The Internal Revenue Service has two key data security deficiencies related to information access controls and configuration management that warrant attention from agency management, according to a fiscal year 2022 audit by the congressional watchdog.
The two issues contributed to a “significant deficiency in IRS’s internal control over financial reporting systems,” according to the directors of IT and cybersecurity and of financial management, respectively, at the Government Accountability Office (GAO).
“The deficiencies related to information systems and safeguarding assets increase the risk of unauthorized access to, modification of, or disclosure of financial and sensitive taxpayer data and disruption of critical operations,” the GAO fiscal audit highlighted. “The deficiencies related to transaction cycles increase the risk of financial statement misstatements.”
According to the GAO audit, which was published on May 26, the deficiencies are “not considered material weaknesses or significant deficiencies.” Nevertheless, the watchdog has made three new recommendations to the IRS to address the control deficiencies related to tax refunds. Separately, it also made 16 recommendations to address control deficiencies related to information systems.
The two key data security deficiencies identified by the GAO audit were one deficiency in access controls related to audit and monitoring, where the IRS did not adequately monitor audit logs for certain financial and supporting systems, and one deficiency in configuration management related to configuration settings, where the IRS did not configure a database to meet a security configuration setting.
IRS Commissioner Daniel Werfel, in an April 28 response to the GAO audit, said the IRS acknowledged the new recommendations and was open to working with the GAO to resolve them, with due dates in the second half of 2023 and 2024.
As part of its fiscal year 2023 analysis of the IRS, the GAO plans to follow up with the IRS to determine the status of corrective actions it has taken on the new and prior recommendations in this report that remain incomplete.