The IRS still runs on outdated applications and software from 1959, watchdog warns
Around one-third of the digital applications the IRS runs are out of date, raising fresh concerns about cybersecurity issues, workflow management and the agency’s ability to process hundreds of millions of U.S. tax returns, according to the U.S. Government Accountability Office.
GAO said in a recent study that about 33% of applications, 23% of software instances in use and 8% of hardware assets were considered legacy. The list includes applications ranging from 25 to 64 years in age, as well as software with up to 15 versions behind up-to-date versions.
The agency said: “As GAO has previously noted, and IRS has acknowledged, these legacy assets will continue to contribute to security risks, unmet mission needs, staffing issues and increased costs.”
According to the watchdog, IT modernization best practices require agencies to create plans that include milestones, a list of work to be performed and plans for disposing of legacy systems. As of August, IRS had plans for 21 IT system modernization initiatives underway, however, six out of the nine plans did not address disposal of currently operational legacy systems.
Although IRS officials said they would address this, they did not identify a timeframe for doing so.
The watchdog also noted that the IRS has recently suspended six operations, including two that are essential to replacing the 60-year-old Individual Master File, which is the agency’s authoritative data source for individual tax account data.
This latest study comes after the watchdog in September called on the IRS to improve the scope of its inside threat monitoring systems within the agency. According to the inspector general’s report at the time, information was missing for 234 of 351, or 67%, of systems included in a key enterprise security audit trails system list.
That watchdog intervention came shortly after the IRS unintentionally published confidential data relating to business tax return submissions on its website.
Correction, 2/16/22: This article was updated to clarify that the report was carried out by the Government Accountability Office.