Report: IRS dogged by information security lapses that make taxpayer records 'vulnerable'

The Internal Revenue Service remains dogged by serious information security lapses, many of which federal investigators have asked the agency to correct since 2008, according to a new Government Accountability Office report.

Despite multiple warnings, IRS officials still do not "enforce strong password management," limit user access to information and programs appropriately, monitor security events on key computers or "physically protect its computer resources," according to the GAO review, released Friday.

Consequently, GAO officials warn the IRS will remain "unnecessarily vulnerable" to insider threats -- including the "disclosure, modification or destruction of financial and taxpayer information" -- for as long as those crucial security holes persist.

The lapses represent "a material weakness in internal controls over financial reporting related to information security," the GAO wrote Friday in a letter to Douglas Shulman, the commissioner of the IRS.

In previous audits, the GAO pinpointed 89 "weaknesses and deficiencies" in IRS information security procedures, ranging from poorly crafted passwords to a lack of adequate computer protections.

Investigators pointed those security holes out in previous reports, many of which the agency said earlier this year it had corrected, as the GAO prescribed.

But the GAO actually found the IRS had addressed far fewer of its original concerns. Consequently, about 69 percent of the IRS's' security flaws "emain unresolved or unmitigated," according to the GAO.

"A key reason for these weaknesses is that IRS has not yet fully implemented its agency-wide information security program to ensure that controls are appropriately designed and operating effectively," the GAO emphasized.

"These weaknesses -- both old and new -- continue to jeopardize the confidentiality, integrity, and availability of IRS’s systems and were the basis of our determination that IRS had a material weakness in internal controls over financial reporting related to information security in fiscal year 2009," the GAO report continued.

Ultimately, Shulman earlier this month chose not to respond to any of the GAO's specific criticisms.

In a letter back to federal investigators, he merely repeated his agency's commitment to ensuring the security of all of its sensitive tax information and financial systems.

"The security and privacy of all taxpayer and financial information is of utmost importance to us, and the integrity of our financial systems continues to be sound," he wrote. "We are committed to securing our computer environment as we continually evaluate processes, promote user awareness and apply innovative ideas to increase compliance."