The Internal Revenue Service (IRS) has a demanding
responsibility in collecting taxes, processing tax returns, and
enforcing the nation's tax laws. It relies extensively on computerized
systems to support its financial and mission-related operations.
Effective information security controls are essential for ensuring that
information is adequately protected from inadvertent or deliberate
misuse, disruption, or destruction. As part of its audit of IRS's
fiscal year 2005 financial statements, GAO assessed (1) the status of
IRS's actions to correct or mitigate previously reported information
security weaknesses at two sites and (2) whether controls over key
financial and tax processing systems located at the facilities are
effective in ensuring the confidentiality, integrity, and availability
of financial and sensitive taxpayer data.

IRS has made progress in correcting or mitigating previously reported information
security weaknesses and in implementing controls over key financial and
tax processing systems that are located at two of its critical data
processing sites. It has corrected or mitigated 41 of the 81 specific
technical weaknesses that we reported as unresolved at the time of our
last review at those selected sites. Although IRS has made progress,
controls over its key financial and tax processing systems located at
two sites were ineffective. In addition to the 40 previously reported
weaknesses for which IRS has not completed actions, GAO identified new
information security control weaknesses that threaten the
confidentiality, integrity, and availability of IRS's financial
information systems and the information they process. For example, IRS
has not implemented effective electronic access controls related to
network management, user accounts and passwords, user rights and file
permissions, and logging and monitoring of security-related events. In
addition, it has not effectively implemented other information security
controls to physically secure computer resources, and to prevent
exploitation of vulnerabilities and unauthorized changes to system
software. Collectively, these weaknesses increase the risk that
sensitive financial and taxpayer data will be inadequately protected
against disclosure, modification, or loss, possibly without detection,
and place IRS operations at risk of disruption. A key reason for IRS's
weaknesses in information security controls is that it has not yet
fully implemented an information security program to ensure that
effective controls are established and maintained. Until IRS fully
implements a comprehensive agencywide information security program, its
facilities and computing resources and the information that is
processed, stored, and transmitted on its systems will remain
vulnerable.