Skip to main content

IRS in Need of Better Controls to Safeguard Taxpayer Data

Posted on January 31, 2019

Every tax season, you send information to the IRS about your salary, marriage status, and other personal and financial information.

We’ve looked at whether IRS has effective controls in place to protect the sensitive financial and taxpayer data in its computer systems. Today’s WatchBlog explores.

IRS shows some improvement in controls

IRS relies extensively on computer systems to collect taxes, process tax returns, and enforce the nation’s tax laws.

Since fiscal year 2012, we have reported on IRS’s lack of significant internal controls over its own financial reporting systems. We found that IRS made progress in addressing some of the internal control problems we identified, such as restricting unnecessary user access to certain applications and enforcing the use of encryption. The agency also corrected a previously identified contingency planning weakness for one system.

But problems continue to challenge IRS

Despite making improvements, IRS continues to face challenges in correcting previous and ongoing information security control problems in its financial systems that contain taxpayer data. IRS had the most weaknesses in preventing unauthorized access to its systems and proper configuration management (i.e., security features for information systems). For example, IRS has not

  • consistently enforced password expirations or minimum password lengths,
  • installed critical security patches to databases supporting 5 information systems, and
  • replaced outdated software that the vendor no longer supports.

Our recommendations

By the end of fiscal year 2017, IRS had not fully implemented 117 prior GAO recommendations, and we made 37 new recommendations to address information security control problems for a total of 154 outstanding recommendations.

To learn more, read our full report.

Comments on GAO’s WatchBlog? Contact