IRS Has More Work to Do to Protect Financial and Taxpayer Data

Published: August 03, 2017


According to GAO, IRS has made progress in addressing control deficiencies that affect the security, confidentiality, integrity and availability of key tax processing and financial systems. However, not all vulnerabilities have been addressed and new deficiencies have also been identified.

GAO reviewed IRS security policies, plans and procedures; interviewed agency officials; and tested controls in order to assess the effectiveness of security controls for major tax and financial systems. Its review indicated that IRS made progress in addressing some previously reported control deficiencies; however, a number of deficiencies were not addressed and new deficiencies were also identified. During FY 2016, IRS made access control improvements to several system administrator accounts and updated certain software to prevent exposure to known vulnerabilities. But the agency did not always:

  • Limit or prevent unnecessary access to systems
  • Monitor system activities to reasonably assure compliance with security policies
  • Reasonably assure that software was supported by the vendor and was updated to protect against known vulnerabilities
  • Segregate incompatible duties
  • Update system contingency plans to reflect changes to the operating environment

GAO found that the deficiencies were primarily caused by incomplete implementation of IRS’ information security program. Although the IRS information security program was sound, portions of the program were not being carried out. For example, IRS developed and documented security plans, but in some cases failed to effectively manage risk or update certain policies and procedures.

IRS had 94 recommendations from GAO open at the beginning of FY 2016. It resolved 26, but received 98 additional recommendations from GAO’s FY 2016 audit, leaving it with a total of 166 outstanding recommendations at the end of the FY 2016 audit. Unless IRS resolves these control deficiencies, key financial reporting and taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure, according to GAO.

IRS neither agreed nor disagreed with GAO’s recommendations, but stated that it would review each of the recommendations and ensure that its corrective actions include sustainable fixes that implement appropriate security controls.