Information Security:

IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting Sensitive Financial and Taxpayer Data

GAO-18-391: Published: Jul 31, 2018. Publicly Released: Jul 31, 2018.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Nancy R. Kingsbury
(202) 512-2700
kingsburyn@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

IRS must keep its computer systems secure to protect sensitive financial and taxpayer information. We assessed whether it had effective controls in place to safeguard this information during fiscal years 2016 and 2017.

We found IRS made progress in resolving a number of previously reported deficiencies, such as enforcing the use of encryption. However, we found continuing and new deficiencies, such as unenforced rules for password security.

In this report, we recommended that IRS take 5 additional actions to bolster security. In a separate report with limited distribution, we recommended 32 other actions to address newly identified deficiencies.


What GAO Found

The Internal Revenue Service (IRS) has made progress in resolving a number of previously reported control deficiencies. During fiscal year 2017, the agency made improvements in access controls by, for example, restricting unnecessary user access to certain applications and enforcing strong encryption on certain systems. IRS also corrected a previously identified contingency planning weakness for one system.

Nevertheless, continuing and newly identified control deficiencies limited the effectiveness of security controls for protecting the confidentiality, integrity, and availability of IRS's financial and tax processing systems. For example, IRS did not consistently (1) implement access controls by enforcing password expirations and minimum password lengths or by updating expiration dates for contractor passwords; (2) apply configuration management controls by documenting authorizations and approvals for changes to mainframe data and processing, or by installing critical security patches on multiple devices; and (3) implement certain components of its security program by correcting weaknesses in procedures or by updating system security plans. GAO has made recommendations to IRS to correct the identified security control deficiencies (see table). However, many deficiencies have not been corrected, and a large number of recommendations remained open at the conclusion of the audit of IRS's financial statements for fiscal year 2017.

Status of GAO Information Security Control Recommendations to IRS to Correct Control Deficiencies at the Conclusion of Fiscal Year 2017

Information security     Prior recommendations    Prior recommendations    New recommendations    Total outstanding
control area             open at the beginning    closed at the end        resulting from the     recommendations at
                         of FY 2017               of FY 2017               FY 2017 audit          the end of FY 2017
Access controls                120                      (35)                      21                     106
Configuration management        29                      (10)                      13                      32
Segregation of duties            1                       (0)                       0                       1
Contingency planning             2                       (1)                       1                       2
Security program                14                       (3)                       2                      13
Total                          166                      (49)                      37                     154

Legend: FY = fiscal year. Figures in parentheses are recommendations closed during FY 2017 and are subtracted: total outstanding = prior open - closed + new.

Source: GAO analysis of Internal Revenue Service (IRS) data. | GAO-18-391

Until IRS takes additional steps to address unresolved and newly identified control deficiencies and effectively implements components of its information security program, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. These shortcomings were the basis for GAO's determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2017.

Why GAO Did This Study

The IRS has a demanding responsibility to collect taxes, process tax returns, and enforce the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations, and on information security controls to protect the sensitive financial and taxpayer information that resides on those systems.

As part of its audit of IRS's fiscal year 2017 and 2016 financial statements, GAO assessed whether controls over financial and tax processing systems were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over selected financial systems and applications; and interviewed key agency officials at four IRS locations.

What GAO Recommends

In addition to the prior recommendations that have not been implemented, GAO is recommending that IRS take 5 additional actions to more effectively implement security-related policies and plans. In a separate report with limited distribution, GAO is recommending 32 actions that IRS can take to address newly identified control deficiencies. In commenting on a draft of this report, IRS agreed with GAO's recommendations and stated that it would review each of the recommendations and ensure that its corrective actions include a root cause analysis for sustainable fixes that implement appropriate security controls.

For more information, contact Nancy R. Kingsbury at (202) 512-2700 or kingsburyn@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov

Recommendations for Executive Action

  1. Status: Open

    Comments: In its comments on our draft report, IRS agreed with our recommendation and stated that it planned to take corrective actions that implement appropriate security controls. As of October 2018, IRS had not provided evidence that it had implemented the recommendation.

    Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by entering correct contractor password expiration dates, per IRS's policy, in the system used for managing user access authorizations. (Recommendation 1)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Open

    Comments: In its comments on our draft report, IRS agreed with our recommendation and stated that it planned to take corrective actions that implement appropriate security controls. As of October 2018, IRS had not provided evidence that it had implemented the recommendation.

    Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by documenting access authorizations for non-unique accounts. (Recommendation 2)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Open

    Comments: In its comments on our draft report, IRS agreed with our recommendation and stated that it planned to take corrective actions that implement appropriate security controls. As of October 2018, IRS had not provided evidence that it had implemented the recommendation.

    Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by reviewing non-unique accounts at least annually, per IRS's policy. (Recommendation 3)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Open

    Comments: In its comments on our draft report, IRS agreed with our recommendation and stated that it planned to take corrective actions that implement appropriate security controls. As of October 2018, IRS had not provided evidence that it had implemented the recommendation.

    Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by updating security plans for three systems to reflect changes to their operating environment. (Recommendation 4)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that IRS, in response to our recommendation, removed references to rescinded logging standards from the five system security plans we reviewed.

    Recommendation: The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by removing references to logging standards that IRS has rescinded from five system security plans. (Recommendation 5)

    Agency Affected: Department of the Treasury: Internal Revenue Service
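The access-control lapses the report describes (unenforced password expirations and minimum lengths, incorrect contractor password expiration dates in the access-authorization system, and non-unique accounts not reviewed annually) are policy checks that can be run mechanically against an access inventory. The following Python script is an added example written for this page; it is not GAO's or IRS's code. The policy thresholds (90-day maximum password age, 12-character minimum, annual review of shared accounts), the Account record layout, and the sample account records are assumptions constructed to illustrate the checks, not IRS policy or data.

```python
"""Audit a user-access inventory for the access-control lapses described in
GAO-18-391: expired passwords, passwords shorter than policy, contractor
accounts whose recorded expiration date is missing or outlives the contract,
and shared (non-unique) accounts not reviewed within the past year.

Constructed example; the policy thresholds and account records below are
assumptions, not IRS policy or data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy values (hypothetical; not taken from IRS policy).
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 12
SHARED_ACCOUNT_REVIEW_DAYS = 365


@dataclass
class Account:
    name: str
    kind: str                              # "employee", "contractor" or "shared"
    password_set: date                     # date the current password was set
    password_length: int                   # length recorded by the password policy engine
    contract_end: Optional[date] = None    # contractors only: contract end date
    access_expires: Optional[date] = None  # expiration recorded in the access-management system
    last_review: Optional[date] = None     # shared accounts only: last documented review


def audit_account(acct: Account, today: date) -> List[str]:
    """Return the list of policy violations for one account (empty if compliant)."""
    findings: List[str] = []
    if (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-expired")
    if acct.password_length < MIN_PASSWORD_LENGTH:
        findings.append("password-too-short")
    if acct.kind == "contractor":
        # Recommendation 1: the expiration date recorded in the access-management
        # system must exist and must not outlive the contract it is tied to.
        if acct.access_expires is None:
            findings.append("contractor-expiration-missing")
        elif acct.contract_end is not None and acct.access_expires > acct.contract_end:
            findings.append("contractor-expiration-after-contract-end")
    if acct.kind == "shared":
        # Recommendation 3: non-unique accounts are reviewed at least annually.
        if acct.last_review is None or (today - acct.last_review).days > SHARED_ACCOUNT_REVIEW_DAYS:
            findings.append("shared-account-review-overdue")
    return findings


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant account name to its list of findings."""
    result: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            result[acct.name] = findings
    return result


# Constructed sample inventory; names and dates are made up for illustration.
AUDIT_DATE = date(2017, 9, 30)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "employee", date(2017, 8, 1), 14),
    Account("asmith", "employee", date(2017, 3, 1), 8),
    Account("ctr-lee", "contractor", date(2017, 9, 1), 14,
            contract_end=date(2017, 12, 31), access_expires=date(2018, 12, 31)),
    Account("ctr-ng", "contractor", date(2017, 9, 15), 14,
            contract_end=date(2018, 3, 31), access_expires=None),
    Account("ops-batch", "shared", date(2017, 7, 15), 20, last_review=date(2016, 6, 1)),
    Account("svc-mq", "shared", date(2017, 9, 1), 20, last_review=date(2017, 1, 15)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{name}: {', '.join(findings)}")
```

Run against a real inventory, the same structure lets each finding be traced to the control it violates (password aging, length, contractor expiration, shared-account review), which is what an auditor needs when reporting whether a recommendation has actually been closed rather than merely accepted.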
