Review of Business Resumption
Plan Implementation at the
Philadelphia Service Center
Reference No. 690100 Report Date: October 9, 1998
Table of Contents
Attachment I - Detailed Objectives and Scope
The Director of the Philadelphia Service Center (PSC) requested that Internal Audit review the Business Resumption Plan (BRP) implementation process. The overall objective of the review was to evaluate the implementation to determine if the BRP provided for an effective response and recovery from any business interruption. A BRP is developed to provide immediate response and subsequent recovery from any unplanned business interruption.
Results
PSC effectively developed and tested their BRP. The BRP is comprehensive and flexible to cover a wide range of possible business interruptions.
The BRP meets Office of Management and Budget (OMB), Treasury Department, and Internal Revenue Manual (IRM) requirements. The BRP includes the Andover Service Center (ANSC) prototype components. The development process followed National Office guidelines. A simulated test was successfully developed and conducted to assess the adequacy of the BRP.
The Director of the Philadelphia Service Center (PSC) requested that Internal Audit review the Business Resumption Plan (BRP) implementation process. The overall objective of the review was to evaluate the implementation to determine if the BRP provided for an effective response and recovery from any business interruption.
To accomplish our objective, we: reviewed the development process; evaluated the BRP against the Office of Management and Budget (OMB), Treasury Department, and Internal Revenue Manual (IRM) requirements; compared the Andover Service Center (ANSC) prototype and PSC plans; reviewed the simulated test scenario and observed the test.
We performed this audit from May through October 1998. The review followed generally accepted government auditing standards.
A BRP, disaster recovery plan, and the occupant emergency plan are all components of a site recovery and resumption plan. OMB Circular A-130, Management of Federal Information Resources, requires agencies to establish and periodically test the capability to continue providing service based upon their needs and priorities.
In August 1997 a memorandum from the Executive Officer for Service Center Operations (EOSCO) initiated the BRP development process at all service centers. The ANSC prototype was provided to all service centers. In response PSC selected a BRP Coordinator, developed an action plan, selected coordinators in each function, and developed and conducted a simulated test.
The BRP is composed of a General Incident Management Plan and 26 individual branch plans based upon a worst case scenario. The management and recovery teams defined by the General Incident Management Plan allow for response to a wide range of incidents.
PSC effectively developed and tested their Business Resumption Plan
The BRP meets OMB, Treasury, and IRM requirements. The BRP also includes the components of the ANSC prototype. The BRP is comprehensive and flexible to cover a wide range of possible business interruptions.
The OMB and Treasury guidelines require agencies to establish and test contingency plans. The IRM and ANSC prototype detail specific items the plans should consider.
The IRM specifies priorities, alternate-processing facilities, personnel, supplies and equipment, security, command center, and damage assessment all be addressed. The ANSC prototype specifies overall recovery objectives, organization, strategy and notifications.
The development process followed National Office guidelines. They provide an outline of steps to follow in developing a BRP. The outline includes appointing a BRP coordinator, identifying BRP team members, briefing management, and developing and conducting a test.
PSC selected a BRP Coordinator and developed an action plan. Coordinators for each function were also appointed. Selected branches presented their BRP to a management review panel.
A simulated test scenario was successfully developed and conducted. The one-day test involved assessing damage, identifying objectives and priorities, and notifying all impacted stakeholders. Internal Audit participated as an independent observer during the test. Participants evaluated their performance against established criteria and suggested ways to improve the recovery process.
The participants and Internal Audit had similar observations. In addition, we observed:
Maintaining the BRP will be an on-going process. PSC will continually review and revise their BRP.
Edmond G. Watt
Audit Manager
Attachment I
The overall objective of the review was to evaluate the Philadelphia Service Center’s (PSC) Business Resumption Plan (BRP) implementation to determine if the plan provides for an effective response and recovery from any business interruption. Specifically, we reviewed the process used to develop, test and maintain the BRP.
To accomplish our overall objective, we:
I. Identified and evaluated the process used to develop the BRP.
II. Determined whether PSC’s BRP was developed according to applicable OMB Circulars, Treasury Department Publications, Internal Revenue Manual Sections and sound management principles.
III. Compared the PSC developed components to the Andover Service Center prototype model plan.
IV. Evaluated the test plan for the BRP to ensure:
a. Exercise plans included:
b. Revisions resulting from the test are corrected or a time frame to complete the revisions is established.
V. Determined if the BRP contains provisions for off-site storage of the hard copy plan.