Taxpayer data is at risk because disgruntled insiders or malicious outsiders can exploit security weaknesses, and the Internal Revenue Service (IRS) should take action, the US Treasury Inspector General for Tax Administration (TIGTA) said in a report released on Thursday.
Based on its annual audit, the TIGTA found that 42 percent (eight) of 19 planned corrective actions (PCAs) to address security weaknesses reported in prior TIGTA audits had not been fully implemented. The PCAs involved taxpayer data.
“Examples of corrective actions that were not fully implemented include servers not being scanned for critical and major vulnerabilities, such as default and blank passwords; databases without the latest software updates; and user accounts with long periods of inactivity that were not locked,” the audit found.
“As a result, the IRS is increasing its exposure to risk for malicious users exploiting accounts with default or blank passwords to steal taxpayer identities and carry out fraud schemes,” the report stated.
The annual audits review the adequacy and security of IRS technology. The latest audit was aimed at assessing whether corrective actions to security weaknesses and findings reported in earlier audits had been fully implemented, validated and documented.
The report also found that the IRS needed to do a better job of tracking its efforts to eliminate already identified weaknesses, stating that documents did not support the closure of the PCAs.
The TIGTA made several recommendations to the IRS, including:
- Further strengthen its management controls to adhere to internal control requirements
- Provide refresher training to employees involved in the Joint Audit Management Enterprise System (JAMES) process
- Audit the corrective actions for closed PCAs, and change the status of closed PCAs to open for those that were only partially implemented.
The IRS agreed with all but one recommendation. It only partially agreed to change the status of previously closed PCAs to open and to retroactively upload documentation, citing the need to first conduct a cost/benefit analysis and apply a risk-based approach.