While the IRS has made progress in correcting some of its previously discovered information security weaknesses, control weaknesses over key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information, according to a new
Specifically, the IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its financial systems and information, the GAO found. For example, the agency did not sufficiently restrict users’ access to databases to only the access needed to perform their jobs; secure the system it uses to support and manage its computer access request, approval, and review processes; update database software residing on servers that support its general ledger system; and enable certain auditing features on databases supporting several key systems. In addition, 65 of 88—about 74 percent—of previously reported weaknesses found in earlier GAO audits remain unresolved or unmitigated.
An underlying reason for these weaknesses is that the IRS has not yet fully implemented key components of its comprehensive information security program, according to the GAO. While the IRS has processes in place intended to monitor and assess its internal controls, these processes were not always effective, the GAO found. For example, the IRS’s testing did not detect many of the vulnerabilities that the GAO identified during the latest audit and did not assess a key application in its current environment.
Further, the agency had not effectively validated the corrective actions reported to resolve previously identified weaknesses. Although the IRS had a process in place for verifying whether each weakness had been corrected, this process was not always working as intended. For example, the agency reported that it had resolved 39 of the 88 previously identified weaknesses; however, 16 of the 39 weaknesses had not been mitigated.
The IRS has various initiatives underway to bolster security over its networks and systems. However, until the agency corrects the identified weaknesses, its financial systems and information remain unnecessarily vulnerable to insider threats, including errors or mistakes and fraudulent or malevolent acts by insiders, the GAO warned. As a result, financial and taxpayer information are at increased risk of unauthorized disclosure, modification, or destruction; financial data is at increased risk of errors that result in misstatement; and the agency’s management decisions may be based on unreliable or inaccurate financial information. These weaknesses, considered collectively, are the basis for GAO’s determination that the IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2010.
The GAO recommended that the IRS take eight actions to fully implement key components of its comprehensive information security program. In a separate report with limited distribution, the GAO is recommending 32 specific actions for correcting newly identified control weaknesses. In commenting on a draft of the report, the IRS agreed to develop a detailed corrective action plan to address each recommendation.
