Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security Controls, July 18, 2019
During its audit of the Internal Revenue Service's (IRS) fiscal years 2018 and 2017 financial statements, GAO identified new deficiencies in information system security controls that, along with unresolved control deficiencies from prior audits, collectively represent a significant deficiency in the agency's internal control over financial reporting systems. Specifically, GAO identified 14 new deficiencies in information system security controls over certain IRS financial and tax processing systems that are relevant to internal control over financial reporting. Of the 14 new deficiencies, eight were related to access controls, four were related to configuration management, one was related to segregation of duties, and one was related to contingency planning. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management detailed information regarding the 14 new information system security control deficiencies and made 20 recommendations to address them.
In addition, GAO found that as of September 30, 2018, IRS had completed corrective actions to address information system security control deficiencies associated with 46 of the 154 recommendations resulting from GAO's financial audits, and as a result, these recommendations were closed. GAO closed one additional recommendation that was no longer relevant because of changes in the agency's operating environment. In the LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management the status of previously reported recommendations as of September 30, 2018.
As a result, IRS has 127 GAO recommendations to address—the 107 remaining open recommendations from GAO's prior financial audits and the 20 new recommendations GAO made in the LIMITED OFFICIAL USE ONLY report. Until these new and continuing control deficiencies are fully addressed, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.
Status of GAO Recommendations to IRS for Addressing Information System Security Control Deficiencies
| Information system security control area | Open recommendations from prior audits | Prior recommendations closed as of September 30, 2018 | New recommendations resulting from FY 2018 audit | Total remaining open recommendations |
|---|---|---|---|---|
| Access controls | 106 | 24 | 11 | 93 |
| Configuration management | 32 | 13 | 7 | 26 |
| Segregation of duties | 1 | 1 | 1 | 1 |
| Contingency planning | 2 | 2 | 1 | 1 |
| Information security program | 13 | 7 | — | 6 |
| Total | 154 | 47 | 20 | 127 |
Legend: FY = fiscal year; — = no recommendation made.
Source: GAO analysis of Internal Revenue Service (IRS) data. | GAO-19-474R
This report presents the new information system security control deficiencies identified during GAO's audit of IRS's fiscal years 2018 and 2017 financial statements based on its fiscal year 2018 testing of controls over certain IRS financial and tax processing systems relevant to internal control over financial reporting. This report also includes the results of GAO's fiscal year 2018 follow-up on the status of IRS's corrective actions to address information system control deficiencies and associated recommendations contained in GAO's prior years' reports that were open at the beginning of GAO's fiscal year 2018 audit.
In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made 20 recommendations to address the 14 new information system security control deficiencies related to access controls, configuration management, segregation of duties, and contingency planning. In commenting on a draft of the separately issued LIMITED OFFICIAL USE ONLY report, IRS agreed with our recommendations and stated that it will ensure that its corrective actions include root cause analysis for sustainable fixes that implement appropriate security controls. GAO will evaluate the effectiveness of IRS's efforts to address these deficiencies during its audit of IRS's fiscal year 2019 financial statements.
For more information, contact Cheryl E. Clark at (202) 512-9377 or Nancy R. Kingsbury at (202) 512-2700.