Measurable Progress Has Been Made in Addressing Federal Financial Management Improvement Act Noncompliance; However, Significant Challenges Remain
June 4, 2010
Reference Number: 2010-10-065
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site |
http://www.tigta.gov
HIGHLIGHTS
MEASURABLE
PROGRESS HAS BEEN MADE IN ADDRESSING FEDERAL FINANCIAL MANAGEMENT IMPROVEMENT ACT
NONCOMPLIANCE; HOWEVER, SIGNIFICANT CHALLENGES REMAIN
Highlights
Final
Report issued on June 4, 2010
Highlights of Reference
Number: 2010-10-065 to the Internal
Revenue Service Chief Financial Officer and Chief Technology Officer.
IMPACT ON TAXPAYERS
The Federal
Financial Management Improvement Act (FFMIA) remediation plan is a critical
part of the Internal Revenue Service’s (IRS) efforts to bring its financial
management systems into compliance with the FFMIA and to provide reliable and
timely financial data. Overall, the IRS
still faces significant challenges in its efforts to comply with the FFMIA. In addition, our analysis of the IRS’
September 30, 2009, FFMIA remediation plan found that the IRS continues to
experience difficulties in developing resource estimates for remediation actions. For example, 5 resource estimates totaling
$84.3 million were not supported by detailed and verifiable documentation. Complete and reliable financial information
is critical to the IRS’ ability to accurately report on the results of its
operations to both internal and external stakeholders, including taxpayers.
WHY TIGTA DID THE AUDIT
The overall objective of this review was to report to
Congress, as required by the FFMIA, any instances of and reasons for missed
intermediate target dates established in the IRS’ FFMIA remediation plan for
the period January 1, 2009, through September 30, 2009. In addition, TIGTA evaluated the effectiveness
of the remedial actions taken by the IRS during the period January 1, 2005,
through September 30, 2009, in resolving the noncompliance reported in the
FFMIA remediation plans and assessed the challenges associated with achieving
substantial compliance.
WHAT
TIGTA FOUND
The IRS has
made measurable progress in addressing the issues causing its noncompliance
with the FFMIA. However, its financial
management systems still do not comply with FFMIA requirements. The IRS informed us that it does not believe
it will become compliant with the FFMIA until approximately November 2014, pending
successful implementation of its strategy to modernize the processes used to
account for the records of individual taxpayers.
Our review also identified that the
IRS continues to experience difficulties in developing resource estimates for
remediation actions related to information security. TIGTA reported in two prior audits that some
resource estimates were unsupported and based on outdated information. TIGTA continued to find similar issues in this
review.
Finally,
the IRS reported 30 open remedial actions in its September 30, 2009, FFMIA remediation
plan. Our review of the 30 open
remediation actions indicated that the IRS did not miss any intermediate target
dates.
WHAT TIGTA RECOMMENDED
TIGTA
recommended that the Chief Financial Officer, in coordination with the Chief
Technology Officer, ensure that incomplete and unsupported information
identified during our review be updated. In addition, the Chief Financial Officer
should develop standard documentation guidelines for resource estimates reported
in the IRS remediation plan.
The IRS
agreed with both recommendations.
Specifically, the IRS stated that its March 31, 2010, FFMIA remediation
plan has been reconciled and annotated with the authoritative supporting
documentation. The IRS also plans to
develop standardized guidance that requires more specific documentation
standards for remediation plan estimates.
June 4, 2010
MEMORANDUM FOR CHIEF FINANCIAL OFFICER
CHIEF TECHNOLOGY OFFICER
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Measurable Progress Has Been Made in Addressing Federal Financial Management Improvement Act Noncompliance; However, Significant Challenges Remain (Audit # 200910027)
This report presents the results of our review of the
Federal Financial Management Improvement Act of 1996 (FFMIA).[1] The overall objective of this review was to report
to Congress, as required by the FFMIA, any instances of and reasons for missed
intermediate target dates established in the Internal Revenue Service’s (IRS)
FFMIA remediation plan for the period January 1, 2009,
through September 30, 2009. In
addition, we evaluated the effectiveness of the remedial actions taken by the
IRS during the period January 1, 2005, through September 30, 2009, in resolving
the noncompliance reported in the FFMIA remediation plans and assessed the
challenges associated with achieving substantial compliance. This review was included in our Fiscal Year
2009 Annual Audit Plan and addresses the major management challenge of Leveraging
Data to Improve Program Effectiveness and Reduce Costs.
