Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security Controls
Fast Facts
IRS must keep its computer systems secure to protect sensitive financial and taxpayer information. We assessed whether it had effective controls in place to safeguard this information in the past and again during fiscal year 2018. This report discusses the new deficiencies we found and efforts to fix earlier ones.
We identified 14 new information system security control deficiencies, such as weaknesses in access controls and in procedures to help ensure information systems are operating securely. Weaknesses like these place IRS's systems and data at risk.
Highlights
What GAO Found
During its audit of the Internal Revenue Service's (IRS) fiscal years 2018 and 2017 financial statements, GAO identified new deficiencies in information system security controls that, along with unresolved control deficiencies from prior audits, collectively represent a significant deficiency in the agency's internal control over financial reporting systems. Specifically, GAO identified 14 new deficiencies in information system security controls over certain IRS financial and tax processing systems that are relevant to internal control over financial reporting. Of the 14 new deficiencies, eight were related to access controls, four were related to configuration management, one was related to segregation of duties, and one was related to contingency planning. In a separately issued LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management detailed information regarding the 14 new information system security control deficiencies and made 20 recommendations to address them.
In addition, GAO found that as of September 30, 2018, IRS had completed corrective actions to address information system security control deficiencies associated with 46 of the 154 recommendations resulting from GAO's financial audits, and as a result, these recommendations were closed. GAO closed one additional recommendation that was no longer relevant because of changes in the agency's operating environment. In the LIMITED OFFICIAL USE ONLY report, GAO communicated to IRS management the status of previously reported recommendations as of September 30, 2018.
As a result, IRS has 127 GAO recommendations to address—the 107 remaining open recommendations from GAO's prior financial audits and the 20 new recommendations GAO made in the LIMITED OFFICIAL USE ONLY report. Until these new and continuing control deficiencies are fully addressed, IRS financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.
Status of GAO Recommendations to IRS for Addressing Information System Security Control Deficiencies
| Information system security control area | Open recommendations from prior audits | Prior recommendations closed as of September 30, 2018 | New recommendations resulting from FY 2018 audit | Total remaining open recommendations |
|---|---|---|---|---|
| Access controls | 106 | 24 | 11 | 93 |
| Configuration management | 32 | 13 | 7 | 26 |
| Segregation of duties | 1 | 1 | 1 | 1 |
| Contingency planning | 2 | 2 | 1 | 1 |
| Information security program | 13 | 7 | — | 6 |
| Total | 154 | 47 | 20 | 127 |
Legend: FY = fiscal year; — = no recommendation made.
Source: GAO analysis of Internal Revenue Service (IRS) data. | GAO-19-474R
Why GAO Did This Study
This report presents the new information system security control deficiencies identified during GAO's audit of IRS's fiscal years 2018 and 2017 financial statements based on its fiscal year 2018 testing of controls over certain IRS financial and tax processing systems relevant to internal control over financial reporting. This report also includes the results of GAO's fiscal year 2018 follow-up on the status of IRS's corrective actions to address information system control deficiencies and associated recommendations contained in GAO's prior years' reports that were open at the beginning of GAO's fiscal year 2018 audit.
Recommendations
In a separately issued LIMITED OFFICIAL USE ONLY report, GAO made 20 recommendations to address the 14 new information system security control deficiencies related to access controls, configuration management, segregation of duties, and contingency planning. In commenting on a draft of the separately issued LIMITED OFFICIAL USE ONLY report, IRS agreed with our recommendations and stated that it will ensure that its corrective actions include root cause analysis for sustainable fixes that implement appropriate security controls. GAO will evaluate the effectiveness of IRS's efforts to address these deficiencies during its audit of IRS's fiscal year 2019 financial statements.