1.4.32 Internal Control Review Program 1.4.32.1 Program Scope and Objectives 1.4.32.1.1 Background 1.4.32.1.2 Authorities 1.4.32.1.3 Responsibilities 1.4.32.1.3.1 CFO and Deputy CFO 1.4.32.1.3.2 Associate CFO for Internal Controls 1.4.32.1.3.3 Internal Reviews 1.4.32.1.3.4 Business Units 1.4.32.1.4 Program Management and Review 1.4.32.1.5 Program Controls 1.4.32.1.6 Terms/Definitions 1.4.32.1.7 Acronyms 1.4.32.1.8 Related Resources 1.4.32.2 Analytical Support 1.4.32.3 Selection of Program Reviews 1.4.32.4 Review Selection Notification 1.4.32.5 Review Procedures 1.4.32.6 Reporting Process 1.4.32.7 Report Approval Process 1.4.32.8 Business Unit Post Review 1.4.32.9 Records Retention/Accessibility of Reports Part 1. Organization, Finance, and Management Chapter 4. Resource Guide for Managers Section 32. Internal Control Review Program 1.4.32 Internal Control Review Program Manual Transmittal January 19, 2024 Purpose (1) This transmits revised IRM 1.4.32, Resource Guide for Managers, Internal Control Review Program. Material Changes (1) Minor editorial changes made throughout the IRM. Effect on Other Documents IRM 1.4.32, dated January 31, 2022, is superseded. Audience All business units Effective Date (01-19-2024) Teresa R. Hunter Chief Financial Officer 1.4.32.1 (01-31-2022) Program Scope and Objectives This IRM provides general guidance on the Internal Control Review (ICR) program and the established procedures designed to support the CFO’s efforts to improve the quality of IRS internal controls throughout the IRS. The ICR program provides business units with insight into the effectiveness of their implemented corrective actions for audit recommendations issued by the Government Accountability Office (GAO) and TIGTA, which evaluates critical controls over IRS programs that may be high-risk, high-priority or high-visibility. This independent examination assists the business units when they review and evaluate their internal control processes. Purpose: Internal controls include activities used to monitor processes, procedures and programs to ensure they are operating as intended. Effective internal controls are also the first line of defense for safeguarding assets, preventing and detecting errors and mitigating risk. Internal controls are a vital tool allowing each manager to evaluate and monitor programs proactively and eliminate deficiencies timely. Business unit program managers have the primary responsibility for ensuring effective controls over their specific programs. The ICR analyst performs reviews to determine whether there are any internal control deficiencies and provides recommendations to improve or strengthen internal controls. The ICR program assists IRS senior leadership with oversight by providing independent insight into the status of program controls. Audience: IRS managers and employees. Policy Owner: The CFO, Office of Internal Controls (IC), is responsible for this IRM. Program Owner: Internal Reviews, Internal Control Review program, promotes knowledge management and sharing of internal controls throughout the Service by reviewing, testing, measuring and reporting on various controls. Primary Stakeholder: This IRM and its related procedures apply to the entire IRS workforce. It is incumbent upon the program owners to evaluate the effectiveness of their programs. The term “program” in this IRM includes processes, projects, operations and any supporting activities. Program Goals: The Servicewide ICR program supports ongoing program improvements by conducting a thorough analysis of internal controls and identifying potential deficiencies. The process is intended to allow ICR to evaluate the way a program works and make recommendations for improvements to controls and risk mitigation strategies. This, in turn, allows the program owners to develop and implement process improvements and strengthen controls, thereby eliminating deficiencies and mitigating risks before a program failure occurs or external stakeholders are adversely affected. All managers have a responsibility to perform periodic monitoring to review the accuracy and effectiveness of the internal controls. As required by IRM 1.4.2, Monitoring and Improving Internal Control, all program managers are responsible for ensuring their programs have effective controls in place and for monitoring those controls for continued effectiveness over time. 1.4.32.1.1 (01-31-2022) Background This section clarifies ICR’s role throughout the Service: The ICR program partners with the business units to identify gaps, deficiencies, weaknesses or program concerns and to provide the business units with recommendations to improve or strengthen internal controls. The ICR analyst applies a variety of methods (for example, administrative, analytical or technical) when evaluating and examining a program, procedure or process. Once the ICR analyst concludes the review, the Office of Internal Controls issues the relevant business unit’s report to the point of contact (POC). The relevant business report includes results, conclusions, recommendation and findings, if applicable. 