Taking a blunt approach, the GAO said that the IRS “lacks reasonable assurance as to the accuracy of financial information or the adequate protection of sensitive taxpayer information.”
The report lists many areas of weakness, but says that even more bad news may be coming about just how weak the IRS's security could be.
For example, host-based intrusion detection systems deployed at the IRS to monitor financial applications were configured to spot attack patterns for network security incidents, but were not correctly configured to flag attacks on the specific financial applications themselves. That is just one example of many.
The GAO said that it plans to issue a separate report to the IRS on the information security control deficiencies identified during fiscal year 2011 and the status of actions to address previous recommendations. It also said it would issue a limited-distribution report to the IRS that addresses details omitted from this most recent report due to the sensitivity of the information.