1.29.1. Authorities and Responsibilities

(1) The IRS is subject to audits conducted by the Government Accountability Office (GAO) and Treasury Inspector General for Tax Administration (TIGTA) to ensure its programs and activities operate efficiently, effectively and according to established policies and procedures. Tracking issues, findings, recommendations, and the current status of Planned Corrective Actions (PCA) resulting from audits is mandatory to comply with the intent of the GAO standards for internal control. Treasury implemented the Joint Audit Management Enterprise System (JAMES) audit tracking system for use by all bureaus to track, monitor, and report the status of audit results.

(2) Most audit reports contain recommendations for improving internal controls or taking other steps to reduce opportunities for waste, mismanagement or misuse of resources, abuse, and fraud. The IRS is required to respond to these recommendations by stating whether or not the IRS agrees and, if so, what actions the IRS intends to take in order to implement a business solution in response to the recommendation. The steps the IRS intends to take are documented as a PCA and are discussed in attachments to the management response to the TIGTA report and to the 180-Day Letter response to Congress. They are also uploaded into JAMES for tracking and monitoring purposes.

(1) The authorities for the policies and procedures discussed in this IRM include:

• Inspector General Act of 1978, as amended, 5 U.S.C. app. (2012 & Supp. IV 2017).

• Federal Managers Financial Integrity Act of 1982 (FMFIA) (31 U.S.C. § 3512(c),(d).

• Federal Financial Management Improvement Act of 1996, (FFMIA, Pub. L. No. 104- 208, 110 Stat. 3009.

• Chief Financial Officers (CFO) Act of 1990, Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 15, 1990), as amended by the Government Management Reform Act of 1994.

• Pub. L. No. 103-356, 108 Stat. 3410 (Oct. 13, 1994).

• Title 26 authority for IRC for disclosure i.e. 26 U.S.C. 6103 and Delegation Order 11-2.

• Good Accounting Obligation in Government Act of 2019.

(2) Treasury Policy Statements provide authority for the work being done over the audit lifecycle which include:

• Treasury Directive 40-02, Corresponding with the General Accountability Office (GAO).

• Treasury Directive 40-03, Treasury Audit Resolution, Follow-up, and Closure.

• Office of Management and Budget Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control.

• Treasury Order 115-01.

(1) This section list responsibilities for:

1. Chief Risk Officer

2. Enterprise Audit Management

3. Lead Stakeholder Executive

4. Business Unit Program Managers and Subject Matter Experts (SMEs)

5. Business Unit GAO/TIGTA Audit Liaison

6. JAMES Audit Coordinators (JACs)

7. Legislative Affairs

(1) Program Monitoring: EAM participates in all stages of a GAO or TIGTA audit, supporting the affected business unit(s) and monitoring timeliness. EAM ensures that requested information is provided to the auditor on a timely basis, that management responses and planned corrective actions are effectively articulated, and that PCAs are executed and properly documented upon completion and closure.

(2) Program Effectiveness: EAM monitors business unit progress toward completing and closing PCA. EAM provides status and progress reports to IRS leadership on a regular, recurring basis.

(3) JAMES is the system of records used to monitor audit related recommendations and corrective actions taken by each bureau within the Department of Treasury. Access to JAMES is requested by EAM and controlled by Treasury through defined user roles. EAM owns relationship management responsibilities with Treasury for JAMES.

(1) Enterprise Audit Management maintains the Enterprise GAO/TIGTA Audit Database that employs access profiles (read only and read only/update) and specific data field lock down procedures to control access and information updates. Access is requested and granted through Online 5081.

(2) JAMES users are assigned specific privileges based upon their program role. The three main profiles are JAMES Editor (JE), JAMES PO (JPO), for the Bureau Program Office users (referred as JACs), and JAMES User (JU) for Bureau Program Office Read Only. Only the JAMES Editor can approve and validate PCAs for implementation in the JAMES database. JAMES Users must ensure that documentation uploaded into JAMES to support completion of a Planned Corrective Action (PCA) does not include any taxpayer data or Personally Identifiable Information (PII).

(1) 180-Day Letter – The 180-Day Letter is an updated response to a GAO final report with recommendations sent to Congress. The IRS has 180 days from the issuance of the final audit report to respond to Congress with the detailed corrective actions to be taken and time frames within which they will be implemented to carry out the recommendation(s).

(2) A6 Audit Summary Report – A report generated from JAMES is used to verify information entered into JAMES. The report contains a summary of findings, recommendations and PCAs, including the amount of any potential monetary benefits and root cause. Generally, the information in this report, for TIGTA audits, is entered into JAMES by TIGTA. EAM enters relevant data from the GAO final reports for GAO corrective actions.

(3) Agreement to Facts (ATF) – A document issued by TIGTA after fieldwork has been conducted but before any report drafts have been produced. This document represents statements about IRS programs or processes that TIGTA believes to be factually accurate based on their fieldwork and research. The IRS has the opportunity to review this document and provide corrections.

(4) Audit – An examination of government programs, operations, and/or financial records. Audit is interchangeable or synonymous with review.

(5) Audit Liaison – Business unit single point of contact responsible for audit activity within that particular business unit.

(6) Corrective Action – A detailed description of how management will implement a recommendation to address the audit finding(s).

(7) Defense Contract Audit Agency (DCAA) – The Defense Contract Audit Agency is the primary contract audit agency for the Department of Defense, which also services Federal civilian agencies. DCAA audit services are intended to be a key control to help assure that prices paid by the Federal Government for goods and services are fair and reasonable and that contractors bill the Federal Government in accordance with applicable laws, cost accounting standards, and contract terms.

(8) Discussion Draft Report (DDR) – Issued by TIGTA at the conclusion of fieldwork. Provides IRS management an opportunity to review the report for accuracy and discuss findings presented in the report, before issuance of a formal draft report.

(9) Draft Report – A formal report of audit findings and recommendations prepared after completion of an audit. The IRS is given a specified time by GAO and TIGTA to respond to the draft report, typically 30 days. EAM receives this report from GAO or TIGTA and sends an e-mail transmitting the draft report to the business units and provides guidance for developing and routing management’s response.

(10) Engagement Letter/Notification Letter – A letter sent to the IRS from GAO or TIGTA providing notification of a new audit. TIGTA typically uses the term Engagement letter, while GAO uses Notification letter.

(11) Exit/Closing Conference – Meeting to discuss GAO's or TIGTA's preliminary findings and recommendations with business unit executives. IRS provides TIGTA/GAO with their perspective/position on the audit findings and shares draft proposed corrective actions. Discussions during the exit/closing conference often forms the basis for management’s response.

(12) Extended/Delayed – An option in JAMES used to extend a PCA due date, which requires the selection of a reason code from a drop-down listing.

(13) Final Report – The final report is the final version of the GAO or TIGTA draft report that may or may not contain modifications to the findings and recommendations identified in the draft report. The final report contains the IRS management response to the draft report. Final reports are released to the public, unless designated as Sensitive But Unclassified (SBU) or Limited Official Use (LOU).

(14) Findings – Describes the deficiency or opportunity for improvement in the audit report or remediation plan.

(15) Form 13872, Planned Corrective Action (PCA) Status Update for TIGTA/GAO/MW/SD/REM Reports – The form is used by all business units to upload PCAs into JAMES, such as closing, extending the due date, and/or making status updates for audits, material weaknesses and significant deficiencies.

(16) Form 14668, IRS Quality Assurance Review of Closed Planned Corrective Action (PCA) Notification – The form used by EAM to conduct the review of PCA closures as part of the Closed Sample Quality Review.

(17) GAO Status Checkbox – Records an update in JAMES to validate the closure of the recommendation by GAO. While JAMES notates that the IRS has closed a GAO recommendation, the recommendation is not completely closed until GAO validates the closure.

(18) HOLD – The status of the PCA in JAMES when the business unit agrees with the GAO/TIGTA recommendation, deems the PCA to be mission critical but no budget funding is available for its execution.

(19) Inspection & Evaluation (I&E) – TIGTA I&E provides a range of specialized services and products, including inspections of IRS programs compliance with laws, regulations, policies and procedures and more in-depth evaluations. In addition, I&E performs reviews of internal TIGTA programs and controls.

(20) Internal Control – An integral component of an organization’s management that provides reasonable assurance that its program and activities operate according to established policies and procedures.

(21) JAMES Editor – JAMES role with access to all JAMES capabilities used by EAM and CFO-FM (for financial statement audit) to perform the following actions:

• Enter GAO/TIGTA audit report findings, recommendations, and PCAs into JAMES.

• Approve/validate status updates entered by program users.

• Reject status updates if they do not meet all reporting requirements and notify the JAMES Program Office (JAMES PO) user that the status was rejected and the reason for the rejection.

• FM Audit Team Editors are responsible for entering and validating GAO financial statement related audits.

(22) JAMES Program Office (JAMES PO) – The JAMES role used primarily by the business units to read and update PCAs and to upload supporting documentation. The JAMES PO can view LOU and SBU audit reports as long as the PCA is assigned to their organization.

(23) JAMES Recertification – Annual verification of each JAMES user account to confirm that the account is still necessary or should be removed.

(24) JAMES User (JAMES USER) – The JAMES role that provides read-only access to the JAMES database for non-SBU reports and support documentation for all business units. This role also has the capability to view LOU and SBU audit reports or use the supporting documentation feature for their assigned business units only.

(25) Job Code – Job code is the six-digit audit engagement number employed by the GAO auditors to keep track of the time spent on the actual audit.

(26) Joint Audit Management Enterprise System (JAMES) – Treasury’s web-based audit tracking system used for tracking issues, findings, recommendations, and PCAs from TIGTA and GAO audit reports.

(27) Lead or Lead Stakeholder – Business unit with primary responsibility for the subject matter of the audit and for specific audit process actions/tasks.

(28) Liaison/Representative/Coordinator – Business unit single point of contact responsible for audit activity within that particular business unit.

(29) Limited Official Use (LOU) Reports/Sensitive But Unclassified (SBU) Report - A draft or final GAO or TIGTA report limited to internal distribution because of its sensitivity. These reports are not released to the public. GAO LOU reports are limited to certain internal IRS audiences and Congress.

(30) Mid-Point Conference – Interim meeting to discuss GAO’s or TIGTA’s audit and findings to date. It gives IRS an early look at audit issues, potential findings and recommendations, and allows IRS to provide further clarification or documentation related to information shared during audit field work. EAM recommends the Lead Stakeholder Executive attends this session.

(31) Opening/Entrance Conference – At the opening conference, GAO or TIGTA outlines the scope of their audit, locations to be visited, anticipated date of completion, the names of auditors working on the job, and background information. GAO typically uses the term Entrance Conference while TIGTA uses the term Opening Conference. The Opening Conference sets the stage for the audit so expectations about recurring meetings, points of contacts, expectation of a mid-point conference, etc. should be discussed.

(32) Planned Corrective Action (PCA) – Contains a detailed description of how management will implement a recommendation to address the audit finding(s). The PCA also includes due date(s) and the responsible official(s).

(33) Recommendation – Addresses the audit finding and provides TIGTA and GAO comments to management that, when implemented, will correct the issue.

(34) Redaction – To redact language contained within a formal audit report means to “edit text for publication, censor or obscure part of the text for legal or security purposes, or to remove text from a document prior to publication or release.” This step in the review process is essential for the protection of sensitive information that could be used to circumvent the law. It is also used to withhold from the public information the disclosure of which is controlled by statute, such as IRC 6103, the Freedom of Information Act, and the Privacy Act. The redaction request is submitted to GAO/TIGTA with the management response to the draft report and should demonstrate the text to be redacted and justification for the redaction.

(35) Significant Deficiency – A deficiency, or a combination of deficiencies, in internal controls that is less severe than a material weakness, yet important enough to merit the attention of those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, detect and correct misstatements on a timely basis.

(36) Stakeholder – An organization or person with responsibility or a vested interest in the subject matter of an audit.

(37) Statement of Facts – Issued by GAO, similar to the Agreement to the Facts Report issued by TIGTA. Provides IRS management and stakeholders an opportunity to review audit findings in writing for accuracy and discuss findings presented in the report. The Statement of Facts does not always include recommendations so IRS staff should inquire if GAO will be proposing any.

(38) Status Update – Provides actions taken by the business unit that correct identified deficiencies, produce recommended improvements, and/or demonstrate progress made. For a PCA with an initial due date more than 24 months from the date of the final report (long-term PCA), a status update is required every 12 months.

(39) Supporting Business Unit – A business unit that shares some responsibility for programs or processes being audited but is not the audit’s lead stakeholder. A supporting business unit may have a small or large share of the work associated with the process under audit or may indirectly support the process itself through separate work.

(40) Unified Work Request (UWR) – indicates whether Information Technology services are involved in the completion of a PCA. The UWR must be implemented before EAM or CFO-FM will close a related PCA. Submission of the UWR does not constitute closure but should be notated in JAMES. Examples of corrective actions required UWR submissions are forms or system updates, new systems and system enhancements.

(1) The following chart contains acronyms that are used throughout this IRM

(1) Related resources for this IRM include:

1. Office of Management and Budget website at https://www.whitehouse.gov/omb.

2. Government Accountability Office website at https://www.gao.gov.

3. Treasury Inspector General for Tax Administration website at https://www.treasury.gov/tigta.

(2) Treasury Directive 40-02, Government Accountability Office (GAO) Audits.

(3) Treasury Directive 40-03, Treasury Audit Resolution, Follow-Up, and Closure.

(4) Treasury Directive 40-04, Treasury Internal (Management) Control Program.

(5) GAO Green Book.

(6) TIGTA Operating Manual (TOM).

(1) Government Accountability Office (GAO) is an independent nonpartisan agency that works for Congress. GAO supports Congress in meeting its constitutional responsibilities and helping to improve the performance and ensure the accountability of the federal government for the benefit of the American people.

1. GAO gathers information to help Congress determine how well executive branch agencies are performing. GAO routinely answers such basic questions as whether government programs are meeting their objectives or providing good service to the public. Ultimately, GAO ensures that the government is accountable to the American citizens. To that end, GAO provides Congress with the best information available to help them arrive at informed policy decisions – information that is accurate, timely, and balanced.

2. GAO has several audit teams dedicated to IRS activities. This workforce is comprised almost exclusively of career employees who have a strong knowledge of IRS programs and policies.

(2) The Treasury Inspector General for Tax Administration (TIGTA) is organizationally placed within the Department of the Treasury but is independent of the Department of the Treasury and all other Treasury offices, including the Treasury Office of the Inspector General. TIGTA focuses entirely on tax administration, while the Treasury Office of the Inspector General is responsible for overseeing the other Treasury bureaus.

1. TIGTA’s Office of Audit identifies opportunities to improve the administration of the nation’s tax laws by conducting comprehensive, independent performance and financial audits of IRS programs, operations, and activities to: assess efficiency, economy, effectiveness, and program accomplishment; ensure compliance with laws and regulations; prevent, detect, and deter fraud, waste, and abuse.

2. TIGTA’s Office of Audit program consists of reviews mandated by statute or regulation and sometimes at the request of Congress or IRS management, as well as reviews identified through the Office of Audit’s planning and evaluation process. TIGTA publishes an Annual Audit Plan at the beginning of each fiscal year.

3. TIGTA’s Office of Inspections and Evaluations provides a range of specialized services and products, including quick reaction reviews, on-site inspections of an office, and in-depth evaluations of a major departmental function, activity or program. Evaluations often result in recommendations to streamline operations, enhance data quality, and minimize inefficient and ineffective procedures

(1) GAO auditors are authorized access to returns and return information pursuant to 26 U.S.C. § 6103(f)(4)(A) and 26 U.S.C. § 6103(i)(8). GAO must notify the Congressional Joint Committee on Taxation when seeking access to returns or return information requested under 26 U.S.C. § 6103(i)(8). The basis for GAO’s authority to access tax returns and return information must be cited in GAO’s notification letter for the audit, if such access is required for the purposes of the audit. If GAO is not granted this access by Congress, then they are not authorized to receive any returns or return information during the audit. See IRM 11.3.23, Disclosure to the Government Accountability Office (GAO). GAO's access to return information is subject to the safeguarding requirements of 26 U.S.C. 6103(p)(4) and adherence with IRS Publication 1075, Tax Information Security Guidelines for Federal State and Local Agencies. See IRM 11.3.36, Disclosure of Official Information, Safeguards Review Program.

(2) TIGTA auditors have authorized access to returns and return information pursuant to 26 U.S.C. § 6103(h)(1). See IRM 11.3.22.7, The Treasury Inspector General for Tax Administration. TIGTA personnel are authorized access to all facilities, the Oversight Board, and the Office of Chief Counsel (including computer facilities, computer rooms, electronic databases and files, electronic and paper records, reports and records, as well as other material that pertains to the IRS programs and operations). See Treasury Order 115-01 on the Treasury website at https://www.treasury.gov.

1. The Treasury order covers all pre-audit activity and formal audits initiated by an engagement letter.

2. EAM, business unit audit liaisons, and appropriate IRS officials are required to cooperate with TIGTA once the TIGTA auditor shows proper identification. If the business unit audit liaison has questions regarding TIGTA’s presence, the liaison should consult with EAM.

3. TIGTA maintains their procedural guidance for conducting audits in the TIGTA Operating Manual, Chapters 300-900, on their website at https://www.treasury.gov/tigta/.

(1) GAO and TIGTA audit processes are similar. The overall process is described in this IRM in general terms. Where there are significant distinctions between GAO and TIGTA processes, they are specifically noted. See Exhibit 1.29.1-1, Audit Life Cycle.

(2) The term “auditor” will generally be used to describe both GAO and TIGTA unless there is a specific notation otherwise

(1) Using the Pre-Audit Readiness Tool fosters discussion about programs and/or processes subject to audit and identify opportunities for improvement before an audit begins. The use of the PART can assist management in fulfilling its responsibility for monitoring their internal controls and evaluating the results to ensure they are operating effectively.

(2) Conducting a more limited Environmental Scan allows the business unit to identify the program challenges and the potential issues that may arise during the coming audit

(1) Audit agencies will notify the IRS of a new audit by issuing a notification (GAO terminology) or engagement (TIGTA terminology) letter. This letter may be addressed to the responsible program executive, business unit head of office, Chief Risk Officer, one of the Deputy Commissioners, or the Commissioner depending on the scope and nature of the audit. GAO/TIGTA electronically transmits the letter to EAM via the EAM mailbox at *Audit Coordination. EAM is responsible for processing the notification or engagement letter.

(2) EAM will review the letter and identify the appropriate internal stakeholders, delineating the lead stakeholders as well as supporting business units. If the audit’s scope is too broad to clearly identify a lead stakeholder, EAM will engage with the business units who share responsibility for the program(s) being audited to obtain consensus on audit ownership.

(3) EAM will retransmit the letter internally to lead stakeholder(s) and supporting business units and identify individual points of contact within those business units in the event they differ from the designated business unit audit liaisons.

