While improvements have been made in the Internal Revenue Service’s information technology systems over the past year, the IRS still needs to do more to protect sensitive financial and taxpayer data and deliver new systems, according to a new report.

J. Russell George

The report, by the Treasury Inspector General for Tax Administration, was delivered as part of an annual evaluation of the adequacy and security of IRS technology, as required by the IRS Restructuring and Reform Act of 1998.

Since TIGTA’s assessment last year, the IRS implemented the daily processing and database implementation projects of the Customer Account Data Engine 2 and a new release of the Modernized e-File system.

TIGTA said it continues to believe that the IRS’s Modernization Program remains a major risk and that improved controls are needed to ensure long-term success for both of these key systems within the program. In addition, the development and implementation of new systems, which are needed to implement provisions of the Patient Protection and Affordable Care Act, introduce significant risk management challenges.

The annual assessment of the IRS’s IT program stresses the importance of continued improvements in the overall control environment, including processes and performance needed to ensure that IRS systems adequately meet all mission-critical requirements and goals for electronic tax administration.

“The IRS made significant progress in modernizing its system, but it must continue its efforts to ensure that its computer systems are effectively secured to protect sensitive financial and taxpayer data,” said TIGTA Inspector General J. Russell George in a statement.

TIGTA found that the IRS has made progress to improve information security and personnel safety. Nevertheless, the IRS needs to continue to emphasize information and physical security programs to ensure that policies, procedures and practices adequately address security control weaknesses.

TIGTA auditors identified weaknesses over system access controls, configuration management, audit trails, physical security, remediation of security weaknesses, and oversight and coordination on security related issues.

“Until the IRS addresses security weaknesses, it will continue to put the confidentiality, integrity, and availability of financial and taxpayer information and employee safety at risk,” said George.

In addition, TIGTA found that the IRS needs to ensure that it leverages viable technological advances as it improves its overall operational environment. While the IRS implemented virtualization technology to continue to improve operational efficiency, additional improvements are needed.

Because the fiscal year 2012 annual assessment report was based primarily on previously issued reports from TIGTA and other oversight organizations, focusing on the IRS’s IT Program, TIGTA said it did not offer any new recommendations. IRS officials were provided with an opportunity to review and comment on the draft report, but there was no response from IRS officials included in the report released to the public.