From the U.S. Government Accountability Office, www.gao.gov

Transcript for: IRS Information Systems Security

Description: Vijay D’Souza is on this episode of the Watchdog Report to talk about deficiencies in the Internal Revenue Service’s information system security controls.

Related GAO Work: GAO-20-411R, Management Report: Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security Controls

Released: May 2020

[ Intro Music ]

[Vijay D'Souza:] In an ideal world, IRS would identify and catch all these security issues before we, or other auditors, got there.

[Matt Oldham:] Welcome to GAO's Watchdog Report, your source for news and information from the US Government Accountability Office. I'm Matt Oldham. Every year, GAO audits the Internal Revenue Service's financial statements and during the most recent audit, GAO identified new weaknesses in information systems used to house taxpayer information. With me to talk about these weaknesses is Vijay D'Souza, an Information Technology and Cybersecurity Director at GAO. Thank you for joining me, Vijay.

[Vijay D'Souza:] Thanks. It's great to be here.

[Matt Oldham:] Many Americans are looking to the IRS for tax refunds or for stimulus checks. Is this the sort of data that could be a target for hackers?

[Vijay D'Souza:] Well, it's certainly a possibility, but information security can include issues broader than that. You know, we want to make sure that the information the IRS has in its own internal systems is accurate and we also want to make sure that the IRS is able to keep its systems up and running in a time of national crisis like we're facing right now.

[Matt Oldham:] So, what are some of the information systems security controls the IRS has?

[Vijay D'Souza:] Well, the IRS has a number of very complex computer systems, and they're interrelated, so there's all sorts of controls. But I think it's helpful when you think of information security controls to understand that there's technical controls, which is basically how things are set up on a particular software device, and there's also policy and procedure controls relating to personnel and management, and both of those things are very important.

[Matt Oldham:] Are there any issues with those controls?

[Vijay D'Souza:] Well, every year we do continue to find weaknesses in the IRS's controls. So, for example, this year we identified 11 deficiencies and made 18 recommendations to IRS to improve its information security controls related to its financial audits. This is something we track from year to year, and each year we look at kind of what outstanding issues there were from prior years, what steps IRS has taken to address them, and then what new issues we find. So, for example, as I mentioned, this year we made 18 recommendations about things we found, but if you add those to what we had in the prior years, we have a total of 132 outstanding recommendations. And I should add that, over this last year, IRS was able to close 13 of our old recommendations. So, they do continue to make progress, but then we continue to find additional issues.

[Matt Oldham:] So then, are these new issues?

[Vijay D'Souza:] Unfortunately, no. We've identified information security as a high-risk area government-wide since 1997, so these types of issues have been around for a long time and we've been doing the IRS financial statement audits for years, so we have continued to track these issues. But they're very important issues, and it's important that they do be addressed.

[ Music ]

[Matt Oldham:] So, it sounds like information systems security at IRS is designed to keep their data safe and accurate, but GAO found some deficiencies. So, Vijay, what could the IRS do to fix these issues?

[Vijay D'Souza:] Well, there's two things. As I mentioned, the IRS does try to fix each of the specific issues we find, and each year they do address a number of them, but what we've also been encouraging IRS to do and, in fact, it's one of our, what we call priority recommendations to the agency, is work on its overall governance. In an ideal world, IRS would identify and catch all these security issues before we, or other auditors, got there. So, to the extent that they can build security into the process when they implement new systems or do upgrades, it saves them and it increases their security and prevents us from catching things kind of after the fact.

[Matt Oldham:] Last question, Vijay. What's the bottom line of this report?

[Vijay D'Souza:] We want people to know that IRS does take great pains to secure their taxpayer information. However, they do have weaknesses in their systems. It's really important going forward that IRS continue to address these weaknesses to make the taxpayer information more secure.

[Matt Oldham:] Vijay D'Souza was talking about GAO's audit of the IRS and information systems security controls. Thank you for your time, Vijay.

[Vijay D'Souza:] Thank you.

[Matt Oldham:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. Make sure you leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the US Government Accountability Office, visit us at gao.gov.