Patient Protection and Affordable Care Act:

IRS Managing Implementation Risks, but Its Approach Could Be Refined

GAO-12-690, Jun 13, 2012

Additional Materials:

Contact:

James R. White
(202) 512-9110
whitej@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Internal Revenue Service (IRS) has implemented one of GAO’s four recommendations from June 2011 to strengthen the Patient Protection and Affordable Care Act (PPACA) implementation efforts by scheduling the development of performance measures for the PPACA program. IRS has made varying degrees of progress on the other three recommendations:

  • develop program goals and an integrated project plan;

  • develop a cost estimate consistent with GAO’s published guidance; and

  • assure that IRS’s risk management plan identifies strategic level risks and evaluates associated mitigation options.

IRS’s revised risk management plan meets three of five criteria for risk management plans, but the plan does not have specific guidance for evaluating and selecting potential risk mitigation options, such as how to

  • identify who conducts and reviews the analysis,

  • determine the availability of resources for a given strategy, and

  • document for future users the rationale behind decisions made.

IRS applied its risk management plan when identifying, tracking, and reporting on implementation risks. Although the risk plan calls for risk mitigation strategies to be evaluated, these evaluations have not been done. IRS officials said that evaluating these strategies would require varying levels of effort because the probability and magnitude of risks differ. However, the plan was silent on this point; it provided no guidance as to when and to what extent an evaluation should be done. Without evaluating potential strategies, IRS may not consider critical factors that impact the program’s success.

IRS’s risk management plan was not used when IRS’s Office of Chief Counsel was responsible for implementing two provisions GAO reviewed. Although these provisions primarily required legal counsel and guidance, IRS officials said that one of the provisions also affected IRS operations and could have risks that need to be managed. Additionally, GAO did not find evidence that a risk plan was used to track and mitigate risks when coordinating with partner agencies, such as the Department of Health and Human Services. Without a system for tracking shared risks, IRS is more likely to overlook risks or duplicate efforts.

Why GAO Did This Study

PPACA is a significant effort for IRS, with expected costs of $881 million from fiscal years 2010 to 2013 and work planned through 2018. To implement PPACA, IRSmust work closely with partner agencies to develop information technology systems that can share data with other agencies. Additionally, IRS is responsible for providing guidance to taxpayers, employers, insurers, and others to ensure compliance with new tax aspects of the law. Furthermore, it will be important for IRS to have systems to consistently identify, assess, mitigate, and monitor potential risks to the program’s success.

As requested, this report (1) describes IRS’s progress in addressing GAO recommendations from June 2011 on PPACA implementation, (2) assesses IRS’s revised risk management plan, and (3) assesses how IRS applies its plan in practice. GAO compared IRS’s revised risk plan to GAO’s criteria for risk management and selected 9 provisions of the law in which IRS had a role to determine whether IRS used the risk plan consistently. Because selection focused on provisions that had the most risks and highest dollar impacts, the results are not generalizable but are relevant to how IRS managed risks.

What GAO Recommends

GAO recommends that IRS (1) enhance its guidance on evaluating risk mitigation alternatives and documenting decisions, (2) use a risk management plan for work led by its Office of Chief Counsel, and (3) develop agreements with external parties to record and track risks that threaten shared goals and objectives. IRS officials agreed with all of GAO’s recommendations.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To ensure more consistent implementation of the risk management plan, the Commissioner of Internal Revenue should develop agreements with HHS (and other external parties as needed) on a system to record and track details on decisions made or to be made to ensure that risks are identified and mitigated.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Review Pending

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To ensure more consistent implementation of the risk management plan, the Commissioner of Internal Revenue should ensure that the PPACA risk management plan is applied to provisions in which the Office of Chief Counsel assumes lead responsibility for implementation.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Review Pending

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To strengthen the PPACA risk management plan, the Commissioner of Internal Revenue should enhance guidance on evaluating risk mitigation alternatives to document the mitigation alternatives considered and rationale(s) for the decisions made.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Review Pending

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To strengthen the PPACA risk management plan, the Commissioner of Internal Revenue should enhance guidance on evaluating risk mitigation alternatives to assure that resources are available for the chosen mitigation strategy.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Review Pending

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To strengthen the PPACA risk management plan, the Commissioner of Internal Revenue should enhance guidance on evaluating risk mitigation alternatives to clarify who is responsible for doing the evaluation and making decisions based on the results as well as how they might do the evaluation.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Review Pending

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.