Management’s complete response to the draft report is included as Appendix VI.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations), at (202) 622-8500.
Intermediate Target Dates Were Extended for Some Actions
Appendices
Appendix
I – Detailed Objectives, Scope, and Methodology
Appendix
II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix V
– Schedule of the Internal Revenue Service’s Remediation Actions From 2005
Through 2009
Appendix
VI – Management’s Response to the Draft Report
Abbreviations
|
CADE 2 |
Customer Account Data Engine 2 |
|
CFO |
Chief Financial Officer |
|
FFMIA |
Federal Financial Management Improvement Act
of 1996 |
|
IRS |
Internal Revenue Service |
As of
November 2009, the Government Accountability Office continued to report that
the IRS’ financial management systems do not comply with FFMIA requirements.
The Federal Financial Management Improvement Act
of 1996 (FFMIA)[2] was established to advance Federal financial
management by ensuring that Federal financial management systems provide
accurate, reliable, and timely financial management information to the Government’s
managers. Further, this disclosure
should be done on a basis that is uniform across the Federal Government from
year to year by consistently using professionally accepted accounting standards. Specifically, FFMIA Section 803 (a) requires
each agency to implement and maintain systems that comply substantially with:
If the agency’s financial systems do not comply,
the agency is required to develop a remediation plan that describes the
resources, remedies, and intermediate target dates for achieving compliance and
to file the plan with the Office of Management and Budget. In addition, FFMIA Section 804 (b)
requires that agency Inspectors General report to Congress instances when and
reasons why an agency has not met the intermediate target dates established in
its remediation plan. Because the
Government Accountability Office has reported noncompliance with the
requirements of the FFMIA in its audits of the Internal Revenue Service’s (IRS)
annual financial statements, the IRS has been required to prepare and maintain
a remediation plan.
As of November 2009, the Government
Accountability Office continued to report[3] that the IRS’ financial management systems do
not comply with FFMIA requirements.
Specifically, the IRS does not post tax-related transactions in
conformance with Federal Government requirements and its records lack adequate
traceability for taxes receivable.[4] In
addition, the IRS has material weaknesses in its internal controls over both
information security and unpaid assessments.
The information security material weakness compromises the accuracy and
availability of the IRS’ financial information and places sensitive information
regarding IRS operations and taxpayers at risk.
The unpaid assessments material weakness impacts the IRS’ ability to
effectively manage these assessments.
For example, the Government Accountability Office reported in November
2009 that the IRS lacks a subsidiary ledger for unpaid assessments that would
allow it to produce reliable and timely financial management information.
Chief Financial Officer (CFO) management stated that the IRS implemented a new accounting system in January 2010, the Redesign Revenue and Accounting Control System, which will allow it to post transactions in compliance with Federal Government requirements, support traceability for revenue transactions, and further assist it in becoming compliant with the FFMIA.
This review was
performed at the IRS National Headquarters in
The IRS has made measurable progress
in addressing the issues causing its noncompliance with the FFMIA. For example, the Government Accountability
Office reported in November 2009 that the IRS substantially completed developing
the capability to trace its revenue and refund transactions from its general
ledger to supporting detailed transaction information. This improvement enhances the reliability of
the information the IRS reports regarding these types of transactions. In addition, the IRS has completed a total of
128 remedial actions since January 1, 2005, and had 30 open remedial actions
remaining in its September 30, 2009, FFMIA remediation plan.
However, the IRS’
financial management systems still do not comply with FFMIA requirements. The IRS informed us that it does not
believe it will become compliant with the FFMIA and address the material
weakness relating to unpaid assessments until approximately November 2014, pending
successful implementation of the Customer
Account Data Engine 2 (CADE 2) strategy.[5] The
CADE 2 strategy, as designed, will allow the IRS to modernize the processes it
uses to account for the records of individual taxpayers and create a single
overall system of record. In addition,
the time to process and update individual taxpayer account data would be
shortened from a weekly to a daily basis, which will improve the timeliness and
accuracy of this information.
The IRS informed us that it plans to add
additional remediation actions to the FFMIA plan related to the CADE 2 strategy
when the timetable for implementation of the CADE 2 strategy is finalized. Until the IRS updates its FFMIA remediation plan
with actions related to the CADE 2 strategy, we will be unable to fully assess
its overall progress in resolving its noncompliance.
