Most Security Controls Were Adequate at the New Lockbox
Facility in Dallas, but Some Improvements Are Needed
July
2002
Reference
Number: 2002-30-127
This report has cleared the Treasury
Inspector General for Tax Administration disclosure review process and
information determined to be restricted from public release has been redacted
from this document.
July
5, 2002
MEMORANDUM FOR
COMMISSIONER ROSSOTTI
FROM: (for) Pamela J. Gardiner /s/ Scott E.
Wilson
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Most Security
Controls Were Adequate at the New Lockbox Facility in Dallas, but Some
Improvements Are Needed (Audit # 200230016)
This
report presents the results of our review of security at the Internal Revenue
Service’s (IRS) lockbox facility in Dallas, Texas. The overall objectives of this review were to:
·
Evaluate the physical and internal controls of the new
lockbox facility to determine whether taxpayer remittances were adequately
safeguarded and taxpayer information was protected from unauthorized
disclosure.
·
Determine whether the facility provided for employee safety
and ensured that operations would continue in the event of a disaster or
receipt of hazardous material in the mail.
The
IRS lockbox program consists of commercial banks that have contracted with the
Financial Management Service (FMS) to process tax payments. This program was designed to accelerate the
deposit of tax payments by having taxpayers send their payments to commercial
banks rather than to the IRS.
With
this acceleration can come significant risks, however, as was evidenced during
2001 when control weaknesses contributed to the loss of taxpayer payments and
taxpayer information at a lockbox bank in Pittsburgh, Pennsylvania. Approximately 71,000 taxpayer remittances
valued in excess of $1.2 billion were lost or destroyed.
The
Dallas lockbox facility began receiving tax payments in December 2001. The bank receives payments for U.S.
Individual Income Tax Returns (Form 1040 series), employment tax returns (Form
940 series), and other miscellaneous types of taxes. In Calendar Year (CY)
2001, lockbox banks processed more than 72 million payments totaling over $329
billion. Lockbox banks processing
payments for the Ogden and Austin Submission Processing Centers received
approximately 21.5 percent of the total dollars processed by lockbox banks in
2001.
In
summary, we found the lockbox facility in Dallas was in compliance with most of
the security requirements in the Lockbox Processing Guidelines for 2002. However, improvements were needed in
security for courier services, packaging of remittances, adherence to candling
requirements, documentation of personnel files, and destruction of sensitive
taxpayer information. We made specific
recommendations to improve controls in each of these areas.
Management’s
response was due on June 27, 2002. As
of July 3, 2002, management had not responded to the draft report.
Issues
regarding the adequacy of the Lockbox Processing Guidelines themselves are not
included in this report. These issues
will be addressed in a separate report covering all three lockbox operations
recently reviewed.
Copies of this
report are also being sent to the IRS managers who are affected by the report
recommendations. Please contact me at
(202) 622-6510 if you have questions, or your staff may call Gordon C. Milbourn
III, Assistant Inspector General for Audit (Small Business and Corporate
Programs), at (202) 622-3837.
The Dallas Lockbox Facility Met Most Physical and Data Security
Guidelines
Appendix I – Detailed Objectives, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
The Internal Revenue Service (IRS) lockbox program consists
of commercial banks that have contracted with the Financial Management Service
(FMS) to process tax payments. This
program was designed to accelerate the deposit of tax payments by having
taxpayers send their payments to commercial banks rather than to the IRS. There are 9 lockbox sites nationwide that
support the 10 IRS Submission Processing Centers. The lockbox sites augment the 10 Submission Processing Centers’
remittance processing capabilities, and were contracted to help the IRS
optimize deposits to the Treasury and increase interest savings.
Bank of America operates the Dallas, Texas, lockbox facility
that processes business tax payments for the Ogden Submission Processing Center
and individual tax payments for the Austin Submission Processing Center. This is the first year of operation for the
Dallas facility, which began receiving and processing payments in December
2001. The lockbox receives payments for
U.S. Individual Income Tax Returns (Form 1040 series), employment tax returns (Form
940 series), and other miscellaneous types of taxes. In Calendar Year (CY) 2001, lockbox banks processed more than 72
million payments totaling over $329 billion.
Lockbox banks processing payments for the Ogden and Austin Submission
Processing Centers received approximately 21.5 percent of the total dollars
processed by lockbox banks in 2001.
The protection of both remittances and the associated
taxpayer information is a unique requirement for these processing sites. Secure facilities and systems are required,
as well as background investigations on the large numbers of temporary
employees required to handle the four annual peak periods when the tax payments
are due.
The Lockbox Processing Guidelines represent the agreement
among the IRS, the FMS, and the banks detailing the specific services that the
banks will perform for the IRS. These
services include tasks that the IRS would otherwise have to do, such as
ensuring checks are properly endorsed and deposited, providing security over
the remittances and taxpayer data, and creating computer tapes of payment
transactions. The lockbox also
receives, sorts, and ships tax returns to the IRS. The IRS and the FMS are responsible for providing oversight of
lockbox activities to ensure that the banks adhere to the requirements in the
Guidelines.
While the lockbox system is intended to provide the
government with efficient cash management, there have been instances of fraud,
waste, and abuse that demonstrated a need for increased controls. In 1998, over 400 checks were discovered in
a night shift manager’s desk drawer at a lockbox bank in Charlotte, North
Carolina. In 2001, control weaknesses
contributed to the loss of taxpayer payments and taxpayer information at a lockbox
bank in Pittsburgh, Pennsylvania. Approximately
71,000 remittances valued in excess of $1.2 billion were lost or destroyed.
We conducted audit work at the Dallas lockbox facility and
the Ogden Submission Processing Center from January through April 2002. The audit was conducted in accordance with Government Auditing Standards. Detailed
information on our audit objectives, scope, and methodology is presented in
Appendix I. Major contributors to the
report are listed in Appendix II.
The Dallas lockbox facility was in compliance with most of
the 2002 Lockbox Processing Guidelines concerning physical and data
security.
Employee background screening for personnel security met
processing guidelines
The required Federal Bureau of Investigation (FBI)
fingerprint check was completed prior to the date of access to the lockbox for
each individual included in our judgmental sample of bank employees, temporary
employees, and vendors working in the lockbox processing area.
Most courier requirements were met
Couriers were insured for $1 million, and emergency contact
information was provided to lockbox management as required. The courier services’ disaster contingency
plan covered all significant required situations.
Couriers displayed identification cards, documented pick-ups
and deliveries in appropriate logs, were equipped with communication equipment,
traveled in pairs, and transported packages to the final destination without
intermediary stops in vehicles that met processing guideline requirements.
Overall, adequate physical security responsibilities and
controls had been established
Security reviews performed by the IRS and the FMS showed the
lockbox bank’s readiness to begin processing.
Proper corrective actions were taken on security breaches and control
weaknesses identified by the IRS and the FMS.
The intrusion detection system, duress alarms, automated
entry system, perimeter security, and surveillance equipment all complied with
processing guideline requirements.
Entry into the lockbox processing area was limited to
authorized personnel displaying proper identification badges. Lockers were provided outside of the
controlled working areas, and personal items were not allowed in the processing
area.
The required guards were on duty. The guard service provided for sign-in/sign-out control for all
visitors, inspection of all packages and mail deliveries, monitoring of courier
deliveries, and escort of mail-out packages for courier pick-up.
Overall, adequate data security responsibilities and
controls had been established
Currency, keys, key cards, and date stamps were properly
controlled and stored in containers to deter theft and fraud, as required. Lockbox management was performing required
searches for unprocessed remittances and tax returns and properly maintaining a
log identifying the desk reviews performed.
Further, remittances were properly stamped with “United States Treasury”
or other acceptable payee designations in the payee section.
Lockbox employees certified that they understood disclosure
restrictions and security procedures prior to accessing tax information by
signing disclosure statements and attending security awareness training.
Controls were in place to provide for employees’ safety and
to ensure that operations continued in the event of a disaster or receipt of
hazardous or life-threatening material in the mail
Lockbox management had properly briefed employees who
handled the incoming mail regarding safety procedures, including the identification
of suspicious letters and packages. The
instructions were current and adequate to protect employees in case of an
accident or receipt of contaminated mail.
The safety procedures, along with emergency contact numbers, were posted
in the mail receipt area.
The mail was received and opened at one central
location. All mail receipts were routed
through the United States (U.S.) Post Office.
Facilities for potentially exposed employees to wash were within a
reasonable distance of the mail area.
