IRS' Year 2000 Efforts:

Business Continuity Planning Needed for Potential Year 2000 System Failures

GGD-98-138: Published: Jun 15, 1998. Publicly Released: Jun 15, 1998.

Additional Materials:

Contact:

James R. White
(202) 512-5594
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

GAO reviewed the Internal Revenue Service's (IRS) efforts to have its information systems function correctly when processing dates beyond December 31, 1999, focusing on: (1) IRS' progress in converting its systems according to the guidelines in GAO's year 2000 assessment guide; (2) the risks IRS faces to completing the year 2000 effort on time; and (3) risks to the continuity of IRS operations in the event of year 2000-induced system failures.

GAO noted that: (1) according to IRS, before January 1999, it needs to complete 12 steps of its 14-step process for converting: (a) the applications for its existing systems; (b) the telecommunications networks; and (c) systems software and hardware for mainframes, minicomputers/file servers, and personal computers; (2) in addition, before January 1999, IRS needs to: (a) ensure that external data exchanges will be year 2000 compliant; (b) implement the Integrated Submission and Remittance Processing System and, at a minimum, the year 2000 portions of mainframe consolidation; and (c) modify application software to implement tax law changes for the 1999 and 2000 filing seasons; (3) if these efforts are not completed, IRS' tax processing and collection systems may fail to operate or may generate millions of erroneous tax notices, refunds, interest calculations, and account adjustments; (4) for the conversion of its existing systems, IRS has made more progress on its applications than on its information systems infrastructure; (5) specifically, as of April 24, 1998, IRS reported that it had completed the first 12 steps of its 14-step conversion process for applications for about 46 percent of the 127 systems it has deemed as mission-critical; (6) IRS expects to convert the applications for the remaining 54 percent of the mission-critical systems by January 1999; (7) the two major systems replacement efforts, which are also expected to follow IRS' 14-step conversion process, are experiencing some schedule slippages; (8) IRS officials said they expect to complete the year 2000 portions of the mainframe consolidation by the original completion date of December 1998; (9) GAO identified two risk areas for IRS' year 2000 effort: (a) the lack of an integrated master conversion and replacement schedule; and (b) a limited approach to contingency planning; (10) since GAO's briefing, IRS has decided to have a contractor develop an integrated schedule of its year 2000-related efforts, including making all of the necessary tax law changes for 1999; (11) IRS officials said they hope to have a baseline, master integrated schedule in June 1998; and (12) in part, due to IRS officials' concerns that the same resources that are doing year 2000 conversion work would be needed to do contingency planning, IRS officials decided to develop a process that would minimize the number of contingency plans that would have to be developed.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: According to IRS officials, they did do this assessment and found that existing plans were, for the most part, not applicable to Year 2000 failures. GAO requested a written copy of this analysis but IRS officials said that the results of their analysis were not documented.

    Recommendation: The Commissioner of Internal Revenue should ensure that IRS has adequately assessed the vulnerabilities of its core business processes in the event of year 2000-induced system failures by assessing any existing business continuity and contingency plans that may have been developed for non-year 2000 reasons to determine whether these plans are applicable to year 2000-induced failures.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: IRS established a business contingency planning working group that includes staff from business functional units. This working group: (1) identified core business processes,(2) developed failure scenarios for those processes and mapped subprocesses to systems, (3)assigned a business impact value to the core business process, (4) developed risk assessment ratings for processes by assigning a probability of risk multiplied by its business impact rating; and (5) determined that IRS needed to develop 37 contingency plans.

    Recommendation: The Commissioner of Internal Revenue should ensure that IRS has adequately assessed the vulnerabilities of its core business processes in the event of year 2000-induced system failures by determining the impact of information system failures on each core business process.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Closed - Implemented

    Comments: IRS completed its mapping of systems to core business processes.

    Recommendation: The Commissioner of Internal Revenue should ensure that IRS has adequately assessed the vulnerabilities of its core business processes in the event of year 2000-induced system failures by mapping IRS' mission-critical systems to those core business processes.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Closed - Implemented

    Comments: IRS established a business contingency planning working group that includes staff from business functional units. This working group: (1) identified core business processes,(2) developed failure scenarios for those processes and mapped subprocesses to systems, (3)assigned a business impact value to the core business process, (4) developed risk assessment ratings for processes by assigning a probability of risk multiplied by its business impact rating; and (5) determined that IRS needed to develop 37 contingency plans.

    Recommendation: The Commissioner of Internal Revenue should ensure that IRS has adequately assessed the vulnerabilities of its core business processes in the event of year 2000-induced system failures by soliciting the input of business functional area officials to identify IRS' core business processes and prioritize those processes that must continue in the event of year 2000-induced failures.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Closed - Implemented

    Comments: According to IRS' September 15, 1999, Business Contingency Plan Weekly Status Report, 40 business contingency plans have been completed and all but 3 of those Plans have been tested. GAO's recent report (GAO/GGD-99-176) discusses the results of its review of two key business contingency plans and states that two plans were inconsistent and incomplete in two key areas and these weaknesses raise questions about whether these two plans provide sufficient assurance that IRS has taken all the necessary steps to reduce the impact of a potential Year 2000 failure. Moreover, the report said that the weaknesses in these two plans raise questions about the extent to which other plans may have similar weaknesses. Accordingly, IRS agreed to take steps to help ensure the completeness and consistency of all business contingency plans. On June 8, 2000, I contacted Carole Sheehy in IRS' Business Systems Requirements Office and she said IRS had completed these actions for the other plans.

    Recommendation: The Commissioner of Internal Revenue should ensure that IRS has adequately assessed the vulnerabilities of its core business processes in the event of year 2000-induced system failures by developing and testing contingency plans for core business processes if existing plans are not appropriate.

    Agency Affected: Department of the Treasury: Internal Revenue Service

 

Explore the full database of GAO's Open Recommendations »

Sep 13, 2016

Sep 6, 2016

Jul 29, 2016

Jul 7, 2016

Jun 27, 2016

Jun 23, 2016

Apr 19, 2016

Apr 13, 2016

Apr 7, 2016

Mar 28, 2016

Looking for more? Browse all our products here