Our review also identified that the IRS continues to experience difficulties in developing resource estimates for remediation actions related to information security. We reported in two prior audits[6] that some resource estimates related to information security were unsupported and based on outdated information. We continued to find similar issues in our current review of the IRS’ September 30, 2009, FFMIA remediation plan. Complete and accurate information related to the IRS’ remediation actions is critical to ensuring the IRS will achieve full compliance with the FFMIA.
Intermediate
Target Dates Were Extended for Some Actions
During the period January 1, 2009,
through September 30, 2009, the IRS reported that it:
Each of the 30 remedial actions
had an intermediate target date that extended more than 3 years from the
initial determination that IRS financial management systems were not in
substantial compliance with the FFMIA. As
required, the IRS obtained concurrence from the Office of Management and Budget
to extend its corrective actions beyond the 3-year limitation.
Our review of the 30 open
remediation actions indicated that the IRS did not miss any intermediate target
dates. However, the IRS did extend
intermediate target dates related to two of the open actions. These intermediate target date extensions
varied from 3 to 11 months. Although
the IRS has reasonable explanations for the extended intermediate target dates, missing an intermediate target date results in the IRS
extending the intermediate target dates of related remedial actions. Consequently, the extension of the
intermediate target dates of these two remedial actions, while necessary, does
put the IRS further behind on resolving its noncompliance.
In addition, we previously reported[7] that the IRS was unable to promptly identify when it had removed open findings and recommendations or ensure all findings and recommendations were accounted for in its remediation plan. We recommended that the IRS strengthen procedures for reviewing plans for completeness and develop a comprehensive system for tracking the status of findings and recommendations.
Although the IRS declined to fully implement our
recommendations and did not develop a comprehensive system for tracking
findings and recommendations, we found that it has improved the documentation
it maintains regarding the status of findings and recommendations. In addition, we did not identify any exceptions of findings
and recommendations not being addressed in the IRS’ September 30, 2009, remediation
plan. Although this enhanced
documentation represents a significant positive step, we continue to believe
that implementing a centralized tracking system would further enhance the
transparency of the FFMIA process and allow the IRS to more quickly provide
information to stakeholders regarding the status of any FFMIA-related findings
and recommendations. Because the
IRS has improved its recordkeeping for the FFMIA remediation plan, we are not
making an additional recommendation on this issue.
The Internal
Revenue Service Has Experienced Difficulties in Developing Remediation Actions
Related to Information Security
Between January 1, 2005, through September 30, 2009, the IRS has had difficulty in both developing the comprehensive remedial actions required to resolve noncompliance related to information security and reliably estimating the resources and time necessary to implement these remedial actions. Complete and reliable financial information is critical to the IRS’ ability to accurately report on the results of its operations to both internal and external stakeholders, including taxpayers. In June 2009, we reported the IRS re-evaluated and substantially revised its FFMIA remediation plan and canceled 25 actions related to computer security and replaced them with 39 new expanded actions.[8] The IRS developed these expanded actions to better identify the comprehensive steps it needs to take to resolve this issue. Although this resulted in a significant extension of the completion date of some of the actions, it resulted in improved accountability and improved the usefulness of the plan to stakeholders. Our review of the September 30, 2009, FFMIA remediation plan did not identify any canceled items relating to information security.
Additional attention is also needed when developing resource estimates for remediation actions related to information security. As reported in our two prior audits, some resource estimates related to information security were unsupported and based on outdated information. In our review of the IRS’ September 30, 2009, FFMIA remediation plan, we continued to find similar issues. Specifically:
§ Five resource estimates totaling $84.3 million were not supported by detailed and verifiable documentation such as a description of how and when the estimate was developed or a general breakdown of the services, hardware, and software being acquired. These five resource estimates related to remediation actions with scheduled completion dates ranging from Fiscal Years 2010 through 2014. The IRS was unable to provide documentation supporting these estimates and informed us they were significantly outdated. During our audit fieldwork, the IRS re-evaluated the estimates associated with these actions and informed us that 1) the costs associated with these 5 resource estimates should actually be $98.3 million, and 2) they plan to update the March 2010 remediation plan with this updated information.
§ Three actions with completion dates ranging from Fiscal Years 2010 to 2012 had resource estimates listed that were $4.3 million more than the support provided by the IRS.
In addition, the September 30, 2009, FFMIA remediation plan contained a preliminary resource estimate of $69 million for an infrastructure initiative related to contingency planning and disaster recovery. Although the estimate included costs related to 23 separate sub-tasks, it did not provide a description of how and when the estimates for the sub-tasks were developed, include timelines, or prioritize the completion of the sub-tasks identified. IRS management informed us that these estimates represented very preliminary calculations and advised us that they plan to update the June 2010 remediation plan with more detailed information, including costs and intermediate target dates in support of the completion of this initiative. Until the IRS updates its FFMIA remediation plan with more information regarding this initiative, we will be unable to fully assess its overall progress in resolving its noncompliance.
