Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
  • Results:

    Subject Term: "Taxpayer data"

    5 publications with a total of 20 open recommendations including 2 priority recommendations
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    10 open recommendations
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement the audit plans for the 12 systems and applications that we reviewed in the production computing environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that system administrators and security operations analysts are alerted in the event of audit processing failures.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should update information contingency plan test procedures to include updating contingency plans to reflect changes to the current operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that approved risk-based decisions pertaining to database configurations are based on suitable justification.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop, document, and implement the use of detailed procedures to facilitate the periodic review and analysis of audit records for its financial systems.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should develop an enterprise-wide system owner procedural document to control critical mainframe operating system commands.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should regularly update configuration standards and guidelines for network devices to incorporate recommendations from industry leaders, security agencies, and key practices from IRS partners to address known vulnerabilities applicable to IRS's environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should ensure that all known significant audit findings and recommendations related to financial reporting, which includes those in GAO's public and limited official use only reports, that directly relate to the objective of A-123 internal control tests are reviewed and monitored.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Recommendation: To help strengthen information security controls over key financial and tax processing systems, and to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue, in addition to addressing previously made but still unresolved recommendations from our prior audits, should identify and review service organizations' listing of user controls that are deemed relevant and test those controls to appropriately draw conclusions about the operating effectiveness of controls.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update system and application audit plans based on the current version of referenced policies and guidelines and when significant changes are made to a system or application.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: The IRS concurred with the recommendation and stated that it plans to implement it. Subsequent to IRS informing us that it has taken action on this recommendation, we plan to evaluate their implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Recommendation: In addition to implementing our previous recommendations, to more effectively implement security-related policies and plans, the Commissioner of Internal Revenue should update the security plan for systems that provide network infrastructure services to IRS personnel and information systems to reflect changes to the operating environment.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: On March 28, 2017, IRS officials informed us of the actions they were taking to address this recommendation. Upon receiving information from IRS, we plan to evaluate IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Director: Kingsbury, Nancy R
    Phone: (202) 512-2700

    3 open recommendations
    including 2 priority recommendations
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure contractors receive security awareness training within 5 business days of being granted access to an IRS information system.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it had not yet implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure that control testing methodology and results fully meet the intent of the control objectives being tested.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed these actions. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the remedial action verification process to ensure actions are fully implemented.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open
    Priority recommendation

    Comments: During the audit of IRS's FY 2017 financial statements, IRS indicated that it has not completed actions to implement the recommendation. When IRS indicates that it has implemented the recommendation, we will evaluate the effectiveness of its actions.
    Director: James R. McTigue, Jr.
    Phone: (202) 512-9110

    3 open recommendations
    Recommendation: Congress should consider expanding the mandate for 501(c)(3) organizations to electronically file their tax returns to cover a greater share of filed returns.

    Agency: Congress
    Status: Open

    Comments: The threshold over which Treasury/IRS can require electronic reporting is still 250 returns. As of February 18, 2016, there is no proposed legislation in the current Congress which would amend this threshold.
    Recommendation: To improve oversight of charitable organizations, the Commissioner of Internal Revenue should direct EO to develop quantitative, results-oriented compliance goals and additional performance measures and indicators that can be used to assess impact of exams and other enforcement activities on compliance.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: IRS reported it has taken a series of actions to implement this recommendation. First, in FY 2016, IRS implemented a new data-driven case selection model to identify the most non-compliant returns based upon what is reported. Starting in FY 2017, IRS plans to measure the effectiveness of these new data-analytic models and use that performance information as the basis for ongoing discussions with EO Examinations managers on which queries are yielding results and which need to be modified or deleted from the work plan. IRS also developed a weighted disposal code measure, which is intended to help examiners prioritize case selection according to criteria that give more weight to more consequential outcomes. For example, a data mining query generating a lot of revocations would take priority over a query that may only generate written advisories. IRS incorporated the new measure into its current and future work plan monitoring and projections. IRS also began discussions with TE/GE Research and SOI to figure out how to define compliance for the EO population, establish a compliance baseline, and how to develop methods to measure the impact of enforcement actions on voluntary compliance levels in the EO population. Once all these actions are fully implemented, IRS will be in a better position to use this information to develop quantitative, results-oriented compliance goals and additional performance measures and indicators that can be used to assess impact of exams and other enforcement activities on compliance.
    Recommendation: To improve oversight of charitable organizations, the Commissioner of Internal Revenue should continue to work with Treasury officials to do the following: review the flexibility afforded under the Pension Protection Act of 2006 consistent with statutory protections of taxpayer data, clarify what flexibility state regulators have in how they protect and use federal tax data, make modifications to guidance, policies, or regulations as warranted, and clearly communicate this information with state charity regulators.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: In 2016, IRS reported taking three actions to implement this recommendation. First, IRS coordinated a training session for State Charity Regulators on safeguards. The training included a review of the Safeguards Security Report (SSR) and covered several topics including current period safeguard activities, changes to safeguarding procedures, and disposal of information. According to IRS, there were 53 participants representing 45 different states. IRS also revised the 6104(c) Memorandum of Understanding (MOU), inserting a new paragraph that instructs state charity regulators to contact the Tax Exempt/Government Entities (TEGE) Liaison if there are questions about whether an administrative or judicial proceeding has been initiated. This puts in place a mechanism to provide assurance to the regulator if they have concerns. Third, TEGE officials met with the Department of the Treasury and Office of Chief Counsel to discuss the Priority Guidance Plan for 2015-2016. According to IRS, this meeting included a discussion about flexibility afforded under the PPA and how state regulators can protect and use federal tax data consistent with statutory protections of taxpayer data. More recently, IRS informed us that they made additional changes to the MOU to address concerns raised by state charity officials about re-disclosures. IRS also reported on information-sharing efforts to publicize these changes among state charity regulators including a presentation at the annual National Association of State Charity Officials conference and a virtual presentation that reached over 100 participants representing 33 states. IRS informed state charity regulators that the MOU had been revised to address their concerns about re-disclosures in proceedings. The TEGE Liaison made a presentation at the Annual NASCO Conference in Washington DC on October 6, 2015 and included this information in the presentation.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    2 open recommendations
    Recommendation: To effectively implement key components of the IRS information security program, the Acting Commissioner of Internal Revenue should update policies and procedures to ensure that they address (1) both methods available for granting all users access to mainframe resources, (2) audit and monitoring of access from one processing environment to another, (3) use of appropriate accounts by multiple databases on a single server, (4) data storage shared between systems, (5) out-of-date security standards, and (6) reconciliation of access privileges.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We are evaluating IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.
    Recommendation: To effectively implement key components of the IRS information security program, the Acting Commissioner of Internal Revenue should update mainframe test and evaluation processes to improve periodic monitoring of compliance with IRS policies.

    Agency: Department of the Treasury: Internal Revenue Service
    Status: Open

    Comments: We are evaluating IRS's implementation of this recommendation as part of the audit of IRS's FY 2017 financial statements.