Information Security: IRS Electronic Filing Systems

GAO-01-306 Published: Feb 16, 2001. Publicly Released: Mar 15, 2001.
Highlights

A number of serious control weaknesses in the Internal Revenue Service's (IRS) electronic filing systems placed personal taxpayer data in IRS' electronic filing system at significant risk of unauthorized disclosure, use, and modification during the 2000 tax filing season. IRS recognized the importance of promptly addressing these weaknesses and stated that it has taken steps to correct them prior to the current tax filing season. Ensuring that ongoing controls over electronic filing are effective requires top-management support and leadership, disciplined processes, and consistent oversight. IRS' efforts to achieve the goal that 80 percent of all tax and information returns be filed electronically by 2007 must be balanced with the need to adequately ensure the security, privacy, and reliability of taxpayer and other sensitive information. Failure to maintain adequate security over IRS' electronic filing systems could erode public confidence in electronically filing tax returns, jeopardize IRS' ability to meet the 80 percent goal, and deprive IRS of the many benefits that electronic filing offers.

Recommendations

Recommendations for Executive Action

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer to complete efforts to implement an action plan for strengthening access controls over IRS electronic filing systems and networks. To assist in this effort, GAO has provided technical recommendations that address specific access control weaknesses that IRS should address as part of its efforts.
Status: Closed – Implemented
IRS has substantially completed its planned efforts to improve safeguards that control external access to its electronic filing systems and networks. It has taken steps to improve perimeter defenses and prevent individuals from gaining unauthorized access to e-file systems and information. To illustrate, IRS has redesigned the e-file system architecture, strengthened modem controls, and installed network control devices that collectively are configured to filter inbound and outbound computer network traffic to e-file computers and allow only authorized traffic through its filters.

Agency Affected: Internal Revenue Service
Recommendation: The Chief Information Officer should periodically report to the Commissioner of Internal Revenue on progress made to implement this action plan and on the results of efforts to continually monitor the risks and effectiveness of security controls over IRS electronic filing systems and electronically filed taxpayer data.
Status: Closed – Implemented
The CIO periodically reports to the Commissioner on progress made to implement the action plan. The Office of Security Services conducts independent reviews to ensure actions have been completed as prescribed by the action plan.

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer to complete actions required for the certification and accreditation of an e-file system.
Status: Closed – Implemented
IRS has completed actions to certify and accredit an e-file system.

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer to fully implement procedures to assess risks and monitor the effectiveness of security controls over IRS' electronic filing systems on an ongoing basis.
Status: Closed – Implemented
IRS has implemented procedures to assess risks and monitor the effectiveness of controls over the e-file system.

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer to enhance the edit and data validation routines in an e-file system to detect erroneous or invalid data on electronically filed tax returns.
Status: Closed – Implemented
IRS will continue to enhance edit and validation routines to detect erroneous or invalid data on the system. A tax form was revised to correct a situation where the system did not validate that the taxpayer identification numbers on the form and on an attachment matched.

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Chief Information Officer to improve the integrity of the e-file production environment by (1) removing software development tools from the production environment, if feasible, or restricting access to the tools to the minimum number of users who require it and (2) disallowing developers access to production environments and taxpayer data.
Status: Closed – Implemented
Software compilers were removed from the system and developers no longer have access to the production environment and taxpayer data.

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Director of Submission Processing to implement an alternative means for taxpayers to authenticate electronically filed returns or to strengthen procedures for receiving signed Forms 8453 for electronically filed tax returns.
Status: Closed – Implemented
IRS has implemented an alternative means--a nationwide PIN program known as Self-Select PIN--for taxpayers to authenticate electronically filed returns.

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should direct the Director of Electronic Tax Administration to provide notice to taxpayers concerning (1) transmitter access to electronic tax return data in clear text and (2) electronic transmission of tax returns to IRS in clear text.
Status: Closed – Implemented
During its FY 2001 audit of IRS's computer controls over external access points and internal networks and systems, GAO found that most electronically filed tax returns were submitted by third-party transmitters, and that IRS did not accept these returns in encrypted form. As a result, personal taxpayer data was at increased risk of unauthorized disclosure, use, and modification. GAO recommended that IRS notify taxpayers that transmitters have access to tax return data in clear text and that returns are transmitted in clear text. In response, as of January 2003, IRS has notified taxpayers on its Web site that there are inherent risks associated with using third parties to prepare and file tax returns.

Topics

Computer crimes, Computer security, Electronic forms, Information resources management, Software, Tax information confidentiality, Electronic filing, Taxpayers, Tax returns, Tax filing