Vulnerability Management

GAO office audit finds more vulnerabilities at IRS

An annual Government Accountability Office (GAO) audit has found more security vulnerabilities at the Internal Revenue Service (IRS) and has made more security recommendations to solve the problems. 

Some of the cybersecurity issues included access control vulnerabilities, a lack of encryption, identification and authorization issues, and a lack of contingency planning, GOA Director of Financial Management and Assurance Cheryl E. Clark and Managing Director of Applied Research and Methods Nancy R. Kingsbury said in a letter to IRS Commissioner Charles P. Rettig. 

The majority of the issues are vulnerabilities in access point controls that could permit a high degree of intrusion into IRS programs, data, and other computing resources. 

"We identified 14 new information system security control deficiencies, such as weaknesses in access controls and in procedures to help ensure information systems are operating securely,” GAO investigators said in the online report. “Weaknesses like these place IRS's systems and data at risk." 

The most recent report follows a July 2018 GAO investigation which identified 87 deficiencies and included more than 150 security recommendations. 

The agency addressed only 49 percent of these deficiencies by its September 2018 deadline leaving the total number of issues at 127.

The GAO noted however, the IRS has taken considerable steps to address its prior recommendations and has agreed to fix mistakes and flaws within its internal systems. In addition, the GAO gave the IRS  a new set of 20 security recommendations to resolve the new issues. 

The audits are the result of the 2015 IRS data breach which exposed data on more than 100,000 taxpayers and triggered a series of Congressional hearings and investigations into how the service manages its security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.