Weaknesses in the Internal Revenue Service’s financial and tax-processing systems continue to jeopardize the confidentiality, integrity and availability of sensitive taxpayer information, according to a new report by the Government Accountability Office.
The report acknowledged that the IRS has implemented numerous controls and procedures to protect its financial and tax-processing systems. However, it noted that the agency continues to face challenges in controlling access to its information resources. For example, the IRS has not always implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time, or appropriately restricted access to certain servers.
The IRS also has not ensured that sensitive data was encrypted when transmitted, nor has it audited and monitored its systems to ensure that unauthorized activities would be detected. The IRS has not ensured management validation of access to restricted areas, according to the GAO. In addition, unpatched and outdated software exposes the IRS to known vulnerabilities, and the agency had not enforced backup procedures for a key system.
“An underlying reason for these weaknesses is that IRS has not fully implemented a comprehensive information security program,” said the GAO. “IRS has established a comprehensive framework for such a program, and has made strides to address control deficiencies—such as establishing working groups to identify and remediate specific at-risk control areas; however, it has not fully implemented all key components of its program. For example, IRS’s security testing and monitoring continued to not detect many of the vulnerabilities GAO identified during this audit.”
The IRS also did not promptly correct known vulnerabilities, the GAO noted. For example, the agency indicated that 76 of the 105 previously reported weaknesses open at the end of GAO’s prior-year audit had not yet been corrected. In addition, the IRS did not always validate that its actions to resolve known weaknesses were effectively implemented. While the IRS had a process in place for verifying whether each weakness had been corrected, this process was not always working as intended. Of the 29 weaknesses the IRS indicated were corrected, the GAO determined that 13 (about 45 percent) had not yet been fully addressed.
Altogether, the deficiencies, both new and those unresolved from previous GAO audits, along with a lack of fully effective compensating and mitigating controls, impair the IRS’s ability to ensure that its financial and taxpayer information is secure from internal threats, according to the GAO. “This reduces IRS’s assurance that its financial statements and other financial information are fairly presented or reliable and that sensitive IRS and taxpayer information is being sufficiently safeguarded from unauthorized disclosure or modification,” said the report. “These deficiencies are the basis of GAO’s determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2011.”
The GAO recommended that the IRS take six actions to fully implement key components of its comprehensive information security program. In a separate report with limited distribution, the GAO recommended that the IRS take 23 specific actions to correct the newly identified control weaknesses. In commenting on a draft of the report, the IRS agreed to develop a detailed corrective action plan to address each recommendation.
“The security and privacy of all taxpayer and financial information is of utmost importance to us and the integrity of our financial systems continues to be sound,” wrote IRS Commissioner Douglas H. Shulman in response to the report. “We are committed to securing our computer environment as we continually evaluate processes, promote user awareness and apply innovative ideas to increase compliance. The IRS has fully implemented a comprehensive information security program, within the spirit and intent of the National Institute of Standards and Technology guidelines.”