Continued weaknesses in information security controls “increase the risk of inappropriate access, alteration, or abuse of proprietary IRS programs and electronic data and taxpayer information”, the GAO warned.
In particular, the GAO expressed concern about internal controls over the IRS’s financial management systems. The agency’s “continued material weakness in information security controls limit IRS’s ability to provide reasonable assurance that (1) the financial statements are fairly presented; (2) financial management information relied on to support day-to-day decision making is current, complete, and accurate; and (3) proprietary information processed by these automated systems is appropriately safeguarded.”
At the same time, the GAO praised the IRS for forming cross-functional working groups to identify and remediate specific at-risk information security control areas and for making improvements in several system-level information security controls.
The IRS responded to the GAO’s audit by asserting that it had made progress in improving the information security of its financial management systems. “We have a solid management team dedicated to promoting the highest standard of financial management, and we continue to increase the focus on information security and internal controls while improving financial reporting”, wrote IRS Commissioner Douglas Shulman.