Office of Audit
ACCESS TO GOVERNMENT FACILITIES AND COMPUTERS IS NOT ALWAYS REMOVED WHEN EMPLOYEES SEPARATE
Final Report issued on June 30, 2016
Highlights of Reference Number: 2016-10-038 to the Internal Revenue Service Deputy Commissioner for Operations Support.
IMPACT ON TAXPAYERS
During Fiscal Year 2014, more than 4,100 full‑time, permanent employees separated from the IRS, including 186 who separated during a pending disciplinary case (including criminal misconduct). It is important for the IRS to recover security items, such as Government identification, to prevent former employees from unauthorized entry to IRS facilities and workspaces, accessing IRS computers and taxpayer information, or potentially misrepresenting themselves to taxpayers.
WHY TIGTA DID THE AUDIT
The overall objective of this audit was to determine whether IRS management implemented policies and procedures designed to provide reasonable assurance that physical access to Government facilities is secure when employees separate from the IRS.
WHAT TIGTA FOUND
The IRS designed controls to verify that physical access to Government facilities is secured when employees separate. The controls include a computer process to document if security items are recovered from separating employees, including a third-party verification and deactivation of the returned item. However, these controls were not effective to prevent access to Government facilities and computers after employees separated.
Based on a random sample of Fiscal Year 2014 employee separations, TIGTA estimates that the IRS could not verify that all security items were recovered for more than 2,700 (66 percent) of the more than 4,100 employee separations. TIGTA also reviewed a judgmental sample of 10 employees who separated during a pending disciplinary case. The IRS could not verify the recovery of the security items for six of these employees and could not provide evidence that these cases were referred to the TIGTA Office of Investigations as required. When the IRS did not collect security items, some were later used to enter IRS buildings.
In addition, managers did not document all security items that should be recovered and listed some items for recovery that were not assigned to the separating employees. For example, 87 managers from our random sample of separated employees indicated former employees were issued keys; however, only one of these managers listed keys as a recoverable item. In addition, 65 managers indicated that non‑enforcement pocket commissions were recovered, although records indicated that these items were never assigned to the employees.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief, Agency‑Wide Shared Services, update separating employee clearance guidance; validate and inventory non‑enforcement pocket commission assignments to employees; develop an inventory process to include documenting the issuance of manual keys and key cards and changing combination locks; and confirm that computer and building access is deactivated when an employee separates.
In their response, IRS management agreed with all the recommendations. The IRS plans to develop and implement a strategy to review and update current separating employee clearance policies and procedures; complete an inventory verification of non-enforcement pocket commissions; revise and implement key custody policies and procedures; and develop procedures to ensure the deactivation of computer and building access when identification cards are terminated and destroyed.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta