American taxpayer data is “unnecessarily vulnerable” due to dozens of problems identified during a recent audit of Internal Revenue Service computers, the Government Accountability Office reported Thursday.
The GAO said an examination of IRS systems found 14 new security control deficiencies, including weaknesses in access controls and procedures that put financial data at risk.
The IRS has been given 20 recommendations by the GAO meant to bring its systems up to snuff, and the agency has agreed with the watchdog to take corrective action, the report said.
Scores of problems discovered during previous audits of IRS systems still existed when the GAO finished its most recent review, however, according to the report.
“Although IRS made some progress in correcting or mitigating the previously reported information system security control deficiencies, additional corrective actions are needed to resolve deficiencies associated with 107 recommendations that remained open as of September 30, 2018,” wrote Cheryl E. Clark, the director of the GAO’s financial management and assurance team.
Counting both newly and previously discovered security problems, the GAO has issued a total of 127 recommendations to the IRS, the report said.
“While IRS continued to make progress in addressing information system security control deficiencies and successfully addressed a number of our prior recommendations, these new and continuing information system security control deficiencies, which collectively represent a significant deficiency, increase the risk that IRS’s financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification or disclosure,” Ms. Clark wrote in the report.
Among the newly identified deficiencies described in the GAO report are issues with the email system used by the IRS and the agency’s policies for protecting internal data.
The GAO determined the IRS does not encrypt emails in accordance with its policies, and that the agency had assigned only a single person to administer its entire email system. Other systems risk being exploited because the IRS failed to update unsupported database software or apply security updates to certain outdated applications and devices, the report said.
The IRS referred back to the report when reached by The Washington Times for comment. The agency agreed with the GAO’s recommendations and said it is committed to improving its security posture, according to the report.
The IRS processed about 225 million tax returns during fiscal year 2018 and collected about $3.5 trillion in federal payments, the report said.
• Andrew Blake can be reached at ablake@washingtontimes.com.