Weak Security Controls Raise Doubts About IRS Data
GAO: Confidential Records At Risk Absent Effective IT Security
"As IRS continues to increase the automation of accounting and reporting processes, the need for effective security over the data these systems process becomes increasingly more critical," wrote Steven Sebastian, GAO director of financial management and assurance, in a financial audit of the IRS for the past two fiscal years. "Absent effective information security, confidential taxpayer records will remain at risk and both IRS's management and we, as IRS's auditors, will continue to be unable to rely on the automated controls built into these systems to assist in obtaining reasonable assurance that the reported balances generated by them are reliable."
In the audit, released Tuesday, the Government Accountability Office credited the IRS with making great strides in addressing several IT security weaknesses identified in previous audits: documenting approved access privileges for its mainframe user groups, implementing role-based access controls to reduce the number of users with special privileged access on the system supporting its administrative accounting system, and changing vendor-supplied database accounts and passwords so that the default credentials could not be used by malicious users.
But, the audit said, persistent, serious deficiencies in IRS's controls over IT security remain uncorrected. Those deficiencies render IRS unable to rely upon these controls to provide reasonable assurance that its financial statements are fairly stated in the absence of effective compensating procedures. They also have serious adverse implications for the reliability of other financial management information produced by IRS's systems, and they increase the risk that confidential IRS and taxpayer information will be compromised, the 113-page report said.
GAO said it has employed alternative audit procedures to compensate for weak security controls, such as reviewing comparisons between automated systems and utilizing remaining hard-copy records, but those alternatives will disappear as IRS's modernization efforts progress. "If IRS does not resolve its information security material weakness before these options disappear, it could have serious adverse implications for our ability to determine whether IRS's financial statements are fairly stated," Sebastian wrote.
IRS Management Reacts
IRS management told GAO that information security continues to be a priority, and noted that it had increased the security of its Interim Revenue Accounting Control System, Integrated Financial System and the Treasury Information Executive Repository environment, by limiting access to a reduced number of authorized staff. IRS managers instituted role-based access in financial management systems and implemented controls to enforce the use of strong passwords in accordance with the Internal Revenue Manual. IRS also recognized that challenges remain, but told GAO that it has a solid management team dedicated to promoting the highest standard of financial management and to continuing to increase the focus on information security and internal controls while improving financial reporting.
Good progress, but not enough, GAO said, noting that despite these actions, previously identified weaknesses in internal control over information security continue to place IRS systems at risk. GAO cited the IRS procurement system, where the tax agency had not restricted users' ability to bypass application controls and was not removing separated employees' access in a timely manner. Managers did not always follow required procedures to review employee access to sensitive areas at data centers in a timely manner, to ensure that access was limited only to employees who needed it to perform their jobs, the GAO said. "These unresolved weaknesses increase the risk that data processed by the agency's financial management systems are not reliable," Sebastian said.
During its fiscal year 2009 audit, GAO said it identified additional significant weaknesses in internal control over information security that, along with previously identified weaknesses, continued to jeopardize the confidentiality, availability and integrity of information processed by IRS's key systems, increasing the risk of material misstatement for financial reporting. Among examples cited by GAO:
How did this happen? According to GAO, the IRS had not fully implemented its information security program to ensure that controls are effectively established and maintained. For example, GAO said, although IRS has developed and implemented a process to address deficiencies in its information security policies, procedures and practices, it did not sufficiently verify whether remedial actions were actually implemented or were effective in mitigating the underlying vulnerability. To illustrate, IRS informed GAO that it had corrected about 40 percent of the previously reported weaknesses, but auditors found that IRS had not fully implemented the remedial actions it reported for at least one-third of those it considered corrected.
"Until IRS takes additional steps to fully implement key elements of its information security program ... its facilities, computing resources and information will remain vulnerable to inappropriate use, modification or disclosure, and agency management will have limited assurance of the integrity and reliability of its financial and taxpayer information," Sebastian said.
GAO said the IRS is receptive to its findings, and has several initiatives underway to address its IT security weaknesses. IRS has targeted initiatives covering identity and access management, auditing and monitoring and disaster recovery for the current fiscal year. Still, it will take time to eliminate all of the faults. According to an IRS plan, the last of these weaknesses is scheduled to be resolved in the first quarter of fiscal year 2014. "These efforts," GAO said, "if fully and effectively implemented, are positive steps towards improving the agency's overall information security posture."