GAO: IRS financial IT security needs more oversight
The IRS isn’t managing and safeguarding its financial IT systems properly, congressional investigators said Thursday.
In its audit of the agency’s financial statements from fiscal years 2014 and 2015, the Government Accountability Office said IRS didn’t have “effective internal control” of its financial systems, which forced the agency to devote an undue amount of staff hours to fixing the systems to meet the audit’s requirements.
The report found various problems in the IRS ledger system, including the inability to separate taxes receivable, compliance assessments and write-offs. This error led to a “labor intensive, and manual estimation process,” with IRS employees testing statistical samples of data to estimate year-end balances.
Due to the errors, the GAO is unable to accurately account for balances through the IRS general ledger.
“Such traceability is necessary to enable IRS to ensure that recorded transactions are complete, accurate, and supported by underlying records,” the report reads.
Additionally, GAO said the IRS didn’t install appropriate security updates on certain databases, including a database supporting tax account administration that hadn’t had a security update since June 2011.
The agency was also found to have poor password security: employees stored and shared passwords through desktop files, shared files and instant messaging, and used weak passwords, including one instance where the account user name and password were the same.
“Such deficiencies make systems and their databases more susceptible to compromise,” the auditors stated.
“In light of the control risks created by IRS’s ongoing information security deficiencies, continued and consistent management commitment and attention to an effective information security program will be essential to the maintenance of, and continued improvements in, its information system controls,” the report reads. “Until IRS takes the necessary steps to address these control deficiencies, its financial and taxpayer data will remain at increased risk of inappropriate and undetected use, modification, or disclosure.”
The IRS has taken its lumps in the past few months when it comes to technology. In May, the agency announced that data taken from third-party sources had been used to access 100,000 accounts through the IRS’ “Get Transcript” application. It upped that figure in August, bringing the grand total to 320,000.
In July, the Treasury Inspector General for Tax Administration released a report saying the IRS has not given enough attention to features that would provide “dynamic online account access.”
In response to the GAO’s report, IRS commissioner John Koskinen said he is confident in the agency’s ability to “consistently produce accurate and reliable financial statements” and will increase scrutiny on information security controls.