Information Security:

IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data

GAO-11-308: Published: Mar 15, 2011. Publicly Released: Mar 15, 2011.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

The Internal Revenue Service (IRS) has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect financial and sensitive taxpayer information that resides on those systems. As part of its audit of IRS's fiscal years 2010 and 2009 financial statements, GAO assessed whether controls over key financial and tax processing systems are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials at four sites.

Although IRS made progress in correcting previously reported information security weaknesses, control weaknesses over key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information. Specifically, IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its financial systems and information. For example, the agency did not sufficiently (1) restrict users' access to databases to only the access needed to perform their jobs; (2) secure the system it uses to support and manage its computer access request, approval, and review processes; (3) update database software residing on servers that support its general ledger system; and (4) enable certain auditing features on databases supporting several key systems. In addition, 65 of 88 (about 74 percent) of previously reported weaknesses remain unresolved or unmitigated. An underlying reason for these weaknesses is that IRS has not yet fully implemented key components of its comprehensive information security program. Although IRS has processes in place intended to monitor and assess its internal controls, these processes were not always effective. For example, IRS's testing did not detect many of the vulnerabilities GAO identified during this audit and did not assess a key application in its current environment. Further, the agency had not effectively validated corrective actions reported to resolve previously identified weaknesses. Although IRS had a process in place for verifying whether each weakness had been corrected, this process was not always working as intended. For example, the agency reported that it had resolved 39 of the 88 previously identified weaknesses; however, 16 of the 39 weaknesses had not been mitigated.
IRS has various initiatives underway to bolster security over its networks and systems; however, until the agency corrects the identified weaknesses, its financial systems and information remain unnecessarily vulnerable to insider threats, including errors or mistakes and fraudulent or malevolent acts by insiders. As a result, financial and taxpayer information are at increased risk of unauthorized disclosure, modification, or destruction; financial data is at increased risk of errors that result in misstatement; and the agency's management decisions may be based on unreliable or inaccurate financial information. These weaknesses, considered collectively, are the basis for GAO's determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2010. GAO recommends that IRS take eight actions to fully implement key components of its comprehensive information security program. In a separate report with limited distribution, GAO is recommending 32 specific actions for correcting newly identified control weaknesses. In commenting on a draft of this report, IRS agreed to develop a detailed corrective action plan to address each recommendation.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

Recommendations for Executive Action

Recommendation: To fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should update risk assessments whenever there is a significant change to the system, the facilities where the system resides, or other conditions that may affect the security or status of system accreditation.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In 2012, we validated that IRS had appropriately updated risk assessments.

Recommendation: To fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should update the risk assessment for the mainframe environment supporting the general ledger for tax-related activities and tax processing applications to include all portions of the environment that could affect security.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In 2012, we validated that IRS had updated the risk assessment for the mainframe environment that supports the general ledger.

Recommendation: To fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should update policies and procedures pertaining to password controls to ensure they are consistent.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In 2012, we validated that IRS updated policies and procedures pertaining to password controls.

Recommendation: To fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should document and implement policy and procedures for how systems-managed storage as an access control mechanism should be administered, managed, and monitored.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Open

Comments: Action pending.

Recommendation: To fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should update the application security plan to describe controls in place in its current mainframe operating environment.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In 2012, we validated that IRS updated the application security plan to describe controls in place for the current mainframe operating environment.

Recommendation: To fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should perform comprehensive testing of the key network component considered to be a high-risk system, at least annually.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In fiscal year 2011, we verified that IRS established a Memorandum of Understanding with Treasury to conduct testing of this key network component and verified that Treasury tested the component.

Recommendation: To fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should test the application security for the general ledger system for tax-related activities in its current operating environment.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In 2012, we validated that IRS tested application security for the general ledger system in its current operating environment.

Recommendation: To fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should perform comprehensive testing of security controls over the mainframe environment to include all portions of the operating environment.

Agency Affected: Department of the Treasury: Internal Revenue Service

Status: Closed - Implemented

Comments: In 2012, we validated that IRS performed comprehensive testing of security controls over the mainframe environment to include all portions of the operating environment.