TIGTA Recommends IRS Improve Wireless Device Inventory Control

IMPACT ON TAXPAYERS

In Fiscal Year 2013, the IRS spent more than $13.7 million on wireless telecommunication devices and maintained an inventory of more than 49,000 devices reported as being in use. Effective controls over the assignment of and inventory accounting for these devices is important to ensure proper stewardship of Government funds.

WHY TIGTA DID THE AUDIT

TIGTA's previous work found that IRS processes for assigning and monitoring the use of devices were not adequate to ensure that employees have a business need for the devices. In addition, prior work found that the IRS paid for thousands of devices that were unused. The overall objective of this review was to assess the efficiency and effectiveness of the IRS's inventory control for wireless aircards, cellular phones, and BlackBerry® smartphone devices.

WHAT TIGTA FOUND

Inventory controls over wireless devices could be improved. Federal guidance requires the IRS to assess current device inventories and usage and establish controls to ensure that the IRS is not paying for unused or underutilized devices. TIGTA found that more than 94 percent of IRS employees were appropriately assigned a BlackBerry smartphone, cellular phone, or wireless aircard device, while almost 6 percent were in positions that the IRS had not designated as eligible for the device. However, the IRS's systems of record designed to document wireless device inventory were not consistently updated as changes occurred, which resulted in almost 57 percent of inventory records being inaccurate. For example, serial numbers, barcodes, and telephone numbers were not accurately documented in inventory records.

Ineffective inventory controls resulted in unsupported and duplicate service fees. Specifically, according to monthly vendor billing statements, TIGTA found that the IRS paid monthly service fees for almost 6,800 wireless devices that were not captured in inventory records and for more than 700 employees who had multiple wireless devices that perform the same function. Due to weaknesses in controls, including the thousands of unaccounted for devices, the IRS risks paying service fees for devices that are not authorized, not in use, or duplicative.

WHAT TIGTA RECOMMENDED

TIGTA made several recommendations to improve IRS inventory controls. For example, TIGTA recommended that the IRS perform an inventory reconciliation to ensure that records reflect the correct status of each device. TIGTA also recommended that the IRS implement an inventory process for wireless pagers and consider conducting reconciliations of monthly billing statements to identify users with service fees for devices not in inventory.

In their response, IRS management agreed with the recommendations and stated that they plan to take corrective actions contingent upon funding availability.

Management's complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Gregory D. Kutz, Assistant Inspector General for Audit, (Management Services and Exempt Organizations).

                    Table of Contents

A 2011 Executive Order⁶ required Federal agencies to assess current device inventories and usage and establish controls to ensure that they are not paying for unused or underutilized information technology equipment, installed software, or services. In addition, Office of Management and Budget Circular A-123⁷ requires general management control standards that provide reasonable assurance that assets are safeguarded against waste, loss, and unauthorized use.

In a prior audit,⁸ we found that the IRS's processes for assigning and monitoring the use of wireless aircards and BlackBerry smartphones were not adequate to ensure that employees have a business need for the devices. Specifically, in our prior work, we reviewed the list of positions the IRS designated as positions in which job duties justified the need for a wireless device and found that some positions did not involve situations in which a wireless device was needed. Our prior work also reviewed usage reports and found thousands of devices that went months without any use, resulting in the IRS wasting funds on devices with no activity. In our prior work, we noted our plans to perform an audit of inventory controls due to concerns identified.

The IRS's Information Technology (IT) organization is responsible for establishing policies and procedures for the management and control of information technology equipment. Within the IT organization, the User and Network Services (UNS) office is responsible for supplying, maintaining, and managing security over wireless devices. The UNS office is also responsible for the accounting and recording of all information technology property and annually certifying the IRS's information technology inventory. To facilitate the inventory process, the IRS uses the Knowledge, Incident/Problem, Service, Asset Management -- Asset Manager (KISAM-AM) to maintain a complete inventory of all information technology assets.⁹ The KISAM-AM is the authoritative source for all hardware asset management and inventory information within the IRS and supersedes all other inventory data sources. CI maintains its own inventory records outside of the KISAM-AM for cellular phones issued to its employees, and CI is responsible for performing an annual certification of cellular phone devices that it inventories. Wireless aircards and BlackBerry smartphones assigned to CI personnel are contained within the IT organization inventory database KISAM-AM.

