The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2008
July 30, 2009
Reference Number: 2009-10-094
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number |
202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site |
http://www.tigta.gov
July 30, 2009
MEMORANDUM FOR CHIEF FINANCIAL OFFICER
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2008 (Audit # 200910006)
This report presents the results of our review of the
Federal Financial Management Improvement Act of 1996 (FFMIA).[1] The overall objective of this review was to
report to Congress, as required by the FFMIA, any instances of and reasons for
missed intermediate target dates established in the Internal Revenue Service’s
(IRS) FFMIA remediation plan as of December 31, 2008. We also evaluated whether, in general, the
IRS was meeting its responsibilities in fulfilling the intent of the
FFMIA. This review was included in our Fiscal
Year (FY) 2009 Annual Audit Plan and was performed to meet our requirement
under the FFMIA that states, in general, each Inspector General shall report to
Congress instances and reasons when an agency has not met the intermediate
target dates established in the remediation plan. This review is part of our audit
coverage under the major management challenge of Improving Performance and
Financial Data for Program and Budget Decisions.
Impact on the Taxpayer
The FFMIA remediation plan is a critical part of the IRS’
efforts to bring its financial management systems into compliance with the
FFMIA and to provide reliable, consistent financial data. Our analysis of the IRS’ December 31, 2008,
FFMIA remediation plan found 4 resource estimates relating to Computer
Security,[2] totaling
$41.3 million, that could not be verified from the supporting
documentation provided by the IRS, and 3 remediation actions that did not
include complete resource estimates beyond FY 2009, even though the estimated
completion dates are not until FY 2013.
Complete financial information is critical to the IRS’ ability to
accurately report on the results of its operations to both internal and
external stakeholders, including taxpayers.
Synopsis
During Calendar Year 2008, the IRS reported that it added 50 remediation actions to the 34 open remediation actions listed in its December 31, 2007, FFMIA remediation plan. The IRS also reported that it implemented a comprehensive Computer Security action plan during April 2008, which resulted in the cancellation of 25 remediation actions and the implementation of 39 new actions. During our review, we found that 4 of the 39 new Computer Security remediation actions were extended beyond 3 years. As required, the IRS, through the Department of the Treasury, properly obtained Office of Management and Budget concurrence to extend its corrective actions beyond the 3-year limitation. The remaining 11 remediation actions added in Calendar Year 2008 were related to the Custodial Detail Data Base, Redesign Revenue Accounting Control System, and Automated Trust Fund Recovery System. These additional actions did not materially affect the completion dates for any existing actions.
The IRS also reported that it completed 18 remediation actions, leaving 41 open remediation actions in its December 31, 2008, FFMIA remediation plan. Our review of the 41 open remediation actions indicated that the IRS missed no intermediate target dates. However, our analysis found that the IRS’ December 31, 2008, FFMIA remediation plan did not include remediation actions to address certain Government Accountability Office findings and recommendations related to the IRS’ noncompliance with the FFMIA. These findings and recommendations related to the IRS’ Integrated Financial System, which provides the IRS with an integrated accounting system to account for and control resources. We believe it is critical that the IRS maintain and continue to report in its FFMIA remediation plan all significant open findings and recommendations relating to FFMIA noncompliance.
In addition, we previously reported[3] that some resources listed in the IRS’ December 31, 2006, FFMIA remediation plan were not verifiable to supporting documentation and recommended that the IRS review resources listed in future plans for accuracy. Although we reported[4] that the IRS took effective steps during Calendar Year 2007 to address this finding, we continue to find instances where the resource information for certain remediation actions is either unsupported or incomplete. Specifically, during our review of the IRS’ December 31, 2008, remediation plan, the IRS was unable to provide supporting documentation for 4 Computer Security resource estimates totaling $41.3 million. As a result, we believe the IRS’ current procedures are not effective and that additional procedures are needed to effectively ensure that all remediation actions have verifiable and complete resource estimates.
The IRS also did not include complete resource estimates for several of the remediation actions included in its December 31, 2007, and December 31, 2008, FFMIA remediation plans. For instance, during March 2008, we reported[5] that 13 Computer Security remediation actions reported in the IRS’ December 31, 2007, FFMIA remediation plan included estimated resources for FY 2008 only, even though the scheduled completion dates were not until FY 2009 or beyond. In addition, during our review of the IRS’ December 31, 2008, FFMIA remediation plan, we found three Computer Security remediation actions that did not include complete resource estimates beyond FY 2009, even though the estimated completion dates for these actions are not until FY 2013.
