Management Report:

Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security Controls

GAO-20-411R: Published: May 13, 2020. Publicly Released: May 13, 2020.

Contact:

Cheryl E. Clark
(202) 512-9377
clarkce@gao.gov

Vijay A. D’Souza
(202) 512-6240
dsouzav@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Internal Revenue Service must keep its computer systems secure to protect financial and taxpayer data. Every year since FY 1997, we have assessed whether the IRS had effective controls in place to safeguard this information.

During this year’s audit, we identified new and continuing deficiencies in information system security controls. These deficiencies affect IRS’s ability to help ensure systems are operating securely. These risks involve the potential for unauthorized access to, modification of, or disclosure of, sensitive data and programs.

What GAO Found

During its audit of the Internal Revenue Service’s (IRS) fiscal years 2019 and 2018 financial statements, GAO identified new deficiencies in information system security controls that, along with unresolved control deficiencies from prior audits, collectively represent a significant deficiency in the agency’s internal control over financial reporting systems. Specifically, GAO identified 11 new deficiencies in information system security controls over certain IRS financial and tax processing systems that are relevant to internal control over financial reporting. Of the 11 new deficiencies, five were related to access controls, three were related to configuration management, one was related to segregation of duties, and two were related to information security management program controls. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management detailed information regarding the 11 new deficiencies in information system security controls and made 18 recommendations to address them.

In addition, GAO found that as of September 30, 2019, IRS had completed corrective actions to address deficiencies in information system security controls associated with 13 of the 127 recommendations resulting from GAO’s prior financial audits. GAO closed these recommendations. In the LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management the status of previously reported recommendations as of September 30, 2019.

As a result, IRS has 132 GAO recommendations to address—the 114 remaining open recommendations from GAO’s prior financial audits and the 18 new recommendations GAO made in the LIMITED OFFICIAL USE ONLY report. Until these new and continuing control deficiencies, which collectively represent a significant deficiency, are fully addressed, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to unauthorized access, modification, or disclosure.

Summary of GAO Recommendations to IRS for Addressing Deficiencies in Information System Security Controls

| Information system security control area | Open recommendations from prior audits as of September 30, 2018 | Prior recommendations closed as of September 30, 2019 | New recommendations resulting from FY 2019 audit | Total remaining open recommendations |
| --- | --- | --- | --- | --- |
| Access controls | 93 | 8 | 7 | 92 |
| Configuration management | 26 | 3 | 7 | 30 |
| Segregation of duties | 1 | — | 1 | 2 |
| Contingency planning | 1 | 1 | — | — |
| Information security management program | 6 | 1 | 3 | 8 |
| Total | 127 | 13 | 18 | 132 |

Legend: FY = fiscal year; — = no recommendation made.

Source: GAO analysis of Internal Revenue Service (IRS) data.  |  GAO-20-411R

Why GAO Did This Study

This report presents the new deficiencies in information system security controls identified during GAO’s audit of IRS’s fiscal years 2019 and 2018 financial statements based on its fiscal year 2019 testing of controls over certain IRS financial and tax processing systems relevant to internal control over financial reporting. The report also includes the results of GAO’s fiscal year 2019 follow-up on the status of IRS’s corrective actions to address deficiencies in information system security controls and associated recommendations contained in GAO’s prior years’ reports that were open as of September 30, 2018.

What GAO Recommends

In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made 18 recommendations to address 11 new deficiencies in information system security controls related to access controls, configuration management, segregation of duties, and information security management program. In commenting on a draft of the separately issued LIMITED OFFICIAL USE ONLY report, IRS agreed with GAO’s recommendations and stated that it will ensure that its corrective actions include root cause analysis for sustainable fixes. GAO will evaluate the effectiveness of IRS’s efforts to address these deficiencies during its audit of IRS’s fiscal year 2020 financial statements.

For more information, contact Cheryl E. Clark at (202) 512-9377 or clarkce@gao.gov or Vijay A. D’Souza at (202) 512-6240 or dsouzav@gao.gov.
