What GAO Found
During its audit of the Internal Revenue Service’s (IRS) fiscal years 2021 and 2020 financial statements, GAO identified four new deficiencies in internal control over financial reporting. The new deficiencies related to information system controls, specifically in the areas of access controls and configuration management, and contributed to GAO’s reported continuing significant deficiency in IRS’s internal control over financial reporting systems. In the LIMITED OFFICIAL USE ONLY report, GAO is making eight new recommendations to address these control deficiencies.
In addition, GAO determined that IRS had completed corrective actions to close 68 of 120 recommendations from GAO’s prior years’ reports related to internal control over financial reporting that remained open as of September 30, 2020. Specifically, IRS’s actions addressed 63 information system recommendations and five safeguarding recommendations.
The report provides the status of 30 previously reported recommendations that are not sensitive in nature and IRS’s corrective actions as of September 30, 2021. The LIMITED OFFICIAL USE ONLY report contains the status of the 120 previously reported sensitive and nonsensitive recommendations and IRS’s corrective actions as of September 30, 2021.
Including prior and new recommendations, IRS has the following 60 open GAO recommendations related to internal control over financial reporting to address:
- 10 transaction cycle recommendations,
- 41 information system recommendations (including eight new recommendations), and
- nine safeguarding recommendations.
These new and continuing control deficiencies increase the risk of unauthorized access to, modification of, or disclosure of financial and sensitive taxpayer data and disruption of critical operations. IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential misstatements on the financial statements.
Why GAO Did This Study
GAO audits IRS’s financial statements annually. As part of these audits, GAO assesses IRS’s key financial reporting controls, including information system controls.
This report presents the new deficiencies in internal control over financial reporting identified during GAO’s audit of IRS’s fiscal years 2021 and 2020 financial statements. This report also includes the results of GAO’s fiscal year 2021 follow-up on the status of IRS’s corrective actions to address recommendations contained in GAO’s prior years’ reports related to internal control over financial reporting that were open as of September 30, 2020.