IRS' Security Program Requires Improvements To Protect Confidentiality of Income Tax Information

The Internal Revenue Service (IRS) designed a security program to protect the confidentiality of tax data under its control. However, weaknesses in carrying out the program are widespread, and some essential procedures and controls are totally lacking.

Inadequate controls over computer operations afforded IRS employees and others many opportunities to unlawfully disclose tax data. Computer programmers could easily run an unauthorized program or make an unauthorized program change without detection. Controls were exercised inadequately over the IRS primary computerized data retrieval system. Employees were able to get unneeded tax data because IRS was not enforcing its policy of limiting employee access to only that data needed to perform official duties. IRS employees were also able to get unneeded tax data due to equipment shortages. There is the potential for unauthorized tax data disclosure due to IRS methods for assessing the integrity of employees and others having access to its facilities. Although the facility's physical features and guard services were adequate to deter general access by unauthorized persons to IRS facilities, other aspects of physical security were weak and precluded maximum protection of tax data. Thirty-two recommendations designed to correct specific weaknesses were made by GAO. IRS agreed with most of the recommendations.