Risk Management Efforts Could Be Improved With Clearly Defined Procedures and Expanded Information Sharing
September 2, 2011
Reference Number: 2011-10-096
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site | http://www.tigta.gov
HIGHLIGHTS
Risk Management Efforts Could Be Improved With Clearly Defined Procedures and Expanded Information Sharing
Final Report Issued on September 2, 2011
Highlights of Reference Number: 2011-10-096 to the Internal Revenue Service Chief Financial Officer and Director, Office of Research, Analysis, and Statistics.
IMPACT ON TAXPAYERS
The Federal Government should be effective and spend taxpayer dollars wisely. The proactive management of organization-level risks is critical to the Internal Revenue Service’s (IRS) ability to both meet its strategic objectives and provide stakeholders with confidence that it is operating effectively and efficiently.
WHY TIGTA DID THE AUDIT
This audit was initiated to determine whether the IRS has an efficient process for managing risks to the achievement of its strategic objectives. This review is part of our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Leveraging Data to Improve Program Effectiveness and Reduce Costs.
WHAT TIGTA FOUND
The IRS can take additional actions to improve its risk management process. Specifically, TIGTA found that the efficiency of the Executive Steering Committee’s (ESC) risk management efforts could be improved by developing guidelines detailing how the ESCs should identify, assess, address, and monitor risks applicable to their responsible areas. In addition, the IRS should implement a methodology that supports the timely sharing of identified risks between the ESCs. Further, regular internal reviews of the ESCs’ risk management activities would assist management in ensuring the ESCs are operating effectively. By taking these actions, TIGTA believes the IRS can better ensure its risk management activities are effectively coordinated and its resources are allocated efficiently to manage those risks that may impact its ability to achieve organizational goals.
TIGTA also determined that the IRS’s Modernization and Information Technology Services (MITS) organization is in the early stages of developing a more formalized risk management framework supported by a dedicated executive. This initiative should be monitored by the IRS to study the potential benefits and the costs and steps involved in moving long term towards a more formal IRS-wide risk management process.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Financial Officer develop procedures to guide the risk management activities of the ESCs, require the ESCs to post risk information in a readily accessible location, and require the ESCs to notify the Chief Financial Officer when a new ESC is implemented. TIGTA also recommended that the Director, Office of Research, Analysis, and Statistics, develop procedures requiring the review of risk management activities of the ESCs on a routine basis. Finally, TIGTA recommended that the Chief Financial Officer and the Director, Office of Research, Analysis, and Statistics, jointly monitor and evaluate the MITS organization’s risk management initiative to study the potential benefits in moving towards a more formal IRS-wide risk management process.
IRS management agreed with two recommendations. Management stated they plan to compile a list of ESCs and monitor the MITS organization’s risk management initiative. However, management disagreed with our recommendation to develop procedures to guide the risk management activities of the ESCs, require the ESCs to post risk information, and perform ongoing reviews of the ESCs’ risk management efforts. TIGTA maintains that procedures, better information sharing, and periodic assessments of the IRS risk process would provide additional assurance that it is effectively managing corporate risks.
September 2, 2011
MEMORANDUM FOR CHIEF FINANCIAL OFFICER
DIRECTOR, OFFICE OF RESEARCH, ANALYSIS, AND STATISTICS
FROM: Michael R. Phillips /s/Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Risk Management Efforts Could Be Improved With Clearly Defined Procedures and Expanded Information Sharing (Audit # 201010020)
This report presents the results of our review of the Internal Revenue Service’s (IRS) risk management process. The overall objective of this review was to determine whether the IRS has an efficient process for managing risks to the achievement of its strategic objectives.
Our review focused specifically on the risk management efforts of the IRS’s Executive Steering Committees as this is the overall vehicle the IRS uses to manage organization-level risks. This review is part of the Treasury Inspector General for Tax Administration’s Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Leveraging Data to Improve Program Effectiveness and Reduce Costs.
Management’s complete response to the draft report is included as Appendix IV.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations), at (202) 622-8500.
Appendices
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Management’s Response to the Draft Report
Abbreviations
CFO | Chief Financial Officer
ERM | Enterprise Risk Management
ESC | Executive Steering Committee
IRS | Internal Revenue Service
MITS | Modernization and Information Technology Services
OPERA | Office of Program Evaluation and Risk Analysis
In general, risk management can be defined as the identification of possible future events which may impact the ability of an organization to meet its objectives and the implementation of actions to address those events. In January 2005, the Government Accountability Office identified risk management as an area of concern in the Federal Government. For example, challenges facing the Internal Revenue Service (IRS) include the impact of significant tax law changes, growing impact of international tax law issues, increased sophistication of efforts to evade compliance, and increased service expectations by American taxpayers and tax practitioners.
The IRS is a large and complex organization, comprised of 4 operating divisions and 16 functional offices, with a total staff of more than 94,000 employees. In order to address areas of significant organization-level concerns, IRS senior management utilizes 26 Executive Steering Committees (ESC) that are generally comprised of representatives from multiple IRS functions. The ESCs cover a broad scope of issue areas, including human capital, data security, infrastructure enhancements, taxpayer compliance, operational readiness, and legislative changes (such as implementation of the recently enacted health care legislation). The IRS’s risk management efforts are also broadly supported by its 5-year strategic plan, which identifies its overall program goals and anticipated general risk areas.
Enterprise risk management (ERM) is an emerging discipline whereby an organization implements a process across the organization designed to identify potential events that may affect the organization and manage risk to provide reasonable assurance regarding the achievement of organizational objectives. A fundamental concept of ERM is that it considers activities at all levels of the organization and identifies entity-wide risks. This structure is supported in some organizations, especially those that are larger and more complex, by a dedicated executive and staff specifically responsible for organizational risk management.
Guidance regarding ERM practices has been developed by a number of private and government organizations and continues to be expanded. For example, the Committee of Sponsoring Organizations[1] published an ERM framework in September 2004 to assist entities in moving towards a fuller risk management process. According to the Committee of Sponsoring Organizations, a proactive approach to risk management is necessary and includes processes and activities that are intertwined within an organization’s core activities so that risk management is performed on an ongoing, consistent basis by employees throughout an organization.
This review was performed at the IRS Headquarters offices of the Chief Financial Officer (CFO); the Office of Research, Analysis, and Statistics; and the Tax Exempt and Government Entities Division in Washington, D.C.; the Modernization and Information Technology Services (MITS) organization and the Small Business/Self-Employed Division in New Carrollton, Maryland; the Wage and Investment Division in Atlanta, Georgia; and the Large Business and International Division in Chicago, Illinois, during the period September 2010 through May 2011. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
We believe the IRS can take additional actions to improve its risk management process. Specifically, we found that the efficiency of the ESCs’ risk management efforts could be improved by developing guidelines detailing how the ESCs should identify, assess, address, and monitor risks applicable to their responsible areas. In addition, the IRS should implement a methodology that supports the timely sharing of identified risks between the ESCs. Further, regular internal reviews of the ESCs’ risk management activities would assist management in ensuring the ESCs are operating effectively and coordinating appropriately. By taking these actions, we believe the IRS can better ensure its risk activities are effectively coordinated and its resources are allocated efficiently to manage risks that may impact its ability to achieve organizational goals.
We determined that the MITS organization is in the early stages of developing a formalized, integrated risk management framework to manage information technology risks. Specifically, MITS management is implementing a dedicated group, headed by a senior executive, to specifically focus on managing risks applicable to IRS information technology. We believe this initiative should be continually monitored by the IRS to study the potential benefits, costs, and steps involved in moving long term towards a more formal IRS-wide risk management process supported by a dedicated senior executive and supporting staff.
Procedures and Better Information Sharing Could Improve the Efficiency of the Executive Steering Committees
An integral part of the IRS’s efforts to address and monitor organization-level risks to its strategic objectives is the work performed by its ESCs. The dynamic and cross-organizational nature of the ESCs allows the IRS the opportunity to quickly apply resources to address and monitor IRS-wide risks in emerging areas of high concern via the creation of new ESCs. In addition, because the ESCs are comprised of a cross section of senior managers representing the IRS’s various functions, this approach helps ensure strong executive involvement in the risk management activities performed. However, we found the efficiency of the ESCs’ risk management efforts could be improved by developing clearly defined procedures and a methodology supporting the timely sharing of information on risks identified.
Specifically, we found the IRS has not developed policies and procedures to guide the risk management activities of the ESCs. As a result, each ESC must develop its own approach for determining how risks will be identified, assessed, addressed, and monitored.
During our review, the IRS was unable to provide us with a comprehensive list of the ESCs currently in operation and whether any risks were being addressed by those ESCs. Based on our research, we determined that there were 26 ESCs active (i.e., meeting regularly) at the time of our review. We reviewed the charters of 16 sampled ESCs and found that only 10 charters included a reference to the ESCs’ responsibilities regarding risk management. Further, we reviewed the risk management of five randomly selected ESCs and found the methodologies used by the five ESCs to identify, assess, address, and monitor the risks identified varied significantly in form and level of detail. For example, only one of the five ESCs we evaluated had a clearly defined methodology for assessing risk.
In addition, we determined that the ESCs can more effectively coordinate their efforts to share risk management practices with other ESCs and senior IRS operating division management. Specifically, the ESCs we reviewed generally did not post information regarding risks in a location readily accessible to other ESCs or other IRS organizational users, including its operating divisions and functional offices. As a result, it is difficult for IRS managers to timely identify crosscutting organizational risks. Although the sharing of risk information is somewhat supported by the IRS’s practice of having some senior managers participate in multiple ESCs, we do not believe that this practice alone is sufficient to fully support the sharing of risk information. In addition, the lack of a centralized inventory of the active ESCs (and the risks they are addressing) significantly impacts the efficiency of the risk management process.
A risk management program should include developing policies and procedures that outline the organization’s expectations regarding the management of risks and document the process to ensure it operates effectively. Although the IRS CFO has overall responsibility for supporting the risk management efforts of the IRS, he or she has not yet developed guidelines and procedures to guide the efforts of the ESCs in identifying, assessing, addressing, and monitoring organizational risks or a methodology supporting the sharing of information on risks identified. Further complicating the CFO’s efforts, there are no specific procedures that require any function within the IRS to notify the CFO when a new ESC is being formed. As a result, neither the CFO nor any other function within the IRS maintains a current list of all active ESCs, their areas of focus, and specific risks they are responsible for addressing.
The ESCs play a critical role in the IRS’s efforts to both meet its objectives and provide stakeholders with confidence that it is operating effectively and efficiently. Without clearly defined procedures that outline the IRS’s expectations regarding how risks to organizational objectives should be identified, assessed, addressed, and monitored, each new ESC must expend valuable time and resources developing its own risk management process rather than focusing directly on the concern it was created to address. Similarly, the lack of readily available ESC risk information impedes the sharing of this information among senior IRS executive management. The need to share risk information is significant given the interrelated nature of the areas addressed by the IRS’s various ESCs. Clearly defined procedures and increased coordination will assist the IRS in effectively managing corporate risks that may impact its ability to achieve organizational goals.
Recommendations
Recommendation 1: The CFO should develop policies and procedures to support the risk management activities of the ESCs. These procedures should clearly define the process ESCs should follow in identifying, assessing, addressing, and monitoring risks. In addition, the procedures should require the ESCs to post the risks they are addressing in a location readily accessible to other ESCs and other users.
Management’s Response: CFO management disagreed with this recommendation. Management stated that each ESC uses risk processes appropriate to its function and requiring all ESCs to adhere to a rigid set of policies and procedures may constrain the options for addressing those challenges. However, management did agree to develop limited guidance that allows for flexibility in assessing risks, as needed. CFO management disagreed with establishing procedures that require the ESCs to post the risks they are addressing in a location readily accessible to other ESCs and other users, stating it would not be beneficial. Management stated that ESCs share information, including risks as appropriate, with relevant business units, and variances in issue and risk tracking are addressed separately when ESCs have overlap on pertinent issues. Management also stated that IRS risks and their resolutions change frequently, and having a repository would make the Governance process burdensome and would not add value. Management also believes that the resources required to maintain such a repository are not justifiable.
