Information Security:

IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data

GAO-12-393: Published: Mar 16, 2012. Publicly Released: Mar 16, 2012.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Nancy R. Kingsbury
(202) 512-2700
kingsburyn@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

IRS implemented numerous controls and procedures intended to protect key financial and tax-processing systems; nevertheless, control weaknesses in these systems continue to jeopardize the confidentiality, integrity, and availability of the financial and sensitive taxpayer information processed by IRS’s systems. Specifically, the agency continues to face challenges in controlling access to its information resources. For example, it had not always (1) implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time; (2) appropriately restricted access to certain servers; (3) ensured that sensitive data were encrypted when transmitted; (4) audited and monitored systems to ensure that unauthorized activities would be detected; or (5) ensured management validation of access to restricted areas. In addition, unpatched and outdated software exposed IRS to known vulnerabilities, and the agency had not enforced backup procedures for a key system.

An underlying reason for these weaknesses is that IRS has not fully implemented a comprehensive information security program. IRS has established a comprehensive framework for such a program and has made strides to address control deficiencies, such as establishing working groups to identify and remediate specific at-risk control areas; however, it has not fully implemented all key components of its program. For example, IRS’s security testing and monitoring still did not detect many of the vulnerabilities GAO identified during this audit. IRS also did not promptly correct known vulnerabilities: the agency indicated that 76 of the 105 previously reported weaknesses open at the end of GAO’s prior year audit had not yet been corrected. In addition, IRS did not always validate that its actions to resolve known weaknesses were effectively implemented. Although IRS had a process in place for verifying whether each weakness had been corrected, this process was not always working as intended. Of the 29 weaknesses IRS indicated were corrected, GAO determined that 13 (about 45 percent) had not yet been fully addressed.

Considered collectively, these deficiencies, both new and unresolved from previous GAO audits, along with a lack of fully effective compensating and mitigating controls, impair IRS's ability to ensure that its financial and taxpayer information is secure from internal threats. This reduces IRS's assurance that its financial statements and other financial information are fairly presented or reliable and that sensitive IRS and taxpayer information is being sufficiently safeguarded from unauthorized disclosure or modification. These deficiencies are the basis of GAO’s determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2011.

Why GAO Did This Study

The Internal Revenue Service (IRS) has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation’s tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect financial and sensitive taxpayer information that resides on those systems.

As part of its audit of IRS’s fiscal years 2011 and 2010 financial statements, GAO assessed whether controls over key financial and tax-processing systems are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials at seven sites.

What GAO Recommends

GAO recommends that IRS take 6 actions to fully implement key components of its comprehensive information security program. In a separate report with limited distribution, GAO is recommending that IRS take 23 specific actions to correct newly identified control weaknesses. In commenting on a draft of this report, IRS agreed to develop a detailed corrective action plan to address each recommendation.

For more information, contact Nancy R. Kingsbury at (202) 512-2700 or kingsburyn@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In 2013, we verified that IRS documented a baseline configuration standard for tasks initiated on the mainframe operating system.

    Recommendation: In addition to implementing our previous recommendations, and to fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should document a baseline configuration standard for tasks initiated on the mainframe operating system.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: In 2012, we validated that IRS documented monitoring procedures that staff use to review audit logs for a key financial application.

    Recommendation: In addition to implementing our previous recommendations, and to fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should document monitoring procedures that staff use to review audit logs for a key financial system.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Closed - Implemented

    Comments: In 2013, we verified that IRS documented monitoring procedures for its procurement system, including management review and definitions of access privileges that constitute incompatible functions.

    Recommendation: In addition to implementing our previous recommendations, and to fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should fully document monitoring procedures for the procurement system, specifically, supervisory review procedures to ensure access privileges are appropriate for segregation of duties.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Closed - Implemented

    Comments: In 2012, we validated that IRS expanded tests associated with its enterprise continuous monitoring process to include more testing of access controls.

    Recommendation: In addition to implementing our previous recommendations, and to fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should expand tests associated with the agency's enterprise continuous monitoring process to include tests of access controls and system tests, such as testing the system's configuration, where appropriate, to ensure comprehensive testing of key controls for financial and tax-related systems.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Open

    Comments: Action pending

    Recommendation: In addition to implementing our previous recommendations, and to fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should implement a compliance verification application to ensure appropriate security patches have been applied in the UNIX environment.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  6. Status: Open

    Comments: Action pending

    Recommendation: In addition to implementing our previous recommendations, and to fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.

    Agency Affected: Department of the Treasury: Internal Revenue Service
