Management Report
IRS's First-Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123
Gao ID: GAO-07-692R May 18, 2007
This letter summarizes our review of the Internal Revenue Service's (IRS) implementation of the requirements of the Office of Management and Budget's (OMB) revised Circular No. A-123, Management's Responsibility for Internal Control (A-123) during fiscal year 2006. These requirements are applicable to the 24 Chief Financial Officer (CFO) Act agencies, including the Department of the Treasury (Treasury), of which IRS is a significant component. The objectives of our review, which was conducted as part of our audit of IRS's fiscal year 2006 financial statements, were to determine whether (1) IRS appropriately planned and implemented its assessment of internal controls over financial reporting in accordance with the requirements of OMB Circular No. A-123, (2) IRS performed sufficient work to support its related assurance statement to Treasury, and (3) IRS's assurance statement appropriately represented the status of IRS's internal control over financial reporting.
IRS appropriately planned and implemented its first-year assessment of internal controls over financial reporting in accordance with the requirements of OMB Circular No. A-123 sufficient to support its assurance statement to Treasury as of June 30, 2006. However, full implementation of the requirements of the revised OMB Circular No. A-123 at an agency as large and complex as IRS is a major undertaking that will require a significant commitment of resources and several years to achieve. As we noted in our report on our audit of IRS's fiscal year 2006 financial statements and communicated to IRS and communicated to IRS during the course of our audit, we identified several areas where IRS could enhance its A-123 review process. Specifically, we found that IRS did not always clearly document procedures performed or how test results were linked to the resultant conclusions. In addition, although IRS was aware of the findings of audits performed by GAO and the Treasury Inspector General for Tax Administration (TIGTA), we did not always find documentation that these findings were consistently utilized by IRS in planning its A-123 reviews. We also did not find documentation that in planning its A-123 review, IRS appropriately considered the most recent audit of the Department of Agriculture's National Finance Center, which processes IRS's payroll transactions, or the extent to which its own information security work conducted in accordance with the Federal Information Security Management Act of 2002 (FISMA), met the objectives of OMB Circular No. A-123. Identifying existing reviews and audits related to internal controls over financial reporting, determining the extent to which these efforts can be used to complement the A-123 work, and assessing how that use might affect the scope and nature of procedures to be performed are an important part of the related planning process. Clearly documenting procedures conducted and consideration of existing reviews and audits reduces the risk that IRS may provide a degree of assurance on the effectiveness of its control over financial reporting that is not warranted by existing conditions. We also found that while the scope and nature of A-123 procedures performed by IRS during fiscal year 2006 were appropriate in the circumstances, as IRS's A-123 process moves to the next stage, additional work will be required. We found that (1) the tests IRS conducted focused on the execution of controls over individual transaction types, and have not yet effectively addressed the design of controls; (2) IRS has not yet tested controls over compliance with all significant financial-reporting-related laws and regulations; and (3) information security work IRS conducted under FISMA did not identify many of the vulnerabilities we identified during our testing of its information security as part of our fiscal year 2006 financial audit. Consequently, IRS's A-123 process was not at a point where it would have identified all of IRS's existing control deficiencies nor been sufficient to support an unqualified statement of assurance as of June 30, 2006, had that been appropriate in the circumstances. Also, once IRS is in a position to support an unqualified assurance statement, it will become necessary for it to conduct follow-up procedures during the last 3 months of the year subsequent to the June 30 A-123 reporting date to support an unqualified assurance statement as of September 30 to correspond with the date of our opinion on the effectiveness of IRS's internal controls. Because IRS had four material weaknesses in its internal controls in fiscal year 2006, the additional procedures that would be needed to support unqualified assurance were not necessary. However, IRS is working diligently to resolve its material weaknesses. As these issues are resolved, the scope and nature of procedures IRS will need to perform will gradually increase.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-07-692R, Management Report: IRS's First-Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123
This is the accessible text file for GAO report number GAO-07-692R
entitled 'Management Report: IRS's First-Year Implementation of the
Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123' which was released on May 18, 2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
May 18, 2007:
The Honorable Mark W. Everson:
Commissioner of Internal Revenue:
Subject: Management Report: IRS's First-Year Implementation of the
Requirements of the Office of Management and Budget's (OMB) Revised
Circular No. A-123:
Dear Mr. Everson:
This letter summarizes our review of the Internal Revenue Service's
(IRS) implementation of the requirements of the Office of Management
and Budget's (OMB) revised Circular No. A-123, Management's
Responsibility for Internal Control (A-123) during fiscal year 2006.
These requirements are applicable to the 24 Chief Financial Officer
(CFO) Act agencies, including the Department of the Treasury
(Treasury), of which IRS is a significant component. The objectives of
our review, which was conducted as part of our audit of IRS's fiscal
year 2006 financial statements,[Footnote 1] were to determine whether
(1) IRS appropriately planned and implemented its assessment of
internal controls over financial reporting in accordance with the
requirements of OMB Circular No. A-123, (2) IRS performed sufficient
work to support its related assurance statement to Treasury, and (3)
IRS's assurance statement appropriately represented the status of IRS's
internal control over financial reporting.
