TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2007

March 28, 2008

Reference Number:  2008-10-096

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number  |  202-622-6500

Email Address  |  inquiries@tigta.treas.gov

Web Site  |  http://www.tigta.gov

 

March 28, 2008

 

 

MEMORANDUM FOR CHIEF FINANCIAL OFFICER

 

FROM:  Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2007 (Audit # 200810014)

 

This report presents the results of our review of the Internal Revenue Service’s (IRS) Federal Financial Management Improvement Act of 1996 (FFMIA)[1] remediation plan as of December 31, 2007.  The overall objective of this review was to report to Congress any instances of and reasons for missed intermediate target dates established in the IRS’ remediation plan.  We also evaluated whether, in general, the IRS was meeting its responsibilities in fulfilling the intent of the FFMIA.  This review was included in our Fiscal Year 2008 Annual Audit Plan and was performed to meet our requirement under the FFMIA that states, in general, each Inspector General shall report to Congress instances and reasons when an agency has not met the intermediate target dates established in the remediation plan.

Impact on the Taxpayer

Our analysis of the December 31, 2007, FFMIA remediation plan indicated that the intermediate target dates for 10 (29 percent) of 35 remedial actions open at yearend were extended by 6 months to 18 months.  Although the IRS has reasonable explanations for the extended dates, these delays further hinder the IRS’ ability to address its noncompliance with the FFMIA in a timely manner.  In addition, the IRS is still in the process of updating the remediation plan with specific actions to develop timely and reliable cost accounting information.  Complete financial information is critical to the IRS’ ability to accurately report on the results of its operations to both internal and external stakeholders, including taxpayers.

Synopsis

During Calendar Year 2007, the IRS reported that it resolved a key component of one of the material weaknesses associated with its ongoing noncompliance with the FFMIA.  The resolved issue related to the IRS’ financial reporting material weakness area.  The IRS also reported that it canceled 2 and added 6 remedial actions to the 51 open remedial actions in its December 31, 2006, remediation plan.  The two canceled remedial actions were related to the Custodial Detail Data Base.[2]  These two actions were replaced by six new expanded remediation actions for the same project.  This change did not materially affect the completion date of remedial actions related to the Custodial Detail Data Base.  The IRS reported that the expanded actions were added to allow it to better track enhancements affecting its various payment systems.

Also during Calendar Year 2007, the IRS reported that it completed 20 remedial actions, leaving 35 open remedial actions in its December 31, 2007, remediation plan.  All of the open actions were associated with four major financial management projects or issues.  Our review of the 35 open remedial actions indicated that the IRS missed no intermediate target dates.  However, it extended target dates related to 10 of the 35 open remedial actions.  The extensions ranged from 6 months to 18 months.  Although the IRS has reasonable explanations for the extended intermediate target dates, these delays could further hinder the IRS’ ability to make timely resolutions of the reported issues that cause its noncompliance with the FFMIA.  In addition, while the IRS completed development of a cost accounting policy in August 2007, it is still in the process of updating the remediation plan with the specific actions it plans to take to develop timely and reliable cost accounting information.  Until the IRS updates the remediation plan with these actions, we will continue to be unable to fully assess its progress in resolving this longstanding financial weakness area.

Finally, we had previously reported[3] that some resources listed in the December 31, 2006, remediation plan were not verifiable to supporting documentation and recommended that the IRS Associate Chief Financial Officer for Corporate Planning and Internal Control review resources listed in future plans for accuracy.  Overall, the IRS has taken effective steps to address our finding.  However, our analysis of the December 31, 2007, remediation plan indicated that information reported on the estimated resources needed to implement the 30 open remedial actions relating to Computer Security included estimated costs related only to Fiscal Year 2008, even though 13 of the 30 actions are scheduled to be completed in Fiscal Year 2009 or beyond. 

