Most Security Controls Were Adequate at the New Lockbox Facility in Cincinnati, but Some Improvements Are Needed
July 2002
Reference Number: 2002-30-126
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
July 10, 2002
MEMORANDUM FOR COMMISSIONER ROSSOTTI
FROM: (for) Pamela J. Gardiner /s/ Daniel R. Devlin
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Most Security Controls Were Adequate at the New Lockbox Facility in Cincinnati, but Some Improvements Are Needed (Audit # 200230022)
This report presents the results of our review of the lockbox program in a Cincinnati bank. Our objectives were to:
· Evaluate the physical and internal controls of the new lockbox facility in Cincinnati, Ohio, to determine whether taxpayer remittances were adequately safeguarded and taxpayer information was protected from unauthorized disclosure.
· Determine whether the facility provided for employee safety and ensured that operations would continue in the event of a disaster or receipt of hazardous material in the mail.
The Internal Revenue Service (IRS) lockbox program consists of commercial banks that have contracted with the Financial Management Service (FMS) to process tax payments. This program was designed to accelerate the deposit of tax payments by having taxpayers send their payments to commercial banks rather than to the IRS.
With this acceleration can come significant risks, however, as was evidenced during 2001 when control weaknesses contributed to the loss of taxpayer payments and taxpayer information at a lockbox bank in Pittsburgh, Pennsylvania. Approximately 71,000 taxpayer remittances, valued in excess of $1.2 billion, were lost or destroyed.
The Cincinnati lockbox facility began processing tax payments for the Philadelphia Submission Processing Center in January 2002. The bank receives payments for U.S. Individual Income Tax Returns (Form 1040 series), employment tax returns (Form 940 series), international tax returns, and other miscellaneous types of taxes. In Calendar Year (CY) 2001 lockbox banks processed more than 72 million payments totaling over $329 billion. The lockbox bank processing payments for the Philadelphia Submission Processing Center received approximately 12 percent of the total dollars processed by lockbox banks in CY 2001.
In summary, the lockbox facility in Cincinnati was in compliance with most of the security requirements in the Lockbox Processing Guidelines for 2002. However, we did find the need for some improvement in courier security controls, controls over shipments of tax materials, and documentation of candling reviews. We recommended that lockbox management implement appropriate parts of the Lockbox Processing Guidelines addressing these areas.
Management’s response was due on June 28, 2002. As of July 5, 2002, management had not responded to the draft report.
Copies of this report are also being sent to the IRS managers who are being affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions, or your staff may call Gordon C. Milbourn III, Assistant Inspector General for Audit (Small Business and Corporate Programs), at (202) 622-3837.
The Cincinnati Lockbox Facility Met Most Physical and Data Security Guidelines
Appendix I – Detailed Objectives, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
The Internal Revenue Service (IRS) lockbox program consists of commercial banks that have contracted with the Financial Management Service (FMS) to process tax payments. This program was designed to accelerate the deposit of tax payments by having taxpayers send their payments to commercial banks rather than to the IRS. There are 9 lockbox bank sites nationwide that support the 10 IRS Submission Processing Centers. The lockbox bank sites augment the 10 Submission Processing Centers’ remittance processing capabilities, and were contracted to help the IRS optimize deposits to the Treasury and increase interest savings.
US Bank operates the Cincinnati, Ohio, lockbox facility that processes tax payments for the Philadelphia Submission Processing Center. This is the first year of operation for the Cincinnati facility, which began receiving and processing payments in January 2002. The lockbox receives payments for U.S. Individual Income Tax Returns (Form 1040 series), employment tax returns (Form 940 series), international returns, and other miscellaneous types of taxes. In Calendar Year (CY) 2001, lockbox banks processed more than 72 million payments totaling $329 billion. The Philadelphia Submission Processing Center received approximately 12 percent of the total dollars processed in CY 2001.
The protection of both remittances and associated taxpayer information is a unique requirement for these processing sites. Secure facilities and systems are required, as well as background investigations on the large numbers of temporary employees required to handle the four annual peak periods when the tax payments are due.
The Lockbox Processing Guidelines represent the agreement among the IRS, the FMS, and the banks detailing the specific services that the bank will perform for the IRS. These services include tasks that the IRS would otherwise have to do, such as ensuring checks are properly endorsed and deposited, providing security over the remittances and taxpayer data, and creating computer tapes of payment transactions. The bank also receives, sorts, and ships tax returns to the IRS. The IRS and the FMS are responsible for providing oversight of bank activities to ensure that the lockbox banks adhere to the requirements in the Guidelines.
While the lockbox system is intended to provide the Government with efficient cash management, there have been instances of fraud, waste, and abuse that demonstrated a need for increased controls. In 1998, over 400 checks were discovered in a night shift manager’s desk drawer at a lockbox bank in Charlotte, North Carolina. In 2001, control weaknesses contributed to the loss of taxpayer payments and taxpayer information at a lockbox bank in Pittsburgh, Pennsylvania. Approximately 71,000 remittances valued in excess of $1.2 billion were lost or destroyed.
Audit work was performed at the Cincinnati lockbox facility from January to April 2002. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objectives, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
The Cincinnati lockbox facility was in compliance with most of the CY 2002 Lockbox Processing Guidelines concerning physical and data security.
Employee background screening for personnel security met lockbox processing guidelines
The required Federal Bureau of Investigation (FBI) fingerprint check was completed prior to the date of employment for each individual included in our judgmental sample of temporary employees, bank employees, and vendors that were granted access to the lockbox processing area or to taxpayer information. All required personnel information was maintained in the employees’ files.
The courier service contract met minimum requirements
Couriers were insured for $1 million, and emergency contact information was provided to lockbox management as required. Also, the courier service disaster contingency plan covered all required situations.
Couriers were attired with a company logo, carried an identification card, traveled in pairs, were equipped with communication equipment, and transported packages to their final destination without intermediary stops in vehicles that met Lockbox Processing Guideline requirements.
Overall, adequate physical security responsibilities and controls had been established
Security reviews performed by the IRS and the FMS showed the lockbox bank’s readiness to begin processing. Proper corrective actions were taken on security breaches and control weaknesses identified by the IRS and the FMS.
Also, the intrusion detection system, duress alarms, automated entry system, perimeter security, and surveillance equipment all complied with Lockbox Processing Guideline requirements.
Entry into the lockbox processing area was restricted to properly authorized personnel displaying identification badges. Lockers were provided outside of the controlled working areas, and personal items were not allowed in the processing area.
Further, the required guards were on duty. The guard service provided for sign-in/sign-out control for visitors, inspection of incoming packages and mail deliveries, monitoring of courier deliveries, and escort of mail-out packages for courier pick-up.
Overall, adequate data security responsibilities and controls had been established
Currency, key cards, keys, and date stamps were properly controlled and stored in containers to deter theft and fraud. Lockbox management was performing required searches for unprocessed remittances and tax returns and properly maintaining a log identifying the desk reviews performed.
The identification badge and access card were returned timely and access to computer systems was properly removed for the one lockbox employee terminated in January 2002, our test period. Also, remittances were properly stamped with “United States Treasury” or contained other acceptable payee designations in the payee section.
In addition, lockbox employees certified that they understood disclosure restrictions and security procedures prior to accessing tax information by signing disclosure statements and attending security awareness training.
Controls were in place to provide for employees’ safety and to ensure that operations continued in the event of a disaster or receipt of hazardous or life-threatening material in the mail
The lockbox facility had properly briefed employees and documented the handling of incoming mail regarding safety procedures, including the identification of suspicious letters and packages. The instructions were current and adequate to protect employees in case of an accident or receipt of contaminated mail. The safety procedures, along with emergency contact numbers, were posted in the mail receipt area. The lockbox facility developed and updated an occupant emergency plan that conformed to Lockbox Processing Guideline requirements.