(4) If the auditor provided any additional documentation with the letter, such as Congressional authorization to access tax information or a request for information, it will also be provided to the business units. If the auditor provided any additional documentation with the letter, such as Congressional authorization to access tax information or a request for information, it will also be provided to the business units.

(5) EAM will confirm receipt of the letter with the auditor and provide appropriate contact information for the audit.

(6) EAM will update the Enterprise Audit Database with pertinent information related to the audit.

(7) Auditors will sometimes directly contact business units with notification letters or requests for information related to audits that have not yet been formally initiated. If this happens, then business units should comply with the auditor’s request. However, the business unit must also immediately notify EAM and their embedded audit liaison of the information request. EAM may need to provide special instructions or engage with the auditor, particularly if the information request is from GAO and involves providing protected tax, taxpayer, or other personally identifiable information.

(8) In addition to other recommended additions to this section, if the GAO audit involves returns or return information, the “special instructions” EAM provides to the business unit should include specific guidance for accounting for the disclosures under IRC 6103(p)(3)(A) and IRM 11.3.37. Note neither the Office of Disclosure or EAM are responsible for preparing or submitting the accountings for disclosure. The business unit employee responsible for disclosing returns or return information to the GAO auditors is responsible. If the disclosures to GAO include Privacy Act protected information (example: personnel records, travel vouchers, timekeeping records), 5 U.S.C. 552a(c) also requires an accounting of disclosure. See IRM 11.3.23, Disclosure of Official Information, Disclosure to the Government Accountability Office (GAO). The “special instructions” are contained in the Authority to Disclose letter provided by the Director, EAM to the business unit Head of Office. The Director, EAM has delegated authority to authorize the business unit(s) to disclosure federal tax information under Delegation Order 11-2, IRM 1.2.2.11.2.

(9) Auditors will provide notification to the IRS regarding any significant changes in the audit plan during the audit process, in the event the auditor deems such changes necessary. These may include scope changes, adjusted site visit plans, access to taxpayer information, audit closings or cancellations, temporary suspensions of audit activities, or other changes. If such notification is received, EAM will notify the appropriate IRS stakeholders of the change(s) as soon as possible. If the notification is provided directly to the business unit, they will forward it to EAM.

(10) TIGTA will publish or otherwise make available an annual audit plan describing audits that are scheduled to be conducted during the plan’s fiscal year. This list should not be considered definitive as audits may be cancelled or added during the year, but it is a useful planning tool for the IRS to ensure resources are available to support the audit when the time comes. The IRS is given the opportunity to suggest audits for upcoming fiscal years during an annual TIGTA data call.

(11) TIGTA sometimes engages in pre-audit activities that do not warrant or result in a formal audit notification letter. These situations can include audit planning and research activities (surveys, information gathering, etc.), and integrity projects. These activities may also be focused on a specific audit that they intend to conduct in the future. In these instances, TIGTA sends an email notification to *Audit Coordination mailbox. The e-mail indicates the audit number, if known, the scope of the work and the anticipated time frames. EAM will provide a copy of this electronically to the lead stakeholder. The IRS must provide TIGTA with requested information during pre-audit activities in the same manner as in a formal audit. This includes data as well as access to the appropriate IRS subject matter experts and/or points of contacts.

(12) If TIGTA or the Treasury OIG do not provide an audit or engagement number for the pre-audit activities, EAM will assign an internal control number. For TIGTA, the audit number is FYTRESXXX; for OIC the audit number is FYORESXXX, where FY is the fiscal year and XXX is sequential numbering; and for GAO, the audit number is FYGRESXXX, where FY is the fiscal year and XXX is sequential numbering.

(1) The IRS and auditors will generally convene an entrance (GAO terminology) or opening (TIGTA terminology) conference prior to the start of the audit. The auditor will identify their staff working on the audit, outline the scope of the audit, any locations to be visited, information that is to be requested, provide additional background, and answer questions for the IRS.

(2) The entrance/opening conference is a critical, initial opportunity for the lead IRS executive to discuss background information, provide a perspective on the program or process being audited, set expectations for the audit, including agreeing on a mid-point or other periodic briefings, and establish a positive rapport with the audit team.

(3) The business unit audit liaison for the lead stakeholder is responsible for coordinating and scheduling opening conferences with GAO/TIGTA and appropriate IRS personnel (to include EAM staff via the *Audit Coordination mailbox). EAM records the entrance/opening conference in the Enterprise Audit Database.

(4) Business units involved in the audit are responsible for identifying key staff and subject matter experts, and ensuring they participate in the entrance/opening conference and all subsequent meetings. The business unit audit liaison for the lead stakeholder must also ensure the appropriate executive is available to lead the discussion during the entrance/opening conference and is engaged in other critical audit phase milestones.

(5) Entrance conferences with GAO should be scheduled within 14 calendar days following the request for a meeting. GAO generally will not begin work until the entrance conference has occurred. TIGTA scheduling is more fluid; auditors may begin work prior to an opening conference. It is imperative that business units schedule opening conferences with TIGTA shortly after receipt of the engagement letter; especially when TIGTA has already sent an email notification of planning/research.

(6) The business unit audit liaison for the lead stakeholder is responsible for identifying and coordinating across all supporting business units, including but not limited to, meeting invites, documents and internal coordination discussions. There may be limited circumstances when EAM will serve as the coordinating organization when no one business unit owns more than half of the program or process under audit.

(1) Some auditors will use a document request log, known as an Information Document Request (IDR), for monitoring and tracking. While not a requirement, use of an IDR is mutually beneficial in tracking requests made during an audit. The audit number and title should be listed on the log and the IDR items numbered sequentially. If the auditor does not use an IDR, the business unit audit liaison may wish to create one for their own tracking purposes.

(2) Information requested by auditors should be provided as soon as possible, typically within two weeks. When a response cannot be provided within this time frame, business unit audit liaisons, in conjunction with EAM, should work with the auditor to determine an achievable timeframe.

(3) If returns, return information, Privacy Act protected information and/or PII is requested by an auditor, the IRS program owner of the information is responsible for ensuring:

• The auditor’s authorization to receive that information is properly documented.

• The information is transmitted or otherwise provided in a confidential and secure manner (with appropriate encryptions, if transmitted electronically).

• Extraneous private information is not inadvertently or unnecessarily released.

• Accountings for disclosure (GAO only) are prepared and processed. Business units may contact EAM for additional guidance, if needed.

  Note: GAO's security policy prohibits accepting emails containing return information from IRS employees, even in encrypted attachments. Transmission of SBU information to GAO should be coordinated with EAM.

(4) The audit number (and IDR number, if used) should be included in the email subject line when requested information is provided to an auditor. The business unit audit liaison is responsible for ensuring that the appropriate and correct documentation is provided and for ensuring that the documentation is maintained in accordance with record retention requirements.

(1) Auditors may choose to conduct site visits during the course of an audit. Specific sites may be identified by the auditor at the time of initial engagement, and additional sites may be added during the audit.

(2) The business unit liaison for IRS staff designated by the business unit liaison should be available in the site to ensure auditors have access to the people and information they need to conduct their audit.

(1) TIGTA is organizationally placed within the Department of the Treasury, and part of the Executive Branch of government. TIGTA auditors are authorized access to IRS offices and sites during their audit, following IRS security protocols (such as those applicable to IRS employees.).

(2) The business unit audit liaison for the lead stakeholder is responsible for coordinating site visit activities between TIGTA and the on-site personnel.

(1) GAO is part of the Legislative Branch of government; thus, site visit procedures are more complex.

(2) Site visits take place after the opening conference. GAO auditors who have been authorized to have access to IRS sites and/or tax information are listed on one of two authorization lists:

1. List of GAO personnel designated to have access to returns and return information.

2. List of GAO employees designated as agents of the Joint Committee on Taxation, Senate Committee on Finance and/or the House Committee on Ways and Means authorized to have access to tax return and return information

(3) These lists are provided to the IRS semiannually, with monthly updates, and are stored on the Audit Community Expertise (ACE) SharePoint site.

(4) If the auditor is not on the list, and/or the business unit liaison cannot verify the job code number, then the business unit liaison will notify EAM immediately and must not allow access to information. If the audit is not tax return or return information-related, the auditor may proceed with the audit with proper government identification.

(5) The business unit audit liaison for the lead stakeholder is responsible for coordinating site visit activities between GAO and the on-site personnel. In addition, the area Senior Commissioner’s Representative should also be notified of the GAO site visit.

(6) GAO sometimes contracts out audit services, and their contractors accompany them at local sites. In this instance, an IRS employee must accompany the group during the entire visit to ensure that the contractor is not allowed access to tax information.

(7) If GAO arrives without prior notice, on-site personnel and the business unit liaison should request the audit job code number and reason for the visit and contact EAM as well as the appropriate business unit leadership.

(1) At the conclusion of local site work, the auditor may hold a closeout meeting with business unit officials responsible for operations at the local site. The purpose of the closeout meeting is to:

1. Obtain local management input about observations made while at the site and provide additional information or obtain clarification.

2. Discuss the implications of the information gathered at the site.

3. Identify additional relevant information, potentially leading to further data gathering.

(2) The business unit audit liaison for the lead stakeholder is responsible for coordinating site visit closeout meeting between the auditor and IRS management.

(3) The business unit audit liaison for the lead stakeholder is responsible for notifying EAM of the meetings and elevating to EAM any significant or potentially significant issues that arose from the site visit.

(1) A mid-point conference is an interim meeting to discuss any issues, concerns, or findings the auditor has identified and may wish to share.

(2) Mid-point conferences are not mandatory, but they are good business practice because they allow the IRS an opportunity to hear early issues or preliminary findings identified by TIGTA or GAO and provide clarification, perspective or additional documentation related to the program area being audited. Mid-point conferences are critical opportunities to begin framing management’s response, remediate findings that warrant immediate action, and discern potential corrective actions. For priority or elevated audits, conducting a mid-point conference is strongly recommended.

(3) Mid-point conferences are also good opportunities to review the audit’s timetable and the projected dates for the end of field work and the issuance of reports. This will give business unit staff the opportunity to begin to prepare for the final stages of the audit process.

(4) The business unit audit liaison for the lead stakeholder is responsible for coordinating the mid-point conference and for notifying EAM of the meeting itself, and/or of any significant issues or concerns that may arise from the meeting. EAM records the date of the mid-point conference in the Enterprise Audit Database

(1) An exit (GAO terminology) or closing (TIGTA terminology) conference is held at the conclusion of an audit to verify that all information, as presented is accurate. This ends the information gathering phase. This is also an opportunity for both sides to review the findings, discuss and clarify issues, and reach consensus, if possible. After the exit conference is completed, the auditor uses the additional information gathered to prepare the draft report. EAM records the date of the exit conference in the Enterprise Audit Database.

(2) The business unit audit liaison for the lead stakeholder should schedule an internal meeting to include EAM and all IRS stakeholders prior to the exit/closing conference. The purpose of this internal meeting is to discuss the IRS’s position on the facts, findings and potential recommendations.

(3) The auditor may share a Statement of or Agreement to Facts document with the IRS prior to or for use during the exit/closing conference. This document may not contain recommendations, but the business unit audit liaison for the lead stakeholder should inquire about prospective recommendations. GAO does not typically provide recommendations in writing in advance of their draft report, whereas TIGTA will. However, GAO often verbally communicates planned recommendations during exit conferences. If there are any disagreements or concerns about the proposed recommendations or other aspects of the audit, discuss the disagreement and propose alternatives if possible.

(1) Auditors may provide a Statement of (GAO terminology) or Agreement to (TIGTA terminology) Facts document in the latter stages of an audit. This document will discuss the facts of the program or process under audit, as the auditor understands them, and may provide some insight into the auditor’s pending conclusions.

(2) If the Statement of or Agreement to Facts document is provided directly to the lead stakeholder or business unit audit liaison, it should be retransmitted to EAM via the EAM mailbox at *Audit Coordination. If the document is provided directly to EAM, EAM will retransmit it to the appropriate stakeholders and business unit audit liaisons. In either case, EAM will update the Enterprise Audit Database accordingly.

(3) EAM and the business unit audit liaison for the lead stakeholder must ensure all internal IRS stakeholders review and comment on the Statement of or Agreement to Facts document. The business unit audit liaison for the lead stakeholder may distribute an IRS Comments Matrix to capture comments, corrections, and other information by report section and page number. The matrix is typically emailed to GAO/TIGTA to facilitate discussions.

(4) The business unit audit liaison for the lead stakeholder should arrange an internal IRS stakeholder meeting to discuss comments on the Statement of or Agreement to Facts document prior to the conference with the auditors to discuss the documents to coordinate the lead stakeholder and supporting stakeholder(s) perspective and input.

(5) If a discussion of the Statement of or Agreement to Facts document is not already planned as part of the exit conference, then the business unit audit liaison for the lead stakeholder should schedule a meeting (including EAM and all other appropriate IRS internal stakeholders) with the auditor to discuss the document. EAM will record the date of a Statement of or Agreement to Facts meeting with GAO/TIGTA in the Enterprise Audit Database.

(1) After issuing an Agreement to Facts document, TIGTA will prepare and send a Discussion Draft Report to the IRS. The IRS has five business days to provide responsive comments. A Discussion Draft Report (DDR) is an informal version of an audit report and follows the same format of a Draft Report. It will generally describe the audit background, the auditor’s process, findings, general conclusions, and may include preliminary recommendations. The DDR will be shared with the IRS for review and comment.

1. Recommendations contained in a DDR are subject to change; they may be added, modified, or deleted after the DDR is shared with the IRS.

2. GAO does not issue DDRs; this process is unique to TIGTA.

(2) In some cases, TIGTA will prepare the Discussion Draft Report instead of issuing an Agreement to the Facts document. TIGTA will share the Discussion Draft Report with EAM through the EAM mailbox at *Audit Coordination. EAM will retransmit the Discussion Draft Report to the appropriate business unit audit liaisons for review and will request comments be sent directly to TIGTA (with a copy to EAM) by the designated due date.

(3) The business unit audit liaison for the lead stakeholder may distribute an IRS Comments Matrix to facilitate IRS internal review and feedback on the Discussion Draft Report. The matrix is typically emailed to TIGTA so they can review and respond to IRS comments. Preparation of an IRS Comments Matrix is a helpful tool in guiding the discussion. The matrix is a good starting point for formulating the management response to the Draft Report and identifying appropriate corrective actions.

(4) The business unit audit liaison for the lead stakeholder is responsible for scheduling, coordinating, and leading the DDR meeting to discuss IRS feedback, comments, and concerns with TIGTA. An internal, IRS-only DDR pre-meeting may also be scheduled and conducted to discuss the IRS viewpoint prior to meeting with TIGTA.

(5) Some business units hold the closing conference after receipt of the Discussion Draft Report, not the Agreement to the Facts.

(1) At the conclusion of the audit process, the auditor issues a formal draft report containing the auditor’s conclusions and any applicable recommendations. The draft report requests a formal agency response from the IRS addressing the report’s conclusions, stating agreement or disagreement with the recommendations, and describing corrective actions the IRS plans to take in response to recommendations with which the IRS agrees.

1. A formal written response from the IRS is not required if the report does not contain any recommendations. In this instance, business unit audit liaisons should engage with all stakeholders’ leadership to determine whether a response will be developed and delivered. If the business unit decides not to provide a written response on a draft report not containing any recommendations, the business unit should notify EAM via email.

2. IRS leadership may choose to provide a formal response even if the report does not contain any recommendations.

3. EAM will initiate an e-Trak control for the management response to the Draft Report upon receipt of the Draft Report and transmit this information and associated timeframes for the timely response to the lead business unit.

(2) If the report includes returns, return information, Privacy Act protected information, or PII, the lead business unit is responsible for making a request for appropriate redactions. If they have questions or would like Disclosure to review their recommendations, they (or EAM) should request a review by Disclosure, Policy & Program Operations (D-PPO) or Privacy Policy & Knowledge Management (PPKM), respectively. Guidance on redactions is available on the ACE SharePoint site. See Audit Report Redaction Request document. EAM is responsible for updating the database for the redaction request.

(3) If a business unit requests redactions, they must review the final report issued to the IRS three days before publication (TIGTA) to ensure the redactions were completed. If they were not completed, the business unit should contact EAM and their Lead Auditor from TIGTA immediately. GAO normally does not accept redaction requests; instead, they will reword the report.

(4) Auditors generally allocate 30 calendar days for the IRS to prepare and send a formal response. Under certain circumstances the response period may be considerably shorter. This is often the case near the end of the fiscal year, or when auditors are facing publishing or statutory deadlines, or when other stakeholders (such as Congress) have requested the auditor develop a report by a certain deadline.

1. EAM, business unit audit liaisons and lead stakeholders should be aware of factors that could result in the auditor requesting a short-turnaround response, including a statutory requirement that the audit be completed by a certain date (especially in the case of annual audits) or significant delays that occur during the course of the audit that may put the auditor behind schedule.

2. EAM will record and monitor the due date of the IRS formal response in the Enterprise Audit Database.

(1) The IRS’s response to an audit report generally consists of two parts – the management response (also referred to as cover letter) and the planned corrective actions. The management response is an opportunity for the IRS to address the auditor’s conclusions, provide an enterprise perspective and respond to the audit report. The auditor will publish the IRS’s management response in the final report.

(1) Responses should be developed, cleared for approval, and delivered to TIGTA or GAO within the established timeframe to minimize the need for extensions. Excessive extension requests erode our relationship with auditors, inhibit the auditors’ ability to complete reports by statutory deadlines or the deadlines set by their stakeholders, and create the risk that an auditor will publish a report without IRS input.

(2) If an extension is necessary, the lead stakeholder should:

1. Work with EAM to request the extension as early in the audit response process as possible. If the business unit secures the extension independently, the business unit must inform EAM of the granted extension immediately.

2. Justify the extension, with the reason for the delay described for the auditor.

3. Stipulate a new delivery date for the audit response.

(1) Strategies for preparing a timely response include:

1. Involve the appropriate stakeholders throughout the audit process.

2. Prepare draft response letters/memoranda and planned corrective actions as soon as possible — including before receipt of the draft report —using information from mid-point meetings, discussion draft reports, closing conferences and other audit milestones.

3. Brief the appropriate executives throughout the audit lifecycle to expedite the formal review of the IRS’s response to the draft report.

4. Ensure the executive's perspective and position is known. Ensure the response comprehensively addresses the issues and recommendations in the draft report and that it is correctly addressed, professionally written, properly formatted, and uses an appropriate tone and style to facilitate executive review.

5. Complete the signature package by including an Attachment (TIGTA memorandum) or Enclosure (GAO letter) describing the IRS’s comments in response to the audit recommendations, an Action Routing Sheet (Form 14074), Note to Reviewer For a Signature Package(Form 13839-A) and appropriate source documents.

6. Leverage templates and take advantage of additional guidance from the Audit Community Expertise (ACE) SharePoint site.

(1) The response to TIGTA will be a memorandum with an attachment to address the planned corrective actions. The response to GAO is a letter with an enclosure.

(2) Authors and reviewers should understand that the tone, content, and construction of the IRS’s response must be appropriate for a public document which may be seen by taxpayers, the media, other auditors and oversight organizations, Executive Branch leadership, Congress, and others. In other words, the audience of the response is not limited to TIGTA or GAO.

(3) The content of the response should relate directly to the auditor’s process, findings, and conclusions as stated in the draft report. The response should clearly and articulately communicate the IRS’s response and policy, if appropriate, and should make fact-based statements in support of the IRS’s position. The response should provide an enterprise perspective on the program being audited and not represent only the position of one or more business units.

(4) The audit response should clearly and specifically state the IRS’s position on each of the recommendations. If the IRS disagrees with a recommendation, then clearly and unambiguously describe the rationale for the disagreement in the response. If a partial agreement is necessary, be sure an independent reviewer would understand what the IRS is agreeing to do and what it disagreed with and why.

(5) Authors and reviewers should ensure that the response is properly addressed; i.e., the name and title of the recipient should be correct and accurately spelled.

(6) The response should be prepared to ensure the final version can be placed on the appropriate IRS letterhead and should be formatted according to the IRS Style Guide.

(1) The IRS must address the auditor’s recommendations in the formal response. In addition to discussing the IRS’s general agreement/disagreement in the management response letter, each specific recommendation is addressed in an itemized attachment to the management response letter.

1. For a TIGTA report, if the IRS agrees with a recommendation, the audit response should be clear to indicate the IRS agreement or partial agreement, and articulate the actions the IRS plans to take in response to the recommendation. These actions should be specific, focused on the issue(s) identified in the recommendation, and capable of producing a measurable, attainable and realistic outcome.

2. For a GAO report, if the IRS agrees with a recommendation, the audit response should state so and provide an overview of the actions IRS plans to take. More granular actions will be provided in the 180-Day Letter response to Congress.

3. If the IRS disagrees with a TIGTA or GAO recommendation, the audit response should describe why the IRS does not intend to pursue the matter and what other actions the IRS intends to take, if applicable. This may include changes to business processes, alternative internal controls, or other strategies for mitigating the issue. It may also include a determination by the IRS that no action will be taken because the level of risk is acceptable, or because the IRS disagrees with the auditor’s conclusions about the program and the deficiency in internal controls.

(2) Providing clear responses to recommendations allows the auditors to provide better feedback and fosters transparency as well as improved communication with our external stakeholders.

(3) If there is disagreement between IRS and TIGTA pertaining to an audit recommendation either party may elevate the disagreement to the Deputy Secretary of the Treasury after advising and consulting with the Treasury Deputy Chief Financial Officer. The business unit would contact EAM to initiate internal discussions as part of requesting elevation to Treasury. The Chief Risk Officer will represent the IRS and attempt to negotiate and resolve differences.

(1) PCAs are the specific actions the IRS will undertake in order to address the root cause identified in the auditor’s recommendation. In other words, the PCA should fix the problem or weakness highlighted by the auditors.

(2) PCAs are described in an attachment to the management response letter to TIGTA and to Congress (via the 180-Day Letter response). Generally, the attachment is formatted so each recommendation appears separately, followed by the detailed PCA(s) associated with that recommendation.

(3) Each Recommendation may have one or more associated PCA, unless IRS disagrees with the recommendation.

(4) Each PCA must describe specific steps the IRS is taking to resolve the issue, the responsible IRS official (at an Executive level); and the target implementation date. Business units may develop more detailed corrective actions to facilitate the implementation of a PCA, particularly one that is complex, multi-faceted or impacts multiple business units.

(5) Detailed PCAs are typically not provided in the management response to the GAO Draft Report. The management response should identify if the IRS agrees or disagrees with each recommendation. The 180-Day Letter response to Congress must include a detailed description of the PCA along with a discussion of the recent planning and/or accomplishments and an outline for the next steps for implementation of the recommendation. See Exhibit 1.29.1-2, 180-Day Letter Response.

(1) When preparing a PCA for an audit response, business units should ensure that:

1. The PCA describes the specific, implementable actions that the IRS intends to take to address the recommendation and resolve the control issue.

2. The actions described in the PCA can realistically be accomplished within a set period of time.

3. There is a demonstrable connection between the actions to be taken and the weakness, gap or control issue described in the recommendation. In other words, a non-subject matter expert reading the recommendation and response should be able to clearly understand how the planned actions will mitigate the finding and address the recommendation, if they are properly executed.

4. The PCA strikes an appropriate balance between risk acceptance and mitigation, cost effectiveness and resource utilization, and timeliness and need.

(2) It may not be possible to comprehensively describe all planned corrective actions in the management response due to the limited amount of time afforded to the IRS to prepare and deliver it. This is acceptable; however, as additional actions are identified during the implementation process, they should be documented as part of the PCA in JAMES so that a full record of all remediation activities is created and maintained.

(3) Auditors will sometimes stipulate specific actions they believe should be taken by the IRS to resolve the issue. However, the IRS has discretion to design and implement its own set of actions as long as those actions effectively address the root cause of the finding.

(4) Each PCA should identify (by title, business unit) a responsible official who will oversee and ensure implementation of the PCA.

(5) Each PCA should specify a target date for implementation. Target dates for the implementation of planned corrective actions should be reasonable and achievable. Business units should consider factors that could influence whether the IRS can meet target dates, including coincidence with holiday seasons or high-workload periods of the year, and the planned implementation timing of corrective actions from other audits..

(6) Once the management response is delivered, PCAs must be uploaded to JAMES for tracking and monitoring. TIGTA inputs the data from their final reports into JAMES. EAM inputs the data from the GAO final reports into JAMES.

(1) Audit responses should be prepared under the leadership of the executive with direct authority over the program under audit. In most cases this will be the same executive listed as the primary point of contact for the auditor at the end of the response memorandum/letter.

(2) For TIGTA audits, the executive with comprehensive oversight of the program under audit generally should sign the audit response memorandum or letter. In most cases, this will be the head of a business unit or their deputy. There may be circumstances, such as if the report addresses findings within a specific program that are cross-functional in nature, where it is appropriate for one of the Deputy Commissioners to sign the response.

(3) For GAO audits, the appropriate Deputy Commissioner should sign the audit response letter. The Commissioner should sign if the audit report findings are enterprise or strategic in nature and/or includes recommendations aimed at organizations under both the DCOS and DCSE.

(1) For TIGTA response memoranda, the lead business unit will submit the signed response directly to TIGTA and include EAM in the response email. The transmission email should be directed to *TIGTA Audit IRS Responses and should also copy the audit liaisons for any supporting organizations.

1. All draft management responses to both TIGTA and GAO draft reports as well as the 180-Day Letters must be reviewed by EAM before the business unit audit liaison finalizes the response and routes it for business unit approval.

2. The draft management response package should be provided directly to the EAM Director with a copy to the *Audit Coordination mailbox at the same time that the package is provided to the business unit’s first level executive for review. EAM will review the package for enterprise perspective and provide feedback within 2 business days.

(2) For IRS management responses to GAO draft reports, EAM will coordinate clearance of the signature package through the appropriate signatory executive (Deputy Commissioners or Commissioner), including creating the e-Trak control when the draft report is received. For 180-Day Letters, Legislative Affairs will coordinate clearance of the signature package through the appropriate signatory executive (Deputy Commissioners or Commissioner).

(3) If the response is to be signed by either of the Deputy Commissioners or the Commissioner, the clearance requires a minimum of five (5) business days for review and routing to each of the following: Deputy Commissioners, Chief of Staff and Commissioner for approval and signature. In addition, an additional two (2) business days is needed for processing by EAM or Legislative Affairs. For signature packages going to either Deputy Commissioner, the package needs seven (7) business days for review. For signature packages going to both Deputy Commissioners, the signature package requires twelve (12) business days. For signature packages going to the Commissioner, both Deputy Commissioners must review before it is provided to the Chief of Staff for the Commissioner’s signature, so the signature package requests seventeen (17) business days.

(4) A pen-and-ink signature is preferred but an electronic signature is acceptable.

1. If a pen-and-ink signature is used, after the signature is applied, the signed document should be scanned for electronic transmittal to the auditor. When scanning, ensure that the scanner is set to the highest possible scan resolution (usually expressed as the largest DPI – or Dots Per Inch – number in the scanner’s settings). A high-quality scan is important because the electronic file will be used in the publication of the audit report, and the IRS’s response must be crisp and easy for a reader to see.

2. Once the package is signed, the final version needs to be returned to either EAM or Legislative Affairs (depending upon the package) so that the electronic version may be transmitted to TIGTA or GAO or the appropriate Congressional members (for 180-Day Letters).

3. Once the management response is transmitted, EAM will update the database and ensure that the final version has been uploaded to e-Trak and the e-Trak control closed, which includes the management response and other documents such as the Note to Reviewer and Action Routing Sheet. EAM will also send the final version of the management response to all business units (lead and supporting).

4. For responses to GAO draft reports, EAM will provide a copy of the final version to Legislative Affairs, who will open an e-Trak control for the 180-Day Letter. EAM will use the information from the e-Trak control to update the database pertaining to the due date of the 180-Day Letter.

(5) If the response contains personally identifiable information (PII) or other data that should remain confidential, follow all appropriate procedures to securely transmit the response to the auditor while minimizing the risk of inadvertent disclosure.

(1) Any draft audit report provided to the IRS by any auditor, at any stage of the process prior to publication of the final, public report, is considered privileged information and must not be distributed beyond those with a “need to know.” Draft audit reports may not be shared with entities outside of the IRS. TIGTA and GAO have a separate, independent mechanism for sharing information with one another. The auditors must engage with each other directly; the IRS may not act as a middleman.

(2) If a non-IRS entity, including the Treasury Department or other auditors, asks an IRS stakeholder or business unit audit liaison to share a draft audit report, they must decline to share the document and refer the requestor to EAM.

(1) Auditors will issue the final report to the IRS via the EAM mailbox at *Audit Coordination. EAM will retransmit the final report to appropriate IRS stakeholders.

(2) If a GAO audit contains recommendations, the publication of the final report starts a 180-day period during which the IRS is required to prepare and submit to Congress an update on PCAs. This response is referred to as the “180-Day Letter”. If GAO provides the final report to their Congressional client, at the request of the Congressional client, the report may be held for up to 30 days before the final report is released to the IRS or the public.

(3) In accordance with the Inspector General Empowerment Act of 2016, TIGTA will publicly release an audit report within three calendar days of issuing the final report to the IRS. If TIGTA prepares a press release, TIGTA notifies IRS and shares a copy.

(1) Final audit reports may be classified as Limited Official Use (LOU) or Sensitive But Unclassified (SBU) because the information they contain is sensitive or could compromise IRS operations if widely known. Examples include reports on computer system security, physical security, and compliance activities involving the Law Enforcement Manual. When a report receives an LOU or SBU designation, its distribution will be limited to key IRS offices and personnel, and possibly certain external stakeholders (such as Congressional oversight committees). Auditors may publicly release redacted or otherwise sanitized versions of LOU or SBU reports.

(2) Information in LOU or SBU reports must be safeguarded in accordance with IRM 10.2.15, Minimum Protection Standards and IRM 10.5.1.2.2, Sensitive But Unclassified (SBU) Data. EAM and other IRS offices who receive copies of LOU or SBU reports must ensure that only individuals with a business need to know are privy to the contents of the report.

(3) LOU and SBU reports are not uploaded to the Enterprise Audit Database; they will be stored separately on a restricted-access section of the EAM Shared Drive.

1. If TIGTA disagreed with any portion of the IRS response – particularly the IRS’s response to TIGTA’s recommendations – the audit report will include additional narrative under the heading of “Office of Audit Comments.”

2. TIGTA may also issue a memorandum to the Commissioner requesting a written reply to the Treasury Deputy Secretary if TIGTA considers the disagreement to be significant. If this happens, EAM will provide situation-specific guidance.

(4) Once the final report is received, EAM will update the Enterprise Audit Database.

(5) An audit report with recommendations and associated PCAs requires additional processes and actions on the part of EAM, IRS stakeholders and business unit audit liaisons including validating JAMES input of data from the final report and monitoring the completion of corrective actions.

(1) PCAs are completed timely we the following occurs:

1. The PCA was implemented on or before the assigned due date in JAMES.

2. The complete description of the action taken addresses each specific issue set out in the PCA.

3. The action(s) taken agrees with the stated PCA and is fully implemented.

4. Form 13872 with the official signature of the executive, and the manager responsible for the PCA, or their designee and supporting documentation is uploaded into JAMES for each implemented PCA.

5. Sufficient supporting documentation substantiating completion of the closed PCA is approved by the responsible official and uploaded into JAMES.

(2) Business units may submit PCAs for closure once the business unit has completed the actions required to address the recommendation and mitigate the control issue. In order to close a PCA, the business unit must upload to JAMES the following:

1. A completed Form 13782.

2. Documentation supporting the business unit’s efforts to develop and implement a corrective action plan.

(3) EAM requests a lead time of five business days to evaluate documentation provided by the business unit to support a request to close a PCA. Submitting a PCA for closure to EAM with less than five business days remaining before the due date may result in a missed deadline if EAM is unable to complete an evaluation in time, or if the documentation is deemed insufficient for closure. EAM performs a 100 percent pre-closure review of the documentation submitted to close a PCA.

(4) All material associated with the request to close a PCA must be uploaded to JAMES. The only exception is material that contains PII or other sensitive data that should not be uploaded to a non-IRS information technology system. Material that cannot be stored in JAMES must be stored on EAM's secure Shared Drive and maintained with the same retention standards as material in JAMES.

(5) All PCAs and related materials, including Form 13782 and all supporting documentation, are potentially subject to post-closure evaluation. This includes:

1. Audit activity conducted by GAO or TIGTA.

2. Internal Control Reviews conducted by the CFO, Internal Controls, Outreach, Assessment, and Reporting organization.

3. Quality Assurance Review of Closed PCAs conducted by EAM.

(1) An extension to a PCA due date may be requested when management has determined that the PCA cannot be completed by the scheduled due date. To request an extension, a JAC should:

1. Utilize Form 13872 to select the reason for the delay from the drop-down list (Question 4c Reason for delay) and describe the reasons for the delay under Question 7 Specific action taken.) Form 13872 requires the official signature of the executive and the manager response for the PCA. See Exhibit 1.29.1-3, Categories for Delays/Extensions in JAMES which provides brief definitions of the various reasons for delay.

2. Enters the specific action taken narrative information from the documentation into JAMES, as entered on Form 13872 into JAMES.

3. Upload the documentation into JAMES and select the reason for the extension using the reasons listed in Exhibit 1.29.1-3, Categories for Delays/Extensions in JAMES.

4. The JAC must have the PCA extension request with required official signatures in JAMES on or before the PCA due date otherwise the PCA will be recorded as a “Missed”.

5. Once the Responsible Official(s) in EAM approve/disapprove the extended due date, the action is updated in JAMES as well.

(1) GAO and TIGTA expect the IRS to develop and maintain strong evidentiary documentation demonstrating that appropriate corrective actions were taken. The IRS’s supporting documentation is subject to internal review by Program Managers and follow-up audits by TIGTA or GAO. The IRS must maintain thorough documentation in support of its efforts to address control issues (which are revealed through audit findings and addressed by auditor recommendations).

(2) The Form 13872 will be considered complete if:

1. All applicable fields are completed.

2. Complete descriptions of the specific actions taken to close PCAs are provided on the form.

3. Details on the steps taken to develop and execute the corrective actions are recorded.

4. Appropriate business unit responsible officials have signed the form. This includes both the manager responsible for implementing the PCA and the executive responsible for the PCA. (If this happens to be the same person, the next highest level of executive should sign as the “executive responsible” in order to ensure that a separation of duties exists and a distinct review and approval of the PCA has taken place.).

(3) EAM will consider the following when evaluating whether the supporting documentation is sufficient to justify closure of the PCA, and/or when conducting a closed PCA quality review:

1. Supporting evidentiary documentation accompanying a request to close a PCA should describe the work that the business unit performed to plan and execute corrective actions. For example, it is insufficient to state that a system upgrade was completed; the documentation should show how and when it was completed, and what actions were performed (e.g. migrate to new servers, purchase additional software, etc.) to complete the PCA.

2. PCA outputs should be available as supporting documentation; e.g. if a PCA specifies that a training plan will be completed, the final training plan should be provided as documentation.

3. Business units should also provide materials that support the process used to complete a PCA. Continuing the training plan example, if a business unit used a survey or other tool to evaluate training needs, a copy of that survey or tool may be included as supporting documentation.

4. The results of objective, data-driven analyses used in the creation and execution of a PCA may be included as supporting documentation.

5. Proof that required actions were taken should be included. For example, if a population of employees was supposed to complete a training course, evidence that they all completed the course by a certain date should be included. Similarly, if organizations had to review and certify that security requirements are in place, documentation of that self-certification should be provided.

6. Documentation of purchases, resource reallocations, or other required financial activities should be provided. Examples may include completed purchase orders, funding realignment reports from the Integrated Financial System, or proof of receipt and acceptance.

7. If new controls have been implemented as a result of the corrective action, and if the controls have been tested to demonstrate they are effective, documentation such as test plans and/or results of that testing may be provided as supporting material as well.

8. EAM will consider other potential criteria and sources of documentation not listed here if appropriate to the situation. See Exhibit 1.29.1-4, Evidentiary Documentation Examples for other examples of appropriate documentation.

(4) If EAM deems the supporting documentation to be insufficient when the PCA is submitted for closure, the PCA will not be closed and the business unit will be asked to provide additional and/or stronger supporting documentation before resubmitting the PCA for closure.

(5) If EAM deems the supporting documentation to be insufficient during a closed PCA quality review, EAM will contact the business unit responsible for the PCA and require it to identify and provide additional and/or stronger supporting documentation.

(6) PCA documentation must be stored on JAMES unless it contains PII, in which case it may be stored on the EAM secure internal Shared Drive. In these cases, however, the retention period will still apply to the Shared Drive, and the Shared Drive data must remain accessible to both auditors and appropriately authorized IRS personnel until the retention period expires.

(1) PCA documentation must be properly maintained by the responsible business unit as well as other entities with reason to possess or access this information. This includes both EAM and the Department of the Treasury.

(2) PCA documentation must be retained for a period of time consistent with internal IRS guidance and with Treasury’s JAMES data retention requirements. In the event the length of the required retention periods varies, the longest of the retention periods should be used.

(1) Recognizing the importance of evidence that planned corrective actions were taken in response to TIGTA and GAO findings and recommendations, EAM, in consultation with RAAS, established a process requiring a monthly quality review of closed planned corrective actions. Adequate documentation also provides assurance to our auditors and other external stakeholders that the IRS effectively addressed audit recommendations by designing and implementing appropriate solutions.

(2) PCAs are approved for closure in the JAMES by staff from EAM. The quality review process involves a careful review of the documentation provided by the business unit, including the Form 13872 and any evidentiary documentation provided to support the PCA closure. The reviewer pays careful attention to the quality and completeness of the documentation provided and whether or not the PCA, as outlined in the management response or 180-Day Letter, was fully implemented.