Office of Audit Comment: While the IRS disagreed with the recommendation, it did agree to develop limited guidance for assessing risks, as needed. This type of guidance would meet the intent of our recommendation if it assists the ESCs in considering how risks will be identified, assessed, addressed, and monitored. We believe this type of guidance would help the IRS in better managing corporate risks by ensuring a more comprehensive approach to risk management and minimizing duplication of effort by allowing the ESCs to customize a risk management approach based on the general guidance rather than developing one on their own. In addition, we still believe making ESC risk information readily available will facilitate senior IRS executive management in identifying and sharing crosscutting organizational risks in a more timely and efficient manner and prevent potential conflicting solutions for addressing these risks. The ESCs can also benefit from prior attempts by other ESCs to address crosscutting risks, including successes and lessons learned. During the course of our review, we found that many ESCs already post key information (such as their meeting minutes) in a location readily accessible to other IRS users. As such, we believe that the ESCs could post applicable risk information in a similar manner without expending significant additional resources. If the postings are dated, other ESCs can easily determine if the risk information is current.
Recommendation 2: The CFO should develop procedures requiring any function within the IRS to notify the CFO whenever a new ESC is being implemented. The CFO should use this information to maintain a current list of all active ESCs and their areas of focus.
Management’s Response: CFO management agreed with our recommendation. The CFO coordinates completion of the annual Government Accountability Office Internal Control Management and Evaluation Checklist to evaluate internal controls and reports their status to the Department of the Treasury and the Government Accountability Office. In future checklist updates, the CFO plans to add a series of questions designed to identify current ESC status as well as identify any new ESCs formed, to serve as the basis for compiling a current list of active ESCs annually. The business units will also be given guidance outlining specific documentation that should be maintained for all active ESCs.
Additional Analyses of the Internal Revenue Service’s Risk Management Practices May Identify Potential Improvements
We believe regular internal reviews of the ESCs’ risk management activities would assist management in ensuring the ESCs are operating effectively and coordinating appropriately. In addition, IRS management should carefully monitor the efforts of the MITS business unit in establishing a formal risk management framework led by a dedicated executive to study the potential benefits, costs, and steps involved in moving long term towards a more formal IRS-wide risk management process.
Monitoring the effectiveness of risk management activities is a key component of a properly functioning risk management process. The Standards for Internal Control in the Federal Government state that control activities are an integral part of an entity’s planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. One key activity in this area is management reviews to compare actual performance to planned or expected results throughout the organization and analyze significant differences.
Regular reviews of the ESCs would assist management in identifying potential improvements in their risk management practices
Within the IRS, the Office of Program Evaluation and Risk Analysis (OPERA), which is located within the Office of Research, Analysis, and Statistics, has overall responsibility for evaluating risk management. However, we found that the OPERA has not performed a review of the risk management efforts of the ESCs since April 2006.[2]
Although IRS procedures assign responsibility for the performance of risk management reviews to the OPERA, they do not specifically require periodic internal reviews of the IRS’s risk management process. The reviews could serve a critical purpose by allowing the IRS to ensure risks are continually identified, assessed, addressed, and monitored to effectively and efficiently achieve organizational objectives. OPERA management informed us they perform their reviews primarily based on requests from IRS management rather than on an ongoing or routine basis. In addition, the general lack of uniform and readily available risk tracking information hinders the OPERA’s ability to fully review the risk management activities of the ESCs.
Evaluation of the IRS’s risk management process will provide the IRS additional assurance that risks are timely identified, assessed, addressed, and monitored to effectively and efficiently achieve organizational objectives. These reviews would also allow the IRS to evaluate the implementation of any enhancements it makes to its risk management process as a result of implementing actions to address our first report recommendation.
Continued monitoring of the MITS’ risk management process may identify potential benefits for a more formal IRS-wide risk management process
During our review, we determined that the MITS organization is in the early stages of developing a formalized, integrated risk management framework to manage information technology risks. Specifically, MITS organization management is implementing a dedicated group, headed by a senior executive, to focus on managing risks applicable to IRS information technology.
