Appendix I Material Weaknesses, Significant Deficiency, and Compliance Issues Page 109 GAO-12-165 IRS’s Fiscal Years 2011 and 2010 Financial Statements financial information used by management and increase the risk that sensitive agency and taxpayer information may be compromised. These deficiencies also increase the risk that errors or irregularities may affect IRS’s financial information and not be detected and corrected in time to prevent material misstatement of IRS’s financial statements or other internal and external reports. 24 During fiscal year 2011, IRS management devoted attention and resources to addressing the agency’ s information security controls. The agency developed enterprise-wide security initiatives that are designed to improve its controls and provide management with the ability to measure the state of IRS’s controls. For example, IRS formed cross-functional working groups with knowledge ofthe IRS internal systems to address identified areas considered at risk. Nevertheless, the agency made limited progress in corre cting information security weaknesses we identified in previous audits. IRS addressed approximately 15 percent ofthe 105 open recommendations that we had previously reported. For example, IRS took action to address recommendations related to (1) encrypted data transfers for its Integrated Financial System (IFS), 25 thereby decreasing the risk that malicious users could capture sensitive information; (2) upgraded domain name system servers, thereby decreasing the risk that known vulnerabilities may not be mitigated; and (3) improved the infrastructure supporting RRACS, thereby decreasing the risk of exposure to unauthorized access or manipulation through the exploitation of known vulnerabilities. 24 As discussed above, measurements of materiality encompass both quantitative and qualitative considerations. Quantitative considerations refer tothe dollar magnitude of actual or potential misstatements, while qualitative considerations encompass surrounding circumstances which, in the judgment ofthe auditors, may significantly elevate financial statements users' perceptions ofthe importance of actual or potential misstatements and deficiencies in internal control. The deficiencies in internal control over information security discussed in this report increase the risk that errors or omissions may occur and not be timely detected and corrected, which even if not quantitatively material, may nevertheless be considered qualitatively material due tothe sensitive nature ofthe underlying information and its importance to financial statement users. 25 IFS is IRS’s administrative accounting system, which the agency uses to account for core financial management activities, including general ledger, budget formulation, accounts payable, accounts receivable, funds management, cost management, and financial reporting. IFS does not process or report IRS’s tax-related transactions, including tax revenues, tax refunds, and taxes receivable. This is trial version www.adultpdf.com . designed to improve its controls and provide management with the ability to measure the state of IRS’s controls. For example, IRS formed cross-functional working groups with knowledge of the IRS. mitigated; and (3) improved the infrastructure supporting RRACS, thereby decreasing the risk of exposure to unauthorized access or manipulation through the exploitation of known vulnerabilities surrounding circumstances which, in the judgment of the auditors, may significantly elevate financial statements users' perceptions of the importance of actual or potential misstatements