(3) The quality review is performed by a different EAM staff member than the one who originally approved closure, thus ensuring separation of duties.

(1) The Joint Audit Management Enterprise System (JAMES) is the system of record used to monitor audit related recommendations and corrective actions taken by each bureau within the Department of the Treasury. Findings and recommendations extracted from the GAO and TIGTA audit reports are tracked in JAMES. The current status of PCAs for related recommendations, material weaknesses, significant deficiencies, and remediation plans are also tracked. In order to comply with the intent of FMFIA, OMB Circulars, and Treasury Directives, tracking these audits and PCAs is mandatory.

(2) The information contained in JAMES is used by Treasury to assess the effectiveness and progress of bureaus in correcting their internal control deficiencies and implementing audit recommendations. PCAs are entered into JAMES and must be updated on or before their scheduled due date to reflect their current status.

(3) JAMES allows bureau users to run reports to assess the effectiveness of programs, query by topic, and create reports.

(4) JAMES tracks status updates to support timely completion of PCAs for:

1. Audit Reports (GAO and TIGTA)

2. Inspection & Evaluation reports (TIGTA)

3. Material Weaknesses

4. Significant Deficiencies and existing Reportable Conditions

5. FMFIA Remediation Plan Actions

(5) Treasury upgrades the disaster recovery servers annually. This requires EAM to test and verify access to JAMES before and after Treasury has completed the server upgrade to ensure that all JAMES users can access the new URL without interruptions. This also requires that all user identifications and passwords are active while in the disaster recovery environment. EAM works with the Treasury Financial Analysis and Reporting System (FARS) help desk to resolve any discrepancies. This exercise usually lasts about two weeks.

(1) Root Cause is the primary issue identified by the auditors which gave rise to their finding. Audit reports often discuss multiple findings and the process of identifying the finding is subject to interpretation. Audit reports with positive findings and no recommendations will not have a root cause recorded in JAMES. See Exhibit 1.29.1-6, Root Cause for Findings – Definitions & Examples.

1. TIGTA audit report findings are recorded by the TIGTA audit team responsible for producing the report, and the root cause reason code selection will reflect their evaluation.

2. GAO audit report findings are recorded by EAM. Report findings are discussed in the GAO report and the root cause determination is made by EAM based on information contained in the GAO audit report.

3. Business units will have the opportunity to review GAO root causes and request changes during the normal audit report verification process

(1) Background

1. The Hold feature was instituted as a result of IRS senior leadership concerns about committing to corrective action(s) when budgetary or other constraints were likely to inhibit implementation. An IRS recommendation placed on Hold is recorded in JAMES without a planned corrective action or due date. However, the business unit must input appropriate information in the Comments section to outline the actions that would represent the PCA to document the underlying actions for which they are seeking funding. Input from management’s response outlining why the Hold is being utilized is documented in JAMES.

2. A recommendation is placed on Hold when there is agreement with the finding, the recommendation is in an area considered mission-critical and there are no resources available at the time the draft report is issued. Business units are responsible for periodically re-assessing the recommendation during the budget process. Actions taken to attempt to secure funding must be documented.

3. A recommendation can stay in the Hold category for up to 3 years, with the possibility of a 1-year extension, if requested. If funding is not available at the conclusion of the 3-year period (or 4 years, if an extension is granted), the recommendation may be rejected in JAMES which will be determined after the business unit consults with EAM on next steps.

4. At any time during the 4-year period, when funding/resources become available, the business unit responsible official will advise their JAMES audit coordinator that a PCA can now be entered. The business unit JAC will provide all necessary details to EAM. EAM will update the record with the PCA, responsible official and planned implementation date. The PCA must be opened immediately after securing funding or resources and stay in “open” status while the activities associated with the corrective action is being completed and/or implemented.

5. EAM distributes a quarterly monitoring report of all recommendations placed on Hold to ensure leadership maintains awareness, particularly during the budget cycle.

(2) Using the Hold Feature:

1. Executive level approval is required to place a recommendation on Hold; approval is signified by the executive’s signature on management's response to the TIGTA or GAO report.

2. When considering whether to place a recommendation on hold, a business unit should evaluate whether the recommendation will result in a critical and necessary improvement in a mission-critical area, and whether resources are available to implement a corresponding corrective action.

3. If the audit finding is invalid or the recommendation addresses a non-mission-critical area, the recommendation should be rejected as opposed to put on Hold.

4. If resources are available and the audit finding addresses a mission-critical area the recommendation should be agreed to as opposed to put on Hold.

(3) Management Response Letter:

1. Management’s overall position on each recommendation should be clear to any reader. Likewise, it should also be clear if a recommendation is going to be placed on Hold.

2. It is important to note that in JAMES, it is the recommendation that is placed on Hold, not the corrective action. The IRS should not commit to corrective actions when budgetary and resource constraints will prevent their implementation. However, the actions planned should be notated in JAMES comments, detailing what activities will be undertaken if the funding/resources are secured.

   Note: If the IRS placed a corrective action on Hold, and within three years funding becomes available, the corrective action initially committed to may be outdated, technologically obsolete, or no longer considered necessary. Putting the recommendation on hold allows management to fully consider what actions are necessary at the time funding is available.

(4) Management Response Letter - Hold Wording

1. Here is an example to consider when developing a management’s response statement indicating the IRS is putting a recommendation on Hold: "While we agree with this recommendation, we are unable to commit to implementing a corrective action now, due to budgetary constraints. This recommendation will be placed on Hold in JAMES, pending the availability of required funding."

2. This statement or a similar one should be used and will be the key indicator to the auditor that the IRS intends to place the proposed recommendation on Hold until a funding determination is reached.

3. The response will be uploaded into the JAMES database. If TIGTA auditor(s) provide an Office of Audit comment, it too will be uploaded into JAMES. (During discussions with TIGTA/GAO, be sure to share your intent to place the recommendation on Hold. You may also suggest alternative recommendations which do not require funding.).

(5) Hold Resolution:

1. Once the maximum Hold period has expired, the business unit will make one of two required determinations about funding availability.

1. For recommendations where funding is made available, the JAMES recommendation status will be changed to Open and a corrective action will be required to be uploaded into JAMES with the planned completion date.

2. For recommendations where it is evident funding will not be approved or available, the business unit will collaborate with EAM to determine the appropriate next step.

(6) Managing Hold Recommendations:

1. EAM will update the inventory of recommendations placed on Hold as reports are entered into the system and distribute the information quarterly to the appropriate senior management officials of affected business units.

2. EAM will establish an initial hold status internal date for the business unit JAC to update the status of a recommendation placed on Hold. This hold status internal date will be 1 year after entry of the report into the system.

3. Business unit JACs will receive a systemic notification 30 days prior to the hold status internal date. The business unit JAC will be required to report on the actions planned and/or taken to date to identify available funding. Based on the scope of the actions to be addressed as outlined in the Comments field, a follow-up milestone, from 6-8 months will be established by the Responsible Official(s) in EAM.

4. Each business unit JAC will be required to place their status update comments into JAMES utilizing the “Add Status/Comment” functionality. The A6 Audit Summary report can be utilized for sharing this information.

5. For every recommendation placed on Hold, the business unit should coordinate with IT, CFO and/or other support stakeholders to provide status comments for the hold status update. These comments will become part of the audit record.

6. Each business unit should maintain a priority listing that includes all of their Hold recommendations when there is more than one Hold recommendation outstanding. Business units should re-prioritize their Hold recommendations inventory based on mission criticality: when new recommendations are place on Hold, when recommendations are dropped from inventory due to the assignment of a PCA with an actionable due date, and when recommendations are rejected (closed) due to lack of funding availability.

Note: One recommendation will require multiple status updates throughout the three-year period, but only one hold internal status date at a time will be evident in the system.

(7) Updating Hold Recommendations - Funding Availability versus No Funding:

1. When funding becomes available, the JAMES recommendation status must be changed from Hold to Open and a corrective action must be uploaded into JAMES with the planned completion date.

Note: The status for Hold recommendations that require the submission of a Unified Work Request (UWR) to IT must be changed to Open and a corrective action entered when the UWR is approved and a target implementation date has been established.

2. When it becomes evident that no funding will be provided, the business unit and EAM will collaborate to identify next steps and any changes in the JAMES recommendation status

1. The business unit will prepare a Form 13872 indicating that a Planned Corrective Action is to be recorded. The PCA should be entered into Box 6. The planned implementation date should be entered into Box 4b.

2. The business unit must obtain all required approvals for the Form 13872 and submit it to Responsible Official(s) in EAM for recording.

3. Responsible Official(s) in EAM will record the Open status change for the recommendation on Hold, enter the PCA with the established due date, and confirm the information through the A6 review process.

4. Each business unit will be responsible for processing closures/delays following current JAMES/EAM documentation guidelines. When it becomes evident that no funding will be provided, the business unit and EAM will collaborate to identify next steps and any changes in the JAMES recommendation status.

(1) Managing Long-term PCAs or Long-term PCA Extension

1. The Responsible Official(s) in EAM will establish an initial milestone date for the business unit JAC to update the status of PCA with a due date greater than two years. This milestone date will be 12 months after entry of the report into the system.

2. Business unit JACs will receive a systemic notification 30 days prior to the milestone date. The business unit JAC will be required to report on the actions planned and/or taken to date. Based upon the scope of the actions to be addressed as outlined in the Comments field, a follow-up milestone date will be established by EAM. The milestone field will display the most recent date in the field. The history button (located under “Milestone Date”) will display all previous status dates.

