TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Weaknesses in Business Resumption Plans Could Delay Recovery From a Disaster

 

 

 

September 17, 2008

 

Reference Number:  2008-20-178

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number   |  202-622-6500

Email Address   |  inquiries@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

September 17, 2008

 

 

MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES

 

FROM:                            Michael R. Phillips /s/ Michael R. Phillips

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – Weaknesses in Business Resumption Plans Could Delay Recovery From a Disaster (Audit # 200820013)

 

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) business resumption plans are adequate to restore critical business processes after a disaster or an emergency event.  We reviewed the plans prepared by business functions that perform the IRS’ critical processes at sites where the largest number of employees work.  This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan and was part of the Information Systems Programs business unit’s statutory requirements to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

Business resumption plans are designed to help the IRS recover, restore, and resume normal business operations after a disaster or an emergency.  However, the IRS business resumption plans we reviewed were not adequately completed and would not facilitate the efficient recovery of critical business processes.  An extended disruption to IRS facilities could affect key processes such as collecting taxes, processing tax returns and refunds, and responding to taxpayer inquiries.  Processing delays could ultimately have a negative impact on the nation’s economy and future taxpayer compliance.

Synopsis

The IRS’ ability to recover its critical processes is strengthened by its extensive redundant operations and its experience in recovering from previous disasters and emergency incidents.  However, most of the sample of 65 business resumption plans prepared by IRS business functions that we reviewed lacked detailed planning and recovery strategies that would facilitate an efficient recovery of the IRS business processes.  For example, several plans did not 1) identify an alternate facility and the amount of space, furniture, and equipment needed at the alternate facility, 2) identify information technology systems and applications that are required to recover critical business processes, and 3) document employees’ emergency contact information and the vital records needed by employees to perform their duties.

Some business resumption team leaders were cognizant of the details and strategies they would follow after a disaster, but they did not document this information in their business resumption plans.  Documentation of the recovery procedures and strategies in the business resumption plans would facilitate recovery and could be crucial if key employees are unavailable after a disaster.

The lack of detail in business resumption plans is generally due to control weaknesses and insufficient oversight.  Some business functions did not establish a review process or a central repository to ensure the quality and control of the plans.  The Physical Security and Emergency Preparedness office created two templates to guide business functions on how to prepare the plans.  However, the business functions often used different templates because use of the templates was not mandatory.  In addition, the Emergency Management and Preparedness Executive Steering Committee, which is responsible for overseeing the business resumption plans, has met only once since being established in July 2004.

Comprehensive testing is also crucial to the viability of business resumption plans.  The plans are required to be tested and updated each year.  However, the business units had not tested 35 (54 percent) of the 65 plans in Calendar Year 2007.  When plans were tested, the scopes were insufficient to identify gaps, omissions, and weaknesses in the plans.  In addition, 25 (38 percent) of the 65 plans we evaluated had not been updated in Calendar Year 2007.  We attributed these conditions to a lack of emphasis by management.

Recommendations

To ensure the viability of business resumption plans, the Chief, Agency-Wide Shared Services, should 1) instruct business units with a significant number of sites to establish a business resumption coordinator position to a) perform a quality review of each business resumption plan within the function and b) create and maintain a central repository to control the plans, 2) mandate use of the Physical Security and Emergency Preparedness office templates and require all business resumption coordinators to periodically brief the Emergency Management and Preparedness Executive Steering Committee on the completeness and adequacy of the business resumption plans, 3) develop specific testing requirements and procedures for business resumption plans based on risk, and 4) instruct the Emergency Management and Preparedness Executive Steering Committee to require business units to plan and conduct testing, document test results, and update business resumption plans annually, as well as monitor testing activities conducted by the business units.

Response

The IRS agreed with our recommendations.  The Chief, Agency-Wide Shared Services will 1) coordinate the establishment of full-time business coordinator positions, as appropriate, to enhance the business unit continuity program, and 2) direct the use of standardized continuity templates that will be developed by the Physical Security and Emergency Preparedness office.  The Emergency Management and Preparedness Executive Steering Committee will receive periodic briefings from select business coordinators.  Lastly, the IRS will develop criteria for a multi-year testing, training, and exercise strategy.  This strategy will be consistent with Federal Government continuity directives.  Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

 

 

Table of Contents

 

Background

Results of Review

The Ability to Recover Critical Processes Is Strengthened by Redundant Operations and Experience With Major Disasters

Resumption of Processes Could Be Delayed Due to Inadequate Planning

Recommendations 1 and 2:

Business Resumption Plans Need Comprehensive Testing

Recommendations 3 and 4:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Business Resumption Plans Evaluated

Appendix V – Management’s Response to the Draft Report

 

 

Abbreviations

 

IRS

Internal Revenue Service

PSEP

Physical Security and Emergency Preparedness

 

 

Background

 

Homeland Security Presidential Directive-20[1] requires that Federal Government agencies develop business continuity plans to enable the recovery of critical functions after a disaster or emergency.  To comply with the Directive, the Internal Revenue Service (IRS) must develop and continually update its business continuity plans to enable the efficient recovery of its critical processes.  This goal is difficult due to the wide range of incidents that could disrupt IRS operations such as natural disasters, accidents, power outages, and terrorist attacks.

An extended disruption to IRS facilities could affect key processes such as collecting taxes, processing tax returns and refunds, and responding to taxpayer inquiries.  In Fiscal Year 2007, the IRS processed more than 235 million tax returns and collected almost $2.7 trillion.  The IRS also issued about 117 million refunds totaling $295 billion.  Processing delays could ultimately have a negative impact on the nation’s economy and future taxpayer compliance.

To recover critical processes after an incident, the IRS uses one or more of the following integrated Plans:

·         Incident Management Plan – The overall coordinated actions management must take to ensure recovery and restoration of critical business processes.

·         Occupant Emergency Plan – A set of response procedures and actions taken during the onset of an emergency to minimize the effect of the incident.  It includes building evacuation, shelter-in-place, and employee safety procedures.

·         Business Resumption Plan – A guide to prioritized reestablishment of business processes after an incident.  It includes the advance planning and preparations necessary to minimize loss and ensure continuity of the critical business processes.

·         Disaster Recovery Plan – A guide to recovery of the information technology infrastructure, network, hardware, systems, applications, and operating systems.

The relationship among the four Plans is represented in Figure 1.

Figure 1:  Relationship of IRS Business Continuity Plans

Figure 1 was removed due to its size.  To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

 

We previously reported the results of our review of IRS disaster recovery plans[2] and are currently performing a separate review of IRS incident management plans and occupant emergency plans.  We plan to consolidate results of those reviews with our results in this report that focus on business resumption plans and present them in a subsequent report on the overall IRS business continuity program.

This review was performed in the Office of Agency-Wide Shared Services at the IRS Headquarters in Washington, D.C., and New Carrollton, Maryland; the IRS campuses[3] in Atlanta, Georgia; Austin, Texas; Fresno, California; and Memphis, Tennessee; and the IRS field office in Dallas, Texas, during the period November 2007 through April 2008.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

Results of Review

 

The Ability to Recover Critical Processes Is Strengthened by Redundant Operations and Experience With Major Disasters

The IRS’ ability to recover its critical processes is strengthened by its extensive redundant operations located throughout the nation.  Each critical process is carried out at multiple locations, allowing the IRS to take advantage of its experienced workforce and similarly situated facilities to recover from an emergency.  Even without adequate business resumption plans, we believe that the IRS could redirect work to other locations by making ad hoc decisions.  However, this ability does not diminish the need for business resumption plans.  Upfront planning is necessary to expedite recovery, particularly considering the criticality of some IRS processes.

The IRS can also benefit from its experience in recovering from previous disasters and emergency incidents.  For example:

·         On June 25, 2006, the IRS National Headquarters building flooded during record rainfall and sustained extensive damage to its infrastructure.  IRS officials reported activating several of the agency’s emergency operations plans.  A review by the Government Accountability Office showed that while the IRS plans helped guide its response to the flood, in more severe emergency events, conditions could be less favorable to recovery.[4]

·         Hurricane Katrina made landfall on August 29, 2005.  It caused unprecedented damage to New Orleans, Louisiana, as well as the coastal areas of Mississippi and Alabama.  Hurricane Rita followed less than 1 month later and further damaged New Orleans and the Gulf Coast area of Texas.  The IRS had 25 offices affected by the Hurricanes, many of which were closed for short durations due to sustained power outages.  Five offices received significant damage, which forced closure for longer periods of time.  By taking aggressive actions after the storms, the IRS was able to relocate its employees and restore operations.

