Information Security:

IRS Needs to Continue Improving Controls over Financial and Taxpayer Data

GAO-15-337: Published: Mar 19, 2015. Publicly Released: Mar 19, 2015.

Contact:

Nancy R. Kingsbury
(202) 512-2700
KingsburyN@gao.gov


Gregory C. Wilshusen
(202) 512-6244
WilshusenG@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Internal Revenue Service (IRS) made progress in implementing information security controls; however, weaknesses limit the controls' effectiveness in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer data. During fiscal year 2014, IRS continued to devote attention to securing its information systems that process sensitive taxpayer and financial information. Key among its actions were improving the security over the software that manages changes to its mainframe environment and upgrading secure communications enterprise-wide for sensitive data. However, significant control deficiencies existed. For example, IRS did not install appropriate security updates on all of its databases and servers, and did not sufficiently monitor control activities that support its financial reporting. In addition, IRS did not effectively maintain the secure configuration of a key application, and it did not appropriately segregate duties, allowing a developer unnecessary access to the application.

An underlying reason for these weaknesses is that IRS has not effectively implemented elements of its information security program. The agency had a comprehensive framework for its program, such as assessing risk for its systems, developing security plans, and providing employees with security awareness and specialized training. However, aspects of its program were not yet effectively implemented. For example, IRS's testing methodology did not always determine whether required controls were operating effectively; consequently, GAO continued to identify control weaknesses that had not been detected by IRS. Also, IRS had not updated key mainframe policies and procedures to address issues such as comprehensive auditing and monitoring of access, thereby increasing the risk that unauthorized access to tax processing systems would go undetected. In addition, IRS did not reassess controls for a key system after significant changes had been made in the operating environment. Further, IRS had not ensured that many of its corrective actions to address previously identified deficiencies were effective. For example, of 69 previously reported weaknesses that remained unresolved at the end of GAO's last audit, IRS indicated it had implemented corrective actions for 24 of them; however, GAO determined that 10 of the 24 weaknesses had not been fully resolved.

Until IRS takes additional steps to (1) address unresolved and newly identified control deficiencies and (2) effectively implement elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. These shortcomings were the basis for GAO's determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2014.

Why GAO Did This Study

The IRS has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect the financial and sensitive taxpayer data that resides on those systems.

As part of its audit of IRS's fiscal year 2014 and 2013 financial statements, GAO assessed whether controls over key financial and tax-processing systems were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans and procedures; interviewed key agency officials; and tested controls over key financial applications at four sites.

What GAO Recommends

GAO is recommending that IRS take 5 additional actions to more effectively implement elements of its information security program. In a separate report with limited distribution, GAO is recommending 14 actions that IRS can take to address newly identified control weaknesses. In commenting on a draft of this report, IRS agreed to develop corrective action plans where appropriate to address these recommendations.

For more information, contact Nancy Kingsbury at (202) 512-2700 or kingsburyn@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: During our audit of its FY 2016 financial statements, IRS indicated that it had not yet implemented this recommendation.

    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the policy for mainframe security to ensure that it addresses who can administer the security software configurations that control access to mainframe programs.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Open

    Comments: During our audit of its FY 2016 financial statements, IRS indicated that it had not yet implemented this recommendation.

    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure contractors receive security awareness training within 5 business days of being granted access to an IRS information system.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Open

    Comments: During our audit of its FY 2016 financial statements, IRS indicated that it had not yet implemented this recommendation.

    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should ensure that control testing methodology and results fully meet the intent of the control objectives being tested.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Closed - Implemented

    Comments: In 2015, GAO validated that IRS had updated the security authorization for its access request and approval system to reflect changes in the system's operating environment.

    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the security authorization for the access request and approval system to reflect the significant changes to the operating environment.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Open

    Comments: During our audit of its FY 2016 financial statements, IRS indicated that it had not yet implemented this recommendation.

    Recommendation: In addition to implementing our previous recommendations, to effectively implement key elements of the IRS information security program, the Commissioner of Internal Revenue should update the remedial action verification process to ensure actions are fully implemented.

    Agency Affected: Department of the Treasury: Internal Revenue Service

