Many people probably don’t give the IRS’s information technology much thought—until client refunds are months late or an audit that never should have happened proceeds aggressively to a lien.

Now, a new report by U.S. General Accountability Office auditor David Hinchman has sounded the alarm on the agency's IT vulnerabilities.

It turns out that a third of the custom-built software applications critical to the IRS’s operations—including collecting taxes and distributing refunds—are “legacy IT,” meaning they rely on archaic code that is older than some of the U.S.’s most senior members of Congress, according to the report.

The agency's IT is particularly prone “to increased cyber security risks, unmet mission needs, staffing issues and increased costs,” Hinchman said in the report.

GAO's analysis showed that about 33% of the applications, 23% of the software instances in use and 8% of hardware assets are considered legacy technology. This includes applications ranging from 25 to 64 years old, as well as software up to 15 versions behind the current version, the report found.

As of August 2022, the IRS had 21 modernization initiatives, including nine to replace its outdated IT systems. However, six of those nine initiatives did not specify how they would dispose of outdated systems—a key element in IT modernization. Officials stated they would address this element at the appropriate time. But Hinchman argued that the time is now. Congress last year provided the IRS with $80 billion to spend over the next decade. Last week, the IRS unveiled its strategic plan for spending a sizeable portion of the budget on a digital transformation.

The plan calls for rewriting tech in today’s programming languages and offers a more precise timeline for retiring the databases that are almost 65 years old.

“We must take steps to modernize the agency’s technology infrastructure,” Danny Werfel, the new IRS commissioner, said in a statement when the plan was released last week.

The blueprint promises real-time tax alerts, a shifting of more taxpayer interactions to digital platforms and more audits of wealthy taxpayers and corporations, Werfel said.

The IRS’s so-called modernization best practices also call for documenting plans to show milestones, work that still needs to be performed and disposition of legacy systems.

The IRS’s plans for six of the nine initiatives it is undertaking do not address the disposition of legacy systems—the most pernicious problem the IRS faces, Hinchman said.

“Officials stated they would address this key element at the appropriate time in the initiatives' lifecycle; however, they did not identify time frames for doing so,” he noted.

Even the most important applications used by the IRS require employees to be fluent in a programming language that is no longer taught in schools, according to the report.