The IRS informed us that it is currently conducting a comprehensive reassessment of all the planned actions associated with the Computer Security material weakness area.  Until the IRS completes its reassessment and provides complete resource estimates for all actions listed, we will be unable to fully assess its progress in resolving the findings and recommendations associated with the Computer Security area.

Response

We made no specific remediation plan recommendations as a result of the analyses performed during this audit.  However, key IRS management officials reviewed the report prior to issuance and agreed with the facts and conclusions presented.

Copies of this report are also being sent to the IRS managers affected by the report results.  Please contact me at (202) 622-6510 if you have questions or Nancy A. Nakamura, Assistant Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs), at (202) 622-8500.

 

 

Table of Contents 

 

Background

Results of Review

Progress Was Made in Addressing One of the Weaknesses Associated With the Internal Revenue Service’s Noncompliance With the Federal Financial Management Improvement Act

Some Intermediate Target Dates Were Extended

Resource Information Regarding Some Actions Is Incomplete

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Financial Management Remediation Action Projects

 

 

Abbreviations

 

FFMIA  Federal Financial Management Improvement Act of 1996

FY  Fiscal Year

GAO  Government Accountability Office

IRS  Internal Revenue Service

 

 

Background

 

The Federal Financial Management Improvement Act of 1996 (FFMIA)[4] established in statute certain financial management systems requirements that were already established by executive branch policies.  The FFMIA was intended to advance Federal financial management by ensuring that Federal Government management systems can and do provide reliable, consistent disclosure of financial data.  Further, this disclosure should be done on a basis that is uniform across the Federal Government from year to year by consistently using professionally accepted accounting standards.  Specifically, FFMIA Section 803 (a) requires each agency to implement and maintain systems that comply substantially with:

Auditors are required to report on agency compliance with the three stated requirements as part of financial statement audit reports.  Agency heads are required to determine, based on the audit report and other information, whether their financial management systems comply with the FFMIA.  If the agency’s financial systems do not comply, the agency is required to develop a remediation plan that describes the resources, remedies, and intermediate target dates for achieving compliance and to file the plan with the Office of Management and Budget.

In addition, FFMIA Section 804 (b) requires that agency Inspectors General report to Congress instances when and reasons why an agency has not met the intermediate target dates established in its remediation plan.

In the last several years, the Government Accountability Office (GAO) has reported numerous financial management weaknesses in its audits of the Internal Revenue Service’s (IRS) annual financial statements and related assessments of internal control.  Due to these weaknesses, the IRS’ financial management systems have not been in substantial compliance with the requirements of the FFMIA.  Consequently, the IRS has been required to prepare and maintain a remediation plan.

This review was performed at the IRS National Headquarters in Washington, D.C., in the office of the Chief Financial Officer during the period November 2007 through February 2008.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

Progress Was Made in Addressing One of the Weaknesses Associated With the Internal Revenue Service’s Noncompliance With the Federal Financial Management Improvement Act

During Calendar Year 2007, the IRS reported that it resolved a key component of one of the material weaknesses associated with its ongoing noncompliance with the FFMIA.  The resolved issue related to the financial reporting material weakness area.  Specifically, the GAO had previously reported that the IRS did not separately report the amounts of revenue it collected for Social Security, hospital insurance, and individual income taxes and was unable to attribute excise tax receipts to the correct trust fund in a timely manner.  In November 2007, the GAO noted in its Fiscal Years (FY) 2007 and 2006 financial statement audit report[5] that it no longer considers this issue to be an internal control deficiency.

Some Intermediate Target Dates Were Extended

During Calendar Year 2007, the IRS reported that it:

The two canceled remedial actions were related to the Custodial Detail Data Base.[6]  These two actions were replaced by six new expanded remediation actions for the same project.  The IRS reported that the expanded actions were added to allow it to better track enhancements affecting its different payment systems.  This change did not materially affect the completion date of remedial actions related to the Custodial Detail Data Base.

