TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2006

 

 

 

May 21, 2007

 

Reference Number:  2007-10-077

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number | 202-927-7037

Email Address | Bonnie.Heald@tigta.treas.gov

Web Site | http://www.tigta.gov

 

May 21, 2007

 

 

MEMORANDUM FOR CHIEF FINANCIAL OFFICER

 

FROM: Michael R. Phillips /s/ Michael R. Phillips

Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2006 (Audit # 200710010)

 

This report presents the results of our review of the Internal Revenue Service’s (IRS) Federal Financial Management Improvement Act of 1996 (FFMIA)[1] remediation plan as of December 31, 2006.  The overall objective of this review was to report to Congress, as required by the FFMIA, any instances of and reasons for missed intermediate target dates established in the IRS’ remediation plan.  We also evaluated whether the IRS is meeting its responsibilities in fulfilling the intent of the FFMIA.  The review was performed to meet our requirement under the FFMIA that states, in general, that each Inspector General shall report to Congress instances when and reasons why an agency has not met the intermediate target dates established in the remediation plan.

Impact on the Taxpayer

Our analysis of the December 31, 2006, FFMIA remediation plan indicated that the Fiscal Year (FY) 2007 cost calculations related to computer security remediation actions, totaling $58.5 million, could either not be verified or differed significantly from the detailed supporting documentation provided by the IRS.  If costs are not accurately estimated and budgeted for, it could delay the completion of the remediation actions due to insufficient resources being available when needed.  Until these actions are taken, the weaknesses in the IRS’ financial management system related to computer security issues will continue to exist.  Reliable financial information is critical to the IRS’ ability to accurately report on the results of its operations to both internal and external stakeholders, including taxpayers.

Synopsis

During Calendar Year 2006, the IRS reported it canceled 11 and added 61 remedial actions to the 38 open remedial actions listed in its December 31, 2005, remediation plan.  The 11 canceled remedial actions related to computer security and were replaced by new remedial actions.  Also, during Calendar Year 2006, the IRS reported it completed 37 remedial actions, leaving 51 open remedial actions in its December 31, 2006, remediation plan. 

Our review of the 51 open remedial actions indicated that no intermediate target dates were missed and only 1 action was extended.  The IRS reported the target date extended related to the Integrated Financial System.  Our review also indicated that 40 of the 51 open remedial actions were new for Calendar Year 2006.  The 40 new actions all relate to computer security and replaced 11 existing actions that were all scheduled for completion by FY 2008.  The new actions’ completion dates range from FY 2007 through FY 2013.  The IRS reported that the 40 new actions were added to address extensive gaps identified through an in-depth analysis of its computer security material weakness plan.

Although the explanations provided by the IRS for extending 1 and replacing 11 existing actions are reasonable, the lengthy target completion dates associated with many of the new actions further hinder the IRS’ ability to timely resolve the critical issues that cause its noncompliance with the FFMIA.  We reviewed the Government Accountability Office’s FY 2006 financial statement audit and did not identify any additional recommendations that would have required inclusion in the IRS’ remediation plan.

Our analysis of individual project resources listed in the December 31, 2006, remediation plan indicated that information on the estimated resources needed to implement the 40 open remedial actions relating to computer security was either incomplete or differed significantly from the detailed supporting documentation provided by the IRS.  For example, resource estimates were not provided for any anticipated costs in FY 2008 and beyond.  Also, $58.5 million reported for FY 2007 calculated costs related to computer security remediation actions could either not be verified or differed significantly from the detailed supporting documentation provided.  During our audit fieldwork, IRS functional personnel stated the $58.5 million in calculated FY 2007 costs was based on a significantly outdated estimate.

Although the IRS did indicate in the December 31, 2006, FFMIA plan that it was presently in the process of recalculating computer security-related costs, in our opinion, presenting an outdated and unsupported estimate of calculated FY 2007 costs is confusing and potentially misleading.  We advised the IRS of our concerns on March 8, 2007, and it has subsequently stated that all FY 2007 cost information related to computer security remediation actions will be corrected and incorporated into the June 30, 2007, FFMIA plan.  As part of this effort, cost estimates for anticipated expenditures in FY 2008 and beyond will also be developed, as applicable. 

Recommendation

We recommended the IRS Associate Chief Financial Officer for Corporate Planning and Internal Control develop procedures requiring that all remediation actions presented in future FFMIA plans be reviewed to ensure they are supported by a calculation of resource needs by year and the calculations be compared to detailed supporting documentation on at least a sample basis.

Response

IRS management agreed with our recommendation.  The Associate Chief Financial Officer for Corporate Planning and Internal Control will develop procedures requiring that owners of all remediation actions presented in future FFMIA plans identify resources for all years covered by the actions and that the owners provide documentation to support the identified resources.  Where the supporting documentation is unclear or contradictory, the Associate Chief Financial Officer for Corporate Planning and Internal Control will obtain clarification from the owner of the remediation action.  Additionally, the Office of Internal Control will review all plans to ensure they are supported by a calculation of resource needs by year and will compare the calculations to detailed supporting documentation to ensure compliance with reporting procedures.  Management’s complete response to the discussion draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendation.  Please contact me at (202) 622-6510 if you have questions or Nancy Nakamura, Assistant Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs), at (202) 622-8500.

 

 

Table of Contents 

 

Background

Results of Review

Completion Dates for Remedial Actions Relating to Computer Security Material Weaknesses Extend to Fiscal Year 2013

Resource Information Regarding Many Remedial Actions Is Unsupported and Incomplete

Recommendation 1:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Outcome Measure

Appendix V – Financial Management Remediation Action Projects

Appendix VI – Management’s Response to the Discussion Draft Report

 

 

Abbreviations

 

FFMIA – Federal Financial Management Improvement Act of 1996

FY – Fiscal Year

IRS – Internal Revenue Service

 

 

 

 

Background

 

The Federal Financial Management Improvement Act of 1996 (FFMIA)[2] established in statute certain financial management systems requirements that were already established by Executive Branch policies.  The FFMIA was intended to advance Federal financial management by ensuring that Federal management systems can and do provide reliable, consistent disclosure of financial data.  Further, this disclosure should be done on a basis that is uniform across the Federal Government from year to year, by consistently using professionally accepted accounting standards.  Specifically, Section (§) 803 (a) of the FFMIA requires each agency to implement and maintain systems that comply substantially with:

  • Federal financial management systems requirements.
  • Applicable Federal Government accounting standards.
  • The Government Standard General Ledger at the transaction level.

Auditors are required to report on agency compliance with the three stated requirements as part of financial statement audit reports.  Agency heads are required to determine, based on the audit report and other information, whether their financial management systems comply with the FFMIA.  If the agency’s financial systems do not comply, the agency is required to develop a remediation plan that describes the resources, remedies, and intermediate target dates for achieving compliance and file the plans with the Office of Management and Budget.

In addition, § 804 (b) of the FFMIA requires agency Inspectors General to report to Congress instances when and reasons why an agency has not met the intermediate target dates established in its remediation plan.

In the last several years, the Government Accountability Office has reported numerous financial management weaknesses in its audits of the Internal Revenue Service’s (IRS) annual financial statements and related assessments of internal control.  Due to these weaknesses, the IRS’ financial management systems have not been in substantial compliance with the requirements of the FFMIA; consequently, the IRS has been required to prepare and maintain a remediation plan.

This review was performed at the IRS National Headquarters in Washington, D.C., in the office of the Chief Financial Officer during the period November 2006 through March 2007.  The audit was conducted in accordance with Government Auditing Standards.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

Completion Dates for Remedial Actions Relating to Computer Security Material Weaknesses Extend to Fiscal Year 2013

During Calendar Year 2006, the IRS reported it canceled 11 and added 61 remedial actions to the 38 open remedial actions listed in its December 31, 2005, remediation plan.  The Computer Security and Custodial Detail Data Base projects accounted for most of these new remedial actions.  The 11 canceled remedial actions related to computer security and were replaced by 40 new actions. 

Also during Calendar Year 2006, the IRS reported it completed 37 remediation actions, leaving 51 open remedial actions in its December 31, 2006, remediation plan.  All of these open actions were associated with five major financial management projects or issues (see Appendix V for a description of each project).

  • Custodial Detail Data Base – 8 remedial actions.
  • Employment and Excise Tax – 1 remedial action.
  • Automated Trust Fund Recovery System – 1 remedial action.
  • Integrated Financial System – 1 remedial action.
  • Computer Security – 40 remedial actions.

Our review of the 51 open remedial actions indicated that no intermediate target dates were missed and only 1 action was extended.  The IRS reported the target date extended related to the Integrated Financial System.  Specifically, the IRS reported that after December 2009, the Integrated Financial System would no longer be supported by the vendor.  Accordingly, a new action plan is being developed to address enhancing cost data and better integrating budget and performance data.  

Our review also indicated that 40 of the 51 open remedial actions were new for Calendar Year 2006.  The 40 new actions all relate to computer security and replaced 11 existing actions that were scheduled for completion by Fiscal Year (FY) 2008.  The new actions’ completion dates range from FY 2007 through FY 2013.  The IRS reported in its remediation plan that the 40 new actions were added to address extensive gaps identified through an in-depth analysis of its computer security material weakness plan.

Although the explanations provided by the IRS for extending 1 and replacing 11 existing actions are reasonable, the lengthy target completion dates associated with many of the new actions further hinder the IRS’ ability to timely resolve the critical issues that cause its noncompliance with the FFMIA.  We were unable to fully evaluate the reason for the lengthy completion dates because the IRS did not provide complete information regarding the resources necessary to implement the 40 new remedial actions.  Similarly, until the IRS completes its new action plan to address enhancing cost data and better integrating budget and performance data, we will be unable to fully evaluate its progress on these issues.

Each of the 51 open remedial actions had an intermediate target date that extended more than 3 years from the initial determination that IRS financial management systems were not in substantial compliance with the FFMIA.  As required, the IRS, through the Department of the Treasury, properly obtained Office of Management and Budget concurrence to extend its corrective actions beyond the 3-year limitation.

We reviewed the Government Accountability Office’s FY 2006 financial statement audit and did not identify any additional recommendations that would have required inclusion in the IRS’ remediation plan.

Resource Information Regarding Many Remedial Actions Is Unsupported and Incomplete

Our analysis of the resource estimates for completing remedial actions in the December 31, 2006, remediation plan indicated that resource information regarding the 40 open remedial actions relating to computer security was either incomplete or differed significantly from the detailed supporting documentation provided by the IRS.  Specifically:

  • Resource estimates were not provided for any anticipated FY 2008 and beyond costs associated with remediation actions related to computer security.  Our review identified 19 computer security-related actions with target completion dates in FY 2008, 3 with target completion dates in FY 2009, 4 with target completion dates in FY 2011, 1 with a target completion date in FY 2012, and 1 with a target completion date in FY 2013.  Resource estimates are a critical component of the FFMIA remediation plan process and should be provided for all open remediation actions.
  • Resource estimates totaling $58.5 million for FY 2007 costs related to computer security remediation actions could either not be verified or differed significantly from the detailed supporting documentation provided.  For example, the IRS reported a resource estimate for FY 2007 of $21 million for contractor support related to audit trail enhancements as of December 31, 2006.  However, the supporting documentation provided by the IRS for these enhancements identified anticipated costs of only $1.6 million in FY 2007 for this area.  During our audit fieldwork, IRS functional personnel, responsible for computer security remediation actions, stated the $58.5 million in FY 2007 calculated costs reported was based on a significantly outdated estimate.

Although the IRS did indicate in the December 31, 2006, FFMIA plan that it is presently in the process of recalculating computer security enhancement-related costs, in our opinion, presenting outdated and unsupported costs as calculated FY 2007 costs is confusing and potentially misleading.  We advised the IRS of our concerns on March 8, 2007, and it has subsequently stated that all FY 2007 cost information related to computer security enhancement remediation action items will be corrected and incorporated into the June 30, 2007, FFMIA plan.  As part of this effort, cost estimates for FY 2008 and beyond will also be developed, as applicable.

