The IRS is coming under fire from two government watchdogs that say the agency needs stronger IT controls to safeguard taxpayer data, and that the agency misspent funds designated for business systems modernization.
In a report issued March 18, the Government Accountability Office (GAO) said it had identified five new deficiencies in internal control involved with IRS financial reporting, and that four of them relate to information systems and are sensitive in nature.
While GAO officials provided limited public detail about the deficiencies – which were uncovered during an audit of the IRS’s fiscal year 2024 financial statements – the GAO report makes clear that the consequences could be weighty if the issues are not corrected.
“The new and continuing control deficiencies related to information systems and safeguarding assets increase the risk of unauthorized access to and modification of data and programs, disclosure of sensitive data, and disruption of critical operations,” the GAO report says.
GAO added that “appropriately designed and implemented access controls reduce the risk of unauthorized access to and modification of data and programs, disclosure of sensitive taxpayer data, and disruption of critical operations.”
This week’s report was not the first time GAO found flaws in IRS internal controls specific to financial reporting. The report recounts numerous other flags and says that 42 GAO recommendations related to deficiencies in financial controls at IRS remained open as of Sept. 30, 2023.
IRS has now completed corrective actions for 22 of the 42 recommendations and is working on addressing the remaining 20, GAO said.
In a written response, acting IRS Commissioner Melanie Krause said she looked forward to working with GAO to resolve the newly identified deficiencies. “We are committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security,” she said.
The GAO report, along with a second IT-related report from the Treasury Inspector General for Tax Administration (TIGTA), is focusing renewed attention on the IRS’s notoriously antiquated legacy technology systems.
IRS officials have said the agency recently made some strides in technology modernization due to an infusion of funds from the 2022 Inflation Reduction Act (IRA). Under that measure, Congress provided the IRS with about $79 billion in additional funding over a 10-year period to help with modernization efforts.
But Congress rescinded $20 billion of the IRA funding in 2023 and repealed another $20 billion when it approved the latest continuing resolution funding bill in December of last year.
And former IRS employees recently said the modernization gains are further imperiled by the mass firings of nearly 7,000 IRS employees starting in February amid tax filing season.
The TIGTA report, released on March 10, examines how the IRS has used funding under the IRA. Of those funds, $4.8 billion was designated for business systems modernization (BSM) – developing technology to provide more personalized customer service – and was not supposed to be used to operate and maintain legacy IT systems.
But Treasury auditors determined that the IRS “inappropriately” spent $4.6 million of IRA BSM funding to operate and maintain three legacy systems. Based on these results, the auditors estimated that the agency spent about $21 million of IRA BSM funding on legacy systems overall.
The IRS agreed with Treasury’s recommendations for fixing the issue and “plans to track legacy system contracts, correct fund codes, (and) update guidance and training to comply with the IRA,” the report says.