GAO-07-692R, Management Report: IRS's First-Year Implementation of the Requirements of the Office of Management and Budget's (OMB) Revised Circular No. A-123


This is the accessible text file for GAO report number GAO-07-692R 
entitled 'Management Report: IRS's First-Year Implementation of the 
Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123' which was released on May 18, 2007. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

May 18, 2007: 

The Honorable Mark W. Everson: 

Commissioner of Internal Revenue: 

Subject: Management Report: IRS's First-Year Implementation of the 
Requirements of the Office of Management and Budget's (OMB) Revised 
Circular No. A-123: 

Dear Mr. Everson: 

This letter summarizes our review of the Internal Revenue Service's 
(IRS) implementation of the requirements of the Office of Management 
and Budget's (OMB) revised Circular No. A-123, Management's 
Responsibility for Internal Control (A-123) during fiscal year 2006. 
These requirements are applicable to the 24 Chief Financial Officer 
(CFO) Act agencies, including the Department of the Treasury 
(Treasury), of which IRS is a significant component. The objectives of 
our review, which was conducted as part of our audit of IRS's fiscal 
year 2006 financial statements,[Footnote 1] were to determine whether 
(1) IRS appropriately planned and implemented its assessment of 
internal controls over financial reporting in accordance with the 
requirements of OMB Circular No. A-123, (2) IRS performed sufficient 
work to support its related assurance statement to Treasury, and (3) 
IRS's assurance statement appropriately represented the status of IRS's 
internal control over financial reporting. 

We performed our work from January through October 2006 as part of our 
audits of IRS's fiscal years 2006 and 2005 financial statements. We 
conducted our work in accordance with U.S. generally accepted 
government auditing standards. 

Results in Brief: 

IRS appropriately planned and implemented its first-year assessment of 
internal controls over financial reporting in accordance with the 
requirements of OMB Circular No. A-123 sufficient to support its 
assurance statement to Treasury as of June 30, 2006. Overall, we were 
impressed by IRS's commitment to the successful implementation of OMB 
Circular No. A-123, and its diligent efforts to effectively execute the 
circular's requirements. IRS's approach was indicative of management's 
recognition of its responsibility for the integrity of the 
organization's internal control structure and its desire to make the 
most of this process and effectively resolve its internal control 
issues. However, full implementation of the requirements of the revised 
OMB Circular No. A-123 at an agency as large and complex as IRS is a 
major undertaking that will require a significant commitment of 
resources and several years to achieve. 

As we noted in our report on our audit of IRS's fiscal year 2006 
financial statements and communicated to IRS during the course of our 
audit, we identified several areas where IRS could enhance its A-123 
review process. Specifically, we found that IRS did not always clearly 
document procedures performed or how test results were linked to the 
resultant conclusions. In addition, although IRS was aware of the 
findings of audits performed by GAO and the Treasury Inspector General 
for Tax Administration (TIGTA), we did not always find documentation 
that these findings were consistently utilized by IRS in planning its A-
123 reviews. We also did not find documentation that in planning its A-
123 review, IRS appropriately considered the most recent audit of the 
Department of Agriculture's National Finance Center, which processes 
IRS's payroll transactions, or the extent to which its own information 
security work conducted in accordance with the Federal Information 
Security Management Act of 2002 (FISMA),[Footnote 2] met the objectives 
of OMB Circular No. A-123. Identifying existing reviews and audits 
related to internal controls over financial reporting, determining the 
extent to which these efforts can be used to complement the A-123 work, 
and assessing how that use might affect the scope and nature of 
procedures to be performed are an important part of the related 
planning process. Clearly documenting procedures conducted and 
consideration of existing reviews and audits reduces the risk that IRS 
may provide a degree of assurance on the effectiveness of its control 
over financial reporting that is not warranted by existing conditions. 

We also found that while the scope and nature of A-123 procedures 
performed by IRS during fiscal year 2006 were appropriate in the 
circumstances, as IRS's A-123 process moves to the next stage, 
additional work will be required. We found that (1) the tests IRS 
conducted focused on the execution of controls over individual 
transaction types, and have not yet effectively addressed the design of 
controls; (2) IRS has not yet tested controls over compliance with all 
significant financial-reporting-related laws and regulations; and (3) 
information security work IRS conducted under FISMA did not identify 
many of the vulnerabilities we identified during our testing of its 
information security as part of our fiscal year 2006 financial audit. 
Consequently, IRS's A-123 process was not at a point where it would 
have identified all of IRS's existing control deficiencies nor been 
sufficient to support an unqualified statement of assurance as of June 
30, 2006, had that been appropriate in the circumstances. Also, once 
IRS is in a position to support an unqualified assurance statement, it 
will become necessary for it to conduct follow-up procedures during the 
last 3 months of the year subsequent to the June 30 A-123 reporting 
date to support an unqualified assurance statement as of September 30 
to correspond with the date of our opinion on the effectiveness of 
IRS's internal controls. 

Because IRS had four material weaknesses in its internal controls in 
fiscal year 2006, the additional procedures that would be needed to 
support unqualified assurance were not necessary. However, IRS is 
working diligently to resolve its material weaknesses. As these issues 
are resolved, the scope and nature of procedures IRS will need to 
perform will gradually increase. As IRS continues to enhance its A-123 
effort, it will need to consider these issues and take appropriate 
steps to address them in order to position it to support statements of 
unqualified assurance as of June 30 and September 30 as will become 
appropriate at such time as IRS fully resolves its material weaknesses. 

This report contains seven recommendations intended to assist IRS in 
strengthening its A-123 process as it continues to mature, so that once 
the process is fully developed, IRS will be able to rely on it to 
identify any existing material weaknesses or other significant control 
deficiencies. In so doing, IRS will also position itself so that once 
its existing material internal control weaknesses are resolved, it will 
be able to rely on its A-123 process to support appropriate unqualified 
statements of assurance as of June 30 and September 30. 

In its comments, IRS agreed with our recommendations and described 
actions it had taken or plans to take to address the issues we raised 
in this report. At the end of our recommendations for executive action, 
we have summarized IRS's related comments and provided our evaluation. 

Scope and Methodology: 

In conducting our review of IRS's implementation of OMB Circular No. A- 
123, we reviewed documentation and conducted discussions with IRS and 
Treasury officials concerning how the A-123 process was planned, 
implemented, summarized, and reported. Specifically, we reviewed and 
discussed the following: 

² Treasury's and IRS's strategy and overall plans for implementing OMB 
Circular No. A-123 at IRS, including (1) how the process was to be 
organized, staffed, supervised, and conducted, and (2) how the results 
were to be summarized and reported, and appropriate corrective action 
plans developed and implemented; 

² Treasury's and IRS's selection of transaction processes considered 
material to IRS; 

² IRS's workpapers supporting its tests of controls over the 12 of the 
45 transaction processes that we considered to be the most material to 
IRS's financial statements, including internal controls over tax 
revenue, tax refunds, taxes receivable, expenses, and budgetary 
transactions; 

² IRS's evaluation of entitywide controls, such as the overall control 
environment, integrity and ethical values, information and 
communications, and monitoring; and: 

² IRS's A-123 assurance statement to Treasury and its relationship to 
the underlying work and results. 

We also observed IRS's tests of internal controls over (1) tax revenue 
at one service center campus and one Taxpayer Assistance Center, and 
(2) tax refunds at one service center campus. Additional details on our 
scope and methodology are included in our fiscal year 2006 financial 
statement audit report. 

Background: 

The passage of the Sarbanes-Oxley Act of 2002 (SOX)[Footnote 3] served 
as an impetus for the federal government to review its existing 
internal control requirements.[Footnote 4] SOX requires that management 
of publicly traded companies strengthen their processes for assessing 
and reporting on their internal control over financial reporting. 
Consistent with the intent of SOX, the joint Chief Financial Officers 
Council (CFOC)[Footnote 5] and President's Council on Integrity and 
Efficiency (PCIE)[Footnote 6] committee recommended that OMB Circular 
No. A-123 be strengthened to require a more rigorous assessment of 
federal agencies' internal control over financial reporting. OMB 
accepted this recommendation and worked with the CFOC/PCIE working 
group to significantly revise its Circular No. A-123. 

OMB's revised Circular No. A-123, along with its related implementation 
guide,[Footnote 7] were effective for fiscal year 2006. OMB Circular 
No. A-123 provides specific requirements for the 24 major departments 
and agencies covered under the Chief Financial Officers Act of 1990 
(CFO Act)[Footnote 8] to follow in conducting management's assessment 
of the effectiveness of internal control over financial reporting. The 
assessment process requires (1) understanding the control environment 
including the financial reporting process, (2) understanding the design 
of internal controls, (3) identifying and evaluating significant 
classes of transactions and assessing risks, and (4) testing controls 
to assess compliance. Based on the results of the assessment process, 
each CFO Act agency is required to prepare a statement asserting the 
effectiveness of its internal control over financial reporting as of 
June 30 of each fiscal year, which is to be included in the agency's 
Performance and Accountability Report (PAR). 

IRS does not produce its own PAR. As a bureau of Treasury, however, 
IRS's assurance statement is used by Treasury as a basis for its own 
assurance statement, which is included in the department's PAR. The 
assurance provided in this statement can take one of three forms: (1) 
unqualified assurance, indicating that no material weaknesses were 
found, (2) qualified assurance, indicating that one or more material 
weaknesses were identified, or (3) a statement of no assurance, 
indicating that no internal control process was in place or that 
pervasive material weaknesses were found. Based on their A-123 
assessment, agencies are required to develop an appropriate corrective 
action plan to address any control deficiencies identified. OMB 
Circular No. A-123 requires that agencies document their control over 
financial reporting and the related assessment process, including key 
decisions, the assessment methodology and its implementation, the 
testing of controls and related results, and any corrective action 
plan. 

