TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
Weaknesses in Business Resumption Plans Could Delay Recovery From a Disaster
September 17, 2008
Reference Number: 2008-20-178
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Phone Number |
202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov
September 17, 2008
MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – Weaknesses in Business Resumption Plans Could Delay Recovery From a Disaster (Audit # 200820013)
This report presents the results of our review to determine whether the Internal Revenue Service (IRS) business resumption plans are adequate to restore critical business processes after a disaster or an emergency event. We reviewed the plans prepared by business functions that perform the IRS’ critical processes at sites where the largest number of employees work. This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan and was part of the Information Systems Programs business unit’s statutory requirements to annually review the adequacy and security of IRS technology.
Impact on the Taxpayer
Business resumption plans are designed to help the IRS recover, restore, and resume normal business operations after a disaster or an emergency. However, the IRS business resumption plans we reviewed were not adequately completed and would not facilitate the efficient recovery of critical business processes. An extended disruption to IRS facilities could affect key processes such as collecting taxes, processing tax returns and refunds, and responding to taxpayer inquiries. Processing delays could ultimately have a negative impact on the nation’s economy and future taxpayer compliance.
Synopsis
The IRS’ ability to recover its critical processes is strengthened by its extensive redundant operations and its experience in recovering from previous disasters and emergency incidents. However, most of the sample of 65 business resumption plans prepared by IRS business functions that we reviewed lacked detailed planning and recovery strategies that would facilitate an efficient recovery of the IRS business processes. For example, several plans did not 1) identify an alternate facility and the amount of space, furniture, and equipment needed at the alternate facility, 2) identify information technology systems and applications that are required to recover critical business processes, and 3) document employees’ emergency contact information and the vital records needed by employees to perform their duties.
Some business resumption team leaders were cognizant of the details and strategies they would follow after a disaster, but they did not document this information in their business resumption plans. Documentation of the recovery procedures and strategies in the business resumption plans would facilitate recovery and could be crucial if key employees are unavailable after a disaster.
The lack of detail in business resumption plans is generally due to control weaknesses and insufficient oversight. Some business functions did not establish a review process or a central repository to ensure the quality and control of the plans. The Physical Security and Emergency Preparedness office created two templates to guide business functions on how to prepare the plans. However, the business functions often used different templates because use of the templates was not mandatory. In addition, the Emergency Management and Preparedness Executive Steering Committee, which is responsible for overseeing the business resumption plans, has met only once since being established in July 2004.
Comprehensive testing is also crucial to the viability of business resumption plans. The plans are required to be tested and updated each year. However, the business units had not tested 35 (54 percent) of the 65 plans in Calendar Year 2007. When plans were tested, the scopes were insufficient to identify gaps, omissions, and weaknesses in the plans. In addition, 25 (38 percent) of the 65 plans we evaluated had not been updated in Calendar Year 2007. We attributed these conditions to a lack of emphasis by management.
Recommendations
To ensure the viability of business resumption plans, the Chief, Agency-Wide Shared Services, should 1) instruct business units with a significant number of sites to establish a business resumption coordinator position to a) perform a quality review of each business resumption plan within the function and b) create and maintain a central repository to control the plans, 2) mandate use of the Physical Security and Emergency Preparedness office templates and require all business resumption coordinators to periodically brief the Emergency Management and Preparedness Executive Steering Committee on the completeness and adequacy of the business resumption plans, 3) develop specific testing requirements and procedures for business resumption plans based on risk, and 4) instruct the Emergency Management and Preparedness Executive Steering Committee to require business units to plan and conduct testing, document test results, and update business resumption plans annually, as well as monitor testing activities conducted by the business units.
Response
The IRS agreed with our recommendations. The Chief, Agency-Wide Shared Services will 1) coordinate the establishment of full-time business coordinator positions, as appropriate, to enhance the business unit continuity program, and 2) direct the use of standardized continuity templates that will be developed by the Physical Security and Emergency Preparedness office. The Emergency Management and Preparedness Executive Steering Committee will receive periodic briefings from select business coordinators. Lastly, the IRS will develop criteria for a multi-year testing, training, and exercise strategy. This strategy will be consistent with Federal Government continuity directives. Management’s complete response to the draft report is included as Appendix V.
