Watchdog: IRS Tech Still Puts Taxpayer Data at Risk


The IRS' information systems are still deficient, a Government Accountability Office report says.

Deficiencies in the Internal Revenue Service's information security could put taxpayer information at risk of exposure or modification, a new watchdog report claims. 

The "collective effect" of security flaws from past years, many of which persist in 2015 -- including weak passwords and insufficient system monitoring -- is that the IRS doesn't have sufficient control over its financial reporting system, according to a new Government Accountability Office financial audit.

For instance, its financial system can't immediately distinguish between write-offs, compliance assessments and taxes receivable to classify them in reports, GAO wrote. The IRS also did not update the security of some databases and servers, thereby increasing the risk that vulnerabilities in the financial systems could be exploited.

One system contained an account that used a password that was the same as its account name, and administrators used desktop files and instant messaging to exchange server-access passwords. Auditors also found a database, no longer supported by the technology vendor, whose security hadn't been updated since 2011. 

The IRS' information security practices have recently come under fire, especially after it disclosed earlier this year that a massive data breach could have affected the accounts of hundreds of thousands of taxpayers.

Earlier this month, a report from the Treasury inspector general pointed out that the IRS wasn't keeping detailed records of which other entities it was sharing data with.

In the audit, GAO claimed it had made several recommendations about information security over the past few years, but many had still not been addressed. 

The report noted that while the IRS did have a framework for its information security program, "some aspects of it continued to be ineffectively implemented." In one case, IRS information security testing wasn't sufficient, and GAO auditors turned up security flaws the IRS had missed, GAO wrote. (In 2015, the IRS did address some concerns by restricting access privileges for some financial applications and is moving to multifactor authentication for financial systems for employees, GAO admitted.)

In a comment appended to the report, IRS Commissioner John Koskinen admitted "challenges remain," but said that the IRS "has established its ability to consistently produce accurate and reliable financial statements."

(Image via Mark Van Scyoc/