Information Security: Control Deficiencies Continue to Limit IRS's Effectiveness in Protecting Sensitive Financial and Taxpayer Data, Report to the Commissioner of Internal Revenue [open pdf - 1MB]
"The IRS [Internal Revenue Service] has a demanding responsibility to collect taxes, process tax returns, and enforce the nation's tax laws. It relies extensively on computerized systems to support its financial and mission-related operations and on information security controls to protect the financial and sensitive taxpayer data that resides on those systems. As part of its audit of IRS's fiscal year 2016 and 2015 financial statements, GAO [Government Accountability Office] assessed whether controls over key financial and tax processing systems were effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials at four locations. In addition to the prior recommendations that have not been implemented, GAO is recommending that IRS take 10 additional actions to more effectively implement security related policies and plans. In a separate report with limited distribution, GAO is recommending 88 actions that IRS can take to address newly identified control deficiencies. In commenting on a draft of this report, IRS neither agreed nor disagreed with the recommendations, but stated that it would review each of the recommendations and ensure that its corrective actions include sustainable fixes that implement appropriate security controls."
Government Accountability Office: http://www.gao.gov/