Recommendations Database
GAO’s recommendations database contains report recommendations that still need to be addressed. GAO’s priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. Below you can search only priority recommendations, or search all recommendations.
Our recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Moreover, when implemented, some of our priority recommendations can save large amounts of money, help Congress make decisions on major issues, and substantially improve or transform major government programs or agencies, among other benefits.
As of October 25, 2020, there are 4812 open recommendations, of which 473 are priority recommendations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented.
Browse or Search Open Recommendations
Have a Question about a Recommendation?
- For questions about a specific recommendation, contact the person or office listed with the recommendation.
- For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.
Results:
Subject Term: "Taxpayer information"
GAO-20-480R, Apr 30, 2020
Phone: (202) 512-9377
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: The IRS agreed with this recommendation and stated that the Wage and Investment organization will update the Courier Contingency Plan policies and procedures to provide for appropriate segregation of duties or other curative measures.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: The IRS agreed with this recommendation and stated that the Wage and Investment organization agrees that actions need to occur to address duplicate tax refund conditions through improved manual refund procedures to require (1) the initiator to document the justification for bypassing the Integrated Automated Technologies (IAT) tool warning related to potential duplicate tax refunds on taxpayers' accounts and (2) managers to review the justification documented for bypassing the IAT tool warning for reasonableness prior to approving manual refund forms. However, IRS also stated that it was unable to commit to implementing a corrective action plan at this time due to budgetary constraints on system enhancements.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: The IRS agreed with this recommendation and stated that the CFO organization will determine the reasons for business unit(s) non-compliance with established policies and procedures related to timely recording of receipts and acceptance of goods and services and, based on this evaluation, develop an action plan that once completed will provide additional tools to aid the business units in reasonably ensuring compliance with established requirements.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: The IRS agreed with this recommendation and stated that the CFO organization will update policies and procedures to include additional instructions needed to calculate the future lease payments due on the non-cancelable leases with terms greater than one year and will also create an automated calculation to determine the number of remaining months of lease payments.
GAO-19-340, May 9, 2019
Phone: (202) 512-9110
including 1 priority recommendation
Agency: Congress
Status: Open
Comments: No action has been taken on this matter as of December 2019.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said that it agreed with the intent of the recommendation, but did not agree to implement it, citing the need for additional explicit authority to establish security requirements for the information systems of paid preparers and others who electronically file. IRS reported that to effectively establish data safeguarding policies and implement strategies enforcing compliance with those policies, a centralized leadership structure requires the statutory authority that clearly communicates the authority of the IRS to do so. Without such authority, implementing the recommendation would be an inefficient, ineffective, and costly use of resources, according to IRS. We disagree that convening a governance structure or other centralized form of leadership would require additional statutory authority or be inefficient, ineffective, and costly. As discussed in the report, IRS has seven different offices across the agency working on information security-related activities that could benefit from centralized oversight and coordination, such as updating existing standards, monitoring Authorized e-file Provider program compliance, and tracking security incident reports.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with this recommendation and would update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to include security elements that are consistent with the FTC Safeguards Rule. IRS plans to update the publication by November 2020.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, IRS does not plan to implement it without additional statutory authority to require Authorized e-file Provider Program participants to comply with the NIST Special Publication 800-53. We continue to believe that under IRS's existing authority, IRS has already established some information security requirements for a portion of tax software providers, those that are online providers. IRS has the opportunity to further establish standards for all tax software providers by incorporating the subset of NIST controls into its Authorized e-file Provider program, which would capitalize on the work it has completed with the Security Summit members.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with this recommendation and in November 2019 said that it will update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, with a formal memorandum to all internal stakeholders during the annual review process. IRS plans to take this action by November 2020.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, it does not plan to implement it. IRS reported it does not have the statutory authority to establish policy on information security and cybersecurity issues, nor to enforce compliance if noncompliance is observed. Additionally, IRS said that the specialized technical skills required to monitor compliance with information and cybersecurity standards, should statutory authority be granted, would require additional funding to meet those monitoring needs. However, as we reported, IRS already monitors physical aspects of information security, which goes beyond existing Authorized e-file Provider program requirements. Since most individuals now file tax returns electronically, having checks for physical security without comparable checks for cybersecurity does not address current risks, as cyber criminals and fraudsters are increasingly attacking third-party providers, as IRS has noted. We believe that incorporating some basic cybersecurity monitoring into the visits would provide IRS the opportunity to help inform the most vulnerable third-party providers of additional guidance and resources.