Why It Matters
The IRS collects roughly $4.7 trillion in federal revenue each year, making its financial systems among the most consequential in the federal government. Yet a new audit from the Government Accountability Office finds that the agency responsible for that collection has significant weaknesses in how it secures and manages the IT systems underpinning its own financial reporting. The findings raise questions not just about accounting hygiene, but about whether sensitive taxpayer data and federal financial infrastructure are adequately protected.
The GAO's FY 2025 audit, released April 30, identified five new problems in IRS financial reporting controls, most of them rooted in how the agency handles information system security. The issues range from failing to revoke employee access to IT systems after it's no longer needed, to missing deadlines for reviewing its own security reports.
The Findings
The GAO audits IRS financial statements every year. Under the Chief Financial Officers Act of 1990, major federal agencies are required to submit to annual financial audits, and the GAO serves as the auditor for the IRS. The result is a recurring report that tracks whether the IRS is managing its books and the systems that support them with sufficient rigor.
What is notable about this year's audit is the volume of new control weaknesses identified. Five new issues in a single audit cycle, most of them in IT security, is a meaningful cluster of findings for an agency of the IRS's scale and responsibility.
The GAO frames internal controls as "processes in place to ensure the proper authorization and recording of transactions." When those controls fail, the risk is not abstract. Unauthorized access to financial systems, unreviewed security alerts, and unresolved vulnerability backlogs can expose sensitive data and create conditions for errors, or worse, manipulation of financial records.
Among the most straightforward findings: the IRS did not consistently remove user access to some IT systems for employees who no longer needed it. Timely deprovisioning is a basic cybersecurity control, often grouped under "access hygiene," and its absence is a well-known attack path. When former employees, or employees who have changed roles, retain access they no longer need, those accounts become credentials that no one is watching: they can be taken over by an attacker, reused by the former holder, or quietly accumulate privileges beyond what the current role requires, the opposite of least privilege.
The GAO made a specific recommendation targeting this deficiency, calling on the IRS to establish more consistent procedures for revoking access when it is no longer warranted.
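To make the finding concrete, here is an added example of the reconciliation an access review automates. It is not code from the GAO, the IRS, or any IRS system; the roles, permitted entitlements, the 90-day dormancy threshold, and the HR roster and account list are all constructed for the illustration. The script compares who HR says is employed, and in what role, against who holds accounts on a financial system, and flags accounts to revoke (separated owner, no owner at all), to reduce (entitlements left over from a previous role), or to review (dormant).

```python
"""Access-review reconciliation (hypothetical example, constructed data).

Compares an HR roster against accounts provisioned on a financial system
and flags access that should be revoked, trimmed, or reviewed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, FrozenSet, List, Tuple

# Entitlements each job role may hold. This is an assumed policy for the
# example, not any agency's actual role model.
ROLE_ENTITLEMENTS = {
    "accountant": {"ledger_read", "ledger_post"},
    "auditor": {"ledger_read", "report_read"},
    "sysadmin": {"ledger_read", "account_admin"},
}

DORMANT_AFTER = timedelta(days=90)  # assumed review threshold for unused accounts


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    status: str                       # "active" or "separated"
    separated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]             # None models an account with no recorded owner
    entitlements: FrozenSet[str]
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    action: str                       # "revoke", "reduce", or "review"
    reason: str
    extra: Tuple[str, ...] = ()       # e.g. the excess entitlements to remove


def reconcile(roster: List[Employee], accounts: List[Account], today: date) -> List[Finding]:
    """Return one Finding per problem found; accounts in good standing yield none."""
    people = {e.emp_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        owner = people.get(acct.emp_id) if acct.emp_id else None
        if owner is None:
            # Orphaned or unowned account: nobody is accountable for it.
            findings.append(Finding(acct.username, "revoke", "no current owner in HR roster"))
            continue
        if owner.status == "separated":
            # The GAO finding: access that outlived the employment that justified it.
            lag = f"{(today - owner.separated_on).days} days ago" if owner.separated_on else "on unknown date"
            findings.append(Finding(acct.username, "revoke", f"owner separated {lag}"))
            continue
        # Least privilege: entitlements must match the owner's *current* role.
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(owner.role, set())
        if excess:
            findings.append(Finding(acct.username, "reduce",
                                    f"entitlements exceed role '{owner.role}'", tuple(sorted(excess))))
        # Dormant accounts are not automatically wrong, but they need a human decision.
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append(Finding(acct.username, "review", "dormant account"))
    return findings


# --- Constructed sample data -------------------------------------------------
TODAY = date(2025, 4, 30)
ROSTER = [
    Employee("E100", "accountant", "active"),
    Employee("E200", "auditor", "active"),
    Employee("E300", "accountant", "separated", date(2025, 1, 15)),
    Employee("E400", "accountant", "active"),   # moved from sysadmin to accountant
]
ACCOUNTS = [
    Account("jdoe", "E100", frozenset({"ledger_read", "ledger_post"}), date(2025, 4, 28)),
    Account("asmith", "E200", frozenset({"ledger_read", "report_read"}), date(2024, 12, 1)),   # dormant
    Account("bwong", "E300", frozenset({"ledger_read", "ledger_post"}), date(2025, 1, 14)),    # separated owner
    Account("clee", "E400", frozenset({"ledger_read", "account_admin"}), date(2025, 4, 29)),   # stale admin right
    Account("svc_batch", None, frozenset({"ledger_post"}), date(2025, 4, 30)),                 # no owner
]


def run_example() -> List[Finding]:
    return reconcile(ROSTER, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.action:6} {f.username:10} {f.reason} {' '.join(f.extra)}")
```

Run against the sample data, the script reports four findings: `asmith` for review (no login in 150 days), `bwong` to revoke (owner separated 105 days earlier), `clee` to reduce (an `account_admin` entitlement left over from a sysadmin role), and `svc_batch` to revoke (no owner on record); `jdoe` produces nothing. A real review would pull the roster from the HR system and the account list from the application or identity provider, and run on a schedule so that the "separated N days ago" number never gets large.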
A second finding concerns how the IRS responds once it identifies a security weakness. According to FedScoop's reporting on the audit, the IRS failed to "consistently create a plan of action and milestones for identified weaknesses on a timely basis." In federal cybersecurity practice, these plans, known as POA&Ms (the Plan of Action and Milestones control, CA-5, in NIST SP 800-53), are the standard mechanism for tracking and resolving known weaknesses. Delays in creating them mean delays in fixing the underlying problems: a weakness without a POA&M has no owner, deadline, or resources assigned to it.
The audit also found that the IRS did not review and certify a monthly security report in a timely fashion. Security monitoring reports exist precisely so that agency leadership can identify emerging threats and anomalies. Failing to review them on schedule undermines the entire purpose of having the monitoring infrastructure in place.
The Pattern
Taken individually, each of the five findings might be characterized as an operational lapse. Taken together, they describe an agency whose information system controls have not kept pace with the demands placed on them.
The IRS manages not only its own financial infrastructure but also the tax records of hundreds of millions of Americans and businesses. Its IT environment is vast, aging in parts, and has been the subject of prior GAO findings over multiple audit cycles. The agency has faced persistent criticism from oversight bodies about its technology modernization efforts, though those broader modernization challenges are separate from the specific internal control findings released this week.
What the FY 2025 audit adds to that picture is a fresh set of data points suggesting that even as the IRS navigates larger technology questions, its day-to-day security and financial reporting controls require tighter management.
The Bottom Line
The GAO issued one recommendation for each specific deficiency it identified. The IRS, as the audited agency, is expected to respond to those recommendations and develop corrective action plans. GAO tracks recommendation implementation over time, and the Treasury Department's own FY 2025 reporting under the GAO-IG Act reflects that broader accountability structure.
Whether the IRS moves quickly to address the new findings will be a test of its internal management capacity at a moment when the agency is already operating under intense public and congressional scrutiny. The agency has faced staffing pressures, budget debates, and technology challenges that have stretched its administrative bandwidth.
The GAO's role is to identify the problems and recommend solutions. The harder work, actually fixing the access control gaps, building out the remediation planning process, and ensuring security reports get reviewed on schedule, falls to IRS leadership.
For taxpayers, the stakes are straightforward. An agency that cannot consistently manage who has access to its own financial systems, or that lets security alerts go unreviewed, is an agency whose ability to safeguard sensitive financial data warrants continued, close oversight.
