"Specifically, the [IRS] continues to face challenges in controlling access to its information resources," states the Government Accountability Office in its report published Friday. "For example, it had not always (1) implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time; (2) appropriately restricted access to certain servers; (3) ensured that sensitive data were encrypted when transmitted; (4) audited and monitored systems to ensure that unauthorized activities would be detected; or (5) ensured management validation of access to restricted areas."

BACKGROUND:

The GAO also notes its audit found the IRS did not always "promptly correct known vulnerabilities" in its systems, saying that "76 out of 105 previously reported weaknesses open at the end of the GAO's prior year audit had not yet been corrected."

Taken collectively, these failings "impair IRS's ability to ensure that its financial and taxpayer information is secure from internal threats," or that it's being "safeguarded from unauthorized disclosure or modification."

The GAO handed the IRS a list of six recommended actions for improvement that include monitoring access control and ensuring appropriate security patches have been applied, saying it would be looking at actions taken and reporting back to Congress on it in the future.