The IRS's ability to protect sensitive financial and taxpayer data is limited by its failure to resolve numerous information security deficiencies identified by the Government Accountability Office (GAO).

The continuing “control deficiencies” are identified in a new GAO audit released Wednesday that sheds light on the slow progress the IRS has made on information security despite, its reliance on computer systems to support its operations and store sensitive data.

ADVERTISEMENT

According to the audit, which was completed in fiscal 2016, the IRS has made some progress addressing prior information security recommendations made by the watchdog — but it still has work to do to shore up its systems to prevent sensitive data from being unnecessarily exposed.

“Until IRS takes additional steps to address unresolved and newly-identified control deficiencies and effectively implements components of its information security program, its financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure,” the report says. “These shortcomings were the basis for GAO’s determination that IRS had a significant deficiency in internal control over financial reporting systems for fiscal year 2016.”

Specifically, at the end of the latest audit, the IRS still had not resolved 68 of the 94 prior recommendations related to information security, some dated from before 2016. When combined with the new recommendations, the GAO has now issued a total of 166 recommendations to the IRS that have not been fully addressed.

According to the audit, the IRS worked to tighten access controls to accounts and update some software during the past fiscal year, but did not always, for instance, “limit or prevent unnecessary access to systems.” The agency has also not sufficiently monitored its systems to ensure that officials are complying with security policies.

The problems stemmed partially from the IRS’s failure to implement certain components of its comprehensive information security program, the GAO says.

The IRS did not agree nor disagree with the recommendations when responding to the report, but promised to review them, asserting that “the integrity of our financial systems continues to be sound.”

The IRS’s cybersecurity efforts have come under increased scrutiny by lawmakers lately, particularly in the wake of a data breach of an information-sharing tool used in conjunction with the Department of Education that exposed the personal information of up to 100,000 Americans earlier this year.

“The IRS is committed to improving its financial management, internal controls, and the overall effectiveness of information system controls,” IRS Commissioner John Koskinen said in response to the GAO’s report. “We are aware that much work remains to be done to ensure our large and complex IT ecosystem is fully secure and protects our financial and taxpayer data.”