Information Security:
IRS Needs to Further Enhance Controls over Taxpayer and Financial Data
GAO-16-590T: Published: Apr 14, 2016. Publicly Released: Apr 14, 2016.
Contact:
Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov
James R. McTigue, Jr.
(202) 512-9110
mctiguej@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
What GAO Found
In March 2016 GAO reported that the Internal Revenue Service (IRS) had instituted numerous controls over key financial and tax processing systems; however, it had not always effectively implemented safeguards intended to properly restrict access to systems and information. In particular, while IRS had improved some of its access controls, weaknesses remained with identifying and authenticating users, authorizing users' level of rights and privileges, encrypting sensitive data, auditing and monitoring network activity, and physically securing its computing resources. These weaknesses were due in part to IRS's inconsistent implementation of its agency-wide security program, including not fully implementing GAO recommendations. The table below shows the status of prior and new GAO recommendations as of the end of its fiscal year (FY) 2015 audit of IRS's information security. GAO concluded that these weaknesses collectively constituted a significant deficiency for the purposes of financial reporting for fiscal year 2015. Until they are effectively mitigated, taxpayer and financial data will continue to be exposed to unnecessary risk.
Status of GAO Information Security Recommendations to IRS as of March 2016
Information security control area | Prior GAO recommendations open at the start of the FY 2015 audit | Recommendations closed during the FY 2015 audit | New recommendations | Outstanding recommendations at the end of the FY 2015 audit
Information security program | 12 | (3) | 2 | 11
Access controls | 34 | (11) | 38 | 61
Other controls | 24 | (7) | 5 | 22
Totals | 70 | (21) | 45 | 94
Note: Parenthesized figures are recommendations closed during the audit and are subtracted from the open count (open at start, minus closed, plus new, equals outstanding).
Source: GAO analysis of IRS data. | GAO-16-590T
The importance of protecting taxpayer information is further highlighted by the billions of dollars that have been lost to identity theft refund fraud, which continues to be an evolving threat. While IRS has taken steps to address this issue, as GAO reported in January 2015, it has yet to assess the costs, benefits, and risks of methods for improving the authentication of taxpayers' identity.
The Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and the Department of Homeland Security (DHS) provide government-wide guidance and oversight for federal information security. These agencies have taken a number of actions to carry out these responsibilities. For example:
- OMB has prescribed security policies, including direction on ensuring that online services provided by agencies are secure and protect privacy.
- NIST has developed standards and guidelines for implementing security controls, including those for authenticating users during online transactions.
- DHS has issued a directive requiring departments and agencies to mitigate critical vulnerabilities on their Internet-facing systems. It also assists agencies in monitoring their networks for malicious traffic.
Why GAO Did This Study
In collecting taxes, processing returns, and providing taxpayer service, IRS relies extensively on computerized information systems. Accordingly, it is critical that sensitive taxpayer and other data are protected. Recent data breaches at IRS highlight the vulnerability of taxpayer information. In addition, identity theft refund fraud is an evolving threat that occurs when a thief files a fraudulent tax return using a legitimate taxpayer's identity and claims a refund.
Since 1997, GAO has designated federal information security as a government-wide high-risk area, and in 2015 it expanded this area to include the protection of personally identifiable information. GAO also added identity theft refund fraud to its high-risk area on the enforcement of tax laws.
This statement discusses (1) IRS's information security controls over tax processing and financial systems and (2) roles that federal agencies with government-wide information security responsibilities play in providing guidance and oversight to agencies. This statement is based on previously published GAO work and a review of federal guidance.
What GAO Recommends
In addition to 49 prior recommendations that had not been implemented, GAO made 45 new recommendations to IRS in March 2016 to further improve its information security controls and program. GAO also recommended that IRS assess costs, benefits, and risks of taxpayer authentication options.
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or James R. McTigue, Jr. at (202) 512-9110 or mctiguej@gao.gov.
Related Products:
- Information Security: FDA Needs to Rectify Control Weaknesses That Place Industry and Public Health Data at Risk. GAO-16-513: Published: Aug 30, 2016. Publicly Released: Sep 29, 2016.
- Federal Information Security: Actions Needed to Address Challenges. GAO-16-885T: Published: Sep 19, 2016. Publicly Released: Sep 20, 2016.
- Federal Chief Information Security Officers: Opportunities Exist to Improve Roles and Address Challenges to Authority. GAO-16-686: Published: Aug 26, 2016. Publicly Released: Sep 15, 2016.
- Information Security: FDIC Implemented Controls over Financial Systems, but Further Improvements are Needed. GAO-16-605: Published: Jun 29, 2016. Publicly Released: Jun 29, 2016.
- Information Security: Agencies Need to Improve Controls over Selected High-Impact Systems. GAO-16-501: Published: May 18, 2016. Publicly Released: Jun 21, 2016.
- Information Security: Opportunities Exist for SEC to Improve Its Controls over Financial Systems and Data. GAO-16-493: Published: Apr 28, 2016. Publicly Released: Apr 28, 2016.
- Information Security: IRS Needs to Further Enhance Controls over Taxpayer and Financial Data. GAO-16-590T: Published: Apr 14, 2016. Publicly Released: Apr 14, 2016.
- Information Security: IRS Needs to Further Improve Controls over Taxpayer Data and Continue to Combat Identity Theft Refund Fraud. GAO-16-589T: Published: Apr 12, 2016. Publicly Released: Apr 12, 2016.
- Healthcare.gov: Actions Needed to Enhance Information Security and Privacy Controls. GAO-16-265: Published: Mar 23, 2016. Publicly Released: Mar 23, 2016.
- Critical Infrastructure Protection: Measures Needed to Assess Agencies' Promotion of the Cybersecurity Framework. GAO-16-152: Published: Dec 17, 2015. Publicly Released: Dec 17, 2015.