What GAO Found
The Internal Revenue Service (IRS) has implemented one of GAOs four recommendations from June 2011 to strengthen the Patient Protection and Affordable Care Act (PPACA) implementation efforts by scheduling the development of performance measures for the PPACA program. IRS has made varying degrees of progress on the other three recommendations:
develop program goals and an integrated project plan;
develop a cost estimate consistent with GAOs published guidance; and
assure that IRSs risk management plan identifies strategic level risks and evaluates associated mitigation options.
IRSs revised risk management plan meets three of five criteria for risk management plans, but the plan does not have specific guidance for evaluating and selecting potential risk mitigation options, such as how to
identify who conducts and reviews the analysis,
determine the availability of resources for a given strategy, and
document for future users the rationale behind decisions made.
IRS applied its risk management plan when identifying, tracking, and reporting on implementation risks. Although the risk plan calls for risk mitigation strategies to be evaluated, these evaluations have not been done. IRS officials said that evaluating these strategies would require varying levels of effort because the probability and magnitude of risks differ. However, the plan was silent on this point; it provided no guidance as to when and to what extent an evaluation should be done. Without evaluating potential strategies, IRS may not consider critical factors that impact the programs success.
IRSs risk management plan was not used when IRSs Office of Chief Counsel was responsible for implementing two provisions GAO reviewed. Although these provisions primarily required legal counsel and guidance, IRS officials said that one of the provisions also affected IRS operations and could have risks that need to be managed. Additionally, GAO did not find evidence that a risk plan was used to track and mitigate risks when coordinating with partner agencies, such as the Department of Health and Human Services. Without a system for tracking shared risks, IRS is more likely to overlook risks or duplicate efforts.
Why GAO Did This Study
PPACA is a significant effort for IRS, with expected costs of $881 million from fiscal years 2010 to 2013 and work planned through 2018. To implement PPACA, IRSmust work closely with partner agencies to develop information technology systems that can share data with other agencies. Additionally, IRS is responsible for providing guidance to taxpayers, employers, insurers, and others to ensure compliance with new tax aspects of the law. Furthermore, it will be important for IRS to have systems to consistently identify, assess, mitigate, and monitor potential risks to the programs success.
As requested, this report (1) describes IRSs progress in addressing GAO recommendations from June 2011 on PPACA implementation, (2) assesses IRSs revised risk management plan, and (3) assesses how IRS applies its plan in practice. GAO compared IRSs revised risk plan to GAOs criteria for risk management and selected 9 provisions of the law in which IRS had a role to determine whether IRS used the risk plan consistently. Because selection focused on provisions that had the most risks and highest dollar impacts, the results are not generalizable but are relevant to how IRS managed risks.
GAO recommends that IRS (1) enhance its guidance on evaluating risk mitigation alternatives and documenting decisions, (2) use a risk management plan for work led by its Office of Chief Counsel, and (3) develop agreements with external parties to record and track risks that threaten shared goals and objectives. IRS officials agreed with all of GAOs recommendations.
Recommendations for Executive Action
|Internal Revenue Service||1. To strengthen the PPACA risk management plan, the Commissioner of Internal Revenue should enhance guidance on evaluating risk mitigation alternatives to clarify who is responsible for doing the evaluation and making decisions based on the results as well as how they might do the evaluation.|
|Internal Revenue Service||2. To strengthen the PPACA risk management plan, the Commissioner of Internal Revenue should enhance guidance on evaluating risk mitigation alternatives to assure that resources are available for the chosen mitigation strategy.|
|Internal Revenue Service||3. To strengthen the PPACA risk management plan, the Commissioner of Internal Revenue should enhance guidance on evaluating risk mitigation alternatives to document the mitigation alternatives considered and rationale(s) for the decisions made.|
|Internal Revenue Service||4. To ensure more consistent implementation of the risk management plan, the Commissioner of Internal Revenue should ensure that the PPACA risk management plan is applied to provisions in which the Office of Chief Counsel assumes lead responsibility for implementation.|
|Internal Revenue Service||5. To ensure more consistent implementation of the risk management plan, the Commissioner of Internal Revenue should develop agreements with HHS (and other external parties as needed) on a system to record and track details on decisions made or to be made to ensure that risks are identified and mitigated.|