In an examination of the US federal tax agency’s information security controls, the US Government Accountability Office said that, despite recent improvements, significant deficiencies remained. For example, the agency had not always implemented controls for identifying and authenticating users accessing sensitive data, such as applying proper password settings, or appropriately restricting access to data servers.

“An underlying reason for these weaknesses is that IRS has not effectively implemented elements of its information security programme,” the report highlighted.

In addition, outdated software exposed IRS to known vulnerabilities, while the IRS had also not fully addressed previously raised concerns. The agency told auditors it had implemented 28 previous recommendations for improvement, but the GAO then found nine associated weaknesses that had not been effectively corrected.

Until the IRS takes additional steps to resolve both unresolved and newly identified problems, its financial and taxpayer data will remain “unnecessarily vulnerable”, the Information Security report concluded.

It made two specific recommendations to update audit plans and network infrastructure, as well as a further 43 technical recommendations.

The GAO noted that, in commenting on a draft of this report, IRS had agreed with these recommendations.