Information Security: IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk
Highlights
What GAO Found
The Internal Revenue Service (IRS) continued to make progress in addressing information security control weaknesses and improving its internal control over financial reporting; however, weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data. During fiscal year 2013, IRS management devoted attention and resources to addressing information security controls, and resolved a number of the information security control deficiencies that were previously reported by GAO. However, significant risks remained. Specifically, the agency had not always (1) installed appropriate patches on all databases and servers to protect against known vulnerabilities, (2) sufficiently monitored database and mainframe controls, or (3) appropriately restricted access to its mainframe environment. In addition, IRS had allowed individuals to make changes to mainframe data processing without requiring them to follow established change control procedures to ensure changes were authorized, and did not configure all applications to use strong encryption for authentication, increasing the potential for unauthorized access.
An underlying reason for these weaknesses is that IRS has not effectively implemented portions of its information security program. The agency has established a comprehensive framework for the program, and continued to improve its controls; however, components of the program did not always function as intended. For example, IRS's testing procedures over financial reporting systems were not always thorough in that its testing methodology did not always determine whether required controls were operating effectively. In addition, IRS had not updated key mainframe policies and procedures to address issues such as users accessing files used by one processing environment from a different environment. Further, IRS did not include sufficient detail in its authorization procedures to ensure that access to systems was appropriate.
Until IRS takes additional steps to (1) more effectively implement its testing and monitoring capabilities, (2) ensure that policies and procedures are updated, and (3) address unresolved and newly identified control deficiencies, its financial and taxpayer data will remain vulnerable to inappropriate and undetected use, modification, or disclosure. These deficiencies, including shortcomings in the information security program, were the basis of our determination that IRS had a significant deficiency in its internal control over its financial reporting systems for fiscal year 2013.
Why GAO Did This Study
The IRS has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect the financial and sensitive taxpayer information that resides on those systems.
As part of its audit of IRS's fiscal years 2013 and 2012 financial statements, GAO assessed whether controls over key financial and tax processing systems are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials at six sites.
Recommendations
GAO is recommending that IRS take 3 actions to more effectively implement portions of its information security program. In a separate report with limited distribution, GAO recommends that IRS take 23 specific actions to address identified control weaknesses. In commenting on a draft of this report, IRS agreed to develop a detailed corrective action plan to address each recommendation.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Internal Revenue Service | To effectively implement key components of the IRS information security program, the Commissioner of Internal Revenue should update access request policies and procedures to ensure that they contain sufficiently detailed information of access requests and access assignments to facilitate effective review and verification of appropriate access privileges. |
Closed – Implemented
In fiscal year 2018, we verified that IRS, in response to our recommendation, created procedures for reconciling users access authorizations. These procedures contained sufficiently detailed information of access requests and access assignments for effectively reviewing and verifying appropriate access privileges.
|
| Internal Revenue Service | To effectively implement key components of the IRS information security program, the Commissioner of Internal Revenue should update procedures to specify the information required to be recorded in the internal system documentation for important mainframe system processes. |
Closed – Implemented
In fiscal year 2016, we verified that IRS, in response to our recommendation, had updated procedures to specify the information required to be recorded in the internal system documentation for important mainframe system processes.
|
| Internal Revenue Service | To effectively implement key components of the IRS information security program, the Commissioner of Internal Revenue should develop a remedial action plan to address known information system weaknesses or deficiencies in the workload automation software environment. |
Closed – Implemented
In 2014, GAO verified that IRS developed a remedial action plan that addressed known information security weaknesses in its workload automation software environment.
|