All of the 35 open actions were associated with 4 major financial management projects or issues:

Our review of the 35 open remedial actions indicated that the IRS missed no intermediate target dates.  However, it extended target dates related to 10 of the open actions during Calendar Year 2007.  The extensions ranged from 6 months to 18 months.  The IRS reported that extensions of the intermediate target dates were necessary due to the following:

Although the IRS has reasonable explanations for the extended intermediate target dates, these delays could further hinder the IRS’ ability to make timely resolutions of the reported issues that cause its noncompliance with the FFMIA.  In addition, while the IRS completed development of a cost accounting policy in August 2007, it is still in the process of updating the remediation plan with the specific actions it plans to take to develop timely and reliable cost accounting information.  Until the IRS updates the remediation plan with these actions, we will continue to be unable to fully assess its progress in resolving this longstanding financial weakness area.  Complete financial information is critical to the IRS’ ability to accurately report on the results of its operations to both internal and external stakeholders, including taxpayers.

Each of the 35 actions had an intermediate target date that extended more than 3 years from the initial determination that IRS financial management systems were not in substantial compliance with the FFMIA.  As required, the IRS through the Department of the Treasury properly obtained Office of Management and Budget concurrence to extend its corrective actions beyond the 3-year limitation. 

Finally, we reviewed the GAO’s FY 2007 financial statement audit and did not identify any additional recommendations that would have required inclusion in the IRS remediation plan.

 

Resource Information Regarding Some Actions Is Incomplete

We had previously reported[7] that some resources listed in the December 31, 2006, remediation plan were not verifiable to supporting documentation and recommended that the IRS Associate Chief Financial Officer for Corporate Planning and Internal Control review resources listed in future plans for accuracy.  Overall, the IRS has taken effective steps to address our finding.  We did not identify any instances in which the resources listed in the December 31, 2007, remediation plan were not verifiable to supporting documentation.  However, we did find that information reported on the estimated resources needed to implement the 30 open remedial actions relating to Computer Security included estimated costs related only to FY 2008, even though 13 of the 30 actions are scheduled to be completed in FY 2009 or beyond.  The remediation plan should include resource estimates for each year until the planned action is completed.

The IRS informed us that it is currently conducting a comprehensive reassessment of all the planned actions associated with the Computer Security material weakness area.  The IRS further noted that it plans to update the FFMIA remediation plan to reflect the results of the reassessment as well as add the complete estimated costs associated with all Computer Security related actions later this fiscal year.  Until the IRS completes its reassessment and provides complete resource estimates for all actions listed, we will be unable to fully assess its progress in resolving the findings and recommendations associated with the Computer Security area. 

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to report to Congress, as required by the FFMIA,[8] any instances of and reasons for missed intermediate target dates established in the IRS’ FFMIA remediation plan as of December 31, 2007.  We also evaluated whether, in general, the IRS was meeting its responsibilities in fulfilling the intent of the FFMIA.  To accomplish our objective, we:

I.  Gained an understanding of the requirements of the FFMIA, including Office of Management and Budget and Department of the Treasury guidance for compliance with the Act.

II.  Determined whether the IRS’ remediation plan was consistent with GAO recommendations from prior IRS financial audits and related financial management reports.

III.  Determined whether 1) the IRS missed any intermediate target dates established in its remediation plan, 2) intermediate target dates were extended without sufficient documentation to support the revised dates, and 3) proper approval was obtained for remedial actions extending more than 3 years.

IV.  Determined whether 1) the IRS remediation plan had established resource needs for remedial actions and 2) the resources presented were consistent with supporting documentation.

V.  Determined whether the IRS had taken adequate corrective actions on prior reported audit findings related to the FFMIA remediation plan.