Accurate and complete resource estimates are necessary to effectively evaluate the commitments needed to fully implement all of the remediation actions presented in the IRS’ FFMIA remediation plan. Without the appropriate estimates, the remediation actions could be delayed as a result of insufficient resources being available when needed. Further, until these remediation actions are completed, the weaknesses in the IRS’ financial management system related to Computer Security issues will continue to exist.
Recommendations
The Chief Financial Officer should ensure that the incomplete and unsupported information identified during our review is appropriately updated in future remediation plans. In addition, the Chief Financial Officer, along with the owners of the individual remediation actions, should strengthen the policies and procedures for reviewing the IRS’ FFMIA remediation plans to effectively ensure that future plans include 1) complete and verifiable financial resource estimates for each year until the planned actions are completed and 2) all open findings and recommendations relating to FFMIA noncompliance and remediation actions to address such findings. Further, the Chief Financial Officer should develop a comprehensive system for tracking the remediation actions included in the IRS’ FFMIA remediation plans to effectively ensure that the reason for removing a remediation action is properly documented and maintained, which would provide the users of the FFMIA plan with a consolidated list of open and closed remediation actions as well as an explanation for any additions or deletions. Additionally, the IRS should obtain written concurrence from the Government Accountability Office and the Department of the Treasury that a recommendation is fully addressed prior to removing the associated remediation action(s) from its FFMIA remediation plan.
Response
The IRS agreed with two of the four recommendations made in our report. Specifically, the IRS stated that it will ensure that future remediation plans include 1) the necessary supporting documentation for the four identified Computer Security resource estimates and 2) resource estimates for each year until the planned actions are completed.
The IRS partially agreed with one of the remaining recommendations. Specifically, the IRS obtains written concurrence from the Department of the Treasury when it requests to close a material weakness or significant deficiency. The IRS also stated that it will continue to work with the Government Accountability Office to demonstrate how the actions it has taken address the material weaknesses and significant deficiencies. The IRS disagreed with the part of the recommendation that related to the implementation of a comprehensive tracking system. The IRS stated that it currently has a comprehensive system in place and uses the Joint Audit Management Enterprise System (JAMES) to track all audit recommendations.
The IRS disagreed with the remaining recommendation to strengthen the policies and procedures for reviewing its FFMIA remediation plans. IRS management stated that the Financial Management Control Executive Steering Committee, chaired by the Chief Financial Officer, provides policy guidance and oversight of the IRS management controls program. In FY 2009, the Chief Financial Officer established a business unit working group to ensure corrective actions are current and all remediation plans include actions to address audit findings. The IRS also stated that the Associate Chief Financial Officer for Corporate Planning and Internal Control and the Deputy Chief Financial Officer review all remediation plans quarterly to ensure actions are addressed. Management’s complete response to the draft report is included as Appendix VI.
Office of Audit Comment
We agree with the IRS’ establishment of a business unit working group to ensure corrective actions are current and all remediation plans include actions to address audit findings. However, if these controls were working as intended, the IRS should have identified and addressed the issues included in our report. We discussed this further with IRS management, and they stated that they had additional documentation to support the closing of certain recommendations that was not provided to the audit team during our review. As a result, we were not able to evaluate the effectiveness of these controls.
We also understand that the IRS uses the JAMES as its primary tracking system for all audit report recommendations, including FFMIA recommendations and corrective actions. However, during our review, we found that the IRS had difficulty researching the recommendations in the JAMES. As a result, we believe that solely relying on the JAMES does not provide the IRS with adequate assurance that it can effectively track the FFMIA recommendations and actions. We discussed this further with IRS management and they stated that they have additional internal IRS tracking reports that they use to monitor FFMIA recommendations and actions. However, this information also was not provided to the audit team during our review. As a result, we were not able to evaluate the effectiveness of these controls. We will follow up on these two recommendations during subsequent FFMIA audits.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations), at (202) 622-8500.
No Intermediate Target
Dates Were Extended on Any of the Open Remedies
Improvements Are
Needed to Procedures to Track Open Findings and Recommendations
Resource Information Continues
to Be Unsupported and Incomplete
Appendices
Appendix
I – Detailed Objective, Scope, and Methodology
Appendix
II – Major Contributors to This Report
Appendix
III – Report Distribution List
Appendix
V – Financial Management Remediation Action Projects
Appendix
VI – Management’s Response to the Draft Report
Abbreviations
|
FFMIA |
Federal Financial Management Improvement Act
of 1996 |
|
FY |
Fiscal Year |
|
GAO |
Government Accountability Office |
|
IFS |
Integrated Financial System |
|
IRS |
Internal Revenue Service |
|
JAMES |
Joint Audit
Management |
The Federal Financial Management Improvement Act of 1996 (FFMIA)[6] established in statute certain financial management systems requirements that were already established by executive branch policies. The FFMIA was intended to advance Federal Government financial management by ensuring that Federal Government management systems can and do provide reliable, consistent disclosure of financial data. Further, this disclosure should be done on a basis that is uniform across the Federal Government from year to year by consistently using professionally accepted accounting standards. Specifically, FFMIA Section 803 (a) requires each agency to implement and maintain systems that comply substantially with:
Auditors are required to report on agency compliance with the three stated requirements as part of financial statement audit reports. Agency heads are required to determine, based on the audit report and other information, whether their financial management systems comply with the FFMIA. If the agency’s financial systems do not comply, the agency is required to develop a remediation plan that describes the resources, remedies, and intermediate target dates for achieving compliance and to file the plan with the Office of Management and Budget. In addition, FFMIA Section 804 (b) requires that agency Inspectors General report to Congress instances when and reasons why an agency has not met the intermediate target dates established in its remediation plan.
In the last several years, the Government Accountability Office (GAO) has reported numerous financial management weaknesses in its audits of the Internal Revenue Service’s (IRS) annual financial statements and related assessments of internal control. Due to these weaknesses, the IRS’ financial management systems have not been in substantial compliance with the requirements of the FFMIA. Consequently, the IRS has been required to prepare and maintain a remediation plan.
This review was performed at the IRS National Headquarters
in
The IRS continues to face challenges with reporting
complete and verifiable resource estimates in its FFMIA remediation plans. During our review of the IRS’ December 31,
2008, FFMIA remediation plan, the IRS was unable to provide supporting
documentation for certain resource estimates, totaling $41.3 million. In addition, we found that the IRS did not
include complete resource estimates for several remediation actions included in
its December 31, 2008, FFMIA remediation plan.
Further, the IRS does not have effective procedures to track and report
all open recommendations in its FFMIA remediation plan.
Accurate and complete resource estimates are necessary to
effectively evaluate the commitments needed to fully implement all of the
remediation actions presented in the IRS’ FFMIA remediation plan. Without the appropriate estimates, the
remediation actions could be delayed as a result of insufficient resources
being available when needed. Until the
IRS develops and completes the necessary remediation actions to address all of the
GAO’s open findings and recommendations, the IRS will continue to be
noncompliant with the FFMIA.
No Intermediate Target Dates Were Extended on Any of the Open Remedies
During Calendar Year 2008, the IRS reported that it:
The 25 canceled remediation actions were related to Computer Security[7] and resulted from a new Computer Security plan that was approved in April 2008. These 25 actions were replaced by 39 new expanded remediation actions for the same project. We found that 4 of the 39 new remediation actions significantly extend the completion dates of the remediation actions related to Computer Security, causing some actions to be extended beyond 3 years. As required, the IRS, through the Department of the Treasury, properly obtained Office of Management and Budget concurrence to extend its corrective actions beyond the 3-year limitation. The remaining 11 remediation actions added in Calendar Year 2008 were related to the Custodial Detail Data Base, Redesign Revenue Accounting Control System, and Automated Trust Fund Recovery System. These additional actions did not materially affect the completion dates for any existing remediation actions.
All of the 41 open actions were associated with 3 major financial management projects or issues:
Our review of the 41 open remediation actions indicated that the IRS missed no intermediate target dates. Although the IRS was able to meet the target dates for all open remedies, any future delays could hinder the IRS’ ability to make timely resolutions of the reported issues that caused its noncompliance with the FFMIA.
Progress Was Made in Addressing Material Weaknesses in Internal Controls; However, Improvements Are Still Needed for Compliance With the Federal Financial Management Improvement Act of 1996
In November 2008, the GAO reported[8] that the IRS continued to make significant strides in addressing its financial management challenges and material weaknesses in internal controls. Specifically, the GAO noted that the IRS’ progress to address control deficiencies over the collection of unpaid taxes and the issuance of improper refunds is such that the GAO no longer considers the remaining control deficiencies in this area to constitute a material weakness.
However, the GAO
continued to report that the IRS’ financial management systems did not
substantially comply with the requirements of the FFMIA. The GAO highlighted the following as reasons
for the noncompliance:
·
Noncompliance
with Federal Financial Management Systems Requirements.
·
Noncompliance
with Federal Accounting Standards.
·
Noncompliance
with United States Government Standard General Ledger.
·
Material
weaknesses in information security controls.
·
Reliance
on obsolete systems.
·
Lack of
interface between systems.
