Security flaws in IRS systems pose risk to financial statements, GAO says

The congressional watchdog found new deficiencies in the tax agency’s security management, access and configuration management controls.

A handful of security deficiencies in IRS information systems elevate the tax agency’s risk of inaccuracies in financial statements, the Government Accountability Office said Thursday.

In its report, the congressional watchdog highlighted “new and continuing” shortcomings with information systems and the safeguarding of assets, issues that increase the likelihood of unauthorized access to sensitive IRS data. The security deficiencies also pose a threat of disruption to critical agency operations, the GAO warned.

“The continuing control deficiencies related to transaction cycles increase the risk of financial statement misstatements,” the GAO said in its report. “IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential financial statement misstatements.”

The GAO’s audit of the IRS’s financial statements for fiscal years 2022 and 2023 revealed three new deficiencies, after the agency had taken “corrective actions” to address 51 previous recommendations from the watchdog. Of those, 15 have been completed and the remaining 36 are in progress.


Those newly identified deficiencies, which the GAO characterized as “sensitive in nature,” cover control problems in security management, access and configuration management. 

Configuration management appeared to present the most significant issues for the IRS, according to the report. Security settings for specific servers that support financial reporting-related systems were not consistently implemented; the watchdog delivered four recommendations to address that deficiency. 

For the security management control problem, the IRS failed to “consistently create a plan of action and milestones for identified weaknesses on a timely basis.” On access controls tied to monitoring and audits, the agency didn’t review and certify a monthly security report in a timely fashion. The GAO made one recommendation apiece for those deficiencies. 

IRS Commissioner Danny Werfel said in a letter responding to a draft version of the GAO’s report that the agency is “committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security.”

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at
