Taxpayer information housed on Internal Revenue Service computers remains at risk of being exposed because of information security control weaknesses, according to a Government Accountability Office report issued Friday.

"These weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification, or loss, possibly without detection, and place IRS operations at risk of disruption," wrote GAO information security issues director Gregory Wilshusen and chief technologist Keith A. Rhodes in a 33-page report to IRS Commissioner Mark Everson, who didn't challenge the findings.

GAO, the auditing arm of Congress, examined IRS's fiscal 2005 financial statements, assessing the agency's progress in correcting previously reported information security weaknesses at two sites and determining if controls over key financial and tax processing systems at those facilities effectively ensures the confidentiality, integrity, and availability of sensitive taxpayer data.

The GAO noted some progress, but the IRS has failed to fix 40 previously reported flaws discovered in its IT security. Plus, the GAO identified new information security control weaknesses.

For example, the IRS hasn't instituted effective electronic access controls related to network management, user accounts and passwords, user rights and file permissions, and logging and monitoring of security-related events, the Congressional auditors said. Also, the tax agency hasn't effectively implemented other information security controls to physically secure computer resources and to prevent exploitation of vulnerabilities and unauthorized changes to system software.

"Until [the] IRS fully implements a comprehensive agencywide information security program," the GAO report states, "its facilities and computing resources and the information that is processed, stored, and transmitted on its systems will remain vulnerable."

Everson assured the GAO that the IRS is pursuing an agencywide approach to address the root cause of the weaknesses, adding that many weaknesses have been corrected and additional controls have been implemented. He characterized the IRS efforts to fix security flaws as aggressive, noting that agency is developing security plans, security documentation, and security testing.