Information Security: Internal Revenue Service Needs to Remedy Serious Weaknesses over Taxpayer and Bank Secrecy Act Data

GAO-05-482 Published: Apr 15, 2005. Publicly Released: Apr 15, 2005.

Highlights

The Internal Revenue Service (IRS) relies extensively on computerized systems to support its financial and mission-related operations. In addition, IRS provides computer processing support to the Financial Crimes Enforcement Network (FinCEN)--another Treasury bureau. As part of IRS's fiscal year 2004 financial statements, GAO assessed (1) the status of IRS's actions to correct or mitigate previously reported weaknesses at one of its critical data processing facilities and (2) the effectiveness of IRS's information security controls in protecting the confidentiality, integrity, and availability of key financial and tax processing systems.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of the Treasury
Recommendation: To help fully implement IRS's information security program, the Secretary of the Treasury should direct the IRS Commissioner to ensure that established security policies and procedures are consistently followed and implemented.
Status: Closed – Implemented
Based on recurring audit work at IRS data centers, GAO has observed that the agency has continued to implement its information security program with more consistent implementation of established policies and procedures.

Agency Affected: Department of the Treasury
Recommendation: To help fully implement IRS's information security program, the Secretary of the Treasury should direct the IRS Commissioner to ensure that employees with significant information security responsibilities are provided the sufficient training and understand their role in implementing security related policies and controls.
Status: Closed – Implemented
In fiscal year 2008, GAO verified that IRS had ensured that employees with significant information security responsibilities had been provided appropriate training in accordance with IRS policy.

Agency Affected: Department of the Treasury
Recommendation: To help fully implement IRS's information security program, the Secretary of the Treasury should direct the IRS Commissioner to implement an ongoing process of testing and evaluating IRS's information systems to ensure compliance with established policies and procedures.
Status: Closed – Implemented
IRS has established an ongoing process of testing and evaluating its systems, including periodically testing and evaluating its systems and configurations to determine compliance with established policies and procedures.

Agency Affected: Department of the Treasury
Recommendation: The Secretary of the Treasury should direct the IRS Commissioner to perform an assessment to determine whether taxpayer data has been disclosed to unauthorized individuals.
Status: Closed – Implemented
According to IRS, the agency performed an assessment to determine whether data had been disclosed to any unauthorized individuals.

Agency Affected: Department of the Treasury
Recommendation: The Secretary of the Treasury should direct the FinCEN Director to perform an assessment to determine whether Bank Secrecy Act data have been disclosed to unauthorized individuals.
Status: Closed – Implemented
According to a FinCEN official, the Secretary delegated this recommendation to IRS; IRS performed an assessment to determine whether data had been disclosed to unauthorized individuals.

Topics

Computer security, Continuity of operations, Data integrity, Financial statement audits, Information resources management, Information security, Internal controls, Systems analysis, Tax administration systems, Corrective action