Office of Audit
Access to Facilities and
Sensitive Taxpayer Information
Was Not Always Revoked for Separated Employees
Final Report issued on June 25, 2020
Highlights of Reference Number: 2020-10-034 to the Commissioner of Internal Revenue.
IMPACT ON TAXPAYERS
During Fiscal Year 2018, more than 4,400 full-time, permanent employees separated from the IRS, including more than 300 employees who separated during a pending disciplinary case. It is important for the IRS to recover security items, such as Government identification, to prevent former employees from unauthorized entry to IRS facilities and workspaces, accessing IRS computers and taxpayer information, or potentially misrepresenting themselves to taxpayers.
WHY TIGTA DID THE AUDIT
TIGTA previously reported that IRS controls to prevent access to Government facilities and computers after employees separated were ineffective. This audit was initiated to determine if the IRS implemented corrective actions to timely remove access to IRS facilities and computers when employees separate.
WHAT TIGTA FOUND
The IRS updated procedures in response to TIGTA’s prior report; however, these changes were not effective in preventing access to facilities and computers after employees separated. For example, TIGTA identified processing delays in over 1,200 separations. These delays contributed to the untimely removal of former employees’ access to IRS facilities and taxpayers’ sensitive information, although there were valid reasons for some of the delays.
Even when managers processed separation paperwork on time, Facilities Management and Security Services personnel did not remove building access within the then-required 18 hours of the separation date for 79 percent of randomly sampled separated employees.
Most IRS managers properly collected departing employees’ identification cards and timely processed their removal. However, during Fiscal Year 2018, the IRS never recovered identification cards from 396 separated employees, including 26 former employees who separated under adverse conditions. Furthermore, 19 managers were responsible for 91 (23 percent) of the unrecovered identification cards, including three managers who failed to recover nine cards each.
The IRS managers responsible for collecting these unrecovered identification cards did not always report that the cards had not been collected as required. Furthermore, management advised us that the IRS does not have the authority to compel departing employees to turn in their identification cards.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief, Facilities Management and Security Services, work with the Human Capital Officer to (1) share pending retirement information; (2) notify supervisors of managers who input late separation personnel action requests; (3) encourage supervisors to hold managers accountable; (4) update employee separation guidance; (5) explore options to secure employees’ unrecovered identification cards; and (6) ensure that required reports were filed and access was terminated for 396 unrecovered identification cards. In addition, the Chief, Facilities Management and Security Services, should (7) review overdue clearance module records every month and (8) determine if the clearance module can systemically alert the IRS of approaching access termination deadlines.
The IRS agreed with all of our recommendations and plans to take corrective actions.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to:
Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / https://www.treasury.gov/tigta