TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

 

Measurable Progress Has Been Made in Addressing Federal Financial Management Improvement Act Noncompliance; However, Significant Challenges Remain

 

 

 

June 4, 2010

 

Reference Number:  2010-10-065

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number   |  202-622-6500

Email Address   |  inquiries@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

HIGHLIGHTS

MEASURABLE PROGRESS HAS BEEN MADE IN ADDRESSING FEDERAL FINANCIAL MANAGEMENT IMPROVEMENT ACT NONCOMPLIANCE; HOWEVER, SIGNIFICANT CHALLENGES REMAIN

Highlights

Final Report issued on June 4, 2010

Highlights of Reference Number:  2010-10-065 to the Internal Revenue Service Chief Financial Officer and Chief Technology Officer.

IMPACT ON TAXPAYERS

The Federal Financial Management Improvement Act (FFMIA) remediation plan is a critical part of the Internal Revenue Service’s (IRS) efforts to bring its financial management systems into compliance with the FFMIA and to provide reliable and timely financial data.  Overall, the IRS still faces significant challenges in its efforts to comply with the FFMIA.  In addition, our analysis of the IRS’ September 30, 2009, FFMIA remediation plan found that the IRS continues to experience difficulties in developing resource estimates for remediation actions.  For example, 5 resource estimates totaling $84.3 million were not supported by detailed and verifiable documentation.  Complete and reliable financial information is critical to the IRS’ ability to accurately report on the results of its operations to both internal and external stakeholders, including taxpayers.

WHY TIGTA DID THE AUDIT

The overall objective of this review was to report to Congress, as required by the FFMIA, any instances of and reasons for missed intermediate target dates established in the IRS’ FFMIA remediation plan for the period January 1, 2009, through September 30, 2009.  In addition, TIGTA evaluated the effectiveness of the remedial actions taken by the IRS during the period January 1, 2005, through September 30, 2009, in resolving the noncompliance reported in the FFMIA remediation plans and assessed the challenges associated with achieving substantial compliance.

WHAT TIGTA FOUND

The IRS has made measurable progress in addressing the issues causing its noncompliance with the FFMIA.  However, its financial management systems still do not comply with FFMIA requirements.  The IRS informed us that it does not believe it will become compliant with the FFMIA until approximately November 2014, pending successful implementation of its strategy to modernize the processes used to account for the records of individual taxpayers.

Our review also identified that the IRS continues to experience difficulties in developing resource estimates for remediation actions related to information security.  TIGTA reported in two prior audits that some resource estimates were unsupported and based on outdated information.  TIGTA continued to find similar issues in this review.

Finally, the IRS reported 30 open remedial actions in its September 30, 2009, FFMIA remediation plan.  Our review of the 30 open remediation actions indicated that the IRS did not miss any intermediate target dates.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Financial Officer, in coordination with the Chief Technology Officer, ensure that incomplete and unsupported information identified during our review be updated.  In addition, the Chief Financial Officer should develop standard documentation guidelines for resource estimates reported in the IRS remediation plan.

The IRS agreed with both recommendations.  Specifically, the IRS stated that its March 31, 2010, FFMIA remediation plan has been reconciled and annotated with the authoritative supporting documentation.  The IRS also plans to develop standardized guidance that requires more specific documentation standards for remediation plan estimates.

 

June 4, 2010

 

 

MEMORANDUM FOR CHIEF FINANCIAL OFFICER

                                         CHIEF TECHNOLOGY OFFICER

 

FROM:                            Michael R. Phillips /s/ Michael R. Phillips

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – Measurable Progress Has Been Made in Addressing Federal Financial Management Improvement Act Noncompliance; However, Significant Challenges Remain (Audit # 200910027)

 

This report presents the results of our review of the Federal Financial Management Improvement Act of 1996 (FFMIA).[1]  The overall objective of this review was to report to Congress, as required by the FFMIA, any instances of and reasons for missed intermediate target dates established in the Internal Revenue Service’s (IRS) FFMIA remediation plan for the period January 1, 2009, through September 30, 2009.  In addition, we evaluated the effectiveness of the remedial actions taken by the IRS during the period January 1, 2005, through September 30, 2009, in resolving the noncompliance reported in the FFMIA remediation plans and assessed the challenges associated with achieving substantial compliance.  This review was included in our Fiscal Year 2009 Annual Audit Plan and addresses the major management challenge of Leveraging Data to Improve Program Effectiveness and Reduce Costs. 

Management’s complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations), at (202) 622-8500.

 

 

Table of Contents

 

Background

Results of Review

Intermediate Target Dates Were Extended for Some Actions

The Internal Revenue Service Has Experienced Difficulties in Developing Remediation Actions Related to Information Security

Recommendations 1 and 2:

Appendices

Appendix I – Detailed Objectives, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Outcome Measure

Appendix V – Schedule of the Internal Revenue Service’s Remediation Actions From 2005 Through 2009

Appendix VI – Management’s Response to the Draft Report

 

 

Abbreviations

 

CADE 2

Customer Account Data Engine 2

CFO

Chief Financial Officer

FFMIA

Federal Financial Management Improvement Act of 1996

IRS

Internal Revenue Service

 

 

Background

 

As of November 2009, the Government Accountability Office continued to report that the IRS’ financial management systems do not comply with FFMIA requirements.

The Federal Financial Management Improvement Act of 1996 (FFMIA)[2] was established to advance Federal financial management by ensuring that Federal financial management systems provide accurate, reliable, and timely financial management information to the Government’s managers.  Further, this disclosure should be done on a basis that is uniform across the Federal Government from year to year by consistently using professionally accepted accounting standards.  Specifically, FFMIA Section 803 (a) requires each agency to implement and maintain systems that comply substantially with:

  • Federal Government financial management systems requirements. 
  • Applicable Federal Government accounting standards.
  • The United States Government Standard General Ledger at the transaction level.

If the agency’s financial systems do not comply, the agency is required to develop a remediation plan that describes the resources, remedies, and intermediate target dates for achieving compliance and to file the plan with the Office of Management and Budget.  In addition, FFMIA Section 804 (b) requires that agency Inspectors General report to Congress instances when and reasons why an agency has not met the intermediate target dates established in its remediation plan.  Because the Government Accountability Office has reported noncompliance with the requirements of the FFMIA in its audits of the Internal Revenue Service’s (IRS) annual financial statements, the IRS has been required to prepare and maintain a remediation plan.

As of November 2009, the Government Accountability Office continued to report[3] that the IRS’ financial management systems do not comply with FFMIA requirements.  Specifically, the IRS does not post tax-related transactions in conformance with Federal Government requirements and its records lack adequate traceability for taxes receivable.[4]  In addition, the IRS has material weaknesses in its internal controls over both information security and unpaid assessments.  The information security material weakness compromises the accuracy and availability of the IRS’ financial information and places sensitive information regarding IRS operations and taxpayers at risk.  The unpaid assessments material weakness impacts the IRS’ ability to effectively manage these assessments.  For example, the Government Accountability Office reported in November 2009 that the IRS lacks a subsidiary ledger for unpaid assessments that would allow it to produce reliable and timely financial management information. 

Chief Financial Officer (CFO) management stated that the IRS implemented a new accounting system in January 2010, the Redesign Revenue and Accounting Control System, which will allow it to post transactions in compliance with Federal Government requirements, support traceability for revenue transactions, and further assist it in becoming compliant with the FFMIA.

This review was performed at the IRS National Headquarters in Washington, D.C., in the office of the CFO during the period August 2009 through January 2010.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.  Detailed information on our audit objectives, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

Results of Review

 

The IRS has made measurable progress in addressing the issues causing its noncompliance with the FFMIA.  For example, the Government Accountability Office reported in November 2009 that the IRS substantially completed developing the capability to trace its revenue and refund transactions from its general ledger to supporting detailed transaction information.  This improvement enhances the reliability of the information the IRS reports regarding these types of transactions.  In addition, the IRS has completed a total of 128 remedial actions since January 1, 2005, and had 30 open remedial actions remaining in its September 30, 2009, FFMIA remediation plan. 

However, the IRS’ financial management systems still do not comply with FFMIA requirements.  The IRS informed us that it does not believe it will become compliant with the FFMIA and address the material weakness relating to unpaid assessments until approximately November 2014, pending successful implementation of the Customer Account Data Engine 2 (CADE 2) strategy.[5]  The CADE 2 strategy, as designed, will allow the IRS to modernize the processes it uses to account for the records of individual taxpayers and create a single overall system of record.  In addition, the time to process and update individual taxpayer account data would be shortened from a weekly to a daily basis, which will improve the timeliness and accuracy of this information.

The IRS informed us that it plans to add additional remediation actions to the FFMIA plan related to the CADE 2 strategy when the timetable for implementation of the CADE 2 strategy is finalized.  Until the IRS updates its FFMIA remediation plan with actions related to the CADE 2 strategy, we will be unable to fully assess its overall progress in resolving its noncompliance. 

Our review also identified that the IRS continues to experience difficulties in developing resource estimates for remediation actions related to information security.  We reported in two prior audits[6] that some resource estimates related to information security were unsupported and based on outdated information.  We continued to find similar issues in our current review of the IRS’ September 30, 2009, FFMIA remediation plan.  Complete and accurate information related to the IRS’ remediation actions is critical to ensuring the IRS will achieve full compliance with the FFMIA.

Intermediate Target Dates Were Extended for Some Actions

During the period January 1, 2009, through September 30, 2009, the IRS reported that it:

  • Added 2 remedial actions to the 41 open custodial remedial actions in its December 31, 2008, remediation plan. 
  • Completed 13 remedial actions, leaving 30 open remedial actions in its September 30, 2009, remediation plan. 

Each of the 30 remedial actions had an intermediate target date that extended more than 3 years from the initial determination that IRS financial management systems were not in substantial compliance with the FFMIA.  As required, the IRS obtained concurrence from the Office of Management and Budget to extend its corrective actions beyond the 3-year limitation.

Our review of the 30 open remediation actions indicated that the IRS did not miss any intermediate target dates.  However, the IRS did extend intermediate target dates related to two of the open actions.  These intermediate target date extensions varied from 3 to 11 months.  Although the IRS has reasonable explanations for the extended intermediate target dates, missing an intermediate target date results in the IRS extending the intermediate target dates of related remedial actions.  Consequently, the extension of the intermediate target dates of these two remedial actions, while necessary, does put the IRS further behind on resolving its noncompliance.

In addition, we previously reported[7] that the IRS was unable to promptly identify when it had removed open findings and recommendations or ensure all findings and recommendations were accounted for in its remediation plan.  We recommended that the IRS strengthen procedures for reviewing plans for completeness and develop a comprehensive system for tracking the status of findings and recommendations. 

Although the IRS declined to fully implement our recommendations and did not develop a comprehensive system for tracking findings and recommendations, we found that it has improved the documentation it maintains regarding the status of findings and recommendations.  In addition, we did not identify any exceptions of findings and recommendations not being addressed in the IRS’ September 30, 2009, remediation plan.  Although this enhanced documentation represents a significant positive step, we continue to believe that implementing a centralized tracking system would further enhance the transparency of the FFMIA process and allow the IRS to more quickly provide information to stakeholders regarding the status of any FFMIA-related findings and recommendations.  Because the IRS has improved its recordkeeping for the FFMIA remediation plan, we are not making an additional recommendation on this issue. 

The Internal Revenue Service Has Experienced Difficulties in Developing Remediation Actions Related to Information Security

Between January 1, 2005, through September 30, 2009, the IRS has had difficulty in both developing the comprehensive remedial actions required to resolve noncompliance related to information security and reliably estimating the resources and time necessary to implement these remedial actions.  Complete and reliable financial information is critical to the IRS’ ability to accurately report on the results of its operations to both internal and external stakeholders, including taxpayers.  In June 2009, we reported the IRS re-evaluated and substantially revised its FFMIA remediation plan and canceled 25 actions related to computer security and replaced them with 39 new expanded actions.[8]  The IRS developed these expanded actions to better identify the comprehensive steps it needs to take to resolve this issue.  Although this resulted in a significant extension of the completion date of some of the actions, it resulted in improved accountability and improved the usefulness of the plan to stakeholders.  Our review of the September 30, 2009, FFMIA remediation plan did not identify any canceled items relating to information security. 

Additional attention is also needed when developing resource estimates for remediation actions related to information security.  As reported in our two prior audits, some resource estimates related to information security were unsupported and based on outdated information.  In our review of the IRS’ September 30, 2009, FFMIA remediation plan, we continued to find similar issues.  Specifically: 

§         Five resource estimates totaling $84.3 million were not supported by detailed and verifiable documentation such as a description of how and when the estimate was developed or a general breakdown of the services, hardware, and software being acquired.  These five resource estimates related to remediation actions with scheduled completion dates ranging from Fiscal Years 2010 through 2014.  The IRS was unable to provide documentation supporting these estimates and informed us they were significantly outdated.  During our audit fieldwork, the IRS re-evaluated the estimates associated with these actions and informed us that 1) the costs associated with these 5 resource estimates should actually be $98.3 million, and 2) they plan to update the March 2010 remediation plan with this updated information. 

§         Three actions with completion dates ranging from Fiscal Years 2010 to 2012 had resource estimates listed that were $4.3 million more than the support provided by the IRS.

In addition, the September 30, 2009, FFMIA remediation plan contained a preliminary resource estimate of $69 million for an infrastructure initiative related to contingency planning and disaster recovery.  Although the estimate included costs related to 23 separate sub-tasks, it did not provide a description of how and when the estimates for the sub-tasks were developed, include timelines, or prioritize the completion of the sub-tasks identified.  IRS management informed us that these estimates represented very preliminary calculations and advised us that they plan to update the June 2010 remediation plan with more detailed information, including costs and intermediate target dates in support of the completion of this initiative.  Until the IRS updates its FFMIA remediation plan with more information regarding this initiative, we will be unable to fully assess its overall progress in resolving its noncompliance. 

Although the amount of documentation maintained by the IRS regarding resource estimates has improved based on a prior Treasury Inspector General for Tax Administration recommendation, we believe enhancements are still needed.  Specifically, although the IRS now consistently requires documentation from the Chief Technology Officer supporting information security resource estimates, it has not developed specific minimum standards outlining the type of supporting information needed.  For example, the supporting documentation we reviewed did not consistently include a breakdown and explanation of costs such as hardware, software, and contractor support that are included in the estimate, a general description of how the estimate was developed, or the date of preparation/last update.

Without appropriate estimates, the remediation actions could be delayed as a result of insufficient resources being available when needed.  Outdated and/or inaccurate cost information also affects IRS management’s ability to timely and reliably estimate accurate completion dates for remediation actions.  Until the IRS develops and completes the necessary remediation actions to address all of the Government Accountability Office’s open findings and recommendations, the IRS will continue to be noncompliant with the FFMIA. 

Recommendations

Recommendation 1:  The CFO, in coordination with the Chief Technology Officer, should ensure that incomplete and unsupported information identified during our review of the IRS’ September 30, 2009, FFMIA remediation plan is appropriately updated in future remediation plans. 

Management’s Response:  The IRS agreed with this recommendation and stated that its March 31, 2010, FFMIA remediation plan has been reconciled and annotated with the authoritative supporting documentation.  

Recommendation 2:  The CFO should develop standard documentation guidelines for estimates reported in the IRS remediation plan.  Specifically, the supporting documentation should include the following minimum information: 1) a breakdown and explanation of costs such as hardware, software, and contractor support that are included in the estimate; 2) a general description of how the estimate was developed; and 3) the date of preparation and last update.

Management’s Response:  The IRS agreed with this recommendation and plans to develop standardized guidance that requires more specific documentation standards for remediation plan estimates, including a breakdown and explanation of estimated costs for hardware, software, and contractor support costs, as well as required dates indicating when the last estimates were calculated.  

 

Appendix I

 

Detailed Objectives, Scope, and Methodology

 

The overall objective of this review was to report to Congress, as required by the FFMIA,[9] any instances of and reasons for missed intermediate target dates established in the IRS’ FFMIA remediation plan for the period January 1, 2009, through September 30, 2009.[10]  In addition, we evaluated the effectiveness of the remedial actions taken by the IRS during the period January 1, 2005, through September 30, 2009, in resolving the noncompliance reported in the FFMIA remediation plans and assessed the challenges associated with achieving substantial compliance.  To accomplish our objectives, we:

I.          Gained an understanding of the requirements of the FFMIA, including Office of Management and Budget and Department of the Treasury guidance for compliance with the Act.

II.                 Determined whether the IRS’ remediation plan was consistent with Government Accountability Office recommendations from prior IRS financial audits and related financial management reports.

III.               Determined whether 1) the IRS missed any intermediate target dates established in its remediation plan, 2) intermediate target dates were extended without sufficient documentation to support the revised dates, and 3) proper approval was obtained for remedial actions extending more than 3 years.

A.     Verified that all remedial actions had intermediate target dates established.

B.     Identified instances when the IRS did not meet the intermediate target dates.

C.     If instances of missed dates were identified, inquired of IRS officials the reason the IRS did not meet the intermediate target date.

D.     Identified any intermediate target dates extending more than 3 years since the recommendation was reported. 

E.      If instances of intermediate target dates extending longer than 3 years were identified, verified that the approval was requested and granted from the Office of Management Budget.

IV.              Determined whether 1) the IRS remediation plan had established resource needs for remedial actions, and 2) the resources presented were consistent with supporting documentation.

A.     Verified that resource requirements were identified for all remedial actions.

B.     Obtained budget information.

C.     Traced remediation plan resources to budget information.

D.     Interviewed the functional financial plan managers associated with all significant cost estimates.

V.                 Determined whether the IRS had taken adequate corrective actions on prior reported audit findings related to the FFMIA remediation plan.

A.     Identified prior open Treasury Inspector General for Tax Administration audit findings and corresponding management responses concerning corrective actions that should have been completed by the time of our audit.

B.     Confirmed through discussions/observations that actions had been completed.

C.     Evaluated the actions taken by the IRS to improve its tracking of open FFMIA material weaknesses (in evaluating the IRS’ 2008 FFMIA Remediation Plan, the Treasury Inspector General for Tax Administration identified that the IRS was unable to reliably determine the current status of all open issues causing its noncompliance with the FFMIA).

VI.              Determined whether the IRS’ remedial actions from January 1, 2005, through September 30, 2009, resulted in measurable progress resolving FFMIA noncompliance and assessed the challenges associated with achieving substantial compliance.

A.     Identified the number of FFMIA material weaknesses that were closed and new FFMIA material weaknesses that were added during the period under review.

B.     Determined the number of open, added, extended, canceled, and completed remedial actions for the period January 1, 2005, through September 30, 2009, in order to evaluate the progress of the remedial actions in resolving FFMIA noncompliance. 