The GAO reported
that these financial challenges adversely affect the IRS’ ability to fulfill
its responsibilities as the nation’s tax collector and prevents it from
routinely obtaining comprehensive, timely, accurate, and useful information for
day-to-day decision making.
Improvements Are Needed to Procedures to Track Open Findings and Recommendations
During our review of the IRS’ December 31, 2008, FFMIA remediation plan, we found that the GAO recommendation relating to the development of meaningful cost data was not addressed in that plan. Specifically, the GAO recommended that the IRS develop the data to support meaningful cost information categories and cost-based performance measures. On September 30, 2008, the IRS canceled the remediation action intended to address this recommendation and provided the following explanation in its September 30, 2008, FFMIA remediation plan:
The IRS has a
detailed cost allocation methodology that provides full cost information to the
five operating business units and three complete years of fully allocated cost
data in IFS.[9] The Statement of Net
Cost is produced from the Integrated Financial System cost accounting
module. The IRS briefed the GAO on the
capability to calculate the full cost of products and services.
During our fieldwork, IRS management informed us that the IRS considers this recommendation to be fully addressed and that funding is currently not available for updates to the IFS. However, the IRS was unable to provide supporting documentation that the GAO considered the recommendation closed. In addition, in November 2008, the GAO reported[10] that:
IRS’s financial
management systems do not comply with federal accounting standards because IRS
did not have reliable, current information on the costs of its activities
available to support decision making on a routine basis, consistent with
Statement of Federal Financial Accounting Standards No 4, Managerial Cost
Accounting. Although IRS believes its
recently completed cost pilots have demonstrated its ability to do so, IRS has
not applied the cost information maintained in the cost module of IFS to the
tax related activities processed by separate legacy information systems.
Based on the GAO findings noted above, we consider this recommendation to be unaddressed and, as a result, it should be included in the IRS’ FFMIA remediation plans as an open recommendation. To ensure that the IRS’ FFMIA remediation plans are effective, we believe that the IRS should (1) obtain written concurrence from both the GAO and the Department of the Treasury that a recommendation is fully addressed prior to removing the associated remediation action(s) from its FFMIA remediation plan and (2) include in its FFMIA remediation plan the justification for removing the recommendation(s), the status of the recommendation(s), and whether additional remediation actions will be developed and included in subsequent remediation plans. It is also important that the IRS continue to report open recommendations regardless of funding availability. Specifically, the remediation actions associated with the open recommendations should be presented, along with an explanation that resources are currently not available.
During our fieldwork, we also identified another GAO recommendation[11] that was removed from the IRS’ FFMIA remediation plan and, although this recommendation was no longer associated with a reportable condition, we met with IRS management to determine the status of implementing the recommendation. IRS management informed us that they were unaware that the remediation action was removed from the IRS’ remediation plan. After IRS management researched the issue, they discovered that the remediation action was removed several years prior to the December 31, 2008, plan; however, they were not certain of the reason since the GAO considers it to be an open issue that needed to be addressed. IRS management stated that they planned to research the issue further and would consider adding additional remedies to address this open recommendation. Because the IRS lacks a comprehensive FFMIA tracking system, it was unable to promptly identify when the recommendation and the associated remediation actions were removed from the IRS’ FFMIA remediation plan and the basis for removal.
On April 1, 2009, we provided the IRS with a discussion draft of our review, and the IRS provided the following comments relating to this recommendation:
The
remediation plan action was incorporated into a higher level action that
required IRS to implement Release 2 of the Integrated Financial System (IFS),
which included the Asset Management module that provides the functionality for
subsidiary ledgers for property and equipment.
The Treasury Department concurred that all IFS Release 2 actions could
be canceled due to lack of funding for the IFS upgrade. The actions were canceled, as approved, and
replacement actions will be established once funding is provided so realistic
dates for future actions can be determined.
It is not known when funding for the IFS upgrade will occur, and
therefore, the recommendation remains closed.
We met with IRS management regarding the comments received,
and we were informed that during their initial review they had not researched
the status of the recommendation in the Department of the Treasury’s Joint
Audit Management Enterprise System (JAMES).[12]
Although the information contained in the
JAMES provided the IRS with additional details regarding the closing of the
recommendation, we believe the IRS’ exclusive use of the JAMES is not an
effective or efficient tracking tool for monitoring the FFMIA remediation
actions. The JAMES is a Department-wide
tracking system and, as of January 1, 2008, there were over 4,000 corrective
actions recorded in the system. In
addition, we found that sorting through the information contained in the JAMES can
be rather cumbersome depending on the number of planned corrective actions
associated with each recommendation. For
example, the IRS provided us with a report from the JAMES that included several
pages of corrective actions for each recommendation. Specifically, one recommendation had 16
planned corrective actions that resulted in an 8 page report, and another
recommendation had 26 planned corrective actions covering 12 pages.
Although the IRS is required to record and track its corrective action plans in the JAMES, we believe that the IRS needs to supplement its use of the system by developing a separate process for tracking key information for each recommendation and corrective action related to the FFMIA. For example, the IRS needs to document and maintain a high-level synopsis for each recommendation and corrective action, which would include the origination date for each recommendation and corrective action, the date the recommendation and corrective action was closed or canceled, and the date the action was closed in the JAMES. Overall, the tracking system should provide a high-level summary for IRS management to (1) adequately monitor the status of all current and prior remediation actions and (2) timely respond to inquires regarding the IRS’ FFMIA remediation plans. This supplemental tracking system would provide more assurance that remediation actions are not removed until the IRS fully addresses the recommendation. If remediation actions are inappropriately removed, findings and recommendations will remain open and the IRS will continue to be noncompliant with the FFMIA. We will continue to monitor the FFMIA remediation plan updates throughout Calendar Year 2009.
Recommendations
Recommendation 1: The Chief Financial Officer and the owners of the individual remediation actions should strengthen the policies and procedures for reviewing the IRS’ FFMIA remediation plans to effectively ensure that future plans include all open findings and recommendations and that there are remediation actions to address such findings.
Management’s Response: The IRS disagreed with this recommendation. The IRS stated that the Financial Management
Control Executive Steering Committee, chaired by the Chief Financial Officer,
provides policy guidance and oversight of the IRS management controls
program. In Fiscal Year (FY) 2009, the Chief
Financial Officer established a business unit working group to ensure
corrective actions are current and all remediation plans include actions to
address audit findings. The Associate
Chief Financial Officer for Corporate Planning and Internal Control and the Deputy Chief Financial Officer review all
remediation plans quarterly to ensure actions are addressed.
Office
of Audit Comment: We agree with the IRS’ establishment of a
business unit working group to ensure corrective actions are current and all
remediation plans include actions to address audit findings. However, if these controls were working as
intended, the IRS should have identified and addressed the issues included in
our report. We discussed this further
with IRS management, and they stated that they believe they have sufficient
guidance and oversight for ensuring that all FFMIA open findings and
recommendations are included in its FFMIA remediation plans. In addition, IRS management stated that they
had additional documentation to support the closing of certain recommendations
that was not provided to the audit team during our review. As a result, we were not able to evaluate the
effectiveness of these controls. We will
follow up on this recommendation during subsequent FFMIA audits.
Recommendation 2: The Chief Financial Officer should develop a comprehensive system for tracking the remediation actions included in the IRS’ FFMIA remediation plans to effectively ensure that the reason for removing a remediation action is properly documented and maintained. This would provide the users of the FFMIA plan with a consolidated list of open and closed remediation actions as well as an explanation for any additions or deletions. Additionally, the IRS should obtain written concurrence from the GAO and the Department of the Treasury that a recommendation is fully addressed prior to removing the associated remediation action(s) from its FFMIA remediation plan.
Management’s Response: The IRS agreed with this recommendation, in part. The IRS stated that it obtains written concurrence from the Department of the Treasury when it requests to close a material weakness or significant deficiency. The IRS also stated that it will continue to work with the GAO to demonstrate how the actions it has taken address the material weaknesses and significant deficiencies. The GAO addresses the status of its recommendations in its Annual Audited Financial Statement report and its annual Status of GAO Financial Audit and Related Financial Management recommendations. The IRS disagreed with the part of the recommendation regarding the comprehensive tracking system. The IRS stated that it currently has a comprehensive system in place and uses the JAMES to track all audit recommendations issued by the Department of the Treasury’s Office of Inspector General, the Treasury Inspector General for Tax Administration, and the GAO, including auditor reported material weaknesses and significant deficiencies in accordance with Treasury Directive 40-03 (Treasury Audit Resolution, Follow-up, and Closure). In addition, the Financial Management Control Executive Steering Committee monitors all corrective action plans related to open material weaknesses and significant deficiencies and approves additions and deletions to these plans.
Office of Audit Comment: We understand that the IRS uses the JAMES as its primary tracking system for all audit report recommendations, including FFMIA recommendations and corrective actions. However, during our review, the IRS had difficulty researching the recommendations in the JAMES. As a result, we believe that solely relying on the JAMES does not provide the IRS with adequate assurance that it can effectively track the FFMIA recommendations and actions. We discussed this further with IRS management and they stated that they have additional internal IRS tracking reports that they use to monitor FFMIA recommendations and actions. However, this information was not provided to the audit team during our review. As a result, we were not able to evaluate the effectiveness of these controls. We will follow up on this recommendation during subsequent FFMIA audits.
