Management Report: Improvements Needed in IRS's Financial Reporting and Information System Controls

Fast Facts

Each year, we audit the financial statements of the IRS and issue opinions regarding these statements and related internal controls (i.e., processes in place to ensure the proper authorization and recording of transactions).

Our FY 2022 audit identified new issues related to IT systems, tax refunds, and safeguarding assets. For example, IRS did not adequately correct certain tax return errors according to its own procedures. We recommended that IRS address these new issues.

We also determined that IRS has addressed 28 of the 60 recommendations from our previous reports related to financial reporting and IT systems.

Exterior Internal Revenue Service Building sign

Highlights

What GAO Found

During its audit of the Internal Revenue Service’s (IRS) fiscal years 2022 and 2021 financial statements, GAO identified five new deficiencies in internal control over financial reporting. Two new deficiencies related to information system controls, specifically in access controls and configuration management, and contributed to GAO’s reported continuing significant deficiency in IRS’s internal control over financial reporting systems. In addition, two deficiencies related to tax refunds and one deficiency related to safeguarding assets. Although these deficiencies are not considered material weaknesses or significant deficiencies, they nevertheless warrant IRS management’s attention. GAO is making three new recommendations in this report to address the control deficiencies related to tax refunds and safeguarding assets. In the LIMITED OFFICIAL USE ONLY report, GAO is making 16 new recommendations to address the control deficiencies related to information systems.

In addition, GAO determined that IRS had completed corrective actions on 28 of 60 recommendations from GAO’s prior years’ reports related to internal control over financial reporting that remained open as of September 30, 2021. IRS’s actions addressed five transaction cycle recommendations, 17 information system recommendations, and six safeguarding assets recommendations.

This report provides the status of 19 previously reported recommendations that are not sensitive in nature and IRS’s corrective actions as of September 30, 2022. The LIMITED OFFICIAL USE ONLY report contains the status of the 60 previously reported sensitive and nonsensitive recommendations and IRS’s corrective actions as of September 30, 2022.

IRS has 51 open GAO recommendations related to internal control over financial reporting to address:

seven transaction cycle recommendations (including two that are new),
40 information system recommendations (including 16 that are new), and
four safeguarding assets recommendations (including one that is new).

The new and continuing control deficiencies related to information systems and safeguarding assets increase the risk of unauthorized access to, modification of, or disclosure of financial and sensitive taxpayer data and disruption of critical operations. The new and continuing control deficiencies related to transaction cycles increase the risk of misstatements on the financial statements. IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential misstatements on the financial statements.

Why GAO Did This Study

GAO audits IRS's financial statements annually. As part of these audits, GAO assesses IRS's key financial reporting controls, including information system controls.

This report presents the new deficiencies in internal control over financial reporting identified during GAO's audit of IRS's fiscal years 2022 and 2021 financial statements. This report also includes the results of GAO's fiscal year 2022 follow-up on the status of IRS's corrective actions to address recommendations contained in GAO's prior years' reports related to internal control over financial reporting that were open as of September 30, 2021.

Recommendations

GAO is making three recommendations to address the new control deficiencies in tax refunds and safeguarding assets. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made 16 new recommendations to address control deficiencies in information systems related to access controls and configuration management. In commenting on a draft of this report and the LIMITED OFFICIAL USE ONLY report, IRS agreed with all of GAO’s recommendations and stated that it is committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security. GAO plans to follow up to determine the status of corrective actions taken on the recommendations as part of its audit of IRS’s fiscal year 2023 financial statements.

Recommendations for Executive Action

Agency Affected Sort descending	Recommendation	Status
Internal Revenue Service	The Commissioner of the Internal Revenue Service should direct the appropriate officials to establish and implement actions to provide reasonable assurance that requests for information are provided in a timely manner as required. (Recommendation 3)	Open In its written comments on a draft of our report, IRS stated that it agreed with this recommendation and that it will shift staffing to resolve the backlog caused by COVID-19. We will continue to monitor IRS's actions to address this recommendation.
Internal Revenue Service	The Commissioner of the Internal Revenue Service should establish a process to provide reasonable assurance that the System Control Processing and Validation Section certifying officers comply with the requirement to complete the Fiscal Service Certifying Officer Training within 30 days prior to the renewal of their designations. (Recommendation 1)	Open In its written comments on a draft of our report, IRS stated that it agreed with this recommendation and that it will establish a process to provide reasonable assurance that certifying officers comply with the 30-day requirement. We will continue to monitor IRS's actions to address this recommendation.
Internal Revenue Service	The Commissioner of the Internal Revenue Service should review and update IRS's process to provide reasonable assurance that tax examiners comply with the requirement to address and correct error codes 004 and 230. (Recommendation 2)	Open In its written comments on a draft of our report, IRS stated that it agreed with this recommendation and that it had addressed the recommendation by issuing a Servicewide Electronic Research Program Alert. This alert reminded Error Resolution System Unit tax examiners to correct all coding and transcription errors in displayed record fields, including error codes 004 and 230. However, the alert does not sufficiently address the process for monitoring tax examiners to provide reasonable assurance that tax examiners will comply with the requirement. Until IRS addresses the recommendation, an increased risk of processing and disbursing erroneous refunds exists. We will continue to monitor IRS's actions to address this recommendation.

Full Report

Full Report (24 pages)

Accessible PDF (24 pages)

GAO Contacts

Dawn B. Simpson

Director

simpsondb@gao.gov

(202) 512-3406

Jennifer Franks

Director

franksj@gao.gov

(404) 679-1831

Office of Public Affairs

Chuck Young

Managing Director

youngc1@gao.gov

(202) 512-4800

Topics

Auditing and Financial Management

Configuration controlFinancial reportingFinancial statementsInformation resources managementInformation systemsInternal controlsPolicies and proceduresRisk assessmentSensitive dataTax refundsTax returnsTaxpayer informationTaxpayersUnauthorized access