Federal Manager's Daily Report

GAO has called on the IRS to further improve internal controls over financial reporting and taxpayer data.

While the agency has implemented many controls and procedures to protect key financial and tax-processing systems, GAO said that control weaknesses in these systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information.

The agency continues to face challenges controlling access to its information resources, for example, by not always implementing controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time.

It also has not always appropriately restricted access to certain servers, ensured that sensitive data were encrypted when transmitted, audited and monitored systems to ensure that unauthorized activities would be detected, or ensured management validation of access to restricted areas, according to GAO-12-393.

The report said outdated software exposed IRS to known vulnerabilities, and that the agency had not enforced backup procedures for a key system.

While the IRS has established a framework for a comprehensive information security program, and has made strides to address control deficiencies — such as establishing working groups to identify and remediate specific at-risk control areas — it has yet to fully implement all key components of its program. The IRS agreed to develop a corrective action plan to shore up information security practices.