Achieving the IRS’ strategic goals will require change at every level of the organization, from front-line employees to top managers. During this process, it is helpful to articulate principles that guide our actions. These five guiding principles are a link between our goals and the actions we take to achieve them.

Purpose of the Management Controls Accountability Program Handbook for Managers

As IRS managers, you are responsible for ensuring that your programs and organizations are managed effectively, and that financial, information, property, and human resource assets are protected and used wisely. The purpose of the Management Controls Accountability Program (MCAP) Handbook is to provide managers with a methodology for implementing management controls within their program to ensure effective management and protection of assets.

The Service’s Guiding Principles emphasize that managers must be accountable, acknowledge and address problems, and perform with integrity. The MCAP supports these principles as well. The MCAP fits the Service’s overall Management Model. The Management Model and the MCAP are based on a linked system of management processes (Plan, Do, Review, and Revise). Both the MCAP and the Management Model support the new mission, strategic goals, and guiding principles of the Service and offer a framework for managing in a Balanced Measurement System environment.

The Handbook provides an overview of the MCAP, which supports the Federal Managers Financial Integrity Act (FMFIA) process. It was developed for managers at all levels of the organization and takes a “one-size-fits-all” approach. It is designed to help managers understand their responsibility for implementing, maintaining, and reporting on management controls. Management controls are the programs, policies, and procedures established to ensure that:
• mission and program objectives are efficiently and effectively accomplished;
• programs and resources are protected from waste, fraud, abuse, mismanagement, and misappropriation of funds;
• laws and regulations are followed;
• financial reporting is reliable; and
• reliable information is obtained and used for decision making.

This Handbook conforms with the General Accounting Office (GAO) Standards for Internal Control in the Federal Government, issued November 1999 and describes and explains the:
• definition of management controls;
• importance of management controls;
• manager’s roles and responsibilities;
• MCAP Process;
• Annual Assurance Reporting Process; and
• tracking and follow-up system for Corrective Action Plans.

All IRS managers must have a copy of this Handbook.

This Handbook refers to the duties of the MCAP Coordinator. The MCAP Coordinator provides support and guidance to executives and managers on conducting the MCAP. Placement and extent of involvement of the MCAP Coordinator may vary depending on the structure, size, and complexity of your organization. This Handbook is not intended as a desk guide or manual for the Coordinator. A separate document and training materials will be developed specifically to meet the needs of MCAP Coordinators. Where the Handbook uses the term “Head of Office,” it refers to the appropriate executive level within your organization.

The importance of management controls cannot be overstated. As IRS transitions into the re-engineered core business activities and our modernization plans become a reality, all managers must continue their commitment to implementing effective and efficient management controls. Without effective controls, the Service risks wasting program dollars, and worse, losing public confidence. In addition, Treasury and GAO continue to mandate that IRS vigorously pursue management control strategies that mitigate risk in program and administrative operations.

There are numerous risks to the organization if proper controls are not in place. These include the possibility of:
• legislative and administrative goals not being achieved;
• laws or regulations being violated;
• operations that are ineffective, inefficient, or misdirected;
• unauthorized activities;
• inaccurate reports to management and others;
• waste, fraud, and abuse occurring or being concealed;
• assets being stolen or lost; and
• ultimately, risk to the achievement of tax administration goals.

Management controls are often misrepresented to be the sole responsibility of financial, procurement, or other organizations managing processes with tangible dollar assets. This is not the case; management controls are the responsibility of every manager. You are accountable for, and have stewardship of, all IRS operations within your organization, including program, administrative, and financial areas under your control. Your responsibilities include:
• ensuring that controls are in place to protect government assets from waste, fraud, abuse, mismanagement, or misappropriation of funds;
• designing and using controls that provide ‘reasonable assurance’ that programs are being accomplished as intended;
• continuously assessing management controls to prevent and solve problems, improve products, and provide quality service;
• where the IRS is at risk, designing and implementing remedies to mitigate risk, and measuring the results of these actions; and
• documenting your activities regarding management controls and sharing them with others as needed.

The MCAP is designed to enable managers to identify and promptly correct management control deficiencies. A continuing assessment of management controls will help you identify opportunities to prevent and solve problems, improve your products, and provide quality customer service.

Managers’ Accountability

It is beneficial to both the Service and managers to be proactive in identifying problem areas and taking appropriate corrective actions before external audit sources, such as GAO and Treasury Inspector General for Tax Administration (TIGTA), issue findings or before problems escalate into serious control weaknesses. However, you must strike an appropriate balance of controls in your programs and operations. For example, an over-controlled process or program may be costly to implement and interfere with program accomplishment. Similarly, an uncontrolled or under-controlled situation may allow problems to go unnoticed and assets to be wasted.

Being focused and aware of management controls should be an integral part of the daily activities of all IRS managers and employees. By fostering open, honest communications and promoting problem-solving within your organization, you create an environment where management controls are acknowledged as tools to achieving our goals.

Legal Background

In addition to being a good business practice, management control accountability is mandated by law. In 1982, Congress passed the FMFIA requiring:
• agencies to evaluate their internal controls annually;
• GAO to issue internal controls standards; and
• Office of Management and Budget (OMB) to issue Federal guidelines, including OMB Circulars A-123 Management Accountability and Control (Rev. June 1995) and A-127 Financial Management Systems (Rev. July 1999).

Since the Act was established, all federal agencies have been required to report annually to the President and the Congress as to whether their management controls comply with the GAO’s standards. Although the FMFIA reporting requirements changed at the end of FY 1999, Treasury bureaus are still mandated to evaluate and report annually on their management controls.

Congress enacted other statutes that provide a framework for management accountability. These include the Chief Financial Officers (CFO) Act of 1990, as expanded by the Government Management Reform Act (GMRA) of 1994; the Government Performance and Results Act (GPRA) of 1993; and the Federal Financial Management Improvement Act (FFMIA) of 1996.

The following defines specific manager and employee responsibilities for maintaining effective management control systems.

Managers at all levels
• Provide a positive control environment;
• Identify potential risk areas;
• Ensure that adequate and effective controls are in place;
• Report results of reviews to the next level of supervision;
• Ensure reports are supportable, accurate, and candid;
• Provide adequate resources to correct identified control deficiencies; and
• Implement corrective actions timely and validate outcomes.

Heads of Office

In addition to the above responsibilities for all managers, Heads of Office must also:
• Provide oversight and direction of management controls within their organization;
• Designate an MCAP coordinator as the single point of contact for management controls;
• Review and assess subordinate managers’ reports of control deficiencies;
• Approve proposed Corrective Action Plans to correct identified deficiencies;
• Report periodically on the progress of corrective action plans; and
• Report annually on the status of management controls.

MCAP Coordinators
• Assist managers in the administration of and emphasis on management controls;
• Provide process support and advice to managers;
• Coordinate and analyze management control reports;
• Make recommendations to Heads of Office on management control issues;
• Consolidate and prepare the Annual Assurance Certification Letter for their organization; and
• Maintain tracking systems to monitor Corrective Action Plans and advise management on the status of deficiencies.

Office of Management Controls (OMC)
• Administers IRS’ process for the Management Controls Accountability Program;
• Prepares the Commissioner’s Annual Assurance statement;
• Monitors development and progress of Corrective Action Plans for Material Weaknesses and National Significant Control Deficiencies;
• Provides direction and assistance to Heads of Office and MCAP Coordinators;
• Develops training courses and materials on management controls; and
• Prepares and maintains management controls guidance (e.g., IRM, Handbook, OMC web page).

Chief Financial Officer/Director, Financial Analysis
• Provides leadership and has operational responsibility for IRS management controls program;
• Issues annual call letters to guide the annual certification reporting process; and
• Oversees timely completion of OMB Circular A-123 and A-127 reviews.

Financial and Management Controls Executive Steering Committee (FMC ESC)
• Strategically manages IRS initiatives aimed at strengthening financial and management accountability;
• Ensures that appropriate controls are an integral part of all IRS programs; and
• Provides top leadership perspective and direction in addressing important cross-functional issues.

Commissioner of Internal Revenue
• Responsible for ensuring management accountability throughout the IRS; and
• Reports the status of management controls to the Secretary of the Treasury via the Service’s Annual Report.

The Secretary of the Treasury
• Responsible for ensuring management accountability throughout the Department of the Treasury; and
• Reports annually to the President and Congress on the status of management controls via Treasury’s Annual Report.

The MCAP process is an ongoing practice that encompasses all aspects of IRS operations. The MCAP process steps are:
• Identify Risk;
• Determine Existing Controls;
• Establish New Controls or Revise Existing Controls;
• Assess/Review Management Controls;
• Document Results of Reviews;
• Document, Report, and Correct Significant Control Deficiencies; and
• Validate Outcomes.

This chapter addresses each step and explains use of the MCAP process to:
1. understand the risks associated with your operation;
2. ensure that controls are in place and operating effectively to mitigate known risks; and
3. provide candid, reliable and supportable reports on the status of those controls.

Risk is nothing more than the probability of a negative, unanticipated occurrence. Risk is inherent in every activity; therefore, it is essential that you identify the probability of risk within your operations and activities. Unacceptable or highly undesirable risk becomes the basis for establishing and maintaining management controls.

You should be primarily concerned with the risk areas within your program authority. This can vary from manager to manager, even within the same function. For example, all Collection managers would identify the timely filing of Federal tax liens as a potential risk area. However, the manager of the Offers-in-Compromise group would have an additional risk associated with maintaining proper documentation to support the acceptance or rejection of an offer that other managers would not.

Some areas or occurrences with higher potential for risk include:
• Changes in organizational structure, processes, procedures, personnel, and systems;
• Cash handling activities;
• Procurement activity;
• Security;
• Stakeholder interest in your operation;
• Level of reliance on computerization; and
• Staffing.

Research Sources to Identify Risk

The assessment of risk is based on your organizational knowledge, knowledge gained from other organizations, and communication with your employees. Risk can often be identified in previous reviews of the organization rather than requiring the manager to perform a new review. To identify risk, you must:
a. Review findings from previous reviews and reports, such as:
• GAO and TIGTA audit reports;
• Operational reviews or Special Assurance reviews;
• Office of Security and Privacy Oversight reviews;
• Balanced Measures reviews; and
• Other reviews performed by management in the course of their duties.

b. Ensure that organizational processes are performed in accordance with written policies and procedures, such as:
• Legislation;
• OMB Circulars;
• Treasury Department Directives;
• Internal Revenue Manual (IRM);
• Internal Revenue Service Policy Statements;
• Delegation Orders;
• Integrated Data Retrieval System (IDRS) Operations Handbook; and
• Systems Users Manuals.

c. Involve your employees in identifying risk. Since employees are often closest to the organization’s daily operations, they may become aware of risks and can alert you to problems as they arise. Examples of actions a manager might take to identify risks include:
• Verification of Form 809, Receipt for Payment of Taxes;
• Post review of case files (e.g., seizure and sale files to ensure conformity with statutes, regulations, and IRM);
• Consideration of Disclosure/Privacy Act implications in all activities, including review of files and personnel folders;
• Timely initiation of background and security investigations and appropriate action taken based on outcome of the investigation;
• Monitoring of telephone traffic volumes to ensure timely customer service; and
• Periodic reviews of access to sensitive command codes on IDRS.

Assess Level of Risk

You need to make informed judgments in order to determine the level of risk for the activities within your organization. Depending on the impact of negative occurrences, the level of risk will vary from activity to activity. For instance, an activity that violates statutory or regulatory requirements would be assessed at a high level of risk while missing one step in standard operating procedures might have lesser consequences.

Your assessment of the level of risk will guide you in determining where management controls need to be strengthened or established.

Management controls provide “reasonable assurance” that:
• revenue and expenditures are properly recorded and accounted for,
• wrongful acts are extremely difficult, abuses are discouraged, and safeguards against carelessness are in place, and
abusive or careless acts are detected shortly after they occur and trigger necessary corrective actions.

Controls are not separate systems or processes; they are tools routinely used by managers to manage their operations. The focus is not to have more controls but to have effective controls that mitigate risks. Some examples of management controls are:
• separation of duties;
• adequate supervision;
• reconciliation of records from two sources, (e.g., matching travel receipts against the travel vouchers);
• reconciliation of records against physical inventories;
• limiting access, (e.g., passwords on data systems);
• verification of data entry;
• documentation of processes and procedures (e.g., IRM, Standard Operating Procedures);
• written delegations of authority; and
• logs/checklists.

To determine existing controls, begin by comparing current practices and processes against existing procedures, policies and guidelines. Also consult your peers and employees to ensure that existing controls have been identified and that they do not overlap or conflict with other controls that are in place. It is as important to eliminate unnecessary or duplicative controls as it is to establish new controls.

Some “red flags” that may indicate a need for assessing existing controls are:
• costs mis-charged
• management turnover
• geographic dispersion
• one or a small group of employees handling all steps of a process
• training not provided
• infrequent reviews
• reorganization
• old or new automated systems
• security incidents
• environmental control problems
• adverse publicity
• inadequate reports
• increase in errors
• customer dissatisfaction
• employee dissatisfaction

Examples of control methods for specific areas of concern are listed below.

If controls are needed and none currently exist, you may be responsible for establishing them (see Chapter 3.C). In cases where you determine that the level of risk does not justify establishing a formal control mechanism, you should still document your findings and decisions for future reference and use in the Annual Assurance Review Process (see Chapter 4).

Once you have decided that a process needs a control, determine whether you own the process. If you do not own the process at risk but it impacts your operation, proactively coordinate with the process owners or other stakeholders to encourage them to improve those management controls. You may also find it necessary to elevate the issue to higher levels. The control you are using may be a standardized control for your organization. However, if you find that it is not working properly, you should still inform the next higher organizational level although you may not have the authority to change the control. A lack of controls in one process may be impacting other processes, and a change to procedures may benefit several parts of the organization. Once you have determined what controls exist or have established new controls, the next step is to assess their effectiveness (see Chapter 3.D). The assessment and review of your management controls is an ongoing process.

If you do own the process, determine the appropriate method of control to mitigate the risk (see Chapter 3.B). In selecting control methods, consider the following criteria:
• the control must be consistent with operational objectives or legislative requirements; and
• the control must be cost effective.

Ensure that control costs do not exceed the benefit to be derived. It may be cost prohibitive to implement a control that fully eliminates risk, but a cost-effective control could be implemented that mitigates risk to an acceptable level. For instance, it would not be cost effective to buy a $500 locking cabinet to protect $300 worth of calculators. Although that might fully eliminate the risk of theft, you could, at no cost, store the calculators in a locked office each night, thereby mitigating the risk to an acceptable level. On the other hand, if you have purchased ten laptops valued at $2,500 each, it might be appropriate and cost effective to purchase a $500 locking cabinet to secure the laptops.

Circumstances that should cause you to initiate a review are:
• Changing conditions (e.g., reorganization, phase-out of operations, personnel turnover);
• Current controls do not appear to be effective or cost beneficial;
• Assumption of a new responsibility, organization, or program;
• Conditions indicate reduced level of quality or customer satisfaction;
• External sources (e.g., taxpayers, Congress, GAO, TIGTA) express concern that may indicate control problems;
• Policy or procedures change; or
• Policy or procedure (local or national, internal or external) mandates a review.

When conducting control reviews, determine the dependencies or effects the control has on other areas of the organization. Identifying dependencies often reflects a need for input from other organizations and/or personnel.

