While the Internal Revenue Service has made progress in addressing weaknesses in its information security controls and improving its internal control over financial reporting, the Government Accountability Office said in a new report that serious weaknesses remain that could affect the confidentiality, integrity and availability of financial and sensitive taxpayer data.
The report acknowledged that the IRS management devoted more attention and resources in fiscal year 2012 to addressing information security controls, and resolved a significant number of the information security control deficiencies that GAO previously reported. Among these efforts, the IRS established cross-functional working groups and tasked them with identifying and remediating specific at-risk control areas. The IRS also improved its controls over the encryption of data transferred between accounting systems, and upgraded critical network devices on the agency's internal network system.
Nevertheless, serious weaknesses persist. For example, the IRS has not always implemented effective controls for identifying and authenticating users, such as enforcing password complexity on certain servers. It also has not always appropriately restricted access to its mainframe environment, effectively monitored the mainframe environment, or ensured that current software patches had been installed on systems to protect against known vulnerabilities.
An underlying reason for these weaknesses is that IRS has not effectively implemented portions of its information security program, the GAO noted. The IRS has established a comprehensive framework for the program, and continued to make strides with various initiatives designed to improve its controls; however, certain components of the program did not always function as intended.
For example, the IRS's testing procedures over a financial reporting system that the GAO reviewed did not always determine whether required controls were operating effectively, and consequently the GAO identified control weaknesses that had not been detected by the IRS.
In addition, the agency has not updated an important policy concerning security standards for the IRS's main tax processing environment to include current software versions and control capabilities. Further, although IRS indicated that it had addressed 58 of the previous information system security-related recommendations the GAO had made, 13 of the 58 (or about 22 percent) have actually not yet been fully resolved.
Continued and consistent management commitment and attention to an effective information security program will be essential to the maintenance of, and continued improvements in, the IRS’s information system controls, the GAO pointed out.
“Until the IRS takes additional steps to more effectively implement its testing and monitoring capabilities, ensure that policies and procedures are updated, and address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate use, modification or disclosure, possibly without being detected,” said the report.
These deficiencies, along with shortcomings in the information security program, were the basis of the GAO's determination that the IRS had a significant deficiency in its internal control over financial reporting systems for fiscal year 2012.
“The IRS continued to make improving security a top priority during fiscal year 2012,” wrote IRS Acting Commissioner Steven T. Miller in response to the report. “We are pleased the Government Accountability Office recognized our progress in strengthening controls over information security resulting in a downgrade of the information security material weaknesses.”
He said the IRS would review all of the GAO’s recommendations and develop an action plan to address them. Miller also noted that the security and privacy of all taxpayer information is of the utmost importance to the IRS and the integrity of its financial systems continues to be strong.