IRS Financial Reporting: Improvements Needed in Information System and Other Controls

What GAO Found

During GAO’s audits of the Internal Revenue Service’s (IRS) fiscal year 2025 financial statements and of its internal control over financial reporting as of September 30, 2025, GAO identified five new deficiencies in internal control over financial reporting. Four of these new deficiencies are sensitive in nature and related to information systems, consisting of three access control deficiencies and one security management control deficiency. The remaining new deficiency was not sensitive in nature and related to IRS’s nonproduction costs, which are part of the financial reporting transaction cycle.

This report presents detailed information on the new financial reporting transaction cycle control deficiency and associated recommendation. The separately issued LIMITED OFFICIAL USE ONLY report presents detailed information on the new information system control deficiencies and four recommendations to address them.

In addition, GAO determined that IRS had completed corrective actions for 14 of 30 recommendations from GAO’s prior reports related to internal control over financial reporting that were open as of September 30, 2024. IRS’s actions addressed four transaction cycle recommendations, one safeguarding assets recommendation, and nine information system recommendations.

This report provides the status of eight previously reported recommendations that are nonsensitive in nature and IRS’s actions to address them as of September 30, 2025. The LIMITED OFFICIAL USE ONLY report contains the status of the 30 previously reported sensitive and nonsensitive recommendations and IRS’s actions to address them as of September 30, 2025.

As of September 30, 2025, IRS has 21 open GAO recommendations related to internal control over financial reporting to address

• three transaction cycle recommendations (including one that is new),
• one safeguarding assets recommendation, and
• 17 information system recommendations (including four that are new).

The new and continuing control deficiencies related to information systems and safeguarding assets increase the risk of unauthorized access to and modification of data and programs, disclosure of sensitive data, and disruption of critical operations. The new and continuing control deficiencies related to transaction cycles increase the risk of financial statement misstatements. IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential financial statement misstatements.

Why GAO Did This Study

GAO annually audits IRS’s financial statements and its internal control over financial reporting, including information system controls. This report presents the new deficiencies in internal control over financial reporting identified during GAO’s audits. This report also includes the results of GAO’s fiscal year 2025 follow-up on IRS’s corrective actions to address recommendations contained in GAO’s prior reports related to internal control over financial reporting that were open as of September 30, 2024.