Security flaws in IRS systems pose risk to financial statements, GAO says
A handful of security deficiencies in IRS information systems elevate the tax agency’s risk of inaccuracies in financial statements, the Government Accountability Office said Thursday.
In its report, the congressional watchdog highlighted “new and continuing” shortcomings with information systems and the safeguarding of assets, issues that increase the likelihood of unauthorized access to sensitive IRS data. The security deficiencies also pose a threat of disruption to critical agency operations, the GAO warned.
“The continuing control deficiencies related to transaction cycles increase the risk of financial statement misstatements,” the GAO said in its report. “IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential financial statement misstatements.”
The GAO’s audit of fiscal years 2022 and 2023 financial statements from the IRS revealed three new deficiencies, after the agency had taken “corrective actions” to address 51 previous recommendations from the watchdog — 15 of which have been completed and the remaining 36 are in progress.
Those newly identified deficiencies, which the GAO characterized as “sensitive in nature,” cover control problems in security management, access and configuration management.
Configuration management appeared to present the most significant issues for the IRS, according to the report. Security settings for specific servers that support financial reporting-related systems were not consistently implemented; the watchdog delivered four recommendations to address that deficiency.
For the security management control problem, the IRS failed to “consistently create a plan of action and milestones for identified weaknesses on a timely basis.” On access controls tied to monitoring and audits, the agency didn’t review and certify a monthly security report in a timely fashion. The GAO made one recommendation apiece for those deficiencies.
IRS Commissioner Danny Werfel said in a letter responding to a draft version of the GAO’s report that the agency is “committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security.”