Copies of this report are also being sent to the IRS
managers affected by the report recommendations. Please contact me at (202) 622-6510 if you
have questions or Margaret E. Begg, Assistant Inspector General for Audit
(Information Systems Programs), at (202) 622-8510.
Resumption of Processes Could Be Delayed Due to Inadequate Planning
Business Resumption Plans Need Comprehensive Testing
Appendices
Appendix
I – Detailed Objective, Scope, and Methodology
Appendix
II – Major Contributors to This Report
Appendix
III – Report Distribution List
Appendix IV
– Business Resumption Plans Evaluated
Appendix V
– Management’s Response to the Draft Report
Abbreviations
|
IRS |
Internal Revenue Service |
|
PSEP |
Physical Security and Emergency Preparedness |
Homeland Security Presidential Directive-20[1] requires that Federal Government agencies develop business continuity plans to enable the recovery of critical functions after a disaster or emergency. To comply with the Directive, the Internal Revenue Service (IRS) must develop and continually update its business continuity plans to enable the efficient recovery of its critical processes. This goal is difficult due to the wide range of incidents that could disrupt IRS operations such as natural disasters, accidents, power outages, and terrorist attacks.
An extended disruption to IRS facilities could affect key processes such as collecting taxes, processing tax returns and refunds, and responding to taxpayer inquiries. In Fiscal Year 2007, the IRS processed more than 235 million tax returns and collected almost $2.7 trillion. The IRS also issued about 117 million refunds totaling $295 billion. Processing delays could ultimately have a negative impact on the nation’s economy and future taxpayer compliance.
To recover critical processes after an incident, the IRS uses one or more of the following integrated Plans:
· Incident Management Plan – The overall coordinated actions management must take to ensure recovery and restoration of critical business processes.
· Occupant Emergency Plan – A set of response procedures and actions taken during the onset of an emergency to minimize the effect of the incident. It includes building evacuation, shelter-in-place, and employee safety procedures.
· Business Resumption Plan – A guide to prioritized reestablishment of business processes after an incident. It includes the advance planning and preparations necessary to minimize loss and ensure continuity of the critical business processes.
· Disaster Recovery Plan – A guide to recovery of the information technology infrastructure, network, hardware, systems, applications, and operating systems.
The relationship among the four Plans is represented in Figure 1.
Figure 1: Relationship of IRS Business Continuity Plans
Figure 1 was removed due to its size. To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
We previously reported the results of our review of IRS disaster recovery plans[2] and are currently performing a separate review of IRS incident management plans and occupant emergency plans. We plan to consolidate results of those reviews with our results in this report that focus on business resumption plans and present them in a subsequent report on the overall IRS business continuity program.
This
review was performed in the Office of Agency-Wide Shared Services at the IRS
Headquarters in
The Ability to Recover Critical Processes Is Strengthened by Redundant Operations and Experience With Major Disasters
The IRS’
ability to recover its critical processes is strengthened by its extensive
redundant operations located throughout the nation. Each critical process is carried out at
multiple locations, allowing the IRS to take advantage of its experienced workforce
and similarly situated facilities to recover from an emergency. Even without adequate business resumption
plans, we believe that the IRS could redirect work to other locations by making
ad hoc decisions. However, this ability
does not diminish the need for business resumption plans. Upfront
planning is necessary to expedite recovery, particularly considering the
criticality of some IRS processes.
The IRS can also benefit from its experience in recovering from previous disasters and emergency incidents. For example:
· On June 25, 2006, the IRS National Headquarters building flooded during record rainfall and sustained extensive damage to its infrastructure. IRS officials reported activating several of the agency’s emergency operations plans. A review by the Government Accountability Office showed that while the IRS plans helped guide its response to the flood, in more severe emergency events, conditions could be less favorable to recovery.[4]
·
Hurricane Katrina made landfall on August 29, 2005. It caused unprecedented damage to
· In 2001 and 2002, a number of government offices received mail or packages that contained or seemed to contain the anthrax virus. While no IRS facility received any mail that actually contained anthrax, mail-handling procedures were upgraded to address the possibility. For example, mailrooms in all facilities were isolated, self-contained ventilation systems were installed at all campus mailrooms so that the rooms could be shut off from the remainder of the facilities, and hazardous material training and protective equipment were provided to pertinent employees.
Resumption of Processes Could Be Delayed Due to Inadequate Planning
The IRS Physical Security and Emergency Preparedness (PSEP) office provides detailed guidance to business functions on how to prepare a business resumption plan. The guidance includes templates for preparing a comprehensive or a simplified plan. Large sites with a significant number of employees should use the comprehensive template, and smaller sites with few employees should use the simplified template to prepare their business resumption plans. The PSEP office also provides a Quick Review Checklist with detailed guidance that is commensurate with the requirements in Homeland Security Presidential Directive-20 and the IRS’ internal procedures.
A complete business resumption plan should include details such as:
Each IRS business function at each site is
responsible for developing its own business resumption plan. Each plan has a point of contact or business
resumption team leader responsible for developing and maintaining the plan. The
business resumption team leader or point of contact for each function at each
site should ensure that the key details emphasized by the PSEP office are developed
and maintained in the function’s business resumption plan.
However, most of the plans we evaluated lacked detailed planning and recovery strategies that would facilitate an efficient recovery of the IRS business processes. Our review of a sample of 65 business resumption plans determined that they did not:
· Include procedures for recovering each of the critical processes and sub-processes described in the business resumption plans – 16 plans (25 percent).
· Identify an alternate facility that could be used for recovering critical processes – 40 plans (62 percent). In some instances, an alternate site was not feasible or was deemed cost-prohibitive. In these instances, the critical processes would be rerouted to another IRS work site. However, the plans did not document this recovery strategy.
· Document the amount of space, furniture, and equipment (e.g., copiers, printers, and fax machines) that would be required at the alternate facility – 25 plans (38 percent).
· Document other locations that perform the same critical business processes and sub-processes as those performed at the site covered by the plan – 43 plans (66 percent).
· Identify information technology systems and applications that are required to recover critical business processes – 10 plans (15 percent).
· Identify the vital records needed by the employees to perform their duties – 13 plans (20 percent). Some business resumption team leaders informed us that they had no vital records. Others stated that their vital records were electronic and accessible through the IRS network. However, the business resumption plans did not document these key details and recovery strategies.
· Include basic contact information such as a list of internal business contacts and emergency contact information – 20 plans (31 percent).
· Include a list of the employees and their emergency contact information – 21 plans (32 percent). IRS officials informed us that they have previously used an automated system available to all IRS managers to contact employees because this system is more current and easier to maintain than a contact list in a business resumption plan. However, this recovery strategy is not documented in the business resumption plans.
To determine whether planning information was documented elsewhere, we followed up on 15 of the 65 business resumption plans in 6 locations by interviewing the business resumption team leaders and reviewing other available documentation. The indepth reviews confirmed the results of our initial evaluation because we were able to locate sufficient business resumption information in other documentation for only 2 of the 15 plans.
Based on our interviews, we are confident that some business resumption team leaders knew the necessary details and recovery strategies. However, when details and strategies are not documented, resumption of critical processes could be delayed, particularly if the team leaders are unavailable after an emergency.
The lack of detail in business resumption plans is generally due to control weaknesses and insufficient oversight. The business resumption plans lack details for several specific reasons.
· The Wage and Investment Division, Large and Mid-Size Business Division, Small Business/Self-Employed Division, Tax Exempt and Government Entities Division, and Taxpayer Advocate Service[5] did not establish controls adequate to ensure the completeness of each business resumption plan. The Wage and Investment Division implemented a certification process for business resumption plans at the IRS campuses. However, the certification process is not a thorough quality review of the contents and viability of the plans. It does not provide adequate assurance that the plans would enable the business function to efficiently recover the critical processes.
The Criminal Investigation Division, Chief Financial Officer organization, and Office of Chief Counsel have implemented adequate controls. These organizations established an independent quality review process for their business resumption plans. The plans were more complete and included more of the key details and required information. These functions are also smaller and have fewer employees, sites, and business resumption plans.
· Inconsistent use of business resumption templates by business functions contributed to preparation of incomplete and inadequate plans. The PSEP office does not mandate use of its two business resumption plan templates. Twelve different templates were used by the 8 IRS business functions that prepared the 65 business resumption plans we evaluated. Some functions used different templates within their own organizations. Inconsistent use of developed templates increases the risk that plans will be incomplete.
· In July 2004, the IRS established the Emergency Management and Preparedness Executive Steering Committee to help develop agency-wide policies, standards, and guidelines for continuity planning. However, this Committee has met only once since December 2007 and has not taken actions sufficient to ensure that business functions adhere to business resumption guidelines.
· Four of the eight business functions have not established a central repository to control their business resumption plans. A central repository is necessary to account for all of the plans that should be completed at sites where the business function has operations and to monitor the business resumption program. A central repository would facilitate the review of the plans, help manage updates to the plans, and ensure ready access to the most current plan in the event of a disaster or an emergency event.
Recommendations
The Chief, Agency-Wide Shared Services, should:
Recommendation 1: Instruct business units with a significant number of sites to establish a business resumption coordinator position to 1) perform a quality review of each business resumption plan prepared by the business resumption team leader at a site within the function, and 2) create and maintain a central repository in each business unit to account for and control the business resumption plans.
Management’s Response: The IRS agreed with this recommendation. The Chief, Agency-Wide Shared Services, will coordinate the establishment of full-time business coordinator positions, as appropriate, to enhance the business unit continuity program.
Recommendation 2: Require all business functions to use the PSEP office business resumption plan templates and require all functions’ business resumption coordinators to periodically brief the Emergency Management and Preparedness Executive Steering Committee on the completeness and adequacy of the business resumption plans.
Management’s Response: The IRS agreed with this recommendation. The Chief, Agency-Wide Shared Services, will direct the use of standardized continuity templates developed by the Physical Security and Emergency Preparedness office. In addition, the Emergency Management and Preparedness Executive Steering Committee will receive periodic briefings from select business coordinators.
Business Resumption Plans Need Comprehensive Testing
Testing business resumption plans is critical to ensuring the viability of the plans. Testing validates the recovery strategies, assumptions, and procedures against likely disasters or emergency events. The gaps and weaknesses in the plans should be identified and documented during comprehensive testing, which allows management to update and strengthen the plans.
Homeland Security Presidential Directive-20 requires Federal Government agencies to conduct annual tests of business resumption plans. To comply with this Directive and other Directives from the Department of Homeland Security,[6] the PSEP office provided testing guidance to the IRS business functions. It advised IRS business functions that the best way to determine whether business resumption plans are viable is to train those who have roles and responsibilities identified in the plan and then conduct tests to determine whether the plans work. This guidance is designed to determine whether team members know and understand their roles and responsibilities and how they relate to those of others.
Generally,
five types of tests can be conducted to assess business resumption plans:[7]
The IRS does not conduct complete tests in a timely manner to ensure the viability of its business resumption plans. The business units had not tested 35 (54 percent) of the 65 business resumption plans during Calendar Year 2007. For the 30 plans that were tested, the scopes consisted of tabletop exercises. Participants, such as a Senior Commissioner’s Representative,[8] a site coordinator, and a business resumption team leader, met and discussed how they would handle various emergencies or disasters. This type of testing is insufficient to identify gaps, omissions, and weaknesses in the plans. In addition, the results and weaknesses identified during the tests were not documented. As discussed previously, the results of testing should be documented and the business resumption plans should be updated. In our sample of 65 business resumption plans, 25 (38 percent) had not been updated during Calendar Year 2007.
We attribute the insufficient testing to a lack of emphasis by IRS management. The IRS procedures for business resumption do not address testing. The PSEP office web site does not provide specific testing requirements. The PSEP office acknowledges that tabletop exercises are the most common type of testing at the IRS, but it does not require or encourage more comprehensive testing of the business resumption plans.
Lack of comprehensive testing results in weak plans that will not facilitate the efficient recovery of the IRS’ critical business processes. The weaknesses in the plans will become evident after a disaster or an emergency occurs.
