Treasury Inspector General for Tax Administration

Office of Audit

IMPROVEMENTS ARE NEEDED TO ENSURE TIMELY RESUMPTION OF CRITICAL BUSINESS PROCESSES AFTER AN EMERGENCY

Issued on September 24, 2013

Highlights

Highlights of Report Number:† 2013-10-102 to the Internal Revenue Service Chief, Agency-Wide Shared Services.

IMPACT ON TAXPAYERS

Effective continuity planning and emergency preparedness can facilitate the IRSís ability to prepare for, respond to, and recover from emergencies.† The IRS needs to improve selected aspects of its continuity program.† Absent effective continuity planning, the IRS may be challenged to effectively collect taxes, issue refunds, and respond to taxpayer inquiries after an emergency occurs.

WHY TIGTA DID THE AUDIT

This review is included in our Fiscal Year 2013 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.† The overall objective of this review was to assess whether the IRSís continuity program will enable the IRS to resume critical functions in a timely manner.

WHAT TIGTA FOUND

The IRS did not always demonstrate that its continuity plan process would ensure that critical business processes are resumed in a timely manner.† For example, the IRS did not meet the Fiscal Year 2012 annual reporting requirement to the Department of the Treasury certifying its continuity capability plan.† In addition, some continuity plans were not prepared as required or were missing key information to facilitate the resumption of critical IRS operations.† For example, four of the 22 business unitsí systemwide continuity plans were not prepared.† In addition, one local office within a business unit did not have site‑specific continuity processes or a plan to resume its critical functions after an emergency.† Even when local site‑specific continuity processes and plans were prepared, some of them did not contain all of the elements consistent with both Federal and IRS guidance.

Since August 2012, the IRS has not used a central repository for immediate access by management to continuity plans in the event of an emergency.† Also, continuity personnel responsible for updating and maintaining the plans often changed jobs, and new personnel were not adequately trained to carry out all of their responsibilities regarding continuity planning.† Finally, the IRS did not perform sufficient testing and exercises as required to validate recovery strategies and procedures or to adequately address weaknesses identified during continuity exercises to ensure the viability of the continuity plan in the event of an emergency.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief, Agency-Wide Shared Services, implement a process to ensure that the annual certification requirement is met; ensure that continuity plans are immediately prepared for four business units and that the existing continuity plan template is used by all business units and functional offices; identify and monitor appropriate training to be completed by field personnel responsible for continuity planning; develop a plan that establishes time frames for the implementation of a fully functioning continuity plan database; and establish a process to monitor the continuity tests and exercise program so that business unit personnel meet the annual requirements.

In their response to the report, IRS management agreed with all eight recommendations and stated that they plan to take or have taken corrective actions, including updating policies and monitoring training requirements.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to: †

http://www.treas.gov/tigta/auditreports/2013reports/201310102fr.html.†

E-mail Address: ††TIGTACommunications@tigta.treas.gov

Phone Number:†† 202-622-6500

Website:†† http://www.treasury.gov/tigta