TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2008

July 30, 2009

Reference Number: 2009-10-094

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov

July 30, 2009

MEMORANDUM FOR CHIEF FINANCIAL OFFICER

FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2008 (Audit # 200910006)

 

This report presents the results of our review of the Federal Financial Management Improvement Act of 1996 (FFMIA).[1]  The overall objective of this review was to report to Congress, as required by the FFMIA, any instances of and reasons for missed intermediate target dates established in the Internal Revenue Service’s (IRS) FFMIA remediation plan as of December 31, 2008.  We also evaluated whether, in general, the IRS was meeting its responsibilities in fulfilling the intent of the FFMIA.  This review was included in our Fiscal Year (FY) 2009 Annual Audit Plan and was performed to meet our requirement under the FFMIA that states, in general, each Inspector General shall report to Congress instances and reasons when an agency has not met the intermediate target dates established in the remediation plan.  This review is part of our audit coverage under the major management challenge of Improving Performance and Financial Data for Program and Budget Decisions.   

Impact on the Taxpayer

The FFMIA remediation plan is a critical part of the IRS’ efforts to bring its financial management systems into compliance with the FFMIA and to provide reliable, consistent financial data.  Our analysis of the IRS’ December 31, 2008, FFMIA remediation plan found 4 resource estimates relating to Computer Security,[2] totaling $41.3 million, that could not be verified from the supporting documentation provided by the IRS, and 3 remediation actions that did not include complete resource estimates beyond FY 2009, even though the estimated completion dates are not until FY 2013.  Complete financial information is critical to the IRS’ ability to accurately report on the results of its operations to both internal and external stakeholders, including taxpayers.

Synopsis

During Calendar Year 2008, the IRS reported that it added 50 remediation actions to the 34 open remediation actions listed in its December 31, 2007, FFMIA remediation plan.  The IRS also reported that it implemented a comprehensive Computer Security action plan during April 2008, which resulted in the cancellation of 25 remediation actions and the implementation of 39 new actions.  During our review, we found that 4 of the 39 new Computer Security remediation actions were extended beyond 3 years.  As required, the IRS, through the Department of the Treasury, properly obtained Office of Management and Budget concurrence to extend its corrective actions beyond the 3-year limitation.  The remaining 11 remediation actions added in Calendar Year 2008 were related to the Custodial Detail Data Base, Redesign Revenue Accounting Control System, and Automated Trust Fund Recovery System.  These additional actions did not materially affect the completion dates for any existing actions.  

The IRS also reported that it completed 18 remediation actions, leaving 41 open remediation actions in its December 31, 2008, FFMIA remediation plan.  Our review of the 41 open remediation actions indicated that the IRS missed no intermediate target dates.  However, our analysis found that the IRS’ December 31, 2008, FFMIA remediation plan did not include remediation actions to address certain Government Accountability Office findings and recommendations related to the IRS’ noncompliance with the FFMIA.  These findings and recommendations related to the IRS’ Integrated Financial System, which provides the IRS with an integrated accounting system to account for and control resources.  We believe it is critical that the IRS maintain and continue to report in its FFMIA remediation plan all significant open findings and recommendations relating to FFMIA noncompliance. 

In addition, we previously reported[3] that some resources listed in the IRS’ December 31, 2006, FFMIA remediation plan were not verifiable to supporting documentation and recommended that the IRS review resources listed in future plans for accuracy.  Although we reported[4] that the IRS took effective steps during Calendar Year 2007 to address this finding, we continue to find instances where the resource information for certain remediation actions is either unsupported or incomplete.  Specifically, during our review of the IRS’ December 31, 2008, remediation plan, the IRS was unable to provide supporting documentation for 4 Computer Security resource estimates totaling $41.3 million.  As a result, we believe the IRS’ current procedures are not effective and that additional procedures are needed to effectively ensure that all remediation actions have verifiable and complete resource estimates. 

The IRS also did not include complete resource estimates for several of the remediation actions included in its December 31, 2007, and December 31, 2008, FFMIA remediation plans.  For instance, during March 2008, we reported[5] that 13 Computer Security remediation actions reported in the IRS’ December 31, 2007, FFMIA remediation plan included estimated resources for FY 2008 only, even though the scheduled completion dates were not until FY 2009 or beyond.  In addition, during our review of the IRS’ December 31, 2008, FFMIA remediation plan, we found three Computer Security remediation actions that did not include complete resource estimates beyond FY 2009, even though the estimated completion dates for these actions are not until FY 2013. 

Accurate and complete resource estimates are necessary to effectively evaluate the commitments needed to fully implement all of the remediation actions presented in the IRS’ FFMIA remediation plan.  Without the appropriate estimates, the remediation actions could be delayed as a result of insufficient resources being available when needed.  Further, until these remediation actions are completed, the weaknesses in the IRS’ financial management system related to Computer Security issues will continue to exist. 

Recommendations

The Chief Financial Officer should ensure that the incomplete and unsupported information identified during our review is appropriately updated in future remediation plans.  In addition, the Chief Financial Officer, along with the owners of the individual remediation actions, should strengthen the policies and procedures for reviewing the IRS’ FFMIA remediation plans to effectively ensure that future plans include 1) complete and verifiable financial resource estimates for each year until the planned actions are completed and 2) all open findings and recommendations relating to FFMIA noncompliance and remediation actions to address such findings.  Further, the Chief Financial Officer should develop a comprehensive system for tracking the remediation actions included in the IRS’ FFMIA remediation plans to effectively ensure that the reason for removing a remediation action is properly documented and maintained, which would provide the users of the FFMIA plan with a consolidated list of open and closed remediation actions as well as an explanation for any additions or deletions.  Additionally, the IRS should obtain written concurrence from the Government Accountability Office and the Department of the Treasury that a recommendation is fully addressed prior to removing the associated remediation action(s) from its FFMIA remediation plan.

Response

The IRS agreed with two of the four recommendations made in our report.  Specifically, the IRS stated that it will ensure that future remediation plans include 1) the necessary supporting documentation for the four identified Computer Security resource estimates and 2) resource estimates for each year until the planned actions are completed.

The IRS partially agreed with one of the remaining recommendations.  Specifically, the IRS obtains written concurrence from the Department of the Treasury when it requests to close a material weakness or significant deficiency.  The IRS also stated that it will continue to work with the Government Accountability Office to demonstrate how the actions it has taken address the material weaknesses and significant deficiencies.  The IRS disagreed with the part of the recommendation that related to the implementation of a comprehensive tracking system.  The IRS stated that it currently has a comprehensive system in place and uses the Joint Audit Management Enterprise System (JAMES) to track all audit recommendations. 

The IRS disagreed with the remaining recommendation to strengthen the policies and procedures for reviewing its FFMIA remediation plans.  IRS management stated that the Financial Management Control Executive Steering Committee, chaired by the Chief Financial Officer, provides policy guidance and oversight of the IRS management controls program.  In FY 2009, the Chief Financial Officer established a business unit working group to ensure corrective actions are current and all remediation plans include actions to address audit findings.  The IRS also stated that the Associate Chief Financial Officer for Corporate Planning and Internal Control and the Deputy Chief Financial Officer review all remediation plans quarterly to ensure actions are addressed.  Management’s complete response to the draft report is included as Appendix VI.

Office of Audit Comment

We agree with the IRS’ establishment of a business unit working group to ensure corrective actions are current and all remediation plans include actions to address audit findings.  However, if these controls were working as intended, the IRS should have identified and addressed the issues included in our report.  We discussed this further with IRS management, and they stated that they had additional documentation to support the closing of certain recommendations that was not provided to the audit team during our review.  As a result, we were not able to evaluate the effectiveness of these controls. 

We also understand that the IRS uses the JAMES as its primary tracking system for all audit report recommendations, including FFMIA recommendations and corrective actions.  However, during our review, we found that the IRS had difficulty researching the recommendations in the JAMES.  As a result, we believe that solely relying on the JAMES does not provide the IRS with adequate assurance that it can effectively track the FFMIA recommendations and actions.  We discussed this further with IRS management and they stated that they have additional internal IRS tracking reports that they use to monitor FFMIA recommendations and actions.  However, this information also was not provided to the audit team during our review.  As a result, we were not able to evaluate the effectiveness of these controls.  We will follow up on these two recommendations during subsequent FFMIA audits. 

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations), at (202) 622-8500.

 

 

Table of Contents

 

Background

Results of Review

  No Intermediate Target Dates Were Extended on Any of the Open Remedies
  Progress Was Made in Addressing Material Weaknesses in Internal Controls; However, Improvements Are Still Needed for Compliance With the Federal Financial Management Improvement Act of 1996
  Improvements Are Needed to Procedures to Track Open Findings and Recommendations
    Recommendation 1
    Recommendation 2
  Resource Information Continues to Be Unsupported and Incomplete
    Recommendations 3 and 4

Appendices

  Appendix I – Detailed Objective, Scope, and Methodology
  Appendix II – Major Contributors to This Report
  Appendix III – Report Distribution List
  Appendix IV – Outcome Measure
  Appendix V – Financial Management Remediation Action Projects
  Appendix VI – Management’s Response to the Draft Report

 

 

Abbreviations

 

FFMIA – Federal Financial Management Improvement Act of 1996
FY – Fiscal Year
GAO – Government Accountability Office
IFS – Integrated Financial System
IRS – Internal Revenue Service
JAMES – Joint Audit Management Enterprise System

 

 

Background

 

The Federal Financial Management Improvement Act of 1996 (FFMIA)[6] established in statute certain financial management systems requirements that were already established by executive branch policies.  The FFMIA was intended to advance Federal Government financial management by ensuring that Federal Government management systems can and do provide reliable, consistent disclosure of financial data.  Further, this disclosure should be done on a basis that is uniform across the Federal Government from year to year by consistently using professionally accepted accounting standards.  Specifically, FFMIA Section 803 (a) requires each agency to implement and maintain systems that comply substantially with:

  • Federal Government financial management systems requirements.
  • Applicable Federal Government accounting standards.
  • The Government Standard General Ledger at the transaction level.

Auditors are required to report on agency compliance with the three stated requirements as part of financial statement audit reports.  Agency heads are required to determine, based on the audit report and other information, whether their financial management systems comply with the FFMIA.  If the agency’s financial systems do not comply, the agency is required to develop a remediation plan that describes the resources, remedies, and intermediate target dates for achieving compliance and to file the plan with the Office of Management and Budget.  In addition, FFMIA Section 804 (b) requires that agency Inspectors General report to Congress instances when and reasons why an agency has not met the intermediate target dates established in its remediation plan.

In the last several years, the Government Accountability Office (GAO) has reported numerous financial management weaknesses in its audits of the Internal Revenue Service’s (IRS) annual financial statements and related assessments of internal control.  Due to these weaknesses, the IRS’ financial management systems have not been in substantial compliance with the requirements of the FFMIA.  Consequently, the IRS has been required to prepare and maintain a remediation plan.

This review was performed at the IRS National Headquarters in Washington, D.C., in the office of the Chief Financial Officer during the period December 2008 through April 2009.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

The IRS continues to face challenges with reporting complete and verifiable resource estimates in its FFMIA remediation plans.  During our review of the IRS’ December 31, 2008, FFMIA remediation plan, the IRS was unable to provide supporting documentation for certain resource estimates, totaling $41.3 million.  In addition, we found that the IRS did not include complete resource estimates for several remediation actions included in its December 31, 2008, FFMIA remediation plan.  Further, the IRS does not have effective procedures to track and report all open recommendations in its FFMIA remediation plan. 

Accurate and complete resource estimates are necessary to effectively evaluate the commitments needed to fully implement all of the remediation actions presented in the IRS’ FFMIA remediation plan.  Without the appropriate estimates, the remediation actions could be delayed as a result of insufficient resources being available when needed.  Until the IRS develops and completes the necessary remediation actions to address all of the GAO’s open findings and recommendations, the IRS will continue to be noncompliant with the FFMIA. 

No Intermediate Target Dates Were Extended on Any of the Open Remedies

During Calendar Year 2008, the IRS reported that it:

  • Canceled 25 and added 50 remediation actions to the 34 open remediation actions in its December 31, 2007, remediation plan. 
  • Completed 18 remediation actions, leaving 41 open remediation actions in its December 31, 2008, remediation plan. 

The 25 canceled remediation actions were related to Computer Security[7] and resulted from a new Computer Security plan that was approved in April 2008.  These 25 actions were replaced by 39 new expanded remediation actions for the same project.  We found that 4 of the 39 new remediation actions significantly extend the completion dates of the remediation actions related to Computer Security, causing some actions to be extended beyond 3 years.  As required, the IRS, through the Department of the Treasury, properly obtained Office of Management and Budget concurrence to extend its corrective actions beyond the 3-year limitation.  The remaining 11 remediation actions added in Calendar Year 2008 were related to the Custodial Detail Data Base, Redesign Revenue Accounting Control System, and Automated Trust Fund Recovery System.  These additional actions did not materially affect the completion dates for any existing remediation actions.  

All of the 41 open actions were associated with 3 major financial management projects or issues:

  • Custodial Detail Data Base – 4 remediation actions.
  • Redesign Revenue Accounting Control System – 4 remediation actions.
  • Computer Security – 33 remediation actions.

Our review of the 41 open remediation actions indicated that the IRS missed no intermediate target dates.  Although the IRS was able to meet the target dates for all open remedies, any future delays could hinder the IRS’ ability to make timely resolutions of the reported issues that caused its noncompliance with the FFMIA. 

Progress Was Made in Addressing Material Weaknesses in Internal Controls; However, Improvements Are Still Needed for Compliance With the Federal Financial Management Improvement Act of 1996

In November 2008, the GAO reported[8] that the IRS continued to make significant strides in addressing its financial management challenges and material weaknesses in internal controls.  Specifically, the GAO noted that the IRS’ progress to address control deficiencies over the collection of unpaid taxes and the issuance of improper refunds is such that the GAO no longer considers the remaining control deficiencies in this area to constitute a material weakness. 

However, the GAO continued to report that the IRS’ financial management systems did not substantially comply with the requirements of the FFMIA.  The GAO highlighted the following as reasons for the noncompliance:

  • Noncompliance with Federal Financial Management Systems Requirements.
  • Noncompliance with Federal Accounting Standards.
  • Noncompliance with United States Government Standard General Ledger.
  • Material weaknesses in information security controls.
  • Reliance on obsolete systems.
  • Lack of interface between systems.

The GAO reported that these financial challenges adversely affect the IRS’ ability to fulfill its responsibilities as the nation’s tax collector and prevent it from routinely obtaining comprehensive, timely, accurate, and useful information for day-to-day decision making.

Improvements Are Needed to Procedures to Track Open Findings and Recommendations

During our review of the IRS’ December 31, 2008, FFMIA remediation plan, we found that the GAO recommendation relating to the development of meaningful cost data was not addressed in that plan.  Specifically, the GAO recommended that the IRS develop the data to support meaningful cost information categories and cost-based performance measures.  On September 30, 2008, the IRS canceled the remediation action intended to address this recommendation and provided the following explanation in its September 30, 2008, FFMIA remediation plan:

The IRS has a detailed cost allocation methodology that provides full cost information to the five operating business units and three complete years of fully allocated cost data in IFS.[9]  The Statement of Net Cost is produced from the Integrated Financial System cost accounting module.  The IRS briefed the GAO on the capability to calculate the full cost of products and services.

During our fieldwork, IRS management informed us that the IRS considers this recommendation to be fully addressed and that funding is currently not available for updates to the IFS.  However, the IRS was unable to provide supporting documentation that the GAO considered the recommendation closed.  In addition, in November 2008, the GAO reported[10] that:

IRS’s financial management systems do not comply with federal accounting standards because IRS did not have reliable, current information on the costs of its activities available to support decision making on a routine basis, consistent with Statement of Federal Financial Accounting Standards No 4, Managerial Cost Accounting.  Although IRS believes its recently completed cost pilots have demonstrated its ability to do so, IRS has not applied the cost information maintained in the cost module of IFS to the tax related activities processed by separate legacy information systems.

Based on the GAO findings noted above, we consider this recommendation to be unaddressed and, as a result, it should be included in the IRS’ FFMIA remediation plans as an open recommendation.  To ensure that the IRS’ FFMIA remediation plans are effective, we believe that the IRS should (1) obtain written concurrence from both the GAO and the Department of the Treasury that a recommendation is fully addressed prior to removing the associated remediation action(s) from its FFMIA remediation plan and (2) include in its FFMIA remediation plan the justification for removing the recommendation(s), the status of the recommendation(s), and whether additional remediation actions will be developed and included in subsequent remediation plans.  It is also important that the IRS continue to report open recommendations regardless of funding availability.  Specifically, the remediation actions associated with the open recommendations should be presented, along with an explanation that resources are currently not available. 

During our fieldwork, we also identified another GAO recommendation[11] that was removed from the IRS’ FFMIA remediation plan and, although this recommendation was no longer associated with a reportable condition, we met with IRS management to determine the status of implementing the recommendation.  IRS management informed us that they were unaware that the remediation action was removed from the IRS’ remediation plan.  After IRS management researched the issue, they discovered that the remediation action was removed several years prior to the December 31, 2008, plan; however, they were not certain of the reason since the GAO considers it to be an open issue that needed to be addressed.  IRS management stated that they planned to research the issue further and would consider adding additional remedies to address this open recommendation.  Because the IRS lacks a comprehensive FFMIA tracking system, it was unable to promptly identify when the recommendation and the associated remediation actions were removed from the IRS’ FFMIA remediation plan and the basis for removal. 

On April 1, 2009, we provided the IRS with a discussion draft of our review, and the IRS provided the following comments relating to this recommendation:

The remediation plan action was incorporated into a higher level action that required IRS to implement Release 2 of the Integrated Financial System (IFS), which included the Asset Management module that provides the functionality for subsidiary ledgers for property and equipment.  The Treasury Department concurred that all IFS Release 2 actions could be canceled due to lack of funding for the IFS upgrade.  The actions were canceled, as approved, and replacement actions will be established once funding is provided so realistic dates for future actions can be determined.  It is not known when funding for the IFS upgrade will occur, and therefore, the recommendation remains closed.

We met with IRS management regarding the comments received, and we were informed that during their initial review they had not researched the status of the recommendation in the Department of the Treasury’s Joint Audit Management Enterprise System (JAMES).[12]  Although the information contained in the JAMES provided the IRS with additional details regarding the closing of the recommendation, we believe the IRS’ exclusive use of the JAMES is not an effective or efficient tracking tool for monitoring the FFMIA remediation actions.  The JAMES is a Department-wide tracking system and, as of January 1, 2008, there were over 4,000 corrective actions recorded in the system.  In addition, we found that sorting through the information contained in the JAMES can be rather cumbersome depending on the number of planned corrective actions associated with each recommendation.  For example, the IRS provided us with a report from the JAMES that included several pages of corrective actions for each recommendation.  Specifically, one recommendation had 16 planned corrective actions that resulted in an 8-page report, and another recommendation had 26 planned corrective actions covering 12 pages.  Reading through the 16 and 26 planned corrective actions, respectively, to obtain information relating to 1 FFMIA corrective action is not an efficient use of resources.

Although the IRS is required to record and track its corrective action plans in the JAMES, we believe that the IRS needs to supplement its use of the system by developing a separate process for tracking key information for each recommendation and corrective action related to the FFMIA.  For example, the IRS needs to document and maintain a high-level synopsis for each recommendation and corrective action, which would include the origination date for each recommendation and corrective action, the date the recommendation and corrective action was closed or canceled, and the date the action was closed in the JAMES.  Overall, the tracking system should provide a high-level summary for IRS management to (1) adequately monitor the status of all current and prior remediation actions and (2) timely respond to inquiries regarding the IRS’ FFMIA remediation plans.  This supplemental tracking system would provide more assurance that remediation actions are not removed until the IRS fully addresses the recommendation.  If remediation actions are inappropriately removed, findings and recommendations will remain open and the IRS will continue to be noncompliant with the FFMIA.  We will continue to monitor the FFMIA remediation plan updates throughout Calendar Year 2009.

Recommendations

Recommendation 1:  The Chief Financial Officer and the owners of the individual remediation actions should strengthen the policies and procedures for reviewing the IRS’ FFMIA remediation plans to effectively ensure that future plans include all open findings and recommendations and that there are remediation actions to address such findings.

Management’s Response:  The IRS disagreed with this recommendation.  The IRS stated that the Financial Management Control Executive Steering Committee, chaired by the Chief Financial Officer, provides policy guidance and oversight of the IRS management controls program.  In Fiscal Year (FY) 2009, the Chief Financial Officer established a business unit working group to ensure corrective actions are current and all remediation plans include actions to address audit findings.  The Associate Chief Financial Officer for Corporate Planning and Internal Control and the Deputy Chief Financial Officer review all remediation plans quarterly to ensure actions are addressed.

Office of Audit Comment:  We agree with the IRS’ establishment of a business unit working group to ensure corrective actions are current and all remediation plans include actions to address audit findings.  However, if these controls were working as intended, the IRS should have identified and addressed the issues included in our report.  We discussed this further with IRS management, and they stated that they believe they have sufficient guidance and oversight for ensuring that all FFMIA open findings and recommendations are included in its FFMIA remediation plans.  In addition, IRS management stated that they had additional documentation to support the closing of certain recommendations that was not provided to the audit team during our review.  As a result, we were not able to evaluate the effectiveness of these controls.  We will follow up on this recommendation during subsequent FFMIA audits.  

Recommendation 2:  The Chief Financial Officer should develop a comprehensive system for tracking the remediation actions included in the IRS’ FFMIA remediation plans to effectively ensure that the reason for removing a remediation action is properly documented and maintained.  This would provide the users of the FFMIA plan with a consolidated list of open and closed remediation actions as well as an explanation for any additions or deletions.  Additionally, the IRS should obtain written concurrence from the GAO and the Department of the Treasury that a recommendation is fully addressed prior to removing the associated remediation action(s) from its FFMIA remediation plan.

Management’s Response:  The IRS agreed with this recommendation, in part.  The IRS stated that it obtains written concurrence from the Department of the Treasury when it requests to close a material weakness or significant deficiency.  The IRS also stated that it will continue to work with the GAO to demonstrate how the actions it has taken address the material weaknesses and significant deficiencies.  The GAO addresses the status of its recommendations in its Annual Audited Financial Statement report and its annual Status of GAO Financial Audit and Related Financial Management recommendations.  The IRS disagreed with the part of the recommendation regarding the comprehensive tracking system.  The IRS stated that it currently has a comprehensive system in place and uses the JAMES to track all audit recommendations issued by the Department of the Treasury’s Office of Inspector General, the Treasury Inspector General for Tax Administration, and the GAO, including auditor reported material weaknesses and significant deficiencies in accordance with Treasury Directive 40-03 (Treasury Audit Resolution, Follow-up, and Closure).  In addition, the Financial Management Control Executive Steering Committee monitors all corrective action plans related to open material weaknesses and significant deficiencies and approves additions and deletions to these plans. 

Office of Audit Comment:  We understand that the IRS uses the JAMES as its primary tracking system for all audit report recommendations, including FFMIA recommendations and corrective actions.  However, during our review, the IRS had difficulty researching the recommendations in the JAMES.  As a result, we believe that solely relying on the JAMES does not provide the IRS with adequate assurance that it can effectively track the FFMIA recommendations and actions.  We discussed this further with IRS management and they stated that they have additional internal IRS tracking reports that they use to monitor FFMIA recommendations and actions.  However, this information was not provided to the audit team during our review.  As a result, we were not able to evaluate the effectiveness of these controls.  We will follow up on this recommendation during subsequent FFMIA audits. 

Resource Information Continues to Be Unsupported and Incomplete

We previously reported[13] that some resources listed in the IRS’ December 31, 2006, FFMIA remediation plan were not verifiable to supporting documentation and recommended that the IRS Associate Chief Financial Officer for Corporate Planning and Internal Control review resources listed in future plans for accuracy.  Although we reported[14] that the IRS took effective steps during Calendar Year 2007 to address this finding, we continue to find instances where the resource information for certain remediation actions is either unsupported or incomplete.  Therefore, we believe the IRS’ current procedures are not effective and additional procedures are needed to effectively ensure that all remediation actions have verifiable and complete resource estimates.

During our review of the IRS’ December 31, 2008, FFMIA remediation plan, the IRS was unable to provide supporting documentation for 4 Computer Security resource estimates totaling $41.3 million.  During our audit fieldwork, IRS management stated that the $41.3 million was based on outdated estimates and supporting documentation was not maintained.  The IRS also informed us that it will determine the appropriate resource estimates and include the estimates in its March 31, 2009, FFMIA remediation plan.

The IRS also did not include complete resource estimates for several other remediation actions included in its December 31, 2007, and December 31, 2008, FFMIA remediation plans.  For instance, during March 2008, we reported[15] that 13 Computer Security remediation actions reported in the IRS’ December 31, 2007, remediation plan included estimated resources for FY 2008 only, even though the scheduled completion date was not until FY 2009 or beyond.  In addition, the IRS’ December 31, 2008, remediation plan did not include complete resource estimates for three Computer Security remediation actions that had target dates that extended to FY 2013.  Specifically, we found 3 remediation actions that lacked complete resource estimates for 4 years—FY 2010 through FY 2013.  IRS management informed us that the responsibility for these remediation actions had been reassigned to another area within the Modernization and Information Technology Services organization and the resource estimates were not completed beyond FY 2009.  IRS management also informed us that the IRS plans to include the appropriate resource estimates in its June 30, 2009, FFMIA remediation plan.  In the future, it is important that the IRS ensure that each remediation action includes resource estimates for each year until the planned actions are completed.

Accurate and complete resource estimates are necessary for the IRS to effectively evaluate the commitments needed to fully implement all of the remediation actions presented in the FFMIA remediation plan.  Without the appropriate estimates, the completion dates for the remediation actions could be delayed as a result of insufficient resources being available when needed.  Further, until these remediation actions are completed, the weaknesses in the IRS’ financial management system related to Computer Security issues will continue to exist.

Recommendations

Recommendation 3:  The Chief Financial Officer should ensure that the incomplete and unsupported information identified during our review of the IRS’ December 31, 2008, FFMIA remediation plan is appropriately updated in future remediation plans.

Management’s Response:  The IRS agreed with this recommendation and will ensure that future remediation plans include the supporting documentation for the four identified Computer Security resource estimates.

Recommendation 4:  The Chief Financial Officer and the owners of the individual remediation actions should strengthen the policies and procedures for reviewing the IRS’ FFMIA remediation plans to effectively ensure that future plans include complete and verifiable financial resource estimates for each year until the planned actions are completed.

Management’s Response:  The IRS agreed with this recommendation and will ensure that future remediation plans include resource estimates for each year until the planned actions are completed for the identified remediation actions related to the December 31, 2007, and December 31, 2008, remediation plans.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to report to Congress, as required by the FFMIA,[16] any instances of and reasons for missed intermediate target dates established in the IRS’ FFMIA remediation plan as of December 31, 2008.  We also evaluated whether, in general, the IRS was meeting its responsibilities in fulfilling the intent of the FFMIA.  To accomplish our objective, we:

I. Gained an understanding of the requirements of the FFMIA, including Office of Management and Budget and Department of the Treasury guidance for compliance with the FFMIA.

A. Reviewed the FFMIA and all related Office of Management and Budget and Department of the Treasury guidance.

B. Summarized all relative procedural standards to be used during our audit tests.

II. Determined whether the IRS’ remediation plan was consistent with GAO recommendations from prior IRS financial audits and related financial management reports.

A. Obtained the following IRS financial statement-related reports issued by the GAO[17] since the last remediation plan audit.

1. Opinion Report.

2. Recommendation Report.

3. Management Letter.

B. Identified any financial management recommendations meeting FFMIA criteria from the GAO reports obtained in Step II.A.

C. Mapped the identified GAO recommendations to the current IRS remediation plan to identify any recommendations not included in the plan.

D. If instances were identified, inquired of IRS officials as to why the GAO recommendations were not included.

III. Determined whether 1) the IRS missed any intermediate target dates established in its remediation plan, 2) intermediate target dates were extended without sufficient documentation to support the revised dates, and 3) proper approval was obtained for remediation actions extending more than 3 years.

A. Verified that all remedial actions have intermediate target dates established.

B. Identified instances when the IRS has not met the intermediate target dates.

C. If instances of missed dates were identified, inquired of IRS officials as to the reason the IRS did not meet the intermediate target date.

D. Evaluated the impact the missed intermediate target date had on the IRS in meeting the established goal of the remedial action.

E. Compared the December 31, 2008, IRS FFMIA remediation plan to prior plans to identify intermediate target dates that have changed since the previous Treasury Inspector General for Tax Administration review, and obtained and analyzed documentation in support of any changes.

F. Identified any intermediate target dates extending more than 3 years since the recommendation was reported.

G. If instances of intermediate target dates extending longer than 3 years were identified, verified that approval was requested of the Office of Management and Budget.

IV. Determined whether 1) the IRS remediation plan had established resource needs for remediation actions and 2) the resources presented were consistent with supporting documentation.

A. Verified that resource requirements were identified for all remedial actions.

B. Obtained budget information.

C. Traced remediation plan resources to budget information.

D. If differences were identified, inquired of IRS officials as to the reason the resource needs did not match budget information.

E. Evaluated the impact, if any, of deferring additional releases of the IFS[18] on the IRS’ FFMIA remedial actions and whether the IRS has plans to reduce the impact.

V. Determined whether the IRS had taken adequate corrective actions on prior reported audit findings related to the FFMIA remediation plan.

A. Identified prior audit findings and corresponding management responses concerning corrective actions that should have been completed by the time of our audit.

B. Confirmed through discussions/observations that actions had been completed.

C. Performed tests, to the extent needed, to determine the effectiveness of the corrective actions.

 

Appendix II

 

Major Contributors to This Report

 

Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations)

Alicia P. Mrozowski, Director

Michelle Philpott, Audit Manager

Kenneth E. Henderson, Lead Auditor

William E. Thompson, Lead Auditor

Seth A. Siegel, Senior Auditor

 Rashme Sawhney

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Chief Financial Officer  OS:CFO

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons: 

Chief Financial Officer  OS:CFO

 

Appendix IV

 

Outcome Measure

 

This appendix presents detailed information on the measurable impact that our recommended corrective action will have on tax administration.  This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:

  • Reliability of Information – Actual; $41.3 million of the resource estimates reported in the IRS’ December 31, 2008, FFMIA[19] remediation plan could not be verified from the supporting documentation provided by the IRS (see page 9).

Methodology Used to Measure the Reported Benefit:

To determine whether the IRS reliably reported estimated resources in its December 31, 2008, FFMIA remediation plan, we compared the estimated resources to the supporting documentation and interviewed selected IRS personnel.  Our analysis determined that $41.3 million of the reported resources could not be verified from the supporting documentation provided by the IRS.

 

Appendix V

 

Financial Management Remediation Action Projects

 

The IRS initiated five financial management projects in response to the various material weaknesses identified by the GAO and the Treasury Inspector General for Tax Administration relating to the FFMIA.[20]  The IRS described the functionality of the projects contained in its remediation plan as follows.

Custodial Detail Data Base:  To more accurately report a single balance due for Trust Fund Recovery Penalty[21] assessments and determine areas for improvement, the IRS Chief Financial Officer developed a Trust Fund Recovery Penalty database.  This database is the first release of the Financial Management Information System enhancement to the Custodial Detail Data Base that will enable the IRS to address many of the outstanding financial management recommendations.  Full Custodial Detail Data Base functionality will be accomplished in four releases. 

  • Release I – Unpaid Assessments subledger.
  • Release II – Master File[22] transactions and Electronic Funds Transfer Payment System[23] preposted transactions.
  • Release III – All other preposted revenue receipt transactions and refund transactions.
  • Release IV – Frozen Credit subledger and Excise Tax Allocations.

The Redesign Revenue Accounting Control System:  The current Redesign Revenue Accounting Control System records financial transactions pertaining to taxpayer processing and is the IRS custodial accounting system of record.  Although the IRS has received 11 consecutive clean opinions on its financial reports, the GAO continues to cite several material weaknesses with custodial accounting pertaining to traceability and noncompliance with the United States Standard General Ledger, among other issues.  The IRS Submissions Processing function also requested that the Redesign Revenue Accounting Control System consolidate reporting due to campus[24] consolidation and to relieve the campus directors’ burden to certify monthly reports.  In addition, the Redesign Revenue Accounting Control System does not conform to the current IRS Enterprise Architecture.

Automated Trust Fund Recovery System:  This system provides the capability to systematically upload Trust Fund Recovery Penalty assessments from the Area Offices[25] and properly cross-references payments received for assessments made.  The Automated Trust Fund Recovery System replaced manual processes for assessing penalties and cross-referencing payments and is designed to ensure compliance with the GAO requirements and accounting standards. 

Integrated Financial System:  This system provides the IRS with an integrated accounting system to account for and control resources.  It includes a Core Financial System (General Ledger, Accounts Receivable, Accounts Payable, Funds and Cost Management, and Financial Reporting) as well as a Budget Formulation system and a 3-year rolling forecast. 

Computer Security:  This project addresses internal control deficiencies cited in various audits; initiates efforts to develop controls implemented at campuses, field offices, and post-of-duty offices to ensure uniformity and consistency; develops appropriate means through which the IRS can carry out periodic reviews of the effectiveness of policies and procedures, along with means to address security breaches; updates access control standards to reflect changes in technology and operating environments; provides computer security training to personnel; and conducts computer security self-assessment reviews that identify and alleviate vulnerabilities on a proactive basis.

 

Appendix VI

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.


[1] Pub. L. No. 104-208, 110 Stat. 3009.

[2] See Appendix V for a description of the projects mentioned in the report.

[3] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2006 (Reference Number 2007-10-077, dated May 21, 2007).

[4] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2007 (Reference Number 2008-10-096, dated March 28, 2008).

[5] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2007 (Reference Number 2008-10-096, dated March 28, 2008).

[6] Pub. L. No. 104-208, 110 Stat. 3009.

[7] See Appendix V for a description of the projects mentioned in the report.

[8] FINANCIAL AUDIT:  IRS’s Fiscal Years 2008 and 2007 Financial Statements (GAO-09-119, dated November 2008).

 

[9] The Integrated Financial System (IFS) was acquired by the IRS to provide timely, detailed financial, cost accounting, property accounting, and procurement data to authorized users.

[10] FINANCIAL AUDIT:  IRS’s Fiscal Years 2008 and 2007 Financial Statements (GAO-09-119, dated November 2008).

[11] Internal Revenue Service:  Recommendations to Improve Financial and Operational Management (GAO-01-42, dated November 17, 2000).  This recommendation is reported as “open” in the GAO report, Internal Revenue Service:  Status of GAO Financial Audit and Related Financial Management Report Recommendations (GAO-08-693, dated July 2008).

[12] The JAMES supports the customers in their management of audit findings and recommendations.  It is used to monitor the progress and implementation of planned corrective actions to correct audit findings and material weaknesses.  The JAMES is a Department-wide system accessible to the customers, Departmental management, the Department of the Treasury Office of Inspector General, and the Treasury Inspector General for Tax Administration.  It contains tracking information on all actions required to address audit findings and recommendations.

[13] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2006 (Reference Number 2007-10-077, dated May 21, 2007).

[14] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2007 (Reference Number 2008-10-096, dated March 28, 2008).

[15] The Internal Revenue Service’s Federal Financial Management Act Remediation Plan As of December 31, 2007 (Reference Number 2008-10-096, dated March 28, 2008).

[16] Pub. L. No. 104-208, 110 Stat. 3009.

[17] FINANCIAL AUDIT:  IRS’s Fiscal Years 2008 and 2007 Financial Statements (GAO-09-119, dated November 2008) and INTERNAL REVENUE SERVICE:  Status of GAO Financial Audit and Related Financial Management Report Recommendations (GAO-08-693, dated July 2008).

[18] The IFS was acquired by the IRS to provide timely, detailed financial, cost accounting, property accounting, and procurement data to authorized users.

[19] Pub. L. No. 104-208, 110 Stat. 3009.

[20] Pub. L. No. 104-208, 110 Stat. 3009.

[21] When a company does not pay the taxes it withholds from employee wages, such as Social Security or individual income tax, the IRS has the authority to assess all responsible corporate officers individually for the taxes withheld via the Trust Fund Recovery Penalty.

[22] The IRS database that stores various types of taxpayer account information.  This database includes individual, business, and employee plans and exempt organizations data.

[23] The IRS system that allows taxpayers to make their Federal tax payments electronically.

[24] The data processing arm of the IRS.  The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

[25] A geographic organizational level used by IRS business units and offices to help their specific types of taxpayers understand and comply with tax laws and issues.