TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Improvements Are Needed to Ensure Timely Resumption of Critical Business Processes After an Emergency

 

 

 

September 24, 2013

 

Reference Number: 2013-10-102

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

 

Phone Number / 202-622-6500

E-mail Address / TIGTACommunications@tigta.treas.gov

Website / http://www.treasury.gov/tigta

 

 

HIGHLIGHTS

IMPROVEMENTS ARE NEEDED TO ENSURE TIMELY RESUMPTION OF CRITICAL BUSINESS PROCESSES AFTER AN EMERGENCY


Final Report issued on September 24, 2013

Highlights of Reference Number: 2013-10-102 to the Internal Revenue Service Chief, Agency-Wide Shared Services.

IMPACT ON TAXPAYERS

Effective continuity planning and emergency preparedness can facilitate the IRS's ability to prepare for, respond to, and recover from emergencies. The IRS needs to improve selected aspects of its continuity program. Absent effective continuity planning, the IRS may be challenged to effectively collect taxes, issue refunds, and respond to taxpayer inquiries after an emergency occurs.

WHY TIGTA DID THE AUDIT

This review is included in our Fiscal Year 2013 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees. The overall objective of this review was to assess whether the IRS's continuity program will enable the IRS to resume critical functions in a timely manner.

WHAT TIGTA FOUND

The IRS did not always demonstrate that its continuity plan process would ensure that critical business processes are resumed in a timely manner. For example, the IRS did not meet the Fiscal Year 2012 annual reporting requirement to the Department of the Treasury certifying its continuity capability plan. In addition, some continuity plans were not prepared as required or were missing key information to facilitate the resumption of critical IRS operations. For example, four of the 22 business units' systemwide continuity plans were not prepared. In addition, one local office within a business unit did not have site‑specific continuity processes or a plan to resume its critical functions after an emergency. Even when local site‑specific continuity processes and plans were prepared, some of them did not contain all of the elements consistent with both Federal and IRS guidance.

Since August 2012, the IRS has not used a central repository for immediate access by management to continuity plans in the event of an emergency. Also, continuity personnel responsible for updating and maintaining the plans often changed jobs, and new personnel were not adequately trained to carry out all of their responsibilities regarding continuity planning. Finally, the IRS did not perform sufficient testing and exercises as required to validate recovery strategies and procedures or to adequately address weaknesses identified during continuity exercises to ensure the viability of the continuity plan in the event of an emergency.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief, Agency-Wide Shared Services, implement a process to ensure that the annual certification requirement is met; ensure that continuity plans are immediately prepared for four business units and that the existing continuity plan template is used by all business units and functional offices; identify and monitor appropriate training to be completed by field personnel responsible for continuity planning; develop a plan that establishes time frames for the implementation of a fully functioning continuity plan database; and establish a process to monitor the continuity tests and exercise program so that business unit personnel meet the annual requirements.

In their response to the report, IRS management agreed with all eight recommendations and stated that they plan to take or have taken corrective actions, including updating policies and monitoring training requirements.

 

September 24, 2013

 

 

MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES

 

FROM: Michael E. McKenney /s/ Michael E. McKenney

Acting Deputy Inspector General for Audit

 

SUBJECT: Final Audit Report – Improvements Are Needed to Ensure Timely Resumption of Critical Business Processes After an Emergency (Audit # 201210008)

 

This report presents the results of our review to assess whether the Internal Revenue Service's (IRS) continuity plan program will enable the IRS to resume critical functions in a timely manner. This review is included in our Fiscal Year 2013 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.

We would like to clarify one issue included in the IRS's response to our report. The response raised a concern with the validity of certain facts included in our report. Specifically, the IRS contended that information in Figure 4 in the report understates the Wage and Investment (W&I) Division's completion rate on tests and exercises. The IRS stated that documentation was submitted to the Treasury Inspector General for Tax Administration (TIGTA) prior to issuance of the report verifying that the required testing was 100 percent complete and that TIGTA refused to consider documentation that was submitted. We disagree with these statements.

TIGTA requested and received information on continuity testing performed from four different business units, including the W&I Division, between November 2012 and January 2013. Between February 2013 and June 2013, TIGTA held multiple meetings with the IRS concerning audit findings and was not provided any additional information concerning the W&I Division's continuity testing documentation. On June 17, 2013, we issued a discussion draft report, giving the IRS another chance to submit additional information to clarify and correct findings which it believed were inaccurate.

On June 27 and July 8, 2013, the IRS submitted additional information for consideration. As a result, we adjusted the draft report in cases where sufficient evidence was provided to justify a change. However, certain documents provided by the W&I Division did not justify changes to our report. For example, the documentation submitted as evidence of the alert notification and activation test for the Brookhaven Campus contained the exact same names of participants listed as evidence of the same test for the Philadelphia Campus. The IRS later acknowledged that the Brookhaven and Philadelphia forms were inadvertently duplicated due to human error. Due to those types of inaccuracies, we were unable to rely on some of the documentation submitted as evidence that 100 percent of the W&I Division's tests and exercises were completed.

Management's complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Gregory D. Kutz, Assistant Inspector General for Audit (Management Services and Exempt Organizations).

 

 

Table of Contents

 

Background

Results of Review

Systemwide Continuity Plans Were Not Prepared or Lacked Sufficient Detail

Recommendations 1 through 4:

The Centralized Repository to Control Continuity Plans Is Not Functioning As Intended

Recommendations 5 and 6:

More Comprehensive Testing and Exercises of Continuity Plans Are Necessary

Recommendation 7:

Recommendation 8:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management's Response to the Draft Report

 

 

Abbreviations

 

BU       Business Unit
FCD      Federal Continuity Directive
IRS      Internal Revenue Service
LB&I     Large Business and International
NCPOC    National Continuity Point of Contact
OCO      Office of Continuity Operations
SB/SE    Small Business/Self-Employed
TE/GE    Tax Exempt and Government Entities
TIGTA    Treasury Inspector General for Tax Administration
TSCC     Toolkit Suite Command Centre
W&I      Wage and Investment

 

Background

 

The Internal Revenue Service (IRS) has an obligation to protect the Federal Government's tax administration system. This system is made up of a network of critical business processes that help carry out the mission of the IRS during both normal and adverse conditions. Effective continuity planning and emergency preparedness can facilitate the IRS's ability to prepare for, respond to, and recover from emergencies. These efforts include restoring critical IRS functions and providing human resources to support employee needs, which may involve approving alternative work schedules and personnel reassignments. When an emergency occurs, it is important to timely resume business operations because an extended disruption to IRS facilities can affect key processes, such as collecting taxes, processing tax returns and refunds, and responding to taxpayer inquiries. During Fiscal Year[1] 2011, the IRS reported that it processed almost 235 million returns, of which more than 133 million were filed electronically. The IRS also provided nearly $416 billion in refunds and collected more than $2.4 trillion in taxes. In addition, according to 2011 Filing Season statistics, there were nearly 323 million visits to IRS websites from January 1 through December 31, 2011. Any sustained disruption to IRS operations and offices could ultimately have a negative impact on the Nation's economy as well as taxpayer data and compliance.

To facilitate the performance of critical functions in emergency situations, the Federal Government established policies that provide direction to Federal agencies for continuity planning and programs. In May 2007, the President issued National Security Presidential Directive 51 to establish and maintain a comprehensive and effective national continuity capability to ensure the continuing performance of national essential functions under all conditions. To provide additional operational guidance to implement this policy, the U.S. Department of Homeland Security developed Federal Continuity Directives (FCD) 1 and 2.[2] This guidance provides direction for developing continuity plans and programs as well as the identification of agency essential functions. To provide planning guidance to implement these policies, in Calendar Year 2009, the Department of Homeland Security also developed FCD 3, which provides a continuity plan template that agencies may use to establish continuity plans and programs. Although the template is voluntary, it addresses each of the elements and requirements found in FCDs 1 and 2. In July 2009, the IRS created the Toolkit Suite Command Centre (TSCC) to serve as a central storage point for all IRS continuity plans and provide easy access as needed during an emergency.

The IRS is required to submit an annual report to the Department of the Treasury certifying that it has a continuity capability[3] plan which ensures its ability to continually perform its mission‑essential functions. IRS guidance calls for senior management responsible for IRS business, operational, and functional units to ensure continuity plans are developed, exercised, maintained, and updated. The IRS must also ensure that key leaders and support staff are trained on IRS mission‑essential functions as well as conduct comprehensive testing of its continuity plans. The entire continuity plan must be reviewed annually and updated accordingly. IRS guidance also requires the development of a separate continuity plan for each of its 22 business units (BU).[4] In addition, several process recovery and subplans are also maintained for various locations and offices within those 22 BUs throughout the IRS. Figure 1 lists the IRS's 22 BUs that are required to have a continuity plan.

Figure 1: List of the IRS's 22 BUs

Affordable Care Act Program Office

Agency-Wide Shared Services

Appeals Office

Chief Counsel

Chief Financial Office

Communications and Liaison

Criminal Investigation

Equity, Diversity, and Inclusion

Human Capital Office

 

Information Technology

Large Business and International (LB&I) Division

Office of Compliance Analytics

Office of Online Services

Office of Professional Responsibility

Privacy, Governmental Liaison, and Disclosure

Research, Analysis, and Statistics

Return Preparer Office

Small Business/Self-Employed (SB/SE) Division

Tax Exempt and Government Entities (TE/GE) Division

Taxpayer Advocate Service

Wage and Investment (W&I) Division

Whistleblower Office

 

 

Source: Treasury Inspector General for Tax Administration's (TIGTA) analysis of the IRS's BUs list.

In prior audits, TIGTA identified weaknesses in the IRS's emergency planning processes. For example, in Fiscal Year 2011, TIGTA performed a review[5] to determine whether the IRS adequately prepared for and took the necessary actions to protect its employees, taxpayer data, and Government property following the intentional flying of an airplane into an IRS building. Although the Fiscal Year 2011 review showed that the IRS took the necessary actions to evacuate and protect IRS employees, emergency planning was incomplete. Specifically, we found that none of the business resumption plans for the eight BUs located at the IRS building included all of the required elements. A similar condition was also reported in a Fiscal Year 2008 audit[6] in which we found that IRS business resumption plans were not adequately completed, lacked detailed planning, and would not facilitate the efficient recovery of critical business operations.

In March 2011, under the administration of the Office of Physical Security and Emergency Preparedness, the IRS agreed to the development of a Continuity Improvement Plan. In January 2012, the Office of Continuity Operations (OCO) was established to manage and provide oversight of the IRS's continuity program. Figure 2 illustrates the placement of the newly created OCO within the IRS.

Figure 2: Placement of the Newly Created OCO

IRS Commissioner

Deputy Commissioner for Operations Support

Agency-Wide Shared Services

Employee Support Services

Office of Continuity Operations

Source: TIGTA's analysis of the OCO's organizational structure.

To further support the IRS's continuity program, each BU designated at least one staff person to serve as its National Continuity Point of Contact (NCPOC). The NCPOCs are primarily responsible for ensuring that each BU is properly prepared and ready to respond should a significant incident occur.

We performed on-site audit work at the IRS OCO Headquarters in Washington, D.C., and at the local field offices of the W&I Division in Kansas City, Missouri; LB&I Division in New York City, New York; SB/SE Division in Ogden, Utah; and TE/GE Division in Washington, D.C., during the period August through December 2012. Another TIGTA audit reported[7] on the IRS's disaster recovery testing to recover major computing systems; therefore, we did not perform any information technology audit work at the Martinsburg, West Virginia, or Memphis, Tennessee, Computing Centers. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

Systemwide Continuity Plans Were Not Prepared or Lacked Sufficient Detail

The IRS did not submit an annual report to the Department of the Treasury certifying that it has a continuity capability plan as required. In addition, not all IRS BUs prepared a systemwide continuity plan, and none of the local site‑specific continuity processes and plans we reviewed were created or maintained in the TSCC so that they would be immediately available for management during an emergency. Finally, adequate testing was not performed to ensure the viability of continuity plans.

The IRS did not submit its annual continuity certification report to the Department of the Treasury

The IRS did not meet the Department of the Treasury's annual reporting requirement certifying its continuity capability plan for Fiscal Year 2012. According to FCD 1, Federal Government executive agencies are to annually submit a report to the National Continuity Coordinator certifying that the agency has a continuity capability plan. This guidance also provides key questions and measurements to use to certify that their organizations have a robust continuity capability. To facilitate this requirement within the IRS, the Internal Revenue Manual[8] requires the IRS to submit an annual report to the Department of the Treasury certifying that it has a continuity capability plan that includes all the necessary requirements. OCO management did not provide any documentation or specific reason why the annual reporting requirement to the Department of the Treasury was not met.

Continuity plans for some IRS BUs were not prepared

We found that four of the 22 current systemwide continuity plans were not prepared. Specifically, the four BUs are:

       Return Preparer Office: Responsible for registration, testing, and suitability of Federal tax preparers.

       Office of Online Services: Responsible for delivering strategy, policy, and initiatives to strengthen the IRS online services experience.

       Affordable Care Act Program Office: Responsible for implementing tax provisions for Affordable Care Act legislation.[9]

       Office of Compliance Analytics: Responsible for strategic compliance priorities.

Internal Revenue Manual 10.2.10.10.2.3, Senior Management/Executives, states that IRS management responsible for a business, operating, or functional unit should ensure that continuity plans are developed, exercised, implemented, and maintained. In addition, at a minimum, the entire continuity plan is to be reviewed annually and updated accordingly. OCO management stated that the reason continuity plans were not prepared for these four BUs was because they were fairly new and three of the BUs were given verbal extensions to submit their continuity plans by the end of Calendar Year 2013. However, management could not provide any documentation to support that a verbal extension was granted. In addition, we found that all four BUs have been in existence for nearly two years. The absence of a continuity plan increases the risk that the four IRS BUs will be unable to resume their critical functions following an emergency.

Continuity plans for some IRS BUs were incomplete

During our review of systemwide continuity plans for the four BUs selected, we found that continuity plans for two of the four BUs were incomplete.[10] Specifically, the LB&I and TE/GE Divisions' plans failed to include sufficient detail and all of the required elements prescribed in the IRS's standard continuity plan template. For example, the two continuity plans provided limited details above the preformatted language contained in the standard template regarding their essential functions and plans for resuming their business processes. Both plans stated that emergency conditions may require the relocation of staff to a continuity facility; however, the plans failed to identify the alternate continuity facilities and continuity communications, which include systems and information technology capabilities to support connectivity among key Government leadership. In addition, the two plans did not identify the vital records needed by the employees to perform their duties or document key details and recovery strategies. Furthermore, the LB&I and TE/GE Divisions' systemwide plans did not identify delegation of authorities, which are critical in providing the legal authority for management to make key policy decisions during an emergency. Figure 3 identifies the required key elements that we determined were both complete and incomplete for the four systemwide continuity plans reviewed.

Figure 3: Incomplete Systemwide Continuity Plans[11]

Key Continuity Plan Elements      W&I Division   SB/SE Division   LB&I Division   TE/GE Division
Essential Functions               Complete       Complete         Incomplete      Incomplete
Orders of Succession              Complete       Complete         Complete        Complete
Delegation of Authorities         Complete       Complete         Incomplete      Incomplete
Continuity Facilities             Complete       Complete         Incomplete      Incomplete
Continuity Communications         Complete       Complete         Incomplete      Incomplete
Vital Records                     Complete       Complete         Incomplete      Incomplete
Human Capital                     Complete       Complete         Complete        Complete
Tests, Training, and Exercises    Complete       Complete         Complete        Complete
Devolution                        Complete       Complete         Complete        Complete
Reconstitution                    Complete       Complete         Complete        Complete

Source: TIGTA's analysis of the systemwide continuity plans for the four BUs we reviewed.

FCDs 1 and 2 guidelines call for continuity plans to be developed and documented so that, when implemented, the plans and procedures will provide for the continued performance of an organization's essential functions under all circumstances. Among other required elements, these plans should include a description of prioritized mission‑essential functions, critical activities, and identification and safekeeping of vital records. Further, Internal Revenue Manual 10.2.10.8, Continuity Plan Content and Format,[12] calls for the development of a standardized continuity plan template that must be used by all business, operating, and functional units when preparing, updating, or creating a continuity plan. Consequently, in June 2009, the IRS created a mandatory systemwide continuity plan template to be used by the BUs, which addressed each of the elements and requirements found in FCDs 1 and 2. We determined that the continuity plans were to address the following key elements:

       Tests, Training, and Exercises – identifies measures to ensure that an agency's continuity plan is capable of supporting the continued execution of the agency's essential functions throughout the duration of a continuity situation.

We attribute the missing elements and lack of sufficient detail included in the continuity plans to organizational changes, lack of oversight, and inadequate training and guidance. Since Calendar Year 2011, the NCPOCs responsible for updating and maintaining these two systemwide continuity plans have changed. According to one NCPOC, no continuity plan guidance or instructions were provided by the OCO. Furthermore, another NCPOC responsible for drafting the BU's systemwide plan stated that she has not received any formal continuity training since March 2011. Even in situations in which staffing changes occur frequently, all appropriate staff must be adequately trained. If proper training does not occur, continuity personnel may be unable to fulfill their responsibilities and duties in an emergency situation.

Local site‑specific continuity processes and plans were not prepared in a format consistent with the prescribed guidance and were missing key information

We found that the local site‑specific processes and continuity plans for three of four offices we visited were not prepared in the standardized format and did not contain all information consistent with Federal and IRS guidance. For the remaining office, we determined that TE/GE Division management had not prepared a site‑specific continuity process and plan for its Washington, D.C., office. Instead, TE/GE Division management used the overall TE/GE Division's systemwide plan for its local continuity plan. However, we found that TE/GE Division's systemwide plan did not include specific details that would facilitate the resumption of key business operations nor any site-specific processes and information for the local Washington, D.C., office. In assessing the ability of the IRS to resume key business operations at its local offices, we visited four local BU offices and reviewed the site‑specific continuity processes and plan for each location. Specifically, we reviewed the W&I Division's plans for the Kansas City Campus,[13] the SB/SE Division's plans for the Ogden Campus, and the LB&I Division's plan for the New York City field office.[14]

Through a comparison of the IRS's standardized template and the local site‑specific processes and plans, we found that the information contained in the old business resumption plans that were being used by the Kansas City and Ogden Campuses along with the New York City field office's plan lacked several of the key elements included in both the Department of Homeland Security and IRS guidelines. Specifically, the continuity plans completed for the three local offices were incomplete and lacked many of the following key elements:

Internal Revenue Manual 10.2.10.5, Requirements for Continuity Plans and Procedures, states that the key elements of continuity that shall be addressed include: mission‑essential functions; orders of succession; delegations of authority; continuity facilities; continuity communications systems; vital records; human capital; test, training, and exercises; devolution; and reconstitution. In addition, in January 2012, IRS Agency-Wide Shared Services management issued written guidance, Fiscal Year 2012 IRS Continuity Program Requirements, to facilitate effective business continuity planning and help ensure that the standard continuity plan template is used to meet all required elements on an annual basis.

We found that the local plans were incomplete due in part to the local IRS campus and field office staff being unaware of the IRS's standardized template and using their old business resumption plan format for several years. We also found that local officials did not receive any recent training related to the preparation and testing of their local plans. Further, the OCO has not prepared detailed guidance and procedures to assist local officials responsible for continuity planning, nor is there a formal review and approval process for continuity plans. In addition, the TE/GE Division's continuity staff thought that its systemwide plan covered its local Headquarters office in Washington, D.C.

We determined that although the Fiscal Year 2012 IRS Continuity Program Requirements included continuity testing and exercise requirements, it did not provide a process for the training of staff responsible for drafting continuity plans. Through interviews, we learned that several staff responsible for managing and drafting plans at the locations we visited were not properly trained. In addition, several key staff at three of the four local BUs we visited had not been provided or participated in any formalized continuity training. For example, an IRS staff person at one campus location confirmed that she did not receive any instructions, written guidance, or training on how to prepare a continuity plan and, absent the use of another division's continuity plan, would not have known where to go, where to look, and what information to include in the plan. Staff at one field office site located in the area affected by Hurricane Sandy received copies of a prior continuity plan from a co-worker who previously held the same position to use as a guide and had not received any guidance on preparing a continuity plan.

In response to the impact of Hurricane Sandy[15] on the LB&I Division's Midtown office, we obtained its Employee Reporting Form dated November 7, 2012, to determine whether or not the Midtown office was able to account for its employees as part of its continuity process. According to this report, the LB&I Division was able to account for all of its employees as of that date.

According to the OCO's November 2012 Quarterly Report on NCPOC Training, only three of the 47 NCPOCs have completed all four of the introductory continuity planning courses offered through the IRS's training website. Aside from the quarterly report, OCO management has no centralized tracking system to monitor the training courses continuity planning personnel complete. IRS OCO management stated that it is the responsibility of the NCPOCs to monitor applicable training for personnel involved in continuity planning. However, only the NCPOCs for two of the four BUs we reviewed were able to provide us with comprehensive lists of training completed by staff involved in continuity planning for their respective BUs.

Incomplete and inaccurate documentation of the recovery procedures and strategies in IRS continuity plans may impede the recovery of critical tax administration processes.

Recommendations

The Chief, Agency-Wide Shared Services, should:

Recommendation 1: Implement a process to ensure that the annual reporting requirement to the Department of the Treasury certifying its continuity capability plan is met.

Management's Response: IRS management agreed with this recommendation and will ensure that updates to Internal Revenue Manual 10.6.1, Continuity Operations – Continuity Planning Requirements, will be completed once the Department of the Treasury has defined and issued the official reporting requirements for certifications at the bureau level. They will then establish and implement a process to ensure that the annual reporting requirement of its continuity plan is met.

Recommendation 2: Ensure that systemwide continuity plans are immediately prepared for the Affordable Care Act Program Office, the Return Preparer Office, the Office of Compliance Analytics, and the Office of Online Services.

Management's Response: IRS management agreed with this recommendation and stated that continuity plans were prepared for the Affordable Care Act Program Office, the Return Preparer Office, and the Office of Online Services. Further research showed that the Office of Compliance Analytics was added as a component of the Commissioner's Complex in 2011 and is therefore included in their overall continuity plan.

Recommendation 3: Ensure that the existing IRS continuity plan template is current and used by all BUs and local offices.

Management's Response: IRS management agreed with this recommendation and will review and update the continuity plan template and communicate the mandatory use of the template to all affected BUs and local offices.

Recommendation 4: Identify appropriate training that should be completed by field personnel responsible for continuity planning activities and establish an effective monitoring process to ensure that training is completed.

Management's Response: IRS management agreed with this recommendation and will identify appropriate training required to be completed by field personnel responsible for continuity planning. The IRS will also establish an effective monitoring process to ensure that required training is completed.

The Centralized Repository to Control Continuity Plans Is Not Functioning As Intended

We determined that none of the local continuity plans we reviewed were created or maintained in the TSCC. In addition, most of the personnel at the campuses and field offices we visited responsible for continuity planning were unaware of the existence of the TSCC. Those who were familiar with the system confirmed that the system was rarely used.

Since July 2009, the TSCC has been designated as the repository database for IRS continuity personnel to create and store IRS continuity plans and other related documents. Agency-Wide Shared Services' August 2010 IRS Continuity Program Requirements called for BU staff to input their continuity plans into the TSCC. Since that time, systemwide continuity plans have been maintained and updated within the system. Currently, the OCO is responsible for maintaining the TSCC and ensuring that it contains all plans. However, we determined that the TSCC is currently not being used to house and track continuity planning documents. Consequently, OCO management does not have the necessary management information available in a centralized location to assist in continuity planning if a serious incident occurs.

Although the Fiscal Year 2012 IRS Continuity Program Requirements provides for the development and update of continuity plans using the standard template to ensure that all required elements are met annually, the guidance did not require the use of the TSCC as a management tool for IRS continuity plans.† OCO management stated that there have been numerous complaints about the functionality of the system, and the NCPOCs in one BU stated that the TSCC is not user friendly and is unable to generate useful reports by users.† As a result, OCO management stated that they have not directed BU personnel to create or update continuity plans in the TSCC since August 2012.†

OCO management indicated that in March 2012 a technology specialist was assigned to review the TSCC application for improvements. †In August 2012, OCO personnel informed us that they expected a new version of the TSCC to be completed and available for use in April 2013.† However, in April 2013, the OCO confirmed that although progress has been made, it does not expect a major part of its system reconfiguration process to be complete until June or July 2013 due to the lack of funding.† The OCO further stated that once the reconfiguration process is completed, the next steps will be to migrate all of the remaining BUs to the TSCC.† Consequently, the OCO was unable to provide an alternative or tentative release date for the new version of the TSCC.† Until the OCO rolls out a new centralized repository system or makes improvements to the existing TSCC, the IRS will not have a central location for immediate access to all BU continuity plans in the event of an emergency.

Recommendations

The Chief, Agency-Wide Shared Services, should:

Recommendation 5: Develop a plan that establishes the actions and time frames for the implementation of a centralized working database for continuity plan tracking. In the interim, management should ensure that all current continuity plans are obtained from BU personnel and maintained for immediate reference.

Management's Response: IRS management agreed with this recommendation and will develop a plan and time frame for implementation of a centralized working database in the TSCC for continuity plan tracking. IRS management will also ensure that all current continuity plans are obtained from BU personnel and maintained for immediate reference.

Recommendation 6: Develop and issue written procedures requiring necessary personnel to create and update future continuity plans on the TSCC when the system is fully functional.

Management's Response: IRS management agreed with this recommendation and will ensure development and issuance of written procedures requiring personnel to create and update future continuity plans within the TSCC.

More Comprehensive Testing and Exercises of Continuity Plans Are Necessary

We determined that continuity testing was not comprehensive enough to ensure that IRS management could effectively resume critical operations in an emergency situation. In addition, we determined that deficiencies identified during continuity exercises have not been adequately addressed. Conducting continuity tests and exercises is critical to ensuring the viability of established continuity plans. Our review of the testing and exercises completed in Fiscal Year 2012 showed that the BUs participated in some of the following tests and exercises:

During our audit, two of the four BUs we reviewed completed all their planned tests and exercises in Fiscal Year 2012. Figure 4 shows the types and number of tests and exercises completed in Fiscal Year 2012:

Figure 4: Fiscal Year 2012 Tests and Exercises Completed [16] for Four BUs

| BU | Calling Tree Notification Tests | Alert, Notification, and Activation Tests | Communication Systems and Equipment Tests | Tabletop Exercises | Relocation Exercises | Integrated Functional Exercises | Totals and Percentages |
|---|---|---|---|---|---|---|---|
| W&I Division | 0 of 1 | 7 of 13 | 3 of 3 | 0 of 0 | 0 of 1 | 4 of 5 | 14 of 23 (61%) |
| SB/SE Division | 1 of 1 | 4 of 4 | 3 of 3 | 0 of 0 | 0 of 0 | 1 of 1 | 9 of 9 (100%) |
| LB&I Division | 0 of 1 | 2 of 4 | 1 of 3 | 0 of 0 | 0 of 0 | 0 of 0 | 3 of 8 (38%) |
| TE/GE Division | 1 of 1 | 4 of 4 | 3 of 3 | 1 of 1 | 0 of 0 | 0 of 0 | 9 of 9 (100%) |

Source: TIGTA's analysis of Agency-Wide Shared Service's Fiscal Year 2012 Test and Exercise Compliance Tracking information for IRS BUs.

Of the four local offices we visited, only one location participated in a required annual tabletop exercise in Fiscal Year 2012. We also determined that the continuity exercises performed at the sites were either not documented in an After Action Report[17] as required or the deficiencies identified were not adequately addressed. For example, an After Action Report was not drafted as required for the tabletop exercise conducted in Fiscal Year 2012 for the TE/GE Division.

Both FCD 1 and Internal Revenue Manual[18] guidelines require the development and maintenance of a continuity test, training, and exercise program for conducting and documenting activities to prepare personnel for the continuation of the performance of the IRS's mission‑essential functions. These activities are to be performed annually and are essential to demonstrating, assessing, and improving the ability of the IRS to execute its continuity program, plans, and procedures.

Agency-Wide Shared Services' Fiscal Year 2012 IRS Continuity Program Requirements called for BUs to quarterly report and update a designated SharePoint[19] site to reflect the schedule and completion of their continuity tests and exercises. OCO management uses this SharePoint site to monitor the status and completion of BU testing and exercises. OCO personnel are responsible for coordinating the overall continuity testing and exercise schedule for the BUs.

Except for staff at one local office who participated in a continuity exercise in Fiscal Year 2012, we found that a number of personnel involved in drafting and updating continuity plans at the remaining three locations have either never participated in an exercise or participated in exercises earlier than Fiscal Year 2012. Consequently, guidance set forth in FCD 1 and the Internal Revenue Manual pertaining to the annual exercise requirement was not always followed. For example, the LB&I Division's staff stated that they participate in tabletop exercises every two years but do not participate in integrated functional exercises. In addition, TE/GE Division's continuity staff stated that they participated in both a tabletop and an integrated functional exercise in June 2012 but did not know why the June exercise was omitted from the training records maintained on the SharePoint site. OCO management stated that all BUs are required to participate in tabletops and integrated functional exercises and are required to keep all test and exercise records current.

Continuity test and exercise activities validate the recovery strategies, assumptions, and procedures against likely disasters or emergency events. However, if adequate continuity testing is not performed or testing deficiencies are not effectively addressed, there is an increased risk that the IRS will be unable to effectively and timely resume critical business processes.

Recommendations

The Chief, Agency-Wide Shared Services, should:

Recommendation 7: Establish a process to monitor the continuity testing and exercise program to ensure that an adequate number of exercises are available so that BU continuity personnel meet the annual testing and exercise requirements.

Management's Response: IRS management agreed with this recommendation and will establish a process to monitor the continuity testing and exercise program. IRS management further stated that in consideration of budget constraints, annual testing and exercises will be conducted to the best of their ability as alternative methods of meeting the requirements are implemented.

Recommendation 8: Establish a process to monitor deficiencies identified during continuity exercises to ensure that weaknesses are addressed as appropriate.

Management's Response: IRS management agreed with this recommendation and will establish a process to monitor deficiencies identified during continuity exercises to ensure that weaknesses are addressed as appropriate.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to assess whether the IRS's continuity plan program will enable the IRS to resume critical functions in a timely manner. To accomplish our objective, we:

I. Obtained and reviewed guidance and criteria regarding continuity plans.

A. Obtained and reviewed Federal, U.S. Department of Homeland Security, and IRS criteria governing continuity plans.

B. Obtained and reviewed guidance provided to the BUs on continuity plan preparation.

C. Determined whether the IRS, on an annual basis, submits a report to the Department of the Treasury certifying that the IRS has a continuity capability plan with the required continuity requirements in accordance with the National Continuity Policy.

II. Determined whether the IRS prepared continuity plans that addressed all critical processes.

A. For the 22 BUs within the IRS required to submit continuity plans, determined the number of plans and/or subplans that have not yet been submitted or are not current.

B. For those plans that have not been submitted or are not current, determined the cause and whether the plans should address any of the critical processes.

III. Determined whether selected continuity plans were prepared in accordance with Federal guidelines.

A. Reviewed the templates developed by the IRS for preparation of continuity plans to determine whether they were complete, adhered to guidance and criteria, and addressed the required critical business processes.

B. Selected a judgmental[20] sample of four of the IRS's 22 BUs to determine if the plans contained all required IRS elements. To select the plans, we considered and identified the IRS's critical processes, the BUs that perform these processes, the buildings in which the highest number of employees who perform these critical processes are located, and the sites that have been focal points for prior terrorist attacks and natural disasters. We judgmentally selected and performed site visits to the W&I Division's offices at the Kansas City Campus located in Kansas City, Missouri; the SB/SE Division's offices at the Ogden Campus located in Ogden, Utah; the LB&I Division's Midtown field office located in New York City, New York; and the TE/GE Division's North Capitol Field Office located in Washington, D.C. We judgmentally selected the Kansas City Campus because it was estimated to process the largest number of individual income tax returns in Calendar Year 2011. We selected the Ogden Campus because it is the only campus responsible for processing corporate and tax exempt tax returns. In addition, we selected the New York City and Washington, D.C., field offices because they are located in cities where past terrorist threats and incidents have occurred. Because we only reviewed four systemwide plans along with local plans for one local office within each of the four BUs, the results of our detailed review cannot be projected beyond those four BUs.

IV. Determined whether the IRS conducted timely and complete tests to ensure the viability of continuity plans in the event of an incident.

A. Determined whether the IRS implemented adequate policies and procedures to ensure that plans are tested and maintained.

B. Reviewed the results of tests on sampled continuity plans to determine whether weaknesses identified during testing were corrected in a timely manner.

V. Evaluated the OCO's methodology for monitoring the continuity plan process.

A. Determined where and how continuity plans are maintained.

B. Determined whether continuity plans are annually reviewed independently of the preparer.

C. Determined whether a "change control process"[21] was used to update and revise plans.

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the OCO's policies, procedures, and practices for continuity planning. We evaluated these controls by interviewing personnel located at the OCO and four field locations and reviewing continuity and business resumption plans, reports documenting continuity exercises, and other related documents.

 

Appendix II

 

Major Contributors to This Report

 

Gregory D. Kutz, Assistant Inspector General for Audit (Management Services and Exempt Organizations)

Jeffrey M. Jones, Director

Jonathan Meyer, Director

Joseph F. Cooney, Audit Manager

Jamelle L. Pruden, Lead Auditor

LaToya R. Penn, Senior Auditor

Michele N. Strong, Senior Auditor

 

Appendix III

 

Report Distribution List

 

Acting Commissioner

Office of the Commissioner – Attn: Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Director, Office of Continuity Operations, Employee Support Services, Agency-Wide Shared Services  OS:S:ESS

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaison: Chief, Agency-Wide Shared Services  OS:A

 

Appendix IV

 

Management's Response to the Draft Report

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

WASHINGTON, D.C. 20224

 

 

CHIEF

AGENCY-WIDE

SHARED SERVICES

 

September 4, 2013

 

 

 

MEMORANDUM FOR MICHAEL E. MCKENNEY

ACTING DEPUTY INSPECTOR GENERAL FOR AUDIT

 

FROM: David A. Grant /s/ David A. Grant

Chief, Agency-Wide Shared Services

 

SUBJECT: Draft Audit Report - Improvements Are Needed to Ensure Timely Resumption of Critical Business Processes After an Emergency (Audit #201210008)

 

Thank you for the opportunity to respond to the subject draft audit report. We are committed to ensuring our continuity program will enable the IRS to resume the processing of critical functions in a timely manner, in the event of an emergency.

 

We agree with all 8 recommendations and will develop and implement corrective actions detailed in our attached response. Please note that one of the proposed corrective actions has already been implemented.

 

The IRS Wage and Investment (W&I) organization has raised a concern with the validity of certain facts included in your Draft Audit Report. On page thirteen of the document, W&I is depicted as completing only 61% of the required testing; however, documentation was submitted to TIGTA prior to your issuance of the report, verifying that the required testing is 100% complete. It was expected that your report would be updated to reflect 100% completion. We contacted TIGTA to understand the discrepancies within the Draft Audit Report, but we were not given the opportunity to clarify the data, make corrections where needed, or to vet our disagreements with the findings. We only received feedback in the form of an email stating they were not going to accept our documentation. This data discrepancy does not change the recommendations, corrective actions or implementation dates, but it does reflect our position on W&I's compliance for Fiscal Year 2012 testing and exercise activity.

 

We appreciate the continued support and assistance provided by your office. If you have any questions, please contact me at (202) 622-7500. If there are technical questions, a member of your staff may contact Mary Beth Murphy, Director, Employee Support Services at (202) 283-7784. For matters concerning audit procedural follow-up, please contact Pat Alvarado, Resource & Operations Management, Agency-Wide Services at (202) 622-5542 or Pamela Cobbs, Resource & Operations Management, Agency-Wide Shared Services at (202) 622-5708.

 

Attachment

 

Attachment

 

 

RECOMMENDATION 1:

Implement a process to ensure that the annual reporting requirement to the Department of the Treasury certifying its continuity capability plan is met.

 

CORRECTIVE ACTION:

We agree with this recommendation. The Chief, Agency-Wide Shared Services (AWSS), will ensure that updates to IRM 10.6.1, Continuity Operations - Continuity Planning Requirements will be completed once Treasury has defined and issued the official reporting requirements for certifications at the bureau level. We will then establish and implement a process to ensure that the annual reporting requirement of its continuity plan is met.

 

IMPLEMENTATION DATE:

September 30, 2014

 

RESPONSIBLE OFFICIAL:

Director, Employee Support Services, Agency-Wide Shared Services

 

CORRECTIVE ACTION MONITORING PLAN:

Employee Support Services (ESS) will enter accepted corrective actions into the Joint Audit Management Enterprise System (JAMES). These corrective actions are monitored on a monthly basis until completion.

 

RECOMMENDATION 2:

Ensure that system-wide continuity plans are immediately prepared for the Affordable Care Act Office; Return Preparer Office; Office of Compliance Analytics; and the Office of Online Services.

 

CORRECTIVE ACTION:

We agree with this recommendation. The Chief, AWSS, had continuity plans prepared for the Affordable Care Act Office, Return Preparer Office and the Office of Online Services. Further research showed that the Office of Compliance Analytics was added as a component of the Commissioner's Complex in 2011 and is therefore included in their overall continuity plan.

 

IMPLEMENTATION DATE:

August 6, 2013

 

RESPONSIBLE OFFICIAL:

Director, Employee Support Services, Agency-Wide Shared Services

 

CORRECTIVE ACTION MONITORING PLAN:

Corrective action will be entered into JAMES as completed.

 

RECOMMENDATION 3:

Ensure that the existing IRS continuity plan template is current and used by all (BUs) and local offices.

 

CORRECTIVE ACTION:

We agree with this recommendation. The Chief, AWSS, will review and update the continuity plan template and communicate the mandatory use of the template to all impacted Business Units (BUs) and local offices.

 

IMPLEMENTATION DATE:

December 31, 2013

 

RESPONSIBLE OFFICIAL:

Director, Employee Support Services, Agency-Wide Shared Services

 

CORRECTIVE ACTION MONITORING PLAN:

Employee Support Services (ESS) will enter accepted corrective actions into the JAMES. These corrective actions are monitored on a monthly basis until completion.

 

RECOMMENDATION 4:

Identify appropriate training that should be completed by field personnel responsible for continuity planning activities and establish an effective monitoring process to ensure training is completed.

 

CORRECTIVE ACTION:

We agree with this recommendation. The Chief, AWSS, will identify appropriate training required to be completed by field personnel responsible for continuity planning. In addition, we will establish an effective monitoring process to ensure required training is completed.

 

IMPLEMENTATION DATE:

December 30, 2013

 

RESPONSIBLE OFFICIAL:

 

Director, Employee Support Services, Agency-Wide Shared Services

 

CORRECTIVE ACTION MONITORING PLAN:

Employee Support Services (ESS) will enter accepted corrective actions into JAMES. These corrective actions are monitored on a monthly basis until completion.

 

RECOMMENDATION 5:

Develop a plan that establishes the actions and time frames for the implementation of a centralized working database for continuity plan tracking. In the interim, management should ensure all current continuity plans are obtained from BU personnel and maintained for immediate reference.

 

CORRECTIVE ACTION:

We agree with this recommendation. The Chief, AWSS, will develop a plan and timeframe for implementation of a centralized working database in Toolkit Suite Command Center (TSCC) for continuity plan tracking. In addition, we will ensure all current continuity plans are obtained from BU personnel and maintained for immediate reference.

 

IMPLEMENTATION DATE:

September 30, 2014

 

RESPONSIBLE OFFICIAL:

Director, Employee Support Services, Agency-Wide Shared Services

 

CORRECTIVE ACTION MONITORING PLAN:

Employee Support Services (ESS) will enter accepted corrective actions into JAMES. These corrective actions are monitored on a monthly basis until completion.

 

RECOMMENDATION 6:

Develop and issue written procedures requiring necessary personnel to create and update future continuity plans on the TSCC when the system is fully functional.

 

CORRECTIVE ACTION:

We agree with this recommendation. The Chief, AWSS, will ensure development and issuance of written procedures requiring personnel to create and update future continuity plans within the TSCC.

 

IMPLEMENTATION DATE:

October 1, 2013

 

RESPONSIBLE OFFICIAL:

Director, Employee Support Services, Agency-Wide Shared Services

 

CORRECTIVE ACTION MONITORING PLAN:

Employee Support Services (ESS) will enter accepted corrective actions into JAMES. These corrective actions are monitored on a monthly basis until completion.

 

RECOMMENDATION 7:

Establish a process to monitor the continuity testing and exercise program to ensure an adequate number of exercises are available so that BU continuity personnel meet the annual testing and exercise requirements.

 

CORRECTIVE ACTION:

We agree with this recommendation. The Chief, AWSS will establish a process to monitor the continuity testing and exercise program. In consideration of budget constraints, we will conduct the annual testing and exercises to the best of our ability as we implement alternative methods of meeting the requirements.

 

IMPLEMENTATION DATE:

October 31, 2013

 

RESPONSIBLE OFFICIAL:

Director, Employee Support Services, Agency-Wide Shared Services

 

CORRECTIVE ACTION MONITORING PLAN:

Employee Support Services (ESS) will enter accepted corrective actions into JAMES. These corrective actions are monitored on a monthly basis until completion.

 

RECOMMENDATION 8:

Establish a process to monitor deficiencies identified during continuity exercises to ensure that weaknesses are addressed as appropriate.

 

CORRECTIVE ACTION:

We agree with this recommendation. The Chief, AWSS, will establish a process to monitor deficiencies identified during continuity exercises to ensure that weaknesses are addressed as appropriate.

 

IMPLEMENTATION DATE:

December 31, 2013

 

RESPONSIBLE OFFICIAL:

Director, Employee Support Services, Agency-Wide Shared Services

 

CORRECTIVE ACTION MONITORING PLAN:

Employee Support Services (ESS) will enter accepted corrective actions into JAMES. These corrective actions are monitored on a monthly basis until completion.



[1] A 12-consecutive-month period ending on the last day of any month. The Federal Government's fiscal year begins on October 1 and ends on September 30.

[2] FCD 1 describes the key elements of a viable continuity capability and the importance of coordinating with non-Federal organizations to establish and maintain a comprehensive and effective national continuity capability. FCD 2 provides implementation guidelines for the requirements identified in FCD 1. It provides direction and guidance to Federal entities for identifying their mission‑essential functions and potential primary mission‑essential functions. Primary mission‑essential functions represent a subset of agency-level mission‑essential functions that must be performed to support the performance of the national essential function before, during, and after an emergency; whereas, mission‑essential functions are activities that enable the IRS to provide vital services, exercise civil authority, maintain public safety, and sustain the industrial and economic base during an emergency.

[3] The IRS continuity capability refers to its ability to perform its mission‑essential functions continuously.

[4] The term used to include IRS business operating divisions as well as its principal, functional, and project offices.

[5] TIGTA, Ref. No. 2011-10-098, The Internal Revenue Service Adequately Prepared for and Responded to the Austin Incident (Sept. 2011).

[6] TIGTA, Ref. No. 2008-20-178, Weaknesses in Business Resumption Plans Could Delay Recovery From a Disaster (Sept. 2008).

[7] TIGTA, Ref. No. 2012-20-041, Disaster Recovery Testing Is Being Adequately Performed, but Problem Reporting and Tracking Can Be Improved (May 2012).

[8] Internal Revenue Manual 10.2.10.2.1 (Sept. 25, 2008).

[9] Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered section of the U.S. Code), as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029.

[10] The results of our detailed review of systemwide continuity plans for the four BUs cannot be projected beyond those four BUs. A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

[11] Incomplete indicates the plan did not include information to address the specific continuity element as required.

[12] Internal Revenue Manual 10.2.10.8 (Sept. 25, 2008).

[13] There are 10 IRS campuses across the country that provide customer service to taxpayers by responding to taxpayer questions and helping them understand and meet their tax responsibilities.

[14] See Appendix I for details on why we selected these BU locations.

[15] Hurricane Sandy, which reached New York City on October 29, 2012, was the deadliest and most destructive tropical cyclone of the 2012 Atlantic hurricane season and the second-costliest hurricane in U.S. history.

[16] Figure 4 exhibits the aggregate total of tests and exercises, which includes those completed by local offices and campuses within the four BUs reviewed.

[17] A document that captures a review of the effectiveness of continuity plans and procedures and the identification of areas for improvement.

[18] Internal Revenue Manual 10.2.10.6.8 (Sept. 25, 2008).

[19] The IRS intranet website designed for workgroup collaboration and for sharing files where access should be limited.

[20] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

[21] Refers to Continuity Plan Control and Maintenance (Internal Revenue Manual 10.2.10.8.1 (Sept. 25, 2008)), which includes procedures regarding the review and modification of continuity plans along with follow-up on planned controls.