GAO has called on the IRS to establish and document an inventory of the specific systems involved in the agency’s financial reporting process, including describing what role each system plays in the financial reporting process, concluding whether each system is considered to be material to financial reporting and why, and denoting whether each system is controlled by IRS or by an external service provider and, if the latter, identifying the service provider.
The recommendation resulted from an audit of the IRS’s fiscal 2011 financial statements, in which GAO identified control deficiencies including in how the agency monitors information systems material to financial reporting.
It said IRS management had not performed sufficient monitoring of internal control over information systems material to financial reporting to determine whether such control was affected by any deficiencies in internal control that either individually or collectively constitute a material weakness that had not previously been reported, in accordance with OMB requirements.
That’s because the IRS had not yet fully implemented key components of its information security program in fiscal 2011, GAO said. It said monitoring of its systems focused primarily on Federal Information Security Management Act and related National Institute of Standards and Technology requirements, which were not intended to provide assurance over the integrity of financial reporting, and GAO said it has a previously identified material weakness in information security that still existed in fiscal 2011 which rendered it unnecessary for IRS to support an assertion indicating that the related internal controls were effective, according to GAO-12-683R.