Remediation plans should describe the resources, remedies, and intermediate target dates for achieving compliance with the FFMIA.  The Chief Financial Officer function has overall responsibility for verifying the accuracy of remediation plan status updates, associated resources, and the preparation of the final quarterly report for submission to the Office of Management and Budget and the Department of the Treasury.  The Chief Financial Officer function informed us that they did not compare any of the resource information related to computer security presented in the December 31, 2006, FFMIA plan to supporting documentation.  

Without a timely, accurate, and complete estimate of the resources needed to fully implement all of the remediation actions presented in the FFMIA plan, the IRS cannot effectively evaluate the commitments needed to correct the cited weaknesses.  This could delay the completion of the remediation actions due to insufficient resources being available when needed.  Furthermore, until these actions are taken, the weaknesses in the IRS’ financial management system related to computer security issues will continue to exist.  In addition, we will be unable to fully assess the IRS’ progress in resolving many of the significant findings and recommendations reported in the FFMIA remediation plan.

Recommendation

Recommendation 1:  The IRS Associate Chief Financial Officer for Corporate Planning and Internal Control should develop procedures requiring that all remediation actions presented in future FFMIA plans be reviewed to ensure they are supported by a calculation of resource needs by year and the calculations be compared to detailed supporting documentation on at least a sample basis.

Management’s Response:  The IRS agreed with our recommendation.  The Associate Chief Financial Officer for Corporate Planning and Internal Control will develop procedures requiring that owners of all remediation actions presented in future FFMIA plans identify resources for all years covered by the actions and that the owners provide documentation to support the identified resources.  Where the supporting documentation is unclear or contradictory, the Associate Chief Financial Officer for Corporate Planning and Internal Control will obtain clarification from the owner of the remediation action.  Additionally, the Office of Internal Control will review all plans to ensure they are supported by a calculation of resource needs by year and will compare the calculations to detailed supporting documentation to ensure compliance with reporting procedures.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to report to Congress, as required by the FFMIA,[3] any instances of and reasons for missed intermediate target dates established in the IRS’ FFMIA remediation plan as of December 31, 2006.  We also evaluated, in general, whether the IRS was meeting its responsibilities in fulfilling the intent of the FFMIA.  To accomplish our objective, we:

I. Gained an understanding of the requirements of the FFMIA, including Office of Management and Budget and Department of the Treasury guidance for compliance with the Act.

II. Determined whether the IRS’ remediation plan was consistent with Government Accountability Office recommendations from prior IRS financial audits and related financial management reports.

III. Determined whether (1) the IRS missed any intermediate target dates established in its remediation plan, (2) intermediate target dates were extended without sufficient documentation to support the revised date, and (3) proper approval was obtained for remedial actions extending more than 3 years.

IV. Determined whether (1) the IRS remediation plan had established resource needs for remedial actions and (2) the resources presented were consistent with supporting documentation.

 

Appendix II

 

Major Contributors to This Report

 

Nancy Nakamura, Assistant Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs)

John R. Wright, Director

Anthony J. Choma, Audit Manager

Joseph F. Cooney, Lead Auditor

Richard Louden, Senior Auditor

Rashme Sawhney, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Chief Financial Officer  OS:CFO

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaison:  Chief Financial Officer  OS:CFO

 

Appendix IV

 

Outcome Measure

 

This appendix presents detailed information on the measurable impact that our recommended corrective action will have on tax administration.  This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:

  • Reliability of Information – Actual; $58.5 million in reported FFMIA remediation plan FY 2007 resources which could either not be verified or differed materially from the detailed supporting documentation provided by the IRS (see page 3).

Methodology Used to Measure the Reported Benefit:

To determine whether the IRS reliably reported remediation plan resources, we compared remediation action resources reported to supporting documentation and interviewed selected IRS personnel.  Our analysis determined that $58.5 million in FY 2007 reported resources either could not be verified or differed significantly from the detailed supporting documentation provided by the IRS.