1.4.32.1.2 (01-19-2024) Authorities Federal Manager’s Financial Integrity Act (FMFIA) of 1982. Under 31 USC Section 3512(c) and (d) of the FMFIA, federal agencies are required to establish internal control over their accounting and administrative (operational) activities and review internal control systems periodically. The FMFIA also requires GAO to prescribe internal control standards to serve as criteria for those reviews. Standards for Internal Control in the Federal Government (also known as the “Green Book”) GAO-14-704G. The GAO issued Standards for Internal Control in the Federal Government (Green Book). The Green Book provides the overall framework for agencies to establish, maintain and assess internal control over agency operations. As part of the monitoring component, the Green Book directs agency personnel to monitor their respective internal control systems, evaluate the results and remediate identified internal control deficiencies timely. Treasury Directive 40-04, Treasury Internal Control Program. Treasury Directive 40-04, Treasury Internal Control Program (TICP) (dated 7/12/2017), requires bureau heads and other officials to take all necessary steps to create an environment within their respective organizations that ensures adherence to all applicable statutory and regulatory standards related to operational, financial, program and administrative internal controls. This includes providing assurances to Treasury that the internal controls within their respective organizations adhere to applicable statutory and regulatory standards and ensure timely completion of corrective actions for identified control deficiencies. 1.4.32.1.3 (01-31-2022) Responsibilities This section provides responsibilities for: CFO and Deputy CFO Associate CFO for Internal Controls Internal Reviews Business units 1.4.32.1.3.1 (09-26-2019) CFO and Deputy CFO The CFO and Deputy CFO manage a portfolio of enterprise-wide activities including budget formulation, budget execution, accounting, financial management, and internal controls. 1.4.32.1.3.2 (09-26-2019) Associate CFO for Internal Controls The Associate CFO for Internal Controls administers the IRS internal controls program and is responsible for coordinating and executing processes that assess the completeness and effectiveness of internal controls and support annual assurance and financial statement audit activities by: Evaluating the effectiveness of internal controls. Partnering with business units to implement and evaluate Office of Management and Budget (OMB) Circular A-123 requirements. Developing detailed procedures, documentation, training for managers and employees and reporting requirements necessary to review, establish, maintain, test, improve and report on the IRS’s control systems. Providing advice and assistance to managers and their internal control coordinators. 1.4.32.1.3.3 (01-31-2022) Internal Reviews Internal Reviews’ (IR) staff responsibilities include: Establishing and documenting the ICR program processes, policies and procedures. Collecting and analyzing data relevant to the program under review. Developing a test plan or a preliminary research memorandum as appropriate for any review, which states the objective, focus areas, related IRM references or external audits, issues identified and any additional comments important to the review. Providing a report outlining the purpose, scope, background analysis, findings, and conclusions, in addition to any recommendations from the ICR team. 1.4.32.1.3.4 (09-26-2019) Business Units Managers are responsible for improving and strengthening internal controls. Program management responsibility with respect to the ICR program is to: Monitor controls with higher risk and greater vulnerabilities. Identify subject matter experts (SMEs) for each program, process, or procedure. Foster communication and develop a strategy to engage staff by encouraging the importance of internal controls. Track and address open GAO, TIGTA, and Financial Assurance Control Testing (FACT) audit findings and recommendations. Managers and SMEs are responsible for: Providing documentation to ICR program staff upon request. Providing comments on potential findings within the report. SMEs are responsible for: Coordinating timely responses to ICR inquiries via the designated ICR POC. Coordinating logistics for ICR team field visits. 1.4.32.1.4 (09-26-2019) Program Management and Review Program reporting includes the following: The ICR team develops a post-review report detailing methodology, testing, findings and recommendations, as appropriate. Internal Controls leadership delivers the report to the owner of the program being reviewed. The report may be provided to external stakeholders under certain circumstances. For example, reports and related materials will be provided upon request to TIGTA or GAO; reports may be provided automatically where the review is being conducted in conjunction with requirements of a larger audit process, such as the annual Campus Physical Security review performed in support of the GAO Financial Statement Audit. Findings may be reported to the Management Controls Executive Steering Committee (MC ESC) if