Resource Information Continues to Be Unsupported and Incomplete
We previously reported[13] that some resources listed in the IRS’ December 31, 2006, FFMIA remediation plan were not verifiable to supporting documentation and recommended that the IRS Associate Chief Financial Officer for Corporate Planning and Internal Control review resources listed in future plans for accuracy. Although we reported[14] that the IRS took effective steps during Calendar Year 2007 to address this finding, we continue to find instances where the resource information for certain remediation actions is either unsupported or incomplete. Therefore, we believe the IRS’ current procedures are not effective and additional procedures are needed to effectively ensure that all remediation actions have verifiable and complete resource estimates.
During our review of the IRS’ December 31, 2008, FFMIA remediation plan, the IRS was unable to provide supporting documentation for 4 Computer Security resource estimates totaling $41.3 million. During our audit fieldwork, IRS management stated that the $41.3 million was based on outdated estimates and supporting documentation was not maintained. The IRS also informed us that it will determine the appropriate resource estimates and include the estimates in its March 31, 2009, FFMIA remediation plan.
The IRS also did not include complete resource estimates for several other remediation actions included in its December 31, 2007, and December 31, 2008, FFMIA remediation plans. For instance, during March 2008, we reported[15] that 13 Computer Security remediation actions reported in the IRS’ December 31, 2007, remediation plan included estimated resources for FY 2008 only, even though the scheduled completion date was not until FY 2009 or beyond. In addition, the IRS’ December 31, 2008, remediation plan did not include complete resource estimates for three Computer Security remediation actions that had target dates that extended to FY 2013. Specifically, we found 3 remediation actions that lacked complete resource estimates for 4 years—FY 2010 through FY 2013. IRS management informed us that the responsibility for these remediation actions had been reassigned to another area within the Modernization and Information Technology Services organization and the resource estimates were not completed beyond FY 2009. IRS management also informed us that the IRS plans to include the appropriate resource estimates in its June 30, 2009, FFMIA remediation plan. In the future, it is important that the IRS ensure that each remediation action includes resource estimates for each year until the planned actions are completed.
Accurate and complete resource estimates are necessary for the IRS to effectively evaluate the commitments needed to fully implement all of the remediation actions presented in the FFMIA remediation plan. Without the appropriate estimates, the completion dates for the remediation actions could be delayed as a result of insufficient resources being available when needed. Further, until these remediation actions are completed, the weaknesses in the IRS’ financial management system related to Computer Security issues will continue to exist.
Recommendations
Recommendation 3: The Chief Financial Officer should ensure that the incomplete and unsupported information identified during our review of the IRS’ December 31, 2008, FFMIA remediation plan is appropriately updated in future remediation plans.
Management’s Response: The IRS agreed with this recommendation and will ensure that future remediation plans include the supporting documentation for the four identified Computer Security resource estimates.
Recommendation 4: The Chief Financial Officer and the owners of
the individual remediation actions should strengthen the policies and
procedures for reviewing the IRS’ FFMIA remediation plans to effectively ensure
that future plans include complete and verifiable financial resource estimates for each year
until the planned actions are completed.
Management’s Response: The IRS agreed with
this recommendation and will ensure that future remediation plans include
resource estimates for each year until the planned actions are completed for
the identified remediation actions related to the December 31, 2007, and
December 31, 2008, remediation plans.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to report to Congress, as required by the FFMIA,[16] any instances of and reasons for missed intermediate target dates established in the IRS’ FFMIA remediation plan as of December 31, 2008. We also evaluated whether, in general, the IRS was meeting its responsibilities in fulfilling the intent of the FFMIA. To accomplish our objective, we:
I. Gained an understanding of the requirements of the FFMIA, including Office of Management and Budget and Department of the Treasury guidance for compliance with the FFMIA.
A. Reviewed the FFMIA and all related Office of Management and Budget and Department of the Treasury guidance.
B. Summarized all relative procedural standards to be used during our audit tests.
II. Determined whether the IRS’ remediation plan was consistent with GAO recommendations from prior IRS financial audits and related financial management reports.
A. Obtained the following IRS financial statement-related reports issued by the GAO[17] since the last remediation plan audit.
1. Opinion Report.
2. Recommendation Report.
3. Management Letter.
B. Identified any financial management recommendations meeting FFMIA criteria from the GAO reports obtained in Step II.A.
C. Mapped the identified GAO recommendations to the current IRS remediation plan to identify any recommendations not included in the plan.
D. If instances were identified, inquired of IRS officials as to why the GAO recommendations were not included.
III. Determined whether 1) the IRS missed any intermediate target dates established in its remediation plan, 2) intermediate target dates were extended without sufficient documentation to support the revised dates, and 3) proper approval was obtained for remediation actions extending more than 3 years.
A. Verified that all remedial actions have intermediate target dates established.
B. Identified instances when the IRS has not met the intermediate target dates.
C. If instances of missed dates were identified, inquired of IRS officials as to the reason the IRS did not meet the intermediate target date.
D. Evaluated the impact the missed intermediate target date had on the IRS in meeting the established goal of the remedial action.
E. Compared the December 31, 2008, IRS FFMIA remediation plan to prior plans to identify intermediate target dates that have changed since the previous Treasury Inspector General for Tax Administration review, and obtained and analyzed documentation in support of any changes.
F. Identified any intermediate target dates extending more than 3 years since the recommendation was reported.
G. If instances of intermediate target dates extending longer than 3 years were identified, verified that approval was requested of the Office of Management Budget.
IV.
Determined whether 1) the IRS remediation plan
had established resource needs for remediation actions and 2) the resources
presented were consistent with supporting documentation.
A. Verified that resource requirements were identified for all remedial actions.
B.
Obtained budget information.
C.
Traced remediation plan resources to budget
information.
D.
If differences were identified, inquired of IRS
officials as to the reason the resource needs did not match budget information.
E.
Evaluated the impact, if any, of deferring
additional releases of the IFS[18]
on the IRS’ FFMIA remedial actions and whether the IRS has plans to reduce the
impact.
V. Determined whether the IRS had taken adequate corrective actions on prior reported audit findings related to the FFMIA remediation plan.
A.
Identified
prior audit findings and corresponding management responses concerning
corrective actions that should have been completed by the time of our audit.
B. Confirmed through discussions/observations that actions had been completed.
C. Performed tests, to the extent needed, to determine the effectiveness of the corrective actions.
Appendix II
Major Contributors to This Report
Nancy
A. Nakamura, Assistant Inspector General for Audit (Management Services and
Exempt Organizations)
Alicia
P. Mrozowski, Director
Michelle
Philpott, Audit Manager
Kenneth
E. Henderson, Lead Auditor
William
E. Thompson, Lead Auditor
Seth
A. Siegel, Senior Auditor
Appendix III
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Financial Officer OS:CFO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
Chief Financial Officer OS:CFO
Appendix IV
This appendix presents detailed information on the measurable impact that our recommended corrective action will have on tax administration. This benefit will be incorporated into our Semiannual Report to Congress.
Type and Value of Outcome Measure:
· Reliability of Information – Actual; $41.3 million of the resource estimates reported in the IRS’ December 31, 2008, FFMIA[19] remediation plan could not be verified from the supporting documentation provided by the IRS (see page 9).
Methodology Used to Measure the Reported Benefit:
To determine whether the IRS reliably reported estimated resources in its December 31, 2008, FFMIA remediation plan, we compared the estimated resources to the supporting documentation and interviewed selected IRS personnel. Our analysis determined that $41.3 million of the reported resources could not be verified from the supporting documentation provided by the IRS.
Appendix V
Financial Management Remediation Action Projects
The IRS initiated five financial management projects in response to the various material weaknesses identified by the GAO and the Treasury Inspector General for Tax Administration relating to the FFMIA.[20] The IRS described the functionality of the projects contained in its remediation plan as follows.
Custodial Detail Data Base: To more accurately report a single balance due for Trust Fund Recovery Penalty[21] assessments and determine areas for improvement, the IRS Chief Financial Officer developed a Trust Fund Recovery Penalty database. This database is the first release of the Financial Management Information System enhancement to the Custodial Detail Data Base that will enable the IRS to address many of the outstanding financial management recommendations. Full Custodial Detail Data Base functionality will be accomplished in four releases.
The Redesign
Revenue Accounting Control System: The
current Redesign Revenue Accounting Control System records financial
transactions pertaining to taxpayer processing and is the IRS custodial
accounting system of record. Although the
IRS has received 11 consecutive clean opinions on its financial reports, the GAO
continues to cite several material weaknesses with custodial accounting
pertaining to traceability and noncompliance with the United States Standard
General Ledger, among other issues. The IRS
Submissions Processing function also requested that the Redesign Revenue
Accounting Control System consolidate reporting due to campus[24] consolidation and to relieve the campus directors’ burden
to certify monthly reports. In addition,
the Redesign Revenue Accounting Control System does not conform to the current IRS Enterprise
Architecture.