In fiscal year 2006, Treasury established the framework for the 
implementation of the revised OMB Circular No. A-123 for all of its 
bureaus, including IRS. This included establishing an overall 
departmentwide implementation plan, identifying and documenting 
controls significant to Treasury and assessing related risks, and 
establishing milestones for implementation and completion of the A-123 
process. Treasury also established a threshold to determine which of 
the bureaus' transactions were considered material to the department's 
consolidated financial statements.[Footnote 9] Based on this threshold, 
Treasury required its bureaus to test controls over certain specific 
financial transactions. 

Within this overall framework, IRS established a management structure 
under the direction of the CFO to organize and oversee IRS's 
implementation of OMB Circular No. A-123. Major elements of IRS's A-123 
process included: 

* developing an IRS's specific implementation guide for the 
implementation of OMB Circular No. A-123; 

* identifying transaction processes considered material to IRS that had 
not been identified by Treasury; 

* planning and conducting tests of controls over 45 transaction 
processes considered material to Treasury or IRS; 

* reviewing the effectiveness of entitywide controls, including the 
overall control environment, integrity and ethical values, information 
and communications, and monitoring; and: 

* reviewing compliance with certain laws and regulations pertinent to 
financial reporting and internal control, including the Federal 
Financial Management Improvement Act of 1996 (FFMIA);[Footnote 10] 31 
U.S.C. § 3512(c), (d), commonly referred to as the Financial Managers' 
Financial Integrity Act of 1982 (FIA); the CFO Act; and FISMA. 

Based on the results of these procedures and considering the material 
weaknesses reported by us in our previous audit of IRS's financial 
statements,[Footnote 11] IRS provided Treasury qualified assurance that 
its controls over financial reporting were effective as of June 30, 
2006. 

IRS Successfully Implemented the Revised OMB Circular No. A-123 in 
Fiscal Year 2006: 

IRS appropriately planned and implemented its assessments of internal 
controls over financial reporting in accordance with the requirements 
of OMB Circular No. A-123 sufficient to support its assurance statement 
to Treasury as of June 30, 2006. We also noted that IRS elected to 
implement this process using its own staff rather than contractors, 
thereby taking advantage of the opportunity for IRS staff and 
management to gain a better understanding of the intricacies of, and 
issues associated with, the agency's complex internal control 
structure. This, in turn, better positioned management and staff to 
benefit from the lessons learned through this first year of 
implementation. This approach was indicative of management's 
recognition of its responsibility for the integrity of the 
organization's internal control structure and its desire to make the 
most of this process and effectively resolve its internal control 
issues. 

We also found that we were able to use some of the procedures performed 
by IRS, such as its tests of entitywide controls and compliance with 
the statutory requirement regarding the timing of tax lien releases, to 
supplement or reduce the scope of our internal control testing 
conducted as part of our audit of IRS's fiscal years' 2006 and 2005 
financial statements. 

Full implementation of the requirements of the revised OMB Circular No. 
A-123 at an agency as large and complex as IRS is a major undertaking 
that will require a significant commitment of resources and several 
years to achieve. Additionally, due to the presence of four material 
weaknesses in internal controls as of September 30, 2005,[Footnote 12] 
the scope and nature of the A-123 work IRS needed to perform in fiscal 
year 2006 was significantly less than would have been necessary had 
these reported weaknesses not existed. In this context, we found that 
(1) IRS appropriately planned and implemented its assessment of 
internal controls in accordance with the requirements of OMB Circular 
No. A-123, (2) IRS performed sufficient work to support its related 
assurance statement to Treasury, and (3) IRS's assurance statement 
appropriately represented the status of IRS's internal control over 
financial reporting. 

Opportunities for IRS to Enhance the A-123 Process: 

While we found that IRS's first-year implementation of the revised OMB 
Circular No. A-123 enabled it to fully support its June 30, 2006, 
assurance statement, our review identified several opportunities to 
enhance the process to better ensure that future reviews will fully 
address the requirements of the revised OMB Circular No. A-123 as IRS's 
implementation process continues to develop. Specifically, we 
identified opportunities with respect to (1) the documentation of 
completed test procedures and (2) the scope and nature of test 
procedures conducted. 

Documentation of Test Procedures Conducted: 

We found that the conclusions IRS reached concerning the effectiveness 
of its controls were appropriate. Nevertheless, IRS's documentation of 
the results of certain specific transaction tests did not always 
clearly indicate what internal control test procedures were performed 
or how conclusions were reached. For example, IRS's summary of work on 
its tests of invoice or voucher payment and approval noted that there 
were no errors found, and concluded that controls were effective. 
However, the summary also noted that IRS personnel found 3 errors in 
testing 45 sample items, which appeared to indicate that controls were 
not effective.[Footnote 13] Based on discussions with IRS staff, we 
determined that although it was not apparent from the documentation in 
the workpapers, the 3 errors noted were actually not related to the 
control attributes being tested and hence, did not affect the 
conclusion. However, such ambiguity and lack of clarity in test 
documentation and its relationship to the related conclusions increases 
the risk that conclusions may not reflect actual existing control 
conditions. 

As provided for in OMB Circular No. A-123, and in accordance with the 
overall approach defined by Treasury, IRS used the results of existing 
audits and reviews to supplement its testing. We found that, in its 
remediation plans prepared in accordance with FIA, IRS considered the 
findings of the audits of GAO and TIGTA. Also, we noted that several of 
IRS's A-123 test plans incorporated procedures for consideration of 
prior audits and reviews relevant to the controls being tested. 
However, IRS did not always document how it considered these audits and 
reviews in determining the nature, scope, and timing of procedures it 
planned to conduct under OMB Circular No. A-123. For example, the IRS 
planning documents and workpapers did not always document how it 
considered the results of the following audits and reviews in 
formulating the nature, scope, and timing of its test procedures: (1) 
GAO audits, such as our prior audits of IRS's financial statements, (2) 
TIGTA audits or reviews that may have been relevant to IRS's internal 
control over financial reporting, or (3) its own information security 
work conducted under FISMA. We also did not see documentation of IRS's 
consideration of the results of the most recent audit of the controls 
over the Department of Agriculture's National Finance Center, which IRS 
relies on to process its payroll transactions. By consistently 
documenting how it considered these prior audits and reviews, IRS would 
reduce the risk that it may (1) not appropriately consider issues 
significant to IRS's internal control over financial reporting, (2) 
place undue reliance on reviews whose scope and methodology is not well 
suited to the objectives set out in OMB Circular No. A-123, or (3) 
perform unnecessary duplicative work. 

Scope and Nature of Test Procedures Conducted: 

As noted above, the procedures conducted by IRS were adequate to 
support the qualified assurance it provided as of June 30, 2006. 
However, as IRS moves to an unqualified opinion on its internal control 
in the future, its procedures will need to further evolve. 

IRS's control testing approach was not yet at the stage that it fully 
considered the design of control over financial reporting. Rather, the 
approach was largely transaction based. Consequently, IRS's tests would 
not likely have identified some of the significant systemic control 
design deficiencies that we have reported in our audits of IRS's 
financial statements, including IRS's lack of (1) a subsidiary ledger 
for taxes receivable, (2) cost accounting capabilities necessary to 
readily determine the costs of its activities and programs in multiple 
business units, or (3) a U.S. Standard General Ledger-compliant general 
ledger for its tax-related transactions. Because IRS had not yet fully 
considered the design of internal control over financial reporting, the 
risk is increased that in the absence of our annual audit of IRS's 
financial statements, it may not identify all deficiencies in the 
design of its related controls. 

As noted above, IRS reviewed compliance with FFMIA, FIA, the CFO Act, 
and FISMA. IRS also tested compliance with the legal requirement that 
liens on taxpayer property be released within 30 days of the 
satisfaction of the debt.[Footnote 14] However, IRS had not yet tested 
controls over compliance with other significant financial-related laws 
and regulations. For example, its testing did not address controls over 
compliance with the Anti-Deficiency Act, as amended[Footnote 15] or the 
Prompt Payment Act.[Footnote 16] OMB Circular No. A-123 defines the 
scope of assessing and documenting internal control over financial 
reporting to include compliance with laws and regulations. However, 
since IRS did not test controls over compliance with several laws and 
regulations significant to financial reporting, its management could 
not have provided unqualified assurance regarding the design and 
operating effectiveness of controls in this area, had that been 
warranted. 

IRS's use of work it performed under FISMA to meet the requirements of 
OMB Circular No. A-123 as it relates to information technology security 
controls was permitted by A-123 and was in accordance with Treasury's 
overall approach. Such use requires that the work be conducted in a 
manner sufficient to meet the requirements of OMB Circular No. A-123, 
as well as FISMA. However, we did not see evidence that IRS assessed 
whether the work being conducted under FISMA was sufficient to meet the 
objectives set out in OMB Circular No. A-123, for which the FISMA work 
was not originally designed. Our review of IRS's information security 
conducted as part of our fiscal year 2006 financial audit found 
weaknesses indicating that IRS's FISMA work was not always sufficient 
to meet the related objectives of the OMB circular. For example, as 
part of IRS's FISMA work, it tested and evaluated security controls for 
each of the automated systems we reviewed as part of our fiscal year 
2006 financial audit.[Footnote 17] However, we found that IRS's FISMA 
testing did not address many of the vulnerabilities we reported based 
on our work. For example, IRS's test and evaluation plan for its 
procurement system did not include tests for password expiration, 
insecure protocols, or removal of employees' system access after 
separation from the agency. Consequently, the information security work 
IRS conducted in accordance with FISMA did not identify many of the 
vulnerabilities we identified during our audit of IRS's fiscal year 
2006 financial statements, nor assess the risks associated with those 
vulnerabilities. This increases the risk that IRS's information 
security work conducted to comply with FISMA may not satisfy the 
related objectives set out in OMB Circular No. A-123. 

IRS did not perform procedures under OMB Circular No. A-123 during the 
last 3 months of fiscal year 2006 to verify that the state of its 
internal controls had not significantly changed since the date of its 
assurance statement, which was June 30. OMB Circular No. A-123 does not 
require such procedures, but does permit agencies to adjust the "as of" 
date of their assurance statement if the agency is receiving a separate 
audit opinion on its internal controls as of September 30. Given the 
four material weaknesses in IRS's internal control that we had 
identified during our audit of IRS's financial statements,[Footnote 18] 
not testing internal control during the fourth quarter did not affect 
IRS's assurance statement for internal controls as of September 30, 
2006.[Footnote 19] In future years, at such time as IRS has effectively 
resolved its existing material internal control deficiencies, follow-up 
procedures to test controls during the last 3 months of the fiscal year 
will become necessary in order for IRS to assert that its internal 
controls are effective as of September 30. 

As noted above, fiscal year 2006 was the first year IRS implemented the 
requirements of the revised OMB Circular No. A-123, and this process 
will likely take several more years to fully mature. As the process 
continues to develop, IRS will need to overcome a number of significant 
challenges, such as balancing the significant resource needs of this 
process with the ongoing demands of its daily operations. In addition, 
many of the related tasks, such as documenting internal controls, 
assessing related risks, evaluating the design of controls, conducting 
appropriate tests of the operating effectiveness of controls, 
evaluating and reporting the results of these tests, and appropriately 
documenting these internal control procedures, are skills typically 
associated with financial auditors. Implementing OMB Circular No. A-123 
has required IRS's staff to assume responsibilities for which their 
prior training and operational experience had typically not prepared 
them. As it continues to implement OMB Circular No. A-123, IRS will 
need to successfully meet these challenges in order to minimize the 
risk that, in the absence of our annual financial audit, significant 
deficiencies in internal controls might exist and not be identified in 
this process. Should this occur, IRS might provide a level of assurance 
on the effectiveness of its internal controls not warranted by existing 
conditions. 

Conclusion: 

IRS did a commendable job in its first-year implementation of the 
requirements of the revised OMB Circular No. A-123. IRS's decision to 
rely on its own staff to conduct this work, while presenting challenges 
in the short term, also has the potential to pay significant dividends 
in the future in terms of IRS's ability to make effective use of its A- 
123 findings to improve operations. As IRS moves forward, it should 
work to enhance the documentation of the procedures it performs. In 
addition, while IRS's A-123 process in fiscal year 2006 was adequate to 
support its June 30, 2006, assurance statement to Treasury, it is 
important to recognize that additional work will be needed to provide 
the unqualified assurance statement that will become appropriate once 
IRS has addressed the long-standing material weaknesses it is currently 
confronting. IRS is working diligently to correct its material 
weaknesses. It is therefore important that as IRS continues to make 
progress in this regard, it also enhance its A-123 process to be better 
positioned to support an unqualified statement of assurance on the 
effectiveness of its internal control over financial reporting once its 
material weaknesses have been resolved. 

Recommendations for Executive Action: 

To assist IRS in strengthening its implementation of A-123 reviews in 
future years, we recommend that IRS: 

² document the results of internal control tests conducted in a manner 
sufficiently clear and complete to explain how control procedures were 
tested, what results were achieved, and how conclusions were derived 
from those results, without reliance on supplementary oral explanation; 

² clearly document how it considered existing reviews and audits in 
determining the nature, scope, and timing of procedures it planned to 
conduct under its A-123 process; 

² to the extent that it intends to use the information security work 
conducted under FISMA to meet related A-123 requirements, identify the 
areas where the work conducted under FISMA does not meet the 
requirements of OMB Circular No. A-123 and, considering the findings 
and recommendations of our work on IRS's information security, expand 
FISMA procedures or perform additional procedures as part of the A-123 
reviews to augment FISMA work; 

² revise test plans to include appropriate consideration of the design 
of internal controls in addition to implementation of controls over 
individual transactions; 

² work with Treasury to identify laws and regulations that are 
significant to financial reporting, test controls over compliance with 
those laws and regulations, and evaluate and report on the results of 
such control reviews; 

² begin devising appropriate A-123 follow-up procedures for the last 3 
months of the fiscal year to be implemented once the material 
weaknesses identified through the annual financial statement audits 
have been resolved; and: 

² provide A-123 review staff appropriate training, such as that 
available for financial auditors, to enhance their skills in workpaper 
documentation, identification and testing of internal controls, and 
evaluation and documentation of results. 

