Treasury Inspector General for Tax Administration

Office of Audit

THE INTERNAL REVENUE SERVICE’S FEDERAL FINANCIAL MANAGEMENT IMPROVEMENT ACT REMEDIATION PLAN AS OF DECEMBER 31, 2008

Issued on July 30, 2009

Highlights

Highlights of Report Number:  2009-10-094 to the Internal Revenue Service Chief Financial Officer.

IMPACT ON TAXPAYERS

The Federal Financial Management Improvement Act (FFMIA) remediation plan is a critical part of the IRS’ efforts to bring its financial management systems into compliance with the FFMIA and to provide reliable, consistent financial data.  TIGTA’s analysis of the IRS’ FFMIA remediation plan found that the IRS continues to face challenges with reporting complete and verifiable resource estimates.  Without the appropriate estimates, there could be delays in completing remediation actions due to insufficient resources being available when needed.  Complete financial information is critical to the IRS’ ability to accurately report on the results of its operations to both internal and external stakeholders, including taxpayers.

WHY TIGTA DID THE AUDIT

The overall objective of this review was to report to Congress any instances of and reasons for missed intermediate target dates established in the IRS’ remediation plan.  TIGTA also evaluated whether, in general, the IRS was meeting its responsibilities in fulfilling the intent of the FFMIA.

WHAT TIGTA FOUND

In Calendar Year 2008, the IRS added 50 remediation actions to the 34 open actions in its December 31, 2007, FFMIA remediation plan.  A comprehensive new Computer Security action plan resulted in 39 of the 50 new actions and in the cancellation of 25 remediation actions.  The IRS also completed 18 remediation actions, leaving 41 open remediation actions in its December 31, 2008, FFMIA remediation plan. 

TIGTA’s review of the 41 open actions indicated that the IRS missed no intermediate target dates.  However, it also indicated that the IRS’ December 31, 2008, FFMIA plan did not include actions to address certain findings related to noncompliance with the FFMIA.  The IRS was unable to provide supporting documentation for 4 Computer Security resource estimates totaling $41.3 million.  In addition, three Computer Security remediation actions did not include complete resource estimates beyond Fiscal Year 2009, even though the estimated completion dates for these actions are not until Fiscal Year 2013.  Accurate and complete resource estimates are necessary to effectively evaluate the commitments needed to fully implement actions in the IRS’ FFMIA remediation plan.  Until these remediation actions are completed, weaknesses in the IRS’ financial management system related to Computer Security issues will continue to exist. 

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Financial Officer (CFO) ensure that the incomplete and unsupported information is updated in future remediation plans and that the CFO and owners of the individual remediation actions strengthen the policies for reviewing the IRS’ remediation plans to ensure that future plans include complete and verifiable financial resource estimates, all open findings and recommendations relating to FFMIA noncompliance, and all associated remediation actions.  Further, the CFO should develop a system for tracking remediation actions to ensure the reason for removing a remediation action is documented and maintained.  The IRS should also obtain written concurrence from the Government Accountability Office and the Department of the Treasury that a recommendation is fully addressed before removing the associated remediation action(s).

In their response, IRS officials agreed with the two recommendations to update the incomplete resource estimates and ensure complete estimates for planned remediation actions.  The IRS plans corrective actions for those issues.  IRS officials disagreed with the need for a tracking system and the need to strengthen the policies and procedures for reviewing the IRS’ FFMIA remediation plans, stating that an adequate tracking system is already in place and a new working group was recently implemented to review remediation plans.

While TIGTA agrees with the establishment of a working group, if this control was working as intended, the IRS should have identified and addressed the issues included in our report.  Additionally, the IRS’ current tracking system does not provide effective tracking of FFMIA remediation actions.  Although IRS officials subsequently stated that they had additional documentation to support the closing of certain actions and additional tracking reports to monitor FFMIA remediation actions, this information was not provided to the auditors during the review.  As a result, TIGTA was not able to evaluate the effectiveness of these controls.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2009reports/200910094fr.html. 

Email Address:   inquiries@tigta.treas.gov

Phone Number:   202-622-6500

Web Site:   http://www.tigta.gov