IRS Information Systems

Weaknesses Increase Risk of Fraud and Impair Reliability of Management Information Gao ID: AIMD-93-34 September 22, 1993

Two main shortcomings have limited the effectiveness of Internal Revenue Service (IRS) controls over the agency's computer systems. First, IRS did not restrict access to taxpayer data to only those computer support staff who needed it and did not adequately monitor the thousands of employees who were authorized to read and change taxpayer files. In some cases, IRS employees manipulated taxpayer records to generate unauthorized refunds; accessed taxpayer records to monitor the processing of fraudulent returns; and browsed taxpayer accounts, including those of friends, relatives, and celebrities. Second, controls did not guarantee that IRS used only authorized versions of its computer programs. As a result, programmers have been able to introduce unauthorized software changes, either inadvertently or deliberately, thus increasing the risk that taxpayer data may be processed inappropriately. In addition, an unexpected interruption in operations at IRS' main computer center could impede the agency's ability to maintain accurate and up-to-date taxpayer account records.

GAO found that: (1) IRS does not adequately restrict access to taxpayer data to those computer support staff who need it and does not adequately monitor the activities of employees who are authorized to read and change taxpayer files; (2) there are no adequate controls to ensure that IRS uses only authorized versions of its computer programs; (3) unauthorized software changes could impair the reliability of all data processed, result in costly processing errors and destruction of programs and data, and hinder prevention and detection of fraudulent acts; (4) IRS ability to maintain taxpayer accounts during an interruption in operations may be impeded because the capacity of the computers at its backup site is not adequate to run all of the critical applications at the same time; and (5) IRS has not tested the effectiveness of its revised disaster recovery plan.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone:


The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.