IRS Financial Reporting: Improvements Needed in Information System and Other Controls

What GAO Found

During its audit of the Internal Revenue Service's (IRS) fiscal years 2023 and 2022 financial statements, GAO identified three new deficiencies in internal control over financial reporting. These deficiencies, which are sensitive in nature, related to information systems and contributed to GAO's reported continuing significant deficiency in IRS's information system controls. Specifically, GAO identified one security management control deficiency, one access control deficiency, and one configuration management control deficiency. The separately issued LIMITED OFFICIAL USE ONLY report presents detailed information on the new control deficiencies and six recommendations to address them.

In addition, GAO determined that IRS had completed corrective actions on 15 of 51 recommendations from GAO's prior reports related to internal control over financial reporting that were open as of September 30, 2022. IRS's actions addressed one transaction cycle recommendation, two safeguarding assets recommendations, and 12 information system recommendations.

This report provides the status of 10 previously reported recommendations that are not sensitive in nature and IRS's corrective actions as of September 30, 2023. The LIMITED OFFICIAL USE ONLY report contains the status of the 51 previously reported sensitive and nonsensitive recommendations and IRS's corrective actions as of September 30, 2023.

As of September 30, 2023, IRS has 42 open GAO recommendations related to internal control over financial reporting to address:

• six transaction cycle recommendations,
• two safeguarding assets recommendations, and
• 34 information system recommendations (including six that are new).

The new and continuing control deficiencies related to information systems and safeguarding assets increase the risk of unauthorized access to, modification of, and disclosure of sensitive data and programs, as well as the disruption of critical operations. The continuing control deficiencies related to transaction cycles increase the risk of financial statement misstatements. IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential financial statement misstatements.

Why GAO Did This Study

GAO audits IRS's financial statements annually. As part of these audits, GAO assesses IRS's internal control over financial reporting, including information system controls.

This report presents the new deficiencies in internal control over financial reporting identified during GAO's audit of IRS's fiscal years 2023 and 2022 financial statements. This report also includes the results of GAO's fiscal year 2023 follow-up on the status of IRS's corrective actions to address recommendations contained in GAO's prior reports related to internal control over financial reporting that were open as of September 30, 2022.

Public link

Please use the above public link if you want to share this noodl on another website.