The Internal Revenue Service’s Federal Financial Management
Improvement Act Remediation Plan As of December 31, 2004
March 2005
Reference Number: 2005-10-068
This report has cleared the Treasury
Inspector General for Tax Administration disclosure review process and
information determined to be restricted from public release has been redacted
from this document.
March
25, 2005
MEMORANDUM FOR
CHIEF FINANCIAL OFFICER
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Deputy Inspector General for
Audit
SUBJECT: Final Audit Report - The Internal Revenue
Service’s Federal Financial Management Improvement Act Remediation Plan As of
December 31, 2004 (Audit # 200510007)
This
report presents the results of our review of the Internal Revenue Service’s
(IRS) Federal Financial Management Improvement Act of 1996 (FFMIA) remediation
plan as of December 31, 2004. The
overall objective of this review was to identify any instances and reasons for
missed intermediate target dates established in the IRS’ FFMIA remediation
plan. We also evaluated whether the IRS
was meeting its responsibilities in fulfilling the intent of the FFMIA. The review was performed to meet our
requirement under the FFMIA that states, in general, each Inspector General
shall report to the Congress instances and reasons when an agency has not met
the intermediate target dates established in the remediation plan.
In
summary, we determined from our review of all 12 open remedial actions as of December
31, 2004, that 1 intermediate target date was missed and 6 dates were extended. Although the IRS has reasonable explanations
for these missed and extended dates, these delays could further hinder the IRS’
ability to timely resolve the reported issues that cause its noncompliance with
the FFMIA.
Also,
all of the 12 open remedial actions had intermediate target dates that extended
more than 3 years from the initial reporting of the financial weakness. As required, the IRS, through the Department
of the Treasury, properly obtained Office of Management and Budget concurrence
to extend its corrective actions beyond the 3-year limitation. In addition, our analysis of individual
project resources listed in the December 31, 2004, remediation plan indicated
that project resources were generally verifiable to supporting documentation.
However,
our analysis also indicated 45 remedial actions were canceled prior to
completion in 2004. Forty-two (93
percent) of the 45 canceled actions were related to critical future releases of
the Integrated Financial System and Custodial Accounting Project, both of which
are key financial management projects. The
IRS reported this action was taken because both projects were significantly behind
schedule and faced funding shortfalls.
The canceled remedial actions were replaced by two placeholder remedial actions
to develop new plans. Until the IRS
develops new remediation actions and milestones to replace these placeholders, we
will be unable to reliably assess the IRS’ progress in resolving many of the
significant issues which cause its noncompliance with the FFMIA.
Finally,
our analysis indicated the IRS removed seven unaddressed findings and recommendations
in 2004. The findings and recommendations
all relate to accountability over property and equipment. The IRS informed us the findings and
recommendations were temporarily removed pending completion of the new plan
discussed above. We believe it is
critical that the IRS maintain and continue to report all significant open findings
and recommendations. We discussed this
issue with the IRS during our fieldwork, and management informed us they plan
to reinstate the removed findings and recommendations in the next FFMIA remediation
plan update, for the quarter ending March 31, 2005.
We do not have any specific
remediation plan recommendations to offer as a result of our analysis during
this audit. However, management reviewed
a draft of this report and agreed with its contents.
Copies
of this report are also being sent to the IRS managers affected by the report findings. Please contact me at (202) 622-6510 if you
have questions or Daniel R. Devlin, Assistant
Inspector General for Audit (Headquarters
Operations and Exempt Organizations Programs), at (202) 622-8500.
Some Intermediate
Target Dates Were Missed or Extended
Appendix
I – Detailed Objectives, Scope, and Methodology
Appendix
II – Major Contributors to This Report
Appendix
III – Report Distribution List
Appendix
IV – Financial Management Remedial Action Projects
The Federal Financial Management Improvement Act of 1996 (FFMIA) established in statute certain financial management systems requirements that were already established by Executive Branch policies. The FFMIA was intended to advance Federal financial management by ensuring that Federal management systems can and do provide reliable, consistent disclosure of financial data. Further, this disclosure should be done on a basis that is uniform across the Federal Government from year to year, by consistently using professionally accepted accounting standards. Specifically, Section (§) 803 (a) of the FFMIA requires each agency to implement and maintain systems that comply substantially with:
Auditors are required to report on agency compliance with the three stated requirements as part of financial statement audit reports. Agency heads are required to determine, based on the audit report and other information, whether their financial management systems comply with the FFMIA. If the agency’s financial systems do not comply, the agency is required to develop a remediation plan that describes the resources, remedies, and intermediate target dates for achieving compliance and file the plans with the Office of Management and Budget (OMB).
