Internal Revenue Service:

Physical Security Over Taxpayer Receipts and Data Needs Improvement

AIMD-99-15: Published: Nov 30, 1998. Publicly Released: Nov 30, 1998.

Additional Materials:

Contact:

Steven J. Sebastian
(202) 512-9521
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a legislative requirement, GAO reviewed the Internal Revenue Service's (IRS) physical controls over receipts and taxpayer data.

GAO noted that: (1) IRS' controls over receipts and taxpayer data do not adequately reduce the vulnerability of the federal government and taxpayers to loss from theft; (2) this condition existed because of the length of time required to conduct background investigations, delays in receiving results of fingerprint checks, and processing demands which required the hiring of thousands of employees during the peak filing season; (3) placing new hires in sensitive positions prior to, at a minimum, receiving the results of fingerprint check increases the vulnerability of receipts and taxpayer data to theft; (4) in fact, of the 80 thefts IRS investigated at service centers from January 1995 to July 1997, 12 were committed by individuals who had previous arrest records that were not identified prior to their employment; (5) GAO also noted weaknesses in the physical controls over service center and district office receipts; (6) while service center receipts are required to be processed only by authorized individuals in the Receipt and Control Branch, which is a restricted access area, numerous receipts were found in unrestricted areas accessible to other IRS employees and to non-employees not authorized to handle receipts; (7) receipts particularly vulnerable to theft also were not adequately secured; (8) while it is important to adequately protect cash and checks received at IRS facilities, it is similarly essential to ensure that these receipts are properly protected during transport to depository institutions; (9) GAO found that single, unarmed couriers in ordinary civilian vehicles were used to transport IRS deposits totalling hundreds of millions of dollars to the depository institutions during the peak filing season; (10) the theft of one peak season deposit could place a significant administrative burden on IRS to contact taxpayers and initiate stop payment orders on tens of thousands of checks; (11) although receipts and taxpayer information will always be vulnerable to theft, IRS has a responsibility to protect the government and taxpayers from such losses; (12) many of the actions GAO is recommending to minimize these vulnerabilities and thus better protect taxpayer receipts and data would not result in significant costs, and several other actions GAO is recommending are already required by IRS policy or are currently under consideration by IRS management; and (13) IRS has prepared two corrective action plans to reduce its vulnerability to theft or loss of receipts and taxpayer data.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: GAO confirmed that final candling activities are now located in restricted access areas at all 10 service centers.

    Recommendation: To limit exposure to theft and provide adequate monitoring in accordance with IRM requirements, the Commissioner of Internal Revenue should ensure that all final candling activities are consistently located in a restricted access area.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: IRS reported that each service center campus currently has locked containers to store the discovered remittances. Also, IRS issued instructions to the service centers to emphasize the handling and recording of these remittances to ensure reconciliation. This question is on the Submission Processing Checklist. At least three areas of the service centers are reviewed monthly against the checklist to ensure compliance. During its fiscal year 2002 audit, GAO verified that the two service centers it visited were using locked containers to store discovered remittances. These remittances were immediately recorded on a control log and the log was reconciled.

    Recommendation: To reduce the vulnerability of receipts found outside restricted access areas, the Commissioner of Internal Revenue should provide secure containers for service center employees to store discovered remittances prior to inventory and submission to the Receipt and Control Branch. Immediately upon discovery, the receipts should be recorded into a control log, the receipts secured in a locked container, and the discovered receipts reconciled to the control log prior to submission for processing.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Closed - Implemented

    Comments: IRS reported that because these checks were located in Receipt and Control, and they had taken other steps to mitigate the risk of theft in Receipt and Control, no further action was planned. During its fiscal year 2003 financial audit, GAO noted that at two of the four service centers it visited, IRS did store unmatched checks in locked containers. Furthermore, while IRS is not consistently storing unmatched checks in locked containers, it has significantly improved physical security controls over the Receipt and Control Branch, a restricted area.

    Recommendation: To reduce the vulnerability of receipts that are especially susceptible to theft and misuse, the Commissioner of Internal Revenue should ensure that all unmatched checks are stored in locked containers until they can be researched and processed for deposit.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Closed - Implemented

    Comments: IRS issued a memorandum to Submission Processing (SP) Field Directors prior to filing season reinforcing the importance of ensuring SP procedures and policies regarding overstamping of returned refund checks are followed. In addition, this requirement is part of the Campus Monthly Security Reviews. All findings are shared with SP Field Directors. Local management continues to remind employees of the importance of overstamping returned refund checks on a regular basis through individual and group meetings to ensure compliance with the Internal Revenue Manual (IRM) and security requirements. During its fiscal year 2005 audit, GAO found no instances where returned refund checks were not stamped "nonnegotiable" upon extraction at the four SCCs visited.

