GAO audit shows IRS has ongoing information security gaps

In a recent audit of the IRS’s financial statements, the GAO said that the tax agency allows individuals more access to sensitive information on the network than they need to perform their jobs and has not addressed an information security vulnerability in its procurement system that allows users to bypass application controls.

The government watchdog also identified information security problems with the IRS’s Redesign Revenue Accounting Control System (RRACS), which compromise the agency’s ability to “segregate incompatible duties”, jeopardizing the integrity of the RRACS data. It also cited lax security regarding visitors’ access to sensitive areas in IRS data centers.

“Absent effective information security, confidential taxpayer records will remain at risk and both IRS’s management and we, as IRS’s auditors, will continue to be unable to rely on the automated controls, including those to ensure the integrity of electronic signatures, built into these systems to assist in obtaining reasonable assurance of the reliability of reported balances”, the GAO said.

In addition, the IRS faces a challenge securing taxpayer information contained in hard-copy documents and associated tax payments. “As long as IRS continues to receive such large volumes of hard-copy taxpayer payments and supporting data, there will continue to be a significant risk to the government and taxpayers alike that loss of receipts or inappropriate disclosure or compromise of taxpayer information may occur during this process”, the GAO warned.

In the report, the IRS responded that it made “notable improvements” in information security during fiscal year 2010. These information security improvements included: completing corrective actions in network access controls; implementing standard information security configurations and establishing metrics in the areas of inventory management and configuration management, auditing, access authorization, and change management for network access systems and devices; and upgrading its Integrated Financial System servers and the UNIX operating system to Solaris 10.
