IRS Lockbox Banks

More Effective Oversight, Stronger Controls, and Further Study of Costs and Benefits are Needed

GAO ID: GAO-03-299
January 15, 2003

Lockbox banks are commercial banks that process certain taxpayer receipts on behalf of the Internal Revenue Service (IRS). Following an incident at a lockbox site during 2001, which involved the loss and destruction of about 78,000 tax receipts totaling more than $1.2 billion, the Senate Committee on Finance asked GAO to examine whether (1) provisions of the contracts under which lockbox banks operate address previously identified problems or might contribute to mishandling of tax receipts, (2) oversight of lockbox banks is adequate, (3) internal controls are sufficient, and (4) IRS and Treasury's Financial Management Service (FMS) had considered the costs and benefits of contracting out the functions performed by lockbox banks.

FMS has contractual agreements with four lockbox banks, which operate 11 lockbox sites at nine locations on IRS's behalf. Of the more than $2 trillion in tax receipts that IRS collected in fiscal year 2002, lockbox banks processed approximately $268 billion. The findings of GAO's study include the following:

(1) Nothing inherent in the lockbox contractual agreements would necessarily contribute to mishandling of tax receipts. Although a desire to avoid negative consequences, such as financial or other penalties allowed for by the agreements, could motivate bank employees to make poor decisions, penalty provisions are necessary to help the government address inadequate performance. The results of an ongoing investigation of the 2001 incident may help IRS and FMS determine whether new provisions or modifications to existing provisions are needed.

(2) Although IRS and FMS have significantly increased their presence at lockbox sites, oversight of lockbox banks during fiscal year 2002 was not fully effective to ensure that taxpayer data and receipts were adequately safeguarded and properly processed. Inadequate oversight resulted mainly from a lack of clear oversight directives and policies; failure to perform key oversight functions; and conflicting roles and responsibilities of IRS personnel responsible for day-to-day oversight of lockbox banks.

(3) Internal controls, including physical security controls, need to be strengthened at IRS lockbox locations. In addition, the processing guidelines under which IRS lockbox banks operate need to be revised to improve receipt-processing controls, employment screening, and courier security.

(4) IRS and FMS have not performed a comprehensive study of the costs and benefits of using lockbox banks. The most recent study, in 1999, omitted some costs that may have affected the result. For example, the study did not consider opportunity costs--benefits foregone that might have resulted from alternative uses of the money. Because of these omissions and several changes that have affected costs and benefits, a new study will be needed before lockbox contracts expire in 2007.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.


GAO-03-299, IRS Lockbox Banks: More Effective Oversight, Stronger Controls, and Further Study of Costs and Benefits are Needed

This is the accessible text file for GAO report number GAO-03-299 entitled 'IRS Lockbox Banks: More Effective Oversight, Stronger Controls, and Further Study of Costs and Benefits are Needed' which was released on February 14, 2003.

This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.

Report to Chairman and Ranking Minority Member, Committee on Finance, U.S. Senate:

January 2003:

IRS LOCKBOX BANKS:

More Effective Oversight, Stronger Controls, and Further Study of Costs and Benefits Are Needed:

GAO-03-299:

Highlights of GAO-03-299, a report to the Committee on Finance, U.S. Senate:

Why GAO Did This Study:

Lockbox banks are commercial banks that process certain taxpayer receipts on behalf of the Internal Revenue Service (IRS). Following an incident at a lockbox site during 2001, which involved the loss and destruction of about 78,000 tax receipts totaling more than $1.2 billion, the Committee asked GAO to examine whether (1) provisions of the contracts under which lockbox banks operate address previously identified problems or might contribute to mishandling of tax receipts, (2) oversight of lockbox banks is adequate, (3) internal controls are sufficient, and (4) IRS and Treasury's Financial Management Service (FMS) had considered the costs and benefits of contracting out the functions performed by lockbox banks.

What GAO Found:

FMS has contractual agreements with four lockbox banks, which operate 11 lockbox sites at nine locations on IRS's behalf. Of the more than $2 trillion in tax receipts that IRS collected in fiscal year 2002, lockbox banks processed approximately $268 billion. The findings of GAO's study include the following:

* Nothing inherent in the lockbox contractual agreements would necessarily contribute to mishandling of tax receipts. Although a desire to avoid negative consequences, such as financial or other penalties allowed for by the agreements, could motivate bank employees to make poor decisions, penalty provisions are necessary to help the government address inadequate performance. The results of an ongoing investigation of the 2001 incident may help IRS and FMS determine whether new provisions or modifications to existing provisions are needed.

* Although IRS and FMS have significantly increased their presence at lockbox sites, oversight of lockbox banks during fiscal year 2002 was not fully effective to ensure that taxpayer data and receipts were adequately safeguarded and properly processed. Inadequate oversight resulted mainly from (1) a lack of clear oversight directives and policies, (2) failure to perform key oversight functions, and (3) conflicting roles and responsibilities of IRS personnel responsible for day-to-day oversight of lockbox banks.

* Internal controls, including physical security controls, need to be strengthened at IRS lockbox locations (see table below). In addition, the processing guidelines under which IRS lockbox banks operate need to be revised to improve receipt-processing controls, employment screening, and courier security.

* IRS and FMS have not performed a comprehensive study of the costs and benefits of using lockbox banks. The most recent study, in 1999, omitted some costs that may have affected the result. For example, the study did not consider opportunity costs--benefits forgone that might have resulted from alternative uses of the money. Because of these omissions and several changes that have affected costs and benefits, a new study will be needed before lockbox contracts expire in 2007.

Internal Control Issues Found at Lockbox Location in Calendar Year 2002: [See PDF for image]

What GAO Recommends:

GAO is making recommendations to improve oversight and internal controls at IRS lockbox banks. In addition, GAO is recommending that a study of the benefits and costs, including opportunity costs, of using lockbox banks to process tax receipts be completed before the current lockbox bank contracts expire in 2007. In commenting on a draft of this report, FMS and IRS agreed with our recommendations and have initiated or plan to initiate actions to implement them.

For more information, contact Steven J. Sebastian (202-512-3406).

Letter:

* Results in Brief
* Background
* Scope and Methodology
* It Is Not Known Whether Contract Provisions Could Contribute to Improper Handling of Taxpayer Receipts
* Oversight of Lockbox Banks Was Not Fully Effective
* Lockbox Banks' Internal Control Deficiencies Expose the Federal Government to Theft and Loss
* A Comprehensive Study Evaluating Costs for IRS Processing Versus Using Lockbox Banks for All Types of Tax Receipts Has Not Been Performed
* Conclusions
* Recommendations for Executive Action
* Agency Comments and Our Evaluation

Appendixes:

* Appendix I: Internal Control Weaknesses
* Appendix II: GAO Analysis of IRS's and FMS's August 1999 1040 Tax Payment Comparative Cost Benefit Study
* Appendix III: Comments from the Department of the Treasury (GAO Comments)
* Appendix IV: GAO Contacts and Staff Acknowledgements (GAO Contacts; Acknowledgments)

Tables:

* Table 1: Internal Control Issues Found at Lockbox Locations in Calendar Year 2002
* Table 2: Comparison of the Cost to the Federal Government of Alternative Receipt Processing Approaches, Fiscal Years 2001-2007
* Table 3: IRS and Lockbox Banks Cost and Saving Estimates for the Federal Government, Fiscal Years 2001 through 2007
* Table 4: IRS and Lockbox Banks Cost and Saving Estimates Under IRS Scenario I for the Federal Government, Fiscal Years 2001 through 2007
* Table 5: IRS's Fiscal Year 2001 Labor Cost

Figures:

* Figure 1: Flow of lockbox collections and data
* Figure 2: Fiscal Year 2002 Dollar Value and Volume of Collections for Three Major Types of Tax Receipt Collection Mechanisms

Abbreviations:

AES: automated entry system
AWSS: Agency-Wide Shared Services
EFTPS: Electronic Federal Tax Payment System
FAR: Federal Acquisition Regulation
FMS: Financial Management Service
FSD: Financial Services Division
IRM: Internal Revenue Manual
IRS: Internal Revenue Service
LPG: Lockbox Processing Guidelines
NPV: net present value
OIG: Office of Inspector General
PCD: program completion date
TFM: Treasury Financial Manual
TIGTA: Treasury Inspector General for Tax Administration
TTB: Treasury Time Balances

Letter

January 15, 2003:

The Honorable Max Baucus
Chairman, Committee on Finance
United States Senate:

The Honorable Charles E. Grassley
Chairman (designate), Committee on Finance
United States Senate:

In its role as the nation's tax collector, the Internal Revenue Service (IRS) collected over $2 trillion during fiscal year 2002. Of that amount, $1.5 trillion was collected through electronic means,[Footnote 1] financial institutions serving as lockbox banks collected more than $268 billion, and IRS offices collected $86 billion. A lockbox bank is a commercial bank with a designated post office box to which taxpayers are instructed to mail their payments and related tax documents. Lockbox banks process the documents, deposit the receipts, and then forward the documents and data to IRS's Submission Processing Centers, which update taxpayers' accounts. The Department of the Treasury's Financial Management Service (FMS) has contractual agreements[Footnote 2] with four lockbox banks, which operate 11 lockbox sites at nine locations on IRS's behalf. The intent of the lockbox program is to accelerate the deposit of tax receipts and increase interest savings, thus enhancing the efficiency of government cash management. Lockbox banks have been used since 1984 for this purpose.

Instances of fraud, waste, and abuse have occurred at IRS lockbox banks over the years. In 2001, approximately 78,000 federal tax receipts, valued at more than $1.2 billion, were lost or destroyed at a lockbox bank operated by the Mellon Financial Corporation in Pittsburgh, Pennsylvania. Instances of employees stealing and cashing taxpayer receipts have also occurred at lockbox banks.

Although FMS and IRS have taken steps to increase monitoring of and internal controls at lockbox banks as a result of the loss and destruction of tax receipts at the Pittsburgh lockbox site, we and others, including the Treasury Inspector General for Tax Administration (TIGTA) and offices within IRS and FMS, continue to find internal control weaknesses at lockbox banks.[Footnote 3]

The purpose of this report is to respond to your request that we review existing and planned security and internal control measures at all lockbox banks that have agreements with FMS to provide tax receipt processing services for IRS. Specifically, you asked that we:

* determine whether the new lockbox agreements in effect beginning in 2002 address previously identified problems and whether contract provisions may contribute to improper handling of taxpayer returns,

* determine the adequacy of FMS's and IRS's oversight in monitoring lockbox banks' adherence to the contractual agreements and lockbox processing guidelines,

* determine whether controls over processing and safeguarding of taxpayer receipts and data are in place and are working effectively, and

* assess the extent to which IRS and FMS considered the costs and benefits of contracting out the functions performed by the lockbox banks instead of using IRS employees.

To meet these objectives, we (1) reviewed reports relevant to oversight and management of the lockbox program, (2) reviewed laws, regulations, and guidance related to federal cash management activities, (3) interviewed FMS and IRS officials, (4) compared the 1993 and 2002 lockbox bank contractual agreements, and (5) reviewed FMS and IRS policies, guidelines, checklists, and reports from oversight reviews. We also visited two IRS Submission Processing Centers and all nine lockbox locations, and reviewed and discussed with FMS and IRS studies on the costs and benefits of processing tax receipts by lockbox banks. As agreed with your office, we did not specifically review the mishandling incident at the Pittsburgh lockbox site since an ongoing investigation was in process.

Results in Brief:

We found nothing inherent in the new 2002 lockbox bank contractual agreements or the prior agreements that would necessarily contribute to mishandling of taxpayer receipts. The agreements do contain penalty provisions that can lead to negative consequences for banks if their work does not meet quality standards or is not performed within required time frames. The consequences range from financial penalties to termination of the lockbox agreement. Although a desire to avoid negative consequences could motivate lockbox bank employees to make poor decisions in handling taxpayer receipts, penalty and termination provisions are necessary to help the federal government address inadequate contractor performance. As with any federal contract, effective oversight of contractor performance is critical. FMS and IRS made some enhancements to the 2002 agreements, such as the addition of a new performance penalty and clarification of other provisions. Because TIGTA's investigation of the incident involving the loss and destruction of tax receipts by employees at the Pittsburgh lockbox site during the 2001 April peak processing period is still ongoing, it is unclear whether any provisions in the lockbox agreements may have contributed to the mishandling incident. When the results of the investigation are known, FMS and IRS should determine whether contract provisions need to be modified or whether additional controls need to be implemented.

Although both IRS and FMS have significantly increased their presence at lockbox banks and made other improvements, oversight of lockbox banks was not fully effective for fiscal year 2002 to ensure that taxpayer data and receipts were adequately safeguarded and properly processed. The weaknesses in oversight resulted largely from (1) a lack of clear directives and documented policies and procedures for various oversight functions, (2) key oversight functions not being performed, and (3) conflicting roles and responsibilities for IRS lockbox coordinators. The lack of defined oversight roles and responsibilities resulted in (1) IRS and FMS failing to take official action on bank requests for waivers from required processing guidelines, thus permitting banks to operate for months with internal control deficiencies, (2) FMS not always obtaining responses from lockbox bank management to findings and recommendations from FMS on-site reviews, (3) key IRS officials not always participating in security reviews in which they had agreed to participate and for which they had the expertise, and (4) instances of incomplete and inadequate on-site reviews. In addition, the IRS personnel who perform compliance reviews at the lockbox sites have conflicting responsibilities--to monitor bank compliance with the processing guidelines and to assist the banks with required production goals--that could affect their ability to objectively oversee lockbox banks for which they have responsibility. These deficiencies weaken the effectiveness of FMS's and IRS's oversight of lockbox banks. Also, without clearly defined and documented oversight requirements, there is less assurance that the oversight improvements made during 2002 will be sustained.

We found during our reviews at the nine lockbox bank locations that internal controls, including physical security controls, need to be strengthened and that lockbox processing guidelines need to be revised to ensure that taxpayer data and receipts are adequately safeguarded. For example, we found required door alarms at several banks that were barely audible or did not elicit the expected responses from security guards, and we found prohibited types of personal belongings, such as bulky coats or carrying bags that could be used to conceal items, in the tax receipt processing areas of several locations. These weaknesses increase the risk that taxpayer data or receipts could be stolen from the processing area. We also found that improvements are needed in the lockbox processing guidelines with respect to processing controls, employment screening, and courier security. For example, IRS lockbox processing guidelines do not require lockbox bank couriers and permanent employees to undergo the same type of background investigation that IRS couriers and contractors undergo, even though lockbox bank couriers and permanent employees have the same access to taxpayer data and receipts as IRS couriers and contractors. Ensuring that effective lockbox processing guidelines are in place and being followed decreases the risk of loss, theft, and mishandling of taxpayer receipts and data.

IRS and FMS have not performed a comprehensive study that evaluates the cost of IRS processing tax receipts and the cost of lockbox banks processing tax receipts for all types of tax receipts currently processed by the banks. The most recent study, jointly performed by IRS and FMS in 1999, considered the costs of processing individual tax receipts only and did not consider all of the costs and benefits of using lockbox banks rather than IRS to process individual tax receipts. In addition, the study focused exclusively on the costs and benefits to the federal government resulting from speedier deposit of tax receipts. Having adopted this approach using Treasury guidance, IRS and FMS did not consider certain costs, most notably opportunity costs, or the benefits forgone that might have resulted from alternative uses of the money spent to achieve speedier deposits. Agencies receive budgets that they are expected to use to achieve their missions economically and efficiently. IRS and FMS did not consider whether forgoing the speedier deposit of tax receipts and using IRS's funds elsewhere, such as within other high-yield compliance activities, might result in financial benefits to the government that would be greater than those generated by accelerating the deposit of tax receipts. FMS and IRS also did not clearly define in the 1999 study the type of analysis that had been conducted. Clearly defining the type of analysis undertaken is important because different types of analyses take into account different types of costs and benefits. The specific types of costs and benefits considered can, in turn, affect a study's conclusions. Since the completion of the 1999 study, changes at IRS and the lockbox network could affect processing and the related costs. Because of these changes, the 1999 study will not be useful for determining whether IRS and FMS should continue using lockbox banks to process tax receipts when the current lockbox agreements expire in 2007.

We are making recommendations to improve both oversight of and internal controls at lockbox banks. We are also recommending that FMS and IRS thoroughly review the results of the ongoing TIGTA investigation of the 2001 incident at the Pittsburgh lockbox site and that they implement additional controls and revise the agreements as necessary to decrease the likelihood that such an incident will occur again. Because IRS and FMS will need to decide before 2007 whether to continue using lockbox banks to process tax receipts, we are recommending that a study be done in time to support this decision, that the type of study be clearly defined, and that all appropriate costs be considered. FMS and IRS agreed with our recommendations and have initiated or plan to initiate actions to implement them.

Background:

In an effort to expedite receipt processing,[Footnote 4] the IRS conducted its first pilot project to obtain lockbox services from a commercial bank in 1984. The receipts processed were limited to tax receipts for estimated tax payments, which are typically paid by taxpayers on a quarterly basis. The bank was compensated from the interest it earned on a compensating balance--funds placed in the bank's account by FMS. Since that time, the IRS lockbox program has expanded to cover taxpayers in all states and receipts for individual income tax returns, employment tax returns, and other miscellaneous types of taxes. Most of the returns are received during the April peak processing period and the smaller peak periods during January, June, and September.

Certain taxpayers who owe money and are making payments are instructed to mail returns and payments to post office boxes maintained by the lockbox banks. The lockbox sites deposit the receipts to an account with Treasury and send processed documents (tax return forms and payment vouchers), computer tapes containing taxpayer data, and unprocessable receipts[Footnote 5] to IRS Submission Processing Centers for further processing and recording in the taxpayer accounts (see fig. 1).

Figure 1: Flow of lockbox collections and data: [See PDF for image]

FMS formalized the lockbox processing arrangements in 1993 by establishing contractual agreements with commercial banks to process tax receipts on behalf of IRS. In 2002, new, but similar, agreements were established. Like the 1993 agreements, the 2002 agreements are 5-year agreements with two 1-year extension options.[Footnote 6] The current lockbox network consists of four banks, three of which operate multiple sites that support the 10 IRS Submission Processing Centers across the country.[Footnote 7] The agreements with FMS require that these banks operate their sites according to IRS's Lockbox Processing Guidelines (LPG). The LPGs provide the detailed procedures the banks are required to follow in providing lockbox services for IRS and are updated as needed. Both FMS and IRS monitor lockbox bank compliance with the agreements and the LPGs, and each lockbox site has an IRS employee who serves as a lockbox coordinator.[Footnote 8]

For fiscal year 2002, IRS lockbox banks processed more than 66 million receipts, totaling about $268 billion, which accounted for approximately 13 percent of total tax receipts in dollars and 32 percent in volume.

Figure 2: Fiscal Year 2002 Dollar Value and Volume of Collections for Three Major Types of Tax Receipt Collection Mechanisms: [See PDF for image]

Note: These pie charts exclude 46.1 million and almost $80 billion of receipts related to Federal Tax Deposits (Coupons) in fiscal year 2002.

The intent of the lockbox program is to enhance federal cash management by accelerating the deposit of tax receipts, which would increase interest float savings (or interest cost avoidance) to the government and reduce the amount Treasury would have to borrow to pay government obligations. The estimate of interest float savings resulting from IRS's use of lockbox banks has varied throughout the years. In calculating interest float savings, IRS and FMS assumed, based on a 1988 joint IRS/FMS study,[Footnote 9] that lockbox banks could process receipts and deposit the funds to a Treasury account 3 days faster than IRS. However, in a 1998 report, the Treasury Office of Inspector General (OIG) questioned the validity of this assumption and recommended that IRS acquire relevant and reliable comparative cost data on all aspects of the lockbox program to identify the most cost-effective option to use for processing and depositing tax receipts.[Footnote 10]

In response to the Treasury OIG report, IRS and FMS hired a contractor to compare lockbox bank processing to IRS processing for individual tax (Form 1040) receipts. The contractor reported in July 1998 that lockbox banks could make funds available to the federal government an average of 2 days faster than IRS. In 1999, IRS and FMS formed a taskforce to study the costs and benefits of continuing to use lockbox banks for processing Form 1040 receipts. Based on its study, the IRS/FMS taskforce recommended that such processing remain with the lockbox banks rather than be returned to IRS for fiscal years 2001-2007.[Footnote 11]

Scope and Methodology:

To accomplish our work, we reviewed reports relevant to oversight and management of the lockbox program, including reports prepared by FMS, IRS, GAO, the Treasury OIG, TIGTA, and internal and external auditors from several lockbox banks. We reviewed laws, regulations, and guidance related to the cash management activities of the federal government. We also interviewed FMS and IRS officials from several headquarters divisions. As agreed with your office, we did not review the incident involving the loss and destruction of taxpayer receipts and data at the Pittsburgh lockbox, since an ongoing investigation was in process. The following procedures were also performed for each of the objectives:

* To determine if new contractual agreements address previously identified problems and correct provisions that could contribute to improper handling of taxpayer returns, we reviewed and analyzed the provisions in the 1993 and 2002 lockbox bank contractual agreements. We also compared the agreements to determine whether changes had been made.

* To determine the adequacy of FMS's and IRS's oversight of lockbox banks, we reviewed FMS and IRS policies, guidelines, checklists, schedules of site visits, and reports from oversight reviews. We performed site visits at two IRS Submission Processing Centers to observe IRS reviews of documentation received from the lockbox banks. At each Submission Processing Center, we interviewed relevant management and staff concerning lockbox bank oversight policies, procedures, and practices.

* To determine if lockbox banks' security and internal controls to safeguard taxpayer receipts and returns are sound and properly implemented, we observed physical security and internal controls and interviewed lockbox personnel at all nine lockbox locations during the April 2002 peak processing period and at two lockbox sites during the June 2002 peak processing period. At each site, we also reviewed lockbox bank employee personnel records for a nonrepresentative selection of permanent and temporary lockbox employees. In addition, we compared the 2001 and 2002 LPGs for changes related to safeguarding tax receipts and data, receipt processing, employee screening, and courier requirements. We also compared IRS's Internal Revenue Manual (IRM)[Footnote 12] and other directives, which are IRS's detailed policies, with the 2002 LPGs.

* To determine whether the costs and benefits of processing tax receipts through lockbox banks instead of processing them at IRS were considered, we reviewed federal guidance and economic literature on cost-benefit and cost-effectiveness analyses of federal programs and policies. In addition, we analyzed prior FMS and IRS studies and the support for the data, assumptions, and methodology used in the 1999 report to estimate the costs and benefits of processing tax receipts through lockbox banks versus processing them at IRS.

We performed our work from April 2002 through November 2002 in accordance with U.S. generally accepted government auditing standards. We requested written comments on a draft of this report from the Secretary of the Department of the Treasury or his designee. These comments are discussed in the Agency Comments and Our Evaluation section of this report, incorporated in the report as applicable, and reprinted in appendix III.
It Is Not Known Whether Contract Provisions Could Contribute to Improper Handling of Taxpayer Receipts: We found nothing inherent in the new 2002 lockbox bank contractual agreements or the prior agreements that would necessarily contribute to mishandling of taxpayer receipts. The agreements contain penalty provisions that can result in negative consequences if banks do not perform work that meets quality standards or do not perform work within required time frames. The consequences range from financial penalties to termination of the lockbox agreement. Although a desire to avoid negative consequences could motivate lockbox bank employees to make poor decisions in their handling of taxpayer receipts, the penalty and termination provisions are necessary to help the federal government address inadequate contractor performance on the two performance dimensions--quality and timeliness--deemed critical by IRS and FMS. FMS and IRS made some enhancements to the 2002 agreements, such as the addition of a new performance penalty and clarification of other provisions. Because TIGTA‘s investigation of the incident involving the loss and destruction of tax receipts by employees at the Pittsburgh lockbox site during the 2001 April peak processing period is still ongoing, it is unclear whether any provisions in the lockbox agreements may have contributed to the mishandling incident. When the results of the investigation are known, FMS and IRS should determine whether contract provisions need to be modified or whether additional controls need to be implemented. Lockbox Bank Agreements Contain Timeliness and Quality Factors to Assess Performance: Factors used to assess contractor performance are cost, timeliness, and quality of service provided. Contracts often contain specific standards for acceptable performance as well as provisions for rewarding or penalizing contractors according to their performance in these areas. 
Such provisions may inadvertently encourage contractors to focus their efforts on one area to the detriment of their performance in other areas. For example, if a contract‘s provisions reward timely performance more than they reward high-quality performance, contractors may be encouraged to take shortcuts that improve timeliness but detract from quality of work. As a result, it is important that contract incentives be appropriately designed and balanced to obtain acceptable levels of performance in all relevant areas. To ensure that contract provisions are operating as intended, effective oversight of contractors is essential. The lockbox banks are paid a fixed price for each item they process, and their total compensation depends on the number of each type of receipt they process. Lockbox banks have no direct influence over the volume of receipts. The compensation paid is therefore not a factor in measuring IRS lockbox performance, and the lockbox contractual agreements contain no direct incentives, positive or negative, related to cost. Lockbox bank performance is measured on timeliness and quality factors, specifically focusing on expediting the flow of funds to Treasury and ensuring that receipts are accurately processed. Because the basis for using lockbox banks was IRS‘s and FMS‘s belief that the banks could process tax receipts faster than IRS could, timeliness is a key measure of lockbox bank performance. Except during peak processing periods, the agreements require that lockbox banks deposit receipts within 24 hours of their receipt at the lockbox bank. During peak processing periods, all receipts must be processed and ready for deposit by the assigned program completion date (PCD).[Footnote 13] According to the terms of the lockbox contractual agreements, FMS may assess banks penalties or terminate their contractual agreements if they fail to meet these deadlines. 
The agreements also provide that the amount of any penalty assessed for late deposit of tax receipts shall be based on the amount of interest Treasury lost because of the delay. FMS imposed financial penalties on two lockbox banks for not meeting the PCD during the April 1997 peak processing period.

Meeting quality standards is another critical aspect of IRS lockbox banks' performance. Processing errors can place unnecessary burdens on taxpayers and delay processing of tax receipts. For example, a processing error might cause a lockbox bank to withdraw more funds from a taxpayer's account than the amount actually written on the check. If the taxpayer's account contained inadequate funds to cover the incorrect withdrawal amount, the taxpayer's bank could assess penalties for insufficient funds. If the error caused the bank to withdraw less than the amount owed, IRS might erroneously assess the taxpayer interest and penalties for an incomplete payment.

The lockbox agreement provisions allow FMS to assess lockbox banks financial penalties or to terminate an agreement for poor performance. FMS added a new provision to the 2002 lockbox agreements that is designed to facilitate reimbursement to IRS and FMS for costs they incur due to specific failures in performance, such as costs resulting from lockbox banks' errors in processing tax receipts. In addition, the 2002 agreements clarified certain existing penalty provisions.

We found nothing inherent in the 1993 or 2002 lockbox contractual agreements that would necessarily contribute to mishandling of taxpayer receipts. Although a desire to avoid negative consequences, such as financial penalties or contract termination, could cause lockbox bank employees to make poor decisions, penalty and termination provisions are necessary to help the federal government address inadequate contractor performance.
To help ensure that contractors are adhering to contract terms and to reduce the risk that lockbox banks might compromise taxpayer data, effective oversight of lockbox sites is essential.

Cause of the 2001 Incident Remains Under Investigation:

The exact cause of the 2001 incident involving the loss and destruction of taxpayer data and receipts at the Pittsburgh lockbox site has yet to be officially reported. The site had a history of performance problems for which the bank had been assessed financial and other penalties. In 1997, FMS assessed the bank that operated the Pittsburgh site more than $1.4 million in penalties for failing to meet the assigned PCD and therefore delaying availability of funds to the Treasury. In September 2000, FMS placed the site on probation because of numerous uncorrected security violations, including commingling of corporate and other government agency processing with IRS processing. FMS, with IRS's concurrence, removed the site from probationary status 2½ months later, after a site review conducted during the probationary period indicated that bank management had corrected all but one of the security violations.[Footnote 14] A subsequent, unannounced review by FMS and IRS 3½ months after the site was taken off probation also found that past violations of security requirements had not recurred and that the site was, for the most part, in compliance with security requirements.

Nevertheless, approximately 2 months after this review, the Pittsburgh site was found to have lost or destroyed tens of thousands of tax returns, and, as a result, FMS terminated its contractual agreement for the site. As of September 30, 2002, IRS had spent over $4 million to obtain duplicate receipts and returns from the affected taxpayers, and the federal government had lost an estimated $13.5 million in interest as a result of the incident.
In October 2002, Mellon Bank agreed to pay the government $18.1 million to cover administrative costs and expenses associated with the incident. However, TIGTA is still investigating the incident to determine whether criminal charges should be filed against any of the bank employees. As of November 2002, TIGTA and the applicable U.S. Attorney's Office were unable to discuss this investigation with us. Until the investigation is completed, we cannot determine whether the site's interpretation of contract provisions was a contributing factor to the 2001 incident or whether provisions need to be added or revised to help prevent a similar incident from occurring.

Oversight of Lockbox Banks Was Not Fully Effective:

FMS and IRS oversight of lockbox bank operations is a key control for ensuring that funds collected through the lockbox banks are protected against fraud and mismanagement. The oversight functions performed by FMS and IRS include various on-site and off-site reviews to ensure compliance with LPGs and contract terms, evaluation of requests for waivers from LPG requirements and proposed compensating controls, and enforcement of penalties against banks that fail to meet LPG and contract terms.

In calendar year 2002, the agencies made significant improvements to their oversight of lockbox operations, mostly in response to the Pittsburgh lockbox incident. However, we found that the oversight of lockbox banks was not fully effective in protecting the government's interests due to (1) a lack of clear directives and documented policies and procedures for various oversight functions, (2) key oversight functions not being performed, and (3) conflicting roles and responsibilities for IRS lockbox coordinators. These issues reduce the overall effectiveness of IRS and FMS oversight of lockbox banks. Additionally, the lack of clearly defined oversight requirements increases the risk that the oversight improvements made during 2002 may not continue in the future.
According to IRS officials, they are in varying stages of completing several memoranda of understanding to identify and document oversight roles and responsibilities. Until these roles and responsibilities are agreed to and documented, however, oversight weaknesses are likely to continue to exist.

FMS and IRS Improved Oversight in 2002 but Have Not Incorporated Improvements in Agency Policies and Procedures:

FMS and IRS made significant improvements to the oversight of lockbox banks in 2002 compared with prior years. These improvements include (1) enhanced monitoring of peak processing operations, (2) involvement of key IRS officials in security reviews, (3) establishment of a new office with a full-time FMS official responsible for oversight of lockbox security, and (4) establishment of a new performance penalty provision to reimburse the government for poor quality performance. However, many of the improvements have not yet been institutionalized in the form of agency policies and procedures. As such, there is less assurance that this increased oversight will continue in the future.

Monitoring of Peak Period Operations Was Enhanced:

Prior to 2002, FMS's on-site presence during peak processing periods was limited to only a few days each year and occurred near the end of the peak periods to ensure that production goals were achieved. IRS's on-site presence at lockbox banks was generally limited to a lockbox coordinator, who was present for the duration of the peak period. However, these coordinators face competing demands of ensuring that lockbox sites promptly deposit tax payments, performing quality and compliance reviews, and assisting with other processing issues, such as training lockbox staff. In reaction to the Pittsburgh incident, FMS and IRS concluded that they needed more on-site presence at lockbox banks during peak operations.
In April 2002, each lockbox site had at least one FMS official, one IRS headquarters official, and the site's designated lockbox coordinator present for the entire April peak processing period. This increased on-site presence provided IRS and FMS with more comprehensive coverage of April peak operations.

During 2002, FMS and IRS also placed a heavier emphasis on monitoring lockbox sites' daily production status. According to IRS and FMS officials, their focus historically has been on monitoring a lockbox site's ability to meet the overall April peak processing period's PCD. IRS and FMS found that this approach presented problems because lockbox banks tended to address production problems during the peak processing period only when meeting the PCD was questionable. The solution employed by the banks was to bring in additional temporary staff near the end of the peak period to be able to meet the PCD. FMS and IRS officials indicated that their limited on-site presence affected the agencies' ability to detect production problems on a real-time basis. Only after the peak period did the lockbox banks bring production issues to the attention of IRS and FMS.

In 2002, FMS and IRS officials focused on monitoring lockbox banks' daily production by reviewing production reports, observing production activity on the processing floor, and reporting production issues to IRS and FMS headquarters as soon as issues arose. During April 2002 and subsequent smaller peak periods in June and September 2002, each lockbox site also submitted, on a daily basis, an "FMS Daily Status Report." These reports noted the daily status of critical production issues, such as staffing shortages and equipment problems, that could cause delays in the timely deposit of tax receipts or could affect performance.
FMS and IRS headquarters officials reviewed these reports for potential problems and contacted lockbox management and on-site agency officials for follow-up and to facilitate timely resolutions of the problems.

While these changes enhanced monitoring of peak operating periods, these improvements have not yet been incorporated into agency policies. Currently, only the lockbox coordinator is required by IRS policies to be on-site during the peak processing period. Personnel from FMS and IRS headquarters are not mandated by agency policies to be at lockbox sites during this time. Additionally, IRS officials indicated that they might not have adequate headquarters staff to assist with future on-site reviews. As a result, there is less assurance that increased on-site presence of staff at lockbox sites during peak processing periods will continue.

IRS Personnel with Physical Security Expertise Now Perform Security Reviews:

After the 2001 Pittsburgh incident, IRS concluded that its participation in joint IRS/FMS annual unannounced security reviews should be performed by IRS staff with security expertise. Prior to 2002, personnel from IRS's Wage and Investment Division, who have primary responsibility to manage the lockbox program, performed physical security reviews but did not have physical security expertise. During 2002, IRS's Agency-Wide Shared Services (AWSS), which has staff with physical security expertise and performs physical security reviews at IRS Submission Processing Centers, began participating in the joint IRS/FMS unannounced security reviews. However, IRS policies only require the Wage and Investment Division to perform unannounced security reviews. AWSS's participation in lockbox reviews is based only on an oral agreement to perform such reviews. As such, there is less assurance that AWSS will continue to perform lockbox security reviews in the future.
FMS Established the Bank Review Office:

Prior to 2002, FMS's Financial Services Division (FSD), which had the administrative responsibility for negotiating and entering into lockbox contracts with financial institutions, also had the responsibility to oversee lockbox banks' compliance with contract terms, such as security requirements. To effectively perform its oversight responsibilities, FMS recognized a need to establish a full-time position responsible for oversight of lockbox security. In August 2002, FMS formally established the Bank Review Office. The director and staff of this office are now responsible for FMS's oversight of the security of federal government lockbox banks. Their responsibilities now include performing on-site reviews, following up on corrective actions to address review findings, and reviewing the adequacy of security requirements for lockbox banks. The director of this office now serves as the main FMS contact point on most oversight issues for IRS and lockbox banks.

New Performance Penalty Provision Established:

A new provision was added to the 2002 contractual agreements to assist the government in obtaining reimbursement from lockbox banks for direct costs incurred by IRS to correct performance failures on the part of lockbox banks. This provision enhances the government's ability to penalize lockbox banks for poor quality work and be reimbursed for the additional costs IRS incurs to rework transactions erroneously processed by lockbox banks. Effective use of this provision requires additional guidelines and procedures to help management decide whether certain situations merit pursuing the penalty provision. Such guidelines and procedures should include (1) IRS's expectations for unacceptable error rates, (2) procedures to identify and document lockbox errors, and (3) procedures to track IRS costs incurred as a result of rework.
During 2002, IRS had not established guidelines and procedures for effective use of the new performance penalty provision. IRS cited three reasons why guidelines and procedures had not yet been established. First, IRS has not yet determined thresholds for unacceptable error rates. Second, IRS officials indicated that the agency had spent significant resources to document and build a legally defensible case to obtain reimbursement of costs related to the 2001 incident. Based on lessons learned from this case, IRS concluded that it needed to establish a more cost-effective means to accurately identify and document lockbox errors, as opposed to errors caused by taxpayers or IRS. During 2001, IRS tested a process to identify and document lockbox errors but concluded that the process was too labor-intensive and might not provide accurate and legally defensible data. Therefore, IRS is still exploring other methods to obtain these data. Finally, IRS officials explained that by law, reimbursements from lockbox banks would have to be remitted to the U.S. Treasury general fund and that they had explored legal options to keep the reimbursed funds for IRS's own use.

The reimbursement provision is a critical tool available to the government as a means to recover from lockbox banks costs incurred as a result of poor quality work and as an enforcement tool to encourage banks to implement effective controls and procedures to accurately process receipts. However, until the necessary guidelines and procedures are established, IRS and FMS cannot effectively use this oversight tool. As a result, the government may be paying for poor quality work and incurring additional costs to correct errors.

FMS and IRS Did Not Perform Certain Key Oversight Functions:

Despite significant improvements, we found several instances where key oversight functions were not performed, which resulted in an increased risk of loss to the government and taxpayers.
Specifically, (1) IRS and FMS did not take timely action on lockbox sites' requests for waivers from LPG requirements, (2) IRS did not always participate in unannounced security reviews, (3) FMS did not always obtain formal responses from lockbox bank management to unannounced security reviews, and (4) IRS lockbox coordinators did not always complete reviews for peak processing periods. Additionally, the guidance used for these reviews needs to be strengthened.

IRS and FMS Did Not Take Timely Action on Formal Requests for Waivers:

The LPGs set forth security and processing requirements for lockbox sites. They also allow deviations from these requirements if bank management submits a written waiver request to IRS and FMS. The bank must demonstrate its site's legitimate inability to meet a requirement and must implement an alternate procedure or compensating control. In practice, after a bank submits a written waiver request stating the reason for its site's inability to meet the LPG requirement and explaining its compensating control to mitigate risks of loss to the government, IRS and FMS allow the site to operate with its compensating control while they review the waiver request. However, because some waiver requests will eventually be denied after FMS and IRS conclude that the compensating controls are not adequate, some sites with inadequate controls are, in effect, allowed to operate in noncompliance with the LPGs until their waiver is officially denied. Therefore, to protect the government from losses resulting from a site's noncompliance, FMS and IRS have a fiduciary duty to approve or disapprove waiver requests and effectively and promptly communicate final decisions.

Prior to April 2002, IRS and FMS approved and disapproved waiver requests orally. To better coordinate their efforts, the agencies decided to develop a written joint process to assess waiver requests in April 2002. However, this process was never formalized in agency policies.
IRS provided us a draft document of the joint waiver assessment process. According to the draft document, lockbox banks would submit a waiver request form to FMS. FMS would assess the waiver request and forward the request with FMS's recommendations to an IRS waiver coordinator. The IRS waiver coordinator would disseminate the waiver requests to various units within IRS responsible for assessing the waiver requests. Once appropriate IRS officials had made their decisions and signed off on the waiver forms, the IRS waiver coordinator would forward the waiver form with IRS's decision to FMS. FMS would notify the bank of the joint decision by returning the waiver request form with both agencies' responses. The draft document indicates that the whole process should take about 6 days from FMS's receipt of the waiver request form.

According to our review of waiver requests made from April 16 through April 22, 2002, FMS forwarded to IRS its recommendations on most of the requests within 5 days of receiving them from lockbox banks. However, IRS took 5 months to officially sign half of the waivers. According to IRS officials, this delay resulted from a misunderstanding on the part of some IRS officials about whether IRS had to complete the waiver forms if IRS had already orally informed FMS of its decision. FMS postponed notifying the banks of a decision on their requests because it was waiting to receive a formal written decision from IRS for each request. However, 4 months after FMS received the requests for waivers and with no official decision from IRS, FMS decided to inform the lockbox sites of its unilateral disapproval of the banks' waiver requests to mitigate the risk of loss to the government from lockbox sites not operating in compliance with the LPGs.

Although most of the waiver requests were not related to critical requirements, one lockbox waiver pertained to a critical LPG security requirement.
Under this requirement, temporary employees must provide photo identifications to the guards in exchange for badges allowing them access to the processing area. This control procedure was designed to validate the identity of individuals claiming to be employees before they enter the processing area. Bank management at one lockbox bank believed that its automated entry system provided adequate compensating controls against unauthorized access to tax data and receipts and that the manual verification of each employee's identity was unnecessary. The bank therefore did not perform the procedure. FMS and IRS eventually denied the request, stating that the lockbox bank's compensating controls did not provide sufficient protection against unauthorized entry. However, because of the breakdown in the joint waiver assessment process and the resulting delay in notifying the bank of the agencies' decision, tax receipts and data were unnecessarily exposed to an increased risk of theft.

Bank management had informally requested a waiver for the same issue in August 2001, before FMS and IRS established their formal waiver process in April 2002. IRS officials indicated that they had already orally informed the bank that its initial request for a waiver was denied and had also informed FMS during a meeting that the subsequent request submitted on the official waiver request form in April 2002 was denied. Therefore, IRS officials concluded that it was not necessary to review the April 2002 formal waiver request. FMS postponed notifying the banks of the decision because it was waiting for IRS's decision in writing. After FMS decided to inform banks of its unilateral decisions on their formal waiver requests, it notified this site of its decision to deny the waiver request in mid-August 2002. As a result, the site operated in noncompliance with this security requirement for over 7 months, from January through August 2002.
This period included the April 2002 peak period, when the bank operated in three shifts with as many as 300 employees per shift. IRS and FMS officials indicated that they are developing several memoranda of understanding between the two agencies to better coordinate oversight efforts, including the joint waiver assessment process.

IRS Did Not Always Participate in Unannounced Security Reviews:

In response to a Treasury OIG recommendation,[Footnote 15] IRS and FMS began performing unannounced security reviews of lockbox bank sites. IRS's IRM requires its Wage and Investment Division to conduct joint unannounced security reviews with FMS. However, IRS did not participate in the first three unannounced security reviews in 2002. The IRS official who would have participated in these security reviews had an extensive technical background in physical security, which would have been helpful in detecting physical security deficiencies. According to IRS officials, IRS did not participate in the reviews because the units responsible for performing various security reviews for both agencies were reorganizing during early 2002 and the agencies had failed to effectively communicate who would be the responsible parties to perform the unannounced security reviews. IRS officials indicated that they plan to include coordination of security reviews between the two agencies in a memorandum of understanding currently being developed.

FMS Did Not Always Obtain Responses from Lockbox Bank Management to Unannounced Reviews:

Effective oversight of lockbox banks requires appropriate follow-up on corrective actions taken to address deficiencies found during on-site reviews. As part of its follow-up procedures, FMS requires lockbox bank management to provide an official management response to reports on its unannounced reviews.
In their response, bank managers are to indicate whether corrective actions have been taken or propose corrective actions and the dates by which the bank intends to implement them. Personnel from FMS's FSD are responsible for obtaining management responses. However, FSD failed to obtain formal management responses for three unannounced security review reports issued in 2001 because FSD staff were preoccupied with the Pittsburgh lockbox incident and with implementing the 2002 lockbox network. Additionally, the tracking procedure in place to remind staff to obtain management responses was ineffective. As a result, FMS did not have sufficient information to assess the adequacy or timeliness of proposed corrective actions or corrective actions already taken.

FMS and IRS found the same security problems identified by these reviews several months later. Although two of the three locations had closed after 2001, bank managers from one of the closed locations were transferred to manage a new lockbox location in the 2002 lockbox network. In a subsequent visit to this new location, FMS found the same security violation that it had found in 2001 at the closed site regarding the lack of a seeding program.[Footnote 16] Additionally, a subsequent visit by FMS and IRS to the location that continued to operate in 2002 revealed problems with malfunctioning perimeter door alarms that were similar to problems identified during the previous unannounced security review.

The lack of effective controls to ensure that bank managers take corrective actions increases the risk that identified security weaknesses will not be corrected. According to FMS officials, the recently created Bank Review Office, whose staff have full-time responsibility for security oversight, is now responsible for following up on management responses to security reviews. Additionally, FMS officials indicated that they plan to create an automated tracking system to better track the status of management responses.
Lockbox Coordinators' Reviews Were Not Adequately Performed:

The IRM specifically directs lockbox coordinators to perform on-site reviews of lockbox banks during peak processing periods. The scope of these on-site reviews includes assessments of the lockbox site's compliance with critical processing and security requirements. Lockbox coordinators record the results of their reviews on forms specifically designed to show results of observations and sampling of transactions to determine the lockbox site's compliance with specific security and processing requirements.

However, for the January and April 2002 peak processing periods, lockbox coordinators did not adequately perform these reviews. Specifically, coordinators did not perform reviews for four lockbox sites for the January 2002 peak processing period. In addition, some of the information to be recorded on the forms used by the coordinators to document their reviews was not provided. For the April 2002 peak period, all the coordinators submitted the results of their reviews, but some of the reviews and the forms used to document them were only partially completed. IRS officials explained that the reviews could not be completed because several lockbox sites were new to the lockbox network during 2002 and therefore required full-time support from their lockbox coordinators. Because the reviews were not always completed, IRS may not have detected instances of noncompliance and therefore would not have been able to take immediate corrective actions.

The guidelines for the reviews conducted by lockbox coordinators also need to be strengthened. To provide adequate oversight of lockboxes, lockbox coordinator reviews should include steps to assess critical controls and procedures for lockbox security and processing. In general, the lockbox coordinators' reviews provide coverage for most of these areas.
However, we found other critical controls and procedures not sufficiently covered by lockbox coordinator reviews because the guidelines and review procedures were either unclear or did not require these controls and procedures to be subject to review. These deficiencies could lead to IRS's failure to detect significant instances of noncompliance.

For example, while TIGTA found that couriers with criminal records at one lockbox location were given access to taxpayer data before their FBI fingerprint checks were completed, the lockbox coordinator's review found the same location to be in compliance with courier requirements. We found that there is no specific step in the lockbox coordinator review procedures to determine whether all couriers given access to taxpayer data have completed favorable FBI fingerprint checks, as required by the LPGs. The review procedures only broadly ask whether the courier service is in compliance with the LPGs. Additionally, while the review procedures require coordinators to sample employee files to determine lockbox compliance with FBI fingerprinting requirements, there is no similar review step to determine lockbox compliance with FBI fingerprint checks for couriers and contractors. Lockbox coordinators we interviewed stated that during their on-site reviews, they did not verify whether couriers had completed favorable FBI fingerprint checks before they were given access to taxpayer data.

As discussed later in this report, we also found problems with some lockbox sites' controls to account for cash payments received from taxpayers and items found during candling.[Footnote 17] For example, the internal logs used by some lockbox sites to record cash received and items found during candling did not reconcile with the logs they submitted to IRS, raising questions about possible missing payments.
Lockbox coordinators did not detect this problem because they are not required to and do not review internal lockbox logs for cash payments and candled items.

Lockbox Coordinators' Conflicting Roles and Responsibilities Could Impair Their Objectivity:

IRS lockbox coordinators are responsible for the day-to-day administration of the lockbox program, including providing guidance and training to lockbox staff and ensuring that the lockbox banks promptly address production problems that may delay the deposit of funds to the Treasury. Lockbox coordinators are also responsible for performing on-site reviews to assess work quality and the bank's compliance with security requirements. This creates a situation in which lockbox coordinators have multiple and conflicting responsibilities.

When faced with competing demands, the likelihood increases that the day-to-day pressures of administering the lockbox program will take precedence over oversight responsibilities. For example, according to IRS officials, the lockbox coordinators' failure to complete their peak period reviews resulted from competing demands. Lockbox coordinators are responsible for performing quality reviews and for assisting lockbox banks with processing issues. IRS Wage and Investment officials indicated that some of the lockbox coordinators could not complete their reviews because more pressing matters concerning lockbox operations, particularly at new lockbox sites, required most of their attention.

The close working relationship with bank management that lockbox coordinators develop while helping bank management meet processing goals could also impair coordinators' objectivity and independence when they are evaluating the bank's compliance with LPG requirements. The Treasury OIG raised this issue in 1998 when it recommended that coordinators periodically rotate out of their coordinator positions to help maintain independence.
However, IRS has not yet addressed this issue, citing its need to retain experienced lockbox coordinators to assist with the implementation of the 2002 lockbox network. IRS officials indicated that there are plans to reorganize positions of lockbox coordinators to address the independence issue. Until this issue is addressed, IRS has no independent overseers with sole responsibility for monitoring lockbox bank compliance during peak processing periods.

Lockbox Banks' Internal Control Deficiencies Expose the Federal Government to Theft and Loss:

The Comptroller General's Standards for Internal Control in the Federal Government[Footnote 18] require that access to resources and records, such as IRS receipts and taxpayer data, be limited to authorized individuals to reduce the risk of unauthorized use or loss to the government. Lockbox banks, working as financial agents of the federal government, have a responsibility to protect taxpayer receipts and data entrusted to them. Tax receipts, such as cash and checks, are highly susceptible to theft, and unauthorized use of taxpayer data could result in identity theft and financial fraud.[Footnote 19] For example, from October 1, 2000, to April 30, 2002, TIGTA initiated investigations of theft of receipts valued at almost $2 million from the IRS lockbox network.[Footnote 20] It is therefore critical that lockbox banks implement a strong system of internal controls for the lockbox sites they operate.

Prior audits by GAO and TIGTA have noted internal control weaknesses at lockbox sites. For example, in fiscal year 2000, we found that background screening for a temporary lockbox employee's criminal history was limited to a local police records check and that some employees were given access to taxpayer data and receipts before completion of their background screening. We also found that lockbox couriers were subject to less stringent standards than IRS couriers.
For example, lockbox couriers were not required to travel in pairs when transporting taxpayer data. We reported that these control weaknesses could lead to thefts of taxpayer receipts and data at lockbox banks.[Footnote 21]

IRS and lockbox banks have implemented several additional safeguarding controls in response to audit findings and the 2001 incident at the Pittsburgh site. For example, IRS now requires lockbox employees to have obtained favorable results on their FBI fingerprint checks, which are nationwide checks of criminal records, before they receive access to tax data. IRS has also enhanced lockbox courier security guidelines.

Nevertheless, during our recent visits to all nine lockbox locations, we found internal control deficiencies in the areas of (1) physical security, (2) processing controls, (3) courier security, and (4) employment screening. These control weaknesses, if uncorrected, could lead to significant losses to the government and taxpayers because they increase the risk of loss, theft, or mishandling of taxpayer receipts and data. Table 1 demonstrates the pervasiveness of the internal control issues found during calendar year 2002. These issues are discussed briefly below and are discussed in more detail in appendix I.

Table 1: Internal Control Issues Found at Lockbox Locations in Calendar Year 2002:

Lockbox bank location:    | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
Physical security issues  | X | X | X | X | X | X | X | X | X
Processing control issues | X | X | X | X | X | X | X | X |
Courier security issues   |   | X | X |   | X |   |   |   |
Employee screening issues | X | X | X |   |   |   | X | X |

[End of table]

Source: Findings based on reviews at the nine lockbox locations.
Physical Security Weaknesses Could Allow Unauthorized Access to Taxpayer Data and Receipts:

Given the large volume and assembly-line nature of tax receipt processing, lockbox operations generally occur in areas with open floor plans, where taxpayer data and receipts are easily accessible to individuals on the processing floor. Thus, the vulnerability of sensitive tax data and receipts to theft or misuse is heightened. This vulnerability underscores the need for effective controls to deter and detect unauthorized access to taxpayer data and receipts. However, during our visit to lockbox locations, we observed numerous physical security breaches. Of the nine lockbox locations we visited, we found the following:

* At four locations, perimeter doors leading into processing areas were unlocked or door alarms did not function effectively.
* At two locations, guards were not responsive to alarms.
* At one location, employee identification was not adequately verified.
* At two locations, employment status of temporary employees was not adequately verified.
* At two locations, visitor access to and activity in processing areas were not adequately controlled.
* At six locations, guards did not closely monitor items brought into or out of the processing areas or prevent unauthorized items, such as personal belongings, in the processing area.
* At seven locations, camera surveillance needed to be improved.

These security weaknesses increase the risk of theft and mishandling of taxpayer data and receipts and reduce the possibility of the timely detection of such incidents.

Processing Controls Need Improvement to Better Account for and Protect Taxpayer Data and Receipts:

In addition to physical security controls, lockbox banks are required to implement processing controls to maintain accountability for and security over transactions as they are processed in the normal course of operations.
During our visits, we found deficiencies in processing controls designed to account for or protect tax data and receipts at most of the lockbox locations. Specifically, of the nine locations we visited, we found the following:

* At four locations, candling procedures were not adequate to minimize the risk of accidental destruction of tax data and receipts.
* At four locations, lockbox bank management did not reconcile candling logs to properly account for all items found during candling.
* At six locations, lockbox bank managers did not perform required reviews of the candling process or did not adequately document results of their reviews.
* At three locations, controls were not in place to adequately safeguard and account for cash receipts.
* At seven locations, returned refund checks were not adequately protected against theft.
* At one location, timely payments were incorrectly processed as delinquent.

Inadequate accounting and safeguarding of tax payments and related vouchers or returns could lead to taxpayer burden, such as penalties and interest for failure to pay tax liabilities, if these items are accidentally destroyed, stolen, or incorrectly processed. Additionally, inadequate processing controls could result in errors not being detected promptly or additional work for IRS employees who must correct taxpayer accounts as a result of errors.

Courier Security Weaknesses Expose Tax Data and Receipts to Theft and Loss:

Lockbox banks employ courier services to deliver (1) mail from post offices to lockbox processing sites, (2) processed checks to depository banks, and (3) tax data and unprocessable receipts to IRS Submission Processing Centers. During peak processing periods, couriers are entrusted with transporting thousands of pieces of mail each day that contain tax data, cash, checks, and deposits worth millions of dollars.
Given the susceptibility of these items to theft and loss, it is important that they be carefully safeguarded while in transit to and from lockbox locations. However, our review and reviews conducted by TIGTA and IRS found several problems with courier security during calendar year 2002. These problems relate to failure to comply with courier security requirements as well as deficiencies in the current requirements. Specifically, at the nine locations, we and other reviewers found the following:

* At one location, couriers with criminal records were given access to tax data before bank management received results of their FBI fingerprint checks.
* At two locations, couriers were not properly identified.
* At two locations, courier vehicles containing tax data and receipts were not locked.
* At all locations, background screening requirements for lockbox couriers were less stringent than screening requirements for IRS couriers.
* At all locations, courier requirements did not prohibit unauthorized individuals in courier vehicles or require lockbox staff to inspect courier vehicles for unauthorized passengers.

Until these courier security weaknesses are addressed, tax data and receipts in transit to and from lockbox locations are exposed to higher risks of theft and loss.

Background Screening of Lockbox Employees Needs Further Improvement:

Because lockbox employees are entrusted with handling sensitive taxpayer information and billions of dollars in receipts annually, ensuring worker integrity through a carefully managed recruiting and hiring process is an area that demands special attention from IRS, FMS, and lockbox management. However, during our review and those performed by TIGTA and IRS, we found that lockbox banks did not always comply with the FBI screening requirements and that further refinements to background investigation requirements for lockbox employees are needed.
Specifically, for the nine locations, we and other reviewers found the following:

* At five locations, employees were given access to taxpayer data and receipts before bank management received results of their FBI fingerprint checks.
* At all locations, requirements for background investigations of lockbox permanent employees were unclear and resulted in variations in the scope and documentation of background investigations conducted on them.
* At all locations, FBI fingerprint checks for lockbox employees who are not U.S. citizens with lawful permanent residence status may not be adequate to disclose criminal histories for individuals who have only recently established residence in the United States.

These weaknesses increase the risk of theft of tax data and receipts by individuals who may be unsuitable to work at IRS lockbox sites.

A Comprehensive Study Evaluating Costs for IRS Processing Versus Using Lockbox Banks for All Types of Tax Receipts Has Not Been Performed:

IRS and FMS have not performed a comprehensive study evaluating the full range of costs and benefits of IRS processing tax receipts versus the lockbox banks processing the receipts for all types of tax receipts processed by the banks. Over the years, several studies have been performed evaluating the degree of interest float savings resulting from the use of lockbox banks. IRS and FMS jointly performed the most recent study in 1999 in response to a Treasury OIG recommendation.

In the 1999 joint study, IRS and FMS considered the costs and benefits to the federal government of using lockbox banks rather than IRS to process Form 1040 tax receipts more quickly. Having adopted this perspective in accordance with Treasury regulations, IRS and FMS did not consider some costs, such as opportunity costs, or the results from alternative uses of the money spent to achieve speedier deposits.
Foregoing speedier deposit of tax receipts and using the funds elsewhere could, according to recent IRS data, result in financial benefits to the government that could be greater, depending on the study assumptions used. In effect, IRS and FMS did not consider the implications of such alternatives available to IRS. In addition, the study did not clearly define the type of analysis done. Differing types of analysis would require consideration of differing costs and benefits and could result in different decisions than were made on the basis of the 1999 study.

Due to changes in IRS, the lockbox bank network, and other factors, the 1999 study will not be useful to support IRS and FMS officials' future decision about whether to continue the lockbox arrangement when the current agreements expire in 2007. IRS and FMS officials initially stated that they had not planned to conduct a new study before the lockbox agreements expire in 2007, but that a new study might be appropriate given many changes and the passage of time since 1999.

The 1999 Study Results Did Not Consider All Costs and Benefits:

In keeping with instructions in the Treasury Financial Manual (TFM), the purpose of the IRS/FMS study was to determine whether using lockbox banks or IRS to process most individual income tax receipts would minimize the total cost to the federal government. The TFM defines total cost to include agency costs, the cost of purchased services, and any loss of interest earnings to the government due to delays in depositing receipts.[Footnote 22] The study described three scenarios (described in app. II) in comparing estimated lockbox bank and IRS processing costs for fiscal years 2001 through 2007 based on different assumptions. The study used scenario I, the most conservative scenario, to support the decision to continue using lockbox banks.
This scenario showed that IRS could spend about $56 million to internally process tax receipts, or could join with FMS to spend a total of $144.9 million to use lockbox banks to process tax receipts more quickly.[Footnote 23] The study concluded that the lockbox processing would be more costly but would save the government $100.5 million in interest that otherwise would be lost due to slower deposits if IRS processed the receipts. These interest savings more than offset the additional processing costs, producing net savings over 7 years of $11.6 million to the federal government from using lockbox banks rather than IRS to process tax receipts. Scenario I is used throughout this report in the cost comparisons shown, unless otherwise noted. Table 2 shows these cost comparisons.

Table 2: Comparison of the Cost to the Federal Government of Alternative Receipt Processing Approaches, Fiscal Years 2001-2007:

[See PDF for Image]

[End of table]

Source: GAO analysis of 1999 IRS/FMS study.

[A] Differences between IRS and lockbox processing costs may be affected by rounding.

However, IRS and FMS did not consider various costs in these estimates. Most notably, they did not consider opportunity costs related to alternate uses of IRS funds to accelerate tax deposits. Each year, the Congress approves a budget for an agency and provides discretion, within certain constraints, on agency spending. Given resource constraints, IRS must effectively choose how to spend its fixed budget. IRS and FMS decided that it would be worth spending $4.4 million more out of IRS's budget to use lockbox banks to process tax receipts compared to IRS's slower process because net savings to the government would reach $11.6 million over the 7 years.
IRS and FMS did not consider whether greater financial benefits could accrue to the government if IRS processed receipts and used the estimated extra $4.4 million from IRS's budget to generate higher revenues through other programs or activities.[Footnote 24] Recent estimates by IRS's Research Division have pointed to other activities--such as tax enforcement--in which spending the extra $4.4 million would have generated from at least $44 million to well over $100 million. For example, in some enforcement programs for just individual taxpayers, the ratio of estimated marginal tax revenue gained to additional spending was:

* 13:1 to pursue known tax debts through phone calls,
* 32:1 to identify unreported income by computer matching tax returns and information returns, such as Forms W-2 and 1099, and
* 11:1 to audit tax returns through correspondence.

Our reference to these alternate uses and ratios is for illustrative purposes. We did not analyze the basis for IRS's estimates that produced these ratios. However, we have found over the years that IRS has had difficulty readily accumulating the costs of various activities because IRS lacks a cost accounting system.[Footnote 25] Despite these caveats, if these estimated ratios and scenario I estimates are approximately accurate, IRS and FMS might have made a different decision by considering opportunity costs.[Footnote 26]

Although opportunity costs may be the most significant costs not considered, the study also excluded certain direct IRS and FMS costs, as discussed below.

* IRS and FMS costs to oversee lockbox bank processing: As discussed earlier in this report, these agencies use staff to oversee and review operations of lockbox banks.
* Costs to reduce the risk in processing tax receipts: This risk became evident during the 2001 filing season, with the incident at the Pittsburgh lockbox affecting about 78,000 taxpayer receipts.
As of September 30, 2002, the government had lost an estimated $13.5 million in interest from missing tax receipts, and IRS has spent about $4.3 million to resolve problems with taxpayer accounts. In October 2002, Mellon Bank agreed to pay the government $18.1 million to cover administrative costs and expenses associated with the incident; however, these costs continue to grow as IRS is still resolving some issues.
* Costs to process different types of receipts: The study only considered Form 1040 tax receipts in response to a Treasury OIG report that questioned having lockbox banks rather than IRS process such tax receipts. Lockbox banks are also paid to process other types of tax receipts related to more than 10 other tax forms, such as Forms 1041 and 941.[Footnote 27]

It is not known if these costs would be significant enough to change the study's conclusions. It is also not known to what extent such costs would be offset by additional direct costs to IRS associated with returning the receipt processing function to IRS.

Alternate Study Approaches Could Affect the Costs and Benefits Considered and the Study Results:

IRS and FMS characterized the study at various times as a cost-benefit analysis and as a cost-effectiveness analysis. These types of studies would include different costs and benefits from those included in the 1999 study. If IRS and FMS had done a cost-benefit or cost-effectiveness study, the resulting conclusions may have differed. Being clear about the type of analyses being done and the limitations and uses of the related results helps decision makers to interpret and use those results.

The 1999 study was neither a cost-benefit nor a cost-effectiveness analysis in economic terms. Cost-benefit and cost-effectiveness analyses are two tools that are commonly used to determine whether government investments or programs can be justified on economic principles.
These tools also help to identify the best alternative from a range of competing investment alternatives. Economists commonly agree that, when either of these two analyses is used to evaluate federal programs that affect private citizens or other entities, the analysis should include costs and benefits to individuals and entities outside of the federal government.[Footnote 28]

The IRS/FMS study was not a cost-benefit analysis because it did not consider costs or benefits to individuals or entities outside the federal government, such as taxpayers.[Footnote 29] By considering costs and benefits beyond the government, the study should address whether the benefits gained by the federal government (on behalf of society as a whole) outweigh the costs imposed on certain members of society, such as taxpayers. The lockbox program affects taxpayers and/or their banks by reducing their interest float benefits through quicker depositing of their tax receipts. The additional interest gained by the federal government through accelerated tax deposits comes with a similar loss of interest to taxpayers who mail in payments.[Footnote 30] The acceleration of deposits largely shifts who benefits. This shifting of interest benefits may have some value to society in terms of a more equitable sharing of the costs of government; however, it is difficult to put a dollar value on improved equity and that value is not necessarily equal to the dollar amount of interest that is transferred from taxpayers and/or banks to the government. Since these interest gains by the federal government made the use of lockbox banks beneficial, a different valuation of these gains could have resulted in a different decision about whether to contract with the banks.
The study also is not a cost-effectiveness analysis because it did not compare program alternatives that had the same objectives.[Footnote 31] Instead, the alternatives of using lockbox banks or IRS staff to deposit tax receipts assumed that lockbox banks would achieve a faster speed of depositing receipts than IRS. In order to determine the cost-effectiveness of the lockbox program, the analysts would have had to compare the costs of that program to the costs of one or more IRS alternatives that would achieve the same speed of depositing. It is not clear that a cost-effectiveness study comparing like processing speeds would have yielded the same result as the 1999 study.

The specific type of study that should be done to support a decision about whether to accelerate the deposit of tax receipts through lockbox banks is a matter of judgment. However, because the type of analysis that flows from the decision about the type of study to do can affect the study results, it is important that study leaders clearly define the type of analysis to be undertaken and why.

1999 Study Will Not Support IRS's and FMS's Future Decision about Continuing the Lockbox Bank Arrangement beyond 2007:

Since 1999, many changes have occurred at IRS and the lockbox bank network that could affect processing and future cost comparisons. For example, IRS began moving to a new organizational structure in October 2000, which has changed where and how IRS processes certain types of tax returns and receipts. In addition, the network of lockbox banks (in terms of how many and which banks are involved) has changed. Starting in 2002, processing also included new security requirements, such as having FBI fingerprint checks done for each employee or contractor, to reduce the risks of thefts. Finally, changes in the 1999 study assumptions would be likely by 2007.
Such assumptions involve:

* the number of days of interest float;
* the number of tax receipts and number of Forms 1040 filed electronically;
* IRS labor, computer, and space costs;
* lockbox bank charges; and
* interest rates.

For example, IRS and FMS assumed that lockbox banks would process tax receipts 1.384 days faster than IRS under scenario I based on a 1998 study by a contractor.[Footnote 32] However, IRS and FMS cannot be certain that any advantage that lockbox banks might have had in 1999 still exists due to the changes to IRS's structure and the lockbox bank network.

IRS and FMS officials stated that they had not planned to conduct a new study before the lockbox agreements expire in 2007. However, they have indicated that such a study may be warranted given many changes and the passage of time since 1999.

Conclusions:

Approximately $268 billion in tax receipts IRS collected in fiscal year 2002 were processed through lockbox banks. Given the significance of tax receipts processed by lockbox banks, effective oversight and sound internal controls at lockbox sites are critical to protect taxpayer data and receipts. The loss and destruction of tax receipts at the Pittsburgh lockbox site highlighted the need for increased scrutiny and oversight of these banks.

Our review of the 1993 and 2002 lockbox contractual agreements revealed nothing inherent in their provisions that would necessarily encourage lockbox employees to mishandle taxpayer receipts. It is possible that in an effort to avoid penalties allowed under the agreements, such as financial penalties or contract termination, lockbox bank employees might make poor decisions about handling taxpayer receipts; however, these are important provisions designed to help the government address inadequate contractor performance.
While FMS and IRS significantly improved their oversight of lockbox banks during 2002, oversight and internal control deficiencies impeded the effectiveness of this oversight in minimizing the risk to the federal government and taxpayers. These deficiencies need to be addressed to provide increased assurance that taxpayer data and receipts are properly safeguarded. IRS's and FMS's oversight of lockbox banks has not been fully effective primarily because their oversight roles and responsibilities have not been sufficiently defined and documented. Additionally, numerous internal control weaknesses need to be corrected and certain provisions of the lockbox processing guidelines need to be revised. Until these oversight and internal control deficiencies are addressed, the security of taxpayer data and receipts may be compromised.

The most recent study done by IRS and FMS in 1999 followed Treasury regulations in considering only the costs and benefits to the federal government of achieving speedier tax deposits by using lockbox banks to process individual tax receipts (Form 1040). In doing so, the study did not consider other types of receipts processed by the lockbox banks or some relevant direct costs in comparing lockbox and IRS processing costs nor did it consider opportunity costs. Accounting for opportunity costs would be consistent with agencies' responsibility to use budget funds economically and efficiently and should be considered regardless of the type of analysis that IRS and FMS undertake. However, the type of analysis affects other types of cost and benefit data that should be considered and therefore may affect the study results. IRS and FMS were not clear on the type of analysis done in 1999. Because certain data and assumptions from the 1999 study are now obsolete, IRS and FMS will need to conduct another study to determine whether to continue using lockbox banks when the agreement expires in 2007.
Recommendations for Executive Action:

To decrease the likelihood that further incidents involving the loss and destruction of taxpayer receipts and data will occur, we recommend that the Commissioner of FMS and Acting Commissioner of IRS thoroughly review the results of TIGTA's investigation of the 2001 incident at the Pittsburgh lockbox site when it is completed and, if the results warrant, implement additional controls and modify the lockbox contractual agreements as appropriate.

To improve the effectiveness of government oversight of lockbox banks, we recommend that the Commissioner of FMS and the Acting Commissioner of IRS:

* document IRS's and FMS's oversight roles and responsibilities in agency policy and procedure manuals and determine the appropriate level of IRS and FMS oversight of lockbox sites throughout the year, particularly during peak processing periods;
* establish and document guidelines and procedures in IRS and FMS policy and procedure manuals for implementing the new penalty provision for lockbox banks to reimburse the government for direct costs incurred in correcting errors made by lockbox banks;
* finalize and document the recently developed waiver process in IRS and FMS policy and procedure manuals and ensure that decisions on requests for waivers are formally and promptly communicated to lockbox management; and
* establish and document a process in IRS and FMS policy and procedure manuals to ensure that lockbox bank management formally responds to IRS and FMS oversight findings and recommendations promptly and that corrective actions taken by lockbox bank management are appropriate.
To improve the effectiveness of government oversight of lockbox banks, we also recommend that the Acting Commissioner of IRS:

* establish and document a process in IRS policy and procedure manuals to ensure that IRS officials with the appropriate levels of expertise continue to participate in announced and unannounced security reviews of lockbox banks;
* ensure that the results of on-site compliance reviews are completed and promptly submitted to IRS's National Office;
* revise the guidance used for compliance reviews so it requires reviewers to (1) determine whether lockbox contractors, such as couriers, have completed and obtained favorable results on IRS fingerprint checks and (2) obtain and review all relevant logs for cash payments and candled items to ensure that all payments are accounted for; and
* assign individuals, other than the lockbox coordinators, responsibility for completing on-site performance reviews.

To improve internal controls at lockbox banks, we recommend that the Commissioner of FMS and the Acting Commissioner of IRS:

* require that internal control deficiencies are corrected by lockbox bank management and that IRS and FMS take steps through ongoing monitoring to ensure that the following LPG requirements are routinely adhered to:
  * perimeter doors are locked and alarms on perimeter doors are functioning,
  * guards are responsive to alarms,
  * employees' identity and employment status are verified prior to granting access to the processing floor,
  * visitor access to and activity in the processing area are adequately controlled,
  * employee access and items brought into and out of processing areas are closely monitored by guards,
  * surveillance cameras and monitors are installed in ways that allow for effective, real-time monitoring of lockbox operations,
  * envelopes are properly candled,
  * lockbox bank management perform and adequately document candling reviews,
  * returned refund checks are restrictively endorsed immediately upon extraction,
  * lockbox couriers are properly identified prior to granting them access to taxpayer data and receipts, and
  * employees have received favorable results on fingerprint checks before they are granted access to taxpayer data and receipts.
* revise the lockbox processing guidelines to require that:
  * before lockbox bank couriers receive access to taxpayer data and receipts they undergo and receive favorable results on background investigations that are deemed appropriate by IRS and are consistent across lockbox banks,
  * before permanent lockbox bank employees receive access to taxpayer data and receipts they undergo and receive favorable results on background investigations that are deemed appropriate by IRS and are consistent across lockbox banks,
  * lockbox bank guards inspect courier vehicles for unauthorized passengers and unlocked doors,
  * candling procedures for the various types of extraction methods be clarified,
  * during candling, lockbox bank employees record which machines and which extraction clerks missed items,
  * lockbox bank management reconcile items found during candling to the candling records,
  * lockbox bank management reconcile cash payments to internal cash logs and the cash logs they provide to IRS, and
  * lockbox employees immediately seek processing guidance from the lockbox coordinator if envelopes with timely postmark dates are received after the postmark review period has ended.

Because IRS and FMS must decide before 2007 whether to continue using lockbox banks to process tax receipts or to return that function to IRS, we recommend to the Secretary of the Treasury that a study be done in time (1) for its findings to be considered in the decision-making process and (2) to make any improvements to lockbox processing that the study indicates are necessary or to return the processing to IRS.
Regardless of the type of analysis chosen, we recommend that the Secretary of the Treasury:

* clearly define the type of analysis being done and why, and follow through to identify and analyze costs and benefits relevant to the type of analysis,
* consider the opportunity costs associated with the proposed investment in using lockbox banks to accelerate the deposit of tax receipts, and
* include the direct costs associated with oversight, risk reduction, and non-Form 1040 tax receipts.

Agency Comments and Our Evaluation:

Treasury's response to a draft of this report was jointly prepared by IRS and FMS. In responding to the report, IRS and FMS agreed with our findings and recommendations and stated that they have initiated or plan to initiate actions to implement our recommendations. IRS and FMS agreed to continually monitor lockbox banks' adherence to internal controls and to modify the LPGs to improve consistency standards and clarify instructions. IRS and FMS also agreed to complete an analysis of lockbox processing prior to the expiration of the current lockbox agreements to determine how best to satisfy IRS's remittance processing needs.

In their response, IRS and FMS indicated many actions they have taken since October 2001 to improve lockbox operations. We identified many of these improvements during our review and documented them in our report, such as the establishment of the Bank Review Office within FMS and the development of memoranda of understanding concerning oversight roles and responsibilities. These actions and agreements will need to be promptly completed and thoroughly documented to satisfactorily address many of the issues raised in this report. The complete text of Treasury's response is reprinted in appendix III.

As agreed with your office, unless you announce its contents earlier, we plan no further distribution of this report until 30 days after its issuance date.
At that time, we will send copies to the Chairmen and Ranking Minority Members of the Senate Committee on Appropriations; Senate Committee on Governmental Affairs; Senate Committee on the Budget; Subcommittee on Treasury, General Government, and Civil Service, Senate Committee on Appropriations; Subcommittee on Oversight of Government Management, Restructuring, and the District of Columbia, Senate Committee on Governmental Affairs; House Committee on Appropriations; House Committee on Ways and Means; House Committee on Government Reform; House Committee on the Budget; Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, House Committee on Government Reform; and Subcommittee on Oversight, House Committee on Ways and Means. We will also provide copies to the Chairman and Vice-Chairman of the Joint Committee on Taxation, the Secretary of the Treasury, the Commissioner of FMS, the Acting Commissioner of IRS, the Director of the Office of Management and Budget, the Chairman of the IRS Oversight Board, and other interested parties. Copies will be made available to others upon request. In addition, the report will be made available to others at no charge on GAO's Web site at http://www.gao.gov.

If you have any questions about this report, please contact Steve Sebastian at (202) 512-3406 (SebastianS@gao.gov) or Mike Brostek at (202) 512-9110 (BrostekM@gao.gov). Additional key contributors to this assignment are listed in appendix IV.

Steven J. Sebastian
Director
Financial Management and Assurance:

Signed by Steven J. Sebastian:

Michael Brostek
Director
Tax Administration and Justice:

Signed by Michael Brostek:

[End of section]

Appendixes:

Appendix I: Internal Control Weaknesses:

During calendar year 2002, we visited all nine lockbox locations to review their internal controls designed to protect taxpayer data and receipts. TIGTA auditors and IRS reviewers also performed reviews of lockbox controls in 2002.
Below are the specific internal control issues with (1) physical security, (2) processing controls, (3) courier security, and (4) employee screening, that we and other reviewers found at lockbox sites.

Physical Security Weaknesses Could Allow Unauthorized Access to Taxpayer Data and Receipts:

The Lockbox Processing Guidelines (LPG) establish physical security and other processing requirements. Lockbox banks are required by their agreements with FMS to abide by these guidelines. However, during our visit to lockbox locations, we observed numerous physical security breaches in violation of the LPGs. We also identified areas where the LPGs could be strengthened. These matters are discussed in the following sections.

Perimeter Doors Were Unlocked and Alarms Did Not Function:

To detect attempted breaches into secured space, lockbox guidelines require all perimeter doors leading into IRS lockbox space to be equipped with alarms. The guidelines also require guards to ensure that such doors are locked. However, at four lockbox locations, we noted problems with perimeter door security. At one location, we found a perimeter door unlocked. At another location, a perimeter door was not equipped with an audible alarm during operating hours. Bank management did not think an audible alarm was necessary because an additional interior door that was locked during the day controlled access to the processing area. However, we observed that this interior door was propped open during our visit. At this location, we also found that the alarm for another door was barely audible over the noise from the production floor and immediately ceased when the door was closed, limiting the opportunity for security personnel to determine which door opened and to investigate any possible unauthorized entrance or exit.
At a third location, the alarms for one set of doors were not turned on during operating hours, and the alarm for another perimeter door failed to activate because, according to a bank official, the alarm had not been properly set. At a fourth location, the door alarms were not audible at the guard post because the guards had turned down the volume. These security weaknesses could result in unauthorized entry to and exit from the lockbox processing areas, increasing the risk of theft of tax data and receipts.

Guards Were Not Responsive to Alarms:

Door alarms serve to alert lockbox staff to a possible breach of security. To be an effective physical security control, alarms require quick response time by a security force. However, at two of the lockbox locations where we found problems with perimeter door security, we also noted that security guards were not responsive to alarms. For example, at one location, we tested the alarm twice. On the first test, no guard responded to the alarm. On the second test, it took 1 minute after the door was opened before we saw a guard approaching the door. Bank managers believed that their guards should have responded faster. At another location, the perimeter door alarm sounded twice, and both times the guards did not respond. According to the bank manager, the guards' post orders did not instruct guards to respond to alarms. He also added that it was difficult for the guards to hear the alarms from the guard station. The presence of security guards serves to detect unusual activities and to deter crime. An ineffective security force may not only limit the overall effectiveness of a security system but also may inadvertently encourage security breaches from individuals who decide to take advantage of this weakness.

Employee Identification Was Not Adequately Verified:

Lockbox locations are set up with a main entrance where guards can observe and control the traffic into and out of the processing area.
The LPGs require that temporary employees provide photo identification to the guards in exchange for a badge allowing access to the processing floor. This ensures the identity of temporary employees is validated prior to entering the processing area. We found that at one location, guards did not routinely verify temporary employee identification when they entered the processing area. Bank management believed that manual, daily verification of temporary employee identification was not necessary because the location's automated entry system (AES) provided sufficient controls to limit access to authorized individuals. The AES allowed entry into the building and processing floor to individuals with AES cards, which control the door and turnstile locks. AES cards are issued to temporary employees after the guards have verified the employees' identities with valid photo identification cards on their first day of work. Once these employees are issued AES cards, guards no longer verify the employees' identification before they enter the building and processing floor. Temporary employees wear handwritten name tags with no photo identification to easily verify their identity. As a result, if an unauthorized individual obtains an AES card, the lack of routine verification of employee identification increases the likelihood that an individual could gain unauthorized access to the building and the processing floor, thereby increasing the risk of theft of tax data and receipts.

Employment Status of Temporary Employees Was Not Adequately Verified:

Effectively limiting access at lockbox locations to authorized individuals requires controls that not only verify the identity of employees, but also determine whether individuals who present themselves as employees are currently authorized to have access to the site. We found controls over verification of employment status to be ineffective at two locations.
At one location, the controls implemented to validate an individual's current employment were ineffective.[Footnote 33] The two-step manual process to identify temporary employees and check their current employment status before issuing access badges could have allowed unauthorized individuals to enter the processing area. The first step required temporary employees to obtain name tags from one station. Staff at this station checked the employees' identification cards against a roster of current employees and issued them handwritten name tags. The second step required temporary employees to obtain access badges from the guard station. The guards issued access badges to anyone with a valid photo identification and handwritten name tag, making an assumption that those with name tags were current employees. As a result, an unauthorized individual could have circumvented these controls and gained access to the processing floor by making a name tag and presenting it to the guards. At another location, guards did not compare temporary employees' identification cards to the temporary agency's list of current employees until after the employees were given access to the processing area. This increases the risk that unauthorized individuals could gain access to taxpayer data and receipts and not be promptly detected.

Visitor Access to and Activity in Processing Area Were Not Adequately Controlled:

Anyone entering the lockbox processing area must wear an identification badge. In addition, individuals who have not had an FBI fingerprint check, but require access to the processing floor, must be escorted by a guard. However, at one lockbox location, we observed a copy machine repairman with no identification badge who was unescorted in the processing area. The guards indicated they were unaware whether the contractor had received an FBI fingerprint check and therefore one of the guards had escorted the repairman into the processing area.
However, during our observation, the guard was across the room, too far away to effectively observe what the repairman was doing. We also observed that none of the employees near the repairman challenged his presence. Bank managers later showed us proof that the repairman had successfully completed an FBI fingerprint check and explained that the guards should have given him a visitor badge, but did not need to escort him. Although in this case the contractor turned out to have an adequate security clearance, our observation indicated a need for guards to be better trained on procedures for granting access to contractors and for guards and employees to be more alert to activities on the processing floor. We also found malfunctioning AESs designed to control entrance into and exit from processing areas. Two lockbox locations use an AES to control access to the processing area. According to bank management for these two locations, the AES must register an exit for a specific badge before it can be used again to enter the processing area. In addition, the AES should not allow an individual to exit without a registered entry. In other words, in order for anyone to use an access badge to exit the processing area through the controlled access points, the system must first have a record of that badge as having been used to enter, otherwise exit from the area would be denied. However, due to a programming error, we found that the AES did not function as intended. Specifically, we found that a single visitor badge could be used repeatedly by different individuals, one after another, to gain access to the processing area, because the AES did not require a registered exit between registered entries. Moreover, we found that the badges allowed individuals to exit the processing area even though the AES did not initially record their entrance. 
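The entry and exit rule that bank management described, together with a check over granted badge reads that flags the two behaviors observed, is sketched below as an added example. It is not the AES vendor's or the banks' code; the badge IDs, timestamps, and event format are constructed, and the area is assumed to be empty when the log starts.

```python
from dataclasses import dataclass, field

ENTRY, EXIT = "entry", "exit"
NO_EXIT = "entry without a registered exit"
NO_ENTRY = "exit without a registered entry"

# Constructed sample of badge reads, in time order (hypothetical IDs/times).
CONSTRUCTED_LOG = [
    ("08:01:10", "V-017", ENTRY),
    ("08:01:25", "V-017", ENTRY),   # same visitor badge presented again
    ("08:01:41", "V-017", ENTRY),   # and again, still no exit recorded
    ("08:30:02", "E-204", ENTRY),
    ("09:12:47", "V-022", EXIT),    # exit for a badge never seen entering
    ("12:00:05", "E-204", EXIT),
    ("12:45:30", "E-204", ENTRY),   # legitimate re-entry after an exit
]


@dataclass
class AntiPassbackController:
    """Grants or denies a badge read based on whether the badge is inside."""
    inside: set = field(default_factory=set)

    def request(self, badge_id: str, direction: str) -> bool:
        if direction == ENTRY:
            if badge_id in self.inside:
                return False            # an exit must be registered first
            self.inside.add(badge_id)
            return True
        if direction == EXIT:
            if badge_id not in self.inside:
                return False            # no entry on record for this badge
            self.inside.remove(badge_id)
            return True
        raise ValueError(f"unknown direction: {direction!r}")


def replay(events):
    """Decisions a correctly enforcing controller would make for each read."""
    controller = AntiPassbackController()
    return [controller.request(badge, direction) for _, badge, direction in events]


def audit_granted_events(events):
    """Scan reads that a system actually GRANTED and report rule violations.

    Useful as an independent check on a controller whose enforcement is in
    doubt: any finding means the system let through a read it should have
    denied. Assumes the controlled area was empty at the start of the log.
    """
    inside, findings = set(), []
    for timestamp, badge, direction in events:
        if direction == ENTRY:
            if badge in inside:
                findings.append((timestamp, badge, NO_EXIT))
            inside.add(badge)
        elif direction == EXIT:
            if badge not in inside:
                findings.append((timestamp, badge, NO_ENTRY))
            inside.discard(badge)
    return findings


if __name__ == "__main__":
    for decision, event in zip(replay(CONSTRUCTED_LOG), CONSTRUCTED_LOG):
        print("GRANT" if decision else "DENY ", *event)
    for finding in audit_granted_events(CONSTRUCTED_LOG):
        print("FINDING", *finding)
```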
This AES deficiency compromised the lockbox banks' ability to control and monitor visitors' entrance into and exit from the processing floors. At one location, managers corrected the error before we left; at the other location, managers agreed to correct the error. As a result of these weaknesses, tax receipts and data are exposed to an increased risk of theft from visitors who are not adequately monitored.

Items Brought Into and Out of Processing Areas Were Not Closely Monitored:

The LPGs prohibit individuals from bringing personal belongings, such as purses and shopping bags, into processing areas. The guidelines also prohibit individuals from wearing baggy clothing or bulky outerwear inside processing areas. Guards stationed at the main entrance of processing areas enforce this rule. However, at five lockbox locations, we found that the guards did not effectively monitor individuals entering the processing floors to enforce this requirement. At three of these locations, we observed employees bring personal belongings or wear bulky outerwear inside the processing area. In one instance, a guard brought a purse inside the processing area. At four of these locations, we were able to bring personal belongings, such as purses, into the processing floor and were not challenged by the guards. The guards we interviewed informed us that they either failed to observe personal belongings brought into the processing area or did not know the requirements of the lockbox guidelines concerning personal belongings. Guards are also required to question individuals who attempt to remove property from the lockbox locations. However, at one location, the guards failed to search papers we carried out of the processing area. At another location, we found that on the day of our visit there were no guards present to observe employees leaving the processing area because bank management had not informed the guards that several employees would be working beyond their normal work hours.
The guards finished their shift and left before the employees were dismissed. As a result of these security breaches, individuals could have used personal belongings and bulky clothing to conceal and remove tax data and receipts from lockbox locations undetected.

Camera Surveillance Needs Improvement:

The LPGs require surveillance cameras to be installed at lockbox locations and security guards to monitor the cameras to observe critical areas, such as the loading docks, secure storage areas, mailroom, and extraction area. However, we found that the camera surveillance at seven lockbox locations we visited could be improved. At two locations, the cameras were stationary and did not have zoom capability to effectively monitor critical areas. At another three locations, camera monitors to survey activities on the processing floor were located in the managers' offices; however, because of other duties, the managers were frequently on the processing floor and were not able to observe the monitors.[Footnote 34] FMS visited one of these three locations in early 2002 to perform an unannounced security review and also reported this as a finding. Additionally, at another of these three locations, there were no surveillance cameras in the former administrative offices located within the processing area. Lockbox managers recently vacated this area and did not consider installing surveillance cameras because no processing activity occurred there. However, this area housed unused file cabinets and desks with drawers where tax data and checks could be hidden. One of the offices was also used by a computer contractor while on site. At the two other locations, we found that the monitors used to display the images from surveillance cameras were ineffective. Specifically, the monitors displayed up to 16 images on one screen making each individual image barely visible to effectively monitor or detect illegal activities.
Additionally, since these monitors were visible to employees and visitors, they were ineffective deterrent controls to those who noticed that the surveillance could not effectively monitor activities on the processing floor. The images would be more effective in deterring criminal activities if they were more visible. As a result of these weaknesses, lockbox camera surveillance was not capable of consistently and effectively detecting unusual activity or unsafe practices and providing early warning of possible security compromises.

Processing Controls Need Improvement to Better Account for and Protect Taxpayer Data and Receipts:

In addition to physical security controls, the lockbox guidelines also provide requirements for processing controls to maintain accountability for, and security over, transactions as they are processed through the normal course of operations. During our visits to lockbox locations, we found deficiencies in processing controls designed to account for or protect tax data and receipts at several of the lockbox sites. Specifically, taxpayer information and receipts particularly vulnerable to theft, such as cash, were not carefully processed and safeguarded. Moreover, the records to account for items found during candling, a process to detect overlooked items remaining in envelopes, and cash payments were inadequate to allow lockbox managers to easily and promptly detect lost or stolen items.

Candling Procedures and Review Were Not Adequate:

To prevent the accidental destruction of taxpayer data and receipts, lockbox guidelines require envelopes to undergo a candling process. The LPGs also require lockbox site managers to periodically review the effectiveness of their site's candling procedures.
During our review of lockbox operations, we found that at some lockbox locations (1) deficiencies in the candling processes may lead to the accidental destruction of tax data and receipts, (2) accounting for found items was insufficient to detect missing checks within a reasonable time, and (3) management review of candling processes was either lacking or not clearly documented.

Inadequate Candling Procedures Could Lead to Accidental Destruction of Tax Data and Receipts:

Lockbox staff open envelopes manually by hand or with the assistance of a mail extraction machine. Some mail extraction machines slit envelopes on one side, allow employees to extract their contents, and have the capability to electronically detect overlooked items remaining in the envelopes. More advanced machines slit envelopes on three sides and extract the contents. The method used to open the envelopes determines how the envelopes should be candled. The LPGs provide guidance on candling procedures and require all envelopes to be candled twice before destruction. Envelopes opened with the assistance of a mail extraction machine are considered to have gone through the first candling.[Footnote 35] After processing, employees are required to review each envelope through a source of light, such as a candling table, to determine if any contents remain in the envelope. This is considered the second candling. For manually opened envelopes, envelopes that are slit on three sides and flattened sufficiently meet candling requirements without further light source viewing. Envelopes that are manually slit on only one side are reviewed twice on the candling table. During our visits to lockbox locations, we found that at four locations, envelopes were not sufficiently candled to prevent the accidental destruction of tax data and receipts because of malfunctioning machines, careless candling practices, and ineffective candling guidelines.
* At one location, we found two mail extraction machines that malfunctioned and failed to detect checks remaining in the envelopes. Additionally, some envelopes were only candled once because employees often used the mail extraction machines as desks. Employees manually opened the envelopes, completely bypassing the first candling step to be performed by the machines. These envelopes were then candled only once on the candling table. We also observed that employees were inattentive when candling envelopes on the candling table, allowing envelopes to overlap and making it difficult to fully illuminate each envelope or all parts of an envelope.
* At a second location, envelopes that were manually opened were not slit on three sides or candled twice.
* Two other locations did not properly candle all envelopes because the candling requirements in the LPGs do not specify procedures to be used with more advanced extraction machines that slit the envelopes on three sides and extract the contents. Management at these locations believed that because the envelopes were opened on three sides, they met the candling guidelines for manually opened envelopes. Therefore, they concluded that no further candling was required. However, an IRS official subsequently explained that envelopes opened by these types of machines should be subject to a second candling until IRS performs a study to determine their effectiveness. The fact that we found a $3,300 check that had not been detected by one of these advanced machines, located in another site,[Footnote 36] indicates that they can also malfunction and result in the destruction of taxpayer data and receipts.

As a result, candling procedures did not effectively reduce the risk of accidental destruction of tax receipts and data.

Accounting for Items Found During Candling Was Insufficient:

Lockbox guidelines require lockbox employees to account for each item found during candling.
Some lockbox locations use two forms to record items found--an internal candling log and a Form 9535[Footnote 37] or equivalent, which is required to be submitted to the lockbox coordinator each month for IRS review. Employees prepare the internal log while candling and later transfer the data onto the Form 9535. Since all items found during candling must be reported to IRS, the Form 9535 should record the same number and amounts of checks found as noted on the internal log being maintained as processing is occurring. However, the lockbox guidelines do not require a reconciliation of one set of records to the other, nor do they require a reconciliation of items found during candling to their candling records. During our review, we found that lockbox banks did not always have procedures to ensure that all items found were accurately recorded on both sets of logs and that bank managers could not properly account for all items found. At one location, the two sets of logs that bank management provided to us could not be reconciled. For example, a check was recorded on the internal log but not on the Form 9535. Management could not provide an adequate explanation or documentation to explain the discrepancy. At this location, we also noted delays of up to 6 days in transferring records of items found from the internal log to the Form 9535. Lockbox management explained that because of the volume of work during the April peak, the Form 9535 could not always be completed or the checks could not always be processed the same day they were found during candling. Another location's internal log only recorded tallies of the quantity of items found, which did not match the number of items listed on the log provided to IRS. Because there was not enough information on the internal log, we could not determine whether items, such as checks, recorded on the internal log but not on the Form 9535, were ever processed and credited to the taxpayers' accounts.
We identified this same issue during a visit to this location in October 2001 as part of our audit of IRS's fiscal year 2001 financial statements.[Footnote 38] After this visit, lockbox management and IRS agreed to address this problem. However, as of April 2002, this problem had not been corrected. IRS indicated that it plans to address this issue in the January 2003 revisions to LPGs. At two other locations, we also found that no reconciliation occurred between items found during candling and the candling log. As a result of these weaknesses, lockbox management and IRS may not promptly detect missing checks. We also noted that the lockbox guidelines do not specifically require the banks to determine which machine or which extraction clerk[Footnote 39] missed items that were subsequently found during candling. Such information would help lockbox bank managers promptly track and repair malfunctioning machines and provide performance feedback to extraction clerks.

Management Review of Candling Process Was Insufficient or Not Adequately Documented:

Because IRS officials are not at lockbox locations daily, IRS relies on lockbox managers to ensure that their staff complies with lockbox guidelines. In the case of candling requirements, IRS guidelines require lockbox managers to sample candled items to determine the effectiveness of the candling process and to report results of the reviews to IRS. However, at four locations, we found that lockbox managers, who indicated they had performed these reviews, failed to document or clearly document the results. At two additional locations, managers stated that they did not sample candled envelopes. The manager at one of these locations believed that her frequent observation of the candling process was sufficient to ensure that the envelopes were properly candled.
Given the problems we observed with the candling process at several of the locations we visited, management reviews and proper documentation of such reviews are critical to help ensure that problems are promptly identified and corrected.

Controls Were Not in Place to Adequately Safeguard and Account for Cash Receipts:

Lockbox sites receive tax receipts in the form of cash as well as checks. Cash receipts are highly susceptible to theft, and lockbox guidelines have specific requirements for safeguarding and accounting for cash receipts. The guidelines require cash to be stored in locked containers to prevent theft. The keys to these containers must not be left in unsecured places, such as desk drawers. The guidelines also require cash receipts to be recorded on a log. At three lockbox locations, we noted weaknesses in the safeguarding and accounting for cash. At one location, the locked cash box was stored in a locked drawer. However, the keys to both the cash box and the locked drawer were stored in an open drawer because bank management wanted supervisors to have quick access to the cash box to expedite the deposit of cash. At another location, cash for the business and individual tax payments were stored in two separate safes. Three staff members had keys to the safes, which could be opened by individuals acting alone. Additionally, the safe used for business payments was small and moveable. The individual access to the safes and the ease of mobility of one of the safes compromised the security of the stored cash. At two locations, we noted discrepancies between the bank's safe log and the log that the lockbox managers were required to provide to IRS. A safe log is an internal lockbox document that employees complete before they place cash in the safe or cash box. The safe log should identify the taxpayer, the amount paid, and date cash was discovered.
When we reviewed the two sets of logs we found that the dates, amounts, item counts, and taxpayer identification information in the logs did not agree, and bank managers could not reconcile some of the discrepancies. For example, at one location, five items on the safe log were not on the IRS log. One of the items was a $140 cash receipt. Because the safe log did not record taxpayer information for any of the receipts, we could not verify whether the receipt was ever posted to the taxpayer's account. There is currently no requirement in the LPGs for bank managers to reconcile their internal cash logs to the cash log sent to IRS. Such reconciliation could have quickly detected the discrepancies we noted. Bank management attributed some of these discrepancies to human error, inexperienced staff, and staff failure to take the accounting for cash seriously because the amounts found are typically small. However, individual taxpayers have made cash payments totaling hundreds of dollars. Failure to properly secure and account for cash receipts could result in theft, the untimely detection of theft, inaccurate posting of tax receipts, and unnecessary burden on taxpayers whose cash receipts are lost or incorrectly posted. Therefore, it is critical for lockbox banks to diligently safeguard and account for cash receipts.

Returned Refund Checks Were Not Adequately Protected Against Theft:

Lockbox banks sometimes receive federal tax refund checks that have been returned by taxpayers as payment against other tax liabilities. Some of these checks have been endorsed by taxpayers and are therefore negotiable. As a safeguard against theft and misuse of returned refund checks, lockbox guidelines require lockbox extraction clerks to promptly stamp a restrictive endorsement on returned refund checks. These checks are subsequently forwarded to IRS for further processing.
At seven locations, however, we observed that returned refund checks were not always stamped upon extraction and at some locations were set aside, unsecured, to be stamped later by a different individual. At two locations, we found the returned refund checks without the required stamps ready to be shipped to IRS. Lockbox management attributed many of these exceptions to staff oversight or inadequate training. Several years ago, IRS investigators discovered the theft of seven returned refund checks totaling $300,000 at one IRS Submission Processing Center. Such thefts can also occur at lockbox sites. Thus, it is critical that restrictive endorsements be placed on returned refund checks as soon as they are extracted.

Timely Payments Were Incorrectly Processed As Delinquent:

The LPGs, as currently written, have resulted in timely tax payments being processed as delinquent. To determine timeliness, lockbox employees are required to examine the postmarks on envelopes in which tax receipts were received. If the postmark indicates that the receipt is delinquent (i.e., the postmark is subsequent to the return or payment due date), the receipt should be processed as delinquent and the envelope should be attached to the corresponding document and forwarded to IRS. If lockbox employees determine that the receipt is timely (i.e., the postmark is prior to the return or payment due date), the envelope need not be retained. However, beginning with the first day of the month following the month the payment is due, lockbox guidelines require lockbox employees to use the date the mail is received as the transaction date to be recorded in the taxpayer's account as the payment date. Furthermore, the lockbox guidelines do not require lockbox employees to review and retain the envelopes in which the tax receipts were enclosed.
At one lockbox location we visited, we observed that on May 1, 2002, lockbox employees received and extracted tax receipts from two envelopes postmarked prior to or on the April 15 payment due date. Because it was already past the period during which lockbox employees were required to examine postmarks and retain envelopes, lockbox employees processed the payments as delinquent and would have discarded the envelopes even though they were aware that the envelopes were postmarked on or before the payment due date. When we brought these two transactions to the lockbox coordinator's attention, the lockbox coordinator concluded that, in these instances, the taxpayers had made timely payments. The lockbox coordinator subsequently adjusted the taxpayers' accounts to reflect these as timely payments. We recognize that careful examination of postmarks on envelopes for all receipts received after the payment due dates slows down the payment processing and we recognize the need to establish reasonable cut-off dates for this review process. However, lockbox employees should immediately seek processing guidance from the lockbox coordinator when incidents such as the ones noted above come to their attention to avoid burdening taxpayers with erroneous penalties and interest for late payments. Additionally, as written, the LPGs could lead to potential taxpayer burden and unnecessary costs to IRS associated with correcting the status of taxpayer's accounts.

Courier Security Is Inadequate to Protect Tax Data and Receipts from Theft or Loss:

Lockbox banks entrust courier employees with transporting thousands of pieces of mail containing tax data, cash, checks, and deposits worth millions of dollars per day. Given the susceptibility of these items to theft and loss, it is extremely important that they be carefully safeguarded while in transit to and from lockbox sites.
We previously reported on weaknesses in lockbox courier security and noted that lockbox courier guidelines were not as stringent as IRS courier guidelines.[Footnote 40] For example, unlike IRS courier requirements, the LPGs did not require courier employees to pass a limited background investigation, thus increasing the risk of theft of tax data and receipts by couriers with past criminal histories. The LPGs also did not require lockbox couriers to be insured for $1 million and to travel in pairs while transporting IRS data. In fact, in past audits, we found that lockbox banks used only one courier employee to transport IRS data. These weaknesses in courier security increased the risk of theft and loss of taxpayer data and receipts. In response to our audit findings, IRS enhanced the lockbox courier requirements. The 2002 LPGs now require that couriers used by lockboxes pass favorable FBI fingerprint checks, be bonded for $1 million, travel in pairs, transport IRS data from the lockbox facility to its destination with no stops in between, provide dedicated service to IRS, and lock and attend courier vehicles while IRS data are contained within the vehicles. Despite these enhancements, we and other auditors[Footnote 41] continue to find weaknesses in lockbox courier security because of the lockbox sites' failure to consistently comply with the revised guidelines. In addition, lockbox courier guidelines could be further refined to improve the security of tax data and receipts.

Couriers Given Access to Tax Data Before Fingerprint Check Results Received:

IRS recently revised the background screening requirements for lockbox couriers. The revised LPGs, effective January 2002, prohibit couriers from having access to IRS data until lockbox managers have received results of their FBI fingerprint checks and resolved any questionable fingerprint results.
However, during a recent TIGTA audit[Footnote 42] of one lockbox site, auditors found that three couriers were allowed access to taxpayer information before the lockbox received the results of their fingerprint checks. Lockbox managers subsequently received results of the FBI fingerprint checks, which indicated that two of these couriers had criminal histories. Nevertheless, TIGTA found that lockbox management continued to allow the two couriers and an additional courier, whose FBI fingerprint check also indicated a criminal history, access to taxpayer data while follow-up investigations, which subsequently cleared them, were underway. TIGTA auditors attributed this weakness to lockbox management's failure to develop and implement procedures to ensure that couriers are granted proper clearance before they receive access to IRS data.

Lockbox Couriers Not Properly Identified:

Lockbox courier standards require courier employees to wear identification badges and lockbox banks to implement procedures to properly identify couriers. However, at two lockbox locations, we found that couriers did not wear their identification badges. At one of these locations, lockbox employees did not verify the courier's identification before entrusting him with taxpayer data because the employees indicated that they were familiar with the courier. Additionally, at this location, the courier access list, which lists couriers authorized to access tax data and photo identification of couriers, was maintained at the guard station and not easily accessible to employees who must verify couriers' identities daily. Although not a requirement in the LPGs, some locations have posted the courier access lists by loading dock doors to facilitate the identification of couriers.
Unless lockbox employees diligently perform their duties to properly identify couriers, tax receipts and data are exposed to higher risk of theft from former couriers who have recently been terminated or unauthorized individuals posing as couriers.

Courier Vehicle Containing Tax Data and Receipts Was Not Locked:

The LPGs require courier vehicles to be locked whenever IRS data are contained in the vehicle until it reaches its destination. Additionally, the vehicle must always be under the supervision of one of the couriers and never left unattended. At one lockbox site, we observed that couriers did not lock the courier vehicle containing tax data. The couriers stated that they generally did not lock the doors because they never left the IRS packages unattended. The lockbox guard did not check to see if the vehicle was locked because there is no requirement to do so. IRS reviewers also observed couriers failing to lock courier vehicles during their review of another lockbox location in April 2002. Failure to ensure that courier vehicles are locked while in possession of taxpayer data and receipts increases the risk of loss of such items.

Background Screening of Lockbox Couriers Are Less Stringent Than Requirements for IRS Couriers:

We also found that background screening requirements continue to be less stringent for lockbox couriers than for IRS couriers. IRS couriers are subject to both an FBI fingerprint check and a basic background investigation for contractors before they are given access to tax receipts. This background investigation includes a check of other federal agency and defense clearance investigation databases for results of previous background investigations and a check for any outstanding tax liabilities. In contrast, lockbox couriers are only required to favorably clear an FBI fingerprint check and are subject to no further background investigations.
As a result, IRS may not discover information, such as outstanding tax liabilities, that might cause IRS to deny them access to taxpayer data. IRS is aware of the risks associated with lockbox couriers and is considering enhancing the lockbox guidelines to require lockbox couriers to undergo basic background investigations similar to those required of IRS couriers.

Unauthorized Individuals Not Prohibited From Courier Vehicles:

IRS courier standards specifically prohibit the presence of unauthorized individuals in courier vehicles and require IRS personnel to inspect courier vehicles daily to ensure that no unauthorized passengers are in the vehicle. The LPGs, on the other hand, contain no prohibition of unauthorized individuals in courier vehicles and do not require lockbox staff or guards to inspect courier vehicles for unauthorized passengers. The guidelines state only that IRS reserves the right to inspect courier vehicles and drivers. Because IRS representatives are not on-site every day and there is no requirement for lockbox employees to inspect vehicles, unauthorized individuals could ride in courier vehicles and have access to taxpayer data and receipts without lockbox management's knowledge.

Further Improvements Needed on Background Screening of Lockbox Employees:

Because lockbox employees are entrusted with handling sensitive taxpayer information and billions of dollars in receipts annually, ensuring worker integrity through a carefully managed recruiting and hiring process is an area that demands special attention from IRS, FMS, and lockbox management. We previously reported that the screening of permanent and temporary lockbox employees was inadequate and untimely.
[Footnote 43] Specifically, instead of referring to a national database to check for criminal records, lockbox banks limited the screening of criminal background investigations for temporary employees to police records checks in counties that individuals voluntarily disclosed as prior residences. Therefore, the police records checks may be incomplete for some individuals who chose not to disclose counties in which they committed a crime and have criminal records. In addition, lockbox permanent employees were allowed to handle cash, checks, and taxpayer data before their fingerprint checks were completed.

IRS management has been responsive to our recommendations and has enhanced its policy on screening of permanent and temporary lockbox employees. The LPGs now require permanent and temporary employees to undergo FBI fingerprint checks. In contrast to the previous police records checks performed by county, FBI fingerprint checks are national in scope. An individual's fingerprints are matched against fingerprints maintained in the FBI's national database of criminal records. As a result, criminal records checks performed for lockbox applicants are no longer dependent on the applicant to accurately and completely disclose prior residences. The guidelines have also been updated to prohibit access to taxpayer data and receipts until lockbox management receives the results of an individual's fingerprint checks. Results that show a possible criminal history must be resolved before the individual in question is allowed access to the lockbox site. The guidelines also require permanent lockbox employees to undergo an appropriate background investigation, as determined by an IRS security officer, in addition to an FBI fingerprint check.

Despite these policy improvements, we found that lockbox banks did not always comply with the FBI fingerprint requirements and that further refinements are needed regarding background investigation requirements for lockbox employees.
Employees Given Access to Taxpayer Data and Receipts Before Fingerprint Check Results Received:

Based on our review of lockbox personnel files, we found that lockbox banks are generally complying with the new guidelines. However, we and IRS reviewers nonetheless found instances of noncompliance at lockbox banks. This shows a need for IRS and FMS to ensure that lockbox management clearly understand the screening requirements and have implemented effective controls to prevent permanent and temporary employees' access to tax data until they have favorably completed an FBI fingerprint check.

Specifically at three lockbox locations, we noted noncompliance related to the screening of permanent staff. At one location, we found that 4 out of a nonrepresentative selection of 25 permanent employees whose personnel files we reviewed began working at the lockbox location before bank management received their fingerprint check results. Bank management and IRS personnel explained that this situation occurred because IRS had verbally waived compliance with the screening requirements due to the fact that the bank was experiencing delays in obtaining timely responses on fingerprint checks at the beginning of 2002. At the second location, weak controls to ensure that all employees successfully complete FBI fingerprint checks allowed a permanent bank employee to process receipts and taxpayer data for 3 months before lockbox managers discovered that the employee had not undergone a fingerprint check. The employee was removed from the processing floor until the fingerprint check was completed and approved. At the third location, a permanent employee was allowed to work for several days before the FBI fingerprint check was completed because bank management misunderstood the fingerprint check requirement for lockbox employees.

During its April 2002 peak review, IRS officials found similar problems at two other lockbox locations.
One location allowed a temporary employee access to tax data before the completion of the employee's fingerprint check. At the other location, the temporary agencies listed 12 employees as eligible to work, of which 6 were already working, even though they had not received their FBI clearance checks or were denied clearance to access tax data.

As discussed earlier, taxpayer information and receipts are easily accessible to anyone on the processing floor. Therefore, it is critical for lockbox banks to ensure that these items are properly safeguarded by diligently complying with all aspects of the LPGs, which include screening lockbox employees. Late screening of lockbox employees could result in theft or loss in instances where bank management unknowingly allows individuals with criminal backgrounds access to IRS data and receipts.

Guidelines for Background Investigations of Lockbox Permanent Employees Need Improvement:

The current LPGs require permanent lockbox employees to favorably complete an FBI fingerprint check and an appropriate background investigation, as determined by an IRS personnel security officer. However, the LPGs do not define what is considered an appropriate background investigation for permanent lockbox employees and what information regarding the results of the background investigation should be provided to IRS. As a result, the scope of and documentation for background investigations performed on permanent lockbox employees varies greatly among lockbox banks and is not consistent with background investigations required of other IRS contractors. According to IRS officials, while some lockbox banks subject their permanent employees to the required FBI fingerprint check and additional background investigation, such as county criminal records and credit history checks, other lockbox banks subject their permanent employees to FBI fingerprint checks with no further background screening.
Additionally, IRS officials found that investigation results they receive from banks do not provide adequate information to determine whether the individual should be allowed access to taxpayer data. For example, background investigation results may indicate that a criminal records check was completed but not whether any arrests or convictions were found. Other results of background investigations may indicate that an arrest or conviction was found during a criminal records check but not the basis for the arrest or how recently or frequently the offense occurred. IRS officials also explained that some lockbox banks could not provide documentation of results of background investigations performed on their permanent employees because, as a result of recent bank mergers, lockbox management did not have access to those records. According to IRS officials, IRS did not foresee the problems with background investigations for permanent lockbox employees. As the variance in the scope of background investigations and in the adequacy of documentation of their results became evident, IRS made a decision to accept favorable results of FBI fingerprint checks as the minimum criterion for allowing permanent lockbox employees access to taxpayer data. As a result, the level of background screening performed on permanent employees is inconsistent among lockbox banks and with requirements for other IRS contractors, such as IRS contracted couriers whose backgrounds are checked against other investigation databases and for tax liabilities, as previously discussed. Additionally, permanent employees who were granted access to tax data based only on the results of favorable FBI fingerprint checks, in effect, received the same level of background screening as temporary employees and less than that of IRS contracted couriers, even though permanent employees have more influence and authority over lockbox operations, and are granted more access rights to various sections of the lockbox sites. 
Because some banks subject their permanent employees to less scrutiny when performing background investigations than other banks, IRS may not be aware of critical information that could have been uncovered by a more thorough background investigation, such as recent criminal records not yet reported to the FBI, which might cause IRS to deny them access to taxpayer data.

FBI Checks May Be Inadequate for Lockbox Employees Who Have Recently Established Residency in the United States:

TIGTA auditors recently reported that lockbox banks often employ non-U.S. citizens with lawful permanent residence to process IRS tax payments.[Footnote 44] Although the IRS hires only U.S. citizens, IRS and FMS have allowed lockbox banks to hire non-U.S. citizens. TIGTA auditors found this policy to be consistent with guidelines from the Department of the Treasury regarding the hiring of contract employees. However, this hiring practice may pose unnecessary risks to IRS materials because the FBI fingerprint check, which is national in scope, may have very little information to disclose if these individuals lived in this country for only a short period of time. The Department of State and the Immigration and Naturalization Service perform some background checks before issuing visas to nonresidents or upgrading visas that may allow individuals to achieve lawful permanent resident status. However, neither the TIGTA auditors nor the IRS know the extent of these background checks.

In response to this finding, IRS agreed to form a task group to review the current standards. If IRS determines that the standards do not provide adequate protection or the risk is not reduced by other security measures, IRS will incorporate more stringent requirements into the LPGs after coordinating with FMS and the Department of the Treasury. The uncertainty of criminal histories of non-U.S.
citizens hired by lockbox banks may lead to hiring of individuals with criminal histories which, in turn, increases the risk of theft of receipts or misuse of tax data. For instance, TIGTA auditors reported that evidence regarding the theft of checks from one lockbox site indicates the involvement of a crime ring from a foreign country in the negotiation of and possibly in the actual theft of taxpayer checks.

[End of section]

Appendix II: GAO Analysis of IRS's and FMS's August 1999 1040 Tax Payment Comparative Cost Benefit Study:

In August 1999, an IRS/FMS taskforce issued a study entitled 1040 Tax Payment Comparative Cost Benefit Study. The study estimated the costs and interest savings from processing Form 1040 tax receipts at IRS compared to lockbox banks using three different IRS scenarios. Table 3 shows the IRS/FMS taskforce results for all three IRS scenarios for each of 7 fiscal years (fiscal years 2001 through 2007) and overall.

Table 3: IRS and Lockbox Banks Cost and Saving Estimates for the Federal Government, Fiscal Years 2001 through 2007:

[See PDF for Image]

[End of table]

Source: GAO analysis of 1999 IRS/FMS study.

Note: Totals for net savings may not add due to rounding.

All three IRS scenarios used the same estimated lockbox bank processing costs of $144.9 million. IRS interest float savings and processing costs varied because assumptions differed across scenarios. Scenario I estimated a 1.384 interest float savings while scenarios II and III used 3 days and 10.6 days, respectively. Processing costs for scenario I assumed additional processing equipment, additional staff, additional space, and a 10 percent increase in processing productivity. Scenario II assumptions were the same as I except for assuming no increase in processing productivity. Scenario III assumptions were the same as II except for assuming no additional processing equipment, staff, or space.
We focused on IRS scenario I for further analysis because it was the one used to justify the decision to continue using lockbox banks to process tax receipts. Table 4 shows the IRS/FMS taskforce results for scenario I in more detail for each of 7 fiscal years (2001 through 2007).

Table 4: IRS and Lockbox Banks Cost and Saving Estimates Under IRS Scenario I for the Federal Government, Fiscal Years 2001 through 2007:

[See PDF for Image]

Source: GAO analysis of 1999 IRS/FMS study.

Note: Totals may not add due to rounding.

[A] Labor includes costs to sort, process, and deposit tax receipts plus benefits, overhead, and inflation.

[B] Basic support includes costs for service and supplies, equipment, and printing.

[C] Basic and standard includes costs for depositing tax receipts in the bank.

[D] Ancillary includes costs for other services, such as sorting and shipping tax returns to IRS.

[End of table]

We analyzed the documented support for the data used to develop estimates in the study. The support often came from historical data on lockbox banks and IRS's processing. We generally found some documented support on the methodology and assumptions used for the costs and revenue estimates. We could not compare support for the specific cost estimates, however, because the lockbox banks only had a basic charge for processing tax receipts and an additional charge to sort tax returns and ship them to IRS.

The estimation methodology and assumptions used in the study were the same for each year. To illustrate the methodology and assumptions, we reviewed how the estimates were developed for the first year--fiscal year 2001. For example, as shown in table 4, the net saving of $1.2 million is the difference between IRS and lockbox bank costs and IRS and lockbox bank interest savings. For costs, the study estimated that processing the tax receipts through lockbox banks would cost $11.3 million more than processing them through IRS.
For interest savings, the study estimated that using lockbox banks would save $12.5 million more than using IRS.

For cost estimates, a key factor was the estimated number of tax receipts, which was based on the actual number of 1998 tax receipts and projected for future years using expected growth rates. To understand IRS's costs for fiscal year 2001, we analyzed its four components--labor costs, basic support costs, equipment depreciation, and site preparation depreciation. A discussion of each of the four cost components follows.

IRS labor costs were often estimated from IRS's Cost Estimate Reference guide that provides estimated costs for particular activities at IRS.[Footnote 45] The guide includes estimated labor cost and staff hours for processing tax returns.[Footnote 46] We traced each cost estimate in the study to the IRS cost guide. We also discussed the cost estimates with the IRS analyst who made and documented the computations for the study. Table 5 breaks down the IRS labor cost estimate for fiscal year 2001.

Table 5: IRS's Fiscal Year 2001 Labor Cost:

| Activity             | Volume       | Rate per hour | Staff hours | Hourly staff pay | Cost       |
|----------------------|--------------|---------------|-------------|------------------|------------|
| Sorting returns      | 10,093,903   | 103.9         | 97,150      | $9.24            | $897,666   |
| Processing receipts  | 7,831,622[A] | 171.4         | 45,692      | $10.24           | $467,886   |
| Depositing receipts  | 10,093,903   | 267.9         | 37,678      | $10.17           | $383,185   |
| Quality assurance[B] |              |               |             | $13.94           | $80,531    |
| Overhead[C]          |              |               |             | $13.81           | $1,862,679 |
| Benefits[D]          |              |               |             |                  | $886,067   |
| Labor inflation[E]   |              |               |             |                  | $710,651   |
| Total labor cost     |              |               |             |                  | $5,288,665 |

[End of table]

Source: GAO analysis of the 1999 study estimates.

[A] Processing tax receipts involves a lower volume because the study estimated IRS could process 2,262,281 more receipts without a cost impact, assuming an estimated 10 percent productivity increase from using new processing equipment.

[B] Quality assurance cost is computed by multiplying the staff hours for sorting, processing, and depositing (180,520 hours) by 3.2 percent and by $13.94 hourly staff pay (factors from IRS cost guide).

[C] Overhead cost is computed by multiplying staff hours for sorting, processing, depositing, and quality assurance (186,297 hours) by 72.4 percent and by $13.81 hourly staff pay (factors from IRS cost guide).

[D] Benefits are computed by adding the costs for the first five activities and multiplying by 24 percent (benefit rate from IRS cost guide).

[E] Labor inflation is estimated from federal pay increases, with a compounded rate of 15.5 percent through fiscal year 2001 applied to the cost of the first six activities ($4,578,014).

Explanations of the other three components in IRS's processing cost estimates follow.

* Basic support cost: $291,679
  Consists of service and supplies, equipment, and printing on the basis of rates listed in the IRS cost guide.

* Equipment depreciation: $1,317,796
  IRS would need to spend an estimated $6,588,980 on hardware, furniture, and software if IRS processed Form 1040 tax receipts instead of lockbox banks. This cost was depreciated over a 5-year period in equal annual amounts.
* Site preparation depreciation: $120,000
  IRS would need to spend $600,000--$300,000 at each of two IRS locations--to prepare space to accommodate new equipment required to process the increased volume of tax receipts. This cost was depreciated over a 5-year period in equal annual amounts.

We also analyzed the added interest savings if lockbox banks processed the tax receipts instead of IRS. The IRS/FMS taskforce study followed a formula in Treasury regulations to compute this estimate. For fiscal year 2001, the factors in that formula included:

* total tax receipts = $45,224,421,259 divided by:
* total deposit days of 250 multiplied by:
* interest float of 1.384 days multiplied by:
* an estimated federal funds rate of 5 percent.

The number of deposit days was specified in the Treasury regulations. The interest float represents how much faster lockbox banks could process tax receipts compared to IRS in three areas, totaling 1.384 days:

* Mail float: 0.035 days
* Availability float: 0.349 days
* Compressing the program completion date (PCD): 1.000 day

Mail float is measured from the time a taxpayer mails a payment until it arrives at a lockbox bank or IRS. Availability float is measured from the time a receipt is deposited until the funds are credited to the Treasury. The PCD is the day when lockbox banks must finish processing during peak workload periods and return to a schedule of depositing receipts within 24 hours.

We examined the basis for each of these three estimates. Mail and availability float figures were taken from a July 1998 interest float study done by a contractor for FMS. The PCD figure came from an agreement by lockbox banks to compress PCD by 1 day while the study concluded that IRS could not match the compression for a number of reasons. A new interest float study would have to be done to know the actual float advantage, if any, from using lockbox banks rather than IRS to process the tax receipts.
[End of section]

Appendix III: Comments from the Department of the Treasury:

DEPARTMENT OF THE TREASURY
WASHINGTON:

December 20, 2002:

Mr. Steven J. Sebastian:
Director, Financial Management and Assurance
U.S. General Accounting Office:
441 G Street, N.W.
Washington, D.C. 20548:

Dear Mr. Sebastian:

This letter is in response to GAO's Draft Report "IRS LOCKBOX BANKS. More Effective Oversight, Stronger Controls, and Further Study of Costs and Benefits Needed (GAO-03-299)".

In partnership, the Internal Revenue Service (IRS), Financial Management Service (FMS) and the lockbox banks have substantially improved lockbox program administration and execution during Fiscal Year (FY) 2002. In October 2001, IRS's Office of Program Evaluation and Risk Analysis (OPERA) began a comprehensive effort to assess the lockbox environment, identify control weaknesses, recommend enhancements, and evaluate the effectiveness of enhancements during the April peak processing period. The OPERA-led team, with representation from the IRS operating divisions and FMS, has served as a focal point for many of our efforts. As a result of the efforts and cooperation of all partners we have:

* Strengthened the working relationship between IRS, FMS, and the lockbox banks.
* Substantially increased IRS and FMS monitoring activities and on-site reviews.
* Developed a closer relationship with banks to stress early problem identification - partnering for success.
* Established the Bank Review Office in FMS to oversee lockbox security.
* Drafted Memoranda of Understanding (MOU) for:
  * FMS and IRS roles and responsibilities;
  * IRS functional roles and responsibilities for security activities (in clearance);
  * IRS Research support for lockbox activity.
* Established a new operating branch in the IRS responsible for lockbox activities.
* Revised and updated the Lockbox Processing Guide (LPG) for clarity and additional requirements as directed by the Operation Security Committee.
We all recognize that we cannot eliminate all vulnerabilities associated with remittance and return processing. Although we have accomplished much, we recognize that we can do more. We appreciate the efforts of your staff during the review and your report that provides the IRS and the FMS with additional insight and guidance we will use to further improve this critical program. This response represents both agencies' perspectives on the draft report.

We noted the need for a technical clarification concerning the General Accounting Office's (GAO) reference to "contracts," "contractor" and "contractual agreements" with lockbox banks. From a legal standpoint, lockbox banks act as designated depositaries and financial agents of the United States, performing tax collection lockbox services in a financial agent capacity on behalf of the IRS and the FMS, as principal. When lockbox banks perform these services, they act in Treasury's "stead for the stated purpose," a function that does not constitute a procurement or contract within the meaning of the Federal Property and Administration Services Act or the Federal Acquisition Regulation (FAR). This is an important legal distinction that defines the relationship between the FMS and lockbox banks. We recommend that GAO delete all references in the Draft Report to "contracts" and "contractors" and that such terms be replaced with more accurate phrases such as "Designation of Financial Agent Agreements" or "DFAs" and "financial agent banks". This change would not impact the FMS' and the IRS' continuing responsibility to monitor the performance of lockbox banks.
We have addressed the recommendations below:

Recommendation 1: To decrease the likelihood that further incidents involving the loss and destruction of taxpayer receipts and data will occur again, we recommend that the Commissioner of FMS and the Acting Commissioner of IRS thoroughly review the results of Treasury Inspector General for Tax Administration (TIGTA) investigation of the 2001 incident at the Pittsburgh lockbox site when it is completed and, if the results warrant, implement additional controls and modify the lockbox contractual agreements as appropriate.

Response: We agree with this recommendation and will initiate the review when TIGTA releases the investigative results. If appropriate, we will implement additional controls and change the Designation of Financial Agent Agreements.

Recommendation 2: To improve the effectiveness of government oversight of lockbox banks, we recommend that

* The Commissioner of FMS and the Acting Commissioner of IRS:
  * document IRS's and FMS's oversight roles and responsibilities in agency policy and procedure manuals and determine the appropriate level of IRS and FMS oversight of lockbox sites throughout the year, particularly during peak processing periods;
  * establish and document guidelines and procedures in IRS and FMS policy and procedure manuals for implementing the new penalty provision for lockbox banks to reimburse the government for direct costs incurred in correcting errors made by lockbox banks;
  * finalize and document the recently developed waiver process in IRS and FMS policy and procedure manuals and ensure that decisions on requests for waivers are formally communicated to lockbox management in a timely manner; and
  * establish and document a process in IRS and FMS policy and procedure manuals to ensure that lockbox bank management formally responds to IRS and FMS oversight findings and recommendations in a timely manner and that corrective actions taken by lockbox bank management are appropriate.
* The Acting Commissioner of IRS:
  * establish and document a process in the IRS policy and procedure manuals to ensure that IRS officials with the appropriate levels of expertise continue to participate in announced and unannounced security reviews of lockbox banks;
  * ensure that the results of onsite compliance reviews are completed and timely submitted to IRS's National Office;
  * revise the guidance used for compliance reviews so it requires reviewers to (1) determine whether lockbox contractors, such as couriers, have completed and obtained favorable results on the IRS fingerprint checks, and (2) obtain and review all relevant logs for cash payments and candled items to ensure that all payments are accounted for, and
  * assign individuals, other than the lockbox coordinators, responsibility for completing onsite performance reviews.

Response: We agree with these recommendations, and both the IRS and the FMS have already begun addressing many of your observations. The MOU we are developing will address the issues that are the joint responsibilities of the IRS and the FMS. In addition, the FMS will develop a Program Policy and Procedure Manual that will specifically address the administration of the IRS lockbox program. The FMS Manual will include policy and procedural guidance on:

* the appropriate level of FMS oversight of lockbox sites throughout the year, particularly during peak processing periods;
* implementing the new penalty provision for lockbox banks to reimburse the government for direct costs incurred in correcting errors made by lockbox banks;
* implementing the new waiver process as it relates to FMS;
* responding to FMS oversight findings and recommendations in a timely manner and monitoring corrective actions taken by lockbox bank management.
We redesigned the waiver process to improve efficiency and timeliness of providing responses to the waiver requests and assigned process ownership to the IRS lockbox branch, with support by other subject matter experts. The revision reduced the levels of approval thereby improving response time. We shared this new design with the Lockbox bank site managers and relationship officers at the November 2002 Lockbox Conference in Washington, D.C. This new design will be documented in the January 2003 release of the LPG. We will also update the appropriate Internal Revenue Manuals and other agency guidelines to incorporate the additional procedural changes contained from this recommendation.

To improve bank corrective action monitoring, the FMS is developing an incident reporting and security/audit finding tracking system. This tracking system will automate the lockbox incident reporting and tracking process and ensure that the FMS can accurately monitor bank corrective actions from audit and review findings. The system will be available to the FMS by the end of March 2003.

The IRS MOU will further delineate the security responsibilities of the various IRS organizations. Security experts from the FMS and the IRS will conduct announced and unannounced onsite security reviews during FY 2003. We will also increase IRS support for the lockbox program by establishing the Headquarters Lockbox Branch of Submission Processing. Field lockbox coordinators will no longer be involved in conducting security reviews and will report directly to the new branch. This will alleviate the potential conflict of competing responsibilities when they perform their duties.
Recommendation 3: To improve internal controls at lockbox banks, we recommend that the Commissioner of FMS and the Acting Commissioner of IRS:

Recommendation 3(a): Require that internal control deficiencies are corrected by lockbox bank management and that the IRS and FMS take steps through ongoing monitoring to ensure that the following LPG requirements are routinely adhered to:

* perimeter doors are locked and alarms on perimeter doors are functioning;
* guards are responsive to alarms;
* employees' identity and employment status are verified prior to granting access to the processing floor;
* visitor access to and activity in the processing area are adequately controlled;
* employee access and items brought into and out of processing areas are closely monitored by guards;
* surveillance cameras and monitors are installed in ways that allow for effective, real-time monitoring of lockbox operations;
* envelopes are properly candled;
* lockbox bank management perform and adequately document candling reviews;
* returned refund checks are restrictively endorsed immediately upon extraction;
* lockbox couriers are properly identified prior to granting them access to taxpayer data and receipts; and
* employees have received favorable results on fingerprint checks before they are granted access to taxpayer data and receipts.

Response: We agree we need to continually monitor lockbox banks' adherence to internal controls. We will reinforce the stringent adherence to the internal controls guidelines through our on-going oversight activity and frequent communication with responsible bank officials. A team of IRS and FMS security experts and representatives of IRS Headquarters Revenue Section will make announced and unannounced onsite reviews of lockbox sites. These onsite reviews will verify adherence to the existing security and internal control requirements.
As part of the preparation for announced security reviews, the FMS requires the banks have building maintenance personnel, security vendors, security equipment technicians, and key facility personnel present during the review to fix as many identified security weaknesses as possible while the review team is present. This is a standard practice that has resulted in many on the spot corrections that ensure improvements are completed quickly.

Recommendation 3(b): Revise the lockbox processing guidelines to require that:

* before lockbox couriers receive access to taxpayer data and receipts they undergo and receive favorable results on background investigations that are deemed appropriate by IRS and are consistent across lockbox banks;
* before permanent lockbox bank employees receive access to taxpayer data and receipts they undergo and receive favorable results on background investigations that are deemed appropriate by IRS and are consistent across lockbox banks;
* lockbox bank guards inspect courier vehicles for unauthorized passengers and unlocked doors;
* candling procedures for the various types of extraction methods be clarified;
* during candling, lockbox bank employees record which machines and which extraction clerks missed items;
* lockbox bank management reconcile cash payments to internal cash logs and the cash logs they provide to the IRS; and
* lockbox employees immediately seek processing guidance from the lockbox coordinator if envelopes with timely postmark dates are received after the postmark review period has ended.

Response: We agree and will modify the lockbox processing guidelines to improve consistency standards and clarify instructions based on the observations in this recommendation. We will issue "Lockbox Alerts" to all LPG users for the last five recommendations. We will complete this by February 1, 2003. We will need additional coordination efforts to address the two recommendations on background investigations.
We will try to resolve these two recommendations by October 1, 2003.

Recommendation 4: Because IRS and FMS must decide before 2007 whether to continue using lockbox banks to process tax receipts or to return the function to IRS, we recommend to the Secretary of the Treasury that a study be done in time (1) for its findings to be considered in the decision-making process and (2) to make any improvements to lockbox processing that the study indicates are necessary or to return the processing to IRS. Regardless of the type of analysis chosen, we recommend that the Secretary of the Treasury:

* clearly define the type of analysis being done and why, and follow through to identify and analyze costs and benefits relevant to the type of analysis,
* consider the opportunity cost associated with the proposed investment in using lockbox banks to accelerate the deposit of tax receipts, and
* include the direct costs associated with the oversight, risk reduction, and non-Form 1040 tax receipts.

Response: We agree that an analysis should be completed in order to make a sound business decision. The latitude your recommendation gives to us on how best to design an analysis will allow us to recognize the advances taking place in cash management and remittance processing. These advances and changes being made due to the IRS modernization will impact our operating environment and must be considered when determining the appropriate design and rigor of the analysis. The IRS and the FMS will collaborate on an analysis design and complete the analysis in advance of the expiration of the current lockbox agreements (Designation of Financial Agent Agreements). This plan will provide the basis for decisions on how best to satisfy the IRS's remittance processing needs after 2007.

Again, we appreciate your observations and recommendations.
If you have questions or comments, please call Floyd Williams, IRS, Director, Office of Legislative Affairs, at (202) 622-3720 or Alvina McHale, FMS, Director, Office of Legislative and Public Affairs, at (202) 874-6740.

Sincerely,

Bob Wenzel, Acting Commissioner, Internal Revenue Service
Signed by Bob Wenzel

Richard L. Gregg, Commissioner, Financial Management Service
Signed by Richard L. Gregg

The following are GAO's comments on the Department of the Treasury's letter dated December 20, 2002.

GAO Comments:

1. See "Agency Comments and Our Evaluation" section.

2. IRS and FMS indicated the need for one technical clarification regarding our use of the terms "contracts," "contractor," and "contractual agreements" with respect to lockbox banks and recommended that we delete all references to "contracts" and "contractors." IRS and FMS stated that when lockbox banks perform services for IRS, they act in a financial agent capacity on behalf of Treasury and that this function does not constitute a procurement or contract within the meaning of the Federal Property and Administrative Services Act or the Federal Acquisition Regulation (FAR). We recognize that the lockbox agreements are not procurements for purposes of the act or the FAR, but we did not change the language used in the report for ease of reference. It should be noted that Treasury also uses contract terminology in discussing lockbox agreements.
Specifically, the Treasury Financial Manual gives FMS "the exclusive authority to contract for lockbox services with the selected bank and the agency" and further states that "an agency is prohibited from entering into new contractual agreements — without the prior approval of FMS." In addition, in the IRM, IRS defines a lockbox depositary agreement as a "contractual agreement signed by IRS, FMS and the Lockbox that provides the requirements of the activities performed as the commercial depositories." Our use of contract terminology in this report is consistent with Treasury's use of such terminology in the TFM and the IRM. We did add a footnote (see footnote 2) to clarify that while the agreements with the lockbox banks are legally binding, they are not procurements subject to the provisions of the Federal Property and Administrative Services Act or the FAR, and to indicate that we use the terms "contracts" and "contractors" in the report for ease of reference.

[End of section]

Appendix IV: GAO Contacts and Staff Acknowledgments:

GAO Contacts: Steve Sebastian (202) 512-3406; Mike Brostek (202) 512-9110

Acknowledgments: In addition to those named above, Larry Dandridge, Marshall Hamlett, Aaron Holling, Jeffrey Jacobson, Casey Keplinger, Laurie King, Delores Lee, Yola Lewis, Larry Malenich, Julia Matta, Tom Short, and Esther Tepper made key contributions to this report.

FOOTNOTES

[1] Business and individual taxpayers use the Electronic Federal Tax Payment System (EFTPS) to pay taxes. EFTPS is an electronic system managed by two financial agent banks chosen by the Department of the Treasury.

[2] Pursuant to 12 U.S.C. 265 and other authorities, the Secretary of the Treasury has authority to designate financial institutions as depositaries and financial agents of the U.S. government to perform certain financial services, including lockbox services.
These agreements are legally binding but are not considered procurements subject to the provisions of the Federal Property and Administrative Services Act (41 U.S.C. §§ 251-260) or the Federal Acquisition Regulation (FAR). In this report, we refer to them as contractual agreements and use the terms "contracts" and "contractors" for ease of reference.

[3] See U.S. General Accounting Office, Internal Revenue Service: Progress Made, but Further Actions Needed to Improve Financial Management, GAO-02-35 (Washington, D.C.: Oct. 19, 2001); U.S. Department of the Treasury, Treasury Inspector General for Tax Administration, Nationwide Guidelines and Controls for Lockbox Banks Need Further Improvement, 2002-30-180 (Washington, D.C.: Sept. 18, 2002).

[4] Lockbox collection services are recognized by 31 U.S.C. 3720(a) as a procedure executive agencies may use to comply with requirements for the collection and timely deposit of funds.

[5] Unprocessable receipts are tax receipts that lack adequate information, such as taxpayer identification numbers, to be processed by the lockbox bank and are forwarded to IRS Submission Processing Centers for further research.

[6] The lockbox agreements entered into in 1993 took effect in calendar year 1994. The agreements had 5-year terms and allowed for two 1-year extensions. After both 1-year extensions were exercised, the agreements were extended by FMS for an additional 8 months.

[7] The four banks operate at a total of nine locations. Because two of the locations have 2 sites each--1 for individual returns and 1 for business returns--there are a total of 11 lockbox sites.

[8] Each lockbox site is assigned a lockbox coordinator from the IRS Submission Processing Center for which it processes tax payments. The coordinator is primarily responsible for ensuring that his or her designated lockbox promptly deposits tax payments.
The coordinator is also responsible for performing compliance and quality reviews and for coordinating lockbox oversight and operating activities between lockbox management, FMS, and IRS National Office and the Submission Processing Center.

[9] U.S. Department of the Treasury, Internal Revenue Service, Evaluation of Alternative Systems for Collecting Form 1040 Estimated Tax Payments (Washington, D.C.: May 1988).

[10] U.S. Department of the Treasury, Office of Inspector General, Review of the Effectiveness of Using Commercial Bank Lockboxes for Federal Income Tax Payments, OIG-98-097 (Washington, D.C.: Aug. 20, 1998).

[11] IRS/FMS Joint Taskforce, 1040 Tax Payment Comparative Cost Benefit Study (Washington, D.C.: August 1999).

[12] The IRM is IRS's internal operating manual that sets forth the agency's various operating policies and procedures.

[13] The program completion date is the date by which the banks must finish processing all tax receipts associated with the April peak processing period and when they return to the nonpeak workload requirement to process each receipt within 24 hours of receiving it.

[14] One violation remained, which was to be corrected when the bank moved into a new facility in December 2000.

[15] OIG 98-097.

[16] A seeding program is a control procedure used by bank management to discourage and detect employee theft. Bank managers or TIGTA place cash or checks with blank payee names among IRS tax payments without the employees' knowledge and closely monitor employees to determine whether they steal the cash or checks or promptly report their discovery to bank managers.

[17] Candling is a process that uses a light source to determine if any contents remain in envelopes before their destruction. Items found during candling must be recorded on a log.

[18] U.S. General Accounting Office, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[19] Taxpayer data on tax forms could include taxpayer name, social security number, and address.

[20] This is in addition to the approximately $1.2 billion in receipts that were lost or destroyed at the Pittsburgh site.

[21] GAO-02-35.

[22] Volume 1, Part 6, Section 8025.30 Collection Mechanisms.

[23] IRS would pay for $60.3 million of this cost out of its budget; FMS would use Treasury Time Balances (TTB) to compensate the banks for the remaining $84.5 million. TTBs are deposited in lockbox banks and the interest that banks earn on those deposits is their compensation. We did not analyze these funding sources. The estimated federal funds rate used for this study was 5 percent.

[24] The $84.5 million of funding provided by FMS through TTBs could not be reallocated to other IRS activities because Treasury permits TTBs to be used solely to pay for depository services that expedite deposits to the Treasury.

[25] U.S. General Accounting Office, Financial Audit: IRS's Fiscal Years 2002 and 2001 Financial Statements, GAO-03-243 (Washington, D.C.: Nov. 15, 2002).

[26] If IRS and FMS chose the internal processing alternative, the federal government would have lost the estimated $100.5 million in interest earnings but would have saved the $84.5 million paid through the TTBs and an additional $4.4 million from IRS's budget. This choice would have been better from a federal budget standpoint as long as IRS generated at least $16 million (the difference between $100.5 million and $84.5 million) by investing the $4.4 million elsewhere.

[27] The study did not consider whether lockbox banks instead of IRS should process certain types of forms, or whether lockbox banks should process all or none of the forms.

[28] See OMB, Circular A-94 Revised, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs (Washington, D.C.: Oct. 29, 1992), section 6; and OMB, Circular A-130, Management of Federal Information Resources (Washington, D.C.: Nov. 30, 2000), section 7.
[29] A cost-benefit analysis estimates the discounted values of the expected benefits and costs of an investment or program and then subtracts the costs from the benefits to determine the net present value (NPV). The costs and benefits associated with an investment or program are typically spread over many years. Discounting (the computation of present values) is necessary to reflect the fact that a dollar of benefit or cost in a future year is worth less than a dollar of benefit or cost in the current year. Programs with larger positive NPVs are generally preferred over those with smaller or negative NPVs.

[30] Some or all of the interest loss actually may be incurred by the taxpayers' banks.

[31] A cost-effectiveness analysis is used to determine the least-cost approach for achieving a specified objective. This analysis does not provide a justification for pursuing the objective but simply identifies the best approach after deciding on the objective. A fundamental characteristic of a cost-effectiveness analysis is that the specified objective does not vary across alternatives being compared.

[32] The contractor concluded that lockbox banks processed tax receipts on average 2 days faster than IRS. However, IRS and FMS revised the 2-day lockbox advantage in each of the three scenarios in the 1999 study on the basis of assumptions, such as a promise by the lockbox banks to compress processing by 1 day. See appendix II for further explanation of the three scenarios that IRS and FMS used in the 1999 study.

[33] Unlike the previous example, this location did not use an automated entry system to control access to the processing area. Instead, temporary employees were manually issued access badges and name tags each day.

[34] One of these locations also maintained a monitor at the guard station. However, the monitor only surveyed activity at the parking lot and docking area. The monitor used to survey the processing floor was maintained at the site manager's office.
[35] Based on the LPGs, the first candling occurs when envelopes are processed through the mail extraction machines. The second required candling occurs on the lighted table used to perform candling.

[36] This location candled their envelopes twice even though they used the advanced mail extraction machine.

[37] Form 9535 is the Record of Lockbox Discovered Remittance and Correspondence. A discovered remittance is a tax receipt discovered outside the normal check processing operation, such as during candling.

[38] U.S. General Accounting Office, Management Report: Improvements Needed in IRS's Accounting Procedures and Internal Controls, GAO-02-746R (Washington D.C.: July 18, 2002).

[39] An extraction clerk is an individual responsible for manually extracting contents from envelopes. Due to the nature of the work, extraction clerks are among the first individuals who handle tax data and receipts at lockbox sites.

[40] GAO-02-35.

[41] TIGTA 2002-30-127.

[42] TIGTA 2002-30-127.

[43] GAO-02-35.

[44] TIGTA 2002-30-180.

[45] Internal Revenue Service, Cost Estimate Reference, Document 6746, revision November 1998.

[46] We made no attempt to analyze IRS's data collection systems that support the data in the cost guide.

GAO's Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet.
