TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

The Internal Revenue Service Adequately Prepared for and Responded to the Austin Incident

 

 

 

September 21, 2011

 

Reference Number:  2011-10-098

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Redaction Legend:

1 = Tax Return/Return Information

3(d) = Identifying Information of an Individual or Individuals

 

Phone Number   |  202-622-6500

Email Address   |  TIGTACommunications@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

 

HIGHLIGHTS

 

THE INTERNAL REVENUE SERVICE ADEQUATELY PREPARED FOR AND RESPONDED TO THE AUSTIN INCIDENT

 

Highlights

Final Report issued on September 21, 2011

Highlights of Reference Number:  2011-10-098 to the Internal Revenue Service Chief, Agency-Wide Shared Services.

IMPACT ON TAXPAYERS

On February 18, 2010, a single-engine airplane was intentionally flown into the Echelon I building in Austin, Texas.  The Internal Revenue Service (IRS) adequately prepared for and took the necessary actions to respond to and recover from this incident, which ensured that the IRS timely resumed normal business operations.  An extended disruption to IRS facilities could affect key processes such as assessing and collecting taxes, processing tax returns and refunds, and responding to taxpayer inquiries.

WHY TIGTA DID THE AUDIT

This audit was initiated because effective continuity planning and emergency preparedness can facilitate the IRS’s ability to prepare for, respond to, and recover from emergencies.  These efforts include providing personnel services to support employee needs and restoring critical functions.  The audit was requested by the IRS Chief, Agency-Wide Shared Services.  The overall objective was to determine whether the IRS was adequately prepared for and took the necessary actions to protect IRS employees, taxpayer data, and Federal Government property and to resume normal business operations following the airplane crash into the Austin, Texas, Echelon I building (hereafter referred to as the Austin incident).

WHAT TIGTA FOUND

The IRS adequately prepared for and took the necessary actions to evacuate and protect IRS employees, secure taxpayer data and Federal Government property, and timely resume business operations following the Austin incident.  The IRS timely provided extensive personnel services to assess and support affected employee needs, identified temporary office space for the affected employees, awarded several procurements to support the recovery effort in an expedited time period, and provided the furnishings and equipment needed to resume work within 18 calendar days of the incident.  

However, our audit determined that emergency planning for the Echelon I building was not complete, as none of the business resumption plans for the eight business units located at the Echelon I building included all of the required elements.  In addition, the salvage contract used to recover documents, including taxpayer data at the incident site, did not include all of the required security provisions and did not contain an official designation appointing a Contracting Officer’s Technical Representative.  However, these issues did not have a material impact on the response to the Austin incident and, taken as a whole, the IRS preparation and response ensured that the effect of the Austin incident on IRS employees and tax administration was minimized.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief, Agency‑Wide Shared Services:  1) ensure that lessons learned relative to the business resumption plans are applied to the development of the new continuity plans and 2) include on the lessons learned document and the Incident Management Plan template the provisions for emergency procurements.

IRS officials agreed with our recommendations and stated that the IRS has distributed supplemental guidance on the development of continuity plans, initiated annual quality assurance reviews of these plans, and plans to apply the lessons learned in the development of the new continuity plans.  The IRS also plans to update the lessons learned document and the Incident Management Plan template to reflect that emergency procurements are required to comply with the Federal Acquisition Regulation and other procurement policies and procedures.

 

September 21, 2011

 

 

MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES

 

FROM:                   (for)  Michael R. Phillips /s/ Michael E. McKenney

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – The Internal Revenue Service Adequately Prepared for and Responded to the Austin Incident (Audit # 201110006)

 

This report presents the results of our review to determine whether the Internal Revenue Service was adequately prepared for and took the necessary actions to protect Internal Revenue Service employees, taxpayer data, and Federal Government property and to resume normal business operations following the airplane crash into the Austin, Texas, Echelon I building.  This review is included in our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenge of Security.

Management’s complete response to the draft report is included as Appendix VI. 

Copies of this report are also being sent to the Internal Revenue Service managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations), at (202) 622-8500.

 

 

Table of Contents

 

Background

Results of Review

The Internal Revenue Service Effectively Prepared for and Responded to the Austin Incident

Business Resumption Plans for the Austin Echelon I Building Did Not Include All the Required Elements

Recommendation 1:

Actions Are Needed to Better Facilitate Contract Development and Administration

Recommendation 2:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Timeline of Incident Response

Appendix V – Key Lessons Learned From the Incident Response

Appendix VI – Management’s Response to the Draft Report

 

 

Abbreviations

 

BRP

Business Resumption Plan

COTR

Contracting Officer’s Technical Representative

GSA

General Services Administration

IMP

Incident Management Plan

IMT

Incident Management Team

IRS

Internal Revenue Service

OEP

Occupant Emergency Plan

SCR

Senior Commissioner’s Representative

 

 

Background

 

The Internal Revenue Service (IRS) is responsible for helping America’s taxpayers to understand and meet their tax responsibilities and for the enforcement of the Nations’ tax laws as enacted by Congress.  The IRS collects the taxes[1] that fund the Federal budget, supporting public programs (e.g., human services, national defense, Social Security and Medicare, and education) and the payment of the national debt.  The IRS Commissioner describes the IRS as an agency of professionals working to serve the hardworking taxpayers of this country:  processing returns, sending out refunds, answering questions on the phone, and trying to help people navigate a complicated tax system.[2]  

IRS employees provide Americans with a valuable service; however, the dedicated men and women of the IRS are often under-appreciated public servants and increasingly have become the targets of violent threats.[3]  On February 18, 2010, a **1************3(d)*********** intentionally flew an airplane into an IRS building in Austin, Texas, killing himself and an IRS employee and injuring 13 others (hereafter referred to as the Austin incident).[4]  The contents of the building were almost a total loss, and the damage to the building structure was significant enough to require the IRS to immediately find new space for the affected employees.

To facilitate the performance of critical functions in emergency situations, the Federal Government established policies that provide direction to Federal agencies for continuity planning and programs.  In May 2007, National Security Presidential Directive-51[5] was issued by the President to establish and maintain a comprehensive and effective national continuity capability in order to ensure the continuing performance of national essential functions under all conditions.  To provide the operational guidance to implement this policy, the Department of Homeland Security, in coordination with its interagency partners, developed Federal Continuity Directive 1.  The purpose of this Federal Continuity Directive is to provide direction for the development of continuity plans and programs for the Federal Executive Branch.  Effective continuity planning and programs facilitate the performance of critical functions during all hazards, emergencies, or other situations that may disrupt normal operations.

The IRS had a process in place to guide employees when an emergency incident occurred.  The IRS process included a combination of four integrated plans called the Business Continuity Suite of Plans.  These plans were used to prepare for, respond to, and recover from the incident.  The Suite of Plans included the Occupant Emergency Plan (OEP), the Incident Management Plan (IMP), the Business Resumption Plan (BRP), and the Disaster Recovery Plan.

Incident response is a multifunctional activity at the IRS.  When an incident occurs, the local Senior Commissioner’s Representative (SCR)[7] assumes the role of Incident Commander.[8]  The rest of the Incident Management Team (IMT) consists of employees from the different business units at the IRS.  When an emergency occurs, it is important to timely resume business operations because an extended disruption to IRS facilities could affect key processes such as assessing and collecting taxes, processing tax returns and refunds, and responding to taxpayer inquiries.

When a disaster affects the IRS, the Suite of Plans are executed and are intended to be continually referenced during the entire incident response and business resumption efforts.  Each function within each IRS building was required to have a BRP.  These plans were used to identify the critical functions at the incident location and the process and resources needed to get the IRS back to normal operations.  In September 2008, the IRS updated its policy and replaced the BRPs with requirements for continuity plans.  We were advised that the IRS started implementing the continuity planning requirements at the end of Calendar Year 2009 and continued throughout Calendar Year 2010.  During this transitional time, the BRPs were used by the business units to respond to the Austin incident.  We did not review the IRS continuity plans as they were not in place at the time of the incident.  However, we plan to conduct a future Treasury Inspector General for Tax Administration audit on IRS continuity planning.

The IMP template is an identical template made up of checklists used by the SCRs for all IRS facilities within their region to ensure continuity.  The portion of the IMP that is more individualized and site-specific is the section of the document that identifies the command and general staffs of the IMT.  When an incident occurs, the IMP identifies the employees accountable for each responsibility area of the incident response.

This review was performed at the IRS National Headquarters in Washington, D.C., in the office of Agency-Wide Shared Services during the period March through June 2011.  Site visits were also made to IRS offices in Austin, Texas, and Nashville, Tennessee.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

The IRS adequately prepared for and took the necessary actions to evacuate and protect IRS employees, secure taxpayer data and Federal Government property, and timely resume business operations following the Austin incident.  The IRS provided extensive personnel services to support employee needs, identified temporary office space for the affected employees, awarded several procurements to support the recovery effort in an expedited time period, and provided the furnishings and equipment that facilitated the resumption of work within 18 calendar days of the incident.  

However, our audit determined that emergency planning for the Echelon I building was not complete, as none of the BRPs for the eight business units located at the Echelon I building included all of the required elements.  In addition, a salvage contract used to recover documents, including taxpayer data, at the incident site did not include all of the required security provisions and did not contain an official designation appointing a Contracting Officer’s Technical Representative (COTR).  However, these issues did not have a material impact on the response to the Austin incident and, taken as a whole, the IRS preparation and response ensured that the effect of the Austin incident on IRS employees and tax administration was minimized.

The Internal Revenue Service Effectively Prepared for and Responded to the Austin Incident

Prior to the incident, the IRS prepared for emergency situations at the Echelon I building by performing drills for the evacuation of employees from the facility and by conducting IMT exercises that focused on the resumption of business operations subsequent to an emergency incident.[9]  The IRS prepared and tested an OEP for the Echelon I building, which facilitated a prompt evacuation of the building after the incident.  The IRS had also developed an IMP for responding to, recovering from, and mitigating the effects of incidents at the Echelon I building.  Following the incident and building evacuation, the IRS ensured that security of the building was sufficient to protect taxpayer data and Federal Government property, employees’ needs were assessed and addressed, new temporary office space was identified, procurement activities were expedited, and business operations resumed as early as was practical given the severity of the incident.  In addition, IRS executives took actions IRS-wide as a result of the Austin incident.  Additional details on the IRS preparation and response to the Austin incident follow.  See Appendix IV for a timeline of the incident response.

The Echelon I building was promptly evacuated

The IRS reported that there were 198 IRS employees assigned to the Echelon I building and 101 employees were in the building on the day the incident occurred.  The building occupants were able to evacuate to safety within a matter of minutes due to the courageous actions of IRS onsite personnel, other first responders, and a local citizen.[10]

Federal law[11] mandates the use of OEPs,[12] and IRS guidance requires the development of an OEP as well as annual testing of the plans by performing evacuation drills.  Our audit determined that the IRS had an OEP in place and that the OEP had been tested within 1 year (11 months) prior to the incident.  The OEP for the Echelon I building provided instructions for actions to be taken in the event of an emergency, the assignments and duties of the Occupant Emergency Organization,[13] and contact information for key members of the emergency response.  Our discussions with local IRS management and review of the incident timeline found that the Echelon I building was promptly evacuated.  Based on witness accounts, the building was evacuated in approximately 5 minutes.  The IRS credited the seriousness that the Echelon I building employees applied towards the evacuation drills as an important factor in the rapid building evacuation and in keeping injuries as a result of the incident to a minimum.

The response to the incident was effectively coordinated

In December 2008, the Department of Homeland Security issued the National Incident Management System, which provides a consistent nationwide template to enable the Federal Government to prevent, protect against, respond to, recover from, and mitigate the effects of incidents.  While IRS policy does not include any requirements addressing what should be included in its IMPs, the National Incident Management System contains requirements for responding to incidents, and the IRS’s IMP we reviewed met those requirements relating to the IMT command structure and the duties and responsibilities of the team members.

The IRS developed and then adequately implemented the IMP to coordinate its response to the incident.  Our review of the IMP determined that the IRS had an IMP organization chart for the Echelon I building that identified the IMT responsible for an emergency at that location.  We met with the general staff of the IMT and the Incident Commander and determined that they understood their responsibilities when responding to emergency situations.  In addition, local IRS managers affected by the incident had high praise for the IMT and the response as a whole.

Due to the severity of the Austin incident, the Incident Commander made a decision to bring in two additional SCRs to assume the roles of the Planning Section and Operation Section Chief of the IMT.  This staffed these vital roles with IRS employees who had prior experience in providing support and direction in emergency response situations.  The IMT also documented the actions they took during the incident through the use of an incident response timeline, minutes of IMT meetings, and status reports.  In our discussions with IRS executives, they expressed that the level of cooperation within the IRS was an essential aspect in responding to the incident.  They indicated that everyone in the organization worked together, and there was never a concern for an individual employee’s rank or business unit, which resulted in a highly motivated, effective, and cohesive team.  From a Headquarters perspective, the IMT was fully empowered to handle the incident response.

When the incident response was complete, the IMT solicited input from key participants involved with the response and prepared a list of lessons learned.  Some of the lessons learned were used to update the IMP template in preparation for future incidents.  The updates covered issues such as communications with taxpayers, changes to the asset retrieval team within the IMT command structure, use of a floor plan to identify the location of vital records, and the use of a single location to address employee needs and other pay and benefit-related issues.  In addition, all SCRs were briefed on the lessons learned from the incident.  See Appendix V for a list of key lessons learned.

Employee needs were identified and addressed

Federal Continuity Directive 1 addresses the unique human capital requirements that are needed to support an effective emergency response.  Agencies must implement a process to communicate their human capital guidance for emergencies (pay, leave, staffing, and other human resources flexibilities) to managers and make staff aware of that guidance in an effort to help agencies continue critical functions during an emergency.  The IRS used its personnel services to provide support to the employees affected by the incident.  After the incident, the IRS placed the affected employees on 2 to 3 weeks of administrative leave, during which time the IRS made counselors available through its Employee Assistance Program[14] and held twice daily conference calls to brief employees on the incident response and to field any questions or concerns from affected employees.

The IRS also set up a “One-Stop Shop” employee assistance center at the Austin Campus[15] and staffed it with Human and Employee Relations specialists from the IRS Benefits and Services Team, Employee Assistance Program, and IRS Worker’s Compensation Center.  The employee assistance center had employees onsite to talk with affected employees and provide individual assistance.  Within 4 days of the incident, the IRS prepared and distributed a survey to the affected employees to determine equipment needs, reasonable accommodation needs, and any other special needs.  The IRS used the results of the surveys as the basis for ensuring that employees had the tools and resources they needed to return to work.

The assistance center provided packets of information to address various employee issues, including:

As the Echelon I building employees returned to work, the IRS continued to provide the employees with access to individual counseling to support their recovery from the Austin incident.  The IRS also expanded the number of individual counseling sessions normally provided as an employee benefit through the Employee Assistance Program.

Additionally, the IRS assisted employees in the recovery of personal items due to the incident, such as purses, briefcases, office memorabilia, professional certificates, and photos.  In addition, the IRS Office of General Legal Services processed and paid claims under the Military Personnel and Civilian Employee Compensation Act[16] in cases where employees experienced loss or damage of personal property.

Taxpayer data and Federal Government property were generally protected

IRS guidance requires the protection of vital resources, facilities, records, and taxpayer data.  It also requires that the IRS follow certain procedures when disposing of computer equipment.  Because of smoke and fire damage, it was necessary for the IRS to replace all of the computers in the Echelon I building.  The IRS took appropriate preventative measures to secure and protect taxpayer data and Federal Government property following the incident.

After the incident, the Echelon I building was immediately secured by a perimeter fence and 24‑hour guard service to prevent access to the taxpayer data still located in the damaged building.  The contractor who performed the salvage work,[17] including the removal of the surface soot and dirt from computers, laptops, CPUs, and personal computers, moved the computers from the damaged areas to a safe area of the building.  At this juncture, IRS Modernization and Information Technology Services organization representatives took control of the computers, salvaged data when possible, removed hard drives, and then subsequently disposed of the damaged computer equipment.  Our evaluation of the IRS’s process to recover and dispose of the data in the damaged computers found that the IRS took the necessary steps to ensure that taxpayer data were secure during the disposal process.

In addition, the IRS and the vendor properly controlled the damaged paper documents and other recovered items during the salvage process.[18]  The vendor placed the damaged items in boxes, and the boxes were numbered and labeled with the location of the recovery.  The box numbers allowed the IRS to ensure that all of the boxes were returned.  We judgmentally selected an inventory sheet of 40 boxes sent to the contractor and traced these box numbers to the list of boxes returned to the IRS.  We determined that the 40 boxes in the salvage inventory were returned to the IRS.  The location listed on the box label also enabled the IRS to determine which employee the recovered items belonged to.  The IRS set up a secure area at the Austin Campus to store cleaned items returned by the contractor.  The employees were then notified to report to this area to claim their items.

New office space for affected employees was quickly obtained

The IRS identified interim office space at the Austin Campus for the affected employees and provided the furnishings and equipment needed to resume work within 18 calendar days of the incident.  We determined the security over the Austin Campus met the Interagency Security Committee security standards and that the Echelon I building employees were provided adequate security while at this interim location.  The IRS then worked with the General Services Administration (GSA) to conduct a market survey and identified suitable office space for all displaced Echelon I building employees.  The Echelon I building employees moved into the new office building within 5 months[19] of the Austin incident.

When the 2-year lease for this building was signed on March 30, 2010, the new building met the Interagency Security Committee security standards in place at that time.  Subsequently, on April 12, 2010, the Department of Homeland Security issued new security standards for Federal Government facilities.  Although the newly leased site does not comply with the more stringent requirements under the new Interagency Security Committee standards, the IRS is not required to conform to these new standards as they were not in effect when the lease was finalized.  We were advised by the IRS that it plans to consider these revised security standards when selecting a permanent office space location when the current lease expires in July 2012.

Additional actions were taken IRS-wide in response to the incident

Our discussions with IRS executives identified other actions taken to address security and emergency preparedness at a national level.  This included but was not limited to:

Our discussions with IRS executives also identified lessons learned at the IRS executive level.  This included issues such as:

Business Resumption Plans for the Austin Echelon I Building Did Not Include All the Required Elements

IRS policy states that the objective of the BRP is to resume processing of critical functions as quickly as possible and eventually the resumption of full, normal operations.[21]  To achieve this objective, the business units must identify and include lists in the BRPs of its vital records[22] and critical business processes.[23]  When planning for an emergency situation, a complete BRP is necessary for the IMT to prioritize business resumption needs.  In a previous audit,[24] we reported that the IRS BRPs were not complete and would not facilitate the efficient recovery of critical business processes.  Our review of the BRPs for the business units located at the Echelon I building found that none of the eight BRPs included all of the required elements.  The missing information included a list of the vital records of the business unit, the critical functions performed at the location, and the equipment needed to perform the critical functions. 

IRS policy does not identify who is responsible for an independent review of the BRPs.  The IRS informed us it was the responsibility of the business units; however, a review process was not implemented.  For example, in one IRS business unit, the review of the plans was limited to determining whether all of the information was present and not whether it was accurate.  This IRS business unit was in the process of developing a certification process through which an executive would certify completeness of the BRPs.  However, this process was discontinued as a result of the IRS’s migration away from BRPs to continuity plans.

Despite the incomplete BRPs, the IMT was able to quickly obtain the missing information from the business unit representatives on the IMT in responding to the Austin incident, and we did not identify an adverse effect on the Austin response or subsequent recovery.  The IRS’s ability to timely recover its critical processes in Austin were grounded in its experience in recovering from previous disasters and emergency incidents and the foresight it demonstrated by putting the right people in place without delay who were cognizant of the details and strategies they should follow after a disaster.  Lesser experienced personnel may have found themselves at a disadvantage without current, complete BRPs.  When BRPs do not include all of the required information, there is an increased risk that the BRPs will not facilitate the efficient recovery of critical business processes.  The IMT members recognized that the BRPs were incomplete and included this concern as part of their lessons learned document.

Recommendation

Recommendation 1:  The Chief, Agency-Wide Shared Services, should ensure that lessons learned relative to the BRPs are applied to the development of the new continuity plans.

Management’s Response:  The Chief, Agency-Wide Shared Services, agreed with our recommendation and stated that the IRS has distributed supplemental guidance on the development of continuity plans, initiated annual quality assurance reviews of these plans, and plans to apply the lessons learned from the Austin incident in the development of the new continuity plans.     

Actions Are Needed to Better Facilitate Contract Development and Administration

On March 3, 2010, the IRS placed a task order against a GSA contract with a vendor for cleanup and recovery services of sensitive documents and employee personal effects damaged in the Austin incident.  Some of the documents salvaged included taxpayer data.  IRS policy states that procurement solicitations and contracts shall include a clause that requires position risk designations for contractor employee background investigation or screening for access to IRS facilities or sensitive taxpayer data.  Department of the Treasury Acquisition Regulations also require contracting officers[25] to formally delegate authority to a COTR for all contractual actions exceeding the simplified acquisition threshold[26] of $150,000.  This step ensures that COTRs are fully informed of what they must do and also what they cannot do on a particular contract.  It also protects the Federal Government from the harmful effects of COTRs acting beyond the scope of their authority or acting without authority, which could lead to unauthorized commitments and work that is not completed in full compliance with contractual terms and conditions.

The COTR is also responsible for designating and documenting the risk level of each position within the contract.  Additionally, the policy requires that IRS personnel determine whether sensitive taxpayer data to which contractor personnel require access warrants execution of a nondisclosure agreement.  For these situations, the IRS uses a standard nondisclosure agreement for its procurements.

