Source · Select Committees · Public Accounts Committee
Recommendation 24
24
Accepted
HMRC’s legacy IT systems pose security, reliability, and cost risks.
Conclusion
HMRC explained that there are three key risks that arise from operating legacy systems: lower levels of security; lower reliability and resilience; and higher costs of system changes. HMRC said that its executive team and its digital team track how up to date its systems are and how that is changing over time. HMRC told us that it now has a tolerable level of risk in its IT estate, but progress on remediation was not as fast as it would like.44
Government Response Summary
The government agrees with the committee's finding and commits to writing to the Committee by September 2025 with plans, forecast costs, and expected savings for remediating its legacy IT systems, with progress to be reported in Annual Report and Accounts.
Government Response
Accepted
HM Government
Accepted
4.1 The government agrees with the Committee’s recommendation. Target implementation date: September 2025 4.2 HMRC will write to the Committee on its plans to address the remediation of its legacy IT systems with a forecast cost of investments and expected savings. Progress and spending on remediation will be available within the Annual Report and Accounts.