TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2005

 

 

 

March 2006

 

Reference Number:  2006-10-069

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number   |  202-927-7037

Email Address   |  Bonnie.Heald@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

March 28, 2006

 

 

MEMORANDUM FOR CHIEF FINANCIAL OFFICER

 

FROM:                            Michael R. Phillips /s/Michael R. Phillips

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2005 (Audit # 200610011)

 

This report presents the results of our review of the Internal Revenue Service’s (IRS) Federal Financial Management Improvement Act of 1996 (FFMIA)[1] remediation plan as of December 31, 2005.  The overall objective of this review was to identify any instances of and reasons for missed intermediate target dates established in the IRS’ FFMIA remediation plan.  We also evaluated, in general, whether the IRS was meeting its responsibilities in fulfilling the intent of the FFMIA.  The review was performed to meet our requirement under the FFMIA that each Inspector General report to Congress instances and reasons when an agency has not met the intermediate target dates established in the remediation plan.

Synopsis

From our review of all 38 open remedial actions as of December 31, 2005, we determined no intermediate target dates were missed; however, 23 dates were extended.  Although the IRS has reasonable explanations for the extended dates, these delays could further hinder the IRS’ ability to timely resolve the reported issues that cause its noncompliance with the FFMIA.

Also, each of the 38 open remedial actions had an intermediate target date that extended more than 3 years from the initial reporting of the financial weakness.  As required, the IRS, through the Department of the Treasury, properly obtained Office of Management and Budget concurrence to extend its corrective actions beyond the 3-year limitation. 

Our analysis of individual project resources listed in the December 31, 2005, remediation plan indicated that timely completion of up to 25 open remedial actions is in jeopardy due to significant funding shortfalls.  These remedial actions relate to computer security enhancements including application and systems access controls, configuration management, expanded audit trails, and contingency and disaster recovery planning.  The IRS indicated that, as a result of its funding shortfalls, it plans to completely reevaluate existing target due dates for remedial actions relating to computer security later in Fiscal Year 2006.

The IRS also indicated that the resources necessary for the continued development of the Custodial Detail Data Base (CDDB), which is a key financial management project, are not available beyond Fiscal Year 2006.  The IRS currently plans to develop a new action plan to address future releases of the CDDB by October 1, 2006, pending funding availability at that time.  Finally, the IRS reported that it plans to continue to delay development of future releases of the Integrated Financial System (IFS)[2] due to a lack of funding.  The delayed future IFS releases address longstanding financial weaknesses relating to the IRS’ lack of reliable cost accounting information and inadequate control over its fixed asset records. 

The delays caused by the rescheduling and suspension of needed remediation actions further hinder the IRS’ ability to timely resolve the reported issues that cause its ongoing noncompliance with the FFMIA.  For example, the CDDB, when fully implemented, is designed to address longstanding financial weaknesses relating to the IRS’ inability to routinely generate reliable and timely financial management information.  In addition, until the IRS completes its revised plans, we will be unable to reliably assess the IRS’ progress in resolving many of the significant findings and recommendations reported in the FFMIA remediation plan.

Recommendation

We made no specific remediation plan recommendations as a result of the analyses performed during this audit.  However, IRS management reviewed a draft of this report and agreed with the facts and findings presented. 

Copies of this report are also being sent to the IRS managers affected by the report results.  Please contact me at (202) 622-6510 if you have questions or Daniel R. Devlin, Assistant Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs), at (202) 622-8500.

 

 

Table of Contents

 

Background

Results of Review

Many Intermediate Target Dates Were Extended

Timely Completion of Many Remedial Actions Is Doubtful

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Financial Management Remedial Action Projects

 

 

Background

 

The Federal Financial Management Improvement Act of 1996 (FFMIA)[3] established in statute certain financial management systems requirements that were already established by Executive Branch policies.  The FFMIA was intended to advance Federal Government financial management by ensuring Federal management systems can and do provide reliable, consistent disclosure of financial data.  Further, this disclosure should be done on a basis that is uniform across the Federal Government from year to year, by consistently using professionally accepted accounting standards.  Specifically, FFMIA section (§) 803 (a) requires each agency to implement and maintain systems that comply substantially with:

• Federal Government financial management systems requirements.
• Applicable Federal Government accounting standards.
• The United States Government Standard General Ledger at the transaction level.

Auditors are required to report on agency compliance with the three stated requirements as part of financial statement audit reports.  Agency heads are required to determine, based on the audit report and other information, whether their financial management systems comply with the FFMIA.  If the agency’s financial systems do not comply, the agency is required to develop a remediation plan that describes the resources, remedies, and intermediate target dates for achieving compliance and file the plans with the Office of Management and Budget.  In addition, FFMIA § 804 (b) requires agency Inspectors General to report to Congress instances and reasons when an agency has not met the intermediate target dates established in its remediation plan.