We performed our work from January through October 2006 as part of our
audits of IRS's fiscal years 2006 and 2005 financial statements. We
conducted our work in accordance with U.S. generally accepted
government auditing standards.
Results in Brief:
IRS appropriately planned and implemented its first-year assessment of
internal controls over financial reporting in accordance with the
requirements of OMB Circular No. A-123 sufficient to support its
assurance statement to Treasury as of June 30, 2006. Overall, we were
impressed by IRS's commitment to the successful implementation of OMB
Circular No. A-123, and its diligent efforts to effectively execute the
circular's requirements. IRS's approach was indicative of management's
recognition of its responsibility for the integrity of the
organization's internal control structure and its desire to make the
most of this process and effectively resolve its internal control
issues. However, full implementation of the requirements of the revised
OMB Circular No. A-123 at an agency as large and complex as IRS is a
major undertaking that will require a significant commitment of
resources and several years to achieve.
As we noted in our report on our audit of IRS's fiscal year 2006
financial statements and communicated to IRS during the course of our
audit, we identified several areas where IRS could enhance its A-123
review process. Specifically, we found that IRS did not always clearly
document procedures performed or how test results were linked to the
resultant conclusions. In addition, although IRS was aware of the
findings of audits performed by GAO and the Treasury Inspector General
for Tax Administration (TIGTA), we did not always find documentation
that these findings were consistently utilized by IRS in planning its A-
123 reviews. We also did not find documentation that in planning its A-
123 review, IRS appropriately considered the most recent audit of the
Department of Agriculture's National Finance Center, which processes
IRS's payroll transactions, or the extent to which its own information
security work conducted in accordance with the Federal Information
Security Management Act of 2002 (FISMA),[Footnote 2] met the objectives
of OMB Circular No. A-123. Identifying existing reviews and audits
related to internal controls over financial reporting, determining the
extent to which these efforts can be used to complement the A-123 work,
and assessing how that use might affect the scope and nature of
procedures to be performed are an important part of the related
planning process. Clearly documenting procedures conducted and
consideration of existing reviews and audits reduces the risk that IRS
may provide a degree of assurance on the effectiveness of its control
over financial reporting that is not warranted by existing conditions.
We also found that while the scope and nature of A-123 procedures
performed by IRS during fiscal year 2006 were appropriate in the
circumstances, as IRS's A-123 process moves to the next stage,
additional work will be required. We found that (1) the tests IRS
conducted focused on the execution of controls over individual
transaction types, and have not yet effectively addressed the design of
controls; (2) IRS has not yet tested controls over compliance with all
significant financial-reporting-related laws and regulations; and (3)
information security work IRS conducted under FISMA did not identify
many of the vulnerabilities we identified during our testing of its
information security as part of our fiscal year 2006 financial audit.
Consequently, IRS's A-123 process was not at a point where it would
have identified all of IRS's existing control deficiencies nor been
sufficient to support an unqualified statement of assurance as of June
30, 2006, had that been appropriate in the circumstances. Also, once
IRS is in a position to support an unqualified assurance statement, it
will become necessary for it to conduct follow-up procedures during the
last 3 months of the year subsequent to the June 30 A-123 reporting
date to support an unqualified assurance statement as of September 30
to correspond with the date of our opinion on the effectiveness of
IRS's internal controls.
Because IRS had four material weaknesses in its internal controls in
fiscal year 2006, the additional procedures that would be needed to
support unqualified assurance were not necessary. However, IRS is
working diligently to resolve its material weaknesses. As these issues
are resolved, the scope and nature of procedures IRS will need to
perform will gradually increase. As IRS continues to enhance its A-123
effort, it will need to consider these issues and take appropriate
steps to address them in order to position it to support statements of
unqualified assurance as of June 30 and September 30 as will become
appropriate at such time as IRS fully resolves its material weaknesses.
This report contains seven recommendations intended to assist IRS in
strengthening its A-123 process as it continues to mature, so that once
the process is fully developed, IRS will be able to rely on it to
identify any existing material weaknesses or other significant control
deficiencies. In so doing, IRS will also position itself so that once
its existing material internal control weaknesses are resolved, it will
be able to rely on its A-123 process to support appropriate unqualified
statements of assurance as of June 30 and September 30.
In its comments, IRS agreed with our recommendations and described
actions it had taken or plans to take to address the issues we raised
in this report. At the end of our recommendations for executive action,
we have summarized IRS's related comments and provided our evaluation.
Scope and Methodology:
In conducting our review of IRS's implementation of OMB Circular No. A-
123, we reviewed documentation and conducted discussions with IRS and
Treasury officials concerning how the A-123 process was planned,
implemented, summarized, and reported. Specifically, we reviewed and
discussed the following:
² Treasury's and IRS's strategy and overall plans for implementing OMB
Circular No. A-123 at IRS, including (1) how the process was to be
organized, staffed, supervised, and conducted, and (2) how the results
were to be summarized and reported, and appropriate corrective action
plans developed and implemented;
² Treasury's and IRS's selection of transaction processes considered
material to IRS;
² IRS's workpapers supporting its tests of controls over the 12 of the
45 transaction processes that we considered to be the most material to
IRS's financial statements, including internal controls over tax
revenue, tax refunds, taxes receivable, expenses, and budgetary
transactions;
² IRS's evaluation of entitywide controls, such as the overall control
environment, integrity and ethical values, information and
communications, and monitoring; and:
² IRS's A-123 assurance statement to Treasury and its relationship to
the underlying work and results.
