Management Report: IRS Needs to Improve Financial Reporting and Information System Controls
Fast Facts
We audit and issue opinions annually on IRS's financial statements and on related internal controls (e.g., processes to reasonably assure that transactions are properly authorized and recorded).
During our FY 2021 audit, we identified 4 new deficiencies in information system controls.
We also determined that IRS implemented 68 of the 120 recommendations we made to address previously reported deficiencies in financial reporting and information system controls.
The new and continuing control deficiencies increase the risk of unauthorized access to financial and sensitive taxpayer data and disruption of critical operations.
Highlights
What GAO Found
During its audit of the Internal Revenue Service's (IRS) fiscal years 2021 and 2020 financial statements, GAO identified four new deficiencies in internal control over financial reporting. The new deficiencies related to information system controls, specifically in the areas of access controls and configuration management, and contributed to GAO's reported continuing significant deficiency in IRS's internal control over financial reporting systems. In the LIMITED OFFICIAL USE ONLY report, GAO is making eight new recommendations to address these control deficiencies.
In addition, GAO determined that IRS had completed corrective actions to close 68 of 120 recommendations from GAO's prior years' reports related to internal control over financial reporting that remained open as of September 30, 2020. Specifically, IRS's actions addressed 63 information system recommendations and five safeguarding recommendations.
The report provides the status of 30 previously reported recommendations that are not sensitive in nature and IRS's corrective actions as of September 30, 2021. The LIMITED OFFICIAL USE ONLY report contains the status of the 120 previously reported sensitive and nonsensitive recommendations and IRS's corrective actions as of September 30, 2021.
Including prior and new recommendations, IRS has the following 60 open GAO recommendations related to internal control over financial reporting to address:
- 10 transaction cycle recommendations,
- 41 information system recommendations (including eight new recommendations), and
- nine safeguarding recommendations.
These new and continuing control deficiencies increase the risk of unauthorized access to, modification of, or disclosure of financial and sensitive taxpayer data and disruption of critical operations. IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential misstatements on the financial statements.
Why GAO Did This Study
GAO audits IRS's financial statements annually. As part of these audits, GAO assesses IRS's key financial reporting controls, including information system controls.
This report presents the new deficiencies in internal control over financial reporting identified during GAO's audit of IRS's fiscal years 2021 and 2020 financial statements. This report also includes the results of GAO's fiscal year 2021 follow-up on the status of IRS's corrective actions to address recommendations contained in GAO's prior years' reports related to internal control over financial reporting that were open as of September 30, 2020.
Recommendations
In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made eight new recommendations to address control deficiencies in information systems related to access controls and configuration management. In commenting on a draft of this report and the LIMITED OFFICIAL USE ONLY report, IRS agreed with GAO's eight recommendations and stated that it is committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security. GAO plans to follow up to determine the status of corrective actions taken on the recommendations as part of its audit of IRS's fiscal year 2022 financial statements.