From the U.S. Government Accountability Office, www.gao.gov

Transcript for: IRS's Protection of Taxpayer Data

Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology

Related GAO Work: GAO-12-392: Information Security: IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data

Released: March 2012

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. It's March 2012. The Internal Revenue Service relies on security controls to protect the sensitive taxpayer data it has on its computer systems. A group co-led by Greg Wilshusen, a director in GAO's Information Technology team, recently reviewed the effectiveness of IRS's controls in protecting this sensitive information. GAO's Jeremy Cluchey sat down with Greg to learn more.

[ Jeremy Cluchey: ] What sorts of taxpayer information is IRS responsible for protecting?

[ Greg Wilshusen: ] Well, the IRS maintains a vast amount of sensitive personal information about taxpayers. This information includes taxpayer name, home address, Social Security number, as well as income and deductions and all the other information that taxpayers may include on their tax returns, as well as data that is supplied about the taxpayer from those taxpayers' employers. And this information needs to be protected because it has value to those individuals or groups that wish to commit identity theft, fraud, or other financial crimes.

[ Jeremy Cluchey: ] And in this report your team looked at IRS's controls and procedures around its financial and tax processing systems to see how this data is handled. What did you find?

[ Greg Wilshusen: ] Well, we found that IRS implemented numerous controls and procedures that are intended to protect this information. Nevertheless, weaknesses in these controls jeopardize the confidentiality, integrity, and availability of the IRS's tax systems, financial systems, as well as the taxpayer data.

[ Jeremy Cluchey: ] Can you elaborate a little bit on what you mean by control weaknesses that you identified?

[ Greg Wilshusen: ] Well, sure. We found that the Internal Revenue Service had not always implemented controls that are intended to prevent, limit, and detect unauthorized access to its systems and data, and these include deficiencies in the controls that are used to identify and authenticate users, such as implementing strong passwords. We also found that IRS did not always restrict unneeded access to certain key information services as well as data servers. And we've also found that IRS did not always encrypt sensitive information as it was being transmitted across its internal networks.

[ Jeremy Cluchey: ] This report also follows up on past GAO work that reviewed these controls and made previous recommendations to IRS. To what extent has there been an improvement?

[ Greg Wilshusen: ] Well, it's not as much as we had hoped or even IRS had hoped. As you know from our previous report, we had about 105 outstanding recommendations and weaknesses that we've reported. IRS reported that it had corrected about 29 of these, or which is just about a quarter of those previously reported weaknesses. However, when we actually did our test to determine the effectiveness of IRS's corrective actions over these 29 recommendations that they said that they implemented, we found that they hadn't implemented all of them or fully implemented 13, or 45 percent of the 29 that they had indicated they corrected.

[ Jeremy Cluchey: ] And in this latest report, what steps is GAO recommending IRS take?

[ Greg Wilshusen: ] Well, we're recommending that—in addition to our prior recommendations that we made in our prior reports—we are also recommending that IRS take actions to implement a comprehensive information security program, and in part by enhancing their procedures for monitoring the effectiveness of controls over their systems, as well as expanding the tests that they perform to address access controls as well as system configurations to assure that those controls are effectively implemented. In addition, we are also making 24 recommendations that address specific internal control deficiencies, information security deficiencies, that we identified during the course of the audit.

[ Jeremy Cluchey: ] For taxpayers who are right now gearing up for this year's filing season, what's the bottom line here?

[ Greg Wilshusen: ] Well, first and foremost, they should certainly obey the tax laws and file their returns, and IRS will endeavor to try to protect that information as best as it can. However, our results have found that IRS still needs to do more in order to appropriately protect the information that taxpayers deserve.

[ Background Music ]

[ Narrator: ] To learn more, visit gao.gov and be sure to tune in to the next episode of GAO's Watchdog Report for more from the congressional watchdog, the U.S. Government Accountability Office.