Although the amount of
documentation maintained by the IRS regarding resource estimates has improved
based on a prior Treasury Inspector General for Tax Administration recommendation,
we believe enhancements are still needed.
Specifically, although the IRS now consistently requires documentation
from the Chief Technology Officer supporting information security resource
estimates, it has not developed specific minimum standards outlining the type
of supporting information needed. For
example, the supporting documentation we reviewed did not consistently include
a breakdown and explanation of costs such as hardware, software, and contractor
support that are included in the estimate, a general description of how the
estimate was developed, or the date of preparation/last update.
Without appropriate
estimates, the remediation actions could be delayed as a result of insufficient
resources being available when needed. Outdated
and/or inaccurate cost information also affects IRS management’s ability to
timely and reliably estimate accurate completion dates for remediation
actions. Until the IRS develops and
completes the necessary remediation actions to address all of the Government
Accountability Office’s open findings and recommendations, the IRS will
continue to be noncompliant with the FFMIA.
Recommendations
Recommendation
1: The CFO, in coordination with the Chief
Technology Officer, should ensure that incomplete and unsupported information identified
during our review of the IRS’ September 30, 2009, FFMIA remediation plan is
appropriately updated in future remediation plans.
Management’s Response: The IRS agreed with this recommendation and stated that its March 31, 2010, FFMIA remediation plan has been reconciled and annotated with the authoritative supporting documentation.
Recommendation 2: The CFO should develop standard documentation guidelines for estimates reported in the IRS remediation plan. Specifically, the supporting documentation should include the following minimum information: 1) a breakdown and explanation of costs such as hardware, software, and contractor support that are included in the estimate; 2) a general description of how the estimate was developed; and 3) the date of preparation and last update.
Management’s Response: The IRS agreed with this recommendation and plans to develop standardized guidance that requires more specific documentation standards for remediation plan estimates, including a breakdown and explanation of estimated costs for hardware, software, and contractor support costs, as well as required dates indicating when the last estimates were calculated.
Appendix I
Detailed Objectives, Scope, and Methodology
The overall objective of this review was to report to Congress, as required by the FFMIA,[9] any instances of and reasons for missed intermediate target dates established in the IRS’ FFMIA remediation plan for the period January 1, 2009, through September 30, 2009.[10] In addition, we evaluated the effectiveness of the remedial actions taken by the IRS during the period January 1, 2005, through September 30, 2009, in resolving the noncompliance reported in the FFMIA remediation plans and assessed the challenges associated with achieving substantial compliance. To accomplish our objectives, we:
I. Gained an understanding of the requirements of the FFMIA, including Office of Management and Budget and Department of the Treasury guidance for compliance with the Act.
II. Determined whether the IRS’ remediation plan was consistent with Government Accountability Office recommendations from prior IRS financial audits and related financial management reports.
III. Determined whether 1) the IRS missed any intermediate target dates established in its remediation plan, 2) intermediate target dates were extended without sufficient documentation to support the revised dates, and 3) proper approval was obtained for remedial actions extending more than 3 years.
A. Verified that all remedial actions had intermediate target dates established.
B. Identified instances when the IRS did not meet the intermediate target dates.
C. If instances of missed dates were identified, inquired of IRS officials the reason the IRS did not meet the intermediate target date.
D. Identified any intermediate target dates extending more than 3 years since the recommendation was reported.
E. If instances of intermediate target dates extending longer than 3 years were identified, verified that the approval was requested and granted from the Office of Management Budget.
IV. Determined whether 1) the IRS remediation plan had established resource needs for remedial actions, and 2) the resources presented were consistent with supporting documentation.
A. Verified that resource requirements were identified for all remedial actions.
B. Obtained budget information.
C. Traced remediation plan resources to budget information.
D. Interviewed the functional financial plan managers associated with all significant cost estimates.
V. Determined whether the IRS had taken adequate corrective actions on prior reported audit findings related to the FFMIA remediation plan.
A. Identified prior open Treasury Inspector General for Tax Administration audit findings and corresponding management responses concerning corrective actions that should have been completed by the time of our audit.