We also observed IRS's tests of internal controls over (1) tax revenue
at one service center campus and one Taxpayer Assistance Center, and
(2) tax refunds at one service center campus. Additional details on our
scope and methodology are included in our fiscal year 2006 financial
statement audit report.
Background:
The passage of the Sarbanes-Oxley Act of 2002 (SOX)[Footnote 3] served
as an impetus for the federal government to review its existing
internal control requirements.[Footnote 4] SOX requires that management
of publicly traded companies strengthen their processes for assessing
and reporting on their internal control over financial reporting.
Consistent with the intent of SOX, the joint Chief Financial Officers
Council (CFOC)[Footnote 5] and President's Council on Integrity and
Efficiency (PCIE)[Footnote 6] committee recommended that OMB Circular
No. A-123 be strengthened to require a more rigorous assessment of
federal agencies' internal control over financial reporting. OMB
accepted this recommendation and worked with the CFOC/PCIE working
group to significantly revise its Circular No. A-123.
OMB's revised Circular No. A-123, along with its related implementation
guide,[Footnote 7] were effective for fiscal year 2006. OMB Circular
No. A-123 provides specific requirements for the 24 major departments
and agencies covered under the Chief Financial Officers Act of 1990
(CFO Act)[Footnote 8] to follow in conducting management's assessment
of the effectiveness of internal control over financial reporting. The
assessment process requires (1) understanding the control environment
including the financial reporting process, (2) understanding the design
of internal controls, (3) identifying and evaluating significant
classes of transactions and assessing risks, and (4) testing controls
to assess compliance. Based on the results of the assessment process,
each CFO Act agency is required to prepare a statement asserting the
effectiveness of its internal control over financial reporting as of
June 30 of each fiscal year, which is to be included in the agency's
Performance and Accountability Report (PAR).
IRS does not produce its own PAR. As a bureau of Treasury, however,
IRS's assurance statement is used by Treasury as a basis for its own
assurance statement, which is included in the department's PAR. The
assurance provided in this statement can take one of three forms: (1)
unqualified assurance, indicating that no material weaknesses were
found, (2) qualified assurance, indicating that one or more material
weaknesses were identified, or (3) a statement of no assurance,
indicating that no internal control process was in place or that
pervasive material weaknesses were found. Based on their A-123
assessment, agencies are required to develop an appropriate corrective
action plan to address any control deficiencies identified. OMB
Circular No. A-123 requires that agencies document their control over
financial reporting and the related assessment process, including key
decisions, the assessment methodology and its implementation, the
testing of controls and related results, and any corrective action
plan.
In fiscal year 2006, Treasury established the framework for the
implementation of the revised OMB Circular No. A-123 for all of its
bureaus, including IRS. This included establishing an overall
departmentwide implementation plan, identifying and documenting
controls significant to Treasury and assessing related risks, and
establishing milestones for implementation and completion of the A-123
process. Treasury also established a threshold to determine which of
the bureaus' transactions were considered material to the department's
consolidated financial statements.[Footnote 9] Based on this threshold,
Treasury required its bureaus to test controls over certain specific
financial transactions.
Within this overall framework, IRS established a management structure
under the direction of the CFO to organize and oversee IRS's
implementation of OMB Circular No. A-123. Major elements of IRS's A-123
process included:
* developing an IRS's specific implementation guide for the
implementation of OMB Circular No. A-123;
* identifying transaction processes considered material to IRS that had
not been identified by Treasury;
* planning and conducting tests of controls over 45 transaction
processes considered material to Treasury or IRS;
* reviewing the effectiveness of entitywide controls, including the
overall control environment, integrity and ethical values, information
and communications, and monitoring; and:
* reviewing compliance with certain laws and regulations pertinent to
financial reporting and internal control, including the Federal
Financial Management Improvement Act of 1996 (FFMIA);[Footnote 10] 31
U.S.C. § 3512(c), (d), commonly referred to as the Financial Managers'
Financial Integrity Act of 1982 (FIA); the CFO Act; and FISMA.
Based on the results of these procedures and considering the material
weaknesses reported by us in our previous audit of IRS's financial
statements,[Footnote 11] IRS provided Treasury qualified assurance that
its controls over financial reporting were effective as of June 30,
2006.
IRS Successfully Implemented the Revised OMB Circular No. A-123 in
Fiscal Year 2006:
IRS appropriately planned and implemented its assessments of internal
controls over financial reporting in accordance with the requirements
of OMB Circular No. A-123 sufficient to support its assurance statement
to Treasury as of June 30, 2006. We also noted that IRS elected to
implement this process using its own staff rather than contractors,
thereby taking advantage of the opportunity for IRS staff and
management to gain a better understanding of the intricacies of, and
issues associated with, the agency's complex internal control
structure. This, in turn, better positioned management and staff to
benefit from the lessons learned through this first year of
implementation. This approach was indicative of management's
recognition of its responsibility for the integrity of the
organization's internal control structure and its desire to make the
most of this process and effectively resolve its internal control
issues.
We also found that we were able to use some of the procedures performed
by IRS, such as its tests of entitywide controls and compliance with
the statutory requirement regarding the timing of tax lien releases, to
supplement or reduce the scope of our internal control testing
conducted as part of our audit of IRS's fiscal years' 2006 and 2005
financial statements.
Full implementation of the requirements of the revised OMB Circular No.
A-123 at an agency as large and complex as IRS is a major undertaking
that will require a significant commitment of resources and several
years to achieve. Additionally, due to the presence of four material
weaknesses in internal controls as of September 30, 2005,[Footnote 12]
the scope and nature of the A-123 work IRS needed to perform in fiscal
year 2006 was significantly less than would have been necessary had
these reported weaknesses not existed. In this context, we found that
(1) IRS appropriately planned and implemented its assessment of
internal controls in accordance with the requirements of OMB Circular
No. A-123, (2) IRS performed sufficient work to support its related
assurance statement to Treasury, and (3) IRS's assurance statement
appropriately represented the status of IRS's internal control over
financial reporting.
Opportunities for IRS to Enhance the A-123 Process:
While we found that IRS's first-year implementation of the revised OMB
Circular No. A-123 enabled it to fully support its June 30, 2006,
assurance statement, our review identified several opportunities to
enhance the process to better ensure that future reviews will fully
address the requirements of the revised OMB Circular No. A-123 as IRS's
implementation process continues to develop. Specifically, we
identified opportunities with respect to (1) the documentation of
completed test procedures and (2) the scope and nature of test
procedures conducted.
Documentation of Test Procedures Conducted:
We found that the conclusions IRS reached concerning the effectiveness
of its controls were appropriate. Nevertheless, IRS's documentation of
the results of certain specific transaction tests did not always
clearly indicate what internal control test procedures were performed
or how conclusions were reached. For example, IRS's summary of work on
its tests of invoice or voucher payment and approval noted that there
were no errors found, and concluded that controls were effective.
However, the summary also noted that IRS personnel found 3 errors in
testing 45 sample items, which appeared to indicate that controls were
not effective.[Footnote 13] Based on discussions with IRS staff, we
determined that although it was not apparent from the documentation in
the workpapers, the 3 errors noted were actually not related to the
control attributes being tested and hence, did not affect the
conclusion. However, such ambiguity and lack of clarity in test
documentation and its relationship to the related conclusions increases
the risk that conclusions may not reflect actual existing control
conditions.
As provided for in OMB Circular No. A-123, and in accordance with the
overall approach defined by Treasury, IRS used the results of existing
audits and reviews to supplement its testing. We found that, in its
remediation plans prepared in accordance with FIA, IRS considered the
findings of the audits of GAO and TIGTA. Also, we noted that several of
IRS's A-123 test plans incorporated procedures for consideration of
prior audits and reviews relevant to the controls being tested.
However, IRS did not always document how it considered these audits and
reviews in determining the nature, scope, and timing of procedures it
planned to conduct under OMB Circular No. A-123. For example, the IRS
planning documents and workpapers did not always document how it
considered the results of the following audits and reviews in
formulating the nature, scope, and timing of its test procedures: (1)
GAO audits, such as our prior audits of IRS's financial statements, (2)
TIGTA audits or reviews that may have been relevant to IRS's internal
control over financial reporting, or (3) its own information security
work conducted under FISMA. We also did not see documentation of IRS's
consideration of the results of the most recent audit of the controls
over the Department of Agriculture's National Finance Center, which IRS
relies on to process its payroll transactions. By consistently
documenting how it considered these prior audits and reviews, IRS would
reduce the risk that it may (1) not appropriately consider issues
significant to IRS's internal control over financial reporting, (2)
place undue reliance on reviews whose scope and methodology is not well
suited to the objectives set out in OMB Circular No. A-123, or (3)
perform unnecessary duplicative work.
Scope and Nature of Test Procedures Conducted:
As noted above, the procedures conducted by IRS were adequate to
support the qualified assurance it provided as of June 30, 2006.
However, as IRS moves to an unqualified opinion on its internal control
in the future, its procedures will need to further evolve.
IRS's control testing approach was not yet at the stage that it fully
considered the design of control over financial reporting. Rather, the
approach was largely transaction based. Consequently, IRS's tests would
not likely have identified some of the significant systemic control
design deficiencies that we have reported in our audits of IRS's
financial statements, including IRS's lack of (1) a subsidiary ledger
for taxes receivable, (2) cost accounting capabilities necessary to
readily determine the costs of its activities and programs in multiple
business units, or (3) a U.S. Standard General Ledger-compliant general
ledger for its tax-related transactions. Because IRS had not yet fully
considered the design of internal control over financial reporting, the
risk is increased that in the absence of our annual audit of IRS's
financial statements, it may not identify all deficiencies in the
design of its related controls.
