The Internal Revenue Service cannot assure that its financial statements are fairly presented, current, complete, accurate or secure because of material weaknesses in information security controls. Of the 182 recommendations made to the IRS in an audit report (.pdf) published Nov. 10 by the Government Accountability Office, 105 relate to weak internal control over information security.

"In particular, [IRS] had deficiencies in its controls over access to the automated systems and software applications it relies upon to process its financial transactions, produce its internal and external financial reports, and safeguard related sensitive information," write report authors.

Information security has been a recurring problem for IRS financial management systems. However, the agency has made an effort to improve controls--addressing approximately 15 percent of the 105 recommendations for information security identified in GAO's 2010 audit of the system, note report authors.  In the last year IRS acted on GAO recommendations by encrypting data transfer for its Integrated Financial System and upgrading domain name server, says the report.

But known weaknesses in "internal network and physical security controls" continue to plague IRS. "For example, our testing showed that systems used to process tax and financial information did not effectively prevent access from unauthorized users or excessive levels of access for authorized users," note auditors.

Among the known deficiencies cited in the GAO report are access control weaknesses and inconsistent database maintenance, unencrypted protocols for a sensitive tax processing application and physical security control weaknesses.

For more:
- see GAO-12-165 (.pdf)

Related Articles:
IRS doesn't do good job helping tax identity theft victims, says TIGTA
IRS's 'Workforce of Tomorrow' draws TIGTA security concerns
IRS misses cost-saving opportunity to renegotiate mainframe contracts, says IG