B. Confirmed through discussions/observations that actions had been completed.
C. Evaluated the actions taken by the IRS to improve its tracking of open FFMIA material weaknesses (in evaluating the IRS’ 2008 FFMIA Remediation Plan, the Treasury Inspector General for Tax Administration identified that the IRS was unable to reliably determine the current status of all open issues causing its noncompliance with the FFMIA).
VI. Determined whether the IRS’ remedial actions from January 1, 2005, through September 30, 2009, resulted in measurable progress resolving FFMIA noncompliance and assessed the challenges associated with achieving substantial compliance.
A. Identified the number of FFMIA material weaknesses that were closed and new FFMIA material weaknesses that were added during the period under review.
B. Determined the number of open, added, extended, canceled, and completed remedial actions for the period January 1, 2005, through September 30, 2009, in order to evaluate the progress of the remedial actions in resolving FFMIA noncompliance.
C. Interviewed key IRS business unit stakeholders regarding the status of applicable in-process remediation actions and the risks associated with the outstanding material weaknesses.
Internal controls methodology
Internal controls relate to management’s
plans, methods, and procedures used to meet their mission, goals, and
objectives. Internal controls include
the processes and procedures for planning, organizing, directing, and
controlling program operations. They
include the systems for measuring, reporting, and monitoring program
performance. We determined the following
internal controls were relevant to our audit objective: the IRS’ policies, procedures, and practices
for tracking remediation actions implemented due to identified material
weaknesses. We evaluated these controls
by interviewing management and reviewing applicable documentation.
Appendix II
Major Contributors to This Report
Nancy
A. Nakamura, Assistant Inspector
General for Audit (Management Services and Exempt Organizations)
Jeffrey
M. Jones, Director
Anthony
J. Choma, Audit Manager
Michele
N. Strong, Lead Auditor
Mark
A. Judson, Senior Auditor
Dana
Karaffa, Evaluator
Appendix III
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Information Officer OS:CTO:CIO
Deputy Chief Information Officer for Operations OS:CTO
Associate Chief Financial Officer for Corporate Planning and Internal Control
OS:CFO:CPIC
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Associate Chief Information Officer, End-User Equipment and Services
OS:CTO:EU
Associate
Chief Information Officer,
Acting
Associate Chief Information Officer,
Director, Stakeholder Management Division OS:CTO:SP:S
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
Chief Financial Officer OS:CFO
Chief Technology Officer OS:CTO
Appendix IV
This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. This benefit will be incorporated into our Semiannual Report to Congress.
Type and Value of Outcome Measure:
· Reliability of Information – Actual; $18.3 million. This measure represents the difference between the resource estimates reported in the IRS’ September 30, 2009, FFMIA remediation plan and the supporting documentation provided by the IRS (see page 5).
Methodology Used to Measure the Reported Benefit:
To determine whether the IRS reliably reported estimated resources in its September 30, 2009, FFMIA remediation plan, we compared the estimated resources to the supporting documentation and interviewed selected IRS personnel. We found that 5 resource estimates totaling $84.3 million were not supported by detailed and verifiable documentation such as a description of how and when the estimate was developed or a general breakdown of the services, hardware, and software being acquired. The IRS informed us these estimates were significantly outdated. During our audit fieldwork, the IRS re-evaluated the estimates associated with these actions and determined the costs associated with these 5 resource estimates should actually be $98.3 million. The IRS was also able to provide detailed and verifiable documentation in support of this estimate. In order to calculate this outcome measure, we determined that the difference between the estimate in the September 30, 2009, FFMIA remediation plan and the updated estimate was $14.0 million ($98.3 million – $84.3 million = $14.0 million). We also identified that 3 actions with completion dates ranging from Fiscal Years 2010 to 2012 had estimates listed that were $4.3 million more than the support provided by the IRS.
The total measure reported was
calculated by adding these 2 differences together ($14.0 million + $4.3 million
= $18.3 million).
Appendix V
Schedule of the Internal Revenue Service’s Remediation
Actions From 2005 Through 2009
Table 1: Status
of Remedial Actions From January 1, 2005,
Through September 30, 2009
|
Remediation Plan Period |
Open Remedial Actions at Beginning
of Plan Period |
New Remedial Actions Added |
Canceled Remedial Actions |
Completed Remedial Actions |
Open Remedial Actions at End of Plan
Period |
|
January 1, 2005 – December 31, 2005 |
12 |
67 |
1 |
40 |
38 |
|
January 1, 2006 –December 31, 2006 |
38 |
61 |
11 |
37 |
51 |
|
January 1, 2007 – December 31, 2007 |
51 |
6 |
2 |
20 |
35 |
|
January 1, 2008 – December 31, 2008 |
35 |
50 |
26 |
18 |
41 |
|
January 1, 2009 – September 30, 2009 |
41 |
2 |
0 |
13 |
30 |
Source: IRS remediation plans issued from December31, 2005, through September 30, 2009.
Appendix VI
Management’s Response to the Draft Report
DEPART'MENT OF THE TREASURY
INTERNAL REVENUE SERVICE
May 11, 2010
CHIEF
FINANCIAL OFFICER
MEMORANDUM FOR MICHAEL R. PHILLIPS
DEPUTY INSPECTOR GENERAL FOR AUDIT
FROM: Alison L. Doone /s/ Alison L. Doone
Chief Financial Officer
SUBJECT: Draft Audit Report - Measurable Progress Has Been Made in Addressing Federal Financial Management Improvement Act Noncompliance; However, Significant Challenges Remain (Audit # 200910027)
We reviewed the draft report and agree with your recommendations to address documentation improvements and standard documentation guidelines for remediation plan estimates.
Attached are our detailed comments to your recommendations. If you have any questions, please contact Peter Rose, Acting Associate Chief Financial Officer, Corporate Planning and Internal Control, at (202) 622-4508.
Attachment
Attachment
RECOMMENDATION 1
The CFO, in coordination with the Chief Technology Officer (CTO), should ensure that incomplete and unsupported information identified during the TIGTA's review of the IRS' September 30, 2009, FFMIA remediation plan is appropriately updated in future remediation plans.
CORRECTIVE ACTION
The IRS agrees with the recommendation. The March 31, 2010 FFMIA remediation plan contains information that has been reconciled and annotated with the authoritative supporting documentation. The CTO will comply with the CFO standard documentation guidelines.
IMPLEMENTATION DATE
September 30, 2010
RESPONSIBLE OFFICIAL
Chief Financial Officer
CORRECTIVE ACTION
MONITORING PLAN
N/A
RECOMMENDATION 2
The CFO should develop standard documentation guidelines for estimates reported in the IRS remediation plan. Specifically, the supporting documentation should include the following minimum information: 1) a breakdown and explanation of costs such as hardware, software, and contractor support that are included in the estimate; 2) a general description of how the estimate was developed; and 3) the date of preparation and last update.
CORRECTIVE ACTION
The IRS agrees with the recommendation. The CFO currently provides guidance to the IRS remediation plan owners through a data call that addresses FFMIA Remediation Plan Review and Reporting Requirements. Future plans include developing of standardized guidance that requires more specific documentation standards for the remediation plan estimates including a breakdown and explanation of estimated costs for hardware, software, and contractor support costs, as well as required dates indicating when the last estimates were calculated.
IMPLEMENTATION DATE
September 30, 2010
RESPONSIBLE OFFICIAL
Chief Financial Officer
CORRECTIVE ACTION
MONITORING PLAN
N/A
[1] Pub. L. No. 104-208, 110 Stat. 3009.
[2] Pub. L. No. 104-208, 110 Stat. 3009.
[3] Financial Audit: IRS’s Fiscal Years 2009 and 2008 Financial Statements (GAO-10-176, dated November 2009).
[4] Federal taxes receivable consist of tax assessments, penalties, and interest not paid or abated which were agreed to by the taxpayer and the IRS or upheld by the courts.
[5] In January 2010, we initiated an audit focusing on the CADE 2 strategy entitled, Review of the CADE 2 Prototype Activities (Audit Number 201020004).
[6] The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2006 (Reference Number 2007-10-077, dated May 21, 2007) and The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2008 (Reference Number 2009-10-094, dated July 30, 2009).
[7] The Internal Revenue Service’s Federal Financial Management Improvement Act Remediation Plan As of December 31, 2008 (Reference Number 2009-10-094, dated July 30, 2009).
[8] In order to provide the IRS with more detailed information regarding
the status of its actions relating to computer and information security
weaknesses, we initiated an audit in November 2009 to assess the IRS’ progress
in resolving the vulnerabilities regarding security roles and responsibilities. This review is entitled Review of the Roles and
Responsibilities of Selected Computer Security Material Weaknesses (Audit Number 200920016).
[9] Pub. L. No. 104-208, 110 Stat. 3009.
[10] Our previous three FFMIA reports to Congress were annual reviews of the IRS’ actions as of December 31st (2008, 2007, and 2006). This report has changed the period of review to the end of the fiscal year (September 30, 2009).