Recommendations
The Chief, Agency-Wide Shared Services, should:
Recommendation 3: Develop specific testing requirements and procedures for business resumption plans based on risk. Critical processes such as those we reviewed should be tested using comprehensive testing techniques such as parallel, simulation, or full-interruption tests.
Management’s
Response:
The IRS agreed with this recommendation.
The Chief, Agency-Wide Shared Services, will develop criteria for a multi-year
testing, training, and exercise strategy.
This strategy will be consistent with Federal Government continuity
directives.
Recommendation 4: Instruct the Emergency Management and Preparedness Executive Steering Committee to 1) require business units to plan and conduct testing, document test results, and update business resumption plans annually, and 2) monitor testing activities conducted by the business units to ensure that the scopes of tests are sufficient to identify gaps and weaknesses in the plans.
Management’s
Response:
The IRS agreed with this recommendation.
The Chief, Agency-Wide Shared Services, will develop a multi-year
testing, training, and exercise strategy that is consistent with Federal Government
continuity directives.
Appendix I
Detailed Objective, Scope, and Methodology
The overall objective of this review was to determine whether the IRS business resumption plans are adequate to restore critical business processes after a disaster or an emergency event. To accomplish this objective, we:
I. Determined whether the IRS had prepared business resumption plans that addressed all critical processes.
A. For the 2,643 business resumption plans required by the IRS, determined the number of plans that had not been completed.
B. For those plans that had not been completed, determined the cause and whether the plans should have addressed any of the critical processes.
II. Determined whether business resumption plans were prepared in accordance with Federal Emergency Management Agency, Department of the Treasury, and IRS guidelines.
A. Identified prior (IRS, Treasury Inspector General for Tax Administration, and Government Accountability Office) business resumption plan recommendations and determined the status of their implementation.
B. Reviewed the templates developed by the IRS for preparation of a business resumption plan to determine whether they were complete, adhered to guidance and criteria, and addressed each of the IRS’ 18 critical business processes.
C.
Selected
a sample of locations carrying out critical business processes and reviewed their
business resumption plans to determine whether a plan existed, was current, and
was complete. To select the plans, we identified the IRS’ critical processes, the business
units that perform these processes, and the buildings in which the highest number
of employees who perform these critical processes are located. We selected 70 business resumption plans (from a population of 2,643 plans) for locations
where critical processes are performed by the largest number of employees. We used judgmental sampling because a random
sample would have yielded some sites where few employees work. We selected only sites where a disaster would
affect the most number of employees and cause the biggest disruption. Because some plans covered more than 1 location,
we received and reviewed 65 plans (see Appendix IV for details about the plans
selected).
1. Determined whether a committee or working group was established to prepare the plan and, if so, determined the members of the committee.
2. Determined whether the plans contained the following elements:
· List of critical personnel.
· Identification of vital records and backup location.
· Critical equipment needs.
· Names and telephone numbers for purposes of recovery/replacement/repair of equipment, records, etc.
· Emergency telephone numbers.
· Security requirements.
· Communication needs.
III. Determined whether the IRS conducted timely and complete tests to ensure the viability of business resumption plans in the event of an incident.
A. Determined whether the IRS had implemented adequate policies and procedures to ensure that plans are tested and maintained.
1. Identified the methodology used by IRS management to monitor the status of business resumption plan training and testing nationwide.
2. For the 65 sampled business resumption plans, determined whether they had been properly tested. For any plan that had not been tested, we determined the cause.
3. Evaluated the methods used to assess the test results to ensure timely implementation of plan modifications as necessary.
B. Reviewed the results of tests on sampled business resumption plans to determine whether weaknesses identified during testing were corrected in a timely manner.
1. Identified who was responsible for taking corrective actions on weaknesses identified during testing of the business resumption plans.
2. Reviewed the results of documented training, testing, and exercises and determined whether the actions to correct the weaknesses were completed in a timely manner.
IV. Evaluated the National Headquarters office methodology for monitoring the business resumption plan program.
A. Determined where and how business resumption plans were maintained.
B. Determined whether business resumption plans were reviewed for quality independently of the preparer.
C. Determined whether a “change control process” was used to update and revise plans.
Appendix II
Major Contributors to This Report
Margaret
E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen
Mullins, Director
William
Allen Gray, Audit Manager
David
Brown, Senior Auditor
George
Franklin, Senior Auditor
Michelle
Griffin, Senior Auditor
Appendix III
Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Chief Counsel
CC
National Taxpayer Advocate TA
Commissioner,
Large and Mid-Size Business Division
SE:LM
Commissioner, Small Business/Self-Employed
Division SE:S
Commissioner, Tax Exempt and Government
Entities Division SE:T
Commissioner, Wage and Investment
Division SE:W
Chief, Criminal Investigation SE:CI
Chief Financial Officer OS:CFO
Chief Information Officer OS:CIO
Director, Agency-Wide Shared Services,
Employee Support Services OS:A:ESS
Director, Agency-Wide Shared Services,
Physical Security and Emergency Preparedness
OS:A:PSEP
Director,
Program Oversight OS:CIO:SM:
Director, Office of Legislative Affairs CL:LA
Director, Office of
Program Evaluation and Risk Analysis
RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
Chief, Agency-Wide Shared Services OS:A
Chief Information Officer OS:CIO
Appendix IV
Business Resumption Plans Evaluated
We reviewed 65 business resumption plans from 8 IRS business operating divisions that perform the highest number of critical processes. We also selected plans at sites where the highest number of employees would be affected by a disaster or an emergency event. Figure 1 identifies the number of plans we evaluated from each of the eight business operating divisions. Figure 2 identifies the specific office locations for the plans reviewed.
Figure 1: Business Resumption Plans Reviewed
(by Business Operating Division)
|
Chief Financial Officer |
2 |
|
Criminal Investigation Division |
5 |
|
Large and Mid-Size Business Division |
11 |
|
Office of Chief Counsel |
4 |
|
Small Business/Self-Employed Division |
13 |
|
Tax Exempt and Government Entities Division |
5 |
|
Taxpayer Advocate Service[9] |
12 |
|
Wage and Investment Division |
13 |
|
Total |
65 |
Source:
Our review of a sample of business resumption plans.
Figure 2: Business Resumption Plans Reviewed (by Location)
|
Business Operating
Division |
Bldg. No. |
City |
State |
|
Chief
Financial Officer |
WV0171 |
|
|
|
|
DC0022 |
|
|
|
Criminal
Investigation Division |
DC0022 |
|
|
|
|
KY2020 |
|
|
|
|
CA7347 |
|
|
|
|
IL0236 |
|
|
|
|
PA0277 |
|
|
|
Large and Mid-Size
Business Division |
NY7013 |
|
|
|
|
TX0298 |
|
|
|
|
TX0302 |
|
|
|
|
IL0236 |
|
|
|
|
CA6218 |
|
|
|
|
CA0154 |
|
|
|
|
GA2004 |
|
|
|
|
DC9914 |
|
|
|
|
CA6116 |
|
|
|
|
IL2337 |
|
|
|
|
CA0521 |
Laguna Niguel |
|
|
Office of Chief Counsel |
DC0022 |
|
|
|
|
NY7282 |
|
|
|
|
TX0302 |
|
|
|
|
IL2177 |
|
|
|
Small
Business/Self-Employed Division |
NY0376 |
Holtsville |
|
|
|
PA0462 |
|
|
|
|
TN0005 |
|
|
|
|
KY3005 |
|
|
|
|
UT1434 |
|
|
|
|
MD0278 |
New |
|
|
|
MI1951 |
|
|
|
|
CA0281 |
|
|
|
|
NY7013 |
|
|
|
|
CA0150 |
|
|
|
|
IL0236 |
|
|
|
|
CO1656 |
|
|
|
|
PA6520 |
|
|
|
Taxpayer
Advocate Service |
GA2014 |
|
|
|
|
DC0022 |
|
|
|
|
PA0727 |
|
|
|
|
TX0058 |
|
|
|
|
TX2038 |
|
|
|
|
WA0101 |
|
|
|
|
NY7243 |
Holtsville |
|
|
|
TN0005 |
|
|
|
|
KY3005 |
|
|
|
|
FL0067 |
|
|
|
|
GA0087 |
|
|
|
|
MO1937 |
|
|
|
Tax Exempt and Government
Entities Division |
OH0189 |
|
|
|
|
DC0560 |
|
|
|
|
NY6470 |
|
|
|
|
MD0055 |
|
|
|
|
TX0284 |
|
|
|
Wage and Investment
Division |
MO1937 |
|
|
|
|
CA4664 |
|
|
|
|
TX2038 |
|
|
|
|
GA1016 |
|
|
|
|
KY0085 |
|
|
|
|
UT0036 |
|
|
|
|
MA0137 |
|
|
|
|
GA0010 |
|
|
|
|
CA7456 |
|
|
|
|
TX1962 |
|
|
|
|
KY2032 |
|
|
|
|
UT1428 |
|
|
|
|
NY0376 |
Holtsville |
|
Source:
Our review of a sample of business resumption plans.
To determine whether required planning details were documented in peripheral business resumption plan documents, we visited the locations identified in Figure 3 and interviewed the point of contact or business resumption team leader. We requested the key business resumption information we had found lacking in the business resumption plans and conducted an indepth review for the 15 business resumption plans, which we selected from the above list of 65 plans.
Figure 3: Offices Visited to Review Business Resumption Plans
|
Business Operating
Division |
Bldg. No. |
City |
State |
|
Large and Mid-Size Business Division |
GA2004 |
|
|
|
Taxpayer Advocate Service |
GA2014 |
|
|
|
Taxpayer Advocate Service |
GA0087 |
|
|
|
Wage and Investment Division |
GA1016 |
|
|
|
Wage and Investment Division |
GA0010 |
|
|
|
|
|
|
|
|
Taxpayer Advocate Service |
TX2038 |
|
|
|
Wage and Investment Division |
TX2038 |
|
|
|
Wage and Investment Division |
TX1962 |
|
|
|
|
|
|
|
|
Large and Mid-Size Business Division |
TX0302 |
|
|
|
Taxpayer Advocate Service |
TX0058 |
|
|
|
|
|
|
|
|
Wage and Investment Division |
CA4664 |
|
|
|
Wage and Investment Division |
CA7456 |
|
|
|
|
|
|
|
|
Small Business/Self-Employed Division |
TN0005 |
|
|
|
Taxpayer Advocate Service |
TN0005 |
|
|
|
|
|
|
|
|
Small Business/Self-Employed Division |
MD0278 |
New |
|
Source:
Our review of a sample of business resumption plans.
Appendix V
Management’s
Response to the Draft Report
The
response was removed due to its size. To
see the response, please go to the Adobe PDF version of the report on the TIGTA
Public Web Page.
[1] National
Continuity Policy, dated May 4, 2007 (also known as
National Security Presidential Directive–51). This Directive
establishes a comprehensive national policy on the continuity of Federal
Government structures and operations and a single National Continuity
Coordinator responsible for coordinating the development and implementation of
Federal Government continuity policies.
[2] Disaster Recovery Issues Have Not Been Effectively Resolved, but Progress Is Being Made (Reference Number 2008-20-061, dated February 29, 2008).
[3] Campuses are the data processing arm of the IRS. They process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.
[4] IRS EMERGENCY PLANNING: Headquarters Plans Supported Response to 2006 Flooding, but Additional Guidance Could Improve All Hazard Preparedness (GAO-07-579, dated April 2007).
[5] The Taxpayer Advocate Service is an independent organization within the IRS created by Congress to help taxpayers resolve problems with the IRS and recommend changes to prevent the problems.
[6] Homeland Security Presidential Directive-5, Management of Domestic Incidents; Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection; and Homeland Security Presidential Directive-8, National Preparedness.
[7] Akhtar
Syed and Afsar Syed, Business Continuity
Planning Methodology (
[8] The individual designated by the IRS Commissioner to serve as the point of contact on matters affecting more than one IRS Division in a specified geographical area.
[9] The Taxpayer Advocate Service is an independent organization within the IRS created by Congress to help taxpayers resolve problems with the IRS and recommend changes to prevent the problems.