The Government Accountability Office (GAO) released a report addressed to IRS Commissioner Danny Werfel which “is intended for IRS management’s use and presents new control deficiencies” identified during fiscal year 2023 testing of the agency’s internal control over financial reporting. (GAO-24-107185)
The report also presented the results of a follow-up on the status of the IRS’ corrective actions to address recommendations from prior reports related to internal control over financial reporting that remained open as of September 30, 2023.
As previously reported by GAO, although improvements could be made, “the IRS maintained, in all material respects,” effective internal control over financial reporting through the end of FY 2023. “Those controls provided reasonable assurance that misstatements material to IRS’ financial statements would be prevented, or detected and corrected, on a timely basis,” GAO said.
The FY 2023 audit identified two “continuing significant deficiencies” in control over financial reporting concerning unpaid assessments and information system controls. A significant deficiency is defined as a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.”
The audit also identified three new deficiencies in internal control over financial reporting. As described by GAO, “a deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.”
These deficiencies, which are deemed sensitive in nature, related to information systems and contributed to GAO’s reported continuing significant deficiency in the IRS’ information system controls. “Specifically, we identified one security management control deficiency, one access control deficiency, and one configuration management control deficiency. In the LIMITED OFFICIAL USE ONLY report, we made six recommendations to address these sensitive control deficiencies,” GAO said.
In addition, GAO assessed the IRS’ corrective actions to address 51 recommendations related to deficiencies in internal control over financial reporting identified as open as of September 30, 2022. “We determined that IRS completed corrective actions for 15 of the 51 recommendations and was in the process of taking corrective actions for the remaining 36 recommendations,” the report said.
“The new and continuing control deficiencies related to information systems and safeguarding assets increase the risk of unauthorized access to, modification of, and disclosure of sensitive data and programs, as well as the disruption of critical operations,” GAO cautioned. “IRS mitigated the potential effect of these control deficiencies primarily through compensating controls that management designed to help detect potential financial statement misstatements,” it added.
Get all the latest tax, accounting, audit, and corporate finance news with Checkpoint Edge. Sign up for a free 7-day trial today.