Each year, we audit the financial statements of the IRS and issue opinions regarding these statements and related internal controls (i.e., processes in place to ensure the proper authorization and recording of transactions).
Our FY 2022 audit identified new issues related to IT systems, tax refunds, and safeguarding assets. For example, IRS did not adequately correct certain tax return errors according to its own procedures. We recommended that IRS address these new issues.
We also determined that IRS has addressed 28 of the 60 recommendations from our previous reports related to financial reporting and IT systems.
What GAO Found
During its audit of the Internal Revenue Service’s (IRS) fiscal years 2022 and 2021 financial statements, GAO identified five new deficiencies in internal control over financial reporting. Two new deficiencies related to information system controls, specifically in access controls and configuration management, and contributed to GAO’s reported continuing significant deficiency in IRS’s internal control over financial reporting systems. In addition, two deficiencies related to tax refunds and one deficiency related to safeguarding assets. Although these deficiencies are not considered material weaknesses or significant deficiencies, they nevertheless warrant IRS management’s attention. GAO is making three new recommendations in this report to address the control deficiencies related to tax refunds and safeguarding assets. In the LIMITED OFFICIAL USE ONLY report, GAO is making 16 new recommendations to address the control deficiencies related to information systems.
In addition, GAO determined that IRS had completed corrective actions on 28 of 60 recommendations from GAO’s prior years’ reports related to internal control over financial reporting that remained open as of September 30, 2021. IRS’s actions addressed five transaction cycle recommendations, 17 information system recommendations, and six safeguarding assets recommendations.
This report provides the status of 19 previously reported recommendations that are not sensitive in nature and IRS’s corrective actions as of September 30, 2022. The LIMITED OFFICIAL USE ONLY report contains the status of the 60 previously reported sensitive and nonsensitive recommendations and IRS’s corrective actions as of September 30, 2022.
IRS has 51 open GAO recommendations related to internal control over financial reporting to address:
- seven transaction cycle recommendations (including two that are new),
- 40 information system recommendations (including 16 that are new), and
- four safeguarding assets recommendations (including one that is new).
The new and continuing control deficiencies related to information systems and safeguarding assets increase the risk of unauthorized access to, modification of, or disclosure of financial and sensitive taxpayer data and disruption of critical operations. The new and continuing control deficiencies related to transaction cycles increase the risk of misstatements on the financial statements. IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential misstatements on the financial statements.
Why GAO Did This Study
GAO audits IRS's financial statements annually. As part of these audits, GAO assesses IRS's key financial reporting controls, including information system controls.
This report presents the new deficiencies in internal control over financial reporting identified during GAO's audit of IRS's fiscal years 2022 and 2021 financial statements. This report also includes the results of GAO's fiscal year 2022 follow-up on the status of IRS's corrective actions to address recommendations contained in GAO's prior years' reports related to internal control over financial reporting that were open as of September 30, 2021.
GAO is making three recommendations to address the new control deficiencies in tax refunds and safeguarding assets. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made 16 new recommendations to address control deficiencies in information systems related to access controls and configuration management. In commenting on a draft of this report and the LIMITED OFFICIAL USE ONLY report, IRS agreed with all of GAO’s recommendations and stated that it is committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security. GAO plans to follow up to determine the status of corrective actions taken on the recommendations as part of its audit of IRS’s fiscal year 2023 financial statements.
Recommendations for Executive Action
|Internal Revenue Service||The Commissioner of the Internal Revenue Service should establish a process to provide reasonable assurance that the System Control Processing and Validation Section certifying officers comply with the requirement to complete the Fiscal Service Certifying Officer Training within 30 days prior to the renewal of their designations. (Recommendation 1)|
|Internal Revenue Service||The Commissioner of the Internal Revenue Service should review and update IRS's process to provide reasonable assurance that tax examiners comply with the requirement to address and correct error codes 004 and 230. (Recommendation 2)|
|Internal Revenue Service||The Commissioner of the Internal Revenue Service should direct the appropriate officials to establish and implement actions to provide reasonable assurance that requests for information are provided in a timely manner as required. (Recommendation 3)|