Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS
Highlights
The Internal Revenue Service (IRS) relies extensively on computerized systems to carry out its demanding responsibilities to collect taxes (about $2.7 trillion in fiscal years 2008 and 2007), process tax returns, and enforce the nation's tax laws. Effective information security controls are essential to protect financial and taxpayer information from inadvertent or deliberate misuse, improper disclosure, or destruction. As part of its audits of IRS's fiscal years 2008 and 2007 financial statements, GAO assessed (1) the status of IRS's actions to correct previously reported weaknesses and (2) whether controls were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies and procedures and other documents; tested controls over key financial applications; and interviewed key agency officials.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Internal Revenue Service | In addition to implementing our previous recommendations, and to implement an agencywide information security program, the Commissioner of Internal Revenue should ensure risk assessments for IRS systems are reviewed at least annually. | In fiscal year 2011, we verified that IRS had ensured that its system risk assessments had been reviewed at least annually. |
Internal Revenue Service | In addition to implementing our previous recommendations, and to implement an agencywide information security program, the Commissioner of Internal Revenue should implement steps to improve the scope of testing and evaluating controls, such as those for weak passwords. | In 2012, we validated that IRS implemented steps to improve the scope of testing by updating its standard operating procedures for system testing associated with its enterprise continuous monitoring process. |