TIGTA Recommends IRS Improve Wireless Device Inventory Control
2014-10-075
- Institutional AuthorsTreasury Inspector General for Tax Administration
- Subject Area/Tax Topics
- Jurisdictions
- LanguageEnglish
- Tax Analysts Document NumberDoc 2014-26450
- Tax Analysts Electronic Citation2014 TNT 215-23
September 19, 2014
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
HIGHLIGHTS
Final Report issued on September 19, 2014
Highlights of Reference Number: 2014-10-075 to the Internal Revenue Service Chief, Criminal Investigation, and Chief Technology Officer.
IMPACT ON TAXPAYERS
In Fiscal Year 2013, the IRS spent more than $13.7 million on wireless telecommunication devices and maintained an inventory of more than 49,000 devices reported as being in use. Effective controls over the assignment of and inventory accounting for these devices is important to ensure proper stewardship of Government funds.
WHY TIGTA DID THE AUDIT
TIGTA's previous work found that IRS processes for assigning and monitoring the use of devices were not adequate to ensure that employees have a business need for the devices. In addition, prior work found that the IRS paid for thousands of devices that were unused. The overall objective of this review was to assess the efficiency and effectiveness of the IRS's inventory control for wireless aircards, cellular phones, and BlackBerry® smartphone devices.
WHAT TIGTA FOUND
Inventory controls over wireless devices could be improved. Federal guidance requires the IRS to assess current device inventories and usage and establish controls to ensure that the IRS is not paying for unused or underutilized devices. TIGTA found that more than 94 percent of IRS employees were appropriately assigned a BlackBerry smartphone, cellular phone, or wireless aircard device, while almost 6 percent were in positions that the IRS had not designated as eligible for the device. However, the IRS's systems of record designed to document wireless device inventory were not consistently updated as changes occurred, which resulted in almost 57 percent of inventory records being inaccurate. For example, serial numbers, barcodes, and telephone numbers were not accurately documented in inventory records.
Ineffective inventory controls resulted in unsupported and duplicate service fees. Specifically, according to monthly vendor billing statements, TIGTA found that the IRS paid monthly service fees for almost 6,800 wireless devices that were not captured in inventory records and for more than 700 employees who had multiple wireless devices that perform the same function. Due to weaknesses in controls, including the thousands of unaccounted for devices, the IRS risks paying service fees for devices that are not authorized, not in use, or duplicative.
WHAT TIGTA RECOMMENDED
TIGTA made several recommendations to improve IRS inventory controls. For example, TIGTA recommended that the IRS perform an inventory reconciliation to ensure that records reflect the correct status of each device. TIGTA also recommended that the IRS implement an inventory process for wireless pagers and consider conducting reconciliations of monthly billing statements to identify users with service fees for devices not in inventory.
In their response, IRS management agreed with the recommendations and stated that they plan to take corrective actions contingent upon funding availability.
* * * * *
September 19, 2014
MEMORANDUM FOR
CHIEF, CRIMINAL INVESTIGATION
CHIEF TECHNOLOGY OFFICER
FROM:
Michael E. McKenney
Deputy Inspector General for Audit
SUBJECT:
Final Audit Report -- Wireless Telecommunication Device Inventory
Control Weaknesses Resulted in Inaccurate Inventory Records and
Unsupported Service Fees (Audit # 201310002)
This report presents the results of our review to assess the efficiency and effectiveness of the Internal Revenue Service's (IRS) inventory control for wireless aircards, cellular phones, and BlackBerry® smartphone devices. This audit is included in our Fiscal Year 2014 Annual Audit Plan and addresses the major management challenge of Achieving Program Efficiencies and Cost Savings.
Management's complete response to the draft report is included as Appendix VI.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Gregory D. Kutz, Assistant Inspector General for Audit, (Management Services and Exempt Organizations).
Table of Contents
Background
Results of Review
Inventory Controls Over Wireless Devices Need Improvement
Recommendations 1 through 3:
Wireless Service Fees Were Paid for Devices Not Listed in
Inventory and for Multiple Devices Assigned to a Single User
Recommendations 4 through 7:
Appendices
Appendix I -- Detailed Objective, Scope, and Methodology
Appendix II -- Major Contributors to This Report
Appendix III -- Report Distribution List
Appendix IV -- Outcome Measure
Appendix V -- Cities and States Visited for Inventory Verifications
Appendix VI -- Management's Response to the Draft Report
Abbreviations
CI Criminal Investigation
FY Fiscal Year
IRM Internal Revenue Manual
IRS Internal Revenue Service
IT Information Technology
KISAM-AM Knowledge, Incident/Problem, Service, Asset
Management -- Asset Manager
UNS User and Network Services
In December 2013, according to the Internal Revenue Service (IRS), it had almost 6,400 BlackBerry® smartphones, 12,900 cellular phones, 29,000 wireless aircards,1 and 1,200 wireless pagers designated as in use2 by IRS employees.3 Wireless service providers offer these devices to the IRS at no cost; however, the IRS pays a monthly service fee for each device that is in use. In Fiscal Year4 (FY) 2013, the IRS spent almost $2.5 million in service fees for BlackBerry smartphones, more than $2.8 million for cellular phones, more than $6.4 million for wireless aircards, and more than $230,000 for wireless pagers. IRS Criminal Investigation (CI) pays for its cellular phones and BlackBerry smartphones separately from the rest of the IRS, and it spent almost $1.8 million for cellular phone and BlackBerry smartphone service combined in FY 2013.5
A 2011 Executive Order6 required Federal agencies to assess current device inventories and usage and establish controls to ensure that they are not paying for unused or underutilized information technology equipment, installed software, or services. In addition, Office of Management and Budget Circular A-1237 requires general management control standards that provide reasonable assurance that assets are safeguarded against waste, loss, and unauthorized use.
In a prior audit,8 we found that the IRS's processes for assigning and monitoring the use of wireless aircards and BlackBerry smartphones were not adequate to ensure that employees have a business need for the devices. Specifically, in our prior work, we reviewed the list of positions the IRS designated as positions in which job duties justified the need for a wireless device and found that some positions did not involve situations in which a wireless device was needed. Our prior work also reviewed usage reports and found thousands of devices that went months without any use, resulting in the IRS wasting funds on devices with no activity. In our prior work, we noted our plans to perform an audit of inventory controls due to concerns identified.
The IRS's Information Technology (IT) organization is responsible for establishing policies and procedures for the management and control of information technology equipment. Within the IT organization, the User and Network Services (UNS) office is responsible for supplying, maintaining, and managing security over wireless devices. The UNS office is also responsible for the accounting and recording of all information technology property and annually certifying the IRS's information technology inventory. To facilitate the inventory process, the IRS uses the Knowledge, Incident/Problem, Service, Asset Management -- Asset Manager (KISAM-AM) to maintain a complete inventory of all information technology assets.9 The KISAM-AM is the authoritative source for all hardware asset management and inventory information within the IRS and supersedes all other inventory data sources. CI maintains its own inventory records outside of the KISAM-AM for cellular phones issued to its employees, and CI is responsible for performing an annual certification of cellular phone devices that it inventories. Wireless aircards and BlackBerry smartphones assigned to CI personnel are contained within the IT organization inventory database KISAM-AM.
In order for an employee to obtain an IRS wireless device, IRS guidance10 requires employees to be in specific positions designated by the IRS that have a need for a wireless telecommunication device based on eligibility factors determined by the IRS and negotiations with the National Treasury Employees Union when applicable.11 Generally, positions eligible for a wireless device include senior executives, management, and employees who, in the normal course of their duties, have the need for but do not have immediate access to Government telephones or Internet access.
This review was performed with information obtained from the IRS's CI Headquarters in Washington, D.C., and in the IT organization Headquarters in Lanham, Maryland, in the UNS office during the period August 2013 through April 2014. We also performed 97 in-person inventory verifications at IRS offices located in 14 States and the District of Columbia. Appendix V provides a list of the States and the specific cities where the verifications were performed. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Results of Review
Inventory Controls Over Wireless Devices Need
Improvement
Most employees with wireless devices worked in positions the IRS designated as eligible for a device
Our review of a statistical sample of 200 devices listed in inventory as of December 2013 revealed that 180 devices were appropriately assigned to IRS employees, while 20 devices were assigned to employees who were in positions that the IRS had not designated as eligible for a device in its eligibility database. While a majority of sampled devices were appropriately assigned to employees whose positions were designated as eligible for the assigned device, we estimate that 5.54 percent12 of all wireless devices were assigned to IRS employees who were not in positions the IRS had designated as eligible for a wireless device. Specifically, three BlackBerry smartphone, nine IRS cellular phone, and eight CI cellular phone users13 from our sample occupied positions that were not designated as eligible for their device and did not have an exception on file. All wireless aircard users from our sample were in positions the IRS had designated as eligible. IRS guidance requires employees to occupy certain jobs in order to be eligible for the use of a wireless telecommunication device. Jobs are designated as eligible for wireless devices based on factors determined by the IRS and negotiations with the National Treasury Employees Union when applicable. The employee's eligibility is documented in an IT organization database. Figure 1 provides an overview of the standard position eligibility criteria for BlackBerry smartphones, cellular phones, and wireless aircards.
Figure 1: Wireless Device Eligibility Criteria
______________________________________________________________________
Device Type Eligibility Criteria
______________________________________________________________________
BlackBerry Smartphone Executives, senior departmental
managers, and other employees
depending on their job series,
grade, and need for such a device.
Cellular Phone Employees who, in the normal
course of their duties, do not
have immediate access to a
Government, commercial, or public
telephone or who are a manager in
need of contacting his or her
employees when no other
conventional method of
communication is available.
Suggested guidelines include
employees who are out of an office
environment at least 25 percent of
the time and require immediate
access to a telephone.
Wireless Aircard Employees who, in the normal
course of their duties, do not
have immediate access to the IRS
network. Suggested guidelines
include employees who are out of
an office environment at least 25
percent of the time and require
immediate access to the IRS network.
______________________________________________________________________
Source: Internal Revenue Manual (IRM) Sections on Wireless Aircards14
and Cellular Phones.15
Providing devices to employees in positions not designated as eligible for a device occurred because the IT organization database containing the list of eligible positions needs to be updated with accurate position descriptions and because employees in a position that did not qualify for a device did not have an exception request on file as required. We also found that the IRS's monthly review of service fees and device usage reports did not timely identify the 20 employees who were in positions not designated as eligible for their devices. IRS personnel stated that for all devices, except those that CI pays for separately, monthly service fees and device usage reports are reconciled each month to information technology databases to identify devices assigned to recently separated IRS employees and employees whose position the IRS has not designated as eligible for a wireless device. The IRS then updates employee positions in the database or cancels service to the device if there is no justification for the employee's use of the wireless device. However, the IRS reconciliation process was not effective for 12 of the 20 employees we identified in our sample. The remaining eight employees were CI employees and CI is not part of the standard monthly reconciliation process, nor does CI have its own monthly review process to ensure that employees are in positions designated by the IRS as eligible for a device.
Inventory records did not match employee devices
Our review of a statistical sample of 200 devices listed in inventory as in use as of December 2013 found errors in inventory records for 67 devices because inventory records were not updated as changes occurred. IRM standards16 require all offices to conduct an inventory of information technology equipment and certify the completion of inventory each fiscal year in order to locate and verify the existence of controlled assets and verify and confirm the accuracy of key KISAM-AM fields. CI, which maintains its own inventory records of CI cellular phones, is also required to complete an annual certification process for its devices. BlackBerry smartphones assigned to CI employees are inventoried and controlled by CI within the KISAM-AM. Wireless aircards assigned to CI employees are inventoried and controlled with the rest of the IRS's wireless aircards.
For our stratified random sample of 200 devices, we conducted in-person and remote verifications of inventory records to the actual device, and we tested the device's functionality.17 Sixty-seven of the 200 sampled devices were not accurately recorded in inventory due to errors such as inaccurate identifiers, devices that were returned or lost but listed as in use in inventory, and devices listed in inventory as in use that were not in service.18 Devices with inaccurate identifiers included instances in which the barcode, serial number, or phone number listed in inventory records did not match the actual device. We could not determine the accuracy of inventory for 15 of 200 devices due to the device identifiers on the physical device being worn to illegibility and due to some devices being replaced between the time that we received the inventory extract and the time that we conducted our verification.19 Figure 2 presents our overall testing results for the sampled devices.
Figure 2: Inventory Verification Results
______________________________________________________________________
Results Total
______________________________________________________________________
Inventory Records Accurate 118
Inventory Records Inaccurate 67
Device Identifiers Inaccurate 36
Device Returned 15
Device Lost 1
Device Not In Service 15
Accuracy Undetermined 15
Total Number of Devices 200
______________________________________________________________________
Source: Our analysis of inventory records for 200 sampled wireless
devices.
Overall, we estimate that 56.79 percent20 of wireless communication device inventory records have errors because inventory records were not updated as changes occurred. The majority of the inconsistencies we identified were with wireless aircards, which were 75.00 percent21 inaccurate due to inconsistencies between the identifiers on the device and identifiers listed in inventory records such as serial numbers. IRS cellular phone records were 41.67 percent22 inaccurate due primarily to devices that were lost, returned, or not in service despite being listed as active in inventory. The least number of inconsistencies identified involved BlackBerry smartphones, with two devices returned and two with inaccurate identifiers such as serial numbers and barcodes, resulting in an 8.70 percent23 inaccuracy rate. Figure 3 represents our testing results by device type.
Figure 3: Inventory Verification Results
by Device Type24
Source: TIGTA analysis of inventory records for 185 sampled wireless devices when the accuracy of inventory records could be determined.
The IRS does not have an effective process to update inventory records as changes occur. The IRS Mobile Devices Program Management Office reorganized in May 2013, and according to the IRS, has been working towards reducing redundancy, reevaluating policies and procedures, and promoting good customer service. UNS office personnel acknowledged that cellular phone and wireless aircard inventory errors are due in part to the discontinuation in May 2013 of a monthly data refresh process that used information from monthly service provider reports to update KISAM-AM inventory records. Also, updates to BlackBerry smartphone inventory records currently rely on a process that requires IT organization personnel to report changes in device status using an electronic change submission process. During our review, we found that two of the four BlackBerry smartphone users we identified with inaccurate inventory records did not have a change request on file to report that they had turned in a device. As such, the electronic change submission process is only as reliable as the personnel filling out the report. We found that errors in CI cellular phone records were due to the fact that CI does not have an effective process to update inventory records monthly or as changes occur. Instead, CI updates its cellular phone inventory records at the end of each fiscal year, when it completes its annual cellular phone inventory certification.
Despite the errors in inventory records for 67 of the 200 sampled devices, we did not identify instances in which the IRS paid for service on a device that was no longer in use or replaced by another device. However, the IRS needs to continue to take appropriate measures to ensure that the data maintained in the inventory systems accurately reflect the devices assigned to employees. Without an effective inventory management system, the IRS may not be able to consistently verify information technology and identify wireless users, and thus risks paying service fees for devices that are not authorized, not in use, or unnecessary.
Wireless pagers are not inventoried
The IRS does not have a process in place to account for almost 1,200 wireless pager users. According to UNS office records, the IRS paid service fees for 1,153 pagers in FY 2013 but did not certify the use of those devices as required. IRM standards require all users of wireless pagers to complete a validation process annually or upon receipt of a newly assigned wireless pager, replacement wireless pager, pager number change, or service provider change.25 The UNS office is responsible for overseeing the validation process; however, discussions with UNS office management revealed that it does not have a process to identify what users have access to a wireless pager.
Although the number of wireless pagers represents only a small part of all wireless devices, the absence of an inventory and certification process for pagers affects the reliability of inventory data and the IRS's ability to ensure that the devices are issued to only employees with a business need. The lack of an inventory and certification process also prevents the IRS from verifying the service fees billed for these devices. Further, we were unable to perform testing of wireless pagers to evaluate the potential for existing waste or misuse because wireless pager users could not be identified. As a result, in FY 2013, the IRS spent more than $230,000 in service fees for 1,153 wireless pagers without any assurance that it was paying for devices that were necessary or in use by IRS employees.
In January 2014, subsequent to the start of our audit, the UNS Mobile Device Program Office initiated the first ever validation process of wireless pagers facilitated by the service provider at no cost to the IRS. The service provider issued a mass page to all pager users requesting responses to a common number and mailbox. IRS officials are in the process of evaluating the responses. They will decide whether to disconnect or return pagers, and reevaluate the use of pagers within the IRS to determine the need to continue pager service.
Recommendations
Recommendation 1: The Chief Technology Officer should perform an inventory reconciliation with device holders to ensure that inventory records reflect the correct status of each device and that device holders are eligible to possess the device, and develop a process to periodically reperform the reconciliation to ensure that inventory records remain accurate.
Management's Response: The IRS agreed with this recommendation. The IRS stated that it currently reconciles monthly billing and usage reports to ensure that service fees apply to devices assigned to authorized users. Contingent upon funding availability, the IRS stated that it will enhance the existing process to include reconciliation of inventory records.
Recommendation 2: The Chief, CI, should consider enacting a process to update the system of CI cellular phone inventory records as changes occur.
Management's Response: The IRS agreed with this recommendation. The IRS stated that its current standard operating procedures for CI's cellular phone inventory will be updated to clarify the requirements of timely inventory updates. Guidance and the updated standard operating procedures for CI's cellular phone inventory will be sent to all cellphone coordinators in CI.
Recommendation 3: The Chief Technology Officer should implement a process to identify pager users and reconcile with inventory records.
Management's Response: The IRS agreed with this recommendation. Contingent upon funding availability, the IRS will develop and implement procedures to identify active pager users and reconcile with inventory records.
Wireless Service Fees Were Paid for Devices Not Listed in Inventory and for Multiple Devices Assigned to a Single User
Ineffective inventory controls resulted in unverified and duplicate service fees. Specifically, according to monthly billing statements, we found the IRS paid monthly service fees for almost 6,800 wireless devices that were not captured in inventory records and for more than 700 employees who had multiple wireless devices that perform the same function. In addition, the IRS does not currently account for lost or stolen cellular phones or wireless aircards, and it did not follow proper procedures to document some BlackBerry smartphones that were reported as lost or stolen. Office of Management and Budget Circular A-123 requires general management control standards that provide reasonable assurance that assets are safeguarded against waste, loss, and unauthorized use. However, weaknesses in IRS inventory controls resulted in the IRS paying service fees for devices with no corresponding inventory record, putting the IRS at risk of spending thousands of dollars on devices that are not in use.
Some wireless devices for which the IRS paid monthly service fees were not inventoried
The IRS paid monthly service fees for almost 6,800 wireless devices that were not captured in inventory records. In September 2013, the IRS paid more than $1.1 million in monthly service fees for more than 40,300 BlackBerry smartphones, cellular phones, and wireless aircards. We compared September 2013 vendor billing statements to inventory records and determined that almost 6,800 devices (almost 17 percent) of the more than 40,300 devices the IRS paid for were not recorded in IRS inventory records as of December 2013. IRM standards require that all information technology equipment, including BlackBerry smartphones, cellular phones, and wireless aircards, be inventoried and certified on an annual basis in KISAM-AM and CI's cellular phone inventory records.26 IRS guidance states that maintaining the accuracy and completeness of all IRS assets in the KISAM-AM is critical to achieving IRS-wide goals. Figure 4 lists the devices that were included in IRS and CI September 2013 billing statements that were not listed in KISAM-AM or CI's inventory records.27
Figure 4: September 2013 Payments for Wireless Devices
Not in Inventory
______________________________________________________________________
Devices not
Devices Inventoried Charges for Devices
Device Type Billed (Percentage) Not Inventoried
______________________________________________________________________
BlackBerry 301
Smartphones 4,123 (7.30%) $16,235
1,337
Cellular Phones 9,187 (14.55%) $28,972
4,075
Wireless Aircards 23,034 (17.69%) $86,783
CI BlackBerry
Smartphones and 1,077
Cellular Phones* 3,982 (27.05%) $33,386
6,790
Total 40,326 (16.84%) $165,376
______________________________________________________________________
Source: Our analysis of IRS and CI's September 2013 billing
statements.
* CI BlackBerry smartphones and cellular phones are paid for
separately from other IRS wireless devices.
Inconsistencies between vendor billing and IRS inventory data occurred because the IRS does not have an effective process to timely reconcile monthly billing statements to inventory records. In May 2013, the UNS office discontinued its monthly refresh process that used device usage and billing reports to update cellular phone and wireless aircard inventory records, and it is currently working to develop an improved reconciliation method. Also, the UNS office does not have a process to reconcile BlackBerry smartphone billing statements to inventory records on a monthly basis. Further, CI does not have a process in place to review monthly billing statements and reconcile them to inventory.
Because these devices are not tracked in inventory, the IRS does not have assurance that the employees using them have a valid business need. While service fees associated with almost 6,800 devices may be justifiable, the IRS is not in a position to determine which fees are valid because inventory and billing records cannot be reconciled. The total monthly cost of the specific devices that were billed but not listed in inventory was $165,376 in September 2013. The annualized cost equates to nearly $2 million28 in service fees for devices that were not inventoried in FY 2013.
Employees accrued multiple monthly service fees for similar devices
According to monthly billing statements, the IRS paid monthly service fees for more than 700 employees who had multiple wireless devices. Specifically, our analysis of IRS September 2013 wireless billing statements revealed that the IRS spent more than $34,000 in monthly service fees for 635 users who were associated with between two and five wireless devices, and during the same month, CI spent more than $6,000 in monthly service fees for 92 users who were associated with between two and 11 devices.29 IRM standards30 stipulate that employees are not authorized to have multiple wireless devices unless a business justification can be obtained and approved.31
Figure 5: September 2013 Monthly Service Fees
for Multiple Devices
______________________________________________________________________
Number of Total Monthly
Combination of Devices Employees Service Fees
______________________________________________________________________
Multiple BlackBerry Smartphones 18 $2,221
Multiple Cellular Phones 17132 $7,175
Combination of BlackBerry Smartphone(s) 143 $10,969
and Cellular Phone(s)
Multiple Wireless Aircards 303 $13,864
Multiple CI BlackBerry Smartphones 92 $6,045
and/or CI Cellular Phones*33
Total 727 $40,274
______________________________________________________________________
Source: Our analysis of IRS and CI September 2013 wireless vendor
billing statements.
* CI BlackBerry smartphones and cellular phones are paid for
separately from other IRS wireless devices.
Neither the IRS nor CI has a process in place to evaluate monthly vendor billing statements to determine whether users are billed for multiple devices. When we asked the IRS to evaluate our findings, it acknowledged insufficiencies in the cellular phone and wireless aircard inventory records due to the discontinuation in May 2013 of the monthly inventory refresh process that used device usage and billing reports to update cellular phone and wireless aircard inventory records.
Based on the average monthly service fee of $60 for a BlackBerry smartphone, $24 for a cellular phone, and $21 for a wireless aircard, and the average monthly service fee of $39 for a CI BlackBerry smartphone or cellular phone, we estimate that the allowable monthly service costs if these employees were issued only one device would have been almost $24,000. The additional cost incurred by the IRS due to employees being charged monthly service fees for multiple devices was almost $17,000, which represents potential inefficient use of resources in the month of September 2013.34 The total excess cost for the additional devices performing the same function was $16,559 in September 2013. Annualized, this amounts to nearly $199,00035 in excess annual service fees for users with multiple devices that perform the same function in FY 2013.
Lost and stolen wireless devices were not documented
The IRS does not document lost or stolen cellular phones or aircards, and it did not properly document BlackBerry smartphones that were reported lost or stolen. The UNS office provided a list of 67 BlackBerry smartphone devices reported as lost or stolen in FYs 2011, 2012, and 2013. We reviewed incident reports for a judgmental sample36 of 20 of the 67 devices based on the locations with the highest number of devices reported lost or stolen during the time period. We determined that six of the 20 devices we selected did not have an incident report as required.
IRM standards require that if a cellular phone is lost or stolen, the vendor should be contacted so that service may be suspended, and the lost or stolen equipment should be reported to the local security officer, with whom an incident report must be filed.37 The employee, manager, and security officer must sign the report and a copy of the report must be provided to the local IT organization point of contact and the UNS office before a replacement can be issued.
The IRS does not consider cellular phones or wireless aircards to be assets because the wireless service providers provide the devices to the IRS at no cost; therefore, the UNS office does not track whether cellular phones or wireless aircards are reported lost or stolen. The IRS does consider BlackBerry smartphones to be assets, and the UNS office did document those BlackBerry smartphones that were reported lost or stolen. However, employees did not timely fill out the required incident report after reporting the device as lost or stolen to the UNS office. The IRS is unable to track whether employees may be misusing their devices, resulting in multiple lost or stolen devices per employee, because it does not track lost or stolen cellular phones and wireless aircards and does not maintain complete records of incident reports for lost or stolen BlackBerry smartphones.
Recommendations
Recommendation 4: The Chief Technology Officer should implement a process to reconcile monthly wireless service provider billing statements to its inventory records to ensure that the IRS can account for all devices for which it pays a monthly service fee.
Management's Response: The IRS agreed with this recommendation. The IRS stated that it currently reconciles monthly billing and usage reports to ensure that service fees apply to devices assigned to authorized users. Contingent upon funding availability, the IRS will enhance the existing process to include reconciliation of inventory records.
The IRS did not agree with the estimate of funds that could be put to better use associated with this recommendation. Specifically, the IRS stated that it has a monthly process to review and reconcile billed mobile usage for approved mobile users and that the process assures payments are discontinued for devices not in use by authorized users.
Office of Audit Comments: Our estimate is based on a match of devices the IRS was billed for with devices contained in IRS inventory records. Currently, the IRS only reconciles billing reports to usage data. However, the reconciliation of billing reports to usage data does not ensure that these devices are in the IRS's inventory and are actually being used by an authorized IRS employee. We continue to believe that a reconciliation of devices billed for to devices contained in validated inventory records is the only way to ensure that the IRS only pays for approved devices held by IRS employees.
Recommendation 5: The Chief Technology Officer should implement a review of monthly wireless service provider billing statements to determine whether the IRS is paying for employees to have wireless service on multiple devices that perform the same function without an approved business justification.
Management's Response: The IRS agreed with this recommendation. Contingent upon funding availability, the IRS will reinforce existing policy that requires business approval for all exceptions to the Enterprise Standardized Technology Portfolio to be documented and reconciled with monthly billing statements.
Recommendation 6: The Chief, CI, should implement a process to reconcile monthly wireless service provider billing statements to determine whether CI can account for each device it pays a monthly service fee for in its inventory records.
Management's Response: The IRS agreed with this recommendation. The IRS will develop and implement a process to ensure accuracy in matching monthly billing statements to inventory records.
Recommendation 7: The Chief, CI, should implement a review of monthly wireless service provider billing statements to determine whether CI is paying for employees to have wireless service on multiple devices that perform the same function.
Management's Response: The IRS agreed with this recommendation. The IRS stated that the form to request a wireless service will be modified to indicate that an additional device is being requested for the user and must include approval by management.
1 Wireless aircards provide mobile Internet access from laptops when employees are working outside of an IRS office.
2 The IRS has distributed a limited number of iPhones,® iPads,® Android® tablets, Android smartphones, and satellite phones to its employees as part of a pilot demonstration. Due to the limited number in use, we did not include these devices in the scope of testing. In addition, we were unable to perform testing on pagers because the IRS does not keep inventory records of pagers issued to employees.
3 As of December 2013, IRS inventory records included almost 64,000 devices. In addition, the IRS also paid monthly service fees for almost 1,200 pagers but did not maintain inventory records for the pagers. Of those devices, more than 49,000 devices were listed as in use, meaning they had active service on the device. Although the records for wireless pagers and CI's cellular phones did not indicate which devices were in use, we included them in the total number of in use devices because it is likely that those devices had active service.
4 Any yearly accounting period, regardless of its relationship to a calendar year. The Federal Government's fiscal year begins on October 1 and ends on September 30.
5 The wireless provider does not separate its bills for CI cellular phones and BlackBerry smartphones.
6 Exec. Order No. 13589, 3 C.F.R. § 13589 (2011).
7 Office of Management and Budget, OMB Circular No. A-123 (Revised), Management's Responsibility for Internal Control (Dec. 2004).
8 Treasury Inspector General for Tax Administration, Ref. No. 2013-10-010, Inadequate Aircard and BlackBerry Smartphone Assignment and Monitoring Processes Result in Millions of Dollars in Unnecessary Access Fees (Jan. 2013).
9 The IRS does not consider wireless aircards, cellular phones, and pagers to be assets, but for purposes of this report we refer to all wireless devices (BlackBerry smartphones, wireless aircards, cellular phones, and pagers) as assets because the device service fees for each of these devices represent a cost to the IRS.
10 Memorandum of Understanding Between the National Treasury Employees Union and the IRS Regarding the Standardization of Information Technology Equipment Profiles (June 2010).
11 Employees may apply for an exception through their manager when their position does not meet the standard eligibility criteria but the employee has a legitimate business need for a device. Business System Planners review all exception requests for wireless devices and update the IT organization database to reflect the change in status for approved exceptions.
12 We selected a stratified random sample of 200 wireless technology devices, stratified by device type in groups of 50 each of BlackBerry smartphones, wireless aircards, IRS cellular phones, and CI cellular phones in order to give equal attention to each device type. The point estimate projection is based on the overall stratified random sample. We are 95 percent confident that the true error rate is between 2.81 percent and 8.28 percent.
13 We sampled from CI cellular phone users separately because CI maintains its own inventory records for cellular phones. One of the eight CI cellular phone users was in a position that CI had requested be listed as eligible in the IRS eligibility database. However, the database was not updated to reflect the position as eligible for the device.
