Management Report: Internal Revenue Service Needs to Improve Financial Reporting and Information System Controls

Fast Facts

Every year we audit IRS's financial statements.

During our FY 2020 audit, we found that corrective actions were not complete for 114 recommendations we made to address previously reported deficiencies in IRS's financial reporting and related information systems. We also identified new deficiencies related to system access controls, security management, and tax credits.

We made recommendations to IRS to address these new issues, such as how to improve its security management.

Highlights

What GAO Found

During its audit of the Internal Revenue Service’s (IRS) fiscal years 2020 and 2019 financial statements, GAO identified new information system control deficiencies related to access controls and security management that contributed to IRS’s continuing significant deficiency in its internal control over financial reporting systems. These new deficiencies, along with unresolved information system control deficiencies from GAO’s prior audits, increase the risk of unauthorized access to, modification of, or disclosure of financial reporting and taxpayer data and disruption of critical operations. GAO also identified a new control deficiency related to tax credits that although not considered a material weakness or significant deficiency, nonetheless warrants IRS management’s attention in order to help reduce the risk of erroneous and fraudulent refund disbursements.

GAO is making one recommendation in this report to address the control deficiency in security management. In the LIMITED OFFICIAL USE ONLY report, GAO is making five recommendations: four recommendations to address control deficiencies in access controls and one recommendation to address a control deficiency in tax credits.

In addition, GAO found that IRS had completed corrective actions to close 48 of 162 recommendations from GAO’s prior audits related to control deficiencies that remained open as of September 30, 2019. Specifically, IRS’s actions addressed:

four of 13 transaction cycle recommendations,

41 of 132 information system recommendations, and

three of 17 safeguarding recommendations.

In the LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management the status of previously reported recommendations as of September 30, 2020. As a result, IRS has the following GAO recommendations to address:

10 transaction cycle recommendations, which consist of nine prior recommendations and the one new recommendation related to tax credits that GAO is making in the LIMITED OFFICIAL USE ONLY report;

96 information system recommendations, which consists of 91 prior recommendations, one new recommendation related to security management that GAO is making in this report, and four new recommendations related to access controls that GAO is making in the LIMITED OFFICIAL USE ONLY report; and

14 safeguarding recommendations.

Why GAO Did This Study

GAO audits IRS’s financial statements annually. As part of these audits, GAO assesses the effectiveness of IRS’s internal control over financial reporting.

This report presents the new deficiencies in internal control over financial reporting identified during GAO’s audit of IRS’s fiscal years 2020 and 2019 financial statements. This report also includes the results of GAO’s fiscal year 2020 follow-up on the status of IRS’s corrective actions to address recommendations contained in GAO’s prior years’ reports that were open as of September 30, 2019.

Recommendations

GAO is making one recommendation to address the new control deficiency in security management. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made an additional five recommendations to address control deficiencies in access controls and tax credits. In commenting on a draft of this report and the LIMITED OFFICIAL USE ONLY report, IRS agreed with all of GAO’s recommendations and stated that it is committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security. GAO will evaluate the effectiveness of IRS’s efforts to address these deficiencies during its audit of IRS’s fiscal year 2021 financial statements.

Recommendations for Executive Action

Agency Affected	Recommendation	Status
Internal Revenue Service	The Commissioner of the Internal Revenue Service should reasonably assure that reviews of external third parties' systems reference current documentation that supports IRS assessments of risk. (Recommendation 1)	Closed – Implemented During our fiscal year 2022 testing, we determined that IRS referenced current documentation that supports IRS assessments of risk in its reviews of external third parties' systems. As a result, we concluded that IRS's corrective actions as of September 30, 2022, were adequate to close this recommendation.

Full Report

Full Report (19 pages)

Accessible PDF (19 pages)

GAO Contacts

Cheryl E. Clark

Director

clarkce@gao.gov

(202) 512-9377

Vijay A. D'Souza

Director

dsouzav@gao.gov

(202) 512-7650

Office of Public Affairs

Chuck Young

Managing Director

youngc1@gao.gov

(202) 512-4800

Topics

Auditing and Financial Management

Agency evaluationsAuthenticationCompliance oversightConfidential communicationsFinancial reportingFinancial statementsInformation resources managementInformation systemsInternal controlsMaterial weaknessesPersonal identity verificationPhysical securityPolicies and proceduresRisk assessmentSensitive dataTax creditTaxpayer dataTaxpayer informationTaxpayersUnauthorized access