The Government Accountability Office (GAO) said in a new report that its Fiscal Year 2021 audit found information system control problems at the Internal Revenue Service (IRS) that increase the risk of unauthorized access to financial and sensitive taxpayer data and disruption of critical operations.
GAO said it identified four new deficiencies in the tax agency’s information system controls related to access controls and configuration management, in addition to previously identified deficiencies. The watchdog agency said those findings “contributed to GAO’s reported continuing significant deficiency in IRS’s internal control over financial reporting systems,” the new report says.
“These new and continuing control deficiencies increase the risk of unauthorized access to, modification of, or disclosure of financial and sensitive taxpayer data and disruption of critical operations,” the report states.
GAO made eight new recommendations to address control deficiencies in information systems related to access controls and configuration management.
The IRS agreed with GAO’s eight recommendations, and stated that it is “committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security,” the report notes.
Despite the latest findings, IRS has not been sitting on its hands regarding GAO’s lengthy list of suggested improvements. GAO did acknowledge that the IRS implemented 68 of 120 previously offered recommendations it made to address deficiencies in financial reporting and information system controls.
Counting the new and outstanding recommendations, GAO determined that the IRS still needs to deal with 60 open recommendations related to internal controls over financial reporting, including:
- 10 transaction cycle recommendations,
- 41 information system recommendations (including eight new recommendations), and
- nine safeguarding recommendations.
GAO said it will follow up to determine the status of corrective actions taken on the recommendations as part of its audit of IRS’s FY 2022 financial statements.