GAO: IRS Not Maintaining Effective Internal Control Over its Financial Reporting

By Thomas Cloud | March 26, 2012 | 6:15 PM EDT

ype="node" title="IRS logo

( – Two Government Accountability Office (GAO) reports have identified weaknesses in the Internal Revenue Service’s financial reporting controls.

A report on information security, detailing the findings of an audit performed between April 2011 and March 2012 and released on March 16, is entitled, “IRS Need to Further Enhance Internal Control over Financial Reporting and Taxpayer Data.”

“Despite IRS’s efforts, weaknesses in controls over key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and taxpayer information,” the report said.

Steven Sebastian, the GAO Director of Financial Management and Assurance, told the weaknesses could impact taxpayers.

“They [the IRS] run the risk of not being able to identify any errors made in the processing of transactions, recording and then reporting those out, but the data is also susceptible to inappropriate access and possibly manipulation,” he said. “And that would go just beyond information related to normal financial transactions, it would also cover sensitive taxpayer information.”

Asked about the possibility of taxpayers being targeted for identity theft because of the IRS’s internal control issues, Sebastian replied, “It’s not impossible. The vulnerabilities could increase the risk that that could occur.”

According to Sebastian, the IRS is secure from outside threats but internal threats pose a danger.

“The outside controls they have in place, their firewalls, we’ve not identified significant issues with respect to that in a number of years. In fact the issues we had identified they had taken corrective action on,” he said. “So this would primarily be insider threats – although that umbrella is not just employees but contracted personnel.”

“In some instances the IRS is providing excessive authorities to individuals, beyond what they need to perform their normal work,” Sebastian added.

Attached to the March report is a thank you letter to the GAO from IRS Commissioner Douglas Shulman. “The security and privacy of all taxpayer information is of utmost importance to us and the integrity of our financial systems continues to be sound,” Shulman wrote in the letter, dated March 7.

The GAO report refers to Shulman’s letter but also says that “although IRS has provided a comprehensive framework for its information security program, an underlying reason for the information security weaknesses in IRS’s financial and tax-processing systems is that it has not yet fully implemented critical components of its comprehensive information security program.”

The March report follows up on information the GAO released in a November 2011 report, detaining the GAO’s financial audit of the IRS for fiscal years 2010-2011.

The Nov. 2011 report states, “IRS did not, in GAO’s opinion, maintain effective internal control over financial reporting as of September 30, 2011, and thus did not have reasonable assurance that losses and misstatements material to the financial statements would be prevented or detected and corrected timely.”

The IRS is audited annually and this year’s audit, which is just beginning, will reveal to what extent the IRS has successfully implemented the GAO’s recommendations for improving internal controls.