Persistent, serious deficiencies in the Internal Revenue Service's controls over information security remain uncorrected from the last fiscal year, says the Government Accountability Office.
The GAO, in an annual audit of IRS financial statements and internal controls, chastises the tax agency for not adhering to the least privilege principal of network access and leaving uncorrected an access control weakness in the Redesign Revenue Accounting Control System that compromised the IRS's ability to segregate duties. The RRACS weakness "jeopardized the integrity of the application's data," the GAO audit states.
None of the information security holes undermined the validity of IRS financial statements, but GAO auditors say that manual compensation for information security vulnerabilities is disappearing as an option for the IRS.
As automation takes over the agency--as it's meant to do, under a multi-billion modernization effort--manual options will simply not be possible, the GAO says.
Failing to resolve those deficiencies "could have serious adverse implications for our ability to determine whether IRS's financial statements are fairly stated in the future," auditors warn.
-David Perera, FierceGovernmentIT.com
- download the report, GAO-11-142 (.pdf)