Conducting Review

To test the adequacy of management controls, determine whether they are:
• Implemented as designed and meet the control objectives of mitigating risk to an acceptable level;
• Performed by competent personnel;
• Consistent with operational objectives or legislative requirements; and
• Efficient and cost effective.

There are various techniques for testing the adequacy of controls. However, before applying any of these techniques, examine the results of past reviews that address the adequacy of your controls. These include both internal reviews (e.g., operational reviews of records/cases/processes; reviews for compliance with OMB Circulars A-127 and A-130, Management of Federal Information Resources, (Rev. February 1996)); and external reviews (e.g., reviews conducted by GAO, TIGTA).

Other techniques for testing the adequacy of controls are:

Walk-Through - A walk-through of operations is made to observe how the control functions in actual practice. During the walk-through, determine how the control is meeting the objective. Any facet of operations that raises a concern should be identified for further analysis as to whether a control deficiency exists.

Individual and/or Group Interviews - Interviews are an important testing technique to facilitate an understanding of how controls are functioning. Often, the best sources of information are personnel performing the operation. Combining inquiry and observation can often provide valuable insights into problem areas, such as a lack of financial and personnel resources necessary to effectively meet control objectives.

Sampling - If there are a considerable number of documents or transactions performed, you may review a sample of them. If no discrepancies are noted, then a reasonable conclusion is that the control is adequate. If discrepancies are identified, you should examine additional documents/transactions to confirm whether the control is functioning as designed.

Analysis of Source Document Processing - Select a sample of source documents and follow them through each step of the process. Source document analysis can often disclose improper procedures, failure to follow procedures, or breakdowns among processing steps.

A combination of test procedures - You may want to combine several methods of review to ensure that your controls are adequate.

Assessing Review Results

At the conclusion of your review, assess whether the existing control:
• provides reasonable assurance that the objectives are being achieved in an efficient and effective manner; or
• is deficient and needs to be corrected.

For each deficiency identified, assess the degree of seriousness using one of the categories explained below. This assessment is critical in helping you determine the next step in the process.

Control Deficiency -
A control deficiency is an instance of weak, missing, or improper controls that is of local concern. A control deficiency may occur as part of the day-to-day activities. These deficiencies could result from policies and procedures not being followed, mistakes, work habits/conditions, system breakdowns, or other routine operating occurrences. Ideally, deficiencies within your control should be resolved as quickly as possible and at the lowest possible level. However, if it is not within your authority to correct the deficiency, you should elevate the deficiency to the next level of management for action (See Chapter 3.F).

Significant Control Deficiency -
A significant control deficiency is a control deficiency that is of sufficient importance to be reported to the next level of management. To qualify as significant, the control deficiency may:
• Impair the fulfillment of the organization’s mission;
• Deprive the public of needed services;
• Violate statutory or regulatory requirements;
• Greatly weaken safeguards against waste, fraud, abuse, mismanagement or misappropriation of funds, property or other assets;
• Result in adverse publicity and erosion of public confidence in the Service’s integrity; or
• Result in a conflict of interest.

If you are in doubt about the significance of the deficiency, elevate the issue as a potential significant control deficiency to the next level of management and inform your MCAP Coordinator.

Material Weakness -
A material weakness is a significant control deficiency of sufficient importance to be reported annually to the Department of Treasury and, ultimately, to the President and Congress until corrected. The determination that a significant control deficiency is a material weakness is only made by top Service executives on the Financial & Management Controls Executive Steering Committee (FMC ESC).

If no deficiencies have been identified in the course of your review, document the results of your reviews and retain them for use in preparing your Annual Assurance Certification Letter (see Chapter IV). The documentation can be as simple as a memorandum explaining the review methods and results. It normally does not require a separate formal report. Your documentation may also be incorporated into other management reports as long as it is identified as the results of a management control review.

If deficiencies have been identified and you are able to correct them, take the appropriate action and retain the documentation for the Annual Assurance Certification Letter. If you determine that the deficiency falls into the category of a significant control deficiency and must be elevated to the next level of management, additional documentation is required (see Chapter 3.F).

