Management Report:

Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security Controls

GAO-19-474R: Published: Jul 18, 2019. Publicly Released: Jul 18, 2019.

Additional Materials:

Contact:

Cheryl E. Clark
(202) 512-9377
clarkce@gao.gov

 

Nancy R. Kingsbury
(202) 512-2700
kingsburyn@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

IRS must keep its computer systems secure to protect sensitive financial and taxpayer information. We assessed whether it had effective controls in place to safeguard this information in the past and again during fiscal year 2018. This report discusses the new deficiencies we found and efforts to fix earlier ones.

We identified 14 new information system security control deficiencies, such as weaknesses in access controls and in procedures to help ensure information systems are operating securely. Weaknesses like these place IRS's systems and data at risk.

Photo of the IRS building

Photo of the IRS building

Additional Materials:

Contact:

Cheryl E. Clark
(202) 512-9377
clarkce@gao.gov

 

Nancy R. Kingsbury
(202) 512-2700
kingsburyn@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

During its audit of the Internal Revenue Service's (IRS) fiscal years 2018 and 2017 financial statements, GAO identified new deficiencies in information system security controls that along with unresolved control deficiencies from prior audits collectively represent a significant deficiency in the agency's internal control over financial reporting systems. Specifically, GAO identified 14 new deficiencies in information system security controls over certain IRS financial and tax processing systems that are relevant to internal control over financial reporting. Of the 14 new deficiencies, eight were related to access controls, four were related to configuration management, one was related to segregation of duties, and one was related to contingency planning. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management detailed information regarding the 14 new information system security control deficiencies and made 20 recommendations to address them.

In addition, GAO found that as of September 30, 2018, IRS had completed corrective actions to address information system security control deficiencies associated with 46 of the 154 recommendations resulting from GAO's financial audits, and as a result, these recommendations were closed. GAO closed one additional recommendation that was no longer relevant because of changes in the agency's operating environment. In the LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management the status of previously reported recommendations as of September 30, 2018.

As a result, IRS has 127 GAO recommendations to address—the 107 remaining open recommendations from GAO's prior financial audits and the 20 new recommendations GAO made in the LIMITED OFFICIAL USE ONLY report. Until these new and continuing control deficiencies are fully addressed, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.

Status of GAO Recommendations to IRS for Addressing Information System Security Control Deficiencies 

Information system security control area Open recommendations from prior audits  Prior recommendations closed as of September 30, 2018 New recommendations resulting from FY 2018 audit Total 
remaining open recommendations 

 
Access controls 106 24 11 93
Configuration management 32 13 7 26
Segregation of duties 1 1 1 1
Contingency planning 2 2 1 1
Information security program 13 7 6
Total 154 47 20 127

Legend: FY = fiscal year; — = no recommendation made.
Source: GAO analysis of Internal Revenue Service (IRS) data.  |  GAO-19-474R

Why GAO Did This Study

This report presents the new information system security control deficiencies identified during GAO's audit of IRS's fiscal years 2018 and 2017 financial statements based on its fiscal year 2018 testing of controls over certain IRS financial and tax processing systems relevant to internal control over financial reporting. This report also includes the results of GAO's fiscal year 2018 follow-up on the status of IRS's corrective actions to address information system control deficiencies and associated recommendations contained in GAO's prior years' reports that were open at the beginning of GAO's fiscal year 2018 audit.

What GAO Recommends

In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made 20 recommendations to address the 14 new information system security control deficiencies related to access controls, configuration management, segregation of duties, and contingency planning. In commenting on a draft of the separately issued LIMITED OFFICIAL USE ONLY report, IRS agreed with our recommendations and stated that it will ensure that its corrective actions include root cause analysis for sustainable fixes that implement appropriate security controls. GAO will evaluate the effectiveness of IRS's efforts to address these deficiencies during its audit of IRS's fiscal year 2019 financial statements.

For more information, contact Cheryl E. Clark at (202) 512-9377 or clarkce@gao.gov or Nancy R. Kingsbury at (202) 512-2700 or kingsburyn@gao.gov.

Sep 25, 2019

Jul 26, 2019

Jul 25, 2019

Jun 14, 2019

Mar 27, 2019

Dec 20, 2018

Dec 18, 2018

Dec 6, 2018

Nov 13, 2018

Sep 17, 2018

Looking for more? Browse all our products here