitored by FMC ESC and tracked in JAMES.

  5. Quarterly, the IRS updates the Remediation Plan which tracks actions identified in GAO Annual Financial Audit and related audits, the Annual Assurance Process, and management reviews.


More Internal Revenue Manual