·         In 2001 and 2002, a number of government offices received mail or packages that contained or seemed to contain the anthrax virus.  While no IRS facility received any mail that actually contained anthrax, mail-handling procedures were upgraded to address the possibility.  For example, mailrooms in all facilities were isolated, self-contained ventilation systems were installed at all campus mailrooms so that the rooms could be shut off from the remainder of the facilities, and hazardous material training and protective equipment were provided to pertinent employees.

Resumption of Processes Could Be Delayed Due to Inadequate Planning

The IRS Physical Security and Emergency Preparedness (PSEP) office provides detailed guidance to business functions on how to prepare a business resumption plan.  The guidance includes templates for preparing a comprehensive or a simplified plan.  Large sites with a significant number of employees should use the comprehensive template, and smaller sites with few employees should use the simplified template to prepare their business resumption plans.  The PSEP office also provides a Quick Review Checklist with detailed guidance that is commensurate with the requirements in Homeland Security Presidential Directive-20 and the IRS’ internal procedures.

A complete business resumption plan should include details such as:

  • A list and description of critical business processes that are conducted by the business function at the site.
  • Procedures for recovering each of the critical processes and sub-processes described in the business resumption plan.
  • Other locations that perform the same business processes as those performed at the site covered by the plan.
  • The vital records needed by the employees to perform their duties.
  • The amount of space, furniture, and equipment (e.g., copiers, printers, fax machines) that will be required.

Each IRS business function at each site is responsible for developing its own business resumption plan.  Each plan has a point of contact or business resumption team leader responsible for developing and maintaining the plan.  The business resumption team leader or point of contact for each function at each site should ensure that the key details emphasized by the PSEP office are developed and maintained in the function’s business resumption plan. 

However, most of the plans we evaluated lacked detailed planning and recovery strategies that would facilitate an efficient recovery of the IRS business processes.  Our review of a sample of 65 business resumption plans determined that they did not:

·         Include procedures for recovering each of the critical processes and sub-processes described in the business resumption plans – 16 plans (25 percent).

·         Identify an alternate facility that could be used for recovering critical processes – 40 plans (62 percent).  In some instances, an alternate site was not feasible or was deemed cost-prohibitive.  In these instances, the critical processes would be rerouted to another IRS work site.  However, the plans did not document this recovery strategy.

·         Document the amount of space, furniture, and equipment (e.g., copiers, printers, and fax machines) that would be required at the alternate facility – 25 plans (38 percent).

·         Document other locations that perform the same critical business processes and sub-processes as those performed at the site covered by the plan – 43 plans (66 percent).

·         Identify information technology systems and applications that are required to recover critical business processes – 10 plans (15 percent).

·         Identify the vital records needed by the employees to perform their duties – 13 plans (20 percent).  Some business resumption team leaders informed us that they had no vital records.  Others stated that their vital records were electronic and accessible through the IRS network.  However, the business resumption plans did not document these key details and recovery strategies.

·         Include basic contact information such as a list of internal business contacts and emergency contact information – 20 plans (31 percent).

·         Include a list of the employees and their emergency contact information – 21 plans (32 percent).  IRS officials informed us that they have previously used an automated system available to all IRS managers to contact employees because this system is more current and easier to maintain than a contact list in a business resumption plan.  However, this recovery strategy is not documented in the business resumption plans.

To determine whether planning information was documented elsewhere, we followed up on 15 of the 65 business resumption plans in 6 locations by interviewing the business resumption team leaders and reviewing other available documentation.  The indepth reviews confirmed the results of our initial evaluation because we were able to locate sufficient business resumption information in other documentation for only 2 of the 15 plans.

Based on our interviews, we are confident that some business resumption team leaders knew the necessary details and recovery strategies.  However, when details and strategies are not documented, resumption of critical processes could be delayed, particularly if the team leaders are unavailable after an emergency.

The lack of detail in business resumption plans is generally due to control weaknesses and insufficient oversight.  The business resumption plans lack details for several specific reasons.

·         The Wage and Investment Division, Large and Mid-Size Business Division, Small Business/Self-Employed Division, Tax Exempt and Government Entities Division, and Taxpayer Advocate Service[5] did not establish controls adequate to ensure the completeness of each business resumption plan.  The Wage and Investment Division implemented a certification process for business resumption plans at the IRS campuses.  However, the certification process is not a thorough quality review of the contents and viability of the plans.  It does not provide adequate assurance that the plans would enable the business function to efficiently recover the critical processes.

      The Criminal Investigation Division, Chief Financial Officer organization, and Office of Chief Counsel have implemented adequate controls.  These organizations established an independent quality review process for their business resumption plans.  The plans were more complete and included more of the key details and required information.  These functions are also smaller and have fewer employees, sites, and business resumption plans.

·         Inconsistent use of business resumption templates by business functions contributed to preparation of incomplete and inadequate plans.  The PSEP office does not mandate use of its two business resumption plan templates.  Twelve different templates were used by the 8 IRS business functions that prepared the 65 business resumption plans we evaluated.  Some functions used different templates within their own organizations.  Inconsistent use of developed templates increases the risk that plans will be incomplete.

·         In July 2004, the IRS established the Emergency Management and Preparedness Executive Steering Committee to help develop agency-wide policies, standards, and guidelines for continuity planning.  However, this Committee has met only once since December 2007 and has not taken actions sufficient to ensure that business functions adhere to business resumption guidelines.

·         Four of the eight business functions have not established a central repository to control their business resumption plans.  A central repository is necessary to account for all of the plans that should be completed at sites where the business function has operations and to monitor the business resumption program.  A central repository would facilitate the review of the plans, help manage updates to the plans, and ensure ready access to the most current plan in the event of a disaster or an emergency event.

Recommendations

The Chief, Agency-Wide Shared Services, should:

Recommendation 1:  Instruct business units with a significant number of sites to establish a business resumption coordinator position to 1) perform a quality review of each business resumption plan prepared by the business resumption team leader at a site within the function, and 2) create and maintain a central repository in each business unit to account for and control the business resumption plans.

Management’s Response:  The IRS agreed with this recommendation.  The Chief, Agency-Wide Shared Services, will coordinate the establishment of full-time business coordinator positions, as appropriate, to enhance the business unit continuity program.

Recommendation 2:  Require all business functions to use the PSEP office business resumption plan templates and require all functions’ business resumption coordinators to periodically brief the Emergency Management and Preparedness Executive Steering Committee on the completeness and adequacy of the business resumption plans.

Management’s Response:  The IRS agreed with this recommendation.  The Chief, Agency-Wide Shared Services, will direct the use of standardized continuity templates developed by the Physical Security and Emergency Preparedness office.  In addition, the Emergency Management and Preparedness Executive Steering Committee will receive periodic briefings from select business coordinators.

Business Resumption Plans Need Comprehensive Testing

Testing business resumption plans is critical to ensuring the viability of the plans.  Testing validates the recovery strategies, assumptions, and procedures against likely disasters or emergency events.  The gaps and weaknesses in the plans should be identified and documented during comprehensive testing, which allows management to update and strengthen the plans.

Homeland Security Presidential Directive-20 requires Federal Government agencies to conduct annual tests of business resumption plans.  To comply with this Directive and other Directives from the Department of Homeland Security,[6] the PSEP office provided testing guidance to the IRS business functions.  It advised IRS business functions that the best way to determine whether business resumption plans are viable is to train those who have roles and responsibilities identified in the plan and then conduct tests to determine whether the plans work.  This guidance is designed to determine whether team members know and understand their roles and responsibilities and how they relate to those of others.

Generally, five types of tests can be conducted to assess business resumption plans:[7]

  • Checklist test – This test involves reviewing the plan for content, completeness, and adherence to criteria.
  • Tabletop test – The business resumption team meets and verbally describes what activities, procedures, and tasks it will follow.
  • Parallel test – This test evaluates the recovery of processes at alternate sites without disrupting operations at the normal work site.
  • Simulation test – This test is a combination of simulations and actual operations transfers and might require some units to cease operations for the test period.
  • Full-interruption test – The organization activates all components of the business resumption plan.

The IRS does not conduct complete tests in a timely manner to ensure the viability of its business resumption plans.  The business units had not tested 35 (54 percent) of the 65 business resumption plans during Calendar Year 2007.  For the 30 plans that were tested, the scopes consisted of tabletop exercises.  Participants, such as a Senior Commissioner’s Representative,[8] a site coordinator, and a business resumption team leader, met and discussed how they would handle various emergencies or disasters.  This type of testing is insufficient to identify gaps, omissions, and weaknesses in the plans.  In addition, the results and weaknesses identified during the tests were not documented.  As discussed previously, the results of testing should be documented and the business resumption plans should be updated.  In our sample of 65 business resumption plans, 25 (38 percent) had not been updated during Calendar Year 2007.

We attribute the insufficient testing to a lack of emphasis by IRS management.  The IRS procedures for business resumption do not address testing.  The PSEP office web site does not provide specific testing requirements.  The PSEP office acknowledges that tabletop exercises are the most common type of testing at the IRS, but it does not require or encourage more comprehensive testing of the business resumption plans.

Lack of comprehensive testing results in weak plans that will not facilitate the efficient recovery of the IRS’ critical business processes.  The weaknesses in the plans will become evident after a disaster or an emergency occurs.

Recommendations

The Chief, Agency-Wide Shared Services, should:

Recommendation 3:  Develop specific testing requirements and procedures for business resumption plans based on risk.  Critical processes such as those we reviewed should be tested using comprehensive testing techniques such as parallel, simulation, or full-interruption tests.

Management’s Response:  The IRS agreed with this recommendation.  The Chief, Agency-Wide Shared Services, will develop criteria for a multi-year testing, training, and exercise strategy.  This strategy will be consistent with Federal Government continuity directives.

Recommendation 4:  Instruct the Emergency Management and Preparedness Executive Steering Committee to 1) require business units to plan and conduct testing, document test results, and update business resumption plans annually, and 2) monitor testing activities conducted by the business units to ensure that the scopes of tests are sufficient to identify gaps and weaknesses in the plans.

Management’s Response:  The IRS agreed with this recommendation.  The Chief, Agency-Wide Shared Services, will develop a multi-year testing, training, and exercise strategy that is consistent with Federal Government continuity directives.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to determine whether the IRS business resumption plans are adequate to restore critical business processes after a disaster or an emergency event.  To accomplish this objective, we:

I.                   Determined whether the IRS had prepared business resumption plans that addressed all critical processes.

A.    For the 2,643 business resumption plans required by the IRS, determined the number of plans that had not been completed.

B.     For those plans that had not been completed, determined the cause and whether the plans should have addressed any of the critical processes.

II.                Determined whether business resumption plans were prepared in accordance with Federal Emergency Management Agency, Department of the Treasury, and IRS guidelines.

A.    Identified prior (IRS, Treasury Inspector General for Tax Administration, and Government Accountability Office) business resumption plan recommendations and determined the status of their implementation.

B.     Reviewed the templates developed by the IRS for preparation of a business resumption plan to determine whether they were complete, adhered to guidance and criteria, and addressed each of the IRS’ 18 critical business processes.

C.     Selected a sample of locations carrying out critical business processes and reviewed their business resumption plans to determine whether a plan existed, was current, and was complete.  To select the plans, we identified the IRS’ critical processes, the business units that perform these processes, and the buildings in which the highest number of employees who perform these critical processes are located.  We selected 70 business resumption plans (from a population of 2,643 plans) for locations where critical processes are performed by the largest number of employees.  We used judgmental sampling because a random sample would have yielded some sites where few employees work.  We selected only sites where a disaster would affect the most number of employees and cause the biggest disruption.  Because some plans covered more than 1 location, we received and reviewed 65 plans (see Appendix IV for details about the plans selected).

1.      Determined whether a committee or working group was established to prepare the plan and, if so, determined the members of the committee.

2.      Determined whether the plans contained the following elements:

·         List of critical personnel.

·         Identification of vital records and backup location.

·         Critical equipment needs.

·         Names and telephone numbers for purposes of recovery/replacement/repair of equipment, records, etc.

·         Emergency telephone numbers.

·         Security requirements.

·         Communication needs.

III.             Determined whether the IRS conducted timely and complete tests to ensure the viability of business resumption plans in the event of an incident.

A.    Determined whether the IRS had implemented adequate policies and procedures to ensure that plans are tested and maintained.

1.      Identified the methodology used by IRS management to monitor the status of business resumption plan training and testing nationwide.

2.      For the 65 sampled business resumption plans, determined whether they had been properly tested.  For any plan that had not been tested, we determined the cause.

3.      Evaluated the methods used to assess the test results to ensure timely implementation of plan modifications as necessary.

B.     Reviewed the results of tests on sampled business resumption plans to determine whether weaknesses identified during testing were corrected in a timely manner.

1.      Identified who was responsible for taking corrective actions on weaknesses identified during testing of the business resumption plans.

2.      Reviewed the results of documented training, testing, and exercises and determined whether the actions to correct the weaknesses were completed in a timely manner.

IV.             Evaluated the National Headquarters office methodology for monitoring the business resumption plan program.

A.    Determined where and how business resumption plans were maintained.

B.     Determined whether business resumption plans were reviewed for quality independently of the preparer.

C.     Determined whether a “change control process” was used to update and revise plans.

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)

Preston Benoit, Acting Assistant Inspector General for Audit (Information Systems Programs)

Stephen Mullins, Director

William Allen Gray, Audit Manager

David Brown, Senior Auditor

George Franklin, Senior Auditor

Michelle Griffin, Senior Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Deputy Commissioner for Services and Enforcement  SE

Chief Counsel  CC

National Taxpayer Advocate  TA

Commissioner, Large and Mid-Size Business Division  SE:LM

Commissioner, Small Business/Self-Employed Division  SE:S

Commissioner, Tax Exempt and Government Entities Division  SE:T

Commissioner, Wage and Investment Division  SE:W

Chief, Criminal Investigation  SE:CI

Chief Financial Officer  OS:CFO

Chief Information Officer  OS:CIO

Director, Agency-Wide Shared Services, Employee Support Services  OS:A:ESS

Director, Agency-Wide Shared Services, Physical Security and Emergency Preparedness  OS:A:PSEP

Director, Program Oversight  OS:CIO:SM:PO

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons:

Chief, Agency-Wide Shared Services  OS:A

Chief Information Officer  OS:CIO

 

Appendix IV

 

Business Resumption Plans Evaluated

 

We reviewed 65 business resumption plans from 8 IRS business operating divisions that perform the highest number of critical processes.  We also selected plans at sites where the highest number of employees would be affected by a disaster or an emergency event.  Figure 1 identifies the number of plans we evaluated from each of the eight business operating divisions.  Figure 2 identifies the specific office locations for the plans reviewed.

Figure 1:  Business Resumption Plans Reviewed
(by Business Operating Division)

Chief Financial Officer

2

Criminal Investigation Division

5

Large and Mid-Size Business Division

11

Office of Chief Counsel

4

Small Business/Self-Employed Division

13

Tax Exempt and Government Entities Division

5

Taxpayer Advocate Service[9]

12

Wage and Investment Division

13

Total

65

Source:  Our review of a sample of business resumption plans.

Figure 2:  Business Resumption Plans Reviewed (by Location)

Business Operating Division

Bldg. No.

City

State

Chief Financial Officer

WV0171

Beckley

West Virginia

 

DC0022

Washington

District of Columbia

Criminal Investigation Division

DC0022

Washington

District of Columbia

 

KY2020

Florence

Kentucky

 

CA7347

Fresno

California

 

IL0236

Chicago

Illinois

 

PA0277

Philadelphia

Pennsylvania

Large and Mid-Size Business Division

NY7013

New York

New York

 

TX0298

Houston

Texas

 

TX0302

Farmers Branch

Texas

 

IL0236

Chicago

Illinois

 

CA6218

Glendale

California

 

CA0154

San Francisco

California

 

GA2004

Atlanta

Georgia

 

DC9914

Washington

District of Columbia

 

CA6116

San Jose

California

 

IL2337

Downers Grove

Illinois

 

CA0521

Laguna Niguel

California

Office of Chief Counsel

DC0022

Washington

District of Columbia

 

NY7282

New York

New York

 

TX0302

Farmers Branch

Texas

 

IL2177

Chicago

Illinois

Small Business/Self-Employed Division

NY0376

Holtsville

New York

 

PA0462

Philadelphia

Pennsylvania

 

TN0005

Memphis

Tennessee

 

KY3005

Covington

Kentucky

 

UT1434

Ogden

Utah

 

MD0278

New Carrollton

Maryland

 

MI1951

Detroit

Michigan

 

CA0281

Oakland

California

 

NY7013

New York

New York

 

CA0150

Los Angeles

California

 

IL0236

Chicago

Illinois

 

CO1656

Denver

Colorado

 

PA6520

Philadelphia

Pennsylvania

Taxpayer Advocate Service

GA2014

Atlanta

Georgia

 

DC0022

Washington

District of Columbia

 

PA0727

Philadelphia

Pennsylvania

 

TX0058

Dallas

Texas

 

TX2038

Austin

Texas

 

WA0101

Seattle

Washington

 

NY7243

Holtsville

New York

 

TN0005

Memphis

Tennessee

 

KY3005

Covington

Kentucky

 

FL0067

Jacksonville

Florida

 

GA0087

Atlanta

Georgia

 

MO1937

Kansas City

Missouri

Tax Exempt and Government Entities Division

OH0189

Cincinnati

Ohio

 

DC0560

Washington

District of Columbia

 

NY6470

Brooklyn

New York

 

MD0055

Baltimore

Maryland

 

TX0284

Dallas

Texas

Wage and Investment Division

MO1937

Kansas City

Missouri

 

CA4664

Fresno

California

 

TX2038

Austin

Texas

 

GA1016

Atlanta

Georgia

 

KY0085

Covington

Kentucky

 

UT0036

Ogden

Utah

 

MA0137

Andover

Massachusetts

 

GA0010

Atlanta

Georgia

 

CA7456

Fresno

California

 

TX1962

Austin

Texas

 

KY2032

Covington

Kentucky

 

UT1428

Ogden

Utah

 

NY0376

Holtsville

New York

Source:  Our review of a sample of business resumption plans.

To determine whether required planning details were documented in peripheral business resumption plan documents, we visited the locations identified in Figure 3 and interviewed the point of contact or business resumption team leader.  We requested the key business resumption information we had found lacking in the business resumption plans and conducted an indepth review for the 15 business resumption plans, which we selected from the above list of 65 plans.

Figure 3:  Offices Visited to Review Business Resumption Plans

Business Operating Division

Bldg. No.

City

State

Large and Mid-Size Business Division

GA2004

Atlanta

Georgia

Taxpayer Advocate Service

GA2014

 

 

Taxpayer Advocate Service

GA0087

 

 

Wage and Investment Division

GA1016

 

 

Wage and Investment Division

GA0010

 

 

 

 

 

 

Taxpayer Advocate Service

TX2038

Austin

Texas

Wage and Investment Division

TX2038

 

 

Wage and Investment Division

TX1962

 

 

 

 

 

 

Large and Mid-Size Business Division

TX0302

Dallas

Texas

Taxpayer Advocate Service

TX0058

 

 

 

 

 

 

Wage and Investment Division

CA4664

Fresno

California

Wage and Investment Division

CA7456

 

 

 

 

 

 

Small Business/Self-Employed Division

TN0005

Memphis

Tennessee

Taxpayer Advocate Service

TN0005

 

 

 

 

 

 

Small Business/Self-Employed Division

MD0278

New Carrollton

Maryland

Source:  Our review of a sample of business resumption plans.

 

Appendix V

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

 



[1] National Continuity Policy, dated May 4, 2007 (also known as National Security Presidential Directive–51).  This Directive establishes a comprehensive national policy on the continuity of Federal Government structures and operations and a single National Continuity Coordinator responsible for coordinating the development and implementation of Federal Government continuity policies.

[2] Disaster Recovery Issues Have Not Been Effectively Resolved, but Progress Is Being Made (Reference Number 2008-20-061, dated February 29, 2008).

[3] Campuses are the data processing arm of the IRS.  They process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

[4] IRS EMERGENCY PLANNING:  Headquarters Plans Supported Response to 2006 Flooding, but Additional Guidance Could Improve All Hazard Preparedness (GAO-07-579, dated April 2007).

[5] The Taxpayer Advocate Service is an independent organization within the IRS created by Congress to help taxpayers resolve problems with the IRS and recommend changes to prevent the problems.

[6] Homeland Security Presidential Directive-5, Management of Domestic Incidents; Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection; and Homeland Security Presidential Directive-8, National Preparedness.

[7] Akhtar Syed and Afsar Syed, Business Continuity Planning Methodology (Mississauga, Ontario, Canada:  Sentryx, 2004), 203-213.

[8] The individual designated by the IRS Commissioner to serve as the point of contact on matters affecting more than one IRS Division in a specified geographical area.

[9] The Taxpayer Advocate Service is an independent organization within the IRS created by Congress to help taxpayers resolve problems with the IRS and recommend changes to prevent the problems.