Lockbox management had developed an occupant emergency plan
that conformed to processing guideline requirements. Lockbox management had also established a business continuity/
contingency plan to ensure that mail and normal work operations continued in
the event of a disaster or receipt of life-threatening material through the
mail.
Additional controls or actions need to be implemented to
reduce the risks associated with processing large volumes of taxpayer
remittances that could lead to financial losses and disclosure of sensitive tax
information.
Controls need strengthening to ensure that only authorized
courier employees have access to taxpayer remittances and sensitive taxpayer
information
The lockbox facility uses two courier services as well as an
air transport company to transport remittances and tax returns among the U.S.
Post Office, the lockbox processing facility, the depository bank, and the IRS
Submission Processing Center. We found
the following weaknesses in controls related to courier services.
·
Couriers
were granted access to IRS materials prior to the lockbox receiving results of
their FBI fingerprint checks.
Three couriers were allowed access
to the lockbox and taxpayer information prior to the receipt of the results of
their FBI fingerprint checks, because lockbox management did not develop and
implement procedures to ensure proper clearance had been granted prior to
couriers receiving IRS data. Two of
these couriers actually had questionable results when the FBI fingerprint
checks were completed. The questionable
items were ultimately resolved, and the couriers were approved for access to
the lockbox.
An FBI fingerprint check must be
performed for each individual who will have access to the lockbox processing
area or taxpayer information. The
results of the fingerprint check must be obtained prior to the date on which an
individual is granted access to IRS data.
·
Couriers with questionable FBI fingerprint results
continued to receive access to the lockbox.
Fingerprint checks for three
couriers with access to the lockbox indicated the couriers had some criminal
history. All three of these couriers
were approved for access to the lockbox based on the investigation of a local
security company, as verified by the National Background Investigation Center
(NBIC). However, the reliability of the
local investigation is questionable because only one week prior to receiving
the FBI fingerprint check indicating a criminal history for one courier, the
security company issued a letter to the courier stating there was “no
indication of Texas criminal history or nationwide warrants for arrest as of
this date.” The courier provided a copy
of the letter to the lockbox bank. In
reality, this courier had two arrests in Texas. More significant, two of these couriers were allowed access to
the lockbox between the dates that the FBI fingerprint check indicated a
criminal history, and the dates that the IRS approved the couriers based on the
follow-up performed by the local security company and the NBIC.
The guidelines and letters
provided to the lockbox bank state that if FBI fingerprint checks indicate a
potential criminal history, further investigation will be required by the NBIC
before a determination can be made regarding an individual’s access to the IRS
lockbox facility. They further state
that all FBI “hits” must be resolved before an individual is allowed access to
the lockbox site. Lockbox management
had not developed and implemented procedures to ensure that couriers with
questionable fingerprint results were restricted from access to lockbox data
until all questionable items were resolved.
·
One courier service did not provide lists of
authorized courier employees or notify the lockbox within 24 hours, via
facsimile transmission, when an employee was hired or discharged from his/her
duties.
Lockbox personnel talked with the
courier service frequently, and learned about staff changes in these informal
conversations. However, courier
services are required to notify the lockbox within 24 hours, via facsimile
transmission, when an employee assigned is discharged or when a new employee is
hired. Lockbox management did not
require the courier service to provide the required documentation for staff
changes.
·
Couriers for one company did not wear company logo
uniforms that allow for proper identification.
The Lockbox Processing Guidelines
require that courier service employees wear a company logo uniform. However, these courier drivers dealt
specifically with personnel from the IRS and the air transport service, but not
with lockbox personnel, so lockbox management was not aware that the couriers
did not wear appropriate uniforms.
·
Shipments of tax returns and remittances from the
lockbox bank to the Submission Processing Center were left unsecured by the air
transport company.
We observed a shipment of tax
returns and unprocessed remittances left unattended on a loading dock at the
air transport company. The tax data was
accessible to employees of the air transport service as well as anyone
accessing the loading dock.
The processing guidelines do not
give specific instructions regarding air transport services. However, in our view the same controls and
precautions to prevent disclosure and theft of taxpayer remittances and tax
data employed by ground courier services and lockbox facilities should apply to
shipments sent by air transport.
Reviews conducted by the IRS and the FMS did not address
courier controls. The weaknesses
discussed above increase the risk of disclosure of sensitive taxpayer data and
theft of remittances.
Remittances were not properly packaged for transport
Remittances were not placed in secured sleeves or locking
containers that provided proper protection and met the minimum processing
guidelines shipping requirements. The
remittances, which included those processed by the lockbox bank and ready for
deposit, as well as those being shipped to the Submission Processing Center for
processing, were instead placed in cardboard boxes that were sealed with tape
and heat strapping.
The Lockbox Processing Guidelines require that remittances
be packaged in cardboard boxes with heat strapping and placed in cloth sleeves
that can be sealed with an identification number or tag. Remittances can also be transported in
secure, locked metal or plastic boxes.
The guidelines were not fully implemented because lockbox
bank staff thought they met packaging requirements agreed to by the IRS by
placing all tax information and remittances in cardboard boxes that were taped
and heat strapped. As a result, the
risk of theft or loss is increased because courier personnel and others could
gain access to tax remittances.
Controls to ensure that all documents were removed from
envelopes were not implemented
To ensure that all documents are identified and removed from
envelopes, the lockbox must either view the envelopes through a light source to
determine if any contents remain in the envelope (this process, referred to as
“candling,” must be performed twice), or split the envelope on three sides and
flatten it. When a check or money order
is found, the bank employee should enter the information from the item found on
Record of Lockbox Discovered Remittance and Correspondence (Form 9535). An entry should be made every day, each
shift, whether items were found or not.
The manager should initial the Form 9535 every day for each shift.
At the time of our review, odd sized envelopes (referred to
as fats and flats) were candled only once.
In addition, results of candling activities were not always documented
in the required logs, and managerial reviews were not always documented for
entries in these logs.
Lockbox management was not aware that they were not meeting
candling requirements. Neither internal
nor external reviews addressed candling operations.
Insufficient candling increases the risk of taxpayer
remittances being lost or destroyed which may result in taxpayer burden and
embarrassment to the government.
Further, unless a record of discovered remittances is maintained, the
IRS and bank management cannot evaluate the effectiveness of manual and machine
mail extraction operations.
Employee personnel files did not contain all required
information
The lockbox bank maintained temporary employee personnel
files without all required information and documents present. Employee files did not contain a current and
valid proof of identification with photograph, results of the FBI fingerprint
check, and documentation of employee security training and orientation.
The Lockbox Processing Guidelines require the lockbox banks to
maintain personal files for employees that contain a signed written waiver to
authorize a fingerprint check; the results of the fingerprint check; name, date
of birth, social security number, and current, valid proof of identification;
hand-writing examples; and photograph.
The lockbox must document employees’ certification of security procedures
and instructions.
Lockbox management had not established procedures to
accumulate and maintain required information in specific personnel files. For example, fingerprint results were in one
location rather than in each individual folder. Lockbox management thought they were meeting requirements
relating to each employee’s identification and photograph because they required
employees to surrender driver’s licenses before receiving temporary
identification badges.
Inadequate information and documentation for employees
exposes the lockbox to increased risks of unauthorized individuals gaining
access to payments and sensitive taxpayer data.
Lockbox management did not receive confirmation that
waste material which could have contained sensitive taxpayer information was
properly destroyed
Waste material generated in the processing of tax documents,
protected data, or other related documents must be properly destroyed by one of
a variety of methods, including shredding.
The purpose of destroying the information is to keep it from being
disclosed to unauthorized individuals.
Generally, the information must be destroyed in the presence of an IRS
employee. However, under certain
conditions, a sub-contractor may collect and destroy the information. One of the conditions imposed is that the
sub-contractor provide a certificate of destruction.
Rather than issuing a separate contract for destruction of
IRS waste, lockbox management used the same contractor hired to destroy
information for the bank’s other operations.
The disposal company did issue a certificate of destruction, but the
certificate went to the bank’s headquarters office, and no confirmation was
provided to management of the lockbox facility. This increased the risk of undetected loss or disclosure of
sensitive taxpayer information.
The Directors, Customer Account Services, Small Business/
Self-Employed and Wage and Investment Divisions should work with the Deputy
Chief, Agency-Wide Shared Services to ensure that lockbox management:
1.
Develops procedures and
implements courier controls as required by Lockbox Processing Guidelines. Subsequent oversight reviews should ensure
that procedures and controls have been implemented.
2.
Requires air transport
services to maintain adequate security at all times over shipments of IRS
materials placed in their charge.
3.
Adheres to requirements for
packaging remittances for transport.
The requirements should be met for remittances transported to the bank
for deposit as well as for deposits shipped to the Submission Processing Center
for processing.
4.
Performs
and documents required reviews of candling practices.
5.
Establishes and implements
procedures to accumulate and maintain adequate information in each employee’s
personnel file to readily determine that the employee has met all necessary
requirements for access to the lockbox.
The review of these files should be included as part of oversight
reviews.
6.
Receives confirmation that
IRS waste material has been destroyed.
Management’s Response: Management’s response was due on June 27,
2002. As of July 3, 2002, management
had not responded to the draft report.
Appendix I
Detailed Objectives, Scope, and Methodology
The overall objectives of this review were to:
·
Evaluate the physical and internal controls of the new
lockbox facility in Dallas, Texas, to determine if taxpayer remittances were
adequately safeguarded and taxpayer information was protected from unauthorized
disclosure.
·
Determine whether the facility provided for employee
safety and ensured that operations would continue in the event of a disaster or
receipt of hazardous material in the mail.
To accomplish these objectives, we:
I.
Determined
the adequacy of employee background screening and controls for personnel
security. From approximately 400 files
maintained by the temporary hiring agencies and the lockbox, we:
A.
Reviewed
a judgmental sample of 61 temporary employees, bank employees, couriers,
cleaning personnel, and others, to ensure that a Federal Bureau of
Investigation (FBI) fingerprint check had been completed prior to the date of
employment for all individuals that had access to the lockbox processing area
or taxpayer information. A judgmental
sample was used because statistical projections were deemed unnecessary.
B.
Reviewed
a judgmental sample of 44 lockbox employee personnel folders to determine
whether required personnel information was present. Again, a judgmental sample was used because statistical
projections were unnecessary.
Samples in A. and B. above were pulled
in the following manner:
·
We
sampled temporary employees by selecting employee folders at random from files
maintained by the temporary employment agencies. The temporary employment agencies maintained these folders in
locking cabinets.
·
We
sampled bank employees by picking names at random from a listing provided by
lockbox management. Lockbox management maintained
files for these employees in individual folders in locking cabinets.
·
We
reviewed all of the couriers included on listings of designated couriers, and
sampled vendors by selecting folders at random from files of vendors maintained
by the lockbox. Lockbox management maintained
files for the couriers and vendors in individual folders in locking cabinets.
II.
Determined whether
remittance and taxpayer information was properly received and delivered by an
authorized courier service.
III.
Determined
whether the Internal Revenue Service (IRS), the Financial Management Service
(FMS), and the lockbox bank had established responsibilities and controls for
physical security.
IV.
Determined
whether the IRS, the FMS, and the lockbox bank had established responsibilities
and controls for data security.
V.
Determined
whether adequate controls were in place to provide for employees’ safety and
ensured that operations continued in the event of disaster or receipt of
hazardous or life-threatening material in the mail.
Appendix II
Major Contributors to This Report
Gordon C. Milbourn III, Assistant Inspector
General for Audit (Small Business and Corporate Programs)
Richard J. Dagliolo, Director
Kyle R. Andersen, Audit Manager
Kyle D. Bambrough, Senior Auditor
Larry Madsen, Senior Auditor
Douglas
C. Barneck, Auditor
Appendix III
Deputy
Commissioner N:DC
Commissioner, Small
Business/Self-Employed Division S
Commissioner,
Wage and Investment Division W
Chief, Agency-Wide
Shared Services A
Deputy
Commissioner, Small Business/Self-Employed Division S
Deputy
Commissioner, Wage and Investment Division
W
Deputy Chief, Agency-Wide Shared Services A
Director, Customer Account Services, Small
Business/Self-Employed Division S:CAS
Director, Customer Account Services, Wage and Investment
Division W:CAS
Chief Counsel CC
National Taxpayer Advocate
TA
Director, Legislative Affairs CL:LA
Director,
Office of Program Evaluation and Risk Analysis
N:ADC:R:O
Office of
Management Controls N:CFO:F:M
Audit
Liaisons:
Commissioner, Small
Business/Self-Employed Division S
Commissioner, Wage and Investment
Division W
Chief, Agency-Wide Shared Services A