Monday, April 18, 2016
Government Accountability Office, IRS Needs to Further Enhance Controls over Taxpayer and Financial Data (GAO-16-590T):
In March 2016 GAO reported that the Internal Revenue Service (IRS) had instituted numerous controls over key financial and tax processing systems; however, it had not always effectively implemented safeguards intended to properly restrict access to systems and information. In particular, while IRS had improved some of its access controls, weaknesses remained with identifying and authenticating users, authorizing users' level of rights and privileges, encrypting sensitive data, auditing and monitoring network activity, and physically securing its computing resources. These weaknesses were due in part to IRS's inconsistent implementation of its agency-wide security program, including not fully implementing GAO recommendations. The table below shows the status of prior and new GAO recommendations as of the end of its fiscal year (FY) 2015 audit of IRS's information security. GAO concluded that these weaknesses collectively constituted a significant deficiency for the purposes of financial reporting for fiscal year 2015. Until they are effectively mitigated, taxpayer and financial data will continue to be exposed to unnecessary risk.
The importance of protecting taxpayer information is further highlighted by the billions of dollars that have been lost to identity theft refund fraud, which continues to be an evolving threat. While IRS has taken steps to address this issue, as GAO reported in January 2015 it has yet to assess the costs, benefits, and risks of methods for improving the authentication of taxpayers' identity.