What GAO Found
During its audit of the Internal Revenue Service’s (IRS) fiscal years 2023 and 2022 financial statements, GAO identified three new deficiencies in internal control over financial reporting. These deficiencies, which are sensitive in nature, related to information systems and contributed to GAO’s reported continuing significant deficiency in IRS’s information system controls. Specifically, GAO identified one security management control deficiency, one access control deficiency, and one configuration management control deficiency. The separately issued LIMITED OFFICIAL USE ONLY report presents detailed information on the new control deficiencies and six recommendations to address them.
In addition, GAO determined that IRS had completed corrective actions on 15 of 51 recommendations from GAO’s prior reports related to internal control over financial reporting that were open as of September 30, 2022. IRS’s actions addressed one transaction cycle recommendation, two safeguarding assets recommendations, and 12 information system recommendations.
This report provides the status of 10 previously reported recommendations that are not sensitive in nature and IRS’s corrective actions as of September 30, 2023. The LIMITED OFFICIAL USE ONLY report contains the status of the 51 previously reported sensitive and nonsensitive recommendations and IRS’s corrective actions as of September 30, 2023.
As of September 30, 2023, IRS has 42 open GAO recommendations related to internal control over financial reporting to address:
- six transaction cycle recommendations,
- two safeguarding assets recommendations, and
- 34 information system recommendations (including six that are new).
The new and continuing control deficiencies related to information systems and safeguarding assets increase the risk of unauthorized access to, modification of, and disclosure of sensitive data and programs, as well as the disruption of critical operations. The continuing control deficiencies related to transaction cycles increase the risk of financial statement misstatements. IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential financial statement misstatements.
Why GAO Did This Study
GAO audits IRS’s financial statements annually. As part of these audits, GAO assesses IRS’s internal control over financial reporting, including information system controls.
This report presents the new deficiencies in internal control over financial reporting identified during GAO’s audit of IRS’s fiscal years 2023 and 2022 financial statements. This report also includes the results of GAO’s fiscal year 2023 follow-up on the status of IRS’s corrective actions to address recommendations contained in GAO’s prior reports related to internal control over financial reporting that were open as of September 30, 2022.
Recommendations
GAO is making no new recommendations in this report. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made six new recommendations to address control deficiencies in information systems related to security management, access control, and configuration management. In commenting on a draft of this report and the LIMITED OFFICIAL USE ONLY report, IRS agreed with GAO’s recommendations and stated that it is committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security. GAO plans to follow up to determine the status of corrective actions taken on the recommendations as part of its audit of IRS’s fiscal year 2024 financial statements.
Not Yet a Premium Partner/Sponsor? Learn more about the OS AI Premium Corporate and Individual Plans here. Plans start at $250 annually.