
Information Security: IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting Sensitive Financial and Taxpayer Data

GAO-18-391 Published: Jul 31, 2018. Publicly Released: Jul 31, 2018.

Fast Facts

IRS must keep its computer systems secure to protect sensitive financial and taxpayer information. We assessed whether it had effective controls in place to safeguard this information in fiscal 2016 and 2017.

We found IRS made progress in resolving a number of previously reported deficiencies, such as enforcing the use of encryption. However, we found continuing and new deficiencies, such as unenforced rules for password security.

In this report, we recommended that IRS take 5 additional actions to bolster security. In a separate report with limited distribution, we recommended 32 other actions to address newly identified deficiencies.

 


Highlights

What GAO Found

The Internal Revenue Service (IRS) has made progress in resolving a number of previously reported control deficiencies. During fiscal year 2017, the agency made improvements in access controls by, for example, restricting unnecessary user access to certain applications and enforcing strong encryption on certain systems. IRS also corrected a previously identified contingency planning weakness for one system.

Nevertheless, continuing and newly identified control deficiencies limited the effectiveness of security controls for protecting the confidentiality, integrity, and availability of IRS's financial and tax processing systems. For example, IRS did not consistently (1) implement access controls by enforcing password expirations and minimum password lengths or by updating expiration dates for contractor passwords; (2) apply configuration management controls by documenting authorizations and approvals for changes to mainframe data and processing, or by installing critical security patches on multiple devices; and (3) implement certain components of its security program by correcting weaknesses in procedures or by updating system security plans. GAO has made recommendations to IRS to correct the identified security control deficiencies (see table). However, many deficiencies have not been corrected, and a large number of recommendations remained open at the conclusion of the audit of IRS's financial statements for fiscal year 2017.

Status of GAO Information Security Control Recommendations to IRS to Correct Control Deficiencies at the Conclusion of Fiscal Year 2017

| Information security control area | Prior recommendations open at the beginning of FY 2017 | Prior recommendations closed at the end of FY 2017 | New recommendations resulting from FY 2017 audit | Total outstanding recommendations at the end of FY 2017 |
|---|---|---|---|---|
| Access controls | 120 | (35) | 21 | 106 |
| Configuration management | 29 | (10) | 13 | 32 |
| Segregation of duties | 1 | (0) | 0 | 1 |
| Contingency planning | 2 | (1) | 1 | 2 |
| Security program | 14 | (3) | 2 | 13 |
| Total | 166 | (49) | 37 | 154 |

Legend: FY = fiscal year

Source: GAO analysis of Internal Revenue Service (IRS) data. | GAO-18-391

Until IRS takes additional steps to address unresolved and newly identified control deficiencies and effectively implements components of its information security program, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure. These shortcomings were the basis for GAO's determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2017.

Why GAO Did This Study

The IRS has a demanding responsibility to collect taxes, process tax returns, and enforce the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect the sensitive financial and taxpayer information that resides on those systems.

As part of its audit of IRS's fiscal year 2017 and 2016 financial statements, GAO assessed whether controls over financial and tax processing systems were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over selected financial systems and applications; and interviewed key agency officials at four IRS locations.

Recommendations

In addition to the prior recommendations that have not been implemented, GAO is recommending that IRS take 5 additional actions to more effectively implement security-related policies and plans. In a separate report with limited distribution, GAO is recommending 32 actions that IRS can take to address newly identified control deficiencies. In commenting on a draft of this report, IRS agreed with GAO's recommendations and stated that it would review each of the recommendations and ensure that its corrective actions include a root cause analysis for sustainable fixes that implement appropriate security controls.

Recommendations for Executive Action

| Agency Affected | Recommendation | Status |
|---|---|---|
| Internal Revenue Service | The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by entering correct contractor password expiration dates, per IRS's policy, in the system used for managing user access authorizations. (Recommendation 1) | Closed – Implemented. In fiscal year 2020, we verified that the IRS, in response to our recommendation, improved their information security program by entering correct contractor password expiration dates, per IRS's policy, in the system used for managing user access authorizations. |
| Internal Revenue Service | The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by documenting access authorizations for non-unique accounts. (Recommendation 2) | Closed – Implemented. In fiscal year 2021, we verified that IRS, in response to our recommendation, documented access authorizations for non-unique accounts that were approved by the system or application owners. |
| Internal Revenue Service | The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by reviewing non-unique accounts at least annually, per IRS's policy. (Recommendation 3) | Closed – Implemented. In fiscal year 2021, we verified that IRS, in response to our recommendation, reviewed non-unique accounts on a weekly basis. |
| Internal Revenue Service | The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by updating security plans for three systems to reflect changes to their operating environment. (Recommendation 4) | Closed – Implemented. In fiscal year 2019, we verified that IRS, in response to our recommendation, updated the system security plans for the three identified systems to reflect current system changes and all changes to their operating environment. These corrective actions met the intent of our recommendation. |
| Internal Revenue Service | The Commissioner of Internal Revenue should take steps to improve the implementation of IRS's information security program by removing from five systems security plans, references to logging standards that IRS has rescinded. (Recommendation 5) | Closed – Implemented. In fiscal year 2018, we verified that IRS, in response to our recommendation, removed from the five systems security plans we reviewed, references to logging standards that it had rescinded. |


GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Access control, Confidential communications, Financial systems, Information security, Information systems, Internal controls, Sensitive data, Taxpayer data, Taxpayer information, Taxpayers