Although the OPERA provided early input in April 2010 on the MITS organization’s initiative, Office of Research, Analysis, and Statistics management informed us that they have no plans to further review this initiative or review the ESCs’ risk management practices. We believe this initiative should be monitored by the IRS in order to fully evaluate the potential benefits, costs, and steps involved in moving long term towards a more formal IRS-wide risk management process supported by a dedicated senior executive and supporting staff. Without a plan to monitor this initiative, the IRS cannot effectively leverage lessons learned from the implementation of the MITS organization initiative in any future improvements it decides to make in IRS-wide risk management efforts.
Recommendations
Recommendation 3: The Director, Research, Analysis, and Statistics, should develop procedures requiring that the OPERA review the risk management activities of the ESCs on a periodic basis.
Management’s Response: IRS management disagreed with our recommendation. Specifically, management stated that the OPERA’s role in risk management has been to evaluate opportunities for applying risk management and conduct risk analyses at the request of IRS senior leadership. The OPERA serves in an advisory and support role at the request of senior leadership and does not have primary responsibility for identifying and mitigating risks. The recommendation to develop procedures requiring the review of ESC risk management activities on a periodic basis may not provide additional value unless focused on specific needs of IRS senior leadership.
Office of Audit Comment: We recognize that, in general, the OPERA performs its work in response to requests from various senior leaders. However, much has changed within the IRS’s risk environment since the April 2006 review, including new legislative requirements, new executives and managers, and new technology. In addition, ERM practices have continued to evolve. Given the OPERA’s extensive past experience in reviewing the IRS’s risk management processes, we believe an updated review of the current IRS-wide risk management process would provide both IRS executives and external stakeholders with additional assurance that the ESCs are operating effectively and coordinating appropriately.
Recommendation 4: The CFO and the Director, Research, Analysis, and Statistics, should jointly monitor and evaluate the MITS organization risk management initiative in order to incorporate lessons learned from the implementation and study of the potential benefits, costs, and steps involved in moving towards a more formal IRS-wide risk management process.
Management’s Response: IRS management agreed with our recommendation and stated that the OPERA plans to serve as an advisor to MITS organization senior management in monitoring and evaluating the MITS organization risk management initiative. The MITS organization initiative is expected to clarify MITS organization Enterprise Governance committee responsibilities and create downstream dependence on its ESCs to provide input to support investment recommendations. To address anticipated increased emphasis on the ESC role in investment management, the MITS organization Governance office is compiling information on the roles and responsibilities outlined in each ESC charter. The results will be used to identify improvement opportunities for information technology governance and to develop recommended enhancements (if any) for consideration by the MITS organization Enterprise Governance committee. The CFO will review the MITS organization findings and consider their applicability to an overall IRS-wide risk management process.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to determine whether the IRS has an efficient process for managing risks to the achievement of its strategic objectives. To accomplish this objective, we:
I. Determined whether the IRS has established an overall framework to guide its efforts to manage risks to the achievement of its strategic objectives.
A. Researched the IRS intranet (including the OPERA and the CFO web sites) and the Internal Revenue Manual to identify any applicable policies and procedures that guide the IRS’s risk management process.
B. Analyzed the policies and procedures that guide the IRS’s overall risk management process.
C. Identified and evaluated any guidance or support provided by the OPERA in assisting the IRS with its development of an overall ERM framework.
D. Identified and evaluated any guidance or support provided by the CFO related to the IRS’s ERM framework.
II. Assessed whether the IRS has implemented a comprehensive risk management process to effectively and proactively identify, assess, address, and monitor risks to the achievement of its strategic objectives.
A. Determined the ESCs’ role in proactively identifying, assessing, addressing, and monitoring risks.
1. Based on our research and information provided by the CFO and the OPERA, we identified a population of 26 ESCs that were active in Fiscal Year 2010. Of the 26 active ESCs, we found that 9 were crosscutting and 17 were non-crosscutting. We selected a random sample of seven non-crosscutting ESCs. We further analyzed the charter and meeting minutes of the seven sampled non-crosscutting ESCs and all nine of the crosscutting ESCs.
