TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Risk Management Efforts Could Be Improved With Clearly Defined Procedures and Expanded Information Sharing

September 2, 2011

Reference Number: 2011-10-096

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500

Email Address | TIGTACommunications@tigta.treas.gov

Web Site | http://www.tigta.gov

HIGHLIGHTS

Risk Management Efforts Could Be Improved With Clearly Defined Procedures and Expanded Information Sharing

Highlights

Final Report Issued on September 2, 2011

Highlights of Reference Number: 2011-10-096 to the Internal Revenue Service Chief Financial Officer and Director, Office of Research, Analysis, and Statistics.

IMPACT ON TAXPAYERS

The Federal Government should be effective and spend taxpayer dollars wisely. The proactive management of organization-level risks is critical to the Internal Revenue Service's (IRS) ability to both meet its strategic objectives and provide stakeholders with confidence that it is operating effectively and efficiently.

WHY TIGTA DID THE AUDIT

This audit was initiated to determine whether the IRS has an efficient process for managing risks to the achievement of its strategic objectives. This review is part of our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Leveraging Data to Improve Program Effectiveness and Reduce Costs.

WHAT TIGTA FOUND

The IRS can take additional actions to improve its risk management process. Specifically, TIGTA found that the efficiency of the Executive Steering Committees' (ESC) risk management efforts could be improved by developing guidelines detailing how the ESCs should identify, assess, address, and monitor risks applicable to their responsible areas. In addition, the IRS should implement a methodology that supports the timely sharing of identified risks between the ESCs. Further, regular internal reviews of the ESCs' risk management activities would assist management in ensuring the ESCs are operating effectively. By taking these actions, TIGTA believes the IRS can better ensure its risk management activities are effectively coordinated and its resources are allocated efficiently to manage those risks that may impact its ability to achieve organizational goals.

TIGTA also determined that the IRS's Modernization and Information Technology Services (MITS) organization is in the early stages of developing a more formalized risk management framework supported by a dedicated executive. This initiative should be monitored by the IRS to study the potential benefits and the costs and steps involved in moving long term towards a more formal IRS-wide risk management process.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Financial Officer develop procedures to guide the risk management activities of the ESCs, require the ESCs to post risk information in a readily accessible location, and require the ESCs to notify the Chief Financial Officer when a new ESC is implemented. TIGTA also recommended that the Director, Office of Research, Analysis, and Statistics, develop procedures requiring the review of risk management activities of the ESCs on a routine basis. Finally, TIGTA recommended that the Chief Financial Officer and the Director, Office of Research, Analysis, and Statistics, jointly monitor and evaluate the MITS organization's risk management initiative to study the potential benefits in moving towards a more formal IRS-wide risk management process.

IRS management agreed with two recommendations. Management stated they plan to compile a list of ESCs and monitor the MITS organization's risk management initiative. However, management disagreed with our recommendation to develop procedures to guide the risk management activities of the ESCs, require the ESCs to post risk information, and perform ongoing reviews of the ESCs' risk management efforts. TIGTA maintains that procedures, better information sharing, and periodic assessments of the IRS risk process would provide additional assurance that it is effectively managing corporate risks.

 

September 2, 2011

MEMORANDUM FOR CHIEF FINANCIAL OFFICER

DIRECTOR, OFFICE OF RESEARCH, ANALYSIS, AND STATISTICS

FROM: Michael R. Phillips /s/ Michael R. Phillips

Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Risk Management Efforts Could Be Improved With Clearly Defined Procedures and Expanded Information Sharing (Audit # 201010020)

 

This report presents the results of our review of the Internal Revenue Service's (IRS) risk management process. The overall objective of this review was to determine whether the IRS has an efficient process for managing risks to the achievement of its strategic objectives. Our review focused specifically on the risk management efforts of the IRS's Executive Steering Committees as this is the overall vehicle the IRS uses to manage organization-level risks. This review is part of the Treasury Inspector General for Tax Administration's Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Leveraging Data to Improve Program Effectiveness and Reduce Costs.

Management's complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations), at (202) 622-8500.

