All activity of the IRS relating to implementation of Recovery Act tax provisions is overseen by an Executive Steering Committee consisting of the highest-level executives in IRS, representing every major function and business. This committee, which met weekly through the end of March and now meets monthly, reviews all progress on program activity. Initial risk assessments and analyses were performed and documented timely, and all required mitigation actions identified. Risk assessments and analyses will continue during implementation. All Recovery Act expenditures are tracked via a unique code and reported weekly. In addition, the Department of the Treasury will provide an estimate of benefits to individuals, businesses, and state and local governments as data becomes available.
All risk management activities as outlined below were completed timely (by April 15, 2009) for ARRA tax provisions being implemented in Fiscal Year 2009, including: Making Work Pay/Advanced EITC, First Time Homebuyer Credit, COBRA, Build America Bonds, Tribal Economic Bonds, and Tax Credit Bonds.
Risk Management/Internal Control Actions for Agency and Program Plans
The American Recovery and Reinvestment Act of 2009
U.S. Department of the Treasury
5.1 RISK MANAGEMENT/INTERNAL CONTROL PLAN
• For each Recovery Act program involving implementation of provisions or obligations of Recovery Act funds in FY 2009, the bureaus will perform actions 5.1.1 through 5.1.4 by April 15, 2009, with completion of 5.1.6 shortly thereafter
• Step 5.1.5 will be ongoing
• Supporting documentation will be maintained by each bureau so that it is readily accessible in the event of an audit or other needs
5.1.1 Identify and Document Program-Specific Risks
• Review pertinent existing risk assessments
• Review pertinent OMB Circular A-123/Appendix A test results, Improper Payments Information Act assessments, etc.
• Review pertinent GAO/OIG/TIGTA audit reports and related corrective action plans
5.1.2 Identify and Document Applicable Current Process Internal Controls
5.1.3 Assess Program-Specific Risks in View of Existing Controls
• Take the Risk/Impact Questionnaire to rate risks and impacts, taking into consideration the findings identified in 5.1.1 and all OMB-prescribed Recovery Act transparency and accountability objectives
• Use the “Consequence-Probability Table” (Risk/Impact Matrix) to determine the overall (combined) Risk/Impact rating
• Document assessments
5.1.4 Mitigate Risks and Impacts
• For each Program with an overall Risk/Impact rating of “High” or “Medium”:
• Identify and update existing risk mitigation plans to implement Recovery Act-related controls; plans should include regularly scheduled monitoring and testing of risk mitigation plans and controls
• Develop and execute new risk mitigation plans as needed; plans should include regularly scheduled monitoring and testing of risk mitigation plans and controls
5.1.5 Monitor Risk Mitigation Plans
• As outlined in each risk mitigation plan (per 5.1.4), each risk mitigation plan must be monitored regularly for timely and effective implementation of corrective actions and testing of controls
• Bureaus with responsibility for Recovery Act programs will leverage existing organizations and entities (e.g., A-123/Appendix A Senior Assessment Team, Senior Management Council, et al) to review, assess, and manage Recovery Act risk
• Bureaus will provide monthly progress reports on risk management to the Treasury DCFO for each program
5.1.6 Certify Completion of Risk Assessment/Development of Mitigation Plan
• Bureau Recovery Act Senior Accountable Official will sign/date a certification for each program
• Submit signed certification to Treasury DCFO