The Internal Revenue Service (IRS) relies extensively on computerized systems to support its financial and mission-related operations. In addition, IRS provides computer processing support to the Financial Crimes Enforcement Network (FinCEN)--another Treasury bureau. As part of IRS's fiscal year 2004 financial statements, GAO assessed (1) the status of IRS's actions to correct or mitigate previously reported weaknesses at one of its critical data processing facilities and (2) the effectiveness of IRS's information security controls in protecting the confidentiality, integrity, and availability of key financial and tax processing systems.

IRS has made progress in correcting or mitigating previously reported information security weaknesses and in implementing controls over key financial and tax processing systems that are located at one of its critical data processing facilities. It has corrected or mitigated 32 of the 53 weaknesses that GAO reported as unresolved at the time of our prior review in 2002. However, in addition to the remaining 21 previously reported weaknesses for which IRS has not completed actions, 39 newly identified information security control weaknesses impair IRS's ability to ensure the confidentiality, integrity, and availability of its sensitive financial and taxpayer data and FinCEN's Bank Secrecy Act data. For example, IRS has not implemented effective electronic access controls over its mainframe computing environment to logically separate its taxpayer data from FinCEN's Bank Secrecy Act data--two types of data with different security requirements. In addition, IRS has not effectively implemented certain other information security controls relating to physical security, segregation of duties, and service continuity at the facility. Collectively, these weaknesses increase the risk that sensitive taxpayer and Bank Secrecy Act data will be inadequately protected from unauthorized disclosure, modification, use, or destruction. Moreover, weaknesses in service continuity and business resumption plans heighten the risk that assets will be inadequately protected and controlled to ensure the continuity of operations when unexpected interruptions occur. An underlying cause of these information security control weaknesses is that IRS has not fully implemented certain elements of its agencywide information security program. Until IRS fully implements a comprehensive agencywide information security program, its facilities and computing resources and the information that is processed, stored, and transmitted on its systems will remain vulnerable.

Click here for the full GAO Report, PDF Version, 30pgs. 394K