GovInfoSecurity.com - Information Security News, Regulations, & Education

Weak Security Controls Raise Doubts About IRS Data

GAO: Confidential Records At Risk Absent Effective IT Security
November 10, 2009 - Eric Chabrow, Executive Editor, GovInfoSecurity.com

To understand the synergy between financial reporting and information security in government, there's no better example than the Internal Revenue Service. Simply put, because of the significance of IRS tax collections to overall federal receipts and the confidentiality of its records, if security controls aren't properly implemented, the financial information the IRS reports can't be fully trusted.

"As IRS continues to increase the automation of accounting and reporting processes, the need for effective security over the data these systems process becomes increasingly more critical," wrote Steven Sebastia, GAO director of financial management, in a financial audit of the IRS for the past two fiscal years. "Absent effective information security, confidential taxpayer records will remain at risk and both IRS's management and we, as IRS's auditors, will continue to be unable to rely on the automated controls built into these systems to assist in obtaining reasonable assurance that the reported balances generated by them are reliable."

In the audit, released Tuesday, the Government Accountability Office credited the IRS with making great strides in addressing several IT security weaknesses identified in previous audits, by documenting approved access privileges for its mainframe user groups, implementing role-based access controls to reduce the number of users with special privileged access on the system supporting its administrative accounting system and changing vendor-supplied database accounts and passwords to avoid potential use by malicious users.

But, the audit said, persistent, serious deficiencies in IRS's controls over IT security remain uncorrected. Those deficiencies render IRS unable to rely upon these controls to provide reasonable assurance that its financial statements are fairly stated in the absence of effective compensating procedures, have serious adverse implications related to the reliability of other financial management information produced by IRS's systems and increase the risk that confidential IRS and taxpayer information will be compromised, the 113-page report said.

GAO said it has employed alternative audit procedures to compensate for weak security controls, such as reviewing comparisons between automated systems and utilizing remaining hard-copy records, but those alternatives will disappear as IRS's modernization efforts progress. "If IRS does not resolve its information security material weakness before these options disappear, it could have serious adverse implications for our ability to determine whether IRS's financial statements are fairly stated," Sebastia wrote.

IRS Management Reacts

IRS management told GAO that information security continues to be a priority, and noted that it had increased the security of its Interim Revenue Accounting Control System, Integrated Financial System and the Treasury Information Executive Repository environment, by limiting access to a reduced number of authorized staff. IRS managers instituted role-based access in financial management systems and implemented controls to enforce the use of strong passwords in accordance with the Internal Revenue Manual. IRS also recognized that challenges remain, but told GAO that it has a solid management team dedicated to promoting the highest standard of financial management and to continuing to increase the focus on information security and internal controls while improving financial reporting.

Good progress, but not enough, GAO said, noting that despite these actions, previously identified weaknesses in internal control over information security continue to place IRS systems at risk. GAO cited the IRS procurement system, where the tax agency had not restricted users' ability to bypass application controls, and was not removing separated employees' access in a timely manner. Managers did not always follow required procedures to timely review employee access to sensitive areas at data centers to ensure that access was limited only to employees who needed it to perform their jobs, the GAO said. "These unresolved weaknesses increase the risk that data processed by the agency's financial management systems are not reliable," Sebastia said.

