What GAO found
During its audit of the Internal Revenue Service’s (IRS) fiscal 2019 and 2018 financial statements, GAO identified new weaknesses in information systems security controls that, along with unresolved control weaknesses of previous audits, collectively represent a significant deficiency in the agency’s internal control over reporting systems. Specifically, GAO has identified 11 new deficiencies in information system security controls over certain IRS financial and tax processing systems that are relevant to internal control over financial reporting. Of the 11 new deficiencies, five were related to access controls, three to configuration management, one to segregation of duties, and two to information security management program controls. In a separate report for OFFICIAL USE ONLY, GAO provided IRS management with detailed information regarding the 11 new deficiencies in information system security controls and made 18 recommendations to address them.
Additionally, GAO found that as of September 30, 2019, the IRS had implemented corrective actions to address information system security control deficiencies associated with 13 of 127 recommendations resulting from previous GAO financial audits. The GAO closed these recommendations. In the OFFICIAL LIMITED USE ONLY report, GAO communicated to IRS management the status of previously reported recommendations as of September 30, 2019.
As a result, the IRS has 132 GAO recommendations to address – the 114 remaining open recommendations from previous GAO financial audits and the 18 new GAO recommendations made in the report for OFFICIAL LIMITED USE ONLY. Until these new and continuing control deficiencies, which collectively represent a significant deficiency, are fully corrected, IRS financial reports and taxpayer data will remain unnecessarily vulnerable to unauthorized access, modification or disclosure.
Summary of GAO’s Recommendations to the IRS to Address Gaps in Information Systems Security Controls
| Information system security control area | Open recommendations from audits prior to September 30, 2018 | Previous recommendations closed on September 30, 2019 | New recommendations from the FY 2019 audit | Total open recommendations remaining |
|---|---|---|---|---|
| Access controls | 93 | 8 | 7 | 92 |
| Configuration management | 26 | 3 | 7 | 30 |
| Segregation of Duties | 1 | – | 1 | 2 |
| Contingency planning | 1 | 1 | – | – |
| Information Security Management Program | 6 | 1 | 3 | 8 |
| Total | 127 | 13 | 18 | 132 |
Legend: FY = fiscal year; – = no recommendation made.
Source: GAO analysis of Internal Revenue Service (IRS) data. | GAO-20-411R
Why GAO did this study
This report presents the new gaps in information system security controls identified during GAO’s audit of the IRS’s 2019 and 2018 financial statements, based on its fiscal 2019 tests of IRS controls over certain IRS financial and tax processing systems relevant to internal control over financial reporting. The report also includes the results of GAO’s fiscal year 2019 follow-up on the status of IRS corrective actions to address deficiencies in information system security controls and the associated recommendations contained in previous years’ GAO reports that were open as of September 30, 2018.