TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
Office of Audit
WEAKNESSES IN BUSINESS RESUMPTION PLANS COULD DELAY RECOVERY FROM A DISASTER
Issued on September 17, 2008
Highlights
Highlights of Report Number: 2008-20-178 to the Internal Revenue Service Chief, Agency-Wide Shared Services.
IMPACT ON TAXPAYERS
Business resumption plans are
designed to help the IRS recover, restore, and resume normal business
operations after a disaster or an emergency.
However, the IRS business resumption plans TIGTA reviewed were not
adequately completed and would not facilitate the efficient recovery of
critical processes. An extended
disruption could affect key processes such as collecting taxes, processing tax
returns and refunds, and responding to taxpayer inquiries. Processing delays could ultimately have a
negative impact on the nation’s economy and future taxpayer compliance.
WHY TIGTA DID THE AUDIT
This audit was initiated as
part of TIGTA’s statutory requirements to annually review the adequacy and
security of IRS technology. The overall
objective was to determine whether the IRS business resumption plans are
adequate to restore critical business processes after a disaster or an
emergency event.
WHAT TIGTA FOUND
The IRS’ ability
to recover its critical processes is strengthened by its extensive redundant
operations and its experience in recovering from previous disasters and
emergency incidents. However, most of
the IRS business resumption plans that TIGTA reviewed lacked detailed planning
and recovery strategies that would facilitate an efficient recovery of the IRS
business processes.
Some business resumption team leaders were cognizant of the recovery
details and strategies, but they did not document this information in their plans. Documentation of the details and strategies
in the business resumption plans would facilitate recovery and could be crucial
if key employees are unavailable after a disaster.
The lack of detail is generally due to control weaknesses
and insufficient oversight. Some
business functions did not establish a review process or a central repository
to ensure the quality and control of the plans.
The IRS created two templates to guide business functions on how to
prepare the plans. However, because use
of the templates was not mandatory, the business functions often used different
templates. In addition, the Emergency
Management and Preparedness Executive Steering Committee, which is responsible
for overseeing the business resumption plans, had met only once since being
established in July 2004.
Plans are
required to be tested and updated each year.
However, 54 percent of the plans that TIGTA reviewed had not been tested
by the business units in Calendar Year 2007.
When plans were tested, the scopes were insufficient to identify gaps,
omissions, and weaknesses. In addition,
38 percent of the plans TIGTA evaluated had not been updated in Calendar Year
2007. TIGTA attributed these conditions
to a lack of emphasis by management.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief, Agency-Wide Shared
Services 1) instruct business units with a significant number of sites to
establish a business resumption coordinator position to perform a quality
review of each plan within the function and to create a central repository to
control the plans, 2) mandate use of the standard templates and require all
business resumption coordinators to periodically brief the Emergency Management
and Preparedness Executive Steering Committee on the completeness and adequacy
of the business resumption plans, 3) develop specific testing requirements and
procedures for business resumption plans based on risk, and 4) instruct the
Emergency Management and Preparedness Executive Steering Committee to require
business units to plan and conduct testing, document test results, and update
business resumption plans annually, as well as monitor testing activities
conducted by the business units.
In their response to the report, IRS officials stated their agreement
with the findings and recommendations. The
IRS plans to coordinate the establishment of full-time business coordinator
positions and to direct the use of standardized continuity templates. The Emergency Management and Preparedness
Executive Steering Committee plans to receive periodic briefings from select
business coordinators. The IRS plans to develop
criteria for a multi-year testing, training, and exercise strategy that will be
consistent with Federal Government continuity directives.
READ THE FULL REPORT
To view the report,
including the scope, methodology, and full IRS response, go to:
http://www.treas.gov/tigta/auditreports/2008reports/200820178fr.html.
Email Address: inquiries@tigta.treas.gov
Phone Number: 202-622-6500
Web Site: http://www.tigta.gov