Even though the IRS has made improvements in information security, there are still weak spots in its in system access controls, audit trails, and remediation of security flaws, according to a new report.
The report was the result of an annual assessment of the adequacy and security of IRS information technology conducted by the Treasury Inspector General for Tax Administration, which found that the IRS had made progress on security -- to the point where the Government Accountability Office had downgraded information security at the service from a “material weakness” to a “significant deficiency” -- but that issues still remain.
TIGTA found that, since last year’s assessment report, the IRS has taken important steps to correct system performance issues of the Modernized e-File system, but it identified several systems development issues that should be addressed to further strengthen and support the IRS’s modernization efforts. For example, its review of the Customer Account Data Engine 2 database determined that existing data quality issues prevented the downstream interfaces from being implemented. (See Costs and Delays Mounting for IRS Customer Database.) At the same time, the development and implementation of new systems for the Affordable Care Act present major information technology management challenges. (See IRS Needs to Improve Security for ObamaCare Tax Credits.)
“Since the IRS now relies extensively on its computer systems to carry out the responsibilities of administering our nation’s tax laws, it must ensure that those systems are effectively secured to protect sensitive financial and taxpayer data,” said Inspector General J. Russell George. “TIGTA found that the IRS’s Modernization Program remains at risk.”
Among the other issues discussed in the report were the need for the service to strengthen its hardware and software management processes; the need for improvement of taxpayer access to account information online; and the potential benefits of a “Bring Your Own Device” pilot program.
The assessment did not include any specific recommendations for the IRS, but some of the individual audits mentioned in the assessment did.