
GAO audit finds IRS security measures need work


The Internal Revenue Service and its Security Summit partners this summer launched a campaign to encourage tax professionals to review and upgrade their security systems.

But it looks like the IRS also needs to do some work, according to a recent Government Accountability Office (GAO) report.

IRS online option breach spurs inquiries: The GAO has been conducting audits on how the IRS manages its security since the agency sustained a data breach in 2015 of its Get Transcript online service.

That attempt by hackers exposed the data of around 104,000 taxpayers to potential identity thieves. The service was offline for more than a year as the IRS investigated and subsequently enhanced its online security measures.

Congress conducted several hearings into the online tool's breach. The Treasury Inspector General for Tax Administration (TIGTA) also investigated the issue.

In the GAO's latest inquiry, an audit of fiscal year 2018 IRS actions that was released July 18, investigators identified 14 new IRS security control shortfalls relating to information technology (IT) security.

GAO also noted that the IRS had not addressed 127 IT security recommendations that the watchdog agency previously issued.

Insecure access issues: A key area of concern is IRS access controls, such as authentication and encryption.

Eight of the latest 14 security shortfalls identified by GAO relate to access management. An additional four fall under configuration management. The final two areas where the IRS needs work are related to segregation of duties and a contingency plan deficiency.

Specifically, GAO found that the IRS:

  • Needs to implement several security measures designed to protect critical agency data from unauthorized use.
  • Did not use multifactor authentication for access to certain agency applications, a violation of policy from the Office of Management and Budget.
  • Did not enforce requirements for electronic signatures and password resets.
  • Had several cryptographic gaps, including failure to encrypt certain servers and its email service, as well as not enforcing specific encrypted database connections.
  • Was not properly updating or upgrading out-of-date software.

The table below from the GAO report provides the exact numbers of pending security issues.

[Table: Status of GAO security recommendations to IRS, old and new, 2019]

Many, but not serious, risks: While all those items are disturbing, the good news is that the GAO determined the deficiencies are not great risks.

"We identified ongoing and new information system security control deficiencies that while not collectively considered a material weakness, were important enough to merit attention by those charged with governance of IRS and therefore represented a significant deficiency in IRS’s internal control over its financial reporting systems," wrote GAO Director of Financial Management and Assurance Cheryl E. Clark and Managing Director of Applied Research and Methods Nancy R. Kingsbury in a letter to IRS Commissioner Charles P. Rettig.

However, when it comes to interactions with and safeguarding taxpayers' information, any shortfall is concerning and attention is needed.

Old issues still open, new ones added: The GAO noted that although some actions cited in the earlier report still need attention, the IRS has taken considerable steps to address its prior recommendations and has agreed to fix mistakes and flaws within its internal systems.

While the IRS is working on those, the GAO also gave the tax agency a new set of 20 security recommendations to resolve the new issues.

Congressional support and money required: We — government oversight agencies, lawmakers and all of us taxpayers — cannot let the IRS off the hook for security oversights.

It is, after all, our personal and financial data that Uncle Sam's tax collector gathers and should keep as safe as possible.

But there are extenuating circumstances.

The IRS in recent years has been working under severely restricted budgets. Its efforts to upgrade equipment, software and systems, as well as to catch tax and other crooks, have been seriously hindered by budget cuts and investigator attrition.

The new Taxpayer First Act will help in the security area somewhat. Several of the IRS reform measure's provisions are designed to discover and stop tax ID theft.

Such efforts, however, as well as upgrades to technology and systems, take money.

Let's hope that under the recently reached federal budget agreement, Congress also will allocate some of the new money to the IRS for it to adequately address these old and new security concerns.
