Treasury Inspector General for Tax Administration

Office of Audit

Corrective Actions to Address the Disaster Recovery Material Weakness Are Being Completed

Issued on June 27, 2011

Highlights

Highlights of Report Number: 2011-20-060 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

Disaster recovery planning is a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, computer operations, and data after a disruption.The Internal Revenue Service (IRS) is completing corrective actions to address a material weakness in its disaster recovery capabilities.Effective disaster recovery capabilities are critical to ensuring that the IRSís key information systems can be recovered with minimal disruption to service.In addition to the IRS needing these systems to administer the Nationís tax system, data and services provided by these systems are needed by Congress, the Department of the Treasury, tax professionals, taxpayers, and other Government agencies.

WHY TIGTA DID THE AUDIT

This audit was initiated because the IRS requested that TIGTA evaluate the corrective actions for addressing its disaster recovery material weakness.In March 2005, the IRS declared its disaster recovery program a material weakness in accordance with the Federal Managersí Financial Integrity Act of 1982.The IRS prepared a corrective action plan that divided the material weakness into seven components and contained corrective actions for each of these components.The last of the corrective actions is scheduled to be completed in December 2011.The objective of the audit was to evaluate the IRSís progress in completing its corrective actions for addressing the disaster recovery material weakness.

WHAT TIGTA FOUND

Corrective actions for addressing the disaster recovery material weakness are being adequately completed for six of the seven components. The IRS 1) created two disaster recovery Internal Revenue Manuals, 2) developed a disaster recovery training curriculum, 3) prioritized the recovery order of its systems based on the criticality of the business processes the systems supported, 4) is creating a program for performing reviews of its disaster recovery efforts and activities, 5) prepared, exercised, and tested disaster recovery plans for all of its systems, and 6) performs ongoing analyses of its recovery capabilities to identify gaps in its ability to meet business recovery requirements and to prioritize corrective actions.

During the course of the audit, TIGTA auditors recommended several changes to the corrective actions that the IRS completed, or was in the process of completing, prior to issuance of this report.Two items remain outstanding.The IRS does not have 1) a system for tracking whether employees with disaster recovery roles attend required annual training and 2) adequate metrics to assess progress and track improvements in completing the corrective actions.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer ensure that the IRS develops 1) the capability to track the disaster recovery training of employees with disaster recovery roles and responsibilities and 2) metrics specifically designed to assess progress and track improvements in completing the disaster recovery corrective actions.

In its response to the report, the IRS agreed with TIGTAís recommendations.The IRS plans to 1) develop a formal process and monitoring system to track the completion of disaster recovery training by employees who have disaster recovery roles and responsibilities and 2) design metrics to assess the progress of the disaster recovery program.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2011reports/201120060fr.html.

 

Email Address: ††TIGTACommunications@tigta.treas.gov

Phone Number:†† 202-622-6500

Web Site:†† http://www.tigta.gov