Information Security:

IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk

GAO-14-405: Published: Apr 8, 2014. Publicly Released: Apr 8, 2014.

Multimedia:

  • GAO: AskGAOLive Chat on IRS Securing Financial and Taxpayer DataVIDEO: AskGAOLive Chat on IRS Securing Financial and Taxpayer Data
    Online video chat with Gregory Wilshusen, Director, Information Technology.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Nancy R. Kingsbury
(202) 512-2700
kingsburyn@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Internal Revenue Service (IRS) continued to make progress in addressing information security control weaknesses and improving its internal control over financial reporting; however, weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data. During fiscal year 2013, IRS management devoted attention and resources to addressing information security controls, and resolved a number of the information security control deficiencies that were previously reported by GAO. However, significant risks remained. Specifically, the agency had not always (1) installed appropriate patches on all databases and servers to protect against known vulnerabilities, (2) sufficiently monitored database and mainframe controls, or (3) appropriately restricted access to its mainframe environment. In addition, IRS had allowed individuals to make changes to mainframe data processing without requiring them to follow established change control procedures to ensure changes were authorized, and did not configure all applications to use strong encryption for authentication, increasing the potential for unauthorized access.

An underlying reason for these weaknesses is that IRS has not effectively implemented portions of its information security program. The agency has established a comprehensive framework for the program, and continued to improve its controls; however, components of the program did not always function as intended. For example, IRS's testing procedures over financial reporting systems were not always thorough in that its testing methodology did not always determine whether required controls were operating effectively. In addition, IRS had not updated key mainframe policies and procedures to address issues such as users accessing files used by one processing environment from a different environment. Further, IRS did not include sufficient detail in its authorization procedures to ensure that access to systems was appropriate.

Until IRS takes additional steps to (1) more effectively implement its testing and monitoring capabilities, (2) ensure that policies and procedures are updated, and (3) address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure. These deficiencies, including shortcomings in the information security program, were the basis of our determination that IRS had a significant deficiency in its internal control over its financial reporting systems for fiscal year 2013.

Why GAO Did This Study

The IRS has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect the financial and sensitive taxpayer information that resides on those systems.

As part of its audit of IRS's fiscal years 2013 and 2012 financial statements, GAO assessed whether controls over key financial and tax processing systems are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials at six sites.

What GAO Recommends

GAO is recommending that IRS take 3 actions to more effectively implement portions of its information security program. In a separate report with limited distribution, GAO recommends that IRS take 23 specific actions to address identified control weaknesses. In commenting on a draft of this report, IRS agreed to develop a detailed corrective action plan to address each recommendation.

For more information, contact Nancy R. Kingsbury at (202) 512-2700 or kingsburyn@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To effectively implement key components of the IRS information security program, the Commissioner of Internal Revenue should update access request policies and procedures to ensure that they contain sufficiently detailed information of access requests and access assignments to facilitate effective review and verification of appropriate access privileges.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To effectively implement key components of the IRS information security program, the Commissioner of Internal Revenue should update procedures to specify the information required to be recorded in the internal system documentation for important mainframe system processes.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To effectively implement key components of the IRS information security program, the Commissioner of Internal Revenue should develop a remedial action plan to address known information system weaknesses or deficiencies in the workload automation software environment.

    Agency Affected: Department of the Treasury: Internal Revenue Service

 

Explore the full database of GAO's Open Recommendations »

Aug 11, 2014

Jul 29, 2014

Jul 22, 2014

Jul 18, 2014

Jul 7, 2014

Jul 2, 2014

Jun 13, 2014

May 30, 2014

May 20, 2014

Apr 21, 2014

Looking for more? Browse all our products here