From the U.S. Government Accountability Office, www.gao.gov Transcript for: Watchdog Report: The Security of Financial & Taxpayer Data at IRS Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology Related GAO Work: GAO-11-308: Information Security: IRS Needs to Enhance Internal Controls over Financial Reporting and Taxpayer Data Released on: March 15, 2011 [ Music ] [ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and information from the Government Accountability Office. It's March 15, 2011. The Internal Revenue Service is responsible for collecting and processing taxes and managing all the sensitive personal taxpayer information that entails. Greg Wilshusen, a Director in GAO's Information Technology team, helped lead a recent review of IRS's controls over key financial and tax processing systems. GAO's Jeremy Cluchey sat down with Greg to learn more. [ Jeremy Cluchey: ] Your team looked at IRS's key systems and their ability to ensure the confidentiality, integrity, and availability of sensitive financial information, some of it from taxpayers. What did you find? [ Greg Wilshusen: ] Okay, yes, Jeremy. We did this work as part of our annual audit of the IRS's financial statements. And as you may know, IRS has a very demanding job in terms of collecting taxes, enforcing the nation's tax laws. And we they rely extensively on computer systems to perform this mission. As part of our audit this year, which is an annual recurring audit, we examine issues that we've reported on previously. And last year we identified a number of vulnerabilities in IRS systems. And so we assess what actions they have taken to correct those weaknesses. And we found that IRS had taken some actions to implement security controls over that information, but the majority of the weaknesses that we previously reported remain unresolved and continue to threaten the confidentiality, integrity, and availability of that information. What's more, we also found a number of new vulnerabilities during this year's audit. For example, we found that the agency did not adequately restrict users' access to key information systems and applications. And we also found that the test that IRS conducted over its systems were not that comprehensive. And as a result, they did not identify many of the weaknesses that we reported on in this year's audit. And that speaks to the a weakness in IRS's procedures for validating and verifying the effectiveness of its corrective actions. And that's part of another recommendation that we made this year for them to make improvements in that area. [ Jeremy Cluchey: ] You mentioned that recommendation. And in this report, there are eight actions that are GAO is recommending to address these issues. What are those recommendations and how has IRS responded? [ Greg Wilshusen: ] These include taking better steps to assess the risks to their systems, particularly when changes are made to those systems. We also suggested and recommended that IRS make improvements in their procedures for testing and evaluating the security controls implemented on their systems. And we also recommended that IRS update security plans over a key application that's critical to the implementation of sound financial management practices within the IRS. And in response to our recommendations, the IRS Commissioner stated that IRS was busily working and making progress in implementing a number of corrective actions relative to the information security weaknesses on their systems and that he felt they were making significant progress in eliminating the material weakness. He also indicated that he would then provide a detailed corrective action plan for each of our recommendations in its final response to our report. [ Jeremy Cluchey: ] In terms of actual threats to the data, what are the potential negative repercussions for taxpayers if these issues remain unresolved? [ Greg Wilshusen: ] Well of course, one of the key concerns of taxpayers, I would imagine, is the protection and confidentiality of their sensitive taxpayer information. And with the weaknesses that we identified, we found that there's an increased risk that that information could be compromised by IRS insiders. And so, individuals who have no legitimate business need to view that information may have access to it given some of the weaknesses we've identified. Now IRS is taking a number of actions to help improve the security over that information as well as assuring that the information--the financial information contained in those systems--is adequately reflected in its financial statements. But this will be an area that we will continue to review as part of our ongoing audits of IRS's financial statements. [ Background Music ] [ Narrator: ] To learn more, visit GAO's Web site at GAO.gov and be sure to tune in to the next edition of GAO's Watchdog Report for more from the congressional watchdog, the Government Accountability Office.