As noted above, IRS reviewed compliance with FFMIA, FIA, the CFO Act,
and FISMA. IRS also tested compliance with the legal requirement that
liens on taxpayer property be released within 30 days of the
satisfaction of the debt.[Footnote 14] However, IRS had not yet tested
controls over compliance with other significant financial-related laws
and regulations. For example, its testing did not address controls over
compliance with the Anti-Deficiency Act, as amended[Footnote 15] or the
Prompt Payment Act.[Footnote 16] OMB Circular No. A-123 defines the
scope of assessing and documenting internal control over financial
reporting to include compliance with laws and regulations. However,
since IRS did not test controls over compliance with several laws and
regulations significant to financial reporting, its management could
not have provided unqualified assurance regarding the design and
operating effectiveness of controls in this area, had that been
warranted.
IRS's use of work it performed under FISMA to meet the requirements of
OMB Circular No. A-123 as it relates to information technology security
controls was permitted by A-123 and was in accordance with Treasury's
overall approach. Such use requires that the work be conducted in a
manner sufficient to meet the requirements of OMB Circular No. A-123,
as well as FISMA. However, we did not see evidence that IRS assessed
whether the work being conducted under FISMA was sufficient to meet the
objectives set out in OMB Circular No. A-123, for which the FISMA work
was not originally designed. Our review of IRS's information security
conducted as part of our fiscal year 2006 financial audit found
weaknesses indicating that IRS's FISMA work was not always sufficient
to meet the related objectives of the OMB circular. For example, as
part of IRS's FISMA work, it tested and evaluated security controls for
each of the automated systems we reviewed as part of our fiscal year
2006 financial audit.[Footnote 17] However, we found that IRS's FISMA
testing did not address many of the vulnerabilities we reported based
on our work. For example, IRS's test and evaluation plan for its
procurement system did not include tests for password expiration,
insecure protocols, or removal of employees' system access after
separation from the agency. Consequently, the information security work
IRS conducted in accordance with FISMA did not identify many of the
vulnerabilities we identified during our audit of IRS's fiscal year
2006 financial statements, nor assess the risks associated with those
vulnerabilities. This increases the risk that IRS's information
security work conducted to comply with FISMA may not satisfy the
related objectives set out in OMB Circular No. A-123.
IRS did not perform procedures under OMB Circular No. A-123 during the
last 3 months of fiscal year 2006 to verify that the state of its
internal controls had not significantly changed since the date of its
assurance statement, which was June 30. OMB Circular No. A-123 does not
require such procedures, but does permit agencies to adjust the "as of"
date of their assurance statement if the agency is receiving a separate
audit opinion on its internal controls as of September 30. Given the
four material weaknesses in IRS's internal control that we had
identified during our audit of IRS's financial statements,[Footnote 18]
not testing internal control during the fourth quarter did not affect
IRS's assurance statement for internal controls as of September 30,
2006.[Footnote 19] In future years, at such time as IRS has effectively
resolved its existing material internal control deficiencies, follow-up
procedures to test controls during the last 3 months of the fiscal year
will become necessary in order for IRS to assert that its internal
controls are effective as of September 30.
As noted above, fiscal year 2006 was the first year IRS implemented the
requirements of the revised OMB Circular No. A-123, and this process
will likely take several more years to fully mature. As the process
continues to develop, IRS will need to overcome a number of significant
challenges, such as balancing the significant resource needs of this
process with the ongoing demands of its daily operations. In addition,
many of the related tasks, such as documenting internal controls,
assessing related risks, evaluating the design of controls, conducting
appropriate tests of the operating effectiveness of controls,
evaluating and reporting the results of these tests, and appropriately
documenting these internal control procedures, are skills typically
associated with financial auditors. Implementing OMB Circular No. A-123
has required IRS's staff to assume responsibilities for which their
prior training and operational experience had typically not prepared
them. As it continues to implement OMB Circular No. A-123, IRS will
need to successfully meet these challenges in order to minimize the
risk that, in the absence of our annual financial audit, significant
deficiencies in internal controls might exist and not be identified in
this process. Should this occur, IRS might provide a level of assurance
on the effectiveness of its internal controls not warranted by existing
conditions.
Conclusion:
IRS did a commendable job in its first-year implementation of the
requirements of the revised OMB Circular No. A-123. IRS's decision to
rely on its own staff to conduct this work, while presenting challenges
in the short term, also has the potential to pay significant dividends
in the future in terms of IRS's ability to make effective use of its A-
123 findings to improve operations. As IRS moves forward, it should
work to enhance the documentation of the procedures it performs. In
addition, while IRS's A-123 process in fiscal year 2006 was adequate to
support its June 30, 2006, assurance statement to Treasury, it is
important to recognize that additional work will be needed to provide
the unqualified assurance statement that will become appropriate once
IRS has addressed the long-standing material weaknesses it is currently
confronting. IRS is working diligently to correct its material
weaknesses. It is therefore important that as IRS continues to make
progress in this regard, it also enhance its A-123 process to be better
positioned to support an unqualified statement of assurance on the
effectiveness of its internal control over financial reporting once its
material weaknesses have been resolved.
