Treasury
Inspector General for Tax Administration
Office of Audit
Corrective
Actions to Address the Disaster Recovery Material Weakness Are Being Completed
Issued on June 27, 2011
Highlights
Highlights of
Report Number: 2011-20-060 to the
Internal Revenue Service Chief Technology Officer.
IMPACT ON TAXPAYERS
Disaster
recovery planning is a coordinated strategy involving plans, procedures, and
technical measures that enable the recovery of information systems, computer
operations, and data after a disruption.
The Internal Revenue Service (IRS) is completing corrective actions to
address a material weakness in its disaster recovery capabilities. Effective disaster recovery capabilities are
critical to ensuring that the IRS’s key information systems can be recovered
with minimal disruption to service. In
addition to the IRS needing these systems to administer the Nation’s tax
system, data and services provided by these systems are needed by Congress, the
Department of the Treasury, tax professionals, taxpayers, and other Government
agencies.
WHY TIGTA DID THE AUDIT
This
audit was initiated because the IRS requested that TIGTA evaluate the
corrective actions for addressing its disaster recovery material weakness. In March 2005, the IRS declared its disaster
recovery program a material weakness in accordance with the Federal Managers’
Financial Integrity Act of 1982. The IRS
prepared a corrective action plan that divided the material weakness into seven
components and contained corrective actions for each of these components. The last of the corrective actions is
scheduled to be completed in December 2011.
The objective of the audit was to evaluate the IRS’s progress in
completing its corrective actions for addressing the disaster recovery material
weakness.
WHAT
TIGTA FOUND
Corrective
actions for addressing the disaster recovery material weakness are being
adequately completed for six of the seven components. The IRS 1) created two disaster recovery
Internal Revenue Manuals, 2) developed a disaster recovery training curriculum,
3) prioritized the recovery order of its systems based on the criticality of
the business processes the systems supported, 4) is creating a program for
performing reviews of its disaster recovery efforts and activities, 5)
prepared, exercised, and tested disaster recovery plans for all of its systems,
and 6) performs ongoing analyses of its recovery capabilities to identify gaps
in its ability to meet business recovery requirements and to prioritize corrective
actions.
During the
course of the audit, TIGTA auditors recommended several changes to the
corrective actions that the IRS completed, or was in the process of completing,
prior to issuance of this report. Two
items remain outstanding. The IRS does
not have 1) a system for tracking whether employees with disaster recovery
roles attend required annual training and 2) adequate metrics to assess
progress and track improvements in completing the corrective actions.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Chief Technology Officer ensure
that the IRS develops 1) the capability to track the disaster recovery training
of employees with disaster recovery roles and responsibilities and 2) metrics
specifically designed to assess progress and track improvements in completing
the disaster recovery corrective actions.
In
its response to the report, the IRS agreed with TIGTA’s recommendations. The IRS plans to 1) develop a formal process
and monitoring system to track the completion of disaster recovery training by
employees who have disaster recovery roles and responsibilities and 2) design
metrics to assess the progress of the disaster recovery program.
READ THE
FULL REPORT
To view the report,
including the scope, methodology, and full IRS response, go
to:
http://www.treas.gov/tigta/auditreports/2011reports/201120060fr.html.
Email Address: TIGTACommunications@tigta.treas.gov
Phone
Number: 202-622-6500
Web Site: http://www.tigta.gov