MD&A: Improvements Needed to Strengthen Internal Revenue Service Information System Security Controls


What GAO found

During its audit of the Internal Revenue Service’s (IRS) fiscal 2019 and 2018 financial statements, GAO identified new weaknesses in information systems security controls that, along with unresolved control weaknesses of previous audits, collectively represent a significant deficiency in the agency’s internal control over reporting systems. Specifically, GAO has identified 11 new deficiencies in information system security controls over certain IRS financial and tax processing systems that are relevant to internal control over financial reporting. Of the 11 new deficiencies, five were related to access controls, three to configuration management, one to segregation of duties, and two to information security management program controls. In a separate report for OFFICIAL USE ONLY, GAO provided IRS management with detailed information regarding the 11 new deficiencies in information system security controls and made 18 recommendations to address them.

Additionally, GAO found that as of September 30, 2019, the IRS had implemented corrective actions to address information system security control deficiencies associated with 13 of 127 recommendations resulting from previous GAO financial audits. The GAO closed these recommendations. In the OFFICIAL LIMITED USE ONLY report, GAO communicated to IRS management the status of previously reported recommendations as of September 30, 2019.

As a result, the IRS has 132 GAO recommendations to address: the 114 remaining open recommendations from previous GAO financial audits and the 18 new GAO recommendations made in the report for OFFICIAL LIMITED USE ONLY. Until these new and continuing control deficiencies, which collectively represent a significant deficiency, are fully corrected, IRS financial reports and taxpayer data will remain unnecessarily vulnerable to unauthorized access, modification or disclosure.

Summary of GAO’s Recommendations to the IRS to Address Gaps in Information Systems Security Controls

| Information system security control area | Open recommendations from audits prior to September 30, 2018 | Previous recommendations closed on September 30, 2019 | New recommendations from the FY 2019 audit | Total open recommendations remaining |
|---|---|---|---|---|
| Access controls | 93 | 8 | 7 | 92 |
| Configuration management | 26 | 3 | 7 | 30 |
| Segregation of Duties | 1 | – | 1 | 2 |
| Contingency planning | 1 | 1 | – | – |
| Information Security Management Program | 6 | 1 | 3 | 8 |
| Total | 127 | 13 | 18 | 132 |

Legend: FY = fiscal year; – = no recommendation made.

Source: GAO analysis of Internal Revenue Service (IRS) data. | GAO-20-411R

Why GAO did this study

This report presents the new gaps in information system security controls identified during GAO’s audit of the IRS’s 2019 and 2018 financial statements, based on its fiscal 2019 tests of IRS controls over certain IRS financial and tax processing systems relevant to internal control over financial reporting. The report also includes the results of GAO’s fiscal year 2019 follow-up on the status of IRS corrective actions to address deficiencies in information system security controls and the associated recommendations contained in previous years’ GAO reports that were open as of September 30, 2018.