In the last several years, the Government Accountability Office has reported numerous financial management weaknesses in its audits of the Internal Revenue Service’s (IRS) annual financial statements and related assessments of internal control.  Due to these weaknesses, the IRS’ financial management systems have not been in substantial compliance with the requirements of the FFMIA; consequently, the IRS has been required to prepare and maintain a remediation plan.

This review was performed at the IRS National Headquarters in Washington, D.C., in the office of the Chief Financial Officer, during the period October 2005 through February 2006.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

Results of Review

 

Many Intermediate Target Dates Were Extended

During Calendar Year 2005, the IRS reported it cancelled 1 and added 67 remedial actions to the 12 open remedial actions listed in its December 31, 2004, remediation plan.  The Computer Security and Custodial Detail Data Base (CDDB) projects accounted for most of these new remedial actions.  The cancelled remedial action related to the monitoring of a project that was subsequently cancelled, eliminating the need for the remediation action. 

Also during Calendar Year 2005, the IRS reported it completed 40 remediation actions, leaving 38 open remedial actions in its December 31, 2005, remediation plan.  All of these open actions were associated with four major financial management projects or issues (see Appendix IV for a description of each project).

• CDDB - 11 remedial actions.
• Automated Trust Fund Recovery (ATFR) System – 1 remedial action.
• Integrated Financial System (IFS) – 1 remedial action.
• Computer Security – 25 remedial actions.

Our review of the 38 open remedial actions indicated that no intermediate target dates were missed; however, 23 dates were extended.  The IRS reported in its remediation plan that extensions of intermediate target dates were necessary due to the following:

• CDDB (six actions extended) – Target dates were revised to reflect experience gained during initial project implementation and to allow additional time for developing system interfaces.  
• ATFR System (one action extended) – Target date was revised to allow more time to evaluate the effectiveness of the ATFR system.
• IFS (one action extended) – An action plan was developed to address future releases delayed pending future funding availability.
• Computer Security (15 actions extended) – Target dates were revised due to delays in completing procedures and training relating to system configuration, system access controls, and audit trails, as well as to allow additional time to coordinate actions requiring multifunctional input.

Although the IRS has reasonable explanations for the extended intermediate target dates, these delays could further hinder the IRS’ ability to timely resolve the reported issues that cause its noncompliance with the FFMIA.

Each of the 38 open remedial actions had an intermediate target date that extended more than 3 years from the initial determination that IRS financial management systems were not in substantial compliance with the FFMIA.  As required, the IRS, through the Department of the Treasury, properly obtained Office of Management and Budget concurrence to extend its corrective actions beyond the 3-year limitation.

We did not identify any additional recommendations that would have required inclusion in the IRS’ remediation plan as a result of the Government Accountability Office’s Fiscal Year 2005 financial statement audit.

Timely Completion of Many Remedial Actions Is Doubtful

Our analysis of individual project resources listed in the December 31, 2005, remediation plan indicated that timely completion of up to 25 open remedial actions is in jeopardy due to significant funding shortfalls.  These remedial actions relate to computer security enhancements including application and systems access controls, configuration management, expanded audit trails, and contingency and disaster recovery planning.  The IRS indicated that, as a result of its funding shortfalls, it plans to completely reevaluate existing target due dates for remedial actions relating to computer security later in Fiscal Year 2006.  The IRS reported a projected funding shortfall of at least $43 million for computer security.

The IRS also indicated that the resources necessary for the continued development of the CDDB, which is a key financial management project, are not available beyond Fiscal Year 2006.  The IRS currently plans to develop a new action plan to address future releases of the CDDB by October 1, 2006, pending funding availability at that time.  The IRS reported a projected funding shortfall of $13 million for the CDDB.  The IRS also reported that it plans to continue to delay development of future releases of the IFS due to a lack of funding.  The delayed future IFS releases address longstanding financial weaknesses relating to the IRS’ lack of reliable cost accounting information and inadequate controls over its fixed asset records. 

The delays caused by the rescheduling and suspension of needed remediation actions further hinder the IRS’ ability to timely resolve the reported issues that cause its ongoing noncompliance with the FFMIA.  For example, the CDDB, when fully implemented, is designed to address longstanding financial weaknesses relating to the IRS’ inability to routinely generate reliable and timely financial management information.  In addition, until the IRS completes its revised plans, we will be unable to reliably assess the IRS’ progress in resolving many of the significant findings and recommendations reported in the FFMIA remediation plan.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to report to Congress, as required by the Federal Financial Management Improvement Act of 1996 (FFMIA),[4] any instances of and reasons for missed intermediate target dates established in the Internal Revenue Service’s (IRS) FFMIA remediation plan as of December 31, 2005.  We also evaluated, in general, whether the IRS was meeting its responsibilities in fulfilling the intent of the FFMIA.  To accomplish our objective, we:

I.                   Gained an understanding of the requirements of the FFMIA, including Office of Management and Budget and Department of the Treasury guidance for compliance with the Act.

II.                Determined whether the IRS’ remediation plan was consistent with Government Accountability Office recommendations from prior IRS financial audits and related financial management reports.

III.             Determined whether 1) the IRS missed any intermediate target dates established in its remediation plan, 2) intermediate target dates were extended without sufficient documentation to support the revised date, and 3) proper approval was obtained for remedial actions extending more than 3 years.

IV.             Determined whether the IRS remediation plan had established resource needs for remedial actions and the resources presented were consistent with other IRS modernization resource budgets.

V.                Determined whether the IRS had taken adequate corrective actions on prior reported audit findings.

 

Appendix II

 

Major Contributors to This Report

 

Daniel R. Devlin, Assistant Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs)

John R. Wright, Director

Anthony J. Choma, Audit Manager

Philip A. Smith, Lead Auditor

Chinita Coates, Auditor

Rashme Sawhney, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Office of Management Controls  OS:CFO:AR:M

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Audit Liaison:  Chief Financial Officer  OS:CFO

 

Appendix IV

 

Financial Management Remedial Action Projects

 

The Internal Revenue Service (IRS) has initiated four significant financial management projects in response to the various material weaknesses identified by the Government Accountability Office relating to the Federal Financial Management Improvement Act of 1996.[5]  The IRS described the functionality of the projects contained in its remediation plan as follows:

Custodial Detail Data Base (CDDB):  To more accurately report a single balance due for Trust Fund Recovery Penalty (TFRP) assessments and determine areas for improvement, the IRS Chief Financial Officer developed a TFRP database.  The TFRP database is the first release of the Financial Management Information System enhancement to the CDDB that will enable the IRS to address many of the outstanding financial management recommendations.  Full CDDB functionality will be accomplished in 4 releases over 3 years.

• Release I – Unpaid Assessments subledger.
• Release II – Master File[6] transactions and Electronic Funds Transfer Payment System[7] preposted transactions.
• Release III – All other preposted revenue receipt transactions and refund transactions.
• Release IV – Frozen Credit subledger and Excise Tax Allocations.

Automated Trust Fund Recovery (ATFR) System:  The ATFR system provides the capability to systematically upload TFRP assessments from the Area Offices and properly cross-references payments received for assessments made.  The ATFR system replaced manual processes for assessing penalties and cross-referencing payments and will ensure compliance with Government Accountability Office requirements and accounting standards.  The IRS reviewed the revised TFRP process in December 2005 and identified three areas in which additional actions are needed to address deficiencies.  The IRS is in the process of developing an action plan to address each of these deficiencies. 

Integrated Financial System (IFS):  The IFS, when fully implemented, will provide the IRS with an integrated accounting system to account for and control resources.  The first release of the IFS includes the General Ledger, Accounts Receivable, Accounts Payable, Funds and Cost Management, and Financial Reporting, as well as Budget Formulation. 

Release 2 was to focus on asset management and a software technical and functional upgrade, including the configuration efforts to allow use of the enhanced features in the cost accounting and finance modules.  Procurement Management was planned for Release 3.  All remaining functionality, with the exception of Travel Management, was planned for Release 4.  Travel Management has been deleted from the functional requirements as a result of the Federal
Government-wide travel system development efforts. 

Computer Security:  This project addresses internal control deficiencies cited in various audits; initiates efforts to develop controls implemented at campuses,[8] field offices, and post-of-duty offices to ensure uniformity and consistency; develops appropriate means through which the IRS can carry out periodic reviews of the effectiveness of policies and procedures, along with means to address security breaches; updates access control standards to reflect changes in technology and operating environments; provides computer security training to personnel; and conducts computer security self-assessment reviews that identify and alleviate vulnerabilities on a proactive basis. 

Based on recent Treasury Inspector General for Tax Administration findings during the review of the computer security material weakness, the Mission Assurance and Security Services organization, in partnership with the Chief Information Officer, has developed new program action plans for the following six issues:  (1) Access Controls, (2) Rules of Behavior, (3) Audit Trails, (4) Training, (5) Process Authorizations (Certifications and Accreditations), and (6) Disaster Recovery.