C.     Interviewed key IRS business unit stakeholders regarding the status of applicable in-process remediation actions and the risks associated with the outstanding material weaknesses.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives.  Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations.  They include the systems for measuring, reporting, and monitoring program performance.  We determined the following internal controls were relevant to our audit objective:  the IRS’ policies, procedures, and practices for tracking remediation actions implemented due to identified material weaknesses.  We evaluated these controls by interviewing management and reviewing applicable documentation.

 

Appendix II

 

Major Contributors to This Report

 

Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations)

Jeffrey M. Jones, Director

Anthony J. Choma, Audit Manager

Michele N. Strong, Lead Auditor

Mark A. Judson, Senior Auditor

Dana Karaffa, Evaluator

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Chief Information Officer  OS:CTO:CIO

Deputy Chief Information Officer for Operations  OS:CTO

Associate Chief Financial Officer for Corporate Planning and Internal Control 

OS:CFO:CPIC

Associate Chief Information Officer, Cybersecurity  OS:CTO:C

Associate Chief Information Officer, End-User Equipment and Services 

OS:CTO:EU

Associate Chief Information Officer, Enterprise Networks  OS:CTO:EN

Acting Associate Chief Information Officer, Enterprise Operations  OS:CTO:EO

Director, Stakeholder Management Division  OS:CTO:SP:S

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons:

Chief Financial Officer  OS:CFO         

Chief Technology Officer  OS:CTO     

 

Appendix IV

 

Outcome Measure

 

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration.  This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:

·        Reliability of Information – Actual; $18.3 million.  This measure represents the difference between the resource estimates reported in the IRS’ September 30, 2009, FFMIA remediation plan and the supporting documentation provided by the IRS (see page 5).

Methodology Used to Measure the Reported Benefit:

To determine whether the IRS reliably reported estimated resources in its September 30, 2009, FFMIA remediation plan, we compared the estimated resources to the supporting documentation and interviewed selected IRS personnel.  We found that 5 resource estimates totaling $84.3 million were not supported by detailed and verifiable documentation such as a description of how and when the estimate was developed or a general breakdown of the services, hardware, and software being acquired.  The IRS informed us these estimates were significantly outdated.  During our audit fieldwork, the IRS re-evaluated the estimates associated with these actions and determined the costs associated with these 5 resource estimates should actually be $98.3 million.  The IRS was also able to provide detailed and verifiable documentation in support of this estimate.  In order to calculate this outcome measure, we determined that the difference between the estimate in the September 30, 2009, FFMIA remediation plan and the updated estimate was $14.0 million ($98.3 million – $84.3 million = $14.0 million).  We also identified that 3 actions with completion dates ranging from Fiscal Years 2010 to 2012 had estimates listed that were $4.3 million more than the support provided by the IRS. 

The total measure reported was calculated by adding these 2 differences together ($14.0 million + $4.3 million = $18.3 million).

 

Appendix V

 

Schedule of the Internal Revenue Service’s Remediation Actions From 2005 Through 2009

 

Table 1:  Status of Remedial Actions From January 1, 2005,
Through September 30, 2009

Remediation Plan Period

Open Remedial Actions at Beginning of Plan Period

New Remedial Actions Added

Canceled Remedial Actions

Completed Remedial Actions

Open Remedial Actions at End of Plan Period

January 1, 2005 – December 31, 2005

12

67

1

40

38

January 1, 2006 –December 31, 2006

38

61

11

37

51

January 1, 2007 – December 31, 2007

51

6

2

20

35

January 1, 2008 – December 31, 2008

35

50

26

18

41

January 1, 2009 – September 30, 2009

41

2

0

13

30

Source:  IRS remediation plans issued from December31, 2005, through September 30, 2009.

 

Appendix VI

 

Management’s Response to the Draft Report

 

DEPART'MENT OF THE TREASURY

INTERNAL REVENUE SERVICE

WASHINGTON, D.C. 20224

 

May 11, 2010

 

CHIEF FINANCIAL OFFICER

 

 

MEMORANDUM FOR MICHAEL R. PHILLIPS

    DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM:                            Alison L. Doone /s/ Alison L. Doone

    Chief Financial Officer

 

SUBJECT:                        Draft Audit Report - Measurable Progress Has Been Made in Addressing Federal Financial Management Improvement Act Noncompliance; However, Significant Challenges Remain (Audit # 200910027)

 

We reviewed the draft report and agree with your recommendations to address documentation improvements and standard documentation guidelines for remediation plan estimates.

Attached are our detailed comments to your recommendations. If you have any questions, please contact Peter Rose, Acting Associate Chief Financial Officer, Corporate Planning and Internal Control, at (202) 622-4508.

Attachment

 

Attachment

RECOMMENDATION 1

The CFO, in coordination with the Chief Technology Officer (CTO), should ensure that incomplete and unsupported information identified during the TIGTA's review of the IRS' September 30, 2009, FFMIA remediation plan is appropriately updated in future remediation plans.

CORRECTIVE ACTION

The IRS agrees with the recommendation. The March 31, 2010 FFMIA remediation plan contains information that has been reconciled and annotated with the authoritative supporting documentation. The CTO will comply with the CFO standard documentation guidelines.

IMPLEMENTATION DATE

September 30, 2010

RESPONSIBLE OFFICIAL

Chief Financial Officer

CORRECTIVE ACTION MONITORING PLAN

N/A

RECOMMENDATION 2

The CFO should develop standard documentation guidelines for estimates reported in the IRS remediation plan. Specifically, the supporting documentation should include the following minimum information: 1) a breakdown and explanation of costs such as hardware, software, and contractor support that are included in the estimate; 2) a general description of how the estimate was developed; and 3) the date of preparation and last update.

CORRECTIVE ACTION

The IRS agrees with the recommendation. The CFO currently provides guidance to the IRS remediation plan owners through a data call that addresses FFMIA Remediation Plan Review and Reporting Requirements. Future plans include developing of standardized guidance that requires more specific documentation standards for the remediation plan estimates including a breakdown and explanation of estimated costs for hardware, software, and contractor support costs, as well as required dates indicating when the last estimates were calculated.

IMPLEMENTATION DATE

September 30, 2010

RESPONSIBLE OFFICIAL

Chief Financial Officer

CORRECTIVE ACTION MONITORING PLAN

N/A



[1] Pub. L. No. 104-208, 110 Stat. 3009.

[2] Pub. L. No. 104-208, 110 Stat. 3009.

[3] Financial Audit:  IRS’s Fiscal Years 2009 and 2008 Financial Statements (GAO-10-176, dated November 2009).

[4] Federal taxes receivable consist of tax assessments, penalties, and interest not paid or abated which were agreed to by the taxpayer and the IRS or upheld by the courts.  

[5] In January 2010, we initiated an audit focusing on the CADE 2 strategy entitled, Review of the CADE 2 Prototype Activities (Audit Number 201020004).

[6] The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2006 (Reference Number 2007-10-077, dated May 21, 2007) and The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2008 (Reference Number 2009-10-094, dated July 30, 2009).

[7]  The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2008 (Reference Number 2009-10-094, dated July 30, 2009).

[8] In order to provide the IRS with more detailed information regarding the status of its actions relating to computer and information security weaknesses, we initiated an audit in November 2009 to assess the IRS’ progress in resolving the vulnerabilities regarding security roles and responsibilities.  This review is entitled Review of the Roles and Responsibilities of Selected Computer Security Material Weaknesses (Audit Number 200920016).

[9] Pub. L. No. 104-208, 110 Stat. 3009.

[10] Our previous three FFMIA reports to Congress were annual reviews of the IRS’ actions as of December 31st (2008, 2007, and 2006).  This report has changed the period of review to the end of the fiscal year (September 30, 2009).