A GAO audit of the tax agency found that it “did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its financial systems and information.”
The government watchdog slammed the agency for failing to fix 74% of previously identified information security weaknesses, as well as for saying it fixed 16 information security flaws that it in fact had not addressed.
According to the GAO, the IRS did not sufficiently restrict users' access to databases to only the access needed to perform their jobs; secure the system it uses to support and manage its computer access request, approval, and review processes; update database software residing on servers that support its general ledger system; or enable certain auditing features on databases supporting several key systems.
“As a result, financial and taxpayer information are at increased risk of unauthorized disclosure, modification, or destruction; financial data is at increased risk of errors that result in misstatement; and the agency's management decisions may be based on unreliable or inaccurate financial information”, the audit said.
In a limited distribution report, the GAO proposed a whopping 32 actions for the IRS to take in order to secure its information systems.
In a response to the audit, IRS Commissioner Douglas Shulman said: "The IRS has established enterprise repeatable processes which are overseen by an internal team that performs self-inspections, identifies and mitigates risks, and provides executive governance over the corrective actions of this material weakness. The combination of all these actions makes us confident that we are steadily progressing toward eliminating this issue as a material weakness.”
Shulman added that his agency would develop a corrective action plan to address each of the GAO’s recommendations.