Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security Controls

What GAO Found

During its audit of the Internal Revenue Service's (IRS) fiscal years 2018 and 2017 financial statements, GAO identified new deficiencies in information system security controls that along with unresolved control deficiencies from prior audits collectively represent a significant deficiency in the agency's internal control over financial reporting systems. Specifically, GAO identified 14 new deficiencies in information system security controls over certain IRS financial and tax processing systems that are relevant to internal control over financial reporting. Of the 14 new deficiencies, eight were related to access controls, four were related to configuration management, one was related to segregation of duties, and one was related to contingency planning. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management detailed information regarding the 14 new information system security control deficiencies and made 20 recommendations to address them.

In addition, GAO found that as of September 30, 2018, IRS had completed corrective actions to address information system security control deficiencies associated with 46 of the 154 recommendations resulting from GAO's financial audits, and as a result, these recommendations were closed. GAO closed one additional recommendation that was no longer relevant because of changes in the agency's operating environment. In the LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management the status of previously reported recommendations as of September 30, 2018.

As a result, IRS has 127 GAO recommendations to address—the 107 remaining open recommendations from GAO's prior financial audits and the 20 new recommendations GAO made in the LIMITED OFFICIAL USE ONLY report. Until these new and continuing control deficiencies are fully addressed, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.

Status of GAO Recommendations to IRS for Addressing Information System Security Control Deficiencies 

Legend: FY = fiscal year; — = no recommendation made.
Source: GAO analysis of Internal Revenue Service (IRS) data.  |  GAO-19-474R

Why GAO Did This Study

This report presents the new information system security control deficiencies identified during GAO's audit of IRS's fiscal years 2018 and 2017 financial statements based on its fiscal year 2018 testing of controls over certain IRS financial and tax processing systems relevant to internal control over financial reporting. This report also includes the results of GAO's fiscal year 2018 follow-up on the status of IRS's corrective actions to address information system control deficiencies and associated recommendations contained in GAO's prior years' reports that were open at the beginning of GAO's fiscal year 2018 audit.