IRS needs to improve taxpayer information security, GAO says

Two-year audit shows IRS's previous security weaknesses remain unresolved

The Government Accountability Office has found that the Internal Revenue Service has made progress in securing taxpayer information, but has been deficient in preventing, limiting and detecting unauthorized access to financial systems.

GAO performed a two-year audit of the IRS to assess whether controls over key financial and tax processing systems were effective in ensuring the confidentiality, integrity and availability of financial and sensitive taxpayer information.

GAO found that the IRS did not sufficiently:

  • Restrict users' access to databases to only the access needed to perform their jobs.
  • Secure the system it uses to support and manage its computer access request, approval and review processes.
  • Update database software residing on servers that support its general ledger system.
  • Enable certain auditing features on databases supporting several key systems.

GAO said 74 percent of the IRS’ previous information security weaknesses (65 of 88) had not been resolved. According to GAO, this is because the “IRS has not yet fully implemented key components of its comprehensive information security program.” The IRS program for testing its deficiencies did not match the criteria used by GAO, so there was a gap between the progress the IRS thought it had made and what GAO found in the audit.

IRS Commissioner Douglas Shulman responded, “The IRS has established enterprise repeatable processes which are overseen by an internal team that performs self-inspections, identifies and mitigates risks, and provides executive governance over the corrective actions of this material weakness. The combination of all these actions makes us confident that we are steadily progressing toward eliminating this issue as a material weakness.”

GAO recommended that the IRS fully implement key components of its comprehensive information security program. That includes updating the risk assessment for the mainframe environment whenever there is a change to the system or the facility where the system resides, and updating procedures pertaining to password controls to maintain consistency.

All the recommendations are in progress, with status changes coming in subsequent GAO audits of the IRS.

About the Author

Dan Rowinski is a staff reporter covering communications technologies.