Skip to main content

Computer Security: Contingency Plans and Risk Analyses Needed for IRS Computer Centers

IMTEC-86-10 Published: Mar 27, 1986. Publicly Released: Mar 27, 1986.
Jump To:
Skip to Highlights

Highlights

GAO reviewed the Internal Revenue Service's (IRS): (1) plans for ensuring the continuity of its computer operations if any of its 12 computer centers were destroyed or significantly disabled for an extended period; and (2) efforts to implement a risk management program to assess and reduce potential threats to computer operations.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Internal Revenue Service The Commissioner of Internal Revenue should direct the Assistant Commissioner, Support and Services (for the Detroit Data Center), and the Assistant Commissioner, Returns and Information Processing (for all other computer centers), to expedite efforts to develop, certify, and periodically test ADP contingency plans for all IRS computer centers according to the criteria and procedures set forth in the IRS Internal Revenue Manual and Office of Management and Budget (OMB) Circular A-130.
Closed – Not Implemented
As of June 20, 1990, IRS had completed a service-wide disaster recovery strategy report for its computing centers. Contingency plans were being developed at each IRS processing site. Passage of time makes further evaluation of IRS actions difficult without additional audit work.
Internal Revenue Service The Commissioner of Internal Revenue should direct the Assistant Commissioner, Support and Services (for the Detroit Data Center), and the Assistant Commissioner, Returns and Information Processing (for all other computer centers), to expedite efforts to perform periodic risk analyses to: (1) aid in developing and maintaining effective ADP contingency plans; and (2) help assess the internal controls environment, as required by the Federal Managers' Financial Integrity Act of 1982 (FMFIA) and the OMB circular.
Closed – Implemented
IRS has completed risk analyses at its 12 computer centers.
Internal Revenue Service The Commissioner of Internal Revenue should direct the Assistant Commissioner, Support and Services (for the Detroit Data Center), and the Assistant Commissioner, Returns and Information Processing (for all other computer centers), to expedite efforts to continue to report the lack of contingency plans and periodic risk analyses as material control weaknesses under FMFIA until contingency plans have been developed, certified, and tested, and risk analyses, as well as needed corrective action identified by such analyses, have been completed for all computer centers.
Closed – Implemented
IRS reported that these areas were material control weaknesses in its 1986 FMFIA report. IRS stated that it would continue to report them as weaknesses under FMFIA until they are properly resolved.

Full Report

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Agency missionsComputer backupsComputer capacityComputer equipment managementComputer securityContingency plansElectronic data processingIncome taxesPlanningRisk assessmentTax returns