IRS faces mountain of legacy IT systems issues, risking "disruption of critical operations"

The IRS "uses more than 600 applications, many of them more than 20 years old, custom-built and loosely integrated."

The US’s Internal Revenue Service is struggling to get on top of “deficiencies” in controls caused by creaking legacy IT systems, with a watchdog warning these now risk “disruption of critical operations.”

The IRS collected nearly $4.7 trillion in taxes in 2023 and processed 271.5 million tax returns, with its website seeing 880.9 million visits. 

It has earlier admitted that its “core IT infrastructure… includes some of the oldest information systems in the federal government” with over 600 apps in use, many 20+ years old, “custom-built and loosely integrated.”

Over 30 IT issues at the IRS “increase the risk of unauthorized access to… sensitive data and programs,” the Government Accountability Office (GAO) said – with issues raised almost a decade ago also still unresolved.

IRS IT systems: Security management issues 

The GAO said on April 25 that it had identified “three new deficiencies in internal control over financial reporting”. All three were classed as “sensitive in nature, related to information systems” and highlighted “significant deficiency in IRS's information system controls.”

IRS management mitigated the deficiencies through “compensating controls,” it added. One was related to security management, one to access control, and one to configuration management control.

The IRS “did not consistently implement security configuration settings for certain servers supporting systems significant to financial reporting,” the GAO found – and was not meeting its own requirements to “review and certify a monthly security report on a timely basis,” it added. 

The GAO has made six recommendations to address these shortcomings, four of which relate particularly to the configuration management issue.

These add to a stockpile of recommendations and deficiencies that the IRS is clearly struggling with. The latest report said that “As of September 30, 2023, IRS has 42 open GAO recommendations related to internal control over financial reporting to address” including 34 IT ones. 

One issue regarding unpaid assessments was first identified in 2018, but remedial action had been put on hold, “because of limited resources.”

Another issue around procedures for manual tax refunds, first identified in 2015, also remains open after the agency put work to automate the processes “on hold”, again “because of limited resources”. 

Five other issues around tax refunds remain open. Many Americans would regard issuing refunds as the IRS’ most important job.

The IRS's budget has tumbled in recent years and it has lost 15,000 staff, says the White House. It has now received a huge new funding boost.

GAO found last year that around 33% of IRS apps, 23% of its software instances and 8% of its hardware were considered “legacy”, with some applications ranging from 25 to 64 years in age.

The latest report from the Government Accountability Office on the US’s tax collection agency echoes concerns it raised last year about the parlous state of critical legacy systems across a range of government departments. A GAO review of ten government agencies in 2019 showed that just two – Defense and the Department of the Interior – had documented modernization plans. The agency said outdated languages were still in use, while some systems were as much as 51 years old.

An update last year showed that six more agencies had evolved plans, with the Office of Personnel Management and Department of Transportation still lagging. However, the GAO said “system modernizations are dependent on funding”. And a modernization “plan” does nothing to improve security until it is actually put into action.

Few agencies haven't been skewered by the GAO when it comes to security. Last month it even identified shortcomings at CISA, the US' prime agency for cybersecurity. The IRS’s 2023-2031 operating plan, however, does show that it recognises the issue and has a plan for it.

Better yet, it also now has funding to do so.

The recent Inflation Reduction Act provided $80 billion in additional funding to the IRS. The IRS budget had previously decreased from $15.1 billion to $12.4 billion between fiscal years 2010 and 2021 after accounting for inflation – an 18% decline, the White House said. During the same time, the IRS lost upwards of 15,000 full-time employees.

In charge of that transformation now is new IRS CIO Rajiv Uppal, who took on the role in January 2024 – joining from the Centers for Medicare & Medicaid Services. To say he has his work cut out is apparently an understatement. He does, however, now have a budget for change...