2. Utilizing a questionnaire, evaluated the methods used by the ESCs in managing risks. The questionnaire was provided to a random sample of five crosscutting ESCs.
B. Evaluated coordination between the ESCs and the IRS’s four operating divisions and the MITS organization in the management of risks to strategic objectives.
C. Evaluated how the OPERA and the CFO provide oversight over the management of risks by the ESCs.
III. Determined whether the IRS is effectively communicating and coordinating risk information developed as a result of the efforts of the ESCs.
A. Reviewed the OPERA’s relationship with CFO management in regards to sharing risk information.
B. Evaluated whether five randomly selected ESCs have a risk reporting relationship with CFO management and whether the results of their risk management activities are shared with key stakeholders.
C. Determined how CFO management uses strategic planning information in the risk management activities of the ESCs.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the IRS’s policies and procedures for managing risks to the achievement of its strategic objectives. We evaluated these controls by interviewing management, reviewing a sample of the ESCs, and reviewing applicable documentation.
Appendix II
Major Contributors to This Report
Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations)
Jeffrey M. Jones, Director
Anthony J. Choma, Audit Manager
Kanika Kals, Lead Auditor
Yasmin Ryan, Senior Auditor
Autumn Gill, Evaluator
Dana Karaffa, Evaluator
Appendix III
Report Distribution List
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Technology Officer OS:CTO
Deputy Chief Financial Officer OS:CFO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
Chief Financial Officer OS:CFO
Director, Office of Research, Analysis and Statistics OS:RAS
Appendix IV
Management’s Response to the Draft Report
DEPARTMENT OF THE TREASURY
INTERNAL REVENUE SERVICE
WASHINGTON, D.C. 20224
CHIEF FINANCIAL OFFICER
August 3, 2011
MEMORANDUM FOR MICHAEL R. PHILLIPS
DEPUTY INSPECTOR GENERAL FOR AUDIT
FROM: Pamela J. LaRue /s/ Pamela J. LaRue
Chief Financial Officer
SUBJECT: Draft Audit Report – Risk Management Efforts Could Be Improved With Clearly Defined Procedures and Expanded Information Sharing (Audit # 201010020)
Thank you for the opportunity to comment on the subject draft report. We appreciate that your report recognizes the benefit of using Executive Steering Committees (ESCs) as an integral part of our risk management process. Furthermore, we agree with the recommendations to compile a listing of active ESCs and to monitor and evaluate the Modernization & Information Technology Services risk management initiative for applicability in establishing a more formal IRS-wide risk management process; however, we do not agree with those recommendations that require the ESCs to post risks in a central location and to direct the Office of Program Evaluation and Risk Analysis (OPERA) to monitor risk management activities of the ESCs on a periodic basis.
Attached are our detailed comments to
your recommendations. If you have any questions, please contact Peter Rose,
Acting Associate Chief Financial Officer, Corporate Planning and Internal
Control, at (202) 622-4508.
Attachment
Attachment
RECOMMENDATION 1
The CFO should develop policies and procedures to support the risk management
activities of the ESCs. These procedures should clearly define the process ESCs
should follow in identifying, assessing, addressing and monitoring risks. In
addition, the procedures should require the ESCs to post the risks they are
addressing in a location readily accessible to other ESCs and other users.
CORRECTIVE ACTION
The IRS disagrees with this recommendation. The IRS organizational culture is vital
to effective risk management, and its risk-averse culture is conducive to risk
mitigation at multiple levels of the organization. The IRS addresses risk
through an extensive use of cross-organizational governance processes - both
standing and ad hoc Executive Steering Committees (ESCs). Each ESC uses various
risk reporting and assessment processes appropriate to its charter and
function. Requiring all ESCs to adhere to a rigid set of policies and
procedures may constrain the options for addressing those challenges; however,
the IRS will develop limited guidance that allows for flexibility in assessing
risks, as needed.
