The IRS corrected just 29 of 105 weaknesses it previously identified. GAO also found 13 of the 29 fixes were incomplete or done improperly. The problem, auditors said, was not lack of policy but a lack of follow-through. The weaknesses mostly dealt with inside threats and weak internal controls on taxpayer information rather than outside breaches or attacks.
GAO said the IRS should take six steps in order to implement its overall information security program. It also listed 23 specific actions to fix newly detected control weaknesses. The IRS agreed to develop a plan of action to address all of these issues.