The Internal Revenue Service has continued to make progress in addressing weaknesses in its information security control and improving its internal control over financial reporting, but weaknesses remain that could affect the confidentiality, integrity and availability of financial and sensitive taxpayer data, according to a new report by the Government Accountability Office.

During fiscal year 2013, IRS management devoted attention and resources to addressing information security controls, and resolved a number of the information security control deficiencies that were previously reported by the GAO. However, significant risks remained, according to the GAO.

Specifically, the agency had not always installed appropriate patches on all databases and servers to protect against known vulnerabilities, sufficiently monitored database and mainframe controls, or appropriately restricted access to its mainframe environment.

In addition, the IRS had allowed individuals to make changes to mainframe data processing without requiring them to follow established change control procedures to ensure changes were authorized, and did not configure all applications to use strong encryption for authentication, increasing the potential for unauthorized access.

An underlying reason for these weaknesses is that the IRS has not effectively implemented portions of its information security program, said the GAO. The agency has established a comprehensive framework for the program, and continued to improve its controls; however, components of the program did not always function as intended.

For example, the IRS's testing procedures over financial reporting systems were not always thorough in that its testing methodology did not always determine whether required controls were operating effectively, the report noted. In addition, the IRS had not updated key mainframe policies and procedures to address issues such as users accessing files used by one processing environment from a different environment. Further, the IRS did not include sufficient detail in its authorization procedures to ensure that access to systems was appropriate.

Until the IRS takes additional steps to more effectively implement its testing and monitoring capabilities, ensure that policies and procedures are updated, and address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate and undetected use, modification or disclosure, said the GAO.

These deficiencies, including shortcomings in the information security program, were the basis of the GAO's determination that the IRS had a significant deficiency in its internal control over its financial reporting systems for fiscal year 2013.

The GAO recommended that the IRS take three actions to more effectively implement portions of its information security program. In a separate report with limited distribution, the GAO also recommended that the IRS take 23 specific actions to address identified control weaknesses.

In commenting on a draft of this report, the IRS agreed to develop a detailed corrective action plan to address each recommendation.

“The security and privacy of all taxpayer information is of the utmost importance to us, and the integrity of our financial systems continues to be sound,” IRS Commissioner John Koskinen wrote in response to the report.