The IRS sometimes uses old software without key security patches that leave its computer systems vulnerable and could endanger taxpayers’ private information, the Government Accountability Office said Thursday.
GAO investigators raised the issue last year, identifying 69 weaknesses. The IRS said it had corrected two dozen of them, but the new audit found just 14 of them were actually fixed, leaving dozens of weaknesses still to be resolved.
Part of the problem is that the IRS hasn’t even always followed its own guidelines for assessing risks and creating information security plans, the GAO said.
The findings forced the GAO to list the IRS as having “a significant deficiency” in financial reporting systems.
Among the specific problems investigators found were that the IRS was lax in requiring good passwords and forcing employees to change them frequently and the agency allowed too many people to ave access to critical tax-payment data.
Investigators also said the agency didn’t cancel some accounts in a timely fashion — with one still active, though it was supposed to have been removed in April 2009.
SEE ALSO: IRS blames Obamacare for shoddy customer service
“As a result of these weaknesses, IRS had reduced ability to control who was accessing its systems and data,” the GAO said.
The GAO said some progress had been made since its initial report in 2014, and the IRS took heart from that. But Commissioner John Koskinen also asserted that the agency’s systems are solid.
“The security and privacy of taxpayer information and the integrity of our financial systems continues to be sound,” he said.
Mr. Koskinen has complained to Congress of aging systems and too little money to update them.
On Wednesday, he told lawmakers that he had to take money that would normally have gone to customer service and shift it to information-technology improvements to handle Obamacare. He said that’s part of the reason the agency is answering just 43 percent of taxpayers’ phone calls this tax season.
• Stephen Dinan can be reached at sdinan@washingtontimes.com.
Please read our comment policy before commenting.