    Recommendation: To reduce the vulnerability of returned refund checks to theft, the Commissioner of Internal Revenue should ensure that all returned refund checks are stamped non-negotiable as soon as they are extracted.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Closed - Implemented

    Comments: GAO confirmed that IRS has communicated the requirements to the field offices through its new Customer Service Operating Guidelines and that access to the keys to the containers is restricted. However, GAO found issues with the implementation of these requirements. At one of the sites visited during fiscal year 2001, GAO found that walk-in payments were not stored in a locked container for the first 11 months of the fiscal year. Additionally, GAO found that all seven employees at another site it visited had access to the keys to the cabinet used to store receipts during non-operating hours. GAO will continue to evaluate IRS's efforts in its fiscal year 2002 financial audit.

    Recommendation: To better safeguard receipts at district offices, the Commissioner of Internal Revenue should require district office employees to store walk-in payments in secure containers in accordance with IRM 1(16)(41), section 500. District office management should ensure that this policy is followed and should limit the number of employees with access to the keys or combination to these containers.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  6. Status: Closed - Not Implemented

    Comments: Per IRS: Because of organizational restructuring, the recommendation is no longer directly applicable to IRS's current business operations. The Wage and Investment (W&I) Division is no longer organized by districts, and no longer has teller functions. Additionally, IRS addressed the operations aspect of the recommendation and the managerial aspects of the control logs and reviews with procedures and processes in recommendations 99-22, 02-16, and 05-33. Per GAO: The original report issued in November 1998 directs the intent of this recommendation to the Customer Service Units at district offices that collected walk-in payments. Since that time IRS reorganized its operations into four operating divisions with particular responsibility for the collection of individual and corporate taxes, examination of returns, and taxpayer assistance. Specifically, the W&I Division's Taxpayer Assistance Centers (TACs) now handle the collection of walk-in payment receipts. Therefore, we agree that recommendations issued in later GAO reports addressing physical security over taxpayer receipts and data (recommendation numbers 99-22, 02-16 and 05-33 listed in GAO-08-693) address the substance of the weaknesses reported in this November 1998 report. Because those later recommendations are still open, we are closing this recommendation as not implemented. We will continue to monitor those recommendations to assess IRS's corrective actions.

    Recommendation: To improve accountability for walk-in payments received, the Commissioner of Internal Revenue should ensure that these receipts are recorded in a control log prior to depositing the receipts in the locked container and ensure that the control log information is reconciled to receipts prior to the submission of the receipts to another unit for payment processing. To ensure proper segregation of duties, the reconciliation should be performed by an employee not responsible for logging receipts in the control log.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  7. Status: Closed - Implemented

    Comments: After studying this issue, IRS issued new policies in April and November 1999, requiring the use of two couriers with proper identification, couriers to be bonded, the use of locked, enclosed vehicles, and deposits to be delivered directly with no stops in between. It also requires all district and post-of-duty offices to send tax receipts by overnight mail to designated service centers for deposit. If effectively implemented, the new courier policies should greatly reduce the vulnerability and risk associated with transporting IRS deposits by courier.

    Recommendation: To ensure that IRS meets its responsibility to protect government assets and taxpayer information, the Commissioner of Internal Revenue should study the feasibility of improving security for its deposits in transit. In conducting this study, IRS should consider a number of alternatives, including the use of depositories in closer proximity to its various field locations and employing security guards to accompany couriers to the depositories.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  8. Status: Closed - Implemented

    Comments: After studying this issue, IRS issued new policies in April and November 1999, requiring the use of two couriers with proper identification, couriers to be bonded, the use of locked, enclosed vehicles, and deposits to be delivered directly with no stops in between. It also requires all district and post-of-duty offices to send tax receipts by overnight mail to designated service centers for deposit. If effectively implemented, the new courier policies should greatly reduce the vulnerability and risk associated with transporting IRS deposits by courier.

    Recommendation: To limit exposure to losses of deposits in transit, the Commissioner of Internal Revenue should develop a policy to ensure that contracts related to courier services do not unduly expose the government to losses in the event of lost, stolen, or damaged deposits in transit.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  9. Status: Closed - Implemented

    Comments: GAO confirmed that couriers are no longer allowed service center access beyond the guard stations.

    Recommendation: To limit courier access to sensitive taxpayer information and unguarded receipts in the Receipt and Control Branch, the Commissioner of Internal Revenue should ensure that courier access is limited to service center premises. Deposit unit employees should deliver the deposits to couriers waiting at the guard station instead of providing couriers badges allowing them unnecessary service center access.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  10. Status: Closed - Implemented

    Comments: IRS determined that reevaluation of positions for reclassification was not needed, and it took other steps to mitigate the risk of theft in Receipt and Control. For instance, IRS issued a new policy requiring fingerprinting of job applicants at the earliest possible time in the application process. IRS issued a subsequent clarification to this policy to further enhance this control procedure.

    Recommendation: To ensure that employees assigned to process receipts and sensitive taxpayer data are subjected to the appropriate level of background check, the Commissioner of Internal Revenue should reevaluate the risk classification of all positions in IRS' Receipt and Control Branch and reclassify such positions where appropriate and in conformance with Office of Personnel Management (OPM) guidelines.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  11. Status: Closed - Implemented

    Comments: GAO confirmed that IRS established procedures requiring local hiring offices to review hiring database reports, to monitor compliance with the fingerprint policy, and to ensure the accuracy of the hiring database. The procedures require managers to take corrective actions when the reports showed instances of noncompliance. However, certain implementation issues exist which continued to result in instances where employees entered on duty but were not fingerprinted until a few days or months later, and a few instances where IRS had no record of completed fingerprint checks.

    Recommendation: To reduce the incidence of applicants not subjected to fingerprint checks, the Commissioner of Internal Revenue should: (1) establish procedures to review the applications and associated documents for all applicants given job offers to ensure that fingerprint checks are initiated on these individuals; and (2) implement procedures to provide supervisory feedback on these reviews as necessary to ensure that personnel staff are aware of and follow IRS' policy requiring fingerprint checks on all applicants prior to their reporting for duty.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  12. Status: Closed - Implemented

    Comments: GAO confirmed that IRS issued policies requiring fingerprinting for all filing season applicants at the earliest possible time in the job application process. However, GAO continued to find issues with the implementation of these policies, such as instances where new hires were not fingerprinted until several days or months after their entry on duty dates. These new hires were assigned to positions, such as data transcription and mail clerks, which gave them access to taxpayer data and receipts. GAO will continue to evaluate the effectiveness of IRS's efforts to implement these policies during its fiscal year 2002 financial audit.

    Recommendation: To assist in the prompt receipt of fingerprint results of applicants, the Commissioner of Internal Revenue should continue with the agency's plans to develop and implement a policy to fingerprint filing season applicants on their first personal contact with the agency.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  13. Status: Closed - Implemented

    Comments: In April 2000, IRS issued a policy memo requiring fingerprint checks be received and results be evaluated before employees in any IRS office can begin working, and it issued a further clarifying memo in August 2000. While IRS and Office of Personnel Management hiring data showed that IRS continued to hire employees who had access to taxpayer receipts and data in fiscal year 2002, before it received the results of their fingerprint checks, GAO noted significant improvement over fiscal year 2001, in implementing the April 2000 policy. GAO will continue to evaluate the effectiveness of IRS's efforts in its fiscal year 2003 financial audit.

    Recommendation: To reduce the opportunity for employees with unsuitable backgrounds to steal receipts, until the problems with delays in fingerprint checks are resolved, the Commissioner of Internal Revenue should develop and implement a policy prohibiting new employees from being assigned to process receipts until results of fingerprint checks are received and reviewed by management.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  14. Status: Closed - Implemented

    Comments: In November 1999, IRS implemented the Integrated Automated Fingerprint Identification System (IAFIS) to reduce the turnaround time for IRS to receive FBI fingerprint check results. GAO confirmed that the implementation of IAFIS reduced the turnaround time for IRS to receive the FBI fingerprint check results to about 11 days, thus reducing the need to obtain earlier indications of potential background problems, which was the impetus for this recommendation. Effective implementation of an April 2000 policy, prohibiting the employment of new hires until the results of FBI fingerprint checks have been received and evaluated, would further improve this process.

    Recommendation: To provide suitability information on a more timely basis, the Commissioner of Internal Revenue should continue the agency's efforts to explore the feasibility of obtaining local police checks on IRS applicants and evaluate the efficiency and effectiveness of Philadelphia Service Center's electronic fingerprinting system in order to supplement the Federal Bureau of Investigations (FBI) fingerprint checks and to ensure that, at a minimum, local arrest records are brought immediately to IRS' attention.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  15. Status: Closed - Implemented

    Comments: IRS reported that as of April 2000, all service centers were in compliance with this recommendation. During the fiscal year 2000 financial audit, GAO noted marked improvement in IRS's storage of receipts and returns in overflow areas.

    Recommendation: To ensure that the mail extraction process takes place in a secure and restricted access area, as required by the Internal Revenue Manual (IRM), the Commissioner of Internal Revenue should improve the physical security controls over receipts and returns stored in unsecured overflow areas. These controls might include limiting unnecessary traffic by temporarily designating these overflow areas as restricted access areas and posting additional security guards over such areas during peak filing season.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  16. Status: Closed - Implemented

    Comments: IRS reported that it installed IAFIS equipment at OPM and 22 IRS sites, including the 10 service centers. GAO confirmed that IRS is participating in IAFIS, and found that IAFIS significantly reduced IRS's turnaround time for receiving the results of fingerprint checks.

    Recommendation: In the long term, to decrease the turnaround time for FBI fingerprint check results, the Commissioner of Internal Revenue should continue the agency's efforts to negotiate with OPM and the FBI and procure the necessary equipment so that it can participate in the FBI's Integrated Automated Fingerprint Identification System program by August 1999.

    Agency Affected: Department of the Treasury: Internal Revenue Service

 

Explore the full database of GAO's Open Recommendations »

Sep 30, 2016

Sep 29, 2016

Sep 28, 2016

Sep 27, 2016

Sep 26, 2016

Sep 23, 2016

Sep 21, 2016

Sep 7, 2016

Aug 30, 2016

Looking for more? Browse all our products here