During its audit of the Internal Revenue Service’s (IRS) fiscal years 2022 and 2021 financial statements, the Government Accountability Office (GAO) found that the tax agency has been operating with two new deficiencies related to information system controls.
The watchdog’s May 25 report identifies the IRS’s information system deficiencies as falling specifically in access controls and configuration management.
The GAO reports that the new findings are part of a continuing significant deficiency in IRS’s internal control over financial reporting systems.
“A basic management objective for any agency is to protect the resources that support its critical operations from unauthorized access,” the watchdog report says. “An agency accomplishes this by designing and implementing controls to prevent, limit, and detect unauthorized access to data, programs, equipment, and facilities.”
Access controls include both logical and physical controls, like protection of system boundaries, identification and authentication, authorization of access permissions, or physical security of facilities and computing resources.
“Appropriately designed and implemented access controls reduce the risk of unauthorized access to, modification of, or disclosure of financial and sensitive taxpayer data and disruption of critical operations,” the report says. “We identified one deficiency in access controls related to audit and monitoring where IRS did not adequately monitor audit logs for certain financial and supporting systems.”
The GAO also identified one deficiency in configuration management related to configuration settings where IRS did not configure a database to meet a security configuration setting.
“Configuration management involves identifying and managing security features for all hardware, software, and firmware components of an information system at a given point, and systematically controlling changes to that configuration during the system’s life cycle,” the report says. “Appropriately designed and implemented configuration management controls provide reasonable assurance that systems are operating securely and as intended.”
Configuration management controls encompass policies, plans, and procedures that call for proper authorization, testing, approval, and tracking of all configuration changes and for timely software updates to protect against known vulnerabilities.
In addition, the report finds two deficiencies related to tax refunds and one deficiency related to safeguarding assets. Although these deficiencies are not considered material weaknesses or significant deficiencies, they nevertheless warrant IRS management’s attention, the GAO said.
Finally, GAO determined that IRS had completed corrective actions on 28 of 60 recommendations from GAO’s prior years’ reports related to internal control over financial reporting that remained open as of 2021.
GAO is making three recommendations to address the new control deficiencies in tax refunds and safeguarding assets, including establishing a process to provide reasonable assurance that the system controls officers complete training 30 days prior to the renewal of their designations.
“IRS agreed with all of GAO’s recommendations and stated that it is committed to implementing improvements dedicated to promoting the highest standard of financial management, internal controls, and information technology security,” the watchdog said.
GAO plans to follow up to determine the status of corrective actions taken on the recommendations as part of its audit of IRS’s fiscal year 2023 financial statements.