TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Emergency Preparedness at Internal Revenue Service Facilities Needs to Be Improved

 

 

 

September 17, 2008

 

Reference Number:  2008-10-148

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number   |  202-622-6500

Email Address   |  inquiries@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

September 17, 2008

 

 

MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES

 

FROM:                            Michael R. Phillips /s/ Michael R. Phillips

Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – Emergency Preparedness at Internal Revenue Service Facilities Needs to Be Improved (Audit # 200710043)

 

This report presents the results of our review of emergency preparedness in the Internal Revenue Service (IRS).  The overall objective of this review was to determine whether the IRS Incident Management Plan (IMP) and Occupant Emergency Plan (OEP) are adequate tools to address incidents and emergencies at IRS facilities.  This audit was included in the Treasury Inspector General for Tax Administration Annual Audit Plan for Fiscal Year 2008.  It is part of an overall strategy to evaluate the adequacy and viability of the suite of emergency plans that the IRS has in place.

Impact on the Taxpayer

An IMP and an OEP are designed to protect employees and visitors in IRS facilities; implement a clear command structure; and guide incident stabilization, assessment, and recovery efforts in the event of an emergency.  However, these plans were not always complete or subject to regular exercises or tests to ensure readiness.  As a result, we believe that in the event of an actual emergency such as a terrorist attack or natural disaster, these deficiencies could result in delays in safeguarding employees and visitors and in beginning efforts to recover critical business processes such as collecting tax revenue, processing tax refunds, and responding to taxpayer inquiries. 

Synopsis

Emergency situations are unpredictable and can happen very quickly.  To ensure the safety of its employees and quickly recover critical processes after an incident or emergency, the IRS relies on four integrated plans.[1]  This review focused on the two plans that are normally activated first in the response and recovery process.  The IMP addresses the overall command structure that will be implemented in the event of an emergency to coordinate all aspects of the response and recovery.  The OEP provides instructions needed to safely evacuate people from a facility or to shelter them in place, which is the first priority.  Overall, although the IRS has plans in place for these two critical processes, we believe that the IRS’ emergency preparedness in these two areas is insufficient to ensure a quick response and reaction to emergency situations affecting people, buildings, and services. 

Specifically, our review of the IMPs for 39 randomly selected facilities with IRS employees identified that the plans did not always include the information necessary for a timely and effective response.  For example, the location of the primary Emergency Operations Center and/or the backup Emergency Operations Center was not identified for 28 (72 percent) of the 39 facilities sampled.  In addition, an alternate to the Incident Commander was not identified for 16 (41 percent) of the 39 facilities, and a backup for 1 or more other key incident management staff was not identified in 32 (82 percent) of the 39 facilities.  Finally, a general description of the IRS business functions located at the site and current contact information for the applicable functional Business Resumption Coordinators were not included in the IMPs of 35 (90 percent) of the 39 facilities sampled.  This lack of key information could result in confusion, duplication of effort, and a breakdown in communication and coordination of efforts if IRS staff relied on these plans in the event of an emergency. 

Also, IMP exercises were not routinely performed at large IRS facilities.[2]  Specifically, an IMP exercise was not performed during either Fiscal Year 2006 or 2007 at 3 (50 percent) of the 6 IRS facilities with 250 or more employees included in our sample.  The three facilities at which no exercise was performed included two field offices and a Computing Center.[3]  We also found that where exercises were performed, detailed documentation regarding the scope, deficiencies identified, and actions taken to address those deficiencies was not maintained in two of the three sites.

Finally, although the IRS had prepared an OEP for each of the 15 sampled facilities in which it was the primary tenant, testing of these plans was not routinely performed.  Specifically, occupant evacuation testing was not performed in Calendar Year 2007 in 5 (33 percent) of the 15 buildings.  For buildings where evacuation testing was performed, information regarding key test results (e.g., whether employees were evacuated in a timely manner, disabled employees were properly evacuated, employees properly reported to assigned assembly areas, and alarms functioned properly) was generally not recorded.  In the event of an emergency, properly tested plans can reduce the threat to the safety of IRS employees.

Recommendations

We recommended that the Chief, Agency-Wide Shared Services, 1) revise the IMP template and associated procedures to better emphasize requirements and require that all IMPs be periodically reviewed to ensure that they are complete and accurate, 2) develop procedures requiring that all significant IRS sites perform IMP exercises on a routine basis and document the results, and 3) continue efforts to implement a checklist to record the key results of OEP evacuation testing and to develop a methodology for tracking the completion of this testing.

Response

The Chief, Agency-Wide Shared Services, agreed with all of our recommendations and provided planned actions to address them.  These actions include 1) revising the IMP template and procedures, 2) developing criteria for a multi-year IMP testing, training, and exercise strategy, and 3) continuing to improve the process for monitoring evacuation tests.  Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Nancy A. Nakamura, Assistant Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs), at (202) 622-3837.

 

 

Table of Contents

 

Background

Results of Review

Incident Management Plans Did Not Always Include Information Sufficient to Address Potential Emergencies Effectively and in a Timely Manner

Recommendations 1 and 2:

Occupant Emergency Plans Were Not Routinely Tested

Recommendation 3:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management’s Response to the Draft Report

 

 

Abbreviations

 

 

 

Background

 

Federal Government agencies are required to develop plans that will enable them to continue their essential functions across a broad spectrum of emergencies.

To address security threats and significant emergencies, including manmade and natural catastrophes, Federal Government agencies are required to develop plans that will enable them to continue their essential functions across a broad spectrum of emergencies.  The types, magnitude, and locations of emergencies are unpredictable, and these situations can happen very quickly.  To be ready for such urgent situations, Federal Government agencies are expected to have effective strategies, people, and mission critical priorities already identified and appropriate plans in place that are readily available and can be used on a moment’s notice.

Homeland Security Presidential Directive-20[4] requires Federal Government agencies to develop business continuity plans to enable the recovery of critical Government functions after a disaster or emergency event.  To comply with the Directive, the Internal Revenue Service (IRS) must develop and continuously update its continuity plans to enable the efficient recovery of its critical processes, such as collecting taxes, processing tax returns and refunds, and responding to taxpayer inquiries.  This goal is complicated by the wide range of incidents that could disrupt IRS operations such as acts of nature, technological failures, or terrorist attacks like chemical, biological, nuclear, or radiological events or accidents.

Because the IRS could redirect work from 1 of its 10 campuses[5] to another campus if needed, the loss of a campus would not cause the IRS to completely lose a critical process nationwide.  However, the inability to efficiently recover a campus or large site would impose a strain on both the IRS and potentially millions of taxpayers.  In Fiscal Year 2007, the IRS processed more than 235 million tax returns and collected almost $2.7 trillion.  The IRS also issued about 117 million refunds totaling $295 billion.  Inefficient recovery at a smaller IRS site, while not having as severe an impact, could still adversely affect ongoing compliance efforts.  At the time of our review in November 2007, the IRS had employees in 667 different facilities across the United States. 

To ensure the safety of its employees and quickly recover critical processes after an incident or emergency, the IRS relies on four integrated plans.  The IRS would execute one or more of the following plans depending on the severity of the incident or emergency:

• Occupant Emergency Plan (OEP) – This plan protects employees and visitors in IRS facilities, who are the first priority in any emergency situation.  It provides instructions needed to safely evacuate people from a facility or to shelter them in place. 
• Incident Management Plan (IMP) – This plan addresses the overall command structure (team) that will be implemented in the event of an emergency.  The focus of this command team is assessment, evaluation, coordination, and strategy development as events occur.  This plan is the umbrella under which all the other plans operate.
• Business Resumption Plan – After the people in the building are taken care of, this plan is used to recover and restore disrupted business processes in affected facilities.  The plan identifies business processes, resumption strategies, people, vital records, information technology systems, and other supporting assets.
• Disaster Recovery Plan – This plan is used to recover and restore disrupted information technology systems and data.  It identifies systems, procedures for recovering them, and the process for restoring operations at an alternate site.

