GAO identifies new infosec deficiencies in IRS system controls


The watchdog's annual audit of the agency turned up new recommendations on system access controls and security configurations, alongside a limited release report and previous recommendations.

The Government Accountability Office levied new recommendations Thursday for how the IRS can address deficiencies found in the operation of its information systems and how it protects assets. 

The annual audit covers the agency's financial statements for fiscal 2021 and 2022, but also examined critical financial reporting controls, such as information system controls, as well as open recommendations from previous audits. 

Thursday's report added 19 new recommendations, including 16 directives related to control deficiencies in information systems that were published in a separate limited official use only report due to sensitive information, "which must be protected from public disclosure." Overall, the IRS is facing 51 open recommendations from the congressional watchdog agency.

Thursday's GAO report included notice of five new deficiencies in the internal control of the agency's financial reporting, with two centered on security configurations and access controls within IRS information system controls. Another deficiency touched on safeguarding assets and two referenced tax refund operations. 

"Although these deficiencies are not considered material weaknesses or significant deficiencies, they nevertheless warrant IRS management's attention," the report said. 

GAO officials said they found one access control deficiency where IRS officials "did not adequately monitor audit logs for certain financial and supporting systems," and another where a database wasn't properly configured to meet a required security setting.

Regarding asset management, the report found that IRS officials didn't supply timely information needed for "a variety of financial transactions for refunds, abatements and tax assessments."

GAO noted that IRS officials completed corrective actions for 28 open recommendations from previous years, but still had 32 open recommendations in addition to the 19 new ones. 

IRS officials told the GAO that limited resources had led them to pause corrective action on the two significant recommendations, which remained open as of Sept. 30, 2022. Officials at the tax agency agreed with all recommendations in both the public audit and the limited official use only report.