Computer Security:

Contingency Plans and Risk Analyses Needed for IRS Computer Centers

IMTEC-86-10: Published: Mar 27, 1986. Publicly Released: Mar 27, 1986.

Additional Materials:

Contact:

Howard G. Rhile, Jr
(202) 512-6418
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

GAO reviewed the Internal Revenue Service's (IRS): (1) plans for ensuring the continuity of its computer operations if any of its 12 computer centers were destroyed or significantly disabled for an extended period; and (2) efforts to implement a risk management program to assess and reduce potential threats to computer operations.

GAO conducted its review at IRS headquarters, the IRS National Computer Center (NCC), and 4 of the 10 service centers that process tax returns and related documents. GAO found that IRS draft automatic data processing (ADP) plans are incomplete and its emergency measures are inadequate because: (1) NCC has no designated backup processing site; (2) computer capacity problems may make it impossible for one service center to back up another, as currently proposed; (3) IRS has not identified the most critical work-load functions; (4) IRS does not always maintain backup tape files containing data and programs necessary to continue operations; and (5) testing to ensure the workability of ADP contingency plans has been limited. GAO also found that: (1) IRS has not periodically assessed potential risks to computer operations at its centers, although it has recently started a risk analysis program that it hopes to complete in 1987; (2) several IRS centers had physical security problems, making them susceptible to fire and smoke damage or to unauthorized entry after working hours; and (3) contingency plans at one center lacked adequate detail for emergency procedures.

Recommendations for Executive Action

  1. Status: Closed - Not Implemented

    Comments: As of June 20, 1990, IRS had completed a service-wide disaster recovery strategy report for its computing centers. Contingency plans were being developed at each IRS processing site. Passage of time makes further evaluation of IRS actions difficult without additional audit work.

    Recommendation: The Commissioner of Internal Revenue should direct the Assistant Commissioner, Support and Services (for the Detroit Data Center), and the Assistant Commissioner, Returns and Information Processing (for all other computer centers), to expedite efforts to develop, certify, and periodically test ADP contingency plans for all IRS computer centers according to the criteria and procedures set forth in the IRS Internal Revenue Manual and Office of Management and Budget (OMB) Circular A-130.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: IRS has completed risk analyses at its 12 computer centers.

    Recommendation: The Commissioner of Internal Revenue should direct the Assistant Commissioner, Support and Services (for the Detroit Data Center), and the Assistant Commissioner, Returns and Information Processing (for all other computer centers), to expedite efforts to perform periodic risk analyses to: (1) aid in developing and maintaining effective ADP contingency plans; and (2) help assess the internal controls environment, as required by the Federal Managers' Financial Integrity Act of 1982 (FMFIA) and the OMB circular.

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Closed - Implemented

    Comments: IRS reported that these areas were material control weaknesses in its 1986 FMFIA report. IRS stated that it would continue to report them as weaknesses under FMFIA until they are properly resolved.

    Recommendation: The Commissioner of Internal Revenue should direct the Assistant Commissioner, Support and Services (for the Detroit Data Center), and the Assistant Commissioner, Returns and Information Processing (for all other computer centers), to expedite efforts to continue to report the lack of contingency plans and periodic risk analyses as material control weaknesses under FMFIA until contingency plans have been developed, certified, and tested, and risk analyses, as well as needed corrective action identified by such analyses, have been completed for all computer centers.

    Agency Affected: Department of the Treasury: Internal Revenue Service

 

Explore the full database of GAO's Open Recommendations »

Sep 29, 2016

Sep 20, 2016

Sep 15, 2016

Jun 29, 2016

Jun 21, 2016

Apr 28, 2016

Apr 14, 2016

Apr 12, 2016

Mar 23, 2016

Dec 17, 2015

Looking for more? Browse all our products here