By Jim Kouri
After receiving its 2011 audit report from the Government Accountability Office regarding agency deficiencies, the Treasury Department and the Internal Revenue Service upgraded the controls and procedures intended to protect key financial and tax-processing systems.
Nevertheless, control weaknesses in these systems continue to jeopardize the confidentiality, integrity, and availability of the financial and sensitive taxpayer information processed by IRS’s systems, according to the GAO report released on Friday.
According to GAO analysts, the IRS continues to face challenges in controlling access to its information resources. For example, it had not always implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time. Nor has it appropriately restricted access to certain servers and ensured that sensitive data is encrypted when transmitted.
An underlying reason for these weaknesses is that the IRS has not fully implemented a comprehensive information security program, according to GAO analysts.
The IRS has established a comprehensive framework for such a program, and has made strides to address control deficiencies — such as establishing working groups to identify and mediate specific at-risk control areas. But it hasn’t fully implemented all key components of its program. For example, IRS’s security testing and monitoring continued to not detect many of the vulnerabilities GAO identified during this latest audit.
The IRS also did not promptly correct known vulnerabilities, according to the GAO’s analysis. For example, the agency indicated that 76 of the 105 previously reported weaknesses open at the end of GAO’s prior year audit had not yet been corrected.
“IRS did not always follow-up to ensure that its actions to resolve known weaknesses were effectively implemented,” a forensic accountant told the Law Enforcement Examiner.
“Although IRS had a process in place for verifying whether each weakness had been corrected, this process was not always working as intended. Of the 29 weaknesses IRS indicated were corrected, GAO determined that 13 (about 45 percent) had not yet been fully addressed,” said Tom Haneas, a forensic accountant and security specialist.
Considered collectively, these deficiencies, both new and unresolved from previous GAO audits, along with a lack of fully effective compensating and mitigating controls, impair IRS’s ability to ensure that its financial and taxpayer information is secure from internal threats, according to the GAO report.
This reduces IRS’s assurance that its financial statements and other financial information are fairly presented or reliable and that sensitive IRS and taxpayer information is being sufficiently safeguarded from unauthorized disclosure or modification. These deficiencies are the basis of GAO’s determination that IRS had a material weakness in internal control over financial reporting related to information security in fiscal year 2011 and continues to do so, according to the report summary.