Just in time for tax season, the Government Accountability Office is warning that weak financial controls at the Internal Revenue Service leave taxpayer information at risk.

In a report released Monday to IRS Commissioner John Koskinen, the GAO noted the agency’s progress in information security but said “weaknesses in the controls limited their effectiveness in protecting the confidentiality, integrity, and availability of financial and sensitive taxpayer data.”

The GAO chided the IRS, saying it “has not effectively implemented elements of its information security program.”

Unless the IRS takes additional steps, including updating test and evaluation procedures, the GAO said, “financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.”

The GAO determined that the IRS “had a significant deficiency in internal control over financial reporting in its information security in fiscal year 2015.”

The report stated:

For example, the agency had not always (1) implemented controls for identifying and authenticating users, such as applying proper password settings; (2) appropriately restricted access to servers; (3) ensured that sensitive user  authentication data were encrypted; (4) audited and monitored systems to ensure compliance with agency policies ; and (5) ensured access to restricted areas was appropriate. In addition, unpatched and outdated software exposed IRS to known vulnerabilities.

In response, Koskinen said, “IRS is committed to improving its financial management, internal controls, information technology security posture, and the overall effectiveness of information system controls.”

He closed a letter to the GAO by saying that “the security and privacy of all taxpayer information is of utmost importance to us, and the integrity of our financial systems continues to be sound.”

Taxpayers hope he’s right, because as the GAO said, maintaining the public’s trust is “especially important for government agencies such as IRS.”