Recommendations for Executive Action:
To assist IRS in strengthening its implementation of A-123 reviews in
future years, we recommend that IRS:
² document the results of internal control tests conducted in a manner
sufficiently clear and complete to explain how control procedures were
tested, what results were achieved, and how conclusions were derived
from those results, without reliance on supplementary oral explanation;
² clearly document how it considered existing reviews and audits in
determining the nature, scope, and timing of procedures it planned to
conduct under its A-123 process;
² to the extent that it intends to use the information security work
conducted under FISMA to meet related A-123 requirements, identify the
areas where the work conducted under FISMA does not meet the
requirements of OMB Circular No. A-123 and, considering the findings
and recommendations of our work on IRS's information security, expand
FISMA procedures or perform additional procedures as part of the A-123
reviews to augment FISMA work;
² revise test plans to include appropriate consideration of the design
of internal controls in addition to implementation of controls over
individual transactions;
² work with Treasury to identify laws and regulations that are
significant to financial reporting, test controls over compliance with
those laws and regulations, and evaluate and report on the results of
such control reviews;
² begin devising appropriate A-123 follow-up procedures for the last 3
months of the fiscal year to be implemented once the material
weaknesses identified through the annual financial statement audits
have been resolved; and:
² provide A-123 review staff appropriate training, such as that
available for financial auditors, to enhance their skills in workpaper
documentation, identification and testing of internal controls, and
evaluation and documentation of results.
Agency Comments and Our Evaluation:
In commenting on a draft of this report, IRS agreed with our
recommendations and expressed its appreciation that we acknowledged the
agency's commitment and diligence in implementing the revised OMB
Circular No. A-123 requirements during fiscal year 2006. IRS noted that
it had established a credible A-123 program and used the results of the
tests conducted to improve IRS's internal control environment.
IRS agreed with our recommendations to clearly document the results of
tests conducted and how it considered existing reviews and audits in
determining the extent of its test procedures, and to provide staff
involved in the A-123 review process with appropriate training. IRS
indicated that it had provided enhanced training to testers and
reviewers in preparation for its fiscal year 2007 A-123 process
covering such aspects as evaluating audit evidence, preparing
workpapers, reviewing and evaluating internal controls, and evaluating
the materiality of errors. IRS also agreed with our recommendation that
it should revise its test plans to include an appropriate consideration
of the design of internal controls in addition to implementation of
controls over individual transactions. IRS stated that it will include
such analysis of the design for each transaction set tested in its
fiscal year 2008 A-123 process.
IRS also agreed with our recommendation that it identify the areas
where its work conducted under FISMA does not meet A-123 requirements,
and either expand FISMA procedures or perform additional procedures as
part of the A-123 reviews to augment its FISMA work. IRS stated that it
will continue to work with Treasury and us to improve its FISMA
procedures or A-123 test plans.
Additionally, IRS agreed with our recommendation that it work with
Treasury to identify laws and regulations that are significant to
financial reporting, test controls over compliance with laws and
regulations, and evaluate and report on the results of such control
reviews. IRS indicated that it has performed an initial crosswalk of
laws and regulations significant to financial reporting during fiscal
year 2007 and will further refine this linkage in preparation for the
fiscal year 2008 A-123 process. Finally, IRS agreed with our
recommendation that it devise appropriate A-123 follow-up procedures
for the last three months of the fiscal year to be implemented once the
material weaknesses identified through the annual financial statement
audits have been resolved. IRS stated that in fiscal year 2008, it will
begin to develop follow-up procedures that provide assurance for the
last three months of the fiscal year. We will evaluate the
effectiveness of IRS's efforts in addressing our recommendations during
our future audits of IRS financial statements.
This report contains recommendations to you. The head of a federal
agency is required by 31 U.S.C. § 720 to submit a written statement on
actions taken on these recommendations. You should submit your
statement to the Senate Committee on Homeland Security and Governmental
Affairs and the House Committee on Oversight and Government Reform
within 60 days of the date of this report. A written statement must
also be sent to the Senate and House Committees on Appropriations with
the agency's first request for appropriations made more than 60 days
after the date of the report.
This report is intended for use by the management of IRS. We are
sending copies to the Chairmen and Ranking Minority Members of the
Senate Committee on Appropriations; Senate Committee on Finance; Senate
Committee on Homeland Security and Governmental Affairs; Subcommittee
on Taxation and IRS Oversight, and Long-Term Growth, Senate Committee
on Finance; House Committee on Appropriations; House Committee on Ways
and Means; and House Committee on Oversight and Government Reform. We
are also sending copies of this report to the Chairman and Vice
Chairman of the Joint Committee on Taxation, the Secretary of the
Treasury, the Director of OMB, the Chairman of the IRS Oversight Board,
and other interested parties. Copies will be made available to others
upon request. In addition, the report is available at no charge on
GAO's Web site at http://www.gao.gov.
