Skip to main content

Information Security: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data

GAO-12-393 Published: Mar 16, 2012. Publicly Released: Mar 16, 2012.
Jump To:
Skip to Highlights

Highlights

What GAO Found

IRS implemented numerous controls and procedures intended to protect key financial and tax-processing systems; nevertheless, control weaknesses in these systems continue to jeopardize the confidentiality, integrity, and availability of the financial and sensitive taxpayer information processed by IRS’s systems. Specifically, the agency continues to face challenges in controlling access to its information resources. For example, it had not always (1) implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time; (2) appropriately restricted access to certain servers; (3) ensured that sensitive data were encrypted when transmitted; (4) audited and monitored systems to ensure that unauthorized activities would be detected; or (5) ensured management validation of access to restricted areas. In addition, unpatched and outdated software exposed IRS to known vulnerabilities, and the agency had not enforced backup procedures for a key system.

An underlying reason for these weaknesses is that IRS has not fully implemented a comprehensive information security program. IRS has established a comprehensive framework for such a program, and has made strides to address control deficiencies—such as establishing working groups to identify and remediate specific at-risk control areas; however, it has not fully implemented all key components of its program. For example, IRS’s security testing and monitoring continued to not detect many of the vulnerabilities GAO identified during this audit. IRS also did not promptly correct known vulnerabilities. For example, the agency indicated that 76 of the 105 previously reported weaknesses open at the end of GAO’s prior year audit had not yet been corrected. In addition, IRS did not always validate that its actions to resolve known weaknesses were effectively implemented. Although IRS had a process in place for verifying whether each weakness had been corrected, this process was not always working as intended. Of the 29 weaknesses IRS indicated were corrected, GAO determined that 13 (about 45 percent) had not yet been fully addressed.

Considered collectively, these deficiencies, both new and unresolved from previous GAO audits, along with a lack of fully effective compensating and mitigating controls, impair IRS's ability to ensure that its financial and taxpayer information is secure from internal threats. This reduces IRS's assurance that its financial statements and other financial information are fairly presented or reliable and that sensitive IRS and taxpayer information is being sufficiently safeguarded from unauthorized disclosure or modification. These deficiencies are the basis of GAO’s determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2011.

Why GAO Did This Study

The Internal Revenue Service (IRS) has a demanding responsibility in collecting taxes, processing tax returns, and enforcing the nation’s tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect financial and sensitive taxpayer information that resides on those systems.

As part of its audit of IRS’s fiscal years 2011 and 2010 financial statements, GAO assessed whether controls over key financial and tax-processing systems are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials at seven sites.

Recommendations

GAO recommends that IRS take 6 actions to fully implement key components of its comprehensive information security program. In a separate report with limited distribution, GAO is recommending that IRS take 23 specific actions to correct newly identified control weaknesses. In commenting on a draft of this report, IRS agreed to develop a detailed corrective action plan to address each recommendation.

Recommendations for Executive Action

Agency Affected Recommendation Status
Internal Revenue Service In addition to implementing our previous recommendations, and to fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should document a baseline configuration standard for tasks initiated on the mainframe operating system
Closed – Implemented
In 2013, we verified that IRS documented a baseline configuration standard for tasks initiated on the mainframe operating system.
Internal Revenue Service In addition to implementing our previous recommendations, and to fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should document monitoring procedures that staff use to review audit logs for a key financial system.
Closed – Implemented
In 2012, we validated that IRS documented monitoring procedures that staff use to review audit logs for a key financial application.
Internal Revenue Service In addition to implementing our previous recommendations, and to fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should fully document monitoring procedures for the procurement system, specifically, supervisory review procedures to ensure access privileges are appropriate for segregation of duties.
Closed – Implemented
In 2013, we verified that IRS documented monitoring procedures for its procurement system, including management review and definitions of access privileges that constitute incompatible functions.
Internal Revenue Service In addition to implementing our previous recommendations, and to fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should expand tests associated with the agency's enterprise continuous monitoring process to include tests of access controls and system tests, such as testing the system's configuration, where appropriate, to ensure comprehensive testing of key controls for financial and tax-related systems.
Closed – Implemented
In 2012, we validated that IRS expanded tests associated with its enterprise continuous monitoring process to include more testing of access controls.
Internal Revenue Service In addition to implementing our previous recommendations, and to fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should implement a compliance verification application to ensure appropriate security patches have been applied in the UNIX environment.
Closed – Implemented
In 2015, we verified that IRS had implemented a verification application to determine whether appropriate security patches had been applied in its UNIX environment.
Internal Revenue Service In addition to implementing our previous recommendations, and to fully implement key components of the IRS comprehensive information security program, the Commissioner of Internal Revenue should implement a compliance verification application, or other appropriate process, to ensure configuration policies are comprehensively tested on the mainframe.
Closed – Not Implemented
The condition continued to exist for our 2016 audit. IRS did not submit this recommendation for closure at the start of our 2016 audit. We performed subsequent testing in 2016 and confirmed that the agency still had not implemented a compliance verification application, or other appropriate process, to ensure configuration policies were comprehensively tested on the mainframe. IRS provided no information on whether it plans to address this specific recommendation in the future.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Taxpayer informationFinancial reportingInternal controlsInformation securityInformation systemsSensitive dataContingency plansConfidential communicationsDatabase management systemsUnauthorized access