The IRS Cancelled Contracts Potentially Saving Hundreds of Millions of Dollars, but the Impact on Taxpayer Service Remains Unknown
Why did we do this audit?

In early 2025, the President directed federal agencies to review their contracts and reduce spending where possible. As part of this effort, GSA identified contracts that could be cancelled or modified and shared that list with Treasury, which then asked the IRS for further evaluation.

How does the IRS calculate potential cost savings from a cancelled contract?

When the IRS cancels a contract, it avoids future spending because any remaining option periods will never be used. When only part of a contract is cancelled (descoped), it is treated like a cancellation but applies to a portion of the contract. For example, a contract might include requirements for both design and ongoing maintenance of a software application, and the contract is then descoped to remove the maintenance portion. Each time a contractor invoices the IRS for completed work, it reduces the open obligations amount by the same amount. The remaining open obligations represent potential savings from cancelling a contract.

Figure: Hypothetical Example of a $100 Million Contract and Potential Savings

What did we find?

Between January and May of 2025, the IRS reviewed over 3,000 contracts and identified 501 for possible cancellation. By July 2025, it had cancelled 344 of those contracts. However, the actual cost savings from these actions were either limited or unknown because most of the obligated funds had already been expended or the contracts had no obligated values.

Figure: Potential Cost Savings Associated with 344 Cancelled Contracts

More than 100 of the cancelled and descoped contracts supported taxpayer-facing services. Cancelling taxpayer-facing contracts may create service gaps, delay assistance, and require the IRS to adjust its resources to meet its mission.

The IRS Has Made Limited Progress Implementing Zero Trust Data Principles
Why did we do this audit?

A data governance strategy outlines how an organization manages, protects, and uses its data. It sets the policies and processes to ensure data is accurate, secure, and accessible throughout its lifecycle. The Zero Trust Architecture is an end-to-end approach focused on resource protection and the premise that trust is never granted implicitly and must be continually evaluated. We reviewed the IRS's data governance strategy to determine if the IRS has the right controls, processes, and plans in place to meet its Zero Trust data goals.

What did we find?

The IRS is in the first stages of development for its Data Inventory Management and Categorization. The IRS developed the Enterprise Data Platform for its data inventory and has onboarded 41 (22 percent) of the 187 data repositories as of October 2025. The IRS has deployed two commercial software solutions for data categorization. However, the IRS has not implemented automated categorization of data due to challenges establishing related policies.

The IRS encrypts data in transit between its locations, and we confirmed that encryption configuration settings are enabled for data transmitted between IRS locations. However, management stated that they cancelled plans to encrypt any more systems past June 2025 due to changing priorities at the Department of the Treasury.

In addition, we found that the IRS did not follow its internal policies to ensure the security of encryption keys. Specifically, the combinations for the cabinet locks that contain access cards necessary to log on to the encryption servers were not changed as required and our auditors were allowed to enter limited access areas without signing the appropriate log.