GAO Takes IRS to Task on Information Security Control Lapses

By Frank Byrt

Although the IRS has continued to make progress in addressing information security control weaknesses, the Government Accountability Office (GAO) said in a March 2013 report that "serious weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data."
 
The GAO report, Information Security: IRS Has Improved Controls but Needs to Resolve Weaknesses, is based on its audit of the IRS' fiscal years 2011 and 2012 and assesses the effectiveness of the IRS' key financial and tax-processing systems in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. The report also reviews the progress the IRS has made toward remedying security problems identified in a previous GAO audit.
 
While the report acknowledges that the IRS has dedicated significant assets toward resolving information security controls weaknesses, there are lingering deficiencies in that area along with new ones identified during the latest audit. "While not collectively considered a material weakness [the deficiencies] are important enough to merit the attention of those charged with governance of IRS."
 
An underlying reason for these weaknesses is that the IRS has not effectively implemented portions of its own information security program, the report said.
 
Among the issues cited by the GAO as needing attention are identifying and authenticating control weaknesses that provide access to systems and data. The GAO found: 
  • Authentication controls for some databases were not set to prevent certain types of   vulnerabilities.
  • Passwords were stored without adequate controls to prevent them from being disclosed.
  • Controls over the complexity and age of passwords for some databases were not adequate; sometimes there were passwords that could be easily guessed or that had not been changed in nearly two years.
The GAO said the system's vulnerability was compounded by the fact that the unauthorized access would be virtually undetectable since no unusual system activity would be involved if the unauthorized access would be made via a valid username and password. "As a result of these weaknesses, the IRS had reduced ability to control who was accessing its systems and data."
 
The GAO report concluded that "until the IRS appropriately controls users' access to its systems and effectively implements its procedures for authorization, the agency has limited assurance that its information resources are being protected from unauthorized access, alteration, and disclosure."
 
In a March 11, 2013, response letter amended to the GAO report, IRS Acting Commissioner Steven T. Miller wrote, "The IRS continued to make improving security a top priority during fiscal year 2012. We are pleased the Government Accountability Office recognized our progress in strengthening controls over information security resulting in a downgrade of the information security material weaknesses." 
 
He added, "We will review of all of GAO's reported recommendations to ensure that our actions include sustainable fixes that implement appropriate security controls."
 
Related articles:
 

You may like these other stories...

IRS audits less than 1 percent of big partnershipsAccording to an April 17 report from the Government Accountability Office (GAO), the IRS audits fewer than 1 percent of large business partnerships, Stephen Ohlemacher of the...
Legislation coming out of Washington just might reduce homeowners' burden for disaster insurance. It's a topic very much on everyone's minds since the mudslide in Oso, Washington. The loss of human life was...
Divorce is hard, and the IRS isn't going to make it any easier. The IRS generally says "no" to tax deductions that might ease the pain of divorce. In certain circumstances, however, you might be able to salvage...

Upcoming CPE Webinars

Apr 22
Is everyone at your organization meeting your client service expectations? Let client service expert, Kristen Rampe, CPA help you establish a reputation of top-tier service in every facet of your firm during this one hour webinar.
Apr 24
In this session Excel expert David Ringstrom, CPA introduces you to a powerful but underutilized macro feature in Excel.
Apr 25
This material focuses on the principles of accounting for non-profit organizations' revenues. It will include discussions of revenue recognition for cash and non-cash contributions as well as other revenues commonly received by non-profit organizations.
Apr 30
During the second session of a four-part series on Individual Leadership, the focus will be on time management- a critical success factor for effective leadership. Each person has 24 hours of time to spend each day; the key is making wise investments and knowing what investments yield the greatest return.