"Although [the] IRS has made progress [over the past year], controls over its key financial and tax processing systems located at two sites were ineffective," the GAO said in the report, which was released late last month.

The report concluded that the tax agency corrected 41 of 81 specific technical weaknesses that the GAO found last year. But the GAO also found that the security system now needs further updates to correct "new information security control weaknesses that threaten the confidentiality, integrity and availability of IRS's financial information systems and the information they process."

According to the GAO, the IRS has not yet implemented effective electronic access controls related to network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-related events. Also, the report said, the IRS doesn't always follow its own policy dealing with password expiration and complexity.

For example, the IRS has not implemented the use of complex passwords on its Windows servers, and it does not adequately control the storage of passwords on its systems, the GAO said. The agency has also failed to restrict users' access to just the information they need to do their jobs, according to the report.

"Collectively, these weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification or loss, possibly without detection, and place IRS operations at risk of disruption," the GAO said.