Taxpayer information held by the Internal Revenue Service (IRS) is vulnerable to access by unauthorized people, according to a report released today from the Government Accountability Office (GAO). The report cites "information security deficiencies" at the IRS, which also compromise the agency's ability to guarantee that "financial statements are fairly presented."

"In fiscal year 2011, IRS continued to have a material weakness in internal control over information security," wrote Steven Sebastion, GAO director of Financial Management and Assurance. "In particular, it had deficiencies in its controls over access to the automated systems and software applications it relies upon to process its financial transactions, produce its internal and external financial reports, and safeguard related sensitive information."

These deficiencies hamper IRS ability to guarantee that "its financial statements, taken as a whole, were fairly presented" and that "proprietary financial and taxpayer information were appropriately safeguarded."

Among other things, the report faulted the IRS for "continu[ing] to use unencrypted protocols for a sensitive tax processing application." Testing by the GAO revealed that "systems used to process tax and financial information did not effectively prevent access from unauthorized users or excessive levels of access for authorized users."

"IRS’s financial management systems did not substantially comply with (1) Federal Financial Management System Requirements (FFMSR) and (2) federal accounting standards (U.S. generally accepted accounting principles)," GAO noted.