14 IRM 2.13.6.2.3, Wireless Aircards (July 23, 2013).
15 IRM 2.13.6.2.1, Cellular Phones (July 23, 2013) and IRM 2.13.6.2, Wireless Communications (July 23, 2013).
16 IRM 2.14.1.13.19.4, Inventory Reconciliation (Nov. 8, 2011).
17 We conducted 97 in-person verifications for devices from our sample. In addition, 103 remote verifications were performed by having the employee capture and provide us with an image of the device serial number and barcode. We tested the device functionality for BlackBerry smartphones and cellular phones by calling the device telephone number and confirming that the employee answered the device or confirming that the voice mail was associated with the sampled employee for both in-person and remote verifications.
18 Devices not in service were listed as in use per IRS inventory records, but the device actually had no service. The IRS was not paying a service fee for the device, but inventory records did not reflect that the device was no longer in use.
19 The IRS provided an extract of its wireless inventory records as of December 2013; however, we conducted verifications of the inventory records from December 2013 through March 2014. We could not determine whether inventory records were accurate as of the December 2013 inventory record extract when employee wireless devices were replaced between December 2013 and the date of our inventory verification.
20 The point estimate projection is based on the stratified random sample. The 15 sample cases in which the accuracy of the inventory record could not be determined were omitted from the sample. We are 95 percent confident that the true error rate is between 48.24 percent and 65.33 percent. Sample errors from each device type count differently toward the calculation of the overall error rate because there are significantly more of certain devices (e.g., 28,988 wireless aircards but only 6,383 BlackBerry smartphones).
21 The point estimate projection is based on the remaining sample of 44 wireless aircards. We are 95 percent confident that the true error rate is between 59.60 percent and 86.80 percent.
22 The point estimate projection is based on the remaining sample of 48 IRS cellular phones. We are 95 percent confident that the true error rate is between 27.60 percent and 56.80 percent.
23 The point estimate projection is based on the remaining sample of 46 BlackBerry smartphones. We are 95 percent confident that the true error rate is between 2.42 percent and 20.80 percent.
24 Figure 3 exhibits pie charts representing the verification results by device type for 185 of the 200 sampled wireless devices. We were unable to verify identifying information for the remaining 15 devices in our sample.
25 IRM 2.13.6.2.2.8, Yearly Validation (July 23, 2013).
26 IRM 2.14.1, Asset Management, Information Technology Asset Management (Nov. 8, 2011).
27 CI pays for its BlackBerry smartphones and cellular phones separately from the rest of the IRS, and because CI BlackBerry smartphone and cellular phone service charges are on a single billing statement, we were unable to distinguish between a CI BlackBerry smartphone and a CI cellular phone for the purposes of our analysis.
28 See Appendix IV. The one-year estimate is based on multiplying the base month by 12 and assumes, among other considerations, that cellular phone usage patterns and service fees were substantially the same over the fiscal year. This number represents potential funds put to better use until the IRS actually reconciles inventory and billing records.
29 According to CI, its personnel may need multiple devices for investigative purposes.
30 IRM 2.13.6.2.1, Cellular Phones (July 23, 2013).
31 An employee may have a cellular phone and a non-voice-activated BlackBerry, to be used for data only, but may not have two devices with voice capabilities. We accounted for this exception in our analysis. In addition, we did not consider it an error if we identified an employee who had a wireless aircard and a BlackBerry smartphone or cellular phone.
32 There were five users that appeared in the multiple cellular phone analysis and the combination analysis. Due to the overlap, we counted those five users and the cost of the multiple devices in only the combination of BlackBerry smartphone and cellular phone results.
33 CI monthly billing statements combine monthly service fees for cellular phones and BlackBerry smartphones, so we were unable to differentiate between the device types assigned to the 92 employees with multiple devices.
34 See Appendix IV. Because we cannot determine which single device the user should have been assigned, we used the average monthly cost of BlackBerry smartphones ($60), cellular phones ($24), and wireless aircards ($21), and used the average monthly service cost for CI BlackBerry smartphones and cellular phones ($39) to estimate the allowed monthly cost and excess monthly cost.
35 See Appendix IV. The one-year estimate is based on multiplying the base month by 12 and assumes, among other considerations, that cellular phone usage patterns and service fees were substantially the same over the fiscal year.
36 A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.
37 IRM 2.13.6, Information Technology, Enterprise Networks, Wireless Communications (July 23, 2013).
END OF FOOTNOTES
* * * * *
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to assess the efficiency and effectiveness of the IRS's inventory control for wireless aircards, cellular phones, and BlackBerry smartphone devices.
I. Determined what controls the IRS has in place to account for its wireless telecommunication devices.
A. Identified and reviewed Federal regulations regarding wireless devices.
B. Identified and reviewed IRS policies and procedures regarding wireless devices.
C. Interviewed IRS officials responsible for overseeing wireless devices.
II. Assessed the effectiveness of the IRS's controls over its assignment and inventory of wireless telecommunication devices.
A. Selected a stratified random sample of wireless devices listed in inventory records as in use as of December 2013.1 We stratified the wireless devices into four subpopulations: BlackBerry smartphones,2 wireless aircards,3 IRS cellular phones,4 and Criminal Investigation cellular phones.5 We used statistical sampling in order to project the results of testing to the population of all wireless devices. Our contracted statistician assisted with developing sampling plans and projections. We assessed the reliability of these data systems prior to selecting our sample by evaluating whether the data fields contained appropriate information and ensuring that we had an accurate record count. Based on these tests and prior audits, these data systems have known errors but are sufficiently reliable for the purposes of our audit.
B. Verified whether the IT organization database that lists employee eligibility for a wireless device based on position description indicated that the employee had authorization to be assigned the device.
C. Verified that the employee had the device in his or her possession and that it was in service.
III. Assessed the risks for inefficiencies and controls over lost or stolen IRS wireless telecommunication devices.
A. Determined whether each device the IRS paid for was listed in inventory.
B. Determined whether users had multiple types of wireless devices that perform the same function or multiples of the same device.
C. Determined whether there were risks for misuse and loss of sensitive data such as from users who reported multiple lost or stolen devices.
Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined that the following internal controls were relevant to our audit objective: IRS policies, procedures, and practices for assigning and inventory accounting for wireless telecommunications devices. We evaluated these controls by interviewing management and analysts responsible for executing the wireless program, reviewing applicable documentation, testing the effectiveness of the current wireless program controls, and testing additional areas of potential control weakness.
FOOTNOTES TO APPENDIX I
1 We selected a stratified random sample of 200 wireless devices from a population of 48,241 wireless devices listed as in use in inventory records as of December 2013. The 200 devices sampled included BlackBerry smartphones, cellular phones, and wireless aircards. However, 15 sample cases in which the accuracy of the inventory record could not be determined were omitted from the sample. We are 95 percent confident that the overall error rate is between 48.24 percent and 65.33 percent. Sample errors from each device type count differently toward the calculation of the overall error rate because there are significantly more of certain devices than others.
2 We selected a random sample of 50 BlackBerry smartphones from a population of 6,383 listed as in use in inventory records as of November 2013. The point estimate projection is based on the remaining sample of 46 BlackBerry smartphones. We are 95 percent confident that the true error rate is between 2.42 percent and 20.80 percent.
3 We selected a random sample of 50 wireless aircards from a population of 28,988 listed as in use in inventory records as of December 2013. The point estimate projection is based on the remaining sample of 44 wireless aircards. We are 95 percent confident that the true error rate is between 59.60 percent and 86.80 percent.
4 We selected a random sample of 50 IRS cellular phones from a population of 11,574 listed as in use in inventory records as of December 2013. The point estimate projection is based on the remaining sample of 48 IRS cellular phones. We are 95 percent confident that the true error rate is between 27.60 percent and 56.80 percent.
5 We selected a random sample of 50 CI cellular phones from a population of 1,296 recorded in CI's inventory records as of November 2013. The point estimate projection is based on the remaining sample of 47 CI cellular phones. We are 95 percent confident that the true error rate is between 10.70 percent and 35.70 percent. Wireless aircards and BlackBerry smartphones assigned to CI personnel are contained within the overall IT organization inventory database.
END OF FOOTNOTES TO APPENDIX I
* * * * *
Appendix II
Major Contributors to This Report
Gregory D. Kutz, Assistant Inspector General for Audit (Management Services and
Exempt Organizations)
Jonathan T. Meyer, Director
Deanna G. Lee, Audit Manager
Jamelle L. Pruden, Lead Auditor
Lara E. Phillippe, Senior Auditor
Trisa M. Brewer, Auditor
* * * * *
Appendix III
Report Distribution List
Commissioner C
Office of the Commissioner -- Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Associate CIO, User and Network Services OS:CTO:UNS
Director, Technical Operations and Investigative Service SE:CI:TOIS
Director, Operations Service Support OS:CTO:UNS:OS
Director, Unified Communications OS:CTO:UNS:UC
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
Associate CIO, Strategy and Planning OS:CTO:SP
Director, Strategy SE:CI:S
Appendix IV
Outcome Measure
This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. This benefit will be incorporated into our Semiannual Report to Congress.
Type and Value of Outcome Measure:
Cost Savings: Funds Put to Better Use -- Potential; $2,183,2201 for Fiscal Year 2013 (see page 10).
Methodology Used to Measure the Reported Benefit:
We compared September 2013 monthly vendor billing statements for BlackBerry smartphones, cellular phones, and wireless aircards to the KISAM-AM and CI cellular phone inventory records obtained in December 2013. Our criteria used to join the data sources were the standard employee identifier, IRS billing statements, and first and last name for CI billing statements. Our analysis identified 6,790 devices that were billed for service in September 2013 that were not in inventory as of December 2013. The total monthly cost of the specific devices that were billed but not listed in inventory was $165,376. This amounts to almost $2 million2 in annual service fees for devices that were not inventoried. This number represents potential funds put to better use until the IRS actually reconciles inventory and billing records.
We also analyzed September 2013 monthly billing statements for BlackBerry smartphones, cellular phones, and wireless aircards to determine whether users were billed for multiple devices of the same type. Our criteria used to identify users with multiple service fees were the standard employee identifier for IRS billing statements and first and last name for CI billing statements. Our analysis identified 727 users who were billed for two or more devices that perform the same function. Because we could not determine which single device the user should have been assigned, we used the average monthly cost of BlackBerry smartphones ($60), cellular phones ($24), and wireless aircards ($21), and used the average monthly service cost for CI BlackBerry smartphones and cellular phones ($39) to estimate the allowed monthly cost and excess monthly cost. The total allowable monthly cost for the 727 users was $23,715, and the total excess cost for the additional devices performing the same function was $16,559 in September 2013. This amounts to almost $199,0003 in excess annual service fees for users with multiple devices that perform the same function.
FOOTNOTES TO APPENDIX IV
1 The one-year estimate for funds put to better use is based on multiplying the base month by 12 and assumes, among other considerations, that cellular phone usage patterns and service fees were substantially the same over the fiscal year. The one-year estimate was rounded to the nearest hundred thousand.
2 The one-year estimate is based on multiplying the base month by 12 and assumes, among other considerations, that cellular phone usage patterns and service fees were substantially the same over the fiscal year. The one-year estimate was rounded to the nearest hundred thousand.
3 The one-year estimate is based on multiplying the base month by 12 and assumes, among other considerations, that cellular phone usage patterns and service fees were substantially the same over the fiscal year. The one-year estimate was rounded to the nearest thousand.
END OF FOOTNOTES TO APPENDIX IV
* * * * *
Appendix V
Cities and States Visited for Inventory Verifications
California
Camarillo, Fresno, Laguna Niguel, Los Angeles, Oakland, San Diego, San Jose, San Mateo, San Rafael, Santa Rosa
Colorado
Denver
D.C.
Washington
Georgia
Atlanta, Chamblee
Kentucky
Covington
Maryland
Lanham, Oxon Hill
Massachusetts
Andover, Lowell, Stoneham
Missouri
Kansas City
New York
Holtsville, New York
Ohio
Cincinnati
Oklahoma
Oklahoma City, Tulsa
Pennsylvania
Philadelphia
Tennessee
Memphis
Texas
Dallas, Farmers Branch, Fort Worth, Houston, Longview
Utah
Ogden
* * * * *
Appendix VI
Management's Response to the Draft Report
August 28, 2014
MEMORANDUM FOR
DEPUTY INSPECTOR GENERAL FOR AUDIT
FROM:
Terence V. Milholland
Chief Technology Officer
SUBJECT:
Draft Audit Report -- TIGTA Draft
Report-Wireless Telecommunication Device
Inventory Control Weaknesses Resulted in Inaccurate Inventory Records
and Unsupported Service Fees (Audit #201310002) (e-trak # 2014-58280)
Thank you for the opportunity to review the subject draft audit report and to discuss the report observations with the audit team. We appreciate your acknowledgement of the IRS's overall effectiveness in managing wireless services and ensuring that mobile devices are only issued to employees designated as eligible by the IRS.
In response to your recommendations, we have attached our corrective action plan. The IRS is in agreement with most of the recommendations provided by TIGTA and will take corrective actions contingent upon funding availability. However, we disagree with the outcome measure related to $2 million in service fees for devices that are not recorded in inventory and devices performing duplicate functions. The IRS has a monthly process to review and reconcile billed mobile usage for approved mobile users. This process assures payments are discontinued for devices not in use by approved users. Additionally, the IRS continues to enhance our device assessment and selection process as technology advances and intelligent devices perform dual functions. Our existing policy to evaluate mobile costs monthly provides controls to discontinue unnecessary service and/or devices.
We acknowledge that maintaining more accurate inventory records for devices will improve the efficiency and effectiveness of our mobile device program and we have already taken actions to implement many of the recommendations.
We value your continued support and the assistance your organization provides. If you have any questions, please contact me at (240) 613-9373 or a member of your staff may contact Lisa Starr, Senior Manager, Program Oversight Coordination at (240) 613-4219.
RECOMMENDATION #1:
The Chief Technology Officer should perform an inventory reconciliation with device holders to ensure that inventory records reflect the correct status of each device and that device holders are eligible to possess the device, and develop a process to periodically reperform the reconciliation to ensure that inventory records remain accurate.
CORRECTIVE ACTION #1:
The IRS agrees with this recommendation. The current IRS process reconciles monthly billing and usage reports to ensure that service fees apply to devices assigned to authorized users. Contingent upon funding availability, we will enhance the existing process to include reconciliation of inventory records.
IMPLEMENTATION DATE:
November 25, 2014
RESPONSIBLE OFFICIAL:
Associate Chief Information Officer, User & Network Services
RECOMMENDATION #2:
The Chief, CI, should consider enacting a process to update the system of CI cellular phone inventory records as changes occur.
CORRECTIVE ACTION #2:
The IRS agrees with this recommendation. The current standard operating procedures (SOP) for CI's cellular phone inventory will be updated to clarify the requirements of timely inventory updates. Guidance and the updated SOP for CI's cellular phone inventory will be sent to all Cellphone Coordinators in CI.
IMPLEMENTATION DATE:
December 15, 2014
RESPONSIBLE OFFICIAL:
Chief, Criminal Investigation
RECOMMENDATION #3:
The Chief Technology Officer should implement a process to identify pager users and reconcile with inventory records.
CORRECTIVE ACTION #3:
The IRS agrees with this recommendation. Contingent upon funding availability, the IRS will develop and implement procedures to identify active pager users and reconcile with inventory records.
IMPLEMENTATION DATE:
November 25, 2014
RESPONSIBLE OFFICIAL:
Associate Chief Information Officer, User & Network Services
RECOMMENDATION #4:
The Chief Technology Officer should implement a process to reconcile monthly wireless service provider billing statements to its inventory records to ensure that the IRS can account for all devices for which it pays a monthly service fee.
CORRECTIVE ACTION #4:
The IRS agrees with this recommendation. The current IRS process reconciles monthly billing and usage reports to ensure that service fees apply to devices assigned to authorized users. Contingent upon funding availability, we will enhance the existing process to include reconciliation of inventory records.
IMPLEMENTATION DATE:
November 25, 2014
RESPONSIBLE OFFICIAL:
Associate Chief Information Officer, User & Network Services
RECOMMENDATION #5:
The Chief Technology Officer should implement a review of monthly wireless service provider billing statements to determine whether the IRS is paying for employees to have wireless service on multiple devices that perform the same function without an approved business justification.
CORRECTIVE ACTION #5:
The IRS agrees with this recommendation. Contingent upon funding availability, the IRS will reinforce existing policy that requires business approval for all exceptions to the Enterprise Standardized Technology Portfolio to be documented and reconciled with monthly billing statements.
IMPLEMENTATION DATE:
November 25, 2014
RESPONSIBLE OFFICIAL:
Associate Chief Information Officer, User & Network Services
RECOMMENDATION #6:
The Chief, Cl, should implement a process to reconcile monthly wireless service provider billing statements to determine whether Cl can account for each device it pays a monthly service fee for in its inventory records.
CORRECTIVE ACTION #6:
The IRS agrees with this recommendation. We will develop and implement a process to ensure accuracy in matching monthly billing statements to inventory records.
IMPLEMENTATION DATE:
December 15, 2014
RESPONSIBLE OFFICIAL:
Chief, Criminal Investigation
RECOMMENDATION #7:
The Chief, CI, should implement a review of monthly wireless service provider billing statements to determine whether CI is paying for employees to have wireless service on multiple devices that perform the same function.
CORRECTIVE ACTION #7:
The IRS agrees with this recommendation. The form to request a wireless device will be modified to indicate that an additional device is being requested for the user and must include approval by management.
IMPLEMENTATION DATE:
December 15, 2014
RESPONSIBLE OFFICIAL:
Chief, Criminal Investigation
- Institutional AuthorsTreasury Inspector General for Tax Administration
- Subject Area/Tax Topics
- Jurisdictions
- LanguageEnglish
- Tax Analysts Document NumberDoc 2014-26450
- Tax Analysts Electronic Citation2014 TNT 215-23