In addition, § 804 (b) of the FFMIA requires agency Inspectors General to report to the Congress instances and reasons when an agency has not met the intermediate target dates established in its remediation plan.
In the last several years, the Government Accountability Office (GAO) has reported numerous financial management weaknesses in its audits of the Internal Revenue Service’s (IRS) annual financial statements and related assessments of internal control. Due to these weaknesses, the IRS’ financial management systems have not been in substantial compliance with the requirements of the FFMIA; consequently, the IRS has been required to prepare and maintain a remediation plan.
This review was performed during the period October 2004
through February 2005 in the office of the Chief Financial Officer at the IRS
National Headquarters located in
The IRS reported 12 open remedial actions in its December 31, 2004, remediation plan. All of these open actions were associated with five major financial management projects or issues:
See Appendix IV for a detailed description of each project.
Our detailed review of the 12 open remedial actions indicated 1 intermediate target date was missed and 6 dates were extended.
Missed intermediate
target date
The IRS reported the missed target date was due to delays in monitoring performance of CAP Release 1 attributable to a change in contract structure.
Extended intermediate
target dates
The IRS extended six remedial action intermediate target dates. Three of the six extended dates were attributed to delays in end-user training, performance monitoring, and the implementation of IFS Release 1. Two extended dates were attributed to hiring delays of interest reviewers for the CIQMS and identification of additional controls needed to improve computer security. The final extended date was attributable to performance monitoring related to CAP Release 1.
Although the IRS has reasonable explanations for these missed and extended intermediate target dates, these delays could further hinder the IRS’ ability to timely resolve the reported issues that cause its noncompliance with the FFMIA.
All of the 12 open remedial actions had intermediate target dates that extended more than 3 years from the initial reporting of the financial weakness. As required, the IRS, through the Department of the Treasury, properly obtained OMB concurrence to extend its corrective actions beyond the 3-year limitation.
Finally, our analysis of individual project resources for the 12 remediation actions listed in the December 31, 2004, remediation plan showed that project resources were generally verifiable to supporting documentation. Also, the GAO did not report any additional recommendations that would have required inclusion in the IRS’ remediation plan as a result of its Fiscal Year 2004 financial statement audit.
During Calendar Year (CY) 2004, the IRS reported it completed 17 and added 4 remedial actions to the 70 open remedial actions listed in its December 31, 2003, remediation plan. Also during 2004, the IRS reported that it canceled 45 remedial actions before completion, leaving 12 open remedial actions listed in its December 31, 2004, remediation plan.
Our analysis of the 45 actions canceled in CY 2004 indicated that 42 of the actions were related to critical future releases of the IFS and CAP, both of which are key financial management projects. The IRS reported both projects were significantly behind schedule and faced funding shortfalls, and further development of these two projects has been suspended or canceled. These 42 canceled actions were replaced by 2 placeholder remedial actions to develop new plans. The IRS reported it expected to complete development of the new plans to address the cancellation of future releases of the IFS and CAP by July 31, 2005, and October 1, 2006, respectively. We currently are planning a review of the actions the IRS will be taking on the revenue accounting issues.
Two of the remaining three canceled remedial actions dealt with the IRS’ Trust Fund Recovery Program, and the final canceled remedial action was related to the CIQMS. The IRS had reasonable explanations for canceling these actions. In addition to the two placeholder actions, described above, the remaining two actions added to the FFMIA remediation plan during CY 2004 related to the ATFR system.
Until the IRS develops new remediation actions and milestones to replace these placeholders, we will be unable to reliably assess the IRS’ progress in resolving many of the significant issues which cause its noncompliance with the FFMIA.
Removed findings
and recommendations
The IRS also removed seven unaddressed findings and recommendations from its December 31, 2004, remediation plan. The findings and recommendations all related to the accountability over property and equipment. The IRS informed us the findings and recommendations were temporarily removed pending completion of the new plan discussed above. We believe it is critical that the IRS maintain and continue to report all significant open findings and recommendations. We discussed this issue with the IRS during our fieldwork, and management informed us they plan to reinstate the removed findings and recommendations in the next FFMIA remediation plan update for the quarter ending March 31, 2005. We will continue to monitor FFMIA remediation plan updates throughout the year.
Appendix I
Detailed Objectives,
Scope, and Methodology
The overall objective of this review was to identify any instances and reasons for missed intermediate target dates established in the Internal Revenue Service’s (IRS) Federal Financial Management Improvement Act of 1996 (FFMIA) remediation plan. We also evaluated whether the IRS was meeting its responsibilities in fulfilling the intent of the FFMIA. To accomplish our objective, we:
I.
Gained an
understanding of the requirements of the FFMIA, including Office of
Management and Budget and Department of the Treasury guidance
for compliance with the FFMIA.
II.
