IRS Financial Reporting: Improvements Needed in Information System and Other Controls
Fast Facts
We audit and issue opinions annually on IRS's financial statements and related internal controls (e.g., processes to reasonably assure that transactions are properly authorized and recorded).
Our FY 2024 audit identified 5 new deficiencies in internal controls, including in how IRS manages IT system security. Our recommendations address these issues.
Despite the new deficiencies, IRS made significant progress during FY 2024 in addressing the prior deficiencies and resolved the significant deficiency in information system controls we noted in 2023. IRS addressed over 50% of our prior year recommendations related to financial reporting.
Highlights
What GAO Found
During its audits of the Internal Revenue Service's (IRS) fiscal year 2024 financial statements and of its internal control over financial reporting as of September 30, 2024, GAO identified five new deficiencies in internal control over financial reporting. Four of these deficiencies related to information systems and are sensitive in nature, while one of these deficiencies related to the property and equipment transaction cycle and is nonsensitive. Specifically, GAO identified one access control deficiency and three configuration management control deficiencies related to information systems and one property and equipment transaction cycle control deficiency related to IRS's monitoring of depreciation expense calculations.
This report presents detailed information on the new property and equipment transaction cycle control deficiency and associated recommendation. The separately issued LIMITED OFFICIAL USE ONLY report presents detailed information on the new information system control deficiencies and nine recommendations to address them.
In addition, GAO determined that IRS had completed corrective actions for 22 of 42 recommendations from GAO's prior reports related to internal control over financial reporting that were open as of September 30, 2023. IRS's actions addressed one transaction cycle recommendation and 21 information system recommendations.
This report provides the status of eight previously reported recommendations that are nonsensitive in nature and IRS's actions to address them as of September 30, 2024. The LIMITED OFFICIAL USE ONLY report contains the status of the 42 previously reported sensitive and nonsensitive recommendations and IRS's actions to address them as of September 30, 2024.
As of September 30, 2024, IRS has 30 open GAO recommendations related to internal control over financial reporting to address
- six transaction cycle recommendations (including one that is new),
- two safeguarding assets recommendations, and
- 22 information system recommendations (including nine that are new).
Although GAO identified some new control deficiencies, IRS made significant progress during fiscal year 2024 in addressing the significant deficiency in information system controls that GAO reported as of September 30, 2023. As a result, GAO concluded that the remaining control deficiencies, including the new control deficiencies, do not, individually or collectively, represent a significant deficiency in internal control over financial reporting as of September 30, 2024. It will be important for IRS management to continue to build on the progress it has made in addressing the remaining deficiencies in internal control over financial reporting, as well as focusing efforts on strengthening its information security program.
The new and continuing control deficiencies related to information systems and safeguarding assets increase the risk of unauthorized access to and modification of data and programs, disclosure of sensitive data, and disruption of critical operations. The new and continuing control deficiencies related to transaction cycles increase the risk of financial statement misstatements. IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential financial statement misstatements.
Why GAO Did This Study
GAO annually audits IRS's financial statements and its internal control over financial reporting, including information system controls. This report presents the new deficiencies in internal control over financial reporting identified during GAO's audits. This report also includes the results of GAO's fiscal year 2024 follow-up on IRS's corrective actions to address recommendations contained in GAO's prior reports related to internal control over financial reporting that were open as of September 30, 2023.
Recommendations
GAO is making one new recommendation in this report. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made nine new recommendations to address control deficiencies in information systems related to access controls and configuration management. In commenting on a draft of this report and the LIMITED OFFICIAL USE ONLY report, IRS agreed with GAO's recommendations, stating that it is committed to implementing improvements to promote the highest standard of financial management, internal controls, and information technology security. GAO plans to follow up on the corrective actions taken on the recommendations as part of its audits of IRS's fiscal year 2025 financial statements and its internal control over financial reporting as of September 30, 2025.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Internal Revenue Service | The Commissioner of the Internal Revenue Service should design and implement procedures to monitor the automated depreciation calculations AAM performs through the periodic manual calculation and reconciliation of the depreciation expense for a selection of assets to reasonably assure that depreciation expense is recorded in accordance with IRS's accounting policies. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |