Patient Protection and Affordable Care Act: IRS Managing Implementation Risks, but Its Approach Could Be Refined
Highlights
What GAO Found
The Internal Revenue Service (IRS) has implemented one of GAO’s four recommendations from June 2011 to strengthen the Patient Protection and Affordable Care Act (PPACA) implementation efforts by scheduling the development of performance measures for the PPACA program. IRS has made varying degrees of progress on the other three recommendations:
develop program goals and an integrated project plan;
develop a cost estimate consistent with GAO’s published guidance; and
assure that IRS’s risk management plan identifies strategic level risks and evaluates associated mitigation options.
IRS’s revised risk management plan meets three of five criteria for risk management plans, but the plan does not have specific guidance for evaluating and selecting potential risk mitigation options, such as how to
identify who conducts and reviews the analysis,
determine the availability of resources for a given strategy, and
document for future users the rationale behind decisions made.
IRS applied its risk management plan when identifying, tracking, and reporting on implementation risks. Although the risk plan calls for risk mitigation strategies to be evaluated, these evaluations have not been done. IRS officials said that evaluating these strategies would require varying levels of effort because the probability and magnitude of risks differ. However, the plan was silent on this point; it provided no guidance as to when and to what extent an evaluation should be done. Without evaluating potential strategies, IRS may not consider critical factors that impact the program’s success.
IRS’s risk management plan was not used when IRS’s Office of Chief Counsel was responsible for implementing two provisions GAO reviewed. Although these provisions primarily required legal counsel and guidance, IRS officials said that one of the provisions also affected IRS operations and could have risks that need to be managed. Additionally, GAO did not find evidence that a risk plan was used to track and mitigate risks when coordinating with partner agencies, such as the Department of Health and Human Services. Without a system for tracking shared risks, IRS is more likely to overlook risks or duplicate efforts.
Why GAO Did This Study
PPACA is a significant effort for IRS, with expected costs of $881 million from fiscal years 2010 to 2013 and work planned through 2018. To implement PPACA, IRSmust work closely with partner agencies to develop information technology systems that can share data with other agencies. Additionally, IRS is responsible for providing guidance to taxpayers, employers, insurers, and others to ensure compliance with new tax aspects of the law. Furthermore, it will be important for IRS to have systems to consistently identify, assess, mitigate, and monitor potential risks to the program’s success.
As requested, this report (1) describes IRS’s progress in addressing GAO recommendations from June 2011 on PPACA implementation, (2) assesses IRS’s revised risk management plan, and (3) assesses how IRS applies its plan in practice. GAO compared IRS’s revised risk plan to GAO’s criteria for risk management and selected 9 provisions of the law in which IRS had a role to determine whether IRS used the risk plan consistently. Because selection focused on provisions that had the most risks and highest dollar impacts, the results are not generalizable but are relevant to how IRS managed risks.
Recommendations
GAO recommends that IRS (1) enhance its guidance on evaluating risk mitigation alternatives and documenting decisions, (2) use a risk management plan for work led by its Office of Chief Counsel, and (3) develop agreements with external parties to record and track risks that threaten shared goals and objectives. IRS officials agreed with all of GAOs recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Internal Revenue Service | To strengthen the PPACA risk management plan, the Commissioner of Internal Revenue should enhance guidance on evaluating risk mitigation alternatives to clarify who is responsible for doing the evaluation and making decisions based on the results as well as how they might do the evaluation. |
Closed – Implemented
During our review of the Internal Revenue Service's (IRS) implementation of the Patient Protection and Affordable Care Act (PPACA), we found that IRS's risk management plan did not specify who was responsible for evaluating mitigation strategies and making decisions based on the analysis, as well as how the evaluation should be completed. In June 2012, we recommended that IRS enhance its PPACA risk management plan to clarify who is responsible for evaluating mitigation alternatives and making decisions based on the results, as well as how to complete the evaluation. On May 3, 2013, IRS provided a revised risk management plan that states which parties are responsible for performing and reviewing analysis of mitigation alternatives. It also included guidance on selecting the strategies and documenting the decisions, including the rationale for the decisions. These steps will help ensure that analysis of mitigation alternatives is conducted and reviewed.
|
| Internal Revenue Service | To strengthen the PPACA risk management plan, the Commissioner of Internal Revenue should enhance guidance on evaluating risk mitigation alternatives to assure that resources are available for the chosen mitigation strategy. |
Closed – Implemented
During our review of the Internal Revenue Service's (IRS) implementation of the Patient Protection and Affordable Care Act (PPACA), we found that IRS's risk management plan did not list resource availability as a factor when selecting risk mitigation strategies. In June 2012, we recommended that IRS revise its PPACA risk management plan to assure that resources are available for a chosen risk mitigation strategy. In response to our recommendation, IRS provided a revised risk management plan in May 2013 that accounts for considering whether proper resources are available to commit to the implementation of the chosen mitigation strategy. With this guidance in place, IRS is more likely to select risk mitigation strategies for which sufficient resources are available.
|
| Internal Revenue Service | To strengthen the PPACA risk management plan, the Commissioner of Internal Revenue should enhance guidance on evaluating risk mitigation alternatives to document the mitigation alternatives considered and rationale(s) for the decisions made. |
Closed – Implemented
During our review of the Internal Revenue Service's (IRS) implementation of the Patient Protection and Affordable Care Act (PPACA), we found that IRS's risk management plan did not specify who was responsible for evaluating mitigation strategies and making decisions based on the analysis, as well as how the evaluation should be completed. In June 2012, we recommended that IRS enhance its PPACA risk management plan to clarify who is responsible for evaluating mitigation alternatives and making decisions based on the results, as well as how to complete the evaluation. In response to our recommendation, IRS provided a revised risk management plan in May 2013 that states which parties are responsible for performing and reviewing analysis of mitigation alternatives. It also included guidance on selecting the strategies and documenting the decisions, including the rationale for the decisions. These steps will help ensure that analysis of mitigation alternatives is conducted and reviewed.
|
| Internal Revenue Service | To ensure more consistent implementation of the risk management plan, the Commissioner of Internal Revenue should ensure that the PPACA risk management plan is applied to provisions in which the Office of Chief Counsel assumes lead responsibility for implementation. |
Closed – Implemented
During our review of the Internal Revenue Service's (IRS) implementation of the Patient Protection and Affordable Care Act (PPACA), we found that IRS did not follow its risk management plan for two sample provisions that IRS believed primarily required legal guidance and the IRS assigned primary responsibility for implementing to its Office of Chief Counsel. In June 2012, we recommended that IRS ensure that the PPACA risk management plan is applied to provisions in which the Office of Chief Counsel assumes lead responsibility for implementation. In response to our recommendation, IRS provided a revised risk management plan in May 2013 that requires that the risk management plan be used for provisions of the law that have operational impacts and are assigned to the Office of Chief Counsel. With this guidance in place, IRS is more likely to identify, mitigate, and track risks related to the work completed by the Office of Chief Counsel.
|
| Internal Revenue Service | To ensure more consistent implementation of the risk management plan, the Commissioner of Internal Revenue should develop agreements with HHS (and other external parties as needed) on a system to record and track details on decisions made or to be made to ensure that risks are identified and mitigated. |
Closed – Implemented
In April 2013, IRS officials said that the body overseeing efforts to coordinate HHS, IRS, Labor, and other agencies in implementing the sections of PPACA related to health care exchanges determined that each agency should track its own risks and report to the other agencies as necessary. We asked for evidence that risks are reported this way. The recommendation remains open until we see further evidence that agencies are tracking and communicating their shared risks. We were still waiting for evidence to show how risks are being reported in October 2014, especially with HHS. In July 2015, IRS provided evidence that these agencies are tracking and communicating their shared risks related to PPACA. We discuss this in GAO-15-540.
|