the program is of sufficient scope and the control deficiencies discovered during the review are of sufficient seriousness to warrant a broad leadership discussion. General, aggregated results of reviews performed during the year will be used to support IRS’s annual assurance statement. Results of reviews may be used to support the development of remediation plans where control deficiencies are significant enough to warrant this approach. Qualitative evaluation of this program’s effectiveness is determined by: Whether business units report successful completion of corrective actions related to the ICR team’s recommendations. Whether business units implement new controls or measures based on ICR’s reviews. When applicable, how external stakeholders such as TIGTA and GAO use or interpret the findings and recommendations of the ICR team and whether they find the analysis and recommendations thoughtful, insightful and comprehensive. Whether TIGTA or GAO identify other findings not identified by the ICR team during its reviews. 1.4.32.1.5 (09-26-2019) Program Controls An employee’s access to the ICR SharePoint site is removed when an employee is no longer assigned to ICR. The site is protected by limiting access to those individuals who perform the reviews and manage the program. Final reports are provided to the program owner upon completion of the review. Additional distribution by the program owner is based on specific requests from stakeholders. 1.4.32.1.6 (01-31-2022) Terms/Definitions The following terms and definitions apply to this program: Internal Control - Internal control (IC), which is synonymous with management control, is a major part of managing an organization. IC comprises the plans, methods and procedures used to meet missions, goals, and objectives and in doing so, supports performance-based management. IC also serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud and helps government program managers to achieve desired results through effective stewardship of public resources. Internal control systems provide reasonable assurance to achieve effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. Reference GAO’s Standards for Internal Control in the Federal Government (GAO-14-704G), page 5, for a more comprehensive definition of internal control. Internal control review - An internal control review assesses internal controls by analyzing programs, policies and procedures and their efficiency and effectiveness. Internal Control Weakness - A finding labeled as an Internal Control Weakness occurs when testing reveals the overall system of internal controls is ineffective. Management Information Only - A finding labeled as Management Information Only is designed to make management aware of a potential future issue that may arise if there are no improvements to controls. Opportunity for Improvement - A finding labeled as an Opportunity for Improvement indicates that one or more individual controls are ineffective, but the overall system of controls is effective. Risk is no longer low but medium and consequently lessens the effectiveness of internal controls in daily operations. Risk - A risk is an event or potential event that may negatively affect the achievement of a business objective. Risk assessment - A risk assessment is an evaluation of the potential hazards, threats, or opportunities which could affect an organization’s ability to conduct business. The reviews help to identify inherent business risks and provide measures, processes, and controls to reduce or mitigate risks to business operations. 1.4.32.1.7 (01-31-2022) Acronyms The following acronyms apply to this program. Acronym Meaning eICR Exploratory Internal Control Review FACT Financial Assurance Control Testing FMFIA Federal Managers’ Financial Integrity Act GAO Government Accountability Office IC Internal Controls ICMA Internal Controls Managerial Assessment ICR Internal Control Review ICW Internal Control Weakness IDRS Integrated Data Retrieval System IPU IRM Procedural Updates IR Internal Reviews MC ESC Management Controls Executive Steering Committee MIO Management Information Only OFI Opportunity for Improvement OMB Office of Management and Budget POC Point-of-Contact QAR Quality Assurance Review SERP Servicewide Electronic Research Program SME Subject Matter Expert SOP Standard Operating Procedure TICP Treasury Directive 40-04, Treasury Internal Control Program 1.4.32.1.8 (09-26-2019) Related Resources IRM 1.4.2, Resource Guide for Managers - Monitoring and Improving Internal Control. 1.4.32.2 (09-26-2019) Analytical Support The ICR analysts consult with SMEs as needed for support and/or comments on testing methodology. 1.4.32.3 (01-31-2022) Selection of Program Reviews Each fiscal year, the ICR team updates the inventory of program reviews and selects a sample at its discretion. The ICR list is an inventory from: The Exploratory Internal Control Review (eICR) process, which requests preliminary information from the business units pertaining to program internal controls in a focus area predetermined by the ICR program. ICRs, including eICRs, are driven based on the risk profile, managerial interests, public interests and congressional priorities, which determine whether to initiate a full ICR or an eICR. The Annual Assurance process, which requests verification of reviews on the Quality Assurance Review (QAR) listing. The sampling of selected managers who completed the ICMA. New IRS initiatives that the MC ESC or the Senior Executive Team has identified. GAO and TIGTA audits identified as closed by Enterprise Audit Management (EAM). Each fiscal year, the ICR team obtains a list of reviews that the IC QAR and FACT teams plan to perform to eliminate any duplication of efforts by the ICR team. 1.4.32.4 (09-26-2019) Review Selection Notification The ICR program notifies by email each business unit executive whose program has been selected for review by the ICR team. The review notification: Identifies the business unit selected for review; Designates the review period; Requests the names of SMEs and/or audit liaisons who will provide the necessary documentation and overview of the program; and Provides a list of the documents that ICR will need for the review. 1.4.32.5 (01-31-2022) Review Procedures The ICR process consists of four phases: Planning: 1-2 weeks Fieldwork: 1-4 weeks Reporting: 1-3 weeks Close-out: 2-5 weeks Review takes between 5 and 14 weeks to complete. Should reporting delays occur, ICR managers and the respective business unit managers will be notified by their subordinate staff. In the event that a review is put on hold (either by ICR or the business unit), all participants will be notified of the hold, why the hold occurred and when the review will resume. Prior to initiating a program review, the ICR team will spend time getting to know and understand the program and the key program controls. The ICR team will use the following sources: A description of key processes, which includes examples of the processing documents (for example, flowcharts, cycle memos and desk guides). Policies and procedures governing transactions such as laws, regulations, IRMs, interim guidance memoranda, Servicewide Electronic Research Program (SERP) IRM procedural updates (IPU), and standard operating procedures (SOP). External and internal reporting reviews (for example, reports issued by GAO or TIGTA). Congressional hearings or testimonies. The ICR team uses the information obtained to construct a framework and general review plan. This framework will outline the objectives and scope of the review and identifies areas that the review team will evaluate. Additionally, the framework provides the review team the flexibility to identify and pursue new leads or areas of significant concern identified during the review. The framework and review plan guides the overall review but should not constrain it. To conduct the review, the ICR team will: Conduct an opening conference with the POC or designated liaison; Request that the POC provide contact information for the SME along with an overview of the controls currently in place and how often management reviews the controls; Obtain procedural manuals from the POC and/or SME (for example, IRMs, SOPs and desktop/technical manuals) and back up documentation from external audit sources (for example, internal examination reports and TIGTA or GAO audit reports); Request source documents such as raw data, transcripts, tax forms, logs, and case files; Observe demonstrations of the program activity utilizing various media (for example, face-to-face and video technology) and transaction reporting; Conduct walkthrough procedures including a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls. In performing a walkthrough, the ICR analyst will question personnel about their understanding of the prescribed procedures and controls involved in performing the daily work; Re-perform activities using source documents to check the procedural steps (for example, re-adding the total of a line of numbers to determine consistency); Evaluate the operating effectiveness of key internal controls; and Conduct a closing conference at the end of the review with management to discuss draft review findings and recommendations. 1.4.32.6 (01-31-2022) Reporting Process After the review, the ICR team will analyzes the data gathered and draft a report. The report will provide findings and/or recommendations identified during the review. Once ICR leadership sends a report draft to an approval authority and the approval authority provides edits and feedback (within five business days), the report author has a maximum of three business days to make any necessary changes. Once the report author makes the changes, the report is returned to the appropriate approval authority. This step is conducted as many times as needed until a report is released to the business unit. The ICR analyst shares the report with the appropriate officials. If the ICR analyst noted findings during the review, the report addresses the findings as one of the following: Management Information Only (MIO) - Designed to make management aware of a potential future issue that may arise if there are no improvements to controls. Opportunity for Improvement (OFI) - Indicates that one or more individual controls are ineffective, but overall system of controls is effective. Risk is no longer low but medium and consequently lessens the effectiveness of internal controls in daily operations. Internal Control Weakness (ICW) - Occurs when testing reveals the overall system of internal controls to be ineffective. Recommendations will follow the conclusions and opinions that are supported by the analysis. 1.4.32.7 (01-31-2022) Report Approval Process The ICR analyst will submit all draft review reports for review, edits, and/or final approval for the eICR or full ICR by completing Form 14074, Action Routing Slip. The draft report and Form 14074, Action Routing Slip, should be submitted as follows: eICR - Respective ICR Section Chief and then the Director of Internal Reviews. ICR - Respective ICR Section Chief, Director of Internal Reviews, CFO Internal Controls, Executive Assistant, and then the Associate CFO for Internal Controls. For reviews with Deputy Commissioner- or Commissioner-level information, ICRs will be approved by CFO. Anything requiring CFO approval will be transmitted via e-Trak. Each approving official has five business days to review, edit, and/or approve the final report. If edits are necessary, the approving official returns the document to the review report author for corrections. If no edits are warranted, the approving official signs Form 14074, Action Routing Slip, and send it back to the review report author. 1.4.32.8 (09-26-2019) Business Unit Post Review Business unit program owners and executives receive a report from the ICR team describing the team’s findings and recommendations once the review is complete. ICR provides recommendations to help business units to identify areas where they should address control deficiencies and to provide a general framework that business units may use for strengthening internal controls. Business units generally have one week to review the report and provide comments for ICR to consider before issuing the final report. Business units should take the following steps once they receive the ICR team’s report: Develop and implement corrective actions to address the findings and recommendations provided in the final report. Assess and document the degree to which a control deficiency represents a risk if the business unit(s) will not take corrective actions. Include any risks identified in the business unit’s risk register. Retain any documentation created as part of post-review corrective actions or risk documentation/mitigation activities. The ICR team may conduct a follow-up engagement with the business unit to ascertain the outcome of the steps described above. This follow-up engagement may include review of the corrective actions and accompanying documentation by the business unit, or other steps up to and including an additional subsequent comprehensive ICR. The timing and nature of any follow-up will depend on several factors, including the severity of control deficiencies, the nature of the program that ICR reviewed and the likelihood external that stakeholders will subject the program to significant scrutiny. Business units should also consider these internal control improvement tips: Reevaluate controls periodically, especially when there are changes to personnel, work processes, business operations, and regulations that may affect the business unit. Streamline monitoring processes to reduce burden and improve accountability. Monitor and mitigate risk using data-driven approaches. Involve employees in identifying and mitigating risk. Examples of control monitoring: Considering Disclosure/Privacy Act implications in all activities, including reviews of files and personnel folders. Performing risk reviews. Conducting quality assurance reviews. Initiating timely background and security investigations and taking appropriate action based on the outcome of the investigations. Monitoring telephone traffic volumes to ensure timely customer service. Reviewing access to sensitive Integrated Data Retrieval System (IDRS) command codes. Reviewing assignment of portable electronic devices such as laptop computers, cellular/personal communications’ system devices, audio/video/data recording or playback devices, scanning devices, and messaging devices to ensure safeguarding of these devices and the data that they contain and/or to ensure that the employees who possess them still have a business need for them. 1.4.32.9 (09-26-2019) Records Retention/Accessibility of Reports ICR maintains its reports on the ICR SharePoint site. ICR maintains its electronic records in accordance with the following IRS electronic records retention policies: IRM 1.15.1 , Records and Information Management IRM 2.25.2, IRS Portal and Extranet Usage Standard IRM 10.5.1, Privacy Policy IRM 10.5.2.3.1, FISMA Reporting IRM 11.1.4, Content Policies and Standards for Intranet Sites Records retention should be in accordance with the National Archives and Records Administration (NARA), General Records Schedule 5.7: Agency Accountability Records (https://www.archives.gov/records-mgmt/grs.html). More Internal Revenue Manual