 

Appendix V

 

Financial Management Remediation Action Projects

 

The IRS has initiated five financial management projects in response to the various material weaknesses identified by the Government Accountability Office and the Treasury Inspector General for Tax Administration relating to the FFMIA.[4]  The IRS described the functionality of the projects contained in its remediation plan as follows:

Custodial Detail Data Base:  To more accurately report a single balance due for Trust Fund Recovery Penalty assessments and determine areas for improvement, the IRS Chief Financial Officer developed a Trust Fund Recovery Penalty database.  The Trust Fund Recovery Penalty database is the first release of the Financial Management Information System enhancement to the Custodial Detail Data Base that will enable the IRS to address many of the outstanding financial management recommendations.  Full Custodial Detail Data Base functionality will be accomplished in four releases. 

  • Release I – Unpaid Assessments subledger.
  • Release II – Master File[5] transactions and Electronic Funds Transfer Payment System[6] preposted transactions.
  • Release III – All other preposted revenue receipt transactions and refund transactions.
  • Release IV – Frozen Credit subledger and Excise Tax Allocations.

Employment and Excise Tax:  This project addresses deficiencies in the detailed support for revenue collected relating to employment and excise taxes.  The IRS provided two disclosures to the FY 2006 financial statements for additional breakouts of Social Security taxes and other excise taxes collected.

Automated Trust Fund Recovery System:  The Automated Trust Fund Recovery System provides the capability to systematically upload Trust Fund Recovery Penalty assessments from the Area Offices[7] and properly cross-references payments received for assessments made.  The Automated Trust Fund Recovery System replaced manual processes for assessing penalties and cross-referencing payments and will ensure compliance with Government Accountability Office requirements and accounting standards.  All Wage and Investment Division Trust Fund Recovery Penalty work was transferred to the Small Business/Self-Employed Division campuses[8] in January 2006.

Integrated Financial System:  The Integrated Financial System provides the IRS with an integrated accounting system to account for and control resources.  The Integrated Financial System includes a Core Financial System (General Ledger, Accounts Receivable, Accounts Payable, Funds and Cost Management, and Financial Reporting), as well as a Budget Formulation system and a 3-year rolling forecast.  

Because the current version of the Integrated Financial System software will no longer be supported by the vendor after December 2009, the IRS is currently evaluating the cost, benefits, and risks associated with various replacement options.  The IRS is also developing a strategy and action plan for enhancing cost data and integrating budget and performance data to provide more robust data for resource allocation decisions in FY 2008.  The plan is under development and scheduled for completion during the fourth quarter of FY 2007.

Computer Security:  This project addresses internal control deficiencies cited in various audits; initiates efforts to develop controls implemented at campuses, field offices, and post-of-duty offices to ensure uniformity and consistency; develops appropriate means through which the IRS can carry out periodic reviews of the effectiveness of policies and procedures, along with means to address security breaches; updates access control standards to reflect changes in technology and operating environments; provides computer security training to personnel; and conducts computer security self-assessment reviews that identify and alleviate vulnerabilities on a proactive basis. 

Based on recent Treasury Inspector General for Tax Administration findings during the review of the computer security material weakness, the Mission Assurance and Security Services organization, in partnership with the Chief Information Officer, has developed new program action plans for the following six issues:  (1) Access Controls, (2) Rules of Behavior, (3) Audit Trails, (4) Training, (5) Process Authorizations (Certifications and Accreditations), and (6) Disaster Recovery.

A new plan for computer security was developed and approved by the IRS Financial and Management Controls Executive Steering Committee on September 19, 2006.

 

Appendix VI

 

Management’s Response to the Discussion Draft Report

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.



[1] Pub. L. No. 104-208, 110 Stat. 3009.

[2] Pub. L. No. 104-208, 110 Stat. 3009.

[3] Pub. L. No. 104-208, 110 Stat. 3009.

[4] Pub. L. No. 104-208, 110 Stat. 3009.

[5] The IRS database that stores various types of taxpayer account information.  This database includes individual, business, and employee plans and exempt organizations data.

[6] The IRS system that allows taxpayers to make their Federal tax payments electronically.

[7] A geographic organizational level used by IRS business units and offices to help their specific types of taxpayers understand and comply with tax laws and issues.

[8] The data processing arm of the IRS.  The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.