GAO Report: IRS Security Controls Continue to Languish

Wednesday, November 16, 2011



The Government Accountability Office (GAO) has released yet another report that is critical of the lack of consistent application of security controls at the Internal Revenue Service (IRS).

The report concludes that "serious internal control and financial management systems deficiencies continued to make it necessary for IRS to use resource-intensive compensating processes," according to the GAO report.

The "IRS did not, in GAO’s opinion, maintain effective internal control over financial reporting as of September 30, 2011, and thus did not have reasonable assurance that losses and misstatements material to the financial statements would be prevented or detected and corrected timely," the report states.

The GAO report further asserts that the "IRS’s continued material weakness in information security controls limit IRS’s ability to provide reasonable assurance that (1) the financial statements are fairly presented; (2) financial management information relied on to support day-to-day decision making is current, complete, and accurate; and (3) proprietary information processed by these automated systems is appropriately safeguarded."

“These issues increase the risk of unauthorized individuals accessing, altering, or abusing proprietary IRS programs and electronic data and taxpayer information,” the report contends.

A previous audit released last spring noted that the IRS fails to limit employee access to sensitive systems and information in accordance with employee's job duties, leaving the agency vulnerable to malicious insider threats.

The report had also found that the IRS had failed to update critical database software and enable key auditing capabilities. Vulnerabilities persist because the IRS has not completely implemented its own comprehensive security policies.

The GAO estimates that less than half of the security vulnerabilities previously identified by the agency have been resolved. Of those deficiencies, less than one-fifth have actually been mitigated.

Possibly Related Articles:
Insider Threats Access Control Government Security Audits Headlines Network Security Controls IRS GAO
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked