United States General Accounting Office GAO Report to the Commissioner, Financial Management Service, Department of the Treasury August 1999 INTERNAL CONTROLS FMS’ Monitoring of Lockbox Bank Operations Needs Improvement GAO/AIMD-99-219 United States General Accounting Office Accounting and Information Washington, D.C. 20548 Management Division B-282987 Letter August 20, 1999 Mr. Richard L. Gregg Commissioner, Financial Management Service Department of the Treasury Dear Mr. Gregg: We recently reported on the U.S. government’s financial statements for fiscal year 1998.1 In connection with fulfilling our requirement to audit these statements, we performed audit procedures to evaluate the internal controls over cash receipts processed by the Department of the Treasury’s Financial Management Service (FMS) on behalf of the federal government.2 Our audit included testing the effectiveness of FMS’ internal controls over lockbox collections. The purpose of this report is to provide the results of our work in this area and our recommendations for improvement. On behalf of federal agencies, FMS enters into lockbox service agreements with commercial banks to collect certain payments made to the federal government. FMS uses two lockbox networks: the general lockbox network for all payments except federal taxes and the Internal Revenue Service (IRS) lockbox network for federal tax payments.3 Both networks use the same banks but are under separate lockbox service agreements with FMS. The banks establish post office boxes and electronic accounts to receive payments and are responsible for safeguarding and processing the funds collected in accordance with their agreements with FMS and the federal agencies. In fiscal year 1998, FMS reported that about $259 billion was collected through these banks, of which $242 billion was federal tax payments in the IRS lockbox network and $17 billion was nontax payments in the general lockbox network. Because funds collected through lockbox banks go directly to the banks, FMS must ensure that the banks establish and maintain adequate internal controls over the collections they process. Thus, FMS’ monitoring of lockbox banks’ operations is intended to be a key 1 Financial Audit: 1998 Financial Report of the United States Government (GAO/AIMD-99-130, March 31, 1999). 2 31 U.S.C. 331 (e) (1994). 3 Network is the term used by FMS to describe the group of banks that provide lockbox services. Leter Page 1 GAO/AIMD-99-219 Lockbox Collections B-282987 internal control for ensuring that the funds collected are protected against fraud, waste, and mismanagement. Results in Brief FMS needs to improve its monitoring of lockbox bank operations to ensure that federal collections are adequately safeguarded and properly processed. We found weaknesses in FMS’ monitoring of lockbox bank operations related to on-site reviews and lockbox bank audits. Specifically, we and other auditors found that on-site reviews performed by FMS at IRS lockboxes were not always effective in detecting certain internal control weaknesses at the banks. Also, FMS did not perform periodic on-site reviews of the general lockbox bank operations prescribed in its internal policies and procedures and authorized by its agreements with the banks. In addition, FMS did not have a policy to and did not obtain and review the results of the internal and external audits of general lockbox bank operations, even though these audits were required under the agreements with the banks. Further, FMS did not include any audit requirements in its IRS lockbox agreements. Without performing these key monitoring activities, FMS is not assured of timely identifying and resolving internal control weaknesses at lockbox banks. Such weaknesses increase the risk of loss of federal collections. We and other auditors recently reported on weaknesses in internal controls and instances of actual theft of federal tax payments by employees of banks that provide IRS lockbox services.4 These problems emphasize the importance of establishing adequate controls and effectively monitoring lockbox banks to timely identify and resolve internal control weaknesses that otherwise put billions of dollars of government collections and taxpayer data at risk. Background The lockbox program was established to collect a variety of payments to federal agencies through commercial banks (sometimes called federal depositaries but hereafter referred to as lockbox banks), including income taxes, customs duties, fees, licenses, and payments for goods and services the agencies provide. Lockbox banks establish post office boxes or electronic accounts to receive payments made to agencies, process the 4 Financial Audit: IRS’ Fiscal Year 1998 Financial Statements (GAO/AIMD-99-75, March 1, 1999) and Review of the Effectiveness of Using Commercial Bank Lockboxes for Federal Income Tax Payments (Treasury OIG-98-097, August 20, 1998). Leter Page 2 GAO/AIMD-99-219 Lockbox Collections B-282987 payments, transfer funds to the Treasury General Account at the New York Federal Reserve Bank, submit collection reports to the federal agencies, and report collection data to FMS. FMS is responsible for the overall management of the lockbox program and currently has agreements with four banks to provide lockbox services. Each of the four banks provides general and IRS lockbox services and has multiple lockbox sites. There are a total of 11 lockbox sites nationwide. FMS enters into agreements (called lockbox depositary agreements) with the lockbox banks to provide lockbox services for federal agencies. These agreements set forth the general terms and conditions for lockbox operations and FMS’ rights to examine and audit those operations. FMS, lockbox banks, and each of the federal agencies for whom the lockbox services are to be provided, also establish memorandums of understanding. These three-party agreements set forth procedures for processing collections that are designed to meet the specific processing and reporting requirements of the individual federal agencies. Under these agreements, the banks are required to maintain books, records, reports, and other evidence to support collections processing and deposit activity; FMS has the right to inspect, at all times, all parts of the lockbox bank facilities engaged in performing lockbox services; and the banks are required to have security controls such as security cameras, access logs, and employee identification badges. In addition, the general lockbox agreements require banks to obtain semiannual internal and biannual external audits that cover internal controls over lockbox operations and to submit these audit reports to FMS upon request. FMS did not include this type of requirement in the IRS lockbox agreements. For IRS lockboxes, FMS and IRS monitor and oversee bank operations through regular on-site reviews during peak collection periods (such as in April when individual tax payments are processed) and quarterly performance reviews of the lockbox banks. Scope and To meet our objective of evaluating the effectiveness of FMS’ internal controls over lockbox operations, we reviewed FMS’ policies and Methodology procedures for monitoring lockbox bank operations and discussed these with FMS officials. We also reviewed the standard lockbox depositary agreements for both the general lockbox network and the IRS lockbox network. In addition, we reviewed the related memorandum of understanding for one lockbox bank to identify provisions related to safeguarding lockbox collections. As part of our audit of IRS’ fiscal year Page 3 GAO/AIMD-99-219 Lockbox Collections B-282987 1998 financial statements, we observed physical safeguards and segregation of duties over receipts and related taxpayer data processed at two lockbox bank sites. In addition, we reviewed a Treasury Office of Inspector General (OIG) report on IRS’ lockbox operations to determine if the auditors had identified any internal control problems. We performed our work in accordance with generally accepted government auditing standards as part of our audit of the government’s fiscal year 1998 consolidated financial statements for which our audit report was issued on March 31, 1999. We requested comments on a draft of this report from the Commissioner of the Financial Management Service. The Commissioner’s comments are reprinted in appendix I. Improvements Are FMS needs to improve its monitoring of lockbox banks’ operations to ensure that federal collections are adequately safeguarded and properly Needed in FMS’ processed. The Comptroller General’s Standards for Internal Control in the Monitoring of Lockbox Federal Government require that management establish policies and procedures to provide reasonable assurance that assets are safeguarded Bank Operations against loss from unauthorized use or disposition and transactions are executed accurately and timely in accordance with management directives.5 We found weaknesses in FMS’ monitoring of lockbox banks’ operations related to on-site reviews and lockbox bank audits. On-site Reviews On-site reviews are designed to assist FMS in evaluating the effectiveness of the lockbox banks’ internal controls. FMS’ Regional Financial Center (RFC) customer assistance staff are responsible for and are performing on-site reviews at the IRS lockbox bank sites (6 in 1997 and 30 in 1998). However, because the scope did not include all security-related matters, these reviews did not detect problems that existed such as the following internal control weaknesses we and other auditors identified. In our audit of IRS’ fiscal year 1998 financial statements, we found that internal controls related to receipts and related taxpayer data at certain lockbox bank sites did not adequately safeguard collections. For example, 5 These requirements, along with proposed standards that supersede the standards we issued in 1983, are included in our exposure draft Standards for Internal Control in the Federal Government (GAO/AIMD-99-21.3.1) issued May 1999. Page 4 GAO/AIMD-99-219 Lockbox Collections B-282987 we reported that lockbox banks were using unarmed couriers to transport checks and taxpayer data, and bank personnel whose background checks had not been completed were helping process the checks and taxpayer data. We also reported that in fiscal years 1997 and 1998, IRS’ internal investigation unit had identified numerous cases involving employee theft of hundreds of thousands of dollars of federal funds at lockbox banks. The Treasury OIG also has identified the need for improvements in internal controls related to IRS lockbox receipts and related taxpayer data. In August 1998, after finding that 5 of the 10 IRS lockbox bank sites it visited were not complying with required security measures outlined in the memorandums of understanding, the OIG recommended that FMS ensure banks’ compliance with agreed-upon security measures by making unannounced security inspections. FMS has begun unannounced security inspections at IRS lockbox bank sites in response to the OIG’s recommendation. Specifically, as of March 1999, FMS had completed unannounced inspections at 2 IRS lockbox sites, with a schedule in place to complete reviews at all 10 sites. FMS’ inspection team leader told us that they found instances of noncompliance at both sites visited. For example, one of the banks had not fully tested its contingency and disaster recovery plans. While the bank had tested the automated procedures, it had not tested the process and related controls for transporting checks and related taxpayer data to another location for processing. FMS’ Financial Services Division (FSD) is responsible for performing on-site reviews at the general lockbox bank sites and has established a goal of visiting each bank every 2 years. However, we found that FSD did not perform any on-site reviews in fiscal year 1998 and performed only one on-site review in fiscal year 1997. FSD officials said that on-site reviews were planned for fiscal year 1998 but were canceled when travel funds were diverted to another project. Lockbox Bank Audits Reviewing the results of audits of lockbox operations is another way for FMS to determine if the banks’ controls are adequate. However, we found that FMS did not require internal and external audits of lockbox operations in its IRS lockbox agreements and was not obtaining and reviewing the results of internal and external audits required by the general lockbox agreements. An FSD official told us that instead of requiring audits of IRS lockbox operations, FSD relied on the monitoring and oversight performed Page 5 GAO/AIMD-99-219 Lockbox Collections B-282987 by IRS and FMS’ RFC staff through their on-site reviews and quarterly performance reviews. However, in its August 1998 report on lockboxes, the Treasury OIG reported that IRS did not always submit the results of on-site security reviews to FMS timely because there was no regulation in place requiring this. The OIG also reported that IRS had not been timely monitoring the performance of the lockboxes. For the general lockboxes, FSD was relying on bank officials’ verbal assurances that the required semiannual internal audits were being performed but was not requiring the banks to submit audit reports to FSD. Regarding the external audits of these lockboxes, we found that three of the four lockbox banks had not obtained the required biannual audit of their lockbox operations as stipulated in their agreements with FMS. We also found that the agreements do not include the specific type or scope of audit to be performed. This is important because professional standards provide for several different types of audits or other services. Conclusion Without effective monitoring of lockbox bank operations through on-site reviews and review of internal and external audits of such operations, FMS does not know whether the banks are adequately safeguarding and properly processing collections. Also, unless FMS provides the banks with specific guidance as to the type and scope of external audits required, FMS cannot be assured that these audits are consistent as to the level of work being performed. Inadequate monitoring of lockbox bank operations could result in problems like those found in our IRS audit and the OIG review going undetected and unresolved for long periods, thus increasing the risk of the loss of federal collections. Recommendations To correct the internal control weaknesses we identified with lockbox operations, we recommend that you direct the Assistant Commissioner for Federal Finance to ensure that the Financial Services Division • performs the periodic on-site reviews of general lockbox banks as prescribed in its internal policies and procedures; • requires banks to obtain semiannual internal and biannual external audits of their IRS lockbox operations; • develops and provides to the banks specific guidance as to the type and scope of the external audits or other services; Page 6 GAO/AIMD-99-219 Lockbox Collections B-282987 • enforces the requirement for banks to obtain internal and external audits in compliance with their lockbox depositary agreements with FSD; and • develops and implements a policy to obtain and review audit results including procedures to follow up with banks and agencies on any weaknesses identified in lockbox operations to ensure that the problems are corrected. We also recommend that you direct the Assistant Commissioner of Federal Finance to monitor FSD’s efforts in this area and take steps to ensure compliance. Agency Comments In commenting on a draft of this report, the Commissioner of FMS concurred with our findings and noted that FMS has or would be taking actions to address the issues raised. Specifically, the Commissioner indicated that FMS has already implemented an aggressive schedule of on-site reviews. In addition, he stated that FMS intends to strengthen the requirements to receive lockbox bank audits to ensure that FMS is fully apprised of internal and external findings and their subsequent successful closure. We will follow up on these matters during our audit of the federal government’s fiscal year 1999 consolidated financial statements. This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. 720 to submit a written statement on actions taken on these recommendations to the Senate Committee on Governmental Affairs and the House Committee on Government Reform within 60 days of the date of the report. A written statement also must be sent to the House and Senate Committees on Appropriations with the agency's first request for appropriations made more than 60 days after the date of this report. We are sending copies of this report to Senator Fred Thompson, Chairman, and Senator Joseph Lieberman, Ranking Minority Member, Senate Committee on Governmental Affairs; Representative Dan Burton, Chairman, and Representative Henry Waxman, Ranking Minority Member, House Committee on Government Reform; the Honorable Lawrence Summers, Secretary of the Treasury; Donald Hammond, Fiscal Assistant Secretary, Department of the Treasury; Lawrence W. Rogers, Acting Inspector General, Department of the Treasury; and the Honorable Jacob J. Lew, Director, Office of Management and Budget. Copies will be made available to others upon request. Page 7 GAO/AIMD-99-219 Lockbox Collections B-282987 If you have any questions regarding this report, please contact me or Christine Robertson at (202) 512-3406. Other key contributors to this assignment were Suzanne Murphy, Jerry Marvin, and Carolyn Voltz. Sincerely yours, Gary T. Engel Associate Director Governmentwide Accounting and Financial Management Issues Page 8 GAO/AIMD-99-219 Lockbox Collections Page 9 GAO/AIMD-99-219 Lockbox Collections Appendix I Comments From the Financial Management Service AppenIx di Page 10 GAO/AIMD-99-219 Lockbox Collections Appendix I Comments From the Financial Management Service Page 11 GAO/AIMD-99-219 Lockbox Collections Appendix I Comments From the Financial Management Service (919375) Letr Page 12 GAO/AIMD-99-219 Lockbox Collections Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary, VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Orders by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touchtone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send an e-mail message with “info” in the body to: firstname.lastname@example.org or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GI00 Official Business Penalty for Private Use $300 Address Correction Requested
Internal Controls: FMS' Monitoring of Lockbox Bank Operations Needs Improvement
Published by the Government Accountability Office on 1999-08-20.
Below is a raw (and likely hideous) rendition of the original report. (PDF)