GAO Identifies New IRS Information System Security Deficiencies

Published: July 25, 2019


During an audit of IRS FY 2017 and 2018 financial statements, GAO identified new information system security control deficiencies that potentially put taxpayer data and IRS financial reporting at risk.

Specifically, GAO found 14 new IT security control deficiencies in the areas of access control (8), configuration management (4), segregation of duties (1) and contingency planning (1). GAO made 20 recommendations to remedy these problems.

GAO’s audit was conducted through:

  • Review of IRS information security policies, plans, and procedures
  • Testing of controls over selected financial reporting systems
  • Review of previously identified control deficiencies
  • Assessment of corrective actions by IRS
  • Interviews of agency officials involved with the management and operation of selected systems

Access controls include both logical and physical controls related to:

  • Protection of system boundaries
  • Identification and authentication of users
  • Authorization of access permissions
  • Encryption of sensitive information
  • Audit and monitoring of system activity
  • Physical security of facilities and computing resources

Configuration management ensures that systems are operating securely and as intended, and can be described as the administration of security features for all hardware, software, and firmware components of an information system. When configuration management is not consistently executed, system vulnerability increases.

Segregation of duties provides checks and balances in an organization by ensuring that no single group or individual holds total authority or responsibility.

Contingency planning ensures continuity of the key operations for information systems in the event of an emergency, disaster or outage.

Due to the sensitive nature of IRS systems, GAO did not publicly release its entire report or findings. Instead, it released a public version of a LIMITED OFFICIAL USE ONLY report that was issued concurrently.

GAO also found that IRS had remedied 46 out of 154 deficiencies it had identified in a July 2018 audit. IRS now has a total of 127 open recommendations from GAO related to IT control deficiencies, 107 of which are outstanding from the previous year. Most of the outstanding recommendations are in the area of access control (93).

The IRS agreed with GAO’s recommendations and plans to proceed with corrective actions to address the outstanding deficiencies.