Documenting and Reporting Significant Control Deficiencies

All significant control deficiencies or potential significant control deficiencies should be reported as soon as identified on a Report of Significant Control Deficiency form (see Exhibit 3-F-1). These issues are then elevated to the next level of management with a copy to the MCAP Coordinator. Your report will provide management with the information necessary to clearly understand the problem and assess the level of risk.

In some instances, you may identify a potential significant control deficiency but have no control over the actions necessary to correct it. In this case, you would elevate the issue to the next level of management for possible action and review. For example, you become aware of deficiencies in the clearance process for separating employees. You do not own the process, but the issue should be provided to the owner of the process for appropriate action. In this case, you only need to submit Part I of the Report of Significant Control Deficiency to the next level of management with as much information as is available.

You may not have the expertise to provide all the information in detailed, technical terms. Once the issue is shared with the appropriate program area, they may consult with you and others for additional information. If the deficiency is determined to be valid and requires a Corrective Action Plan, the process owner will be responsible for finalizing Part I and preparing Part II of the Report of Significant Control Deficiency.

If it is appropriate to develop the corrective action plan at your level, your proposed plan will include all the actions needed to correct the deficiency. (see Exhibit 3-F-2) When preparing the corrective action plan:
• Develop actions that are specific and describe the end result. For example, the action should be: “Revise and issue procedures to the field,” not “Review current procedures.”
• Ensure commitment of other stakeholders before establishing any action that requires activity outside your control.
• Set realistic due dates. Successful plan completion may be dependent upon available resources, functional interdependencies, labor negotiations, legislation, or modernization issues. Therefore, consult with others as necessary in establishing realistic completion dates. Do not use “ongoing” as a completion date; always set a specific due date, e.g., MM/DD/YYYY. If completion date is long term, it may be necessary to establish interim milestone dates.
• Describe the goal and establish performance measures. Performance measures and goals serve as progress indicators for correcting the deficiency.
• Describe the validation process. This is a description of how you propose to collect the data supporting the performance measure(s) that will determine if the deficiency has been successfully corrected. Describe the type and quantity of data to be gathered, the method of collection, and the source of the data.

Once the Report of Significant Control Deficiency is completed, elevate it to the next level of management, and provide a copy to the MCAP Coordinator. If you are the manager at the next level, you are responsible for reviewing the report and determining the validity of the issue, based on your knowledge and expertise. As a second-level manager, you will need to decide which one of the following actions is appropriate:
• return the report to the preparer if the issue is not valid or if additional information/clarification is needed;
• develop a Corrective Action Plan if it is appropriate at your level and obtain approval from your manager;
• approve the corrective actions for implementation;
• elevate the issue to the next higher level of management or process owner.

Correcting Significant Control Deficiencies

Approved plans will be returned to the appropriate-level manager for implementation. The manager must then monitor and regularly report progress to the approving official. Periodically, the manager must also assess whether the Corrective Action Plan is achieving the desired goal(s) and continues to be relevant under current operational conditions.

Managers must document and obtain the appropriate level of approval to complete or revise an action or reschedule a target date. Provide a copy of all approved documentation to the MCAP Coordinator for tracking purposes.

Indicators

Indicators (or measures) assist in determining how well the process is now working compared to past performance. They can also help you identify positive/negative factors affecting program and administrative performance/effectiveness.

In developing an appropriate Results Indicator (or performance measure), first consider the deficiency you are trying to correct or improve, such as timeliness of certain actions, reduction in the error rate of a particular process, decrease in the number of security lapses at a site, etc. Examples of an appropriate Results Indicator include:
• average timeliness of cash deposits,
• error rate for processing clearance forms,
• number of security lapses at XX site.

If the Results Indicator selected does not directly tie to the specific deficiency, the corrective actions may fix the problem but may not be reflected in the performance results. Therefore, ensure that the Results Indicator is relevant to the problem being fixed and is based on observable performance measures, either quantitative or qualitative.

Goals

Goals are used to tie the Results Indicator to the improvement of a particular product, process, or Service deficiency. Goals can be qualitative or quantitative. Qualitative goals are general in nature and suggest a desired direction but do not establish a specific numeric target (e.g., “Improve timely filing of travel vouches” ). Qualitative goals may be appropriate for new processes or processes for which no baseline data exists. However, without baseline data and quantitative measures, it will be difficult to assess whether your goals have been met.

Quantitative goals are more focused and establish a specific numeric target (e.g., “Travel Vouchers will be filed within five business days after the end of the month.” ). Quantitative goals should be based on statistically valid results of previous reviews or a compilation of information or numerical/quantitative recordation.

In establishing quantitative goals, consider the anticipated level of available resources to implement your corrective action plan, organizational priorities and initiatives, and the interaction between multiple organizational goals. For instance, raising the quality level as a goal may inadvertently decrease timeliness unless additional resources are provided to accomplish the task. Examples of Results Indicators with quantitative goals include:
• Increase the “average timeliness of cash deposits” from 48 hours to 24 hours
• Reduce the “error rate for processing clearance forms” from 20% to less than 3%
• Reduce the “number of security lapses at XX site” from 25 per year to 0.
For additional information on establishing Results Indicators, performance measures, and goals, consult the Balance Checking Matrix and related steps of the problem solving process described in IRM 1.5.2, Managing Statistics in a Balanced Measurement System and the IRS Balanced Measurement Approach to Leadership, Training Course 9015.

When all corrective actions are completed, apply the validation process in your plan to evaluate whether the actions taken achieved the desired outcome as indicated by your Results Indicator. If the measure of the Results Indicator implies that the deficiency has not been corrected, examine whether the corrective actions were effective and/or the validation process was appropriate. If the Corrective Action Plan was not effective, review, revise, and implement a new plan.

Once your Results Indicator validates that your corrective actions have effectively cured the significant control deficiency, forward documentation to the approving official for concurrence. This concurrence represents management’s assurance that the problem/deficiency has been successfully corrected. A copy should be submitted to the MCAP Coordinator and retained for use in preparing the Annual Assurance Certification Letter.

Under no circumstances should management concur that a deficiency has been corrected until they are certain the risk has been mitigated to an acceptable level. This process is continuous; periodically reassess your risks against current conditions to ensure that controls are effective.

The Commissioner is required to provide an Assurance Statement as part of the Annual Report to the Secretary of the Treasury. The Annual Assurance Statement includes information on open and closed material weaknesses and Servicewide management accountability issues.

To begin the Annual Assurance Review process, the Chief Financial Officer issues a call letter each spring requiring Heads of Office to:
• certify that management controls in their organization are in place and working as intended;
• provide the status of all open material weaknesses and significant control deficiencies for which they are responsible; and
• provide additional information requested in the call letter on other accountability issues.

The response must contain a specific statement describing the level of assurance for the organization. The Head of Office must select the appropriate level of assurance from the following:
• Reasonable assurance that controls are effective and operating as intended;
• Qualified assurance that controls are effective and operating as intended, considering the exceptions described in the report; and
• No reasonable assurance can be provided that controls are in place and effective.

Managers’ responses are rolled up to the Head of Office, through the MCAP Coordinator, for submission to the Chief Financial Officer. At the discretion of the Head of Office, individual certifications may be required from subordinate managers to support their level of assurance.

The manager’s ongoing review of management controls is vital to the Service’s assurance process, as depicted below.

All Corrective Action Plans require local tracking and follow-up. However, some Significant Control Deficiency and all Material Weakness Corrective Action Plans are tracked by the CFO’s Office of Management Controls for periodic reporting to Treasury.

These Corrective Action Plans are entered into Treasury’s Inventory, Tracking and Closure System (ITCS). The information is used by Treasury to assess the Service’s effectiveness and progress in correcting weaknesses. The ITC entries are updated monthly to reflect current status.