Management Report: Internal Revenue Service Needs to Improve Financial Reporting and Information System Controls
Every year we audit IRS's financial statements.
During our FY 2020 audit, we found that corrective actions were not complete for 114 recommendations we made to address previously reported deficiencies in IRS's financial reporting and related information systems. We also identified new deficiencies related to system access controls, security management, and tax credits.
We made recommendations to IRS to address these new issues, such as how to improve its security management.
What GAO Found
During its audit of the Internal Revenue Service’s (IRS) fiscal years 2020 and 2019 financial statements, GAO identified new information system control deficiencies related to access controls and security management that contributed to IRS’s continuing significant deficiency in its internal control over financial reporting systems. These new deficiencies, along with unresolved information system control deficiencies from GAO’s prior audits, increase the risk of unauthorized access to, modification of, or disclosure of financial reporting and taxpayer data and disruption of critical operations. GAO also identified a new control deficiency related to tax credits that although not considered a material weakness or significant deficiency, nonetheless warrants IRS management’s attention in order to help reduce the risk of erroneous and fraudulent refund disbursements.
GAO is making one recommendation in this report to address the control deficiency in security management. In the LIMITED OFFICIAL USE ONLY report, GAO is making five recommendations: four recommendations to address control deficiencies in access controls and one recommendation to address a control deficiency in tax credits.
In addition, GAO found that IRS had completed corrective actions to close 48 of 162 recommendations from GAO’s prior audits related to control deficiencies that remained open as of September 30, 2019. Specifically, IRS’s actions addressed:
- four of 13 transaction cycle recommendations,
- 41 of 132 information system recommendations, and
- three of 17 safeguarding recommendations.
In the LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management the status of previously reported recommendations as of September 30, 2020. As a result, IRS has the following GAO recommendations to address:
- 10 transaction cycle recommendations, which consist of nine prior recommendations and the one new recommendation related to tax credits that GAO is making in the LIMITED OFFICIAL USE ONLY report;
- 96 information system recommendations, which consists of 91 prior recommendations, one new recommendation related to security management that GAO is making in this report, and four new recommendations related to access controls that GAO is making in the LIMITED OFFICIAL USE ONLY report; and
- 14 safeguarding recommendations.
Why GAO Did This Study
GAO audits IRS’s financial statements annually. As part of these audits, GAO assesses the effectiveness of IRS’s internal control over financial reporting.
This report presents the new deficiencies in internal control over financial reporting identified during GAO’s audit of IRS’s fiscal years 2020 and 2019 financial statements. This report also includes the results of GAO’s fiscal year 2020 follow-up on the status of IRS’s corrective actions to address recommendations contained in GAO’s prior years’ reports that were open as of September 30, 2019.
GAO is making one recommendation to address the new control deficiency in security management. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made an additional five recommendations to address control deficiencies in access controls and tax credits. In commenting on a draft of this report and the LIMITED OFFICIAL USE ONLY report, IRS agreed with all of GAO’s recommendations and stated that it is committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security. GAO will evaluate the effectiveness of IRS’s efforts to address these deficiencies during its audit of IRS’s fiscal year 2021 financial statements.
Recommendations for Executive Action
|Internal Revenue Service||The Commissioner of the Internal Revenue Service should reasonably assure that reviews of external third parties' systems reference current documentation that supports IRS assessments of risk. (Recommendation 1)||
During our fiscal year 2021 testing, IRS officials indicated that they plan to address this recommendation in the future. As a result, this recommendation remains open as of September 30, 2021.