Treasury Inspector General for Tax Administration
Office of Audit
DISASTER RECOVERY TESTING IS BEING ADEQUATELY PERFORMED, BUT PROBLEM REPORTING AND TRACKING CAN BE IMPROVED
Issued on May 3, 2012
Highlights of Reference Number: 2012-20-041 to the Internal Revenue Service Chief Technology Officer.
IMPACT ON TAXPAYERS
Disaster recovery planning is a coordinated strategy for recovering computer systems following a disruption. By testing disaster recovery plans, recovery problems can be identified and corrected before an actual disruption occurs. The IRS is adequately planning and conducting disaster recovery tests, but IRS reporting of problems identified during the tests and the tracking of progress to implement recommendations made at the conclusion of the tests need to be improved. Effective disaster recovery capabilities are critical to ensure that key information systems can be recovered with minimal disruption to the critical IRS business processes they support. The data and services provided by these systems are also needed by Congress, the Department of the Treasury, tax professionals, taxpayers, and other Government agencies.
WHY TIGTA DID THE AUDIT
During this audit, TIGTA observed and/or reviewed IRS disaster recovery tests. The IRS is required to conduct disaster recovery tests on its most critical computer systems. Disaster recovery testing is conducted to test the IRS’s ability to recover major computer systems at one Computing Center to another Computing Center. This review was requested by the Cybersecurity organization and is also part of our statutory requirements to annually review the adequacy and security of IRS technology.
WHAT TIGTA FOUND
The IRS is adequately planning and conducting disaster recovery tests of critical current production environment computer systems and is performing disaster recovery exercises and tests on the Customer Account Data Engine 2 system as it is being developed.
However, the IRS can improve disaster recovery test problem reporting and the tracking of progress to implement recommendations made at the conclusion of the tests. TIGTA found that problem tickets used by the IRS for identifying, resolving, and tracking problems encountered during the tests were not created for several problems. In addition, reports prepared by the IRS during the disaster recovery tests used to track the progress and problems it encountered in recovering systems did not have complete information on many of the processes run and problems identified during the tests. Finally, the IRS did not have a process for closely and formally tracking the implementation of the less serious recommendations it made at the conclusion of the disaster recovery tests. During the course of the audit, TIGTA auditors informed the IRS of the need to track these recommendations, and the IRS recently developed a tracking worksheet.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Associate Chief Information Officer, Cybersecurity, 1) revise reports the IRS prepares during disaster recovery tests to include required entries for references to problem tickets and 2) create a process for reviewing the completeness of problem tickets and reports prepared during the tests to help ensure that they contain complete information.
In its response to the report, the IRS agreed with TIGTA’s recommendations. The IRS 1) revised its disaster recovery test reports to require entries for references to problem tickets and 2) created a process for reviewing the completeness of problem tickets and reports.
E-mail Address: TIGTACommunications@tigta.treas.gov
Phone Number: 202-622-6500