The IRS relies extensively on IT systems to collect more than $3 trillion in taxes and distribute over $400 billion in refunds annually. In FY 2020, the IRS expects to spend approximately $3.2 billion on IT investments.
We testified on several IT problems that could make it harder for the IRS to do its job (e.g., security control deficiencies that could result in unauthorized access to taxpayer data; computer freezes that cause service delays).
We also noted that the IRS needed to manage its IT systems better—particularly the oldest ones. Our previous recommendations, most of which the IRS has yet to implement, would address these issues.
What GAO Found
Information technology (IT) operational challenges have hampered the Internal Revenue Service's (IRS) ability to effectively carry out its responsibilities. For example:
In May 2020, GAO reported that new and continuing deficiencies in information system security controls over financial and tax processing systems included deficiencies related to access controls, segregation of duties, and other areas. These collectively represented a significant deficiency in risks of unauthorized access to, modification of, or disclosure of financial reporting and taxpayer data and disruption of critical operations. GAO made 18 new recommendations to address these deficiencies, bringing the total number of GAO cybersecurity recommendations that IRS has not yet implemented to 132.
A January 2020 GAO report stated that customer service representatives and frontline managers reported frequently experiencing computer problems that adversely affected their ability to serve taxpayers. Specifically, they reported their computers freezing or taking excessive time to reboot. These computer problems could cause phone calls to disconnect before taxpayer issues were resolved, which required taxpayers to call back and wait in the queue again. GAO recommended that IRS address this challenge; IRS now has actions underway to implement GAO's recommendation.
GAO has also issued several reports identifying numerous opportunities for the IRS to improve the management of its IT investments. IRS has addressed some of the related recommendations but other important ones are not yet implemented. For example:
In June 2018, GAO reported that IRS had not fully implemented key risk management practices for three mission critical systems facing significant risks due to their reliance on legacy programming languages, outdated hardware, and a shortage of human resources with needed skills. For example, for one of the systems, the more than 50-year old Individual Master File, IRS was using assembly language and Computer Business Oriented Language (COBOL)—languages that were both developed in the 1950s. As a result of these and other findings in its report, GAO made 21 recommendations to IRS. As of September 2020, IRS had implemented three of the 21 recommendations.
In June 2016, GAO reported that IRS had established IT investment priorities that supported two types of activities—operations and modernization. While IRS had developed a process for prioritizing operations activities, it did not have such a process for modernization. Accordingly, GAO recommended that IRS develop this process to better assure Congress and other decision makers that the highest priorities are funded. In September 2020, the agency told GAO that it expected to implement this process for the fiscal year 2022 budget cycle.
Why GAO Did This Study
The IRS, a bureau of the Department of the Treasury, relies extensively on IT to annually collect more than $3 trillion in taxes, distribute more than $400 billion in refunds, and carry out its mission of providing service to America's taxpayers in meeting their tax obligations. This year, IRS also relied on IT to process and disburse economic impact payments totaling hundreds of billions of dollars to millions of Americans in accordance with the Coronavirus Aid, Relief, and Economic Security Act. IRS expects to spend $3.2 billion on IT for fiscal year 2020.
GAO was asked to testify about IT management at IRS. Specifically, this testimony summarizes GAO's prior reports on IT challenges that IRS has faced in carrying out its operational responsibilities and on opportunities for the agency to improve the management of its IT investments.
To do so, GAO reviewed its previously issued reports identifying IT operational challenges and opportunities to improve the management of its systems, and incorporated information on the agency's actions in response to related recommendations.
GAO has made a number of recommendations to IRS to address IT challenges and needed improvements. While IRS has generally agreed with these, it still needs to implement the numerous critical recommendations that remain outstanding.