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with the intent of this recommendation; however, it does not plan to implement it. IRS stated that absent statutory authority and funding, an assessment of the different monitoring approaches is moot. We disagree with this conclusion. As discussed in the report, IRS does not systematically monitor the existing security requirements for online providers, nor does it conduct information security or cybersecurity monitoring for all types of Authorized e-file Providers. We believe that IRS could conduct a risk assessment of its current monitoring program within existing statutory authority and make necessary changes that would provide better assurance that all types of providers are receiving some level of oversight and that IRS is addressing the greatest risk areas appropriately.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS agreed with this recommendation and in November 2019 said that it would develop a standardized process for all Authorized e-file Providers to report security incidents to IRS. IRS said it plans to update IRS Publication 1345, Handbook for Authorized IRS e-File Providers of Individual Income Tax Returns, to include this standardized process by November 2020.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In its initial response to our draft report, IRS agreed with this recommendation. In November 2019, IRS said it agreed with this recommendation with respect to the formal process for tax professionals to report data breaches to the IRS through the Stakeholder Liaison function within the Communications and Liaison organization. According to IRS, procedures are documented in the Data Breach Incident Reporting Instructions that are followed during the intake process. IRS said that upon completion, the breach information is disseminated to other offices within the IRS, depending on the nature of the breach incident reported. According to IRS, all 2018 and 2019 Tax Pro Data Breach incidents remain stored in the Data Breach module of the Return Preparer Database. We will follow up to confirm the information IRS described and determine if these procedures cover all of the IRS offices included in our report.
GAO-18-391, Jul 31, 2018
Phone: (202) 512-6244
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Phone: (202) 512-9110
including 3 priority recommendations
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: As of January 2020, the Internal Revenue Service (IRS) had taken preliminary steps to prioritize its foundational initiatives in its Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. For example, IRS documentation stated that initial efforts to update the original Roadmap included collecting implementation documents for the 14 foundational initiatives. IRS stated that this information and progress that IRS has made on the initiatives shows that the initiatives are a priority for IRS leadership. However, IRS has not used this information to clearly prioritize in-progress initiatives or supporting activities going forward. IRS stated that it intends to update its Roadmap annually, including prioritizing new and existing authentication initiatives and capabilities. IRS's continued attention to this action will help ensure that in-progress authentication initiatives are prioritized and completed.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS officials had developed a draft policy for conducting risk assessments for telephone, in-person, and correspondence channels for authentication, as we recommended. IRS officials stated that once this policy is approved, it will be used to develop a plan to perform risk assessments for these authentication channels. IRS's continued attention to this recommendation will help ensure that it is aware of emerging threats to the tax environment.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS officials stated that they will develop a plan for performing risk assessments for telephone, in-person, and correspondence channels for authentication by May 2020. Until IRS develops and implements this plan, these authentication channels may be more vulnerable to fraudulent activity, including unauthorized attempts to access taxpayer information.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS officials stated that the agency intends to implement this recommendation by spring 2020. Officials noted that developing a systemic solution for collecting data on all authentication outcomes is complex and involves multiple IRS business divisions. Until IRS fully addresses this recommendation, it will have limited insight into the number of taxpayers who fail authentication and the reason for failure.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS stated that it has planned enhancements to its authentication data collection procedures in AMS. Officials stated that by June 2020, they intend to implement improvements for ensuring data quality of authentication outcomes. Until IRS fully implements our recommendation, it will be limited in conducting systematic data analysis on taxpayer authentication outcomes.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of November 2019, IRS officials told us that IRS has explored options that will allow the agency to more effectively record, track, and monitor authentication outcomes. IRS officials said that they are developing and testing a tool to document Taxpayer Protection Program interactions, outcomes of taxpayer authentication, and the reasons for authentication failures. Officials stated that IRS plans to have this tool implemented by spring 2020, one year later than originally planned. Officials stated that the delay is due to additional technical programming to fully develop the tool. We will follow up on IRS's actions to determine the extent to which they implement our recommendation.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: As of January 2020, IRS has taken steps to implement this recommendation. Efforts include developing plans for a new authentication capability to authenticate taxpayers' identities online using external partners, consistent with National Institute of Standards and Technology (NIST) guidance. IRS officials told us that they plan to work with external partners to perform additional testing on its new authentication platform this year, including a usability study to understand user experience. IRS officials also stated that they are determining a schedule for fully implementing these NIST-compliant taxpayer authentication capabilities. IRS's timely implementation of NIST's guidance is critical to help the agency mitigate potential security weaknesses in its existing online authentication programs.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Priority recommendation
Comments: As of January 2020, IRS has taken steps to develop plans for a new authentication capability to authenticate taxpayers' identities online using external partners, consistent with National Institute of Standards and Technology (NIST) guidance. IRS officials stated that they are determining a schedule for fully implementing these NIST-compliant taxpayer authentication capabilities. As noted in our report, IRS's timely implementation of NIST's new guidance is critical, as it can help the agency mitigate potential security weaknesses in its existing online authentication programs.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication, as GAO recommended in June 2018. IRS stated that the draft process was being reviewed by the Chief Privacy Officer and it expects to finalize the process in spring 2020. IRS also stated that the Identity Assurance office will be ready to use the repeatable process once it is approved by IRS leadership. IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: As of January 2020, the Internal Revenue Service (IRS) had taken steps to develop a repeatable, comprehensive process to identify and evaluate alternative options for improving taxpayer authentication. However, IRS had not yet included and prioritized these options, as appropriate, in IRS's Identity Assurance Strategy and Roadmap (Roadmap), as GAO recommended in June 2018. IRS stated that it expects to finalize its process to evaluate alternative authentication options in spring 2020. IRS documentation states that it plans to update its Roadmap annually, but it has not articulated a timeline for doing so in 2020. IRS's continued attention to this action will help ensure that it has a sound rationale for its investment decisions and the resources it needs to make authentication improvements in a timely manner.
GAO-18-393R, May 7, 2018
Phone: (202) 512-9377
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: IRS's actions to address this recommendation are ongoing. As of September 30, 2019, three of the four operating divisions involved in this recommendation designed and implemented the corrective actions necessary to reasonably assure that IRS effectively resolved and recorded unpostable transactions in a timely manner. In March 2019, one operating division determined that based on the research performed, no actions needed to be taken by the operating division to effectively resolve and record unpostable transactions in a timely manner. We will continue to evaluate IRS's actions to address this recommendation during our audit of IRS's fiscal year 2020 financial statements.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: During fiscal year 2019, IRS developed policies in the Internal Revenue Manual (IRM) for conducting and monitoring the Submission Processing internal control review. Specifically, the IRM addresses the (1) designated roles and responsibilities among IRS business units for ensuring the review questions and associated criteria are assessed and updated to align with internal controls under review; (2) requirements for periodically evaluating the error threshold methodology used in the review; and (3) procedures for the review to assess and monitor (a) internal control activities across work shifts and (b) internal control activities for appropriate use and destruction of hard-copy taxpayer information. However, the IRM did not include requirements for reporting findings identified during all components of the internal control review and for assessing and monitoring results of relevant functional level reviews. Since IRS developed the relevant IRM policies and procedures after we had already performed our fiscal year 2019 internal control testing, we will evaluate IRS's implementation of the established procedures during our fiscal year 2020 audit.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2019, IRS notified stakeholders of the added procedures to the Internal Revenue Manual (IRM) for (1) conducting the Audit Management Checklist reviews, including how frequently the reviews should be completed; (2) developing corrective actions for deficiencies; and (3) tracking the status of the corrective actions until fully implemented. Since IRS provided us the IRM procedures after the end of our fiscal year 2019 audit, we will evaluate IRS's implementation of the established procedures during our fiscal year 2020 audit.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: In September 2019, IRS notified stakeholders of the added procedures to the Internal Revenue Manual (IRM) for conducting the All Events History Report reviews, including developing and monitoring corrective actions for deficiencies until fully implemented. Since IRS provided us the IRM procedures after the end of our fiscal year 2019 audit, we will evaluate IRS's implementation of the established procedures during our fiscal year 2020 audit.
GAO-17-395, Jul 26, 2017
Phone: (202) 512-6244
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, but the agency provided some evidence of its progress in implementing this recommendation. When IRS fully implements this recommendation, we will review relevant IRS actions.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.
Agency: Department of the Treasury: Internal Revenue Service
Status: Open
Comments: During GAO's audit of FY 2019 IRS financial statements, IRS did not submit this recommendation for closure, nor did the agency provide evidence that it had implemented this recommendation. When IRS indicates that it has implemented this recommendation, we will review relevant IRS actions.