“Ensuring cybersecurity” remains at the top of the Internal Revenue Service’s (IRS) list of priorities issued annually by the Government Accountability Office (GAO) for the fifth year in a row.
GAO’s 2023 Priority Open Recommendations for the IRS outlines 24 open recommendations that the tax agency should give precedence to, according to the watchdog. The list consists of the “most important recommendations to help the federal government save money and improve operations.”
Cybersecurity has been recommended as a top priority for the IRS since May of 2019.
“Strong cybersecurity and protections for taxpayers’ personal and financial information are critical to maintaining public confidence in the tax system, avoiding data breaches that expose sensitive information to fraudsters, and minimizing disruptions to IRS operations,” the GAO’s report says.
“One priority recommendation in this area is for IRS to centralize leadership in its efforts to oversee cybersecurity practices of third-party providers, such as paid tax return preparers and tax software providers,” the report adds.
Specifically, the recommendation calls on the agency’s commissioner to develop a governance structure or other form of centralized leadership, such as a steering committee, to coordinate all aspects of IRS’s efforts to protect taxpayer information while at third-party providers.
According to the watchdog, IRS agreed with the intent of this recommendation but did not agree to implement it.
During his confirmation hearing earlier this year, IRS Commissioner Danny Werfel pledged his commitment that cybersecurity will be a “top priority” of his once he takes on the role. Werfel was confirmed as the 50th commissioner of the IRS in March.
“When I sat down to think about what are the most important elements of tax administration that I could think of, data security was the first thing I wrote down,” Werfel said during his confirmation hearing. “What is our baseline right now in terms of our cyber resiliency and our cyber performance? What are the risks? What is the, as we update the technology, that technology backbone? What changes do we need to make, not so that it’s bolted on and therefore potentially less robust, but deep in the roots of the system itself?”
“It is a top priority to understand it because it’s mission-critical,” Werfel added.
This year, ensuring cybersecurity is one of the GAO’s six areas of recommendations to the IRS.
The other five recommendation areas include improving taxpayer services; reducing tax fraud and improper payments; enhancing information reporting; improving audit effectiveness; and enhancing strategic human capital management.
In last year’s 2022 report, GAO identified 25 priority recommendations for the IRS.
Since then, IRS has implemented four of those recommendations by, among other things, reporting improper payment estimates for the Premium Tax Credit, and migrating 30 applications onto its new online taxpayer authentication platform. GAO closed one other recommendation for IRS to revise its estimated time frames for resolving the backlog of work from the 2020 tax filing season as not implemented because IRS reported it has cleared this inventory, the report says.
For the July 2023 report, GAO identified four additional priority recommendations for IRS, bringing the total number to 24.
The four new priority recommendations are related to improving taxpayer services, reducing tax fraud and improper payments, and enhancing information reporting.
As of July 2023, the tax agency had 253 recommendations that were either open or partially implemented. Since 2015, GAO has sent out reports to heads of agencies highlighting lists of open recommendations that should be each organization’s highest priority.