Determined whether the
IRS’ remediation plan was consistent with Government Accountability
Office recommendations from prior IRS financial
audits and related financial management reports.
III.
Determined whether 1) the
IRS missed any intermediate target dates established in its remediation plan,
2) intermediate target dates were extended without sufficient documentation to support
the revised date, and 3) proper approval was obtained for remedial actions
extending more than 3 years.
IV.
Determined whether the
IRS remediation plan had established resource needs for remedial actions and
the resources presented were consistent with other IRS modernization resource
budgets.
V.
Determined whether the
IRS had taken adequate corrective actions on prior reported audit findings.
Appendix II
Major Contributors to This
Report
Daniel R. Devlin, Assistant Inspector General for Audit (Headquarters
Operations and Exempt Organizations Programs)
John R. Wright, Director
Anthony J. Choma,
Audit Manager
Philip A. Smith, Lead
Auditor
Thomas Dori, Senior
Auditor
Bobbie M. Draudt,
Senior Auditor
Appendix III
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Office of Management Controls OS:CFO:AR:M
Chief Counsel CC
National
Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk
Analysis RAS:O
Audit
Liaison: Chief Financial Officer OS:CFO
Appendix IV
The Internal Revenue Service (IRS)
has initiated five significant financial management projects in response to the
various material weaknesses identified by the Government Accountability Office (GAO)
relating to the Federal Financial Management Improvement Act of 1996. The IRS described the functionality of the
projects contained in its remediation plan as follows:
The Integrated Financial System (IFS): The IFS, when
fully implemented, will provide the IRS with an integrated accounting system to
account for and control resources. The
first release of the IFS includes the General Ledger, Accounts Receivable,
Accounts Payable, Funds and Cost Management, and Financial Reporting, as well
as Budget Formulation.
Release 2 was to focus on asset
management and a software technical and functional upgrade, including the
configuration efforts to allow use of the enhanced features in the cost
accounting and finance modules.
Currently, all work on IFS Release 2 has been deferred due to the need
for the IRS to balance its systems modernization portfolio with management
capacity and available budget.
Procurement Management was planned
for Release 3. All remaining
functionality, with the exception of Travel Management, was planned for Release
4. Travel Management has been deleted
from the functional requirements as a result of the Government-wide travel
system development efforts. Content of
all future releases is being reevaluated and all future releases have been
delayed or placed on indefinite hold.
The Custodial Accounting Project (CAP): Formerly the
Enterprise Data Warehouse/CAP, the CAP is being stopped due to budget
cuts. The IRS is currently examining
other options for reducing the weakness to a reportable condition. The Acting Chief Financial Officer (CFO),
Business Systems Modernization, and Business Systems Development are currently
developing a business case to determine whether this approach can be funded
from the 2005 or 2006 Information Technology budget.
The Complex Interest Quality Measurement System
(CIQMS)/Related Systems: The IRS will implement the CIQMS review
process to reduce errors in calculating interest; develop a database to monitor
and measure accuracy; implement Decision Modeling Incorporated Interest Net
Software to provide functionality; and automate net rate interest adjustments,
as well as all other necessary interest computations.
The Automated Trust Fund Recovery (ATFR) System: The ATFR system provides
the capability to systematically upload Trust Fund Recovery Penalty assessments
from the Area Offices and properly cross-references payments received for
assessments made. The ATFR system will
replace manual processes and ensure compliance with GAO requirements and
accounting standards. Phase 1 will
automate the calculation of the penalties and assessment process, Phase II will
automate the cross-referencing process, and Phase III will centralize all
recovery cases into one compliance center.
In October 2004, the IRS determined it is not feasible to convert legacy
accounts to the ATFR system. The Small
Business/Self-Employed Division is working with the Acting CFO and GAO to
address issues with the remaining legacy accounts.
Security: This project addresses internal control deficiencies cited in various audits; initiates efforts to expand deterrent controls implemented at campuses, field offices, and post-of-duty offices to ensure uniformity and consistency; develops appropriate means through which the IRS can carry out periodic reviews of the effectiveness of policies and procedures, along with means to address security breaches; updates access control standards to reflect changes in technology and operating environments; provides computer security training to personnel; and conducts computer security self-assessment reviews that identify and mitigate vulnerabilities on a proactive basis.
Based on recent Treasury Inspector General for Tax
Administration findings during the review of the computer security material
weakness, the Mission Assurance & Security Services organization, in
partnership with the Chief Information Officer, have developed new program
action plans for the following five issues:
(1) Access Controls, (2) Rules of Behavior, (3) Audit Trails, (4)
Training, and (5) Process Authorizations (Certifications and Accreditations). The high level plan was presented at the
January 18, 2005, Financial and Management Controls Executive Steering
Committee meeting.