Automated Trust Fund Recovery System: This system provides the capability to systematically
upload Trust Fund Recovery Penalty assessments from the Area Offices[25] and properly cross-references payments received for
assessments made. The Automated Trust
Fund Recovery System replaced manual processes for assessing penalties and
cross-referencing payments and is designed to ensure compliance with the GAO
requirements and accounting standards.
Integrated Financial System: This system provides the IRS with an integrated accounting
system to account for and control resources.
It includes a Core Financial System (General Ledger, Accounts
Receivable, Accounts Payable, Funds and Cost Management, and Financial
Reporting) as well as a Budget Formulation system and a 3-year rolling
forecast.
Computer Security: This project addresses internal control deficiencies cited in various audits; initiates efforts to develop controls implemented at campuses, field offices, and post-of-duty offices to ensure uniformity and consistency; develops appropriate means through which the IRS can carry out periodic reviews of the effectiveness of policies and procedures, along with means to address security breaches; updates access control standards to reflect changes in technology and operating environments; provides computer security training to personnel; and conducts computer security self-assessment reviews that identify and alleviate vulnerabilities on a proactive basis.
Appendix VI
Management’s Response to the Draft Report
The response was removed due to its
size. To see the response, please go to
the Adobe PDF version of the report on the TIGTA Public Web Page.
[1] Pub. L. No. 104-208, 110 Stat. 3009.
[2] See Appendix V for a description of the projects mentioned in the report.
[3] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2006 (Reference Number 2007-10-077, dated May 21, 2007).
[4] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2007 (Reference Number 2008-10-096, dated March 28, 2008).
[5] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2007 (Reference Number 2008-10-096, dated March 28, 2008).
[6] Pub. L. No. 104-208, 110 Stat. 3009.
[7] See Appendix V for a description of the projects mentioned in the report.
[8] FINANCIAL AUDIT: IRS’s Fiscal Years 2008 and 2007 Financial Statements (GAO-09-119, dated November 2008).
[9] The Integrated Financial System (IFS) was acquired by the IRS to provide timely, detailed financial, cost accounting, property accounting, and procurement data to authorized users.
[10] FINANCIAL AUDIT: IRS’s Fiscal Years 2008 and 2007 Financial Statements (GAO-09-119, dated
November 2008).
[11] Internal Revenue Service: Recommendations to Improve Financial and Operational Management (GAO-01-42, dated November 17, 2000). This recommendation is reported as “open” in the GAO report, Internal Revenue Service: Status of GAO Financial Audit and Related Financial Management Report Recommendations (GAO-08-693, dated July 2008).
[12] The JAMES supports the customers in their management of audit findings and recommendations. It is used to monitor the progress and implementation of planned corrective actions to correct audit findings and material weaknesses. The JAMES is a Department-wide system accessible to the customers, Departmental management, the Department of the Treasury Office of Inspector General, and the Treasury Inspector General for Tax Administration. It contains tracking information on all actions required to address audit findings and recommendations.
[13] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2006 (Reference Number 2007-10-077, dated May 21, 2007).
[14] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2007 (Reference Number 2008-10-096, dated March 28, 2008).
[15] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2007 (Reference Number 2008-10-096, dated March 28, 2008).
[16] Pub. L. No. 104-208, 110 Stat. 3009.
[17] FINANCIAL AUDIT: IRS’s Fiscal Years 2008 and 2007 Financial Statements (GAO-09-119, dated
November 2008) and INTERNAL REVENUE SERVICE: Status of GAO Financial Audit and Related Financial Management Report Recommendations (GAO-08-693, dated July 2008).
[18] The IFS was acquired by the IRS to provide timely, detailed financial, cost accounting, property accounting, and procurement data to authorized users.
[19] Pub. L. No. 104-208, 110 Stat. 3009.
[20] Pub. L. No. 104-208, 110 Stat. 3009.
[21] When a company does not pay the taxes it withholds from employee wages, such as Social Security or individual income tax, the IRS has the authority to assess all responsible corporate officers individually for the taxes withheld via the Trust Fund Recovery Penalty.
[22] The IRS database that stores various types of taxpayer account information. This database includes individual, business, and employee plans and exempt organizations data.
[23] The IRS system that allows taxpayers to make their Federal tax payments electronically.
[24] The data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.
[25] A geographic organizational level used by IRS business units and offices to help their specific types of taxpayers understand and comply with tax laws and issues.