Skip to main content

IRS in Need of Better Controls to Safeguard Taxpayer Data

Posted on January 31, 2019

Every tax season, you send information to the IRS about your salary, marriage status, and other personal and financial information.

We’ve looked at whether IRS has effective controls in place to protect the sensitive financial and taxpayer data in its computer systems. Today’s WatchBlog explores.

IRS shows some improvement in controls

IRS relies extensively on computer systems to collect taxes, process tax returns, and enforce the nation’s tax laws.

Since fiscal year 2012, we have reported on IRS’s lack of significant internal controls over its own financial reporting systems. We found that IRS made progress in addressing some of the internal control problems we identified, such as restricting unnecessary user access to certain applications and enforcing the use of encryption. The agency also corrected a previously identified contingency planning weakness for one system.

But problems continue to challenge IRS

Despite making improvements, IRS continues to face challenges in correcting previous and ongoing information security control problems in its financial systems that contain taxpayer data. IRS had the most weaknesses in preventing unauthorized access to its systems and proper configuration management (i.e., security features for information systems). For example, IRS has not

  • consistently enforced password expirations or minimum password lengths,
  • installed critical security patches to databases supporting 5 information systems, and
  • replaced outdated software that the vendor no longer supports.

Our recommendations

By the end of fiscal year 2017, IRS had not fully implemented 117 prior GAO recommendations, and we made 37 new recommendations to address information security control problems for a total of 154 outstanding recommendations.

To learn more, read our full report.

Comments on GAO’s WatchBlog? Contact


GAO Contacts

Gregory C. Wilshusen
Gregory C. Wilshusen
Nancy R. Kingsbury
Nancy R. Kingsbury
Managing Director

Related Products

About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to