Executive Summary

Objectives and Scope

Background

Results

Conclusion

Appendix I – Detailed Objectives, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management’s Response to the Draft Report

Executive Summary

The Internal Revenue Service (IRS) has not ensured that access to government credit cards and computer systems is timely canceled when employees leave the IRS’ employment. A prior audit report, Assessment of Controls Over the Employee Clearance Process (Reference Number 082102, dated January 26, 1998), outlined similar control weaknesses. When an employee leaves, the IRS needs to take prompt actions to ensure government credit cards are canceled and computer system accesses are removed. These actions are part of a clearance process for employees when they leave IRS employment.

The IRS currently employs over 100,000 people. Half of the IRS employees have access to the computer system containing taxpayer information and about one-third of the employees have government credit cards. Approximately 34,000 employees have left the IRS’ employment since issuance of the prior audit report. About one-fifth of these employees were temporarily hired by the IRS to process income tax returns and may or may not be rehired in subsequent years.

This audit was initiated to follow up on corrective actions for the conditions identified in the prior audit. We determined whether actions had been taken to strengthen process controls and if they were effective in ensuring that when employees left the IRS’ employment, prompt action was taken to terminate their access to government credit cards and computer systems. Additionally, we assessed the re-engineered process that was being piloted in the New Jersey District and the Philadelphia Service Center.

Since issuance of the prior audit report, the Director, Personnel Division has implemented interim and long-term corrective actions to strengthen the controls over the clearance process. The Director designated clearance coordinators, issued a manager’s checklist, and, for the long-term, initiated plans to re-engineer the entire process. In 1998, the IRS’ Senior Council for Management Controls recognized the clearance process as a significant control deficiency and began monitoring the actions planned to improve the controls.

The actions taken to date to address control deficiencies in the employee clearance process have not ensured that the risks from financial loss and access to or destruction of taxpayer data have been sufficiently reduced.

Interim changes to controls over the clearance process did not ensure that functional coordinators took action when employees left the IRS. Although clearance coordinators were named to ensure actions were taken and a manager’s checklist was issued, these actions were not effective. In 4 districts, functional coordinators had not timely canceled travel cards in 81 percent of the employee clearances reviewed and had not timely canceled computer passwords in 48 percent of the employee clearances reviewed.

The IRS piloted the re-engineered clearance procedures at the New Jersey District and the Philadelphia Service Center beginning in July 1999. However, the re-engineered clearance procedures did not ensure former IRS employees’ access to government credit cards and computers was timely canceled during the pilot. The re-engineered guidelines did not require some of the separation actions to be initiated until after the employees left the IRS. At the service center, computer system passwords during the pilot were canceled an average of nine days after separation. At the district, government credit cards assigned to 2 former employees had not been canceled although the employees had left the IRS 28 and 56 days, respectively, prior to the time of this audit. The omissions occurred because the IRS had not effectively monitored the pilot.

The Chief, Agency-Wide Shared Services and the Chief, Management and Finance should provide clearance coordinators with specific interim roles and responsibilities for ensuring former employees’ access to government credit cards and computer systems is timely canceled. Also, the re-engineered clearance procedures should be revised to prevent systemic delays during the clearance process. The interim and re-engineered clearance processes should be monitored to ensure they are effective.

Management’s Response: IRS management agreed to the continued need for improvement after the pilot process. The IRS will use the Totally Automated Personnel System (TAPS) separated employee listing, which can be generated daily, to initiate and monitor clearance actions. The Agency-Wide Shared Services Office of Personnel/Payroll Systems will work with Finance and Information Systems to set up procedures for using TAPS information to timely cancel credit cards and passwords. It will also issue instructions detailing a streamlined process for canceling government credit cards, phone cards, and computer passwords. Clearance coordinators will monitor the process through daily TAPS listings.

Objectives and Scope

This review was initiated to follow up on corrective actions for the conditions identified in a prior audit report, Assessment of Controls Over the Employee Clearance Process (Reference Number 082102, dated January 26, 1998), to determine if the Internal Revenue Service (IRS) has taken effective steps to strengthen clearance process controls. In this regard, our review objective was to determine if the IRS’ clearance process controls ensure that prompt action is taken to terminate separating employees’ access to government credit cards and taxpayer information.

On July 30, 1999, the Director, Personnel Division requested that we assess the re-engineered process being piloted at two sites.

To accomplish these two objectives, we:

• Reviewed the interim efforts to improve the employee clearance process.
• Tested former employee clearances to determine if the process timely terminated access to government credit cards and computer systems.
• Reviewed the re-engineered clearance process pilot procedures and tested the effectiveness of the initial pilot results.

The audit work was performed from July through December 1999. Audit tests were performed in the National Office; the New Jersey, North Texas, Northern California, Ohio, and Pacific Northwest Districts; and the Philadelphia Service Center. This audit was performed in accordance with Government Auditing Standards.

Details of our audit objectives, scope, and methodology are presented in Appendix I. Major contributors to this report are listed in Appendix II.

Background

When an employee leaves the IRS, the clearance process consists of actions taken to ensure properties are returned, financial obligations are resolved, and computer system passwords are canceled. Employees in various IRS functions (functional coordinators) are notified when an employee is leaving the IRS and should take the appropriate actions. For example, a functional coordinator in the Information Systems function would remove an employee’s computer systems password, while a functional coordinator in the Support Services function would cancel the employee’s travel credit card. Other coordinators would cancel telephone and purchase credit cards.

The prior audit determined that the employee clearance process lacked sufficient controls to ensure actions were timely and effectively completed. The audit report recommendations addressed both interim and long-term solutions for strengthening clearance process controls. These included assigning a clearance coordinator to ensure actions are taken, issuing guidelines, and re-engineering the process. The Director, Personnel Division was designated responsibility for implementing the corrective actions.

The IRS currently employs over 100,000 people. Half of the IRS employees have access to the computer system containing taxpayer information and about one-third of the employees have government credit cards. Since issuance of the prior report in January 1998, about 34,000 employees have left the IRS’ employment. About one-fifth of these employees were temporarily hired by the IRS to process income tax returns and may or may not be rehired in subsequent years.

Results

Since January 1998, the IRS has implemented a number of corrective actions to improve employee clearance process controls. These changes included interim corrective actions and a long-term re-engineering effort.

In April 1998, the Director, Personnel Division established an executive team to design and implement a new, more effective re-engineered clearance process. The team initiated interim corrective actions by designating "clearance coordinators" and issuing a manager’s clearance checklist.

In July 1999, the re-engineered clearance process procedures were piloted in the New Jersey District and the Philadelphia Service Center. The Personnel Division’s future plans include replacing all paper forms with an automated module and piloting methods for centrally canceling some government credit cards and computer system access.

The Senior Council for Management Controls (SCMC) recognized the clearance process as a significant control deficiency in September 1998 and began monitoring planned actions. The SCMC is an executive body responsible for overseeing actions to correct IRS control deficiencies and for reviewing the effectiveness of the actions taken.

Although the Director, Personnel Division has initiated a number of corrective actions that the SCMC has overseen, these actions have not been totally effective in improving clearance process controls. In particular, the process controls did not ensure that functional coordinators were notified when employees left the IRS or, that when notified, the coordinators timely canceled access to government credit cards and computer systems. The audit tests showed:

• Interim corrective actions were not effective at ensuring prompt, complete clearance actions.
• Re-engineered clearance procedures did not ensure prompt, complete clearance actions during the pilot.

As a result, the IRS had no assurance that former employees did not have access to government credit cards and computer systems.

Interim Corrective Actions Were Not Effective at Ensuring Prompt, Complete Clearance Actions

The Director, Personnel Division made several interim changes to strengthen controls over the clearance process. However, while clearance coordinators had been designated, they were not given roles and responsibilities for ensuring the functional coordinators take timely action. A checklist of items a manager should collect was issued in January 1999, but it did not include roles for the functional or clearance coordinators. Also, the Director made attempts to cancel government credit cards by computer matching lists of former employees to lists of credit card holders. The attempts were not successful because of inconsistencies in how names were recorded.

The IRS’ interim clearance process did not prevent former employees from having continued access to government credit cards and computer systems. We believe employees’ access to government credit cards and computer systems should be canceled on or before their last day of IRS employment. A review of clearances for 568 former employees in 4 districts indicated that there were significant delays before functional coordinators canceled employees’ access to government credit cards and computer systems.

• In 81 percent of the applicable employee clearances, the functional coordinators did not timely cancel the travel cards. Travel cards had been issued to 52 of the 568 employees. The average time to cancel these cards was 45 days after the employees left the IRS.
• In 37 percent of the applicable employee clearances, the functional coordinators did not timely cancel purchase cards. Purchase cards had been issued to 19 of the 568 employees. The average time to cancel these cards was 76 days after the employees left the IRS.
• In 91 percent of the applicable employee clearances, the functional coordinators did not timely cancel telephone cards. Telephone cards had been issued to 104 of the 568 employees. The average time to cancel these cards was 39 days after the employees left the IRS.
• In 48 percent of the applicable employee clearances, the functional coordinators did not timely cancel computer passwords. Computer passwords had been issued to 379 of the 568 employees. The average time to cancel these passwords was eight days after the employees left the IRS.

Clearance coordinators were not provided with specific roles and responsibilities to ensure functional coordinators took timely actions. The current controls over the clearance process do not protect the IRS from former employees potentially misusing government credit cards or having access to taxpayer information. Telephone card records showed that 2 former employees may have placed a total of 18 inappropriate calls after they left the IRS. These control weaknesses expose the IRS to potential harm.

1. The Chief, Agency-Wide Shared Services and the Chief, Management and Finance should provide clearance coordinators with specific roles and responsibilities to ensure functional coordinators timely cancel access to government credit cards and computer systems when employees leave the IRS. The clearance actions should be taken on or before the employee’s last day or immediately upon notification that an employee has left the IRS. These controls should be monitored to ensure they are effectively preventing former employees from having access to government credit cards and computer systems.

Management’s Response: IRS management will use the Totally Automated Personnel System (TAPS) separated employee listing, which can be generated daily, to initiate and monitor clearance actions. Using this data, the Agency-Wide Shared Services Office of Personnel/Payroll Systems will work with Finance and Information Systems to cancel government credit cards and computer passwords. Clearance coordinators will monitor the process through daily TAPS listings.

Re-engineered Clearance Procedures Did Not Ensure Prompt, Complete Clearance Actions During the Pilot

The re-engineered clearance process for the IRS is outlined in the Employee Separation Handbook. The IRS piloted the new handbook process at the New Jersey District and the Philadelphia Service Center beginning in July 1999.

A review of the pilot and its effect on clearance actions indicated the process did not ensure former employees’ access to government credit cards and computer systems was timely canceled. In the 3 months since the pilot began, 153 employees left the service center and 3 employees left the district. At the service center, computer system passwords were canceled an average of nine days after separation. At the district, travel and telephone credit cards assigned to 2 former employees had not been canceled, even though the employees had left the IRS 28 and 56 days, respectively, prior to the time of this audit. One former district employee’s computer password was not canceled until seven days after leaving the IRS. The review did not identify any inappropriate computer access or credit card charges by the former employees.

The re-engineered clearance process did not ensure timely, complete clearance actions for several reasons. For example:

• The Handbook established centralized functional coordinators to cancel access to government credit cards and computer systems, but the functional coordinators were not assigned for the pilot.
• Even if the functional coordinators had been in place, the new guidelines delayed the canceling of phone and travel credit cards by requiring coordinators to use personnel lists. These lists were generated bi-weekly after employees had left the IRS and could delay action up to 14 days.
• The Handbook also instructed managers to initiate action to cancel computer access within two days after the employee left the IRS.
• The Handbook did not specify time frames for canceling purchase cards.

The IRS did not monitor the effectiveness of the pilot at reducing the risk of former employees having access to government credit cards and computer systems. Instead, the pilot’s effectiveness was determined by surveying the IRS participants about their perceptions of the new guidelines and related training.

Waiting until after an employee leaves before initiating clearance action exposes the IRS to risks of financial loss and access to or destruction of taxpayer data. As a result, the re-engineered clearance process will not reduce the risk of former employees having continued access to government credit cards and taxpayer information.

2. The Chief, Agency-Wide Shared Services and Chief, Management and Finance should revise the re-engineered clearance process to prevent systemic delays in canceling access to government credit cards and computer systems. The clearance actions should be taken on or before the employee’s last day, or upon notification that an employee has left the IRS. The revised process should be monitored to ensure it is effectively preventing former employees from having access to government credit cards and computer systems.

Management’s Response: The Agency-Wide Shared Services Office of Personnel/Payroll Systems will work with Finance and Information Systems to set up procedures for using the TAPS separated employee listing to cancel credit cards and passwords timely. The Agency-Wide Shared Services will also issue instructions detailing a streamlined process for canceling credit cards, phone cards, and systems passwords.

Conclusion

Effective controls in the employee clearance process are essential to ensure former employees do not have access to government credit cards and taxpayer information. The IRS should take immediate corrective action to reduce the IRS’ risk of financial loss or unauthorized access to IRS and taxpayer information.

Detailed Objectives, Scope, and Methodology

The objectives of this audit were to determine if the Internal Revenue Service (IRS) had taken steps to strengthen employee clearance process controls and if the steps were effective. To accomplish this, we conducted the following audit tests:

1. Determined what changes the IRS had made to the clearance process since issuance of a prior audit report titled, Assessment of Controls Over the Employee Clearance Process (Reference Number 082102, dated January 26, 1998).

1. Assessed whether interim directives and documents adequately defined roles, responsibilities, and time frames.

2. Assessed long-range changes to the clearance process, piloted or planned.
3. Reviewed Application Change Requests submitted for programming enhancements to the Totally Automated Personnel System automated clearance module.

4. Reviewed the Senior Council for Management Controls’ minutes, Federal Manager’s Financial Integrity Act reports, Re-engineering Team status reports, and the Inventory, Tracking, and Closure System report from January 1998 through September 1999 to assess IRS management’s involvement in improving the clearance process.

2. Determined if the IRS’ corrective actions improved controls over the clearance process by ensuring former employees’ access to government credit cards and computer systems was timely canceled.

1. Selected the North Texas, Northern California, Ohio, and Pacific Northwest Districts for our audit tests because they were included in the prior audit.
2. Interviewed District Directors, local heads of office for Support Services and Information Systems, the Controller, 4 Designated Agents, and a random sample of 40 managers to determine if clearance coordinators had been designated and if they had received nationally directed clearance process changes.
3. Interviewed the Employee Clearance Coordinators responsible for the selected offices to determine when they were designated and what their roles and responsibilities were.
4. Identified the 568 district employees who had separated from the sampled offices during October 1, 1998, through July 3, 1999, using a Treasury Integrated Management Information System Focus Report.
5. Determined if the IRS requested timely cancellation of all travel, purchase, and telephone credit cards issued to any of the 568 former employees.
6. Determined if the IRS timely canceled all Integrated Data Retrieval System (IDRS) and Examination and Returns Control System (ERCS) passwords issued to any of the 568 former employees.
7. Determined if there was any inappropriate activity by the 183 employees whose passwords were not timely canceled, 144 employees whose government credit cards were not timely canceled, and 8 employees whose functional coordinator did not maintain credit card cancellation records.

3. Determined if the re-engineered IRS clearance process piloted from July 19 to September 18, 1999, at the New Jersey District and the Philadelphia Service Center improved the timeliness of canceling separating employees’ government credit cards and computer passwords.

1. Interviewed functional coordinators and designated clearance representatives to determine how their clearance process was changed.
2. Determined if all IDRS passwords assigned to any of the 153 service center employees who left during the pilot were canceled timely.
3. Determined if travel and telephone credit cards and IDRS passwords assigned to any of the three district employees who left during the pilot were canceled timely.
4. Determined if there was any inappropriate activity by the 48 employees who did not have their passwords timely canceled and by the 2 employees who did not have their government credit cards timely canceled. The September 1999 telephone credit card records were not available for review.

4. Measured the risk to the IRS of having ineffective clearance process controls.

1. Determined how many IRS employees left from January 26, 1998, through July 3, 1999.
2. Determined how many individuals the IRS employed as of July 1999, the start of our fieldwork.
3. Determined how many employees had government purchase, travel, and phone credit cards and IDRS capabilities as of July 1999, the start of our fieldwork.
4. Determined how many employees had ERCS capabilities as of December 1999. ERCS data was only available as of December 1999.

Major Contributors to This Report

Maurice S. Moody, Associate Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs)

John R. Wright, Director

Mary V. Baker, Deputy Director

Deadra M. English, Senior Auditor

Bret D. Hunter, Senior Auditor

Abraham B. Millado, Senior Auditor

Joanola Rose, Senior Auditor

Matthew W. Miller, Auditor

Daniel B. Peterson, Auditor

Ahmed M. Tobaa, Auditor

Report Distribution List

Deputy Commissioner Operations C:DO

Chief, Agency-Wide Shared Services A

Chief Information Officer IS

Chief, Management and Finance M

Chief Financial Officer M:CFO

Assistant Commissioner (Program Evaluation and Risk Analysis) M:OP

Director, Personnel Division M:S:P

Director, Personnel Services A:PS

National Director for Legislative Affairs CL:LA

Office of the Chief Counsel CC

Office of Management Controls M:CFO:A:M

Audit Liaisons:

Chief, Agency-Wide Shared Services A

Chief, Management and Finance M

Management’s Response to the Draft Report

Response has been removed due to its size. To see the complete Response, please go to the Adobe PDF version of this report on the TIGTA Public Web Page.