GAO Audit Reveals IRS Security Weaknesses

The Government Accountability Office recently reported that the Internal Revenue Service has made limited progress toward correcting or mitigating previously reported information security weaknesses. The report found 66 percent of the weaknesses that GAO had previously identified still existed.

As part of its audit of the IRS’s 2005-06 financial statements, the GAO took a look at what the agency was doing to correct previously reported information security weaknesses. To examine whether the controls in place were effective in ensuring the “confidentiality, integrity, and availability of financial and sensitive taxpayer information,” the GAO examined IRS information security policies and procedures, guidance, security plans, reports, and other documents. The office also tested controls over five critical applications at a trio of IRS sites and interviewed key security representatives and management officials.

Specifically, the IRS has corrected or mitigated 25 of the 73 information security weaknesses that the GAO reported as unresolved during its last review. Significant weaknesses in access controls and other information security controls continue to threaten the IRS’s financial and tax processing systems and information.

For example, while the IRS has improved password controls on its servers, it continues to use inadequate account lockout settings for Windows servers and to inadequately verify employees’ identities against official IRS photo identification.

A primary reason for the weaknesses is that the IRS has not yet fully implemented its information security program. The GAO recommended, and the IRS agreed, that the agency-wide program -- which includes risk assessments, enhanced policies and procedures, security plans, training, adequate tests and evaluations, and a continuity of operations process for all major systems -- must be implemented.

The full report is available at www.gao.gov/new.items/d07364.pdf.
