IRS Financial Reporting: Improvements Needed in Information System and Other Controls
Fast Facts
Each year, we audit the IRS's financial statements and issue opinions regarding these statements and related internal controls (i.e., processes in place to ensure the proper authorization and recording of transactions).
In our FY 2023 audit we identified new issues related to how IRS manages the security, access, and configuration of its IT systems. For example, IRS did not consistently create a plan of action to address identified IT weaknesses on a timely basis. Our recommendations address these issues.
We also determined that IRS had addressed about 30% of our recommendations from previous reports about information system and other controls.
Highlights
What GAO Found
During its audit of the Internal Revenue Service's (IRS) fiscal years 2023 and 2022 financial statements, GAO identified three new deficiencies in internal control over financial reporting. These deficiencies, which are sensitive in nature, related to information systems and contributed to GAO's reported continuing significant deficiency in IRS's information system controls. Specifically, GAO identified one security management control deficiency, one access control deficiency, and one configuration management control deficiency. The separately issued LIMITED OFFICIAL USE ONLY report presents detailed information on the new control deficiencies and six recommendations to address them.
In addition, GAO determined that IRS had completed corrective actions on 15 of 51 recommendations from GAO's prior reports related to internal control over financial reporting that were open as of September 30, 2022. IRS's actions addressed one transaction cycle recommendation, two safeguarding assets recommendations, and 12 information system recommendations.
This report provides the status of 10 previously reported recommendations that are not sensitive in nature and IRS's corrective actions as of September 30, 2023. The LIMITED OFFICIAL USE ONLY report contains the status of the 51 previously reported sensitive and nonsensitive recommendations and IRS's corrective actions as of September 30, 2023.
As of September 30, 2023, IRS has 42 open GAO recommendations related to internal control over financial reporting to address:
- six transaction cycle recommendations,
- two safeguarding assets recommendations, and
- 34 information system recommendations (including six that are new).
The new and continuing control deficiencies related to information systems and safeguarding assets increase the risk of unauthorized access to, modification of, and disclosure of sensitive data and programs, as well as the disruption of critical operations. The continuing control deficiencies related to transaction cycles increase the risk of financial statement misstatements. IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential financial statement misstatements.
Why GAO Did This Study
GAO audits IRS's financial statements annually. As part of these audits, GAO assesses IRS's internal control over financial reporting, including information system controls.
This report presents the new deficiencies in internal control over financial reporting identified during GAO's audit of IRS's fiscal years 2023 and 2022 financial statements. This report also includes the results of GAO's fiscal year 2023 follow-up on the status of IRS's corrective actions to address recommendations contained in GAO's prior reports related to internal control over financial reporting that were open as of September 30, 2022.
Recommendations
GAO is making no new recommendations in this report. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made six new recommendations to address control deficiencies in information systems related to security management, access control, and configuration management. In commenting on a draft of this report and the LIMITED OFFICIAL USE ONLY report, IRS agreed with GAO's recommendations and stated that it is committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security. GAO plans to follow up to determine the status of corrective actions taken on the recommendations as part of its audit of IRS's fiscal year 2024 financial statements.