The relationship among the four plans is represented by the following graphic:

The graphic was removed due to its size.  To see the graphic, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

 

This graphic shows the primary purposes of the four plans, their relationship to one another, and the breadth of the IMP, which addresses the entire incident from the moment it occurs through the eventual resumption of normal IRS processes and activities.  We previously reported the results of our review of the IRS Disaster Recovery Plans[6] and are currently performing a separate review of the IRS Business Resumption Plans.

This review was performed at the IRS National Headquarters in Washington, D.C., in the office of Agency-Wide Shared Services during the period November 2007 through May 2008.  Site visits were made to Austin, Texas; Atlanta, Georgia; Covington, Kentucky; Dallas, Texas; Denver, Colorado; Fresno, California; Jacksonville, Florida; Kearneysville, West Virginia; and Nashville, Tennessee.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

The IRS has significant experience in recovering from disasters and emergency incidents.  For example, on June 25, 2006, the IRS National Headquarters building flooded during record rainfall and sustained extensive damage to its infrastructure.  A review by the Government Accountability Office indicated that, while the IRS emergency operations plans helped guide its response to the flood, in more severe emergency events, conditions could be less favorable to recovery.

To ensure the safety of its employees and quickly recover critical processes after an incident or emergency, the IRS relies on four integrated plans.  Our review focused on the two plans that are normally activated first in the response and recovery process.  The IMP addresses the overall command structure that will be implemented in the event of an emergency to coordinate all aspects of the response and recovery.  The OEP provides instructions needed to safely evacuate people from a facility or to shelter them in place, which is the first priority. 

Overall, although the IRS has plans in place for these two critical processes, we believe that the IRS’ emergency preparedness in these two areas is insufficient to ensure a quick response and reaction to emergency situations affecting people, buildings, and services.  As a result, we believe that in the event of an actual emergency such as a terrorist attack or natural disaster, these deficiencies could result in delays in safeguarding employees and visitors and in beginning efforts to recover critical business processes such as collecting tax revenue, processing tax refunds, and responding to taxpayer inquiries.

Our review of these plans identified two areas in which the IRS’ emergency preparedness efforts need to be enhanced. 

• IMPs did not always include information sufficient to allow the IRS to address potential emergencies at its facilities effectively and in a timely manner, and the plans were not subject to regular exercises to ensure readiness.
• OEPs were not routinely tested.

Incident Management Plans Did Not Always Include Information Sufficient to Address Potential Emergencies Effectively and in a Timely Manner

The purpose of an IMP is to designate, in advance, the specific personnel and command structure that will be activated in the event of an incident such as a hurricane, flood, or terrorist act affecting a facility with IRS employees.  The IMP accomplishes this by establishing a structure to ensure that requests for services and support are controlled, coordinated, and addressed in priority order.  A critical component of this process is the establishment of an Emergency Operations Center, which is usually an offsite location where the incident management team will meet to begin addressing the emergency.  The incident management team is typically activated following the evacuation of employees and taxpayers from the facility.  The focus of this team is assessment, evaluation, coordination, and strategy development. 

To assist with preparation of the IMPs, the office of Agency-Wide Shared Services Physical Security and Emergency Preparedness function provided general guidance and a standard template for use as a starting point.  Development of the individual plans for each IRS facility is the responsibility of the Directors at the Computing Centers[7] and campuses and the Senior Commissioner’s Representatives[8] for the field offices.  

Our review of the IMPs for 39 randomly selected facilities with IRS employees identified that the plans did not always include the information necessary for the IRS to respond to emergencies effectively and in a timely manner.  Specifically:

• The location of the primary Emergency Operations Center and/or a backup Emergency Operations Center was not identified for 28 (72 percent) of the 39 facilities. 
• An alternate to the Incident Commander,[9] in the event that the Commander is unavailable or cannot be quickly reached, was not identified for 16 (41 percent) of the 39 facilities.  In addition, a backup for 1 or more other key incident management staff was not identified in 32 (82 percent) of the 39 facilities. 
• An Initial Incident Commander, who would manage the response to an emergency until the Incident Commander could take over, was not identified in 12 (34 percent) of the 35 facilities we sampled where the Incident Commander was not physically located in the building.  For example, at 1 site we reviewed, the Incident Commander was located more than 200 miles from the site. 
• A general description of the nature of the IRS business functions located at the site and complete and current contact information for the applicable functional Business Resumption Coordinators were not included in the IMPs of 35 (90 percent) of the 39 facilities.  Business resumption is the process of returning IRS functions located in the facility to operational status.

This lack of key information could result in confusion, duplication of effort, and a breakdown in communication and coordination of efforts if IRS staff relied on these plans in the event of an emergency. 

The Incident Commanders and their staffs we interviewed at nine judgmentally selected IRS facilities generally understood their roles and responsibilities and indicated that IMPs were useful tools to have available.  However, because no one can predict who will and will not be available in the event of a real emergency, it is critical that backup staff be identified and familiar with the position as well.  Similarly, establishing a backup Emergency Operations Center in advance could eliminate potential confusion during an emergency and prevent delays in the initial response to an incident. 

We also found that IMP exercises were not routinely performed at large facilities,[10] which leaves the IRS at risk of being unprepared in the event of an actual emergency.  To ensure readiness for potential emergencies, the IRS relies on two types of IMP exercises.  Functional exercises are conducted annually at each IRS campus and involve the IMP and Business Resumption Plan staffs working through a pre-scripted scenario such as a hurricane or flood to determine if the procedures are valid.  Tabletop exercises are less formal exercises based on a general discussion of how a particular incident would be handled and might involve just one plan such as the IMP.  To facilitate performance of these exercises, the Physical Security and Emergency Preparedness function prepared a list of exercise scenarios.

However, in 3 (50 percent) of the 6 IRS facilities with 250 or more employees included in our random sample, an IMP exercise was not performed during Fiscal Years 2006 and 2007.  The three facilities at which no exercise was performed included two field offices and a Computing Center.  We also found that where exercises were performed, detailed documentation regarding the scope, deficiencies identified, and actions taken to address those deficiencies was not maintained in two of the three sites.  As a result, information accrued from these exercises is not available to assist the IRS in its efforts to assess and improve its overall incident readiness.  Because these plans deal with people and critical IRS operations, deficiencies must be corrected.  If the deficiencies are not addressed, the IRS facility and its occupants could be jeopardized in the event of a real emergency.

We attribute these conditions primarily to the lack of specific guidance regarding 1) the critical information that needs to be included in the IMP for each facility, 2) the need to schedule routine exercises involving IMPs at all large IRS facilities, and 3) the need to document the results of IMP exercises.  For example, although during our fieldwork the IRS did implement a requirement that an exercise be performed at all IRS field offices with more than 100 employees by September 2008, this requirement relates only to Fiscal Year 2008.  In addition, the requirement does not specify that the results of tests should be documented to facilitate analysis of agency-wide trends and best practices and does not address exercises at Computing Centers.

IMPs that are incomplete and/or not routinely tested could result in delays in the stabilization of an incident, which could lead to delays in implementing the Business Resumption Plans and getting the IRS back to full operation after an emergency such as a flood or hurricane.  The first 72 hours of a disaster, as demonstrated by calamities such as Hurricane Katrina, are a critical period in which the appropriate response can make a difference.  Depending on the work done at the building, delays can have a measurable effect on tax administration because the IRS could be forced to divert resources from other areas to make up for the lost work at the building affected by the emergency.

Recommendations

The Chief, Agency-Wide Shared Services, should:

Recommendation 1:  Revise the IMP template and associated procedures to 1) better emphasize the need to ensure that both primary and backup Emergency Operations Center locations are specified, backups are specified for all key incident management staff, an initial Incident Commander is identified where appropriate, a general description of the nature of IRS business functions located at the site is listed, and complete and current contact information for the applicable functional Business Resumption Coordinators is specified, and 2) require that all IMPs be periodically reviewed to ensure that they are complete and accurate.

Management’s Response:  IRS management agreed with the recommendation.  Management in the office of Agency-Wide Shared Services plans to revise the IMP template and procedures to incorporate the actions outlined in this recommendation.

Recommendation 2:  Develop procedures requiring that 1) all significant IRS sites, including Computing Centers, perform IMP exercises on a routine basis, and 2) the results of these exercises, including any plan weaknesses identified, be documented to facilitate an ongoing, agency-wide analysis of trends and best practices.

Management’s Response:  IRS management agreed with the recommendation.  Management in the office of Agency-Wide Shared Services plans to develop criteria for a multi-year testing, training, and exercise strategy consistent with Federal Government continuity directives that will also address action item follow-ups and/or lessons learned.

Occupant Emergency Plans Were Not Routinely Tested

The purpose of an OEP is to protect employees and visitors at IRS facilities by providing the instructions needed to safely evacuate people from the facility in the event of an emergency.  An OEP is a short-term emergency response program that establishes procedures for safeguarding lives and property during emergencies at a specific facility and contains two key components:  1) procedures for evacuation; and 2) formation of an Occupant Emergency Organization.  Occupant Emergency Organizations are comprised of employees of the various Federal Government agencies who occupy a facility. 

The Physical Security and Emergency Preparedness function provides oversight and guidance for the development of OEPs for facilities with IRS employees.  Where facilities are shared with other Federal Government agencies, the other Federal agency might be responsible for preparing the OEP, depending on which agency is the primary tenant.  The Physical Security and Emergency Preparedness function also has overall responsibility for performing exercises related to the OEP, except when another Federal Government agency is the primary tenant and therefore responsible for the OEP and the associated exercises.  The most common type of exercise involving the OEP is an evacuation test, commonly known as a fire drill.  Evacuation tests must be performed annually for all IRS facilities and the results documented.

The IRS had prepared an OEP for each of the 15 facilities we sampled in which it was the primary tenant and therefore responsible for the plan’s preparation.  The plans were current and adequately identified the key personnel and alternates responsible for the facilities’ evacuation in the event of an emergency.  The plans also contained facility-specific emergency contact information and a general description of the facility characteristics.  An OEP had also been prepared for the other 24 facilities we sampled.[11]

However, occupant evacuation testing was not performed in Calendar Year 2007 in 5 (33 percent) of the 15 buildings where the IRS was the primary Federal Government tenant.  For the buildings where evacuation testing was performed, information regarding key test results (e.g., whether employees were evacuated in a timely manner, disabled employees were properly evacuated, employees properly reported to assigned assembly areas, and alarms functioned properly) was generally not recorded.  In the event of an emergency, properly tested plans can reduce the threat to the safety of IRS employees.

We attribute these conditions primarily to the lack of comprehensive guidance regarding the need to adequately document the results of evacuation tests and the lack of a reliable methodology for monitoring the timely completion of these tests.  During our audit fieldwork, the Physical Security and Emergency Preparedness function initiated new procedures to improve controls over OEP exercises.  It developed an emergency evacuation checklist that will provide documentation of the effectiveness of evacuation tests and will address issues such as whether employees quickly exited the building, alarms worked properly, evacuation team members knew their roles, and employees reported to assigned assembly areas.  This checklist will be used for all tests conducted after August 1, 2008.  The Physical Security and Emergency Preparedness function is also improving the overall process for monitoring evacuation tests by better defining roles and responsibilities at each level of involvement and by developing a methodology to track completion of these tests.  These new procedures are scheduled to take effect during the first quarter of Fiscal Year 2009.

Recommendation

Recommendation 3:  The Chief, Agency-Wide Shared Services, should continue efforts to implement a checklist to record the key results of evacuation testing and to develop a methodology for tracking the completion of OEP evacuation testing.

Management’s Response:  IRS management agreed with the recommendation.  Management in the office of Agency-Wide Shared Services plans to continue improving the process for monitoring evacuation tests.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to determine whether the IMP and OEP are adequate tools to address incidents and emergencies at IRS facilities.  This audit was a regularly scheduled review and was included in the Treasury Inspector General for Tax Administration Annual Audit Plan for Fiscal Year 2008.  To accomplish our objective, we:

I.          Determined whether controls and procedures in the office of Agency-Wide Shared Services have ensured that IMPs have been properly developed and implemented.

A.  Contacted managers and obtained IMPs and documentation for any tests or drills for 39 IRS facilities (37 field offices, 1 campus[12] and 1 Computing Center[13]).  We randomly selected a statistically valid attribute sample of 39 facilities from the total population of 667 IRS facilities as of November 2007.  Our sample was selected to achieve a confidence level of 80 percent, an expected rate of occurrence of 10 percent, and a precision level of ±6 percent. 

B.  Determined whether the IRS has implemented adequate policies and procedures to ensure that plans are periodically tested, results of the tests are documented, and corrective actions are implemented in a timely manner.

C.  Interviewed the Senior Commissioner’s Representatives[14] and the incident management staff at nine locations (four campuses, one Computing Center, and four field offices), judgmentally selected from the population of 667 IRS facilities as of November 2007, and obtained their input regarding the usefulness of the IMP as a tool in dealing with incidents at IRS facilities and to verify whether the command staff knew their roles.  We used judgmental sampling to focus the interviews on staff at campuses and large field offices.

II.        Determined whether controls and procedures in the office of Agency-Wide Shared Services have effectively ensured that OEPs have been properly prepared.

A.  Contacted IRS managers and ascertained whether 1) the 39 facilities selected in Step I.A. are covered by an OEP and 2) the plans are complete and current for the 15 facilities in which the IRS is the primary tenant and therefore responsible for preparing the plan.

B.  Determined whether OEPs have been routinely tested and reviewed for the 15 facilities in which the IRS is the primary tenant.

 

Appendix II

 

Major Contributors to This Report

 

Nancy A. Nakamura, Assistant Inspector General for Audit (Headquarters Operations and Exempt Organizations Programs)

Alicia P. Mrozowski, Director

Anthony J. Choma, Audit Manager

Kevin P. Riley, Audit Manager

Tom J. Cypert, Lead Auditor

David P. Robben, Senior Auditor

Angela Garner, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Commissioner for Services and Enforcement  SE

Commissioner, Large and Mid-Size Business Division  SE:LM

Commissioner, Small Business/Self-Employed Division  SE:S

Commissioner, Tax Exempt and Government Entities Division  SE:T

Commissioner, Wage and Investment Division  SE:W

Chief Counsel  CC

National Taxpayer Advocate  TA

Chief Information Officer  OS:CIO

Director, Employee Support Services, Agency-Wide Shared Services  OS:A:ESS

Director, Physical Security and Emergency Preparedness, Agency-Wide Shared Services  OS:A:PSEP

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons:

Chief, Agency-Wide Shared Services  OS:A

Commissioner, Large and Mid-Size Business Division  SE:LM

Commissioner, Small Business/Self-Employed Division  SE:S

Commissioner, Tax Exempt and Government Entities Division  SE:T

Commissioner, Wage and Investment Division  SE:W

 

Appendix IV

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.