Agency Comments and Our Evaluation: 

In commenting on a draft of this report, IRS agreed with our 
recommendations and expressed its appreciation that we acknowledged the 
agency's commitment and diligence in implementing the revised OMB 
Circular No. A-123 requirements during fiscal year 2006. IRS noted that 
it had established a credible A-123 program and used the results of the 
tests conducted to improve IRS's internal control environment. 

IRS agreed with our recommendations to clearly document the results of 
tests conducted and how it considered existing reviews and audits in 
determining the extent of its test procedures, and to provide staff 
involved in the A-123 review process with appropriate training. IRS 
indicated that it had provided enhanced training to testers and 
reviewers in preparation for its fiscal year 2007 A-123 process 
covering such aspects as evaluating audit evidence, preparing 
workpapers, reviewing and evaluating internal controls, and evaluating 
the materiality of errors. IRS also agreed with our recommendation that 
it should revise its test plans to include an appropriate consideration 
of the design of internal controls in addition to implementation of 
controls over individual transactions. IRS stated that it will include 
such analysis of the design for each transaction set tested in its 
fiscal year 2008 A-123 process. 

IRS also agreed with our recommendation that it identify the areas 
where its work conducted under FISMA does not meet A-123 requirements, 
and either expand FISMA procedures or perform additional procedures as 
part of the A-123 reviews to augment its FISMA work. IRS stated that it 
will continue to work with Treasury and us to improve its FISMA 
procedures or A-123 test plans. 

Additionally, IRS agreed with our recommendation that it work with 
Treasury to identify laws and regulations that are significant to 
financial reporting, test controls over compliance with laws and 
regulations, and evaluate and report on the results of such control 
reviews. IRS indicated that it has performed an initial crosswalk of 
laws and regulations significant to financial reporting during fiscal 
year 2007 and will further refine this linkage in preparation for the 
fiscal year 2008 A-123 process. Finally, IRS agreed with our 
recommendation that it devise appropriate A-123 follow-up procedures 
for the last three months of the fiscal year to be implemented once the 
material weaknesses identified through the annual financial statement 
audits have been resolved. IRS stated that in fiscal year 2008, it will 
begin to develop follow-up procedures that provide assurance for the 
last three months of the fiscal year. We will evaluate the 
effectiveness of IRS's efforts in addressing our recommendations during 
our future audits of IRS financial statements. 

This report contains recommendations to you. The head of a federal 
agency is required by 31 U.S.C. § 720 to submit a written statement on 
actions taken on these recommendations. You should submit your 
statement to the Senate Committee on Homeland Security and Governmental 
Affairs and the House Committee on Oversight and Government Reform 
within 60 days of the date of this report. A written statement must 
also be sent to the Senate and House Committees on Appropriations with 
the agency's first request for appropriations made more than 60 days 
after the date of the report. 

This report is intended for use by the management of IRS. We are 
sending copies to the Chairmen and Ranking Minority Members of the 
Senate Committee on Appropriations; Senate Committee on Finance; Senate 
Committee on Homeland Security and Governmental Affairs; Subcommittee 
on Taxation and IRS Oversight, and Long-Term Growth, Senate Committee 
on Finance; House Committee on Appropriations; House Committee on Ways 
and Means; and House Committee on Oversight and Government Reform. We 
are also sending copies of this report to the Chairman and Vice 
Chairman of the Joint Committee on Taxation, the Secretary of the 
Treasury, the Director of OMB, the Chairman of the IRS Oversight Board, 
and other interested parties. Copies will be made available to others 
upon request. In addition, the report is available at no charge on 
GAO's Web site at http://www.gao.gov. 

We acknowledge and appreciate the cooperation and assistance provided 
by IRS officials and staff during our review. If you have any questions 
or need assistance in addressing these matters, please contact me at 
(202) 512-3406 or sebastians@gao.gov. GAO staff who made major 
contributions to this report are listed in enclosure III. 

Sincerely yours, 

Signed by: 

Steven J. Sebastian: 
Director: 
Financial Management and Assurance: 

Enclosures: 

[End of section] 

Enclosure I: Comments from the Department of Treasury: 

Department Of The Treasury:
Internal Revenue Service: 
Washington, D.C. 20224: 
Commissioner: 

May 11, 2007: 

Mr. Steven J. Sebastian, Director: 
Financial Management and Assurance: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, D.C. 20548: 

Dear Mr. Sebastian: 

I am writing in response to the draft Government Accountability Office 
(GAO) report titled "Management Report: IRS's First Year Implementation 
of the Office of Management and Budget's (OMB) Revised Circular No. A- 
123" (GAO-07-692R). 