We acknowledge and appreciate the cooperation and assistance provided
by IRS officials and staff during our review. If you have any questions
or need assistance in addressing these matters, please contact me at
(202) 512-3406 or sebastians@gao.gov. GAO staff who made major
contributions to this report are listed in enclosure III.
Sincerely yours,
Signed by:
Steven J. Sebastian:
Director:
Financial Management and Assurance:
Enclosures:
[End of section]
Enclosure I: Comments from the Department of Treasury:
Department Of The Treasury:
Internal Revenue Service:
Washington, D.C. 20224:
Commissioner:
May 11, 2007:
Mr. Steven J. Sebastian, Director:
Financial Management and Assurance:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Sebastian:
I am writing in response to the draft Government Accountability Office
(GAO) report titled "Management Report: IRS's First Year Implementation
of the Office of Management and Budget's (OMB) Revised Circular No. A-
123" (GAO-07-692R).
I appreciate your recognition of our commitment and diligence in
implementing the revised OMB Circular No. A-123, Management's
Responsibility for Internal Controls (A-123) in FY 2006. In the first
year, we established a credible A-123 program within current resources
and used the test results to improve the internal control environment.
We have improved our FY 2007 A-123 testing approach through early
implementation of some of your recommendations, including providing
enhanced training to testers and reviewers and emphasizing the need for
thorough documentation of all tests. I have enclosed a response which
addresses each GAO recommendation.
We appreciate your recommendations to improve our management controls.
If you have any questions, please contact Mary E. Davis, Associate
Chief Financial Officer for Corporate Planning and Internal Control, at
(202) 622-2955.
Sincerely,
Signed for:
Mark W. Everson:
Enclosure:
GAO Recommendations and IRS Responses to GAO Management Report:
IRS's First Year Implementation of the Office of Management and
Budget's (OMB) Revised Circular No. A-123 GAO-07-692R:
Recommendation 1: Document the results of internal control tests
conducted in a manner sufficiently clear and complete to explain how
control procedures were tested, what results were achieved, and how
conclusions were derived from those results, without reliance on
supplementary oral explanation.
Comments: We agree with this recommendation. In preparation for the FY
2007 A-123 process, we delivered a training course on documentation
requirements for the A-123 testers, incorporating suggestions provided
by GAO and lessons learned during our FY 2006 implementation. Testers
also attended an external course focused on the evaluation of audit
evidence and work paper preparation, and we also instituted additional
review steps to ensure the work papers provided sufficient support for
the tea: conclusions. As we prepare for the FY 2008 A-123 cycle, we
will continue to enhance our in-house training to address the clarity
and completeness of our explanations.
Recommendation 2: Clearly document how IRS considered existing reviews
and audits in determining the nature, scope, and timing of procedures
it planned to conduct under its A-123 process.
Comments: We agree with this recommendation. We incorporated
requirements to document the existing reviews and audits in our FY 2007
test plan templates.
Recommendation 3: To the extent that IRS intends to use the information
security work conducted under FISMA to meet related A-123 requirements,
identify the areas where the work conducted under FISMA does not meet
the requirements of OMB Circular No. A-123 and, considering the
findings and recommendations of our work on IRS's information security,
expand FISMA procedures or perform additional procedures as part of the
A-123 reviews to augment FISMA work.
Comments: We agree with this recommendation. We will continue to work
with Treasury and GAO to improve either our FISMA procedures or A-123
test plans.
Recommendation 4: Revise test plans to include appropriate
consideration of the design of internal controls in addition to
implementation of controls over individual transactions.
Comments: We agree with this recommendation. The FY 2008 A-123 cycle
will include a requirement to include an analysis of the design for
each transaction set tested.
Recommendation 5: Work with Treasury to identify laws and regulations
that are significant to financial reporting, test controls over
compliance with those laws and regulations, and evaluate and report on
the results of such control reviews.
Comments: We agree with this recommendation. In FY 2007 we performed an
initial crosswalk of the laws and regulations significant to financial
reporting to our test plans. We will further refine this linkage in
preparation for our FY 2008 A-123 process.
Recommendation 6: Begin devising appropriate A-123 follow-up procedures
for the last three months of the fiscal year to be implemented once the
material weaknesses identified through the annual financial statement
audits have been resolved.
Comments: We agree with this recommendation. Although implementation of
such procedures is not necessary until elimination of the outstanding
material weaknesses, we will begin to develop follow-up procedures in
FY 2008 that provide assurance for the last three months of the fiscal
year.
Recommendation 7: Provide A-123 review staff appropriate training, such
as that available for financial auditors, to enhance their skills in
workpaper documentation, identification and testing of internal
controls, and evaluation and documentation of results.
Comments: We agree with this recommendation. As indicated under
recommendation number 1, we provided testers and reviewers with
enhanced training for the FY 2007 A-123 cycle. The training was
designed to improve proficiency in documentation and analysis in the
reviews, including the process to be followed when reviewing or
performing tests of internal controls, determining if the controls are
functioning appropriately, and evaluating the materiality of errors. We
will continue to provide annual training at the beginning of each A-123
cycle.
[End of section]
Enclosure II: Staff Acknowledgments:
Acknowledgments:
The following individuals made major contributions to this report:
Charles Fox, Assistant Director; Charles Ego; Nina Crocker; John Davis;
Ted Hu; Jerrod O'Nelio; John Sawyer; Angel Sharma; Cynthia Teddleton;
and Truc Tuck.
(196151):
FOOTNOTES
[1] GAO, Financial Audit: IRS's Fiscal Years 2006 and 2005 Financial
Statements, GAO-07-136 (Washington, D.C.: Nov. 9, 2006).
[2] FISMA was enacted as Title III of the E-Government Act of 2002,
Pub. L. No. 107-347, 116 Stat. 2946 (Dec. 17, 2002).
[3] Pub. L. No. 107-204, 116 Stat. 745 (July 30, 2002).
[4] OMB Circular No. A-123, at App. A, Part 1, at p. 20 (rev. Dec 21,
2004).
[5] The CFOC, established pursuant to the CFO Act of 1990 (Pub. L. No.
101-576, § 302, 104 Stat. 2838, 2848 [Nov. 15, 1990]), is an
organization of Chief Financial Officers (CFO) and Deputy CFOs of the
largest Federal agencies and senior officials of OMB and Treasury. The
purpose of the council is to advise and coordinate the activities of
the agencies of its members on such matters as consolidation and
modernization of financial systems, improved quality of financial
information, financial data and information standards, internal
controls, legislation affecting financial operations and organizations,
and any other financial management matter. The Deputy Director for
Management of OMB is the CFOC's chair.
[6] The PCIE--which is governed by Executive Order No. 12805 of May 11,
1992--was established to (1) address integrity, economy, and
effectiveness issues that transcend individual government agencies and
(2) increase the professionalism and effectiveness of inspectors
general personnel throughout the government. The PCIE is composed
primarily of the presidentially appointed inspectors general. Officials
from OMB, the Federal Bureau of Investigation, Office of Government
Ethics, Office of Special Counsel, and Office of Personnel Management
serve on the PCIE as well. The PCIE acts as a liaison with the CFOs by
attending the CFOC meetings and participating and planning joint
meetings, sessions, and task forces.
[7] OMB, Implementation Guide for OMB Circular A-123, Management's
Responsibility for Internal Control. Appendix A, Internal Control Over
Financial Reporting (Washington, D.C.: July 2005).
[8] Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 5, 1990). The 24 CFO Act
agencies are listed at 31 U.S.C. § 901(b).
[9] Treasury determined that every Treasury's consolidated financial
statement line item greater than 1.5 percent of the section total is
material to Treasury. Further, if a bureau contributed 10 percent or
more of the balance of one of these material line items, Treasury
directed that the bureau must test the applicable process transaction
controls for A-123 purposes.
[10] Pub. L. No. 104-208, div. A, §101(f), title VIII, 110 Stat. 3009,
3009-389 (Sept. 30, 10996).
[11] GAO, Financial Audit: IRS's Fiscal Years 2005 and 2004 Financial
Statements, GAO-06-137 (Washington, D.C.: Nov. 10, 2005).
[12] GAO-06-137.
[13] With a sample size of 45 items, the auditor concludes that if more
than one deviation is found, the controls being tested are not
operating effectively. GAO/PCIE, Financial Audit Manual, section
450.13, GAO-01-765G (Washington, D.C.: July 2001).
[14] 26 U.S.C. § 6325.
[15] See 31 U.S.C. § 1341(a)(1) and 31 U.S.C. § 1517(a).
[16] Codified, as amended, in part of at 31 U.S.C. § 3902(a), (b), and
(f) and 31 U.S.C. § 3904.
[17] GAO, Information Security: Further Efforts Needed to Address
Significant Weaknesses at the Internal Revenue Service, GAO-07-364
(Washington, D.C.: Mar. 30, 2007).
[18] GAO-06-137.
[19] In addition to its qualified A-123 statement of assurance on the
effectiveness of its internal control over financial reporting as of
June 30, 2006, IRS also provided a statement of qualified assurance
concerning the effectiveness of its internal control over financial
reporting, compliance with laws and regulations, and performance
reporting as of September 30, 2006, in the management representation
letter it provided to us as part of our audit of IRS's fiscal year 2006
financial statements. Due to the existence of four material weaknesses
in IRS's internal control, we rendered our opinion directly on the
effectiveness of IRS's internal control as of September 30, 2006,
rather than on its assurance statement. However, once our tests of
IRS's internal control, including control over financial reporting,
determine that IRS has resolved all its material weaknesses and IRS
provides the related unqualified statement of assurance on its overall
internal control as of September 30, we will render our opinion on
IRS's internal control based on the appropriateness of IRS's assurance
statement.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site.
To have GAO e-mail you a list of newly posted products every afternoon,
go to www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548: