What GAO Found
In GAO's opinion, the Internal Revenue Service's (IRS) fiscal years 2016 and 2015 financial statements are fairly presented in all material respects. However, in GAO's opinion, IRS did not maintain effective internal control over financial reporting as of September 30, 2016, because of a continuing material weakness in internal control over unpaid assessments. GAO's tests of IRS's compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements detected no reportable instances of noncompliance in fiscal year 2016.
The continuing material weakness in internal control over unpaid assessments was primarily caused by financial system limitations and other control deficiencies that rendered IRS's systems unable to properly distinguish between taxes receivable, compliance assessments, and write-offs, as necessary to determine reliable balances for financial reporting purposes. These deficiencies necessitated the use of a compensating estimation process to determine the amount of taxes receivable, the largest asset on IRS's balance sheet. Through this compensating process, IRS made over $9 billion in adjustments to the 2016 fiscal year-end gross taxes receivable balance produced by its financial systems. In response to GAO's recommendations from prior audits, IRS has taken actions over the years to address this material weakness, including developing a long-term corrective action plan. However, the plan does not include milestones or related completion dates for most of the actions, so it is unclear when IRS will fully address the issues that cause significant inaccuracies in the unpaid assessments information it maintains.
During fiscal year 2016, IRS continued to make progress in addressing deficiencies in internal control over its financial reporting systems. However, continuing and newly identified control deficiencies in IRS's information security placed IRS systems and data at risk. Collectively, these deficiencies represent a significant deficiency in IRS's internal control over financial reporting systems. Until IRS takes the necessary steps to address these deficiencies in controls, its financial reporting and taxpayer data will remain at increased risk of inappropriate and undetected use, modification, or disclosure.
In addition to its internal control deficiencies, IRS faces significant ongoing financial management challenges related to (1) safeguarding taxpayer receipts and associated information, (2) preventing and detecting fraudulent refunds based on identity theft, and (3) implementing the tax-related provisions of the Patient Protection and Affordable Care Act. The difficulties confronting IRS in its efforts to effectively manage each of these challenges are further magnified by the need to do so in an environment of diminished budgetary resources.
Why GAO Did This Study
In accordance with the authority conferred by the Chief Financial Officers Act of 1990, as amended, GAO annually audits IRS's financial statements to determine whether (1) the financial statements are fairly presented and (2) IRS management maintained effective internal control over financial reporting. GAO also tests IRS's compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements.
IRS's tax collection activities are significant to overall federal receipts, and the effectiveness of its financial management is of substantial interest to Congress and the nation's taxpayers.
Based on prior financial statement audits, GAO made numerous recommendations to IRS to address internal control deficiencies. GAO will continue to monitor and will report separately on IRS's progress in implementing prior recommendations that remain open. Consistent with past practice, GAO will also be separately reporting on the new internal control deficiencies identified in this year's audit and providing IRS recommendations for corrective actions to address them.
In commenting on a draft of this report, IRS stated that it is dedicated to continuing to improve its financial management, internal controls, and information security.