Skip to main content

Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS

GAO-09-136 Published: Jan 09, 2009. Publicly Released: Jan 09, 2009.
Jump To:
Skip to Highlights

Highlights

The Internal Revenue Service (IRS) relies extensively on computerized systems to carry out its demanding responsibilities to collect taxes (about $2.7 trillion in fiscal years 2008 and 2007), process tax returns, and enforce the nation's tax laws. Effective information security controls are essential to protect financial and taxpayer information from inadvertent or deliberate misuse, improper disclosure, or destruction. As part of its audits of IRS's fiscal years 2008 and 2007 financial statements, GAO assessed (1) the status of IRS's actions to correct previously reported weaknesses and (2) whether controls were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies and procedures and other documents; tested controls over key financial applications; and interviewed key agency officials.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Internal Revenue Service In addition to implementing our previous recommendations, and to implement an agencywide information security program, the Commissioner of Internal Revenue should ensure risk assessments for IRS systems are reviewed at least annually.
Closed – Implemented
In fiscal year 2011, we verified that IRS had ensured that its system risk assessments had been reviewed at least annually
Internal Revenue Service In addition to implementing our previous recommendations, and to implement an agencywide information security program, the Commissioner of Internal Revenue should implement steps to improve the scope of testing and evaluating controls, such as those for weak passwords.
Closed – Implemented
In 2012, we validated that IRS implemented steps to improve the scope of testing by updating its standard operating procedures for system testing associated with its enterprise continuous monitoring process.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Access controlComputer securityData encryptionData integrityInformation classificationInformation disclosureInformation managementInformation securityInternal controlsPasswordsProgram evaluationReporting requirementsRisk assessmentRisk managementSystem vulnerabilitiesSystems analysisSystems integrityTax administration systemsTax information confidentialityTaxpayersCorrective action