The IRS disagrees that posting risks in a central location is beneficial. The IRS
has elements of risk management firmly embedded in its business practices which
actively address the risk culture. The ESCs are led by IRS senior executives
who have experience in applying management and leadership methods to specific
problems. The degree to which risk management should be a component of each ESC
should be determined by the leadership and be based upon enterprise
implications. The IRS ESCs share information, including risks as appropriate,
with relevant business units, and variances in issue and risk tracking are
addressed separately when ESCs have overlap on pertinent issues. Most ESCs meet
quarterly, if not more frequently, and risk monitoring and remediation are
integral parts of their Governance process. The IRS risks and their resolutions
change frequently, and having a repository would make the Governance process
burdensome and would not add value. The IRS also believes that the resources
required to maintain such a repository are not justifiable.
IMPLEMENTATION DATE
N/A
RESPONSIBLE OFFICIAL
N/A
CORRECTIVE ACTION MONITORING PLAN
N/A
RECOMMENDATION 2
The CFO should develop procedures requiring any function within the IRS to notify
the CFO whenever a new ESC is being implemented. The CFO should use this
information to maintain a current listing of all active ESCs and their areas of
focus.
CORRECTIVE ACTION
The IRS agrees with this recommendation. The CFO coordinates completion of the
annual Government Accountability Office Internal Control Management and
Evaluation Checklist to evaluate internal controls and reports their status to
the Department of the Treasury and GAO as required by Office of Management and
Budget Circular A-123, Management's Responsibility for Internal Control.
In future checklist updates, the CFO will add a series of questions designed to
identify current ESC status as well as identify any new ESCs formed, to serve
as the basis for compiling a current listing of active ESCs annually. The
business units will also be given guidance outlining specific documentation
that should be maintained for all active ESCs.
IMPLEMENTATION DATE
June 30, 2012
RESPONSIBLE OFFICIAL
Chief Financial Officer
CORRECTIVE ACTION MONITORING PLAN
N/A
RECOMMENDATION 3
The Director, Research, Analysis, and Statistics, should develop procedures
requiring that the OPERA review the risk management activities of the ESCs on a
periodic basis.
CORRECTIVE ACTION
The IRS disagrees with this recommendation. The Office of
Program Evaluation and Risk Analysis (OPERA) role in risk management has been
to evaluate opportunities for applying risk management and conduct risk
analyses at the request of IRS senior leadership. The OPERA serves in an
advisory and support role at the request of senior leadership and does not have
primary responsibility for identifying and mitigating risks. The recommendation
to develop procedures requiring the review of ESC risk management activities on
a periodic basis may not provide additional value unless focused on specific
needs of IRS senior leadership.
IMPLEMENTATION DATE
N/A
RESPONSIBLE OFFICIAL
N/A
CORRECTIVE ACTION MONITORING PLAN
N/A
RECOMMENDATION 4
The CFO and the Director, Research, Analysis, and Statistics, should jointly
monitor and evaluate the MITS organization risk management initiative in order
to incorporate lessons learned from the implementation and study the potential
benefits, costs, and steps involved in moving towards a more formal IRS-wide
risk management process.
CORRECTIVE ACTION
The IRS agrees with this recommendation. The OPERA will serve as an advisor to MITS senior management in
monitoring and evaluating the MITS risk management initiative. The MITS
initiative is expected to clarify MITS Enterprise Governance (MEG) committee
responsibilities and create downstream dependence on its ESCs to provide input
to support investment recommendations. To address anticipated increased
emphasis on the ESC role in investment management, the MITS Governance office
is compiling information on the roles and responsibilities outlined in each ESC
charter. The results will be used to identify improvement opportunities for IT
governance, and to develop recommended enhancements (if any) for consideration
by the MEG. The CFO will review the MITS findings and consider their
applicability to an overall IRS-wide risk management process.
IMPLEMENTATION DATE
September 30, 2012
RESPONSIBLE OFFICIAL
Chief Financial Officer
CORRECTIVE ACTION MONITORING PLAN
N/A
[1] The Committee of Sponsoring Organizations is a voluntary private-sector organization, established in the United States, dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.
[2] In performing the 2006 review, the OPERA collaborated with the National Academy of Science to evaluate, via case studies and observations, the IRS’s ERM capabilities.