The report, released this month, is entitled Information Security: IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk. The objective of the audit was to determine whether “IRS’s controls over its key financial and tax processing systems are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information.”
The GAO found that the IRS “had not always effectively implemented access and other controls to protect the confidentiality, integrity, and availability of its financial systems and information. These weaknesses and others in IRS’s security program increase the risk that taxpayer and other sensitive information could be disclosed or modified without authorization.”
“In addition, authorized users could intentionally or unintentionally read, add, delete, or modify data or execute changes that are outside their span of authority.” Also, access privileges allowed all users of the IRS’s internal network to read files and gave administrators more access than needed in certain instances. (pg 8)
The GAO found that the IRS has made some progress in addressing the security issues, but the risk to taxpayer data still exists.
“IRS continued to make progress in addressing information security control weaknesses, improving its internal control over financial reporting,” reads the audit. “[H]owever, serious weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data.”