Also, the mail was received and opened at one central location. All mail receipts were routed through the United States (U.S.) Post Office. Facilities for potentially exposed employees to wash were within a reasonable distance of the mail area.
In addition, the lockbox facility established an occupant emergency plan, a business continuity plan, and a contingency plan to ensure normal work operations continued in the event of a disaster or receipt of hazardous or life-threatening material through the mail.
Additional controls or actions need to be implemented to reduce the risks associated with processing large volumes of taxpayer remittances that could lead to financial losses and erosion of taxpayer confidence.
Controls need strengthening to ensure that only authorized courier employees have access to taxpayer remittances and sensitive taxpayer information
· A courier was granted access to IRS materials prior to receiving FBI clearance
According to the Lockbox Processing Guidelines, an FBI fingerprint check must be performed for each individual who will have access to the lockbox processing area or taxpayer information. The results of the fingerprint check must be obtained prior to the date on which employment commences. The guards are responsible for verifying the courier identity to a photograph maintained by the bank for identification purposes.
However, a courier was allowed access to IRS materials prior to the receipt of a successful FBI fingerprint clearance, because the guards did not verify whether this courier appeared in the photograph log of approved couriers maintained at the guard console. As a result, the lockbox bank could have released IRS materials to an unauthorized person.
· Courier badges did not contain the required signatures
Identification badges did not contain the couriers’ signatures as required, because the contractor that created the badges did not provide for the inclusion of the courier signature as requested by the lockbox facility. This increased the risk of a breach in courier security, since security guards could not match the courier pictures and signatures to courier files maintained by the lockbox bank.
The Lockbox Processing Guidelines require the courier service to provide each employee assigned to the contract a printed identification card to include the company name, employee name, signature, identification number, and photograph.
· Use of related couriers increases the risk of collusion during transshipment of tax materials
A husband and wife courier team was responsible for a route in which they regularly delivered lockbox bank deposits to the depositary bank and delivered mail from the U.S. Post Office to the lockbox bank.
A prime reason for having couriers travel in pairs was to reduce the opportunity for theft. Theft requiring collusion is less likely to occur when two unrelated couriers are required.
However, the lockbox bank accepted the courier team as provided by the contractor. Hiring a husband and wife team increases the risk of collusion, and the law precludes requiring spouses to testify against one another.
Neither the IRS nor the FMS conducted reviews to identify the control weaknesses discussed above. These weaknesses increase the risk of disclosure of sensitive taxpayer data and theft of remittances.
Increased control over shipments of tax materials to the Philadelphia Submission Processing Center would reduce the risk of loss
Shipments of tax materials to the Philadelphia Submission Processing Center were not adequately controlled to ensure that they met minimum Lockbox Processing Guideline shipping requirements. Tax materials, consisting of all tax returns, and tax remittances that could not be processed, were packaged for daily shipment to the Submission Processing Center for further processing. This material was packed in cardboard boxes and sealed with clear tape without required heat strapping. Also, the lockbox bank did not maintain a log for daily shipments showing the date and time of pick-up, the number of boxes, and the courier driver’s signature. Further, the lockbox bank did not receive acknowledgement that each shipment was properly and timely received.
The Lockbox Processing Guidelines require, at a minimum, that boxes be taped and heat strapped and that a log be maintained showing the time of pick-up, number of boxes shipped, and the courier driver’s signature. The shipments must contain a Document Transmittal (Form 3210) itemizing the contents of the shipment. Upon receipt, Submission Processing Center personnel should use the enclosed Form 3210 to verify the contents and acknowledge receipt of the shipment by returning a signed copy.
Guidelines were not fully implemented with regard to packaging and controlling shipments of tax materials. Inadequate controls in verifying receipt of shipments of tax packages increase the risk of unidentified theft or loss of taxpayer remittances and documents.
Compliance with candling documentation requirements is needed
The Lockbox Processing Guidelines require that:
· When a check or money order is found, the bank employee should enter the information from the item found on the Record of Lockbox Discovered Remittance and Correspondence. An entry should be made to this candler log every day, each shift, whether items were found or not. The manager should initial the candler log every day for each shift.
Results of daily candling were not sufficiently documented. Entries to the candler log for discovered remittances and correspondence were not made every working day as required, nor were managerial initials shown for all log entries. Neither internal nor external reviews identified the oversights in the maintenance of candler logs.
Unless a record of discovered remittances is maintained, neither the IRS nor the bank management can evaluate the effectiveness of machines used for mail extraction. Any loss of taxpayer remittances or taxpayer documents may result in taxpayer burden and embarrassment to the Government.
The Directors, Customer Account Services, Small Business/Self-Employed and Wage and Investment Divisions, should work with the Deputy Chief, Agency-Wide Shared Services to ensure that lockbox management:
1. Implements courier controls as required by the Lockbox Processing Guidelines.
2. Adheres to security requirements for both packaging and tracking of tax material shipments to the Philadelphia Submission Processing Center.
3. Performs and documents required candling reviews.
Management’s Response: Management’s response to the draft report was due on June 28, 2002. As of July 5, 2002, management had not responded to the draft report.
Appendix I
The overall objectives of this review were to:
· Evaluate the physical and internal controls of the new lockbox facility in Cincinnati, Ohio, to determine if taxpayer remittances were adequately safeguarded and taxpayer information was protected from unauthorized disclosure.
· Determine whether the facility provided for employee safety and ensured that operations would continue in the event of a disaster or receipt of hazardous material in the mail.
To accomplish our objectives, we:
I. Determined the adequacy of employee background screening and controls for personnel security.
A. Reviewed a judgmental sample of 59 of 1,681 temporary employees, bank employees, couriers, cleaning personnel, and other contractors, with access to the processing site or Internal Revenue Service (IRS) materials, to determine whether a Federal Bureau of Investigation fingerprint check had been completed prior to the date of employment for all individuals that had access to the lockbox processing area or taxpayer information. A judgmental sample was used because statistical projections were unnecessary.
B. Reviewed the same judgmental sample of 59 lockbox employee personnel folders to determine whether required personnel information was present.
II. Determined whether remittance and taxpayer information was properly received and delivered by an authorized courier service.
III. Determined whether the IRS, the Financial Management Service (FMS), and the lockbox bank had established responsibilities and controls for physical security.
IV. Determined whether the IRS, the FMS, and the lockbox bank had established responsibilities and controls for data security.
V. Determined whether adequate controls were in place to provide for employees’ safety and ensure that operations would continue in the event of disaster or receipt of hazardous or life-threatening material in the mail.
Appendix II
Major Contributors to This Report
Gordon C. Milbourn III, Assistant Inspector General for Audit (Small Business and Corporate Programs)
Richard J. Dagliolo, Director
Robert K. Irish, Audit Manager
Daniel A. Zaloom, Senior Auditor
Carol C. Gerkens, Auditor
Stephen A. Wybaillie, Auditor
Appendix III
Deputy Commissioner N:DC
Commissioner, Small Business/Self-Employed Division S
Commissioner, Wage and Investment Division W
Chief, Agency-Wide Shared Services A
Deputy Commissioner, Small Business/Self-Employed Division S
Deputy Commissioner, Wage and Investment Division W
Deputy Chief, Agency-Wide Shared Services A
Director, Customer Account Services, Small Business/Self-Employed Division S:CAS
Director, Customer Account Services, Wage and Investment Division W:CAS
Chief Counsel CC
National Taxpayer Advocate TA
Director, Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis N:ADC:R:O
Office of Management Controls N:CFO:F:M
Audit Liaisons:
Commissioner, Small Business/Self-Employed Division S
Commissioner, Wage and Investment Division W
Chief, Agency-Wide Shared Services A