In order for an employee to obtain an IRS wireless device, IRS guidance¹⁰ requires employees to be in specific positions designated by the IRS that have a need for a wireless telecommunication device based on eligibility factors determined by the IRS and negotiations with the National Treasury Employees Union when applicable.¹¹ Generally, positions eligible for a wireless device include senior executives, management, and employees who, in the normal course of their duties, have the need for but do not have immediate access to Government telephones or Internet access.

This review was performed with information obtained from the IRS's CI Headquarters in Washington, D.C., and in the IT organization Headquarters in Lanham, Maryland, in the UNS office during the period August 2013 through April 2014. We also performed 97 in-person inventory verifications at IRS offices located in 14 States and the District of Columbia. Appendix V provides a list of the States and the specific cities where the verifications were performed. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Our review of a statistical sample of 200 devices listed in inventory as of December 2013 revealed that 180 devices were appropriately assigned to IRS employees, while 20 devices were assigned to employees who were in positions that the IRS had not designated as eligible for a device in its eligibility database. While a majority of sampled devices were appropriately assigned to employees whose positions were designated as eligible for the assigned device, we estimate that 5.54 percent¹² of all wireless devices were assigned to IRS employees who were not in positions the IRS had designated as eligible for a wireless device. Specifically, three BlackBerry smartphone, nine IRS cellular phone, and eight CI cellular phone users¹³ from our sample occupied positions that were not designated as eligible for their device and did not have an exception on file. All wireless aircard users from our sample were in positions the IRS had designated as eligible. IRS guidance requires employees to occupy certain jobs in order to be eligible for the use of a wireless telecommunication device. Jobs are designated as eligible for wireless devices based on factors determined by the IRS and negotiations with the National Treasury Employees Union when applicable. The employee's eligibility is documented in an IT organization database. Figure 1 provides an overview of the standard position eligibility criteria for BlackBerry smartphones, cellular phones, and wireless aircards.

            Figure 1: Wireless Device Eligibility Criteria

Inventory records did not match employee devices

Our review of a statistical sample of 200 devices listed in inventory as in use as of December 2013 found errors in inventory records for 67 devices because inventory records were not updated as changes occurred. IRM standards¹⁶ require all offices to conduct an inventory of information technology equipment and certify the completion of inventory each fiscal year in order to locate and verify the existence of controlled assets and verify and confirm the accuracy of key KISAM-AM fields. CI, which maintains its own inventory records of CI cellular phones, is also required to complete an annual certification process for its devices. BlackBerry smartphones assigned to CI employees are inventoried and controlled by CI within the KISAM-AM. Wireless aircards assigned to CI employees are inventoried and controlled with the rest of the IRS's wireless aircards.

For our stratified random sample of 200 devices, we conducted in-person and remote verifications of inventory records to the actual device, and we tested the device's functionality.¹⁷ Sixty-seven of the 200 sampled devices were not accurately recorded in inventory due to errors such as inaccurate identifiers, devices that were returned or lost but listed as in use in inventory, and devices listed in inventory as in use that were not in service.¹⁸ Devices with inaccurate identifiers included instances in which the barcode, serial number, or phone number listed in inventory records did not match the actual device. We could not determine the accuracy of inventory for 15 of 200 devices due to the device identifiers on the physical device being worn to illegibility and due to some devices being replaced between the time that we received the inventory extract and the time that we conducted our verification.¹⁹ Figure 2 presents our overall testing results for the sampled devices.

               Figure 2: Inventory Verification Results

 

Figure 3: Inventory Verification Results

 

by Device Type²⁴

 

 

 

The IRS does not have an effective process to update inventory records as changes occur. The IRS Mobile Devices Program Management Office reorganized in May 2013, and according to the IRS, has been working towards reducing redundancy, reevaluating policies and procedures, and promoting good customer service. UNS office personnel acknowledged that cellular phone and wireless aircard inventory errors are due in part to the discontinuation in May 2013 of a monthly data refresh process that used information from monthly service provider reports to update KISAM-AM inventory records. Also, updates to BlackBerry smartphone inventory records currently rely on a process that requires IT organization personnel to report changes in device status using an electronic change submission process. During our review, we found that two of the four BlackBerry smartphone users we identified with inaccurate inventory records did not have a change request on file to report that they had turned in a device. As such, the electronic change submission process is only as reliable as the personnel filling out the report. We found that errors in CI cellular phone records were due to the fact that CI does not have an effective process to update inventory records monthly or as changes occur. Instead, CI updates its cellular phone inventory records at the end of each fiscal year, when it completes its annual cellular phone inventory certification.

Despite the errors in inventory records for 67 of the 200 sampled devices, we did not identify instances in which the IRS paid for service on a device that was no longer in use or replaced by another device. However, the IRS needs to continue to take appropriate measures to ensure that the data maintained in the inventory systems accurately reflect the devices assigned to employees. Without an effective inventory management system, the IRS may not be able to consistently verify information technology and identify wireless users, and thus risks paying service fees for devices that are not authorized, not in use, or unnecessary.

Wireless pagers are not inventoried

The IRS does not have a process in place to account for almost 1,200 wireless pager users. According to UNS office records, the IRS paid service fees for 1,153 pagers in FY 2013 but did not certify the use of those devices as required. IRM standards require all users of wireless pagers to complete a validation process annually or upon receipt of a newly assigned wireless pager, replacement wireless pager, pager number change, or service provider change.²⁵ The UNS office is responsible for overseeing the validation process; however, discussions with UNS office management revealed that it does not have a process to identify what users have access to a wireless pager.

Although the number of wireless pagers represents only a small part of all wireless devices, the absence of an inventory and certification process for pagers affects the reliability of inventory data and the IRS's ability to ensure that the devices are issued to only employees with a business need. The lack of an inventory and certification process also prevents the IRS from verifying the service fees billed for these devices. Further, we were unable to perform testing of wireless pagers to evaluate the potential for existing waste or misuse because wireless pager users could not be identified. As a result, in FY 2013, the IRS spent more than $230,000 in service fees for 1,153 wireless pagers without any assurance that it was paying for devices that were necessary or in use by IRS employees.

In January 2014, subsequent to the start of our audit, the UNS Mobile Device Program Office initiated the first ever validation process of wireless pagers facilitated by the service provider at no cost to the IRS. The service provider issued a mass page to all pager users requesting responses to a common number and mailbox. IRS officials are in the process of evaluating the responses. They will decide whether to disconnect or return pagers, and reevaluate the use of pagers within the IRS to determine the need to continue pager service.

Recommendations

Recommendation 1: The Chief Technology Officer should perform an inventory reconciliation with device holders to ensure that inventory records reflect the correct status of each device and that device holders are eligible to possess the device, and develop a process to periodically reperform the reconciliation to ensure that inventory records remain accurate.

Ineffective inventory controls resulted in unverified and duplicate service fees. Specifically, according to monthly billing statements, we found the IRS paid monthly service fees for almost 6,800 wireless devices that were not captured in inventory records and for more than 700 employees who had multiple wireless devices that perform the same function. In addition, the IRS does not currently account for lost or stolen cellular phones or wireless aircards, and it did not follow proper procedures to document some BlackBerry smartphones that were reported as lost or stolen. Office of Management and Budget Circular A-123 requires general management control standards that provide reasonable assurance that assets are safeguarded against waste, loss, and unauthorized use. However, weaknesses in IRS inventory controls resulted in the IRS paying service fees for devices with no corresponding inventory record, putting the IRS at risk of spending thousands of dollars on devices that are not in use.

Some wireless devices for which the IRS paid monthly service fees were not inventoried

The IRS paid monthly service fees for almost 6,800 wireless devices that were not captured in inventory records. In September 2013, the IRS paid more than $1.1 million in monthly service fees for more than 40,300 BlackBerry smartphones, cellular phones, and wireless aircards. We compared September 2013 vendor billing statements to inventory records and determined that almost 6,800 devices (almost 17 percent) of the more than 40,300 devices the IRS paid for were not recorded in IRS inventory records as of December 2013. IRM standards require that all information technology equipment, including BlackBerry smartphones, cellular phones, and wireless aircards, be inventoried and certified on an annual basis in KISAM-AM and CI's cellular phone inventory records.²⁶ IRS guidance states that maintaining the accuracy and completeness of all IRS assets in the KISAM-AM is critical to achieving IRS-wide goals. Figure 4 lists the devices that were included in IRS and CI September 2013 billing statements that were not listed in KISAM-AM or CI's inventory records.²⁷

        Figure 4: September 2013 Payments for Wireless Devices

Because these devices are not tracked in inventory, the IRS does not have assurance that the employees using them have a valid business need. While service fees associated with almost 6,800 devices may be justifiable, the IRS is not in a position to determine which fees are valid because inventory and billing records cannot be reconciled. The total monthly cost of the specific devices that were billed but not listed in inventory was $165,376 in September 2013. The annualized cost equates to nearly $2 million²⁸ in service fees for devices that were not inventoried in FY 2013.

Employees accrued multiple monthly service fees for similar devices

According to monthly billing statements, the IRS paid monthly service fees for more than 700 employees who had multiple wireless devices. Specifically, our analysis of IRS September 2013 wireless billing statements revealed that the IRS spent more than $34,000 in monthly service fees for 635 users who were associated with between two and five wireless devices, and during the same month, CI spent more than $6,000 in monthly service fees for 92 users who were associated with between two and 11 devices.²⁹ IRM standards³⁰ stipulate that employees are not authorized to have multiple wireless devices unless a business justification can be obtained and approved.³¹

             Figure 5: September 2013 Monthly Service Fees

Based on the average monthly service fee of $60 for a BlackBerry smartphone, $24 for a cellular phone, and $21 for a wireless aircard, and the average monthly service fee of $39 for a CI BlackBerry smartphone or cellular phone, we estimate that the allowable monthly service costs if these employees were issued only one device would have been almost $24,000. The additional cost incurred by the IRS due to employees being charged monthly service fees for multiple devices was almost $17,000, which represents potential inefficient use of resources in the month of September 2013.³⁴ The total excess cost for the additional devices performing the same function was $16,559 in September 2013. Annualized, this amounts to nearly $199,000³⁵ in excess annual service fees for users with multiple devices that perform the same function in FY 2013.

Lost and stolen wireless devices were not documented

The IRS does not document lost or stolen cellular phones or aircards, and it did not properly document BlackBerry smartphones that were reported lost or stolen. The UNS office provided a list of 67 BlackBerry smartphone devices reported as lost or stolen in FYs 2011, 2012, and 2013. We reviewed incident reports for a judgmental sample³⁶ of 20 of the 67 devices based on the locations with the highest number of devices reported lost or stolen during the time period. We determined that six of the 20 devices we selected did not have an incident report as required.

IRM standards require that if a cellular phone is lost or stolen, the vendor should be contacted so that service may be suspended, and the lost or stolen equipment should be reported to the local security officer, with whom an incident report must be filed.³⁷ The employee, manager, and security officer must sign the report and a copy of the report must be provided to the local IT organization point of contact and the UNS office before a replacement can be issued.

The IRS does not consider cellular phones or wireless aircards to be assets because the wireless service providers provide the devices to the IRS at no cost; therefore, the UNS office does not track whether cellular phones or wireless aircards are reported lost or stolen. The IRS does consider BlackBerry smartphones to be assets, and the UNS office did document those BlackBerry smartphones that were reported lost or stolen. However, employees did not timely fill out the required incident report after reporting the device as lost or stolen to the UNS office. The IRS is unable to track whether employees may be misusing their devices, resulting in multiple lost or stolen devices per employee, because it does not track lost or stolen cellular phones and wireless aircards and does not maintain complete records of incident reports for lost or stolen BlackBerry smartphones.

Recommendations

Recommendation 4: The Chief Technology Officer should implement a process to reconcile monthly wireless service provider billing statements to its inventory records to ensure that the IRS can account for all devices for which it pays a monthly service fee.

² The IRS has distributed a limited number of iPhones,® iPads,® Android® tablets, Android smartphones, and satellite phones to its employees as part of a pilot demonstration. Due to the limited number in use, we did not include these devices in the scope of testing. In addition, we were unable to perform testing on pagers because the IRS does not keep inventory records of pagers issued to employees.

³ As of December 2013, IRS inventory records included almost 64,000 devices. In addition, the IRS also paid monthly service fees for almost 1,200 pagers but did not maintain inventory records for the pagers. Of those devices, more than 49,000 devices were listed as in use, meaning they had active service on the device. Although the records for wireless pagers and CI's cellular phones did not indicate which devices were in use, we included them in the total number of in use devices because it is likely that those devices had active service.

⁴ Any yearly accounting period, regardless of its relationship to a calendar year. The Federal Government's fiscal year begins on October 1 and ends on September 30.

⁵ The wireless provider does not separate its bills for CI cellular phones and BlackBerry smartphones.

⁶ Exec. Order No. 13589, 3 C.F.R. § 13589 (2011).

⁷ Office of Management and Budget, OMB Circular No. A-123 (Revised), Management's Responsibility for Internal Control (Dec. 2004).

⁸ Treasury Inspector General for Tax Administration, Ref. No. 2013-10-010, Inadequate Aircard and BlackBerry Smartphone Assignment and Monitoring Processes Result in Millions of Dollars in Unnecessary Access Fees (Jan. 2013).

⁹ The IRS does not consider wireless aircards, cellular phones, and pagers to be assets, but for purposes of this report we refer to all wireless devices (BlackBerry smartphones, wireless aircards, cellular phones, and pagers) as assets because the device service fees for each of these devices represent a cost to the IRS.

¹⁰ Memorandum of Understanding Between the National Treasury Employees Union and the IRS Regarding the Standardization of Information Technology Equipment Profiles (June 2010).

¹¹ Employees may apply for an exception through their manager when their position does not meet the standard eligibility criteria but the employee has a legitimate business need for a device. Business System Planners review all exception requests for wireless devices and update the IT organization database to reflect the change in status for approved exceptions.

¹² We selected a stratified random sample of 200 wireless technology devices, stratified by device type in groups of 50 each of BlackBerry smartphones, wireless aircards, IRS cellular phones, and CI cellular phones in order to give equal attention to each device type. The point estimate projection is based on the overall stratified random sample. We are 95 percent confident that the true error rate is between 2.81 percent and 8.28 percent.

¹³ We sampled from CI cellular phone users separately because CI maintains its own inventory records for cellular phones. One of the eight CI cellular phone users was in a position that CI had requested be listed as eligible in the IRS eligibility database. However, the database was not updated to reflect the position as eligible for the device.

¹⁴ IRM 2.13.6.2.3, Wireless Aircards (July 23, 2013).

¹⁵ IRM 2.13.6.2.1, Cellular Phones (July 23, 2013) and IRM 2.13.6.2, Wireless Communications (July 23, 2013).

¹⁶ IRM 2.14.1.13.19.4, Inventory Reconciliation (Nov. 8, 2011).

¹⁷ We conducted 97 in-person verifications for devices from our sample. In addition, 103 remote verifications were performed by having the employee capture and provide us with an image of the device serial number and barcode. We tested the device functionality for BlackBerry smartphones and cellular phones by calling the device telephone number and confirming that the employee answered the device or confirming that the voice mail was associated with the sampled employee for both in-person and remote verifications.

¹⁸ Devices not in service were listed as in use per IRS inventory records, but the device actually had no service. The IRS was not paying a service fee for the device, but inventory records did not reflect that the device was no longer in use.

¹⁹ The IRS provided an extract of its wireless inventory records as of December 2013; however, we conducted verifications of the inventory records from December 2013 through March 2014. We could not determine whether inventory records were accurate as of the December 2013 inventory record extract when employee wireless devices were replaced between December 2013 and the date of our inventory verification.

²⁰ The point estimate projection is based on the stratified random sample. The 15 sample cases in which the accuracy of the inventory record could not be determined were omitted from the sample. We are 95 percent confident that the true error rate is between 48.24 percent and 65.33 percent. Sample errors from each device type count differently toward the calculation of the overall error rate because there are significantly more of certain devices (e.g., 28,988 wireless aircards but only 6,383 BlackBerry smartphones).

²¹ The point estimate projection is based on the remaining sample of 44 wireless aircards. We are 95 percent confident that the true error rate is between 59.60 percent and 86.80 percent.

²² The point estimate projection is based on the remaining sample of 48 IRS cellular phones. We are 95 percent confident that the true error rate is between 27.60 percent and 56.80 percent.

²³ The point estimate projection is based on the remaining sample of 46 BlackBerry smartphones. We are 95 percent confident that the true error rate is between 2.42 percent and 20.80 percent.

²⁴ Figure 3 exhibits pie charts representing the verification results by device type for 185 of the 200 sampled wireless devices. We were unable to verify identifying information for the remaining 15 devices in our sample.

²⁵ IRM 2.13.6.2.2.8, Yearly Validation (July 23, 2013).

²⁶ IRM 2.14.1, Asset Management, Information Technology Asset Management (Nov. 8, 2011).

²⁷ CI pays for its BlackBerry smartphones and cellular phones separately from the rest of the IRS, and because CI BlackBerry smartphone and cellular phone service charges are on a single billing statement, we were unable to distinguish between a CI BlackBerry smartphone and a CI cellular phone for the purposes of our analysis.

²⁸ See Appendix IV. The one-year estimate is based on multiplying the base month by 12 and assumes, among other considerations, that cellular phone usage patterns and service fees were substantially the same over the fiscal year. This number represents potential funds put to better use until the IRS actually reconciles inventory and billing records.

²⁹ According to CI, its personnel may need multiple devices for investigative purposes.

³⁰ IRM 2.13.6.2.1, Cellular Phones (July 23, 2013).

³¹ An employee may have a cellular phone and a non-voice-activated BlackBerry, to be used for data only, but may not have two devices with voice capabilities. We accounted for this exception in our analysis. In addition, we did not consider it an error if we identified an employee who had a wireless aircard and a BlackBerry smartphone or cellular phone.

³² There were five users that appeared in the multiple cellular phone analysis and the combination analysis. Due to the overlap, we counted those five users and the cost of the multiple devices in only the combination of BlackBerry smartphone and cellular phone results.

³³ CI monthly billing statements combine monthly service fees for cellular phones and BlackBerry smartphones, so we were unable to differentiate between the device types assigned to the 92 employees with multiple devices.

³⁴ See Appendix IV. Because we cannot determine which single device the user should have been assigned, we used the average monthly cost of BlackBerry smartphones ($60), cellular phones ($24), and wireless aircards ($21), and used the average monthly service cost for CI BlackBerry smartphones and cellular phones ($39) to estimate the allowed monthly cost and excess monthly cost.

³⁵ See Appendix IV. The one-year estimate is based on multiplying the base month by 12 and assumes, among other considerations, that cellular phone usage patterns and service fees were substantially the same over the fiscal year.

³⁶ A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

³⁷ IRM 2.13.6, Information Technology, Enterprise Networks, Wireless Communications (July 23, 2013).

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined that the following internal controls were relevant to our audit objective: IRS policies, procedures, and practices for assigning and inventory accounting for wireless telecommunications devices. We evaluated these controls by interviewing management and analysts responsible for executing the wireless program, reviewing applicable documentation, testing the effectiveness of the current wireless program controls, and testing additional areas of potential control weakness.

² We selected a random sample of 50 BlackBerry smartphones from a population of 6,383 listed as in use in inventory records as of November 2013. The point estimate projection is based on the remaining sample of 46 BlackBerry smartphones. We are 95 percent confident that the true error rate is between 2.42 percent and 20.80 percent.

³ We selected a random sample of 50 wireless aircards from a population of 28,988 listed as in use in inventory records as of December 2013. The point estimate projection is based on the remaining sample of 44 wireless aircards. We are 95 percent confident that the true error rate is between 59.60 percent and 86.80 percent.

⁴ We selected a random sample of 50 IRS cellular phones from a population of 11,574 listed as in use in inventory records as of December 2013. The point estimate projection is based on the remaining sample of 48 IRS cellular phones. We are 95 percent confident that the true error rate is between 27.60 percent and 56.80 percent.

⁵ We selected a random sample of 50 CI cellular phones from a population of 1,296 recorded in CI's inventory records as of November 2013. The point estimate projection is based on the remaining sample of 47 CI cellular phones. We are 95 percent confident that the true error rate is between 10.70 percent and 35.70 percent. Wireless aircards and BlackBerry smartphones assigned to CI personnel are contained within the overall IT organization inventory database.

Exempt Organizations)

Jonathan T. Meyer, Director

Deanna G. Lee, Audit Manager

Jamelle L. Pruden, Lead Auditor

Lara E. Phillippe, Senior Auditor

Trisa M. Brewer, Auditor

Office of the Commissioner -- Attn: Chief of Staff C

Deputy Commissioner for Operations Support OS

Deputy Commissioner for Services and Enforcement SE

Associate CIO, User and Network Services OS:CTO:UNS

Director, Technical Operations and Investigative Service SE:CI:TOIS

Director, Operations Service Support OS:CTO:UNS:OS

Director, Unified Communications OS:CTO:UNS:UC

Chief Counsel CC

National Taxpayer Advocate TA

Director, Office of Legislative Affairs CL:LA

Director, Office of Program Evaluation and Risk Analysis RAS:O

Office of Internal Control OS:CFO:CPIC:IC

Audit Liaisons:

Type and Value of Outcome Measure:

• Cost Savings: Funds Put to Better Use -- Potential; $2,183,220¹ for Fiscal Year 2013 (see page 10).

We compared September 2013 monthly vendor billing statements for BlackBerry smartphones, cellular phones, and wireless aircards to the KISAM-AM and CI cellular phone inventory records obtained in December 2013. Our criteria used to join the data sources were the standard employee identifier, IRS billing statements, and first and last name for CI billing statements. Our analysis identified 6,790 devices that were billed for service in September 2013 that were not in inventory as of December 2013. The total monthly cost of the specific devices that were billed but not listed in inventory was $165,376. This amounts to almost $2 million² in annual service fees for devices that were not inventoried. This number represents potential funds put to better use until the IRS actually reconciles inventory and billing records.

We also analyzed September 2013 monthly billing statements for BlackBerry smartphones, cellular phones, and wireless aircards to determine whether users were billed for multiple devices of the same type. Our criteria used to identify users with multiple service fees were the standard employee identifier for IRS billing statements and first and last name for CI billing statements. Our analysis identified 727 users who were billed for two or more devices that perform the same function. Because we could not determine which single device the user should have been assigned, we used the average monthly cost of BlackBerry smartphones ($60), cellular phones ($24), and wireless aircards ($21), and used the average monthly service cost for CI BlackBerry smartphones and cellular phones ($39) to estimate the allowed monthly cost and excess monthly cost. The total allowable monthly cost for the 727 users was $23,715, and the total excess cost for the additional devices performing the same function was $16,559 in September 2013. This amounts to almost $199,000³ in excess annual service fees for users with multiple devices that perform the same function.

² The one-year estimate is based on multiplying the base month by 12 and assumes, among other considerations, that cellular phone usage patterns and service fees were substantially the same over the fiscal year. The one-year estimate was rounded to the nearest hundred thousand.

³ The one-year estimate is based on multiplying the base month by 12 and assumes, among other considerations, that cellular phone usage patterns and service fees were substantially the same over the fiscal year. The one-year estimate was rounded to the nearest thousand.

Camarillo, Fresno, Laguna Niguel, Los Angeles, Oakland, San Diego, San Jose, San Mateo, San Rafael, Santa Rosa

Colorado

Denver

D.C.

Washington

Georgia

Atlanta, Chamblee

Kentucky

Covington

Maryland

Lanham, Oxon Hill

Massachusetts

Andover, Lowell, Stoneham

Missouri

Kansas City

New York

Holtsville, New York

Ohio

Cincinnati

Oklahoma

Oklahoma City, Tulsa

Pennsylvania

Philadelphia

Tennessee

Memphis

Texas

Dallas, Farmers Branch, Fort Worth, Houston, Longview

Utah

Ogden

In response to your recommendations, we have attached our corrective action plan. The IRS is in agreement with most of the recommendations provided by TIGTA and will take corrective actions contingent upon funding availability. However, we disagree with the outcome measure related to $2 million in service fees for devices that are not recorded in inventory and devices performing duplicate functions. The IRS has a monthly process to review and reconcile billed mobile usage for approved mobile users. This process assures payments are discontinued for devices not in use by approved users. Additionally, the IRS continues to enhance our device assessment and selection process as technology advances and intelligent devices perform dual functions. Our existing policy to evaluate mobile costs monthly provides controls to discontinue unnecessary service and/or devices.

We acknowledge that maintaining more accurate inventory records for devices will improve the efficiency and effectiveness of our mobile device program and we have already taken actions to implement many of the recommendations.

We value your continued support and the assistance your organization provides. If you have any questions, please contact me at (240) 613-9373 or a member of your staff may contact Lisa Starr, Senior Manager, Program Oversight Coordination at (240) 613-4219.

RECOMMENDATION #1:

The Chief Technology Officer should perform an inventory reconciliation with device holders to ensure that inventory records reflect the correct status of each device and that device holders are eligible to possess the device, and develop a process to periodically reperform the reconciliation to ensure that inventory records remain accurate.

CORRECTIVE ACTION #1:

The IRS agrees with this recommendation. The current IRS process reconciles monthly billing and usage reports to ensure that service fees apply to devices assigned to authorized users. Contingent upon funding availability, we will enhance the existing process to include reconciliation of inventory records.

IMPLEMENTATION DATE:

November 25, 2014

RESPONSIBLE OFFICIAL:

Associate Chief Information Officer, User & Network Services

RECOMMENDATION #2:

The Chief, CI, should consider enacting a process to update the system of CI cellular phone inventory records as changes occur.

CORRECTIVE ACTION #2:

The IRS agrees with this recommendation. The current standard operating procedures (SOP) for CI's cellular phone inventory will be updated to clarify the requirements of timely inventory updates. Guidance and the updated SOP for CI's cellular phone inventory will be sent to all Cellphone Coordinators in CI.

IMPLEMENTATION DATE:

December 15, 2014

RESPONSIBLE OFFICIAL:

Chief, Criminal Investigation

RECOMMENDATION #3:

The Chief Technology Officer should implement a process to identify pager users and reconcile with inventory records.

CORRECTIVE ACTION #3:

The IRS agrees with this recommendation. Contingent upon funding availability, the IRS will develop and implement procedures to identify active pager users and reconcile with inventory records.

IMPLEMENTATION DATE:

November 25, 2014

RESPONSIBLE OFFICIAL:

Associate Chief Information Officer, User & Network Services

RECOMMENDATION #4:

The Chief Technology Officer should implement a process to reconcile monthly wireless service provider billing statements to its inventory records to ensure that the IRS can account for all devices for which it pays a monthly service fee.

CORRECTIVE ACTION #4:

The IRS agrees with this recommendation. The current IRS process reconciles monthly billing and usage reports to ensure that service fees apply to devices assigned to authorized users. Contingent upon funding availability, we will enhance the existing process to include reconciliation of inventory records.

IMPLEMENTATION DATE:

November 25, 2014

RESPONSIBLE OFFICIAL:

Associate Chief Information Officer, User & Network Services

RECOMMENDATION #5:

The Chief Technology Officer should implement a review of monthly wireless service provider billing statements to determine whether the IRS is paying for employees to have wireless service on multiple devices that perform the same function without an approved business justification.

CORRECTIVE ACTION #5:

The IRS agrees with this recommendation. Contingent upon funding availability, the IRS will reinforce existing policy that requires business approval for all exceptions to the Enterprise Standardized Technology Portfolio to be documented and reconciled with monthly billing statements.

IMPLEMENTATION DATE:

November 25, 2014

RESPONSIBLE OFFICIAL:

Associate Chief Information Officer, User & Network Services

RECOMMENDATION #6:

The Chief, Cl, should implement a process to reconcile monthly wireless service provider billing statements to determine whether Cl can account for each device it pays a monthly service fee for in its inventory records.

CORRECTIVE ACTION #6:

The IRS agrees with this recommendation. We will develop and implement a process to ensure accuracy in matching monthly billing statements to inventory records.

IMPLEMENTATION DATE:

December 15, 2014

RESPONSIBLE OFFICIAL:

Chief, Criminal Investigation

RECOMMENDATION #7:

The Chief, CI, should implement a review of monthly wireless service provider billing statements to determine whether CI is paying for employees to have wireless service on multiple devices that perform the same function.

CORRECTIVE ACTION #7:

The IRS agrees with this recommendation. The form to request a wireless device will be modified to indicate that an additional device is being requested for the user and must include approval by management.

IMPLEMENTATION DATE:

December 15, 2014

RESPONSIBLE OFFICIAL:

Chief, Criminal Investigation