A handful of managers in the D.C. Office of Tax and Revenue had the ability to alter the assessed values of property in the city without leaving any trace of changes that were made, according to an internal audit obtained by The Washington Post.

The 25-page audit points to a vulnerability in the way managers — dubbed “super-users” — interact with the city’s mass appraisal computer system. The system is the main repository of information on the District’s property values and is used to calculate tax bills.

The audit cites no examples of wrongdoing by the tax office’s staff members, but it describes a “significantly flawed” system in which supervisors can access property records and alter them without being detected.

Weak internal controls have long been an issue at the tax office, where officials promised sweeping reforms after a 2007 scandal involving a manager who stole $48 million through fraudulent refunds, the largest embezzlement scheme in D.C. history.

The audit, written by the internal affairs unit of the Office of the Chief Financial Officer, was delivered in March to the District’s finance chief, Natwar M. Gandhi. It was made public after The Post, which had obtained a draft, submitted questions about its content.

The news of the audit comes as the tax office is under increased scrutiny for its handling of commercial property tax appeals. The Post reported this month that officials in the tax office had cut $2.6 billion from the proposed taxable value of more than 500 commercial properties after settling with owners.

Gandhi said that the settlements were necessary to avoid the expense of litigation and to correct errors by appraisers, and that they represented only a small fraction of the city’s tax base. The FBI and internal auditors are looking into complaints about the settlements, according to sources with knowledge of the inquiries.

The audit examined the computer-assisted mass appraisal system, finding that appraisers’ supervisors can essentially write over assessment data without leaving any record of changes.

Supervisors can lower the assessed value of a property, for example, or change the way it is classified under the city’s tax tiers, which could reduce an owner’s tax bill, the audit found.

The lack of internal controls, auditors wrote, “significantly increases the possibility that an erroneous or improper transaction could occur and remain undetected.”

In response to the audit’s findings, agency chief Stephen Cordi — hired four years ago to clean up the office after the $48 million embezzlement — promised in March to make the process more “transparent” by revising procedures to clarify that data should not be overwritten.

The tax office also “recently modified its procedures and processes to ensure better separation of duties,” Cordi wrote to auditors at the time. “. . . These new procedures include an additional level of approval to ensure that no one person can modify a record and then act as the approver of the change.”

An agency spokeswoman said last week that steps have been taken to address the problems pointed out in the audit. “Our procedures no longer allow for the over-writing of data,” the spokeswoman said in a written statement.

The agency declined to elaborate or to make officials available for interviews.

In the statement, the agency also disputed auditors’ findings that in the past, supervisors could make untracked changes in the system. “The change does leave an audit trail,” the spokeswoman said. “The individual who made the change would be identified.”

The data behind tax bills

The mass appraisal system has been used by the tax office for years. It calculates property values after appraisers enter data such as prior sales, property size, the number of apartments in a building and the number of bathrooms in a home. That information drives the city’s tax bills.

Appraisers make changes in the system throughout the year to account for such things as data-entry errors or sudden changes in tax classifications. Vacant properties, for example, are taxed at a higher rate than office buildings, and office buildings are taxed at a higher rate than homes.

Entries made by staff appraisers require supervisory approval and a documented reason for the change, though in their study of 5,100 changes from 2009 to 2011, auditors found that those procedures were not always followed. The tax office was unable to locate supporting documents for nearly 20 percent of 225 changes sampled by auditors, their report said.

Auditors also criticized the office for the extent of control given to a handful of super-users, writing: “A long standing business practice is that no individual should have complete control over any transaction from beginning to end. This standard reduces the chance of error or improper transaction occurring.”

The District’s former chief appraiser, David Fitzgibbon, who left the city last year for the same position in Fulton County, Ga., said he was surprised by the audit’s findings. He said he had always believed that the system tracked changes by anyone who used it, including supervisors.

“I don’t know why we would want to have a supervisor or a chief or a department head have the capability to just make a change without having a record of it,” Fitzgibbon said.

The $48 million fraud

Gandhi has been told before about similar vulnerabilities in the tax office.

Five years ago, a manager in the tax office, Harriette Walters, was caught cutting $48 million in refund checks to herself and her friends in a fraud scheme that lasted nearly 20 years. She processed the refunds manually and attached supporting documentation that often did not relate to the property or to the owners who were supposedly receiving the refund. Her supervisors would approve refunds without reviewing them; in some cases, they did not sign off at all.

After Walters was caught, internal auditors conducted a series of reviews, including one that analyzed a computer system used in conjunction with the mass appraisal system. That system, known as the Integrated Tax System (ITS), is used for processing tax bills and refunds.

In January 2008, auditors issued a “management alert” that found that some agency staff members could adjust taxpayer accounts, eliminate penalties and interest, or apply credits with “minimal and inconsistent management supervision.” Auditors also found that the system did not properly track users and potentially allowed employees in other divisions to adjust taxpayer accounts or approve refunds.

“This is a serious internal control issue,” auditors wrote at the time. “With this widespread ability to adjust taxpayer accounts, [the tax office] runs the risk of creating erroneous refunds as well as improperly reducing or removing a taxpayer’s liability.”

In response to the report, newly hired tax chief Cordi said the agency had begun a comprehensive security review and would modify the system to better track users and remove those not authorized to make changes. In a Post story that year, he said, “You’re always vulnerable to an enterprising employee who knows how the controls work.”

Agency officials said this week that changes were made to the ITS system in response to the audit. “We have strict controls over user rights . . . and threshold levels for refund approval,” according to a written statement.

Jennifer Jenkins contributed to this report.