Our review of the document salvage contract identified several concerns.  These include:

As is often the case in attempting to award procurements in an emergency environment, the urgency of the situation and short time periods resulted in contractual errors.  However, we found no evidence that the sensitive taxpayer data that were the subject of the salvage operation were treated improperly by the contractors.  The IRS believed that the contract provisions for officially appointing a COTR and the nondisclosure of taxpayer data were overlooked because of the emergency conditions that were present at the time of the contract award.  In addition, the IRS believes that the provision for background checks of the contractor personnel was not included in the contract because they did not have the time to conduct the investigations due to the urgent nature of the contract.  The IRS requested an expedited awarding of the contract because the Echelon I building’s windows were blown out and the contents of the building were exposed to weather conditions.  As a result, the IRS Office of Procurement completed the procurement action in a very short period of time in an effort to support the Austin recovery efforts.  In addition, the IRS believed that the contractor’s employees may have had the required background checks because of prior reclamation work they had performed for other Federal Government agencies.

While we are not aware of any instances of contractor employees disclosing taxpayer data, the failure to have contractor employees sign the correct nondisclosure form may make it more likely that the employees may disclose taxpayer data because they may not have an understanding of its sensitivity.  The lack of the required security provisions (i.e., a security assessment for the contractor and the background investigations for contractor employees) and proper contract administration (i.e., the failure to appoint a COTR to oversee these requirements and obtain the proper nondisclosure statements) were not included as part of the incident response lessons learned document.  The lessons learned document and the IMP template should be updated to include the security and administration aspects of emergency procurements to guide the future IMTs.

Recommendation

Recommendation 2:  The Chief, Agency-Wide Shared Services, should ensure that the lessons learned document and the IMP template are updated to reflect the required provisions that emergency procurements include compliance with the Federal Acquisition Regulation and other applicable procurement procedures and policies, including required security provisions.

Management’s Response:  The Chief, Agency-Wide Shared Services, agreed with our recommendation and stated that the IRS will update the lessons learned document and the IMP template to reflect that emergency procurements must include the required provisions to be in compliance with the Federal Acquisition Regulation and other applicable procurement procedures and policies, including all required security provisions. 

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective was to determine whether the IRS was adequately prepared for and took the necessary actions to protect IRS employees, taxpayer data, and Federal Government property and to resume business operations following the airplane crash into the Austin, Texas,[27] Echelon I building.  To accomplish this objective, we:

I.                   Determined whether the IRS took adequate preventative measures to protect IRS employees and whether IRS employees were adequately supported following the incident.

A.    Obtained the OEP for the Echelon I building to determine whether it helped the IRS and its employees prepare for an evacuation of the building.

B.     Determined whether IRS employees were evacuated from the premises to the designated evacuation location and accounted for within a reasonable time following the incident.

C.     Evaluated the personnel services that were provided to the employees after the incident and determined whether the IRS adequately supported the employees in dealing with the incident and with returning to work.

D.    Reviewed the physical security and emergency preparedness risk/vulnerability assessments and evaluated the security at the Echelon I building, Austin Campus,[28] and Research Park Plaza IV building.

II.                Determined whether the IRS took adequate preventative measures to secure the Echelon I building and protect taxpayer data and Federal Government property following the incident.

A.    Identified the Internal Revenue Manual requirements for the protection of Federal Government property and assets, taxpayer data, and other sensitive information, including the security of the building and contractors with access to taxpayer records and computer data and storage equipment.

B.     Identified measures used to limit access to the building to ensure that taxpayer data and other sensitive information in the Echelon I building following the incident were secured and protected from unauthorized disclosure.

C.     Identified measures used to protect taxpayer records and computer data and storage equipment during cleanup efforts.

III.             Determined whether the IRS complied with Interagency Security Committee standards for the protection of employees, property, and taxpayer data at the temporary work location (Austin Campus) and at the new Austin site.

A.    Determined whether the IRS complied with Interagency Security Committee standards for the protection of former Echelon I building employees housed in temporary space at the Austin Campus.

B.     Determined whether the IRS complied with Interagency Security Committee standards at the new Austin site.

IV.             Determined whether the IRS had previously developed and then adequately implemented the IMP to coordinate its response to the incident.

A.    Obtained the IMP for the Echelon I building and determined whether the contents of the plan were current and included all of the items contained in the IMP template.

B.     Reviewed the actions of the IMT and determined whether the team provided an effective response to the incident.

V.                Determined whether the IMT and the execution of the BRPs operated as intended in recovering from the incident.

A.    Determined the timeline for the incident response and the business resumption efforts to resume normal IRS business operations.

B.     Determined whether the BRPs were sufficient to ensure the IRS could recover from the incident.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives.  Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations.  They include the systems for measuring, reporting, and monitoring program performance.  We determined the following internal controls were relevant to our audit objective:  IRS policies, procedures, and controls used in planning for and implementing emergency response plans and responding to emergency situations.  We evaluated these internal controls by:  1) interviewing management and other employees involved in the response, 2) reviewing documentation maintained by people involved in the response, and 3) making firsthand observations of physical security measures at the Austin Campus and Research Park Plaza IV building.

 

Appendix II

 

Major Contributors to This Report

 

Nancy A. Nakamura, Assistant Inspector General for Audit (Management Services and Exempt Organizations)

Alicia P. Mrozowski, Director

Darryl J. Roth, Audit Manager

David P. Robben, Lead Auditor

Chinita M. Coates, Auditor

Brett C. Thornock, Audit Evaluator

 

Appendix III

 

Report Distribution List

 

Deputy Commissioner for Operations Support  OS

Deputy Commissioner for Services and Enforcement  SE

Commissioner, Large Business and International Division  SE:LB

Commissioner, Small Business/Self-Employed Division  SE:S

Commissioner, Wage and Investment Division  SE:W

Acting Commissioner, Tax Exempt and Government Entities Division  SE:T

Chief Technology Officer  OS:CTO

Director, Employee Support Services  OS:A:ESS

Director, Physical Security and Emergency Preparedness, Agency-Wide Shared Services  OS:A:PSEP

Director, Procurement  OS:A:P

Director, Real Estate and Facilities Management, Agency-Wide Shared Services  OS:A:RE

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons:

            Chief, Agency-Wide Shared Services  OS:A

Director, Physical Security and Emergency Preparedness, Agency-Wide Shared Services 
OS:A:PSEP

            Director, Procurement  OS:A:P

Director, Real Estate and Facilities Management, Agency-Wide Shared Services 
OS:A:RE

 

Appendix IV

 

Timeline of Incident Response

 

February 18, 2010       At 9:40 a.m. a single-engine airplane crashed into the Austin[29] Echelon I building in Austin, Texas.

The Commissioner’s Representative for the building reported shortly after exiting the building that to his knowledge everyone in the building evacuated safely except one individual, a Small Business/Self-Employed Division manager.

By 1:00 p.m., the IRS confirmed that one employee was missing.

By 5:00 p.m., the Incident Commander arrived from Dallas, Texas, and took control of the scene from the Administrative Officer who was acting as the interim Incident Commander.

Shortly after 10:00 p.m., the Incident Commander sent an email advising that the IRS Commissioner had placed all Echelon I building employees on administrative leave and authorized employees with an Austin post of duty the use of liberal leave.

February 19, 2010       The Emergency Operation Center was opened at the Austin Campus and the members of the IMT began meeting.

The first of the twice daily conference calls with the Echelon I building employees began.

February 20, 2010       The Incident Commander asked two additional SCRs to join the IMT as Operations and Planning Section Chiefs. 

The IMT developed an assessment form for the Echelon I building employees to identify their needs.

February 22, 2010       A “One-Stop Shop” was set up at the Austin Campus.  The One-Stop Shop was staffed with Human and Employee Relations specialists from the IRS Benefits and Services Team, Employee Assistance Program,[30] and IRS Worker’s Compensation Center.  Assistance packets were given to each Echelon I building employee and included a survey requesting employee needs.

February 22, 2010       The Secretary of the Treasury and IRS Commissioner met privately with Echelon I building employees.

February 23, 2010       The IRS initiated the procurement process to select a vendor for asset recovery.

February 24, 2010       GSA and IRS Real Estate and Facilities Management employees began a market survey to identify sites for a new office building where temporary space could be leased for the Echelon I building employees.

February 26, 2010       The potential recovery/restoration contractor received necessary clearances to enter the building to determine projected cost estimates for document recovery and restoration.

                                    The IRS identified workstations at the Austin Campus for interim placement of the Echelon I building employees until a new office space could be leased.

March 3, 2010             The IRS selected the Research Park Plaza IV building as the temporary (18-24 month lease) office location to replace the Echelon I building.

                                    The IRS began deploying laptops to the Echelon I building employees.  All laptops were scheduled to be deployed by March 5, 2010.

March 8, 2010             Echelon I building employees returned to work.

March 11, 2010           The Incident Commander moved the Emergency Operation Center to Dallas, Texas, from which the Incident Commander and staff monitored the incident.

The document salvage contract was awarded and asset recovery began the following day.

June 2, 2010                The contractor delivered the first shipment of salvaged documents.[31]

July 6, 2010                 All Echelon I building employees were successfully moved into the new offices at Research Park Plaza IV building in Austin.

July 28, 2010               The IRS received the final shipment of documents from the document salvage contractor.

 

Appendix V

 

Key Lessons Learned From the Incident Response

 

The IMT solicited lessons learned from key participants involved with the response and prepared a list of lessons learned.  This list included positive lessons learned and areas that can be improved.  We also discussed lessons learned with key participants and IRS executives.  We reviewed the list and identified the key lessons learned that the IRS documented.

Lessons Learned Positive

·         Evacuation of the Echelon I Building proceeded as outlined in the OEP, as practiced through drills, and was completed within minutes of the attack.  The IRS credited the seriousness that the Echelon I building employees applied towards the evacuation drills as an important factor in the rapid building evacuation.

·         The Incident Commander made a decision to bring in two additional SCRs to assume the roles of the Planning Section and Operation Section Chiefs of the IMT.  This meant that these vital roles were staffed with IRS employees who had prior experience in providing support and direction in emergency response situations.

·         An Employee Information Sheet was created and used to quickly capture Echelon I building employee needs (e.g., equipment needs, reasonable accommodation needs, and other special needs).  Surveys of the Echelon I building employees facilitated the provision of the tools and resources employees needed to return to work.

·         Established a Damage Assessment Retrieval Team that directly reported to the Incident Commander, instead of through the Operations Section Chief.  Due to the severity of the incident, separating this section proved valuable, allowing the Incident Commander to be fully informed.

·         The availability of office space at the Austin, Texas,[32] Campus[33] as well as the extensive support from the Austin Campus Director and Site Coordinator were valuable resources for the IMT.

·         Twice daily conference calls were initiated with the Echelon I building employees to keep the employees up to date on the status of the incident response.

·         A network of external sources was identified and established with numerous other Federal and State agencies who offer assistance to trauma victims of disasters or emergencies.  For example, the Federal Bureau of Investigation’s Victim Assistance Unit, the State of Texas, and the National Transportation Safety Board all offered and provided IRS employee assistance.  This also assisted the IRS in obtaining a list of retrieval and restoration contractors and expedited the issuance of a contract.

·         “One-Stop Shop” service was provided to Echelon I building employees.  Specialists were onsite at the Austin Campus for the following areas:  counseling services, workmen’s compensation claims,[34] personal property claims, Social Security card replacement, and the Federal Bureau of Investigation’s Victims Assistance Unit.  An employee packet of these pertinent materials and forms was issued or mailed to every affected employee.

·         IRS employees nationwide with prior experience in providing direction during emergency situations were identified.  This was a critical human capital aspect because it significantly expedited the IRS response and recovery.

·         The emotion and sensitivity of this type of event, and the sense of personal loss, were acknowledged and recognition of the fact that the IRS could not return immediately to “business as usual” was affirmed.

Lessons Learned Areas That Can Be Improved

·         The sign-in log for the Echelon I building was limited to taxpayers.  IRS employees and contract employees/vendors assigned to other buildings were not required to sign in when visiting the Echelon I building; therefore, there was no way to determine who else was in the building at the time of the incident.

·         Some Echelon I building employees left the premises, which made it difficult to determine which employees were in the building at the time of the event.

·         An override is needed for door codes in the event of an emergency.  Floor wardens were unable to see the door codes due to the smoke.

·         Policies enacted due to emergency situations that affect taxpayer accounts must be timely communicated with taxpayers for effective tax administration.

·         Communications need to be issued periodically stressing the importance of sending records to the archive or disposing of records when no longer needed.  The number of documents that needed to be recovered may have been unnecessarily increased due to documents that could have been archived or disposed of earlier.

·         Define, develop, and deliver training to the IRS business units so they have a better understanding of vital records.

·         A policy library needs to be established to keep all policies enacted as a result of the incident for future IMT reference.

·         IRS employees need to understand their liability if personal property in the workplace is destroyed.

·         Business continuity plans need to be updated based on actions taken by the IMT to reestablish the critical functions affected by the Austin incident.

·         Managers and employees have a lot of work-related information on their computers.  It would ease future business resumptions if there was a continual backup of this information.  

 

Appendix VI

 

Management’s Response to the Draft Report

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

WASHINGTON, D.C. 20224

 

               CHIEF

      AGENCY-WIDE

SHARED SERVICES

 

 

SEPEMBER 7, 2011

 

 

MEMORANDUM FOR MICHAEL R. PHILLIPS

     DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM:                             David A. Grant /s/ David A. Grant

     Chief, Agency-Wide Shared Services

 

SUBJECT:                       Draft Audit Report - The Internal Revenue Service Adequately Prepared for and Responded to the Austin Incident

(Audit # 201110006)

 

Thank you for the opportunity to respond to the subject audit report. The audit was conducted to determine whether the Internal Revenue Service (IRS) was adequately prepared for and took the necessary actions to protect IRS employees, taxpayer data, and Federal Government property and to resume normal business operations following the airplane crash into the Austin, Texas, Echelon I building.

 

The audit review determined that emergency planning for the Echelon I Building was not complete, as none of the business resumption plans for the eight business units located at the Echelon I building included all of the required elements. In addition, the salvage contract used to recover documents, including taxpayer data at the incident site, did not include all of the required security provisions and did not contain an official designation appointing a Contracting Officer's Technical Representative. However, as noted in the audit report, these issues did not have a material impact on the response to the Austin incident and, taken as a whole, the IRS preparation and response ensured that the effect of the Austin incident on IRS employees and tax administration was minimized.

 

We agree that the Business Continuity Plans (formerly Business Resumption Plans) and the Incident Management Plan need to be updated to reflect lessons learned as outlined in the audit report (see attachment). Additionally, we agree that the Incident Management Plan needs to be updated to reflect the required provisions that emergency procurements include compliance with the Federal Acquisition Regulation (FAR) and other applicable procurement procedures and policies, including required security provisions.

 

We appreciate your continued support and the valuable assistance and guidance your team provides. If you have any questions, please contact me or a member of your staff may contact Richard Rodriguez, Director, Continuity Operations, at (202) 622-3069 or Norris Walker, Director, Physical Security and Emergency Preparedness, at (202) 622-0831. For matters concerning follow-up, please contact Larry Pugh, Office of Strategy and Finance, Agency-Wide Shared Services, at (202) 622-4541.

 

Attachment

 

RECOMMENDATION #1: The Chief, Agency-Wide Shared Services should ensure that lessons learned relative to the Business Resumption Plans (BRP) are applied to the development of the new Continuity Plans.

 

CORRECTIVE ACTION: We agree with this recommendation. We have addressed this recommendation by providing supplemental guidance (regarding the development of IRS' Continuity Plans) to the IRS Business Units. Additionally, Physical Security and Emergency Preparedness' Continuity Operations Office has initiated a new annual process of conducting Quality Assurance Reviews (QAR) of IRS' Business Continuity Plans that include lessons learned. Furthermore, we will ensure that lessons learned relative to the Business Resumption Plans (BRP) are applied to the development of the new Business Continuity Plans.

 

IMPLEMENTATION DATE: October 1, 2011

 

RESPONSIBLE OFFICIAL: Director, Physical Security & Emergency Preparedness, Agency Wide Shared Services

 

CORRECTIVE ACTION MONITORING PLAN: PSEP will enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES).

 

RECOMMENDATION #2: The Chief, Agency-Wide Shared Services should ensure that the lessons learned document and the Incident Management Plan (IMP) template are updated to reflect the required provisions that emergency procurements include compliance with the Federal Acquisition Regulation (FAR) and other applicable procurement procedures and policies including required security provisions.

 

CORRECTIVE ACTION: We agree with this recommendation. We will ensure that the lessons learned document and the Incident Management Plan (IMP) template are updated to reflect the required provisions that emergency procurements include compliance with the Federal Acquisition Regulation (FAR) and other applicable procurement procedures and policies including required security provisions.

 

IMPLEMENTATION DATE: July 31, 2012

 

RESPONSIBLE OFFICIAL: Director, Physical Security & Emergency Preparedness, Agency-Wide Shared Services

 

CORRECTIVE ACTION MONITORING PLAN: PSEP will enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES).



[1] The IRS is a bureau of the Department of the Treasury and one of the world’s most efficient tax administrators.  In Fiscal Year 2010, the IRS collected more than $2.3 trillion in revenue and processed more than 230 million tax returns.

[2] The Prepared Remarks of IRS Commissioner Douglas H. Shulman at the National Press Club (IR-2010-41, April 5, 2010).

[3] In recent years, the Treasury Inspector General for Tax Administration has investigated roughly 900 threats made against IRS employees annually.  In Fiscal Year 2009, that number climbed above 1,000.  In addition, Treasury Inspector General for Tax Administration Semiannual Report to Congress October 1, 2010March 31, 2011, indicated that threats have continued to escalate, with 723 reported for the 6-month period ending March 31, 2011.  Treasury Inspector General for Tax Administration investigations include both threat investigations (a direct, specific threat of violence) and threat assessment investigations (when groups or individuals may pose a threat to an IRS employee or facility).

[4] The United States House of Representatives approved a resolution (House Resolution 1127) on March 3, 2010, acknowledging the incident at the Echelon I building and strongly condemned the terror attack perpetrated deliberately against Federal employees of the IRS in Austin, Texas.

[5] National Continuity Policy Homeland Security Presidential Directive-20 (NSPD-51/HSPD-20).

[6] The Disaster Recovery Plan is the written instructions for processing critical applications in the event of a major hardware or software failure or destruction of facilities.  The Disaster Recovery Plan is a support piece, focusing on the recovery of the systems and data, ensuring that the cyber technology can enable the continuance of the essential business functions.

[7] The SCRs address time-sensitive administrative issues and direct activities in critical emergency incidents that affect IRS facilities, provide leadership and direction to Commissioner’s Representatives, and coordinate local administrative programs, such as flu shots.

[8] The Incident Commander is directly responsible for frontline management of the incident.  The Incident Commander, in conjunction with the other onsite Business Team Managers, will develop and implement response strategies and utilize Disaster Recovery and BRPs for recovery of business operations.

[9] We determined that the IRS emergency planning included the preparation of the OEP, IMP, and BRP.  Our audit included a review of the completeness of these plans, but we did not test these plans for accuracy.  We identified that the IRS’s BRPs were not complete.  See Page 10 of this report for details.  However, we did not identify any material deficiencies within the OEP and IMP documents.

[10] A passer-by stopped and used his ladder to rescue six people trapped on the second floor of the Echelon I building.

[11] 41 C.F.R. § 101-20.5, et seq.

[12] The Federal Government has responsibility for minimizing danger to life and property arising from the effects of fires, bomb threats, bombings, civil disturbances, and other disasters affecting Federal Government employees.

[13] The emergency response organization comprised of employees who have been designated and trained by the Designated Official to carry out the requirements of the OEP.

[14] The Employee Assistance Program is a free benefit program that provides confidential services to IRS managers, employees, and their family members.  The program provides access to a nationwide counseling network to help employees deal with a variety of personal and work related problems.

[15] The data processing arm of the IRS.  The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts. 

[16] 31 U.S.C. § 3721.

[17] The contractor removed and cleaned paper documents and personal items damaged in the incident.  We plan to conduct a future audit identifying the costs associated with the Austin incident.

[18] This contract did not include all required security provisions and did not contain an official designation appointing a COTR.  See Page 11 of this report for further information.

[19] The IRS moved into the new office space on July 6, 2010, and received the final shipment of recovered documents on July 28, 2010.

[20] Taxpayer Assistance Centers are a taxpayer’s source for personal tax help when the taxpayer believes his or her tax issue cannot be handled online or by telephone.

[21] Normal operations refers to the broad functions undertaken by an organization when it is assigned responsibility for a given functional area.  These functions include the planning and execution of day-to-day tasks.

[22] Vital records are the records essential to the continued functioning or reconstitution of an organization during and after an emergency.

[23] Critical business processes are those business processes and functions at the facility that are considered critical to the ongoing operation of the business unit.  These processes and functions should be recovered or resumed first.

[24] Weaknesses in Business Resumption Plans Could Delay Recovery From a Disaster (Reference Number 2008‑20‑178, dated September 17, 2008).

[25] Contracting officers serve as the legal agents of the Federal Government responsible for the integrity of the contracting process.

[26] Purchases of supplies or services less than $150,000 using simplified procedures described in Federal Acquisition Regulation Part 13.  Simplified acquisitions include purchase card buys, purchase orders, electronic purchasing, task and delivery orders against established contracts, imprest fund buys, and blanket purchase agreements.

[27] All references to Austin in this report refer to Austin, Texas.

[28] The data processing arm of the IRS.  The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts. 

[29] All references to Austin in this report refer to Austin, Texas.

[30] The Employee Assistance Program is a free benefit program that provides confidential services to IRS managers, employees, and their family members.  The program provides access to a nationwide counseling network to help employees deal with a variety of personal and work-related problems.

[31] This includes sensitive documents and personal effects damaged in the Austin incident.

[32] All references to Austin in this report refer to Austin, Texas.

[33] The data processing arm of the IRS.  The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts. 

[34] The Federal Employees’ Compensation Act, under the authority of United States Code (5 U.S.C. § 8101 et. seq.) and the Code of Federal Regulations (20 C.F.R. Parts 1 and 10), provides compensation benefits to civilian employees of the United States for disability due to personal injury or disease sustained while in the performance of duty.