TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION
Management Should Take Action to Address Employees' Personal Use of E-Mail
Reference No. 2001-20-017
E-mail use for business purposes is escalating rapidly as government and private industry increasingly recognize that electronic messaging is faster and cheaper than more traditional methods of communication. Increased use of e-mail as an effective business tool should be encouraged within an organization because many benefits, such as more rapid and accurate communication, accrue due to its use. Along with the benefits come some risks. While some are widely known, such as the potential spread of computer viruses, others may also lead to negative consequences. Non-business use of e-mail is among these risks. The Internal Revenue Service (IRS) currently has approximately 70,000 computers that can transmit and receive e-mail and will soon almost double this number. We conducted this review to determine whether management had adequate controls for ensuring that employees do not misuse the IRS e-mail system.
Although e-mail records maintained by the IRS and the Treasury Department were limited, we identified strong evidence of significant non-business use of e-mail by IRS employees. In our opinion, management needs to take action to limit the non-business use of e-mail.
Employee Non-Business Use of E-Mail Appears Significant
Approximately 47 percent of the 82,000 incoming e-mails we reviewed were for non-business purposes. These e-mails had been sent to IRS employees from outsiders and ranged from an online travel magazine to an address providing daily jokes. For example, we identified 1 employee who received 1,151 messages from a "Shared Parenting" organization. Another individual received 450 e-mails from a high school alumni group, while another had 84 messages from a group connected to a popular rock singer.
Due to limitations in the data and difficulty in identifying certain addresses, we could not determine whether e-mails were for business or non-business use for another 47 percent of the incoming e-mails. We considered only six percent of the e-mails as clearly business-related since the messages were from sites that provided financial, computer, and tax-related information. Even though employees cannot always control e-mail received from outsiders, the effect these e-mails are having on productivity, telecommunications capacity, and the potential spread of computer viruses should be addressed.
While data were not available to analyze the addresses of outgoing messages for non-business use, we noted certain e-mail usage that appeared questionable because of the number of messages sent. For example, we identified 1 employee who sent 26,000 messages and another who sent over 13,000 messages during the 75 workdays we reviewed. We were unable to review e-mail sent between IRS employees because the IRS had no standard e-mail storage procedures and the messages were not available for review.
The true extent and effects of non-business e-mails were not known because the IRS did not maintain cost data for telecommunications capacity dedicated to e-mail. However, because of the high number of non-business e-mails in our limited sample and examples from the private sector, we believe the impact on productivity and telecommunications capacity could be significant. The IRS could also be exposed to computer viruses transmitted by e-mail and to lawsuits if e-mail messages contain inappropriate or offensive material.
Management had not yet implemented government and industry recommendations for controlling e-mail misuse by employees. The Technology Security Committee, chaired by the Chief Information Officer, recently issued a policy to employees on the use of all electronic communication, including e-mail. Previously, emphasis had not been placed on the need to use e-mails for business purposes only. Procedures are still needed to enforce the policy.
Summary of Recommendations
Actions are needed to identify the extent of inappropriate use of e-mail and to curb the use of non-business e-mails to improve productivity and reduce telecommunications costs. The Chief Information Officer should follow the lead of many in the private sector and develop controls and procedures to enforce the policy prohibiting the use of non-business e-mails. While we recognize that monitoring employees’ e-mails is sensitive due to privacy concerns, management should implement a system to ensure compliance with the recently issued electronic communication policy and emphasize to employees the effects of unauthorized e-mails.
Management's Response: Management's response was due on November 1, 2000. As of November 14, 2000, management had not responded to the draft report.