 

 

Table of Contents

 

Background

Results of Review

Procedures and Better Information Sharing Could Improve the Efficiency of the Executive Steering Committees

Recommendation 1:

Recommendation 2:

Additional Analyses of the Internal Revenue Service's Risk Management Practices May Identify Potential Improvements

Recommendation 3:

Recommendation 4:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management's Response to the Draft Report

 

 

Abbreviations

CFO | Chief Financial Officer

ERM | Enterprise Risk Management

ESC | Executive Steering Committee

IRS | Internal Revenue Service

MITS | Modernization and Information Technology Services

OPERA | Office of Program Evaluation and Risk Analysis

Background

 

In general, risk management can be defined as the identification of possible future events which may impact the ability of an organization to meet its objectives and the implementation of actions to address those events. In January 2005, the Government Accountability Office identified risk management as an area of concern in the Federal Government. For example, challenges facing the Internal Revenue Service (IRS) include the impact of significant tax law changes, growing impact of international tax law issues, increased sophistication of efforts to evade compliance, and increased service expectations by American taxpayers and tax practitioners.

The IRS is a large and complex organization, comprised of 4 operating divisions and 16 functional offices, with a total staff of more than 94,000 employees. In order to address areas of significant organization-level concerns, IRS senior management utilizes 26 Executive Steering Committees (ESC) that are generally comprised of representatives from multiple IRS functions. The ESCs cover a broad scope of issue areas, including human capital, data security, infrastructure enhancements, taxpayer compliance, operational readiness, and legislative changes (such as implementation of the recently enacted health care legislation). The IRS's risk management efforts are also broadly supported by its 5-year strategic plan, which identifies its overall program goals and anticipated general risk areas.

Enterprise risk management (ERM) is an emerging discipline whereby an organization implements a process across the organization designed to identify potential events that may affect the organization and manage risk to provide reasonable assurance regarding the achievement of organizational objectives. A fundamental concept of ERM is that it considers activities at all levels of the organization and identifies entity-wide risks. This structure is supported in some organizations, especially those that are larger and more complex, by a dedicated executive and staff specifically responsible for organizational risk management.

Guidance regarding ERM practices has been developed by a number of private and government organizations and continues to be expanded. For example, the Committee of Sponsoring Organizations[1] published an ERM framework in September 2004 to assist entities in moving towards a fuller risk management process. According to the Committee of Sponsoring Organizations, a proactive approach to risk management is necessary and includes processes and activities that are intertwined within an organization's core activities so that risk management is performed on an ongoing, consistent basis by employees throughout an organization.

This review was performed at the IRS Headquarters offices of the Chief Financial Officer (CFO); the Office of Research, Analysis, and Statistics; and the Tax Exempt and Government Entities Division in Washington, D.C.; the Modernization and Information Technology Services (MITS) organization and the Small Business/Self-Employed Division in New Carrollton, Maryland; the Wage and Investment Division in Atlanta, Georgia; and the Large Business and International Division in Chicago, Illinois, during the period September 2010 through May 2011. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

We believe the IRS can take additional actions to improve its risk management process. Specifically, we found that the efficiency of the ESCs' risk management efforts could be improved by developing guidelines detailing how the ESCs should identify, assess, address, and monitor risks applicable to their responsible areas. In addition, the IRS should implement a methodology that supports the timely sharing of identified risks between the ESCs. Further, regular internal reviews of the ESCs' risk management activities would assist management in ensuring the ESCs are operating effectively and coordinating appropriately. By taking these actions, we believe the IRS can better ensure its risk activities are effectively coordinated and its resources are allocated efficiently to manage risks that may impact its ability to achieve organizational goals.

We determined that the MITS organization is in the early stages of developing a formalized, integrated risk management framework to manage information technology risks. Specifically, MITS management is implementing a dedicated group, headed by a senior executive, to specifically focus on managing risks applicable to IRS information technology. We believe this initiative should be continually monitored by the IRS to study the potential benefits, costs, and steps involved in moving long term towards a more formal IRS-wide risk management process supported by a dedicated senior executive and supporting staff.

Procedures and Better Information Sharing Could Improve the Efficiency of the Executive Steering Committees

An integral part of the IRS's efforts to address and monitor organization-level risks to its strategic objectives is the work performed by its ESCs. The dynamic and cross-organizational nature of the ESCs allows the IRS the opportunity to quickly apply resources to address and monitor IRS-wide risks in emerging areas of high concern via the creation of new ESCs. In addition, because the ESCs are comprised of a cross section of senior managers representing the IRS's various functions, this approach helps ensure strong executive involvement in the risk management activities performed. However, we found the efficiency of the ESCs' risk management efforts could be improved by developing clearly defined procedures and a methodology supporting the timely sharing of information on risks identified.

Specifically, we found the IRS has not developed policies and procedures to guide the risk management activities of the ESCs. As a result, each ESC must develop its own approach for determining how risks will be identified, assessed, addressed, and monitored.

During our review, the IRS was unable to provide us with a comprehensive list of the ESCs currently in operation and whether any risks were being addressed by those ESCs. Based on our research, we determined that there were 26 ESCs active (i.e., meeting regularly) at the time of our review. We reviewed the charters of 16 sampled ESCs and found that only 10 charters included a reference to the ESCs' responsibilities regarding risk management. Further, we reviewed the risk management of five randomly selected ESCs and found the methodologies used by the five ESCs to identify, assess, address, and monitor the risks identified varied significantly in form and level of detail. For example, only one of the five ESCs we evaluated had a clearly defined methodology for assessing risk.

In addition, we determined that the ESCs can more effectively coordinate their efforts to share risk management practices with other ESCs and senior IRS operating division management. Specifically, the ESCs we reviewed generally did not post information regarding risks in a location readily accessible to other ESCs or other IRS organizational users, including its operating divisions and functional offices. As a result, it is difficult for IRS managers to timely identify crosscutting organizational risks. Although the sharing of risk information is somewhat supported by the IRS's practice of having some senior managers participate in multiple ESCs, we do not believe that this practice alone is sufficient to fully support the sharing of risk information. In addition, the lack of a centralized inventory of the active ESCs (and the risks they are addressing) significantly impacts the efficiency of the risk management process.

A risk management program should include developing policies and procedures that outline the organization's expectations regarding the management of risks and document the process to ensure it operates effectively. Although the IRS CFO has overall responsibility for supporting the risk management efforts of the IRS, he or she has not yet developed guidelines and procedures to guide the efforts of the ESCs in identifying, assessing, addressing, and monitoring organizational risks or a methodology supporting the sharing of information on risks identified. Further complicating the CFO's efforts, there are no specific procedures that require any function within the IRS to notify the CFO when a new ESC is being formed. As a result, neither the CFO nor any other function within the IRS maintains a current list of all active ESCs, their areas of focus, and specific risks they are responsible for addressing.

The ESCs play a critical role in the IRS's efforts to both meet its objectives and provide stakeholders with confidence that it is operating effectively and efficiently. Without clearly defined procedures that outline the IRS's expectations regarding how risks to organizational objectives should be identified, assessed, addressed, and monitored, each new ESC must expend valuable time and resources developing its own risk management process rather than focusing directly on the concern it was created to address. Similarly, the lack of readily available ESC risk information impedes the sharing of this information among senior IRS executive management. The need to share risk information is significant given the interrelated nature of the areas addressed by the IRS's various ESCs. Clearly defined procedures and increased coordination will assist the IRS in effectively managing corporate risks that may impact its ability to achieve organizational goals.

Recommendations

Recommendation 1: The CFO should develop policies and procedures to support the risk management activities of the ESCs. These procedures should clearly define the process ESCs should follow in identifying, assessing, addressing, and monitoring risks. In addition, the procedures should require the ESCs to post the risks they are addressing in a location readily accessible to other ESCs and other users.

Management's Response: CFO management disagreed with this recommendation. Management stated that each ESC uses risk processes appropriate to its function and requiring all ESCs to adhere to a rigid set of policies and procedures may constrain the options for addressing those challenges. However, management did agree to develop limited guidance that allows for flexibility in assessing risks, as needed. CFO management disagreed with establishing procedures that require the ESCs to post the risks they are addressing in a location readily accessible to other ESCs and other users, stating it would not be beneficial. Management stated that ESCs share information, including risks as appropriate, with relevant business units, and variances in issue and risk tracking are addressed separately when ESCs have overlap on pertinent issues. Management also stated that IRS risks and their resolutions change frequently, and having a repository would make the Governance process burdensome and would not add value. Management also believes that the resources required to maintain such a repository are not justifiable.

Office of Audit Comment: While the IRS disagreed with the recommendation, it did agree to develop limited guidance for assessing risks, as needed. This type of guidance would meet the intent of our recommendation if it assists the ESCs in considering how risks will be identified, assessed, addressed, and monitored. We believe this type of guidance would help the IRS in better managing corporate risks by ensuring a more comprehensive approach to risk management and minimizing duplication of effort by allowing the ESCs to customize a risk management approach based on the general guidance rather than developing one on their own. In addition, we still believe making ESC risk information readily available will facilitate senior IRS executive management in identifying and sharing crosscutting organizational risks in a more timely and efficient manner and prevent potential conflicting solutions for addressing these risks. The ESCs can also benefit from prior attempts by other ESCs to address crosscutting risks, including successes and lessons learned. During the course of our review, we found that many ESCs already post key information (such as their meeting minutes) in a location readily accessible to other IRS users. As such, we believe that the ESCs could post applicable risk information in a similar manner without expending significant additional resources. If the postings are dated, other ESCs can easily determine if the risk information is current.

Recommendation 2: The CFO should develop procedures requiring any function within the IRS to notify the CFO whenever a new ESC is being implemented. The CFO should use this information to maintain a current list of all active ESCs and their areas of focus.

Management's Response: CFO management agreed with our recommendation. The CFO coordinates completion of the annual Government Accountability Office Internal Control Management and Evaluation Checklist to evaluate internal controls and reports their status to the Department of the Treasury and the Government Accountability Office. In future checklist updates, the CFO plans to add a series of questions designed to identify current ESC status as well as identify any new ESCs formed, to serve as the basis for compiling a current list of active ESCs annually. The business units will also be given guidance outlining specific documentation that should be maintained for all active ESCs.

Additional Analyses of the Internal Revenue Service's Risk Management Practices May Identify Potential Improvements

We believe regular internal reviews of the ESCs' risk management activities would assist management in ensuring the ESCs are operating effectively and coordinating appropriately. In addition, IRS management should carefully monitor the efforts of the MITS business unit in establishing a formal risk management framework led by a dedicated executive to study the potential benefits, costs, and steps involved in moving long term towards a more formal IRS-wide risk management process.

Monitoring the effectiveness of risk management activities is a key component of a properly functioning risk management process. The Standards for Internal Control in the Federal Government state that control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. One key activity in this area is management reviews to compare actual performance to planned or expected results throughout the organization and analyze significant differences.

Regular reviews of the ESCs would assist management in identifying potential improvements in their risk management practices

Within the IRS, the Office of Program Evaluation and Risk Analysis (OPERA), which is located within the Office of Research, Analysis, and Statistics, has overall responsibility for evaluating risk management. However, we found that the OPERA has not performed a review of the risk management efforts of the ESCs since April 2006.[2]

Although IRS procedures assign responsibility for the performance of risk management reviews to the OPERA, they do not specifically require periodic internal reviews of the IRS's risk management process. The reviews could serve a critical purpose by allowing the IRS to ensure risks are continually identified, assessed, addressed, and monitored to effectively and efficiently achieve organizational objectives. OPERA management informed us they perform their reviews primarily based on requests from IRS management rather than on an ongoing or routine basis. In addition, the general lack of uniform and readily available risk tracking information hinders the OPERA's ability to fully review the risk management activities of the ESCs.

Evaluation of the IRS's risk management process will provide the IRS additional assurance that risks are timely identified, assessed, addressed, and monitored to effectively and efficiently achieve organizational objectives. These reviews would also allow the IRS to evaluate the implementation of any enhancements it makes to its risk management process as a result of implementing actions to address our first report recommendation.

Continued monitoring of the MITS' risk management process may identify potential benefits for a more formal IRS-wide risk management process

During our review, we determined that the MITS organization is in the early stages of developing a formalized, integrated risk management framework to manage information technology risks. Specifically, MITS organization management is implementing a dedicated group, headed by a senior executive, to focus on managing risks applicable to IRS information technology.

Although the OPERA provided early input in April 2010 on the MITS organization's initiative, Office of Research, Analysis, and Statistics management informed us that they have no plans to further review this initiative or review the ESCs' risk management practices. We believe this initiative should be monitored by the IRS in order to fully evaluate the potential benefits, costs, and steps involved in moving long term towards a more formal IRS-wide risk management process supported by a dedicated senior executive and supporting staff. Without a plan to monitor this initiative, the IRS cannot effectively leverage lessons learned from the implementation of the MITS organization initiative in any future improvements it decides to make in IRS-wide risk management efforts.

Recommendations

Recommendation 3: The Director, Research, Analysis, and Statistics, should develop procedures requiring that the OPERA review the risk management activities of the ESCs on a periodic basis.

Management's Response: IRS management disagreed with our recommendation. Specifically, management stated that the OPERA's role in risk management has been to evaluate opportunities for applying risk management and conduct risk analyses at the request of IRS senior leadership. The OPERA serves in an advisory and support role at the request of senior leadership and does not have primary responsibility for identifying and mitigating risks. The recommendation to develop procedures requiring the review of ESC risk management activities on a periodic basis may not provide additional value unless focused on specific needs of IRS senior leadership.

Office of Audit Comment: We recognize that, in general, the OPERA performs its work in response to requests from various senior leaders. However, much has changed within the IRS's risk environment since the April 2006 review, including new legislative requirements, new executives and managers, and new technology. In addition, ERM practices have continued to evolve. Given the OPERA's extensive past experience in reviewing the IRS's risk management processes, we believe an updated review of the current IRS-wide risk management process would provide both IRS executives and external stakeholders with additional assurance that the ESCs are operating effectively and coordinating appropriately.

Recommendation 4: The CFO and the Director, Research, Analysis, and Statistics, should jointly monitor and evaluate the MITS organization risk management initiative in order to incorporate lessons learned from the implementation and study of the potential benefits, costs, and steps involved in moving towards a more formal IRS-wide risk management process.

Management's Response: IRS management agreed with our recommendation and stated that the OPERA plans to serve as an advisor to MITS organization senior management in monitoring and evaluating the MITS organization risk management initiative. The MITS organization initiative is expected to clarify MITS organization Enterprise Governance committee responsibilities and create downstream dependence on its ESCs to provide input to support investment recommendations. To address anticipated increased emphasis on the ESC role in investment management, the MITS organization Governance office is compiling information on the roles and responsibilities outlined in each ESC charter. The results will be used to identify improvement opportunities for information technology governance and to develop recommended enhancements (if any) for consideration by the MITS organization Enterprise Governance committee. The CFO will review the MITS organization findings and consider their applicability to an overall IRS-wide risk management process.

 

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS has an efficient process for managing risks to the achievement of its strategic objectives. To accomplish this objective, we:

I. Determined whether the IRS has established an overall framework to guide its efforts to manage risks to the achievement of its strategic objectives.

    A. Researched the IRS intranet (including the OPERA and the CFO web sites) and the Internal Revenue Manual to identify any applicable policies and procedures that guide the IRS's risk management process.

    B. Analyzed the policies and procedures that guide the IRS's overall risk management process.

    C. Identified and evaluated any guidance or support provided by the OPERA in assisting the IRS with its development of an overall ERM framework.

    D. Identified and evaluated any guidance or support provided by the CFO related to the IRS's ERM framework.

II. Assessed whether the IRS has implemented a comprehensive risk management process to effectively and proactively identify, assess, address, and monitor risks to the achievement of its strategic objectives.

    A. Determined the ESCs' role in proactively identifying, assessing, addressing, and monitoring risks.

        1. Based on our research and information provided by the CFO and the OPERA, we identified a population of 26 ESCs that were active in Fiscal Year 2010. Of the 26 active ESCs, we found that 9 were crosscutting and 17 were non-crosscutting. We selected a random sample of seven non-crosscutting ESCs. We further analyzed the charter and meeting minutes of the seven sampled non-crosscutting ESCs and all nine of the crosscutting ESCs.

        2. Utilizing a questionnaire, evaluated the methods used by the ESCs in managing risks. The questionnaire was provided to a random sample of five crosscutting ESCs.

    B. Evaluated coordination between the ESCs and the IRS's four operating divisions and the MITS organization in the management of risks to strategic objectives.

    C. Evaluated how the OPERA and the CFO provide oversight over the management of risks by the ESCs.

III. Determined whether the IRS is effectively communicating and coordinating risk information developed as a result of the efforts of the ESCs.

    A. Reviewed the OPERA's relationship with CFO management in regards to sharing risk information.

    B. Evaluated whether five randomly selected ESCs have a risk reporting relationship with CFO management and whether the results of their risk management activities are shared with key stakeholders.

    C. Determined how CFO management uses strategic planning information in the risk management activities of the ESCs.

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the IRS's policies and procedures for managing risks to the achievement of its strategic objectives. We evaluated these controls by interviewing management, reviewing a sample of the ESCs, and reviewing applicable documentation.

 

Appendix II

Major Contributors to This Report

Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations)

Jeffrey M. Jones, Director

Anthony J. Choma, Audit Manager

Kanika Kals, Lead Auditor

Yasmin Ryan, Senior Auditor

Autumn Gill, Evaluator

Dana Karaffa, Evaluator

 

Appendix III

Report Distribution List

Commissioner | C

Office of the Commissioner – Attn: Chief of Staff | C

Deputy Commissioner for Operations Support | OS

Chief Technology Officer | OS:CTO

Deputy Chief Financial Officer | OS:CFO

Chief Counsel | CC

National Taxpayer Advocate | TA

Director, Office of Legislative Affairs | CL:LA

Director, Office of Program Evaluation and Risk Analysis | RAS:O

Office of Internal Control | OS:CFO:CPIC:IC

Audit Liaisons:

Chief Financial Officer | OS:CFO

Director, Office of Research, Analysis and Statistics | OS:RAS

Appendix IV

 

Management's Response to the Draft Report

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

WASHINGTON, D.C. 20224

 

 

CHIEF FINANCIAL OFFICER

 

 

August 3, 2011

 

 

MEMORANDUM FOR MICHAEL R. PHILLIPS

DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM: Pamela J. LaRue /s/ Pamela J. LaRue

Chief Financial Officer

 

SUBJECT: Draft Audit Report - Risk Management Efforts Could Be Improved With Clearly Defined Procedures and Expanded Information Sharing (Audit # 201010020)

 

Thank you for the opportunity to comment on the subject draft report. We appreciate that your report recognizes the benefit of using Executive Steering Committees (ESCs) as an integral part of our risk management process. Furthermore, we agree with the recommendations to compile a listing of active ESCs and to monitor and evaluate the Modernization & Information Technology Services risk management initiative for applicability in establishing a more formal IRS-wide risk management process; however, we do not agree with those recommendations that require the ESCs to post risks in a central location and to direct the Office of Program Evaluation and Risk Analysis (OPERA) to monitor risk management activities of the ESCs on a periodic basis.

 

Attached are our detailed comments to your recommendations. If you have any questions, please contact Peter Rose, Acting Associate Chief Financial Officer, Corporate Planning and Internal Control, at (202) 622-4508.

 

Attachment

Attachment

 

RECOMMENDATION 1

The CFO should develop policies and procedures to support the risk management activities of the ESCs. These procedures should clearly define the process ESCs should follow in identifying, assessing, addressing and monitoring risks. In addition, the procedures should require the ESCs to post the risks they are addressing in a location readily accessible to other ESCs and other users.

 

CORRECTIVE ACTION

The IRS disagrees with this recommendation. The IRS organizational culture is vital to effective risk management, and its risk-averse culture is conducive to risk mitigation at multiple levels of the organization. The IRS addresses risk through an extensive use of cross-organizational governance processes - both standing and ad hoc Executive Steering Committees (ESCs). Each ESC uses various risk reporting and assessment processes appropriate to its charter and function. Requiring all ESCs to adhere to a rigid set of policies and procedures may constrain the options for addressing those challenges; however, the IRS will develop limited guidance that allows for flexibility in assessing risks, as needed.

 

The IRS disagrees that posting risks in a central location is beneficial. The IRS has elements of risk management firmly embedded in its business practices which actively address the risk culture. The ESCs are led by IRS senior executives who have experience in applying management and leadership methods to specific problems. The degree to which risk management should be a component of each ESC should be determined by the leadership and be based upon enterprise implications. The IRS ESCs share information, including risks as appropriate, with relevant business units, and variances in issue and risk tracking are addressed separately when ESCs have overlap on pertinent issues. Most ESCs meet quarterly, if not more frequently, and risk monitoring and remediation are integral parts of their Governance process. The IRS risks and their resolutions change frequently, and having a repository would make the Governance process burdensome and would not add value. The IRS also believes that the resources required to maintain such a repository are not justifiable.

 

IMPLEMENTATION DATE

N/A

 

RESPONSIBLE OFFICIAL

N/A

 

CORRECTIVE ACTION MONITORING PLAN

N/A

RECOMMENDATION 2

The CFO should develop procedures requiring any function within the IRS to notify the CFO whenever a new ESC is being implemented. The CFO should use this information to maintain a current listing of all active ESCs and their areas of focus.

 

CORRECTIVE ACTION

The IRS agrees with this recommendation. The CFO coordinates completion of the annual Government Accountability Office Internal Control Management and Evaluation Checklist to evaluate internal controls and reports their status to the Department of the Treasury and GAO as required by Office of Management and Budget Circular A-123, Management's Responsibility for Internal Control.

 

In future checklist updates, the CFO will add a series of questions designed to identify current ESC status as well as identify any new ESCs formed, to serve as the basis for compiling a current listing of active ESCs annually. The business units will also be given guidance outlining specific documentation that should be maintained for all active ESCs.

 

IMPLEMENTATION DATE

June 30, 2012

 

RESPONSIBLE OFFICIAL

Chief Financial Officer

 

CORRECTIVE ACTION MONITORING PLAN

N/A

 

RECOMMENDATION 3

The Director, Research, Analysis, and Statistics, should develop procedures requiring that the OPERA review the risk management activities of the ESCs on a periodic basis.

 

CORRECTIVE ACTION

The IRS disagrees with this recommendation. The Office of Program Evaluation and Risk Analysis (OPERA) role in risk management has been to evaluate opportunities for applying risk management and conduct risk analyses at the request of IRS senior leadership. The OPERA serves in an advisory and support role at the request of senior leadership and does not have primary responsibility for identifying and mitigating risks. The recommendation to develop procedures requiring the review of ESC risk management activities on a periodic basis may not provide additional value unless focused on specific needs of IRS senior leadership.

IMPLEMENTATION DATE

N/A

 

RESPONSIBLE OFFICIAL

N/A

 

CORRECTIVE ACTION MONITORING PLAN

N/A

 

RECOMMENDATION 4

The CFO and the Director, Research, Analysis, and Statistics, should jointly monitor and evaluate the MITS organization risk management initiative in order to incorporate lessons learned from the implementation and study the potential benefits, costs, and steps involved in moving towards a more formal IRS-wide risk management process.

 

CORRECTIVE ACTION

The IRS agrees with this recommendation. The OPERA will serve as an advisor to MITS senior management in monitoring and evaluating the MITS risk management initiative. The MITS initiative is expected to clarify MITS Enterprise Governance (MEG) committee responsibilities and create downstream dependence on its ESCs to provide input to support investment recommendations. To address anticipated increased emphasis on the ESC role in investment management, the MITS Governance office is compiling information on the roles and responsibilities outlined in each ESC charter. The results will be used to identify improvement opportunities for IT governance, and to develop recommended enhancements (if any) for consideration by the MEG. The CFO will review the MITS findings and consider their applicability to an overall IRS-wide risk management process.

 

IMPLEMENTATION DATE

September 30, 2012

 

RESPONSIBLE OFFICIAL

Chief Financial Officer

 

CORRECTIVE ACTION MONITORING PLAN

N/A



[1] The Committee of Sponsoring Organizations is a voluntary private-sector organization, established in the United States, dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.

[2] In performing the 2006 review, the OPERA collaborated with the National Academy of Science to evaluate, via case studies and observations, the IRS's ERM capabilities.