 

Appendix II

 

Major Contributors to This Report

 

Nancy A. Nakamura, Assistant Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs)

Alicia P. Mrozowski, Director

Anthony J. Choma, Audit Manager

Mildred Rita Woody, Lead Auditor

Richard E. Louden, Senior Auditor

Angela Garner, Auditor

William E. Thompson, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Acting Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Chief Financial Officer  OS:CFO

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaison:  Chief Financial Officer  OS:CFO

 

Appendix IV

 

Financial Management Remediation Action Projects

 

The IRS initiated five financial management projects in response to the various material weaknesses identified by the GAO and the Treasury Inspector General for Tax Administration relating to the FFMIA.[9]  The IRS described the functionality of the projects contained in its remediation plan as follows.

Custodial Detail Data Base:  To more accurately report a single balance due for Trust Fund Recovery Penalty[10] assessments and determine areas for improvement, the IRS Chief Financial Officer developed a Trust Fund Recovery Penalty database.  This database is the first release of the Financial Management Information System enhancement to the Custodial Detail Data Base that will enable the IRS to address many of the outstanding financial management recommendations.  Full Custodial Detail Data Base functionality will be accomplished in four releases. 

Employment and Excise Tax:  This project addresses deficiencies in the detailed support for revenue collected relating to employment and excise taxes.  The GAO evaluated the IRS’ completed actions during its audit of the IRS’ FYs 2007 and 2006 financial statements and reported that it no longer considers these issues to represent internal control deficiencies.[13] 

Automated Trust Fund Recovery System:  This system provides the capability to systematically upload Trust Fund Recovery Penalty assessments from the Area Offices[14] and properly cross-references payments received for assessments made.  The Automated Trust Fund Recovery System replaced manual processes for assessing penalties and cross-referencing payments and is designed to ensure compliance with GAO requirements and accounting standards. 

Integrated Financial System:  This system provides the IRS with an integrated accounting system to account for and control resources.  It includes a Core Financial System (General Ledger, Accounts Receivable, Accounts Payable, Funds and Cost Management, and Financial Reporting) as well as a Budget Formulation system and a 3-year rolling forecast.  Because the current version of the Integrated Financial System software will not be supported by the vendor after December 2009, the IRS is currently evaluating the costs, benefits, and risks associated with various replacement options. 

Computer Security:  This project addresses internal control deficiencies cited in various audits; initiates efforts to develop controls implemented at campuses,[15] field offices, and post-of-duty offices to ensure uniformity and consistency; develops appropriate means through which the IRS can carry out periodic reviews of the effectiveness of policies and procedures, along with means to address security breaches; updates access control standards to reflect changes in technology and operating environments; provides computer security training to personnel; and conducts computer security self-assessment reviews that identify and alleviate vulnerabilities on a proactive basis. 


[1] Pub. L. No. 104-208, 110 Stat. 3009.

[2] See Appendix IV for a description of the projects mentioned in the report.

[3] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2006 (Reference Number 2007-10-077, dated May 21, 2007).

[4] Pub. L. No. 104-208, 110 Stat. 3009.

[5] FINANCIAL AUDIT:  IRS’ Fiscal Years 2007 and 2006 Financial Statements (GAO-08-166, dated November 2007).

[6] See Appendix IV for a description of the projects mentioned in the report.

[7] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2006 (Reference Number 2007-10-077, dated May 21, 2007).

[8] Pub. L. No. 104-208, 110 Stat. 3009.

[9] Pub. L. No. 104-208, 110 Stat. 3009.

[10] When a company does not pay the taxes it withholds from employee wages, such as Social Security or individual income tax, the IRS has the authority to assess all responsible corporate officers individually for the taxes withheld via the Trust Fund Recovery Penalty.

[11] The IRS database that stores various types of taxpayer account information.  This database includes individual, business, and employee plans and exempt organizations data.

[12] The IRS system that allows taxpayers to make their Federal tax payments electronically.

[13] FINANCIAL AUDIT:  IRS’ Fiscal Years 2007 and 2006 Financial Statements (GAO-08-166, dated November 2007).

[14] A geographic organizational level used by IRS business units and offices to help their specific types of taxpayers understand and comply with tax laws and issues.

[15] The data processing arm of the IRS.  The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.