3. Each business unit JAC will be required to place their status update comments into JAMES utilizing the “Add Status/Comment” functionality. The A6 Audit Summary report can be utilized for sharing this information.

(2) Requesting Cancellation of a PCA/Rejection of a Recommendation – TIGTA: Business unit management, after consultation with and concurrence from the EAM Director, should submit requests for cancellations of PCAs or rejections of recommendations directly to TIGTA. Any related correspondence must be sent to EAM and uploaded into JAMES as documentation. Approved PCA cancellations must be entered into JAMES by EAM.

1. TIGTA written concurrence is required to reject recommendations and cancel corrective actions that were originally agreed to in the final audit report. Typically, the audit director or executive in TIGTA responsible for the related audit should be contacted. Business unit cancellation or rejection requests must identify the report, finding, recommendation, and PCA., if appropriate.

2. Requests must include the reason the corrective action or recommendation will not be implemented and the effective date for the cancellation or rejection. The JAC, along with the responsible business unit, can work with TIGTA before the official memo is sent because TIGTA may require information before agreeing to the requested action.

3. If TIGTA concurrence is received, the JACs will upload the concurrence memo, and supporting documentation (if applicable) and enter comments. The JAC will send a request to EAM to enter the cancelled or rejected status into JAMES. EAM will validate the request.

(3) Requesting Cancellation of a PCA / Rejection of a Recommendation - GAO: Business unit management, after consultation with and concurrence from the EAM Director, should submit requests for cancellations of PCAs or rejections of Recommendations directly to GAO. Any related correspondence must be sent to EAM and uploaded into JAMES as documentation.

1. The business unit provides GAO a written concurrence request to reject a recommendation or cancel a corrective action that was originally agreed to in a 180-Day Letter. Typically, the executive in GAO responsible for the related audit should be the recipient.

2. The business unit request should be presented to GAO, via memorandum or email, identifying the report, finding, recommendation, and PCA. The request must include the reason the corrective action or recommendation will not be implemented and the effective date for the cancellation or rejection. The JACs along with the responsible business unit can work with GAO before the official memo is sent as GAO may require information before agreeing to the requested action.

3. If GAO concurrence is received, the JAC will upload the concurrence memo and, support documentation (if applicable) and enter comments. The JAC will send a request to EAM to enter the cancelled or rejected status in JAMES and EAM will validate the request.

(4) Re-Opening a PCA

1. To reopen a PCA, the business unit JAC must provide to EAM an email with justification for the reopen request (which usually occurs after dialogue with the auditor) along with Form 13872 with all required approvals. The Form 13872 and email are stored in JAMES.

2. In most cases depending on the action taken/system limitations, the original PCA will remain closed and the BU will request a new (replacement) PCA be added to JAMES (e.g., 1-1-1 will be replaced with 1-1-2 with a new action). Instructions for completing Form 13872:

3. Instructions for completing Form 13872:

i. The new PCA number should be entered into Box 1c.

ii. The status of progress report should be entered in Box 4a.

iii. The new planned implementation date should be entered into Box 4b.

iv. The new PCA should be entered into Box 6.

v. The new PCA request, justification, and responsible organization should be entered into Box 7.

4. After the request is received from the business unit JAC, EAM works with Treasury to reopen the recommendation which allows the PCA to be reopened or new PCA added and confirms the information through the A6 review process. Each business unit will be responsible for processing the closures/delays following current JAMES/EAM documentation guidelines.

(5) Revised/Cancelled - Replaced Corrective Actions

1. Whenever business unit management requests a revision to a TIGTA or GAO PCA, the following must be specified:

i. Reason the action is being revised.

ii. Description of the new action.

iii. Revised due date, unless the original due date is still applicable.

2. If the PCA is being cancelled and replaced with another action, EAM will cancel the original PCA and replace it with a new PCA in JAMES. The new PCA will be linked to the original PCA for tracking purposes. (e.g. 1-1-1 will be cancelled and replaced with 1-1-2 with a new action).

3. Instructions for completing Form 13872.

i. The new PCA number should be entered into Box 1c.

ii. The status of progress report should be entered in Box 4a.

iii. The new planned implementation date should be entered into Box 4b.

iv. The new PCA should be entered into Box 6. The new PCA request, justification, and responsible organization should be entered into Box 7.

v. The Form 13872 and concurrence memo (email) are stored in JAMES.

(6) Transfer of Ownership for Audit Recommendations:

1. A PCA being transferred to a different business unit must have signed concurrence from the receiving executive, accepting responsibility for the PCA. An e-mail from the accepting executive is sufficient.

2. The transferring official will provide the new responsible official with the necessary JAMES reports and any other pertinent documentation to ensure timely reporting.

3. Senior executives can make transfers of responsibility within their subordinate functional area without the required concurrence of the accepting official.

4. When this occurs, the senior executive and/or JAC will need to notify EAM of this change, so that the responsibility codes can be changed in JAMES.

(1) EAM Monthly Audit Reporting - EAM prepares statistics monthly to keep management informed of the progress of PCAs. These statistics reflect current month and year-to-date performance percentages on how well the business operating divisions are doing in implementing their PCAs timely.

(2) EAM provides a quarterly snapshot of the PCA inventory to the Management Controls Executive Steering Committee as well as ad hoc briefings with senior leadership.

(3) Quarterly Forecast - EAM prepares a quarterly forecast of PCAs that projects whether business units plan to meet or extend any PCA due dates. In addition, the business units identify PCAs that require IT involvement, providing clarifying information (i.e. Work Request, Work Order #, and points of contact) that would allow IT staff members to research and identify the status of the action item and determine potential effect, if any, on the successful completion of the PCA. It also requires the business units to assess whether the IT action will prevent closure of the PCA. The Business Units are asked to review the Quarterly Schedule of open PCA’s and 1) Indicate whether they intend to meet “met” or “extend” the due date for each PCA; 2) Identify whether the respective PCA includes any actions that require IT involvement; and 3) If IT Involvement is indicated, describe (i.e. Work Request, Work Order #, POCs, etc.).

(4) On the monthly Scorecard Report, the following definitions are used:

1. MET - PCAs that were implemented on or before the scheduled PCA due date.

2. MET PRIOR PERIOD - PCAs that were implemented before the current PCA due date and before the timeframe of the scorecard reporting.

3. MISSED - PCAs that were never implemented or that were implemented, cancelled, or extended after the scheduled PCA due date.

4. CANCELLED - PCAs that were cancelled on or before the scheduled PCA due date.

5. EXTENDED/DELAYED - PCAs that were extended on or before the scheduled PCA due date and the final implementation was not accomplished by the due date established by the responsible organization.

(1) Only dollar-related outcome measures are tracked in JAMES. These are referred to as monetary benefits and must be addressed before a PCA can be closed. Examples include cost savings, funds better used, and revenue potential. A statement explaining actions taken to realize the amount must be included when the PCA is updated and noted on Form 13872. A thorough explanation as to how the monetary benefit calculation was obtained must be provided, even if the net results are less than what was originally agreed to and/or result in $0 dollars realized.

(2) Simply indicating $0 without an explanation and/or “No Monetary Benefits Realized” is not acceptable and will not be validated EAM. If management disagrees with the TIGTA potential benefits estimate, the disagreement must be stated in the IRS’s official Management’s Response to the Draft Report. When monetary benefits are not addressed by management in the final response, it is concluded that the IRS agrees with the monetary benefits stated in the final audit report.

(3) Any disagreement after the final report is issued must have a signed concurrence (either original or electronic) from TIGTA to close the recommendation/PCA without addressing the realized benefits, and a copy must be provided to EAM.

(4) To document disagreement with TIGTA’s stated potential monetary benefits, $1 is entered in the PCA section of JAMES in the realized monetary benefits field as notification to the Department of the Treasury that management disagreed with TIGTA regarding the estimated monetary benefits. (No further monetary benefit action is required in JAMES).

(5) If a portion of the dollar amount was realized, indicate the amount realized in the appropriate box in the PCA section of JAMES and provide an explanation/calculation in the status field that describes the basis for the amount realized and a reason for the amount not realized, if appropriate.

(6) If monetary benefits have been identified and a PCA contains more than one responsible official, management should determine during the draft stage of the audit report response who will report on the potential benefits.

1. If a recommendation contains multiple PCAs and monetary benefits have been identified for one of the PCAs, the other PCAs related to that recommendation will be affected in JAMES. The responsible official for the PCA containing the monetary benefits must address the benefits before the PCA can be closed in JAMES.

2. The responsible official for the remaining PCAs will enter $0 in the appropriate box and report in the status field that monetary benefit has been or will be addressed in the PCA by another named official.

(7) If management disagreed with the benefits, $1 will appear in JAMES for all related PCAs associated with that recommendation.

(8) If TIGTA issues an audit report where the PCA has been implemented but the recommendation contains monetary benefits, EAM will notify the business operating division(s) that the recommendation is closed but management still needs to address the monetary benefits.

(9) If management cannot provide the realized monetary benefits amount upon request, a due date must be provided indicating when the monetary benefit information will be provided.

(10) If management cannot timely address the monetary benefits and does not provide a due date, EAM will enter a two-month due date for management to provide the necessary data, even though the PCA is considered closed.

(11) Responsibility for addressing the outcome measure(s) must be assigned during the draft audit stage, not when being entered into JAMES.

(12) If cost savings cannot be realized, enter $0 in the appropriate box. This indicates that management agrees with the amount of the questioned costs, but the cost cannot be reimbursed or offset. This should also be reflected on Form 13872 with an explanation stating why the cost cannot be reimbursed or offset.

(13) If unique situations occur, they will be handled on a case-by-case basis and involve all parties concerned.