Information Security:

IRS Electronic Filing Systems

GAO-01-306: Published: Feb 16, 2001. Publicly Released: Mar 15, 2001.

Contact:

Gregory C. Wilshusen
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

A number of serious control weaknesses in the Internal Revenue Service's (IRS) electronic filing systems placed personal taxpayer data in IRS' electronic filing system at significant risk of unauthorized disclosure, use, and modification during the 2000 tax filing season. IRS recognized the importance of promptly addressing these weaknesses and stated that it has taken steps to correct them prior to the current tax filing season. Ensuring that ongoing controls over electronic filing are effective requires top-management support and leadership, disciplined processes, and consistent oversight. IRS' efforts to achieve the goal that 80 percent of all tax and information returns be filed electronically by 2007 must be balanced with the need to adequately ensure the security, privacy, and reliability of taxpayer and other sensitive information. Failure to maintain adequate security over IRS' electronic filing systems could erode public confidence in electronically filing tax returns, jeopardize IRS' ability to meet the 80 percent goal, and deprive IRS of the many benefits that electronic filing offers.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Commissioner of Internal Revenue should direct the Director of Submission Processing to implement an alternative means for taxpayers to authenticate electronically filed returns or to strengthen procedures for receiving signed Forms 8453 for electronically filed tax returns.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has implemented an alternative means, a nationwide PIN program known as Self-Select PIN, for taxpayers to authenticate electronically filed returns.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer to improve the integrity of the e-file production environment by (1) removing software development tools from the production environment, if feasible, or restricting access to the tools to the minimum number of users who require it and (2) disallowing developers access to production environments and taxpayer data.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: Software compilers were removed from the system and developers no longer have access to the production environment and taxpayer data.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer to enhance the edit and data validation routines in an e-file system to detect erroneous or invalid data on electronically filed tax returns.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS will continue to enhance edit and validation routines to detect erroneous or invalid data on the system. A tax form was revised to correct a situation in which the system did not validate that the taxpayer identification numbers on the form and on an attachment matched.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer to fully implement procedures to assess risks and monitor the effectiveness of security controls over IRS' electronic filing systems on an ongoing basis.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has implemented procedures to assess risks and monitor the effectiveness of controls over the e-file system.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer to complete actions required for the certification and accreditation of an e-file system.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has completed actions to certify and accredit an e-file system.

    Recommendation: The Chief Information Officer should periodically report to the Commissioner of Internal Revenue on progress made to implement this action plan and on the results of efforts to continually monitor the risks and effectiveness of security controls over IRS electronic filing systems and electronically filed taxpayer data.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: The CIO periodically reports to the Commissioner on progress made to implement the action plan. The Office of Security Services conducts independent reviews to ensure actions have been completed as prescribed by the action plan.

    Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer to complete efforts to implement an action plan for strengthening access controls over IRS electronic filing systems and networks. To assist in this effort, GAO has provided technical recommendations that address specific access control weaknesses that IRS should address as part of its efforts.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: IRS has substantially completed its planned efforts to improve safeguards that control external access to its electronic filing systems and networks. It has taken steps to improve perimeter defenses and prevent individuals from gaining unauthorized access to e-file systems and information. To illustrate, IRS has redesigned the e-file system architecture, strengthened modem controls, and installed network control devices that collectively are configured to filter inbound and outbound computer network traffic to e-file computers and allow only authorized traffic through its filters.

    Recommendation: The Commissioner of Internal Revenue should direct the Director of Electronic Tax Administration to provide notice to taxpayers concerning (1) transmitter access to electronic tax return data in clear text and (2) electronic transmission of tax returns to IRS in clear text.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: During its FY 2001 audit of IRS's computer controls over external access points and internal networks and systems, GAO found that most electronically filed tax returns were submitted by third-party transmitters, and that IRS did not accept these returns in encrypted form. As a result, personal taxpayer data was at increased risk of unauthorized disclosure, use, and modification. GAO recommended that IRS notify taxpayers that transmitters have access to tax return data in clear text and that returns are transmitted in clear text. In response, as of January 2003, IRS has notified taxpayers on its Web site that there are inherent risks associated with using third parties to prepare and file tax returns.