I appreciate your recognition of our commitment and diligence in 
implementing the revised OMB Circular No. A-123, Management's 
Responsibility for Internal Controls (A-123) in FY 2006. In the first 
year, we established a credible A-123 program within current resources 
and used the test results to improve the internal control environment. 

We have improved our FY 2007 A-123 testing approach through early 
implementation of some of your recommendations, including providing 
enhanced training to testers and reviewers and emphasizing the need for 
thorough documentation of all tests. I have enclosed a response which 
addresses each GAO recommendation. 

We appreciate your recommendations to improve our management controls. 
If you have any questions, please contact Mary E. Davis, Associate 
Chief Financial Officer for Corporate Planning and Internal Control, at 
(202) 622-2955. 

Sincerely, 

Signed for: 

Mark W. Everson: 

Enclosure: 

GAO Recommendations and IRS Responses to GAO Management Report: 

IRS's First Year Implementation of the Office of Management and 
Budget's (OMB) Revised Circular No. A-123 GAO-07-692R: 

Recommendation 1: Document the results of internal control tests 
conducted in a manner sufficiently clear and complete to explain how 
control procedures were tested, what results were achieved, and how 
conclusions were derived from those results, without reliance on 
supplementary oral explanation. 

Comments: We agree with this recommendation. In preparation for the FY 
2007 A-123 process, we delivered a training course on documentation 
requirements for the A-123 testers, incorporating suggestions provided 
by GAO and lessons learned during our FY 2006 implementation. Testers 
also attended an external course focused on the evaluation of audit 
evidence and work paper preparation, and we also instituted additional 
review steps to ensure the work papers provided sufficient support for 
the tea: conclusions. As we prepare for the FY 2008 A-123 cycle, we 
will continue to enhance our in-house training to address the clarity 
and completeness of our explanations. 

Recommendation 2: Clearly document how IRS considered existing reviews 
and audits in determining the nature, scope, and timing of procedures 
it planned to conduct under its A-123 process. 

Comments: We agree with this recommendation. We incorporated 
requirements to document the existing reviews and audits in our FY 2007 
test plan templates. 

Recommendation 3: To the extent that IRS intends to use the information 
security work conducted under FISMA to meet related A-123 requirements, 
identify the areas where the work conducted under FISMA does not meet 
the requirements of OMB Circular No. A-123 and, considering the 
findings and recommendations of our work on IRS's information security, 
expand FISMA procedures or perform additional procedures as part of the 
A-123 reviews to augment FISMA work. 

Comments: We agree with this recommendation. We will continue to work 
with Treasury and GAO to improve either our FISMA procedures or A-123 
test plans. 

Recommendation 4: Revise test plans to include appropriate 
consideration of the design of internal controls in addition to 
implementation of controls over individual transactions. 

Comments: We agree with this recommendation. The FY 2008 A-123 cycle 
will include a requirement to include an analysis of the design for 
each transaction set tested. 

Recommendation 5: Work with Treasury to identify laws and regulations 
that are significant to financial reporting, test controls over 
compliance with those laws and regulations, and evaluate and report on 
the results of such control reviews. 

Comments: We agree with this recommendation. In FY 2007 we performed an 
initial crosswalk of the laws and regulations significant to financial 
reporting to our test plans. We will further refine this linkage in 
preparation for our FY 2008 A-123 process. 

Recommendation 6: Begin devising appropriate A-123 follow-up procedures 
for the last three months of the fiscal year to be implemented once the 
material weaknesses identified through the annual financial statement 
audits have been resolved. 

Comments: We agree with this recommendation. Although implementation of 
such procedures is not necessary until elimination of the outstanding 
material weaknesses, we will begin to develop follow-up procedures in 
FY 2008 that provide assurance for the last three months of the fiscal 
year. 

Recommendation 7: Provide A-123 review staff appropriate training, such 
as that available for financial auditors, to enhance their skills in 
workpaper documentation, identification and testing of internal 
controls, and evaluation and documentation of results. 

Comments: We agree with this recommendation. As indicated under 
recommendation number 1, we provided testers and reviewers with 
enhanced training for the FY 2007 A-123 cycle. The training was 
designed to improve proficiency in documentation and analysis in the 
reviews, including the process to be followed when reviewing or 
performing tests of internal controls, determining if the controls are 
functioning appropriately, and evaluating the materiality of errors. We 
will continue to provide annual training at the beginning of each A-123 
cycle. 

[End of section] 

Enclosure II: Staff Acknowledgments: 

Acknowledgments: 

The following individuals made major contributions to this report: 
Charles Fox, Assistant Director; Charles Ego; Nina Crocker; John Davis; 
Ted Hu; Jerrod O'Nelio; John Sawyer; Angel Sharma; Cynthia Teddleton; 
and Truc Tuck. 

(196151): 

FOOTNOTES 

[1] GAO, Financial Audit: IRS's Fiscal Years 2006 and 2005 Financial 
Statements, GAO-07-136 (Washington, D.C.: Nov. 9, 2006). 

[2] FISMA was enacted as Title III of the E-Government Act of 2002, 
Pub. L. No. 107-347, 116 Stat. 2946 (Dec. 17, 2002). 

[3] Pub. L. No. 107-204, 116 Stat. 745 (July 30, 2002). 

[4] OMB Circular No. A-123, at App. A, Part 1, at p. 20 (rev. Dec 21, 
2004). 

[5] The CFOC, established pursuant to the CFO Act of 1990 (Pub. L. No. 
101-576, § 302, 104 Stat. 2838, 2848 [Nov. 15, 1990]), is an 
organization of Chief Financial Officers (CFO) and Deputy CFOs of the 
largest Federal agencies and senior officials of OMB and Treasury. The 
purpose of the council is to advise and coordinate the activities of 
the agencies of its members on such matters as consolidation and 
modernization of financial systems, improved quality of financial 
information, financial data and information standards, internal 
controls, legislation affecting financial operations and organizations, 
and any other financial management matter. The Deputy Director for 
Management of OMB is the CFOC's chair. 

[6] The PCIE--which is governed by Executive Order No. 12805 of May 11, 
1992--was established to (1) address integrity, economy, and 
effectiveness issues that transcend individual government agencies and 
(2) increase the professionalism and effectiveness of inspectors 
general personnel throughout the government. The PCIE is composed 
primarily of the presidentially appointed inspectors general. Officials 
from OMB, the Federal Bureau of Investigation, Office of Government 
Ethics, Office of Special Counsel, and Office of Personnel Management 
serve on the PCIE as well. The PCIE acts as a liaison with the CFOs by 
attending the CFOC meetings and participating and planning joint 
meetings, sessions, and task forces. 

[7] OMB, Implementation Guide for OMB Circular A-123, Management's 
Responsibility for Internal Control. Appendix A, Internal Control Over 
Financial Reporting (Washington, D.C.: July 2005). 

[8] Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 5, 1990). The 24 CFO Act 
agencies are listed at 31 U.S.C. § 901(b). 

[9] Treasury determined that every Treasury's consolidated financial 
statement line item greater than 1.5 percent of the section total is 
material to Treasury. Further, if a bureau contributed 10 percent or 
more of the balance of one of these material line items, Treasury 
directed that the bureau must test the applicable process transaction 
controls for A-123 purposes. 

[10] Pub. L. No. 104-208, div. A, §101(f), title VIII, 110 Stat. 3009, 
3009-389 (Sept. 30, 10996). 

[11] GAO, Financial Audit: IRS's Fiscal Years 2005 and 2004 Financial 
Statements, GAO-06-137 (Washington, D.C.: Nov. 10, 2005). 

[12] GAO-06-137. 

[13] With a sample size of 45 items, the auditor concludes that if more 
than one deviation is found, the controls being tested are not 
operating effectively. GAO/PCIE, Financial Audit Manual, section 
450.13, GAO-01-765G (Washington, D.C.: July 2001). 

[14] 26 U.S.C. § 6325. 

[15] See 31 U.S.C. § 1341(a)(1) and 31 U.S.C. § 1517(a). 

[16] Codified, as amended, in part of at 31 U.S.C. § 3902(a), (b), and 
(f) and 31 U.S.C. § 3904. 

[17] GAO, Information Security: Further Efforts Needed to Address 
Significant Weaknesses at the Internal Revenue Service, GAO-07-364 
(Washington, D.C.: Mar. 30, 2007). 

[18] GAO-06-137. 

[19] In addition to its qualified A-123 statement of assurance on the 
effectiveness of its internal control over financial reporting as of 
June 30, 2006, IRS also provided a statement of qualified assurance 
concerning the effectiveness of its internal control over financial 
reporting, compliance with laws and regulations, and performance 
reporting as of September 30, 2006, in the management representation 
letter it provided to us as part of our audit of IRS's fiscal year 2006 
financial statements. Due to the existence of four material weaknesses 
in IRS's internal control, we rendered our opinion directly on the 
effectiveness of IRS's internal control as of September 30, 2006, 
rather than on its assurance statement. However, once our tests of 
IRS's internal control, including control over financial reporting, 
determine that IRS has resolved all its material weaknesses and IRS 
provides the related unqualified statement of assurance on its overall 
internal control as of September 30, we will render our opinion on 
IRS's internal control based on the appropriateness of IRS's assurance 
statement. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts 
newly released reports, testimony, and correspondence on its Web site. 
To have GAO e-mail you a list of newly posted products every afternoon, 
go to www.gao.gov and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 441 G Street NW, Room LM 
Washington, D.C. 20548: 

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 
512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S. 
Government Accountability Office, 441 G Street NW, Room 7125 
Washington, D.C. 20548: 

Public Affairs: 

Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 
U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, D.C. 20548: