Internal Revenue ServicePhysical Security Over Taxpayer Receipts and Data Needs Improvement Gao ID: AIMD-99-15 November 30, 1998
The Internal Revenue Service's (IRS) controls over receipts and taxpayer data do not adequately reduce the vulnerability of the federal government and taxpayers to loss from theft. For example, employees were hired and worked in jobs requiring the handling of cash, checks, or sensitive taxpayer information before IRS received the results of these employees' required background and fingerprint checks. Of the 80 thefts IRS investigated at service centers from January 1995 to July 1997, 12 (15 percent) were committed by persons who had previous arrest records or convictions that were not identified prior to their employment and thus may have influenced IRS' decision to hire these persons. GAO also found weaknesses in the physical controls over service center and district office receipts. For example, at one service center receipts and returns were stored in an uncontrolled hallway that individuals can enter unchallenged from an adjoining fitness center. GAO also found that single, unarmed couriers in ordinary civilian vehicles took IRS deposits totaling hundreds of millions of dollars to banks during the peak filing season. In fact, one courier left a deposit totaling more than $200 million unattended in an open vehicle while he returned to the service center. At one district office, IRS used a bicycle messenger to deliver daily deposits ranging as high as $100 million.
GAO noted that: (1) IRS' controls over receipts and taxpayer data do not adequately reduce the vulnerability of the federal government and taxpayers to loss from theft; (2) this condition existed because of the length of time required to conduct background investigations, delays in receiving results of fingerprint checks, and processing demands which required the hiring of thousands of employees during the peak filing season; (3) placing new hires in sensitive positions prior to, at a minimum, receiving the results of fingerprint check increases the vulnerability of receipts and taxpayer data to theft; (4) in fact, of the 80 thefts IRS investigated at service centers from January 1995 to July 1997, 12 were committed by individuals who had previous arrest records that were not identified prior to their employment; (5) GAO also noted weaknesses in the physical controls over service center and district office receipts; (6) while service center receipts are required to be processed only by authorized individuals in the Receipt and Control Branch, which is a restricted access area, numerous receipts were found in unrestricted areas accessible to other IRS employees and to non-employees not authorized to handle receipts; (7) receipts particularly vulnerable to theft also were not adequately secured; (8) while it is important to adequately protect cash and checks received at IRS facilities, it is similarly essential to ensure that these receipts are properly protected during transport to depository institutions; (9) GAO found that single, unarmed couriers in ordinary civilian vehicles were used to transport IRS deposits totalling hundreds of millions of dollars to the depository institutions during the peak filing season; (10) the theft of one peak season deposit could place a significant administrative burden on IRS to contact taxpayers and initiate stop payment orders on tens of thousands of checks; (11) although receipts and taxpayer information will always be vulnerable to theft, IRS has a responsibility to protect the government and taxpayers from such losses; (12) many of the actions GAO is recommending to minimize these vulnerabilities and thus better protect taxpayer receipts and data would not result in significant costs, and several other actions GAO is recommending are already required by IRS policy or are currently under consideration by IRS management; and (13) IRS has prepared two corrective action plans to reduce its vulnerability to theft or loss of receipts and taxpayer data.Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.Director: Team: Phone: