Treasury Inspector General for Tax Administration

Office of Audit

BETTER EMERGENCY PREPAREDNESS PLANNING COULD IMPROVE BUSINESS CONTINUITY EFFORTS

Issued on February 13, 2009

Highlights

Highlights of Report Number:  2009-20-038 to the Internal Revenue Service Commissioner.

IMPACT ON TAXPAYERS

The Internal Revenue Service’s (IRS) ability to protect its employees and provide taxpayers service during and after a major disruption is dependent on the effective preparation of four integrated plans called the Business Continuity “Suite of Plans.”  However, many of the plans TIGTA reviewed were not up to date, have not been adequately tested, and did not contain sufficient detail to be effective.  These deficiencies could affect the IRS’ ability to process 235 million tax returns, issue $295 billion in refunds, and collect $2.7 trillion in revenue each year.

WHY TIGTA DID THE AUDIT

This audit was included in the TIGTA Fiscal Year 2008 Annual Audit Plan and was part of an overall strategy to evaluate the adequacy and viability of the suite of emergency plans that the IRS has in place.  TIGTA recently completed three separate reviews related to the business continuity program.  The Government Accountability Office has also performed a recent review of IRS emergency planning.  This report presents TIGTA’s overall assessment of the IRS business continuity program based on those reviews.

WHAT TIGTA FOUND

Redundant operations and experience with major disasters have strengthened the IRS business continuity program.  However, many business continuity plans were incomplete and did not provide assurance that the IRS could efficiently respond to the full range of potential disasters or emergency incidents.  In addition, the plans were not routinely tested or were informally tested using tabletop exercises during which participants met and discussed the procedures they would follow.  Lessons learned from testing disaster recovery plans were not always documented, and subsequent testing did not ensure that weaknesses were retested to determine whether the plan weaknesses had been corrected.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the IRS Commissioner appoint an executive with cross-organizational authority to oversee the IRS business continuity program and serve as the chairperson of the Emergency Management and Preparedness Executive Steering Committee.  TIGTA also recommended that the IRS Commissioner require the executive responsible for business continuity planning to monitor and ensure that comprehensive testing is conducted and documented for all business continuity plans, and consider testing business continuity plans concurrently as opposed to testing the plans separately.

In their response to the report, IRS officials agreed with the findings and recommendations.  The Emergency Management and Preparedness Executive Steering Committee is now chaired by the Chief, Agency-Wide Shared Services, who will direct and execute the
cross-functional IRS-wide emergency management program.  An executive has been appointed to lead the Physical Security and Emergency Preparedness Continuity Operations staff and focus exclusively on the oversight and enforcement of the continuity planning program.  Lastly, the IRS plans to develop a Test and Exercise Program that requires integrated exercises of all four business continuity plans.  The Program will require that exercises be scheduled and conducted with after-action reports and improvement plans completed and documented.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:  

http://www.treas.gov/tigta/auditreports/2009reports/200920038fr.html.

Email Address:   inquiries@tigta.treas.gov

Phone Number:   202-622-6500

Web Site:   http://www.tigta.gov