United States General Accounting Office GAO Report to the Commissioner of Internal Revenue September 1999 IRS’ YEAR 2000 EFFORTS Actions Are Under Way to Help Ensure That Contingency Plans Are Complete and Consistent GAO/GGD-99-176 United States General Accounting Office General Government Division Washington, D.C. 20548 B-283400 September 14, 1999 The Honorable Charles O. Rossotti Commissioner of Internal Revenue Dear Mr. Rossotti: The Internal Revenue Service (IRS) agreed with recommendations we made in June 1998 to broaden its Year 2000-related contingency planning approach by developing a comprehensive, business-based set of business 1 continuity and contingency plans. Because adequate plans are necessary for mitigating the impact of any Year 2000-related system failure, we followed up on our June 1998 report by reviewing two plans that address critical IRS business processes. We recognize that these plans are being revised to incorporate the results of testing that was done in July 1999. At the time we prepared this report, however, the testing reports were not completed. Because of the time-critical nature of Year 2000 business continuity and contingency planning, we are reporting the results of our work at this time, rather than waiting to review testing reports and any revisions that may be made to the plans as a result of that testing. Our objective was to evaluate two IRS business continuity and contingency plans for their consistency and completeness on the basis of IRS’ guidance for such plans. We focused on 2 of the 18 plans that IRS developed for its submission processing core business process. These two plans address processing paper tax returns that result in a refund and 2 receiving paper submissions (which include tax returns). We reviewed these plans because they are designed to address failure scenarios that, if they occur and are prolonged, could require IRS to revert to manual operations for issuing refunds—something that could potentially affect the majority of taxpayers that file individual tax returns. For example, in calendar year 1998, IRS processed about 91 million paper individual tax 1 IRS’ Year 2000 Efforts: Business Continuity Planning Needed for Potential Year 2000 System Failures (GAO/GGD-98-138, June 15, 1998). 2 As discussed later in this report, IRS identified five submission processing subprocesses: (1) receive paper submissions; (2) receive electronic submissions; (3) control and track tax and submissions; (4) process, correct, and forward payment data; and (5) process, correct, and forward tax information return data. Refund issuance includes aspects of several of these subprocesses. Page 1 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans B-283400 3 returns and issued more than 82 million refunds totaling about $112 billion. Two IRS business continuity and contingency plans—one for processing Results in Brief paper tax returns that result in a refund (hereafter referred to as the refund plan) and the other for receiving paper submissions (hereafter referred to as the paper submissions plan)—were inconsistent and incomplete in two 4 key areas included in IRS’ guidance: performance goals and mitigating actions. These weaknesses raise questions about whether these two plans provide sufficient assurance that IRS has taken all the necessary steps to reduce the impact of a potential Year 2000 failure. IRS’ guidance requires that plans specify a desirable performance goal. The performance goal for the refund plan was inconsistent with the plan’s contingency actions. This inconsistency raises questions about the goal that IRS is trying to achieve with the refund plan. The paper submissions plan did not include a performance goal. Without appropriate performance goals, IRS has little assurance that the contingency actions specified in the plan are appropriate for reducing the impact of a potential Year 2000 failure. In addition, neither plan specified the completion dates for the mitigating actions, which IRS’ guidance defines as the steps that are to be completed in advance of a potential Year 2000-related failure, to help reduce its impact. Moreover, neither plan specified which individuals were to be responsible for completing the mitigating actions. IRS’ guidance requires that the plans include mitigating actions and completion dates, but does not require that responsible individuals be identified for completing mitigating actions. However, without assigning actions to specific individuals and identifying completion dates, IRS has little assurance that these actions will be completed before a potential Year 2000 failure. As part of our effort to provide IRS with timely feedback on our observations regarding its Year 2000 efforts, in June 1999, we informed IRS officials of our concerns regarding these two plans. We also told them that our concerns raise questions about the extent to which other plans may have similar weaknesses. In response to our concerns, IRS officials agreed to make changes to improve the completeness and consistency of these 3 In 1998, IRS received more than 24 million tax returns by means other than paper, either electronically or via the telephone. IRS prepared separate business continuity and contingency plans for Year 2000 system failures that would affect receiving electronic returns. 4 IRS’ guidance refers to a performance goal as the “event /achievement indicating success.” Page 2 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans B-283400 two plans. They also said they have designated an individual that is to determine the extent to which other plans may have similar weaknesses and revise the plans as needed. In addition, IRS assigned one of its Year 2000 contractors to set up a mechanism by which IRS could track the implementation of business continuity and contingency plan actions. If properly implemented in a timely fashion, these actions will give IRS a higher level of assurance that its plans will help reduce the impact of a potential Year 2000-related system failure. In light of IRS’ actions, we are not making any recommendations at this time. Business continuity and contingency plans should describe the steps an Background organization would take to ensure the continuity of its core business processes in the event of a system failure. In a June 1998 report, we made a 5 series of recommendations aimed at broadening IRS’ Year 2000 contingency planning approach to encompass a core business system 6 focus as called for in our business continuity and contingency plan guide. IRS agreed with our recommendations and in July 1998 began to take action to develop a more comprehensive, business-based approach to contingency planning. 7 IRS’ Century Date Change Project Office hired a contractor to provide business continuity and contingency planning expertise and training and assist the business areas in developing and testing their plans. IRS established a working group comprised of representatives from IRS’ business areas to identify IRS’ core processes and associated subprocesses. For each core business process, IRS established a working group to (1) identify possible failure scenarios for subprocesses; (2) determine the business impact of these failures; (3) determine which failure scenarios should be addressed by business contingency plans, based on a scoring system that included business impact and risk; and (4) develop plans for those scenarios. IRS determined that business continuity 5 Specifically, we recommended that IRS (1) solicit the input of business functional area officials to identify IRS’ core business processes and prioritize those processes that must continue in the event of Year 2000-induced failures, (2) map IRS’ mission-critical systems to those core business processes, (3) determine the impact of information system failures on each core business process, (4) assess any existing business continuity and contingency plans that may have been developed for non-Year 2000 reasons to determine whether they are applicable to Year 2000-induced failures, and (5) develop and test contingency plans for core business processes if existing plans are not appropriate. See IRS’ Year 2000 Efforts: Business Continuity Planning Needed for Potential Year 2000 Failures (GAO/GGD-98-138, June 15, 1998). 6 Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19, Aug. 1998). 7 The Century Date Change Project Office within IRS’ Information Systems organization is responsible for coordinating IRS’ Year 2000-related activities. Page 3 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans B-283400 and contingency plans should be prepared for all of the failure scenarios for its five submission processing subprocesses (receive paper submissions; receive electronic submissions; control and track tax and submissions; process, correct, and forward payment data; and process, correct, and forward tax information return data), several of which involve issuing refunds. In November 1998, IRS’ Century Date Change Project Office issued its 8 business continuity and contingency plan guidance that describes the (1) methodology to be used to develop business contingency plans (the term IRS uses for plans prepared in accordance with this guidance) and (2) types of information that should be included in the plans. IRS’ guidance states that IRS used our guide to help develop its methodology for preparing business contingency plans. IRS’ Chief Operations Officer designated a Year 2000 business executive to help coordinate the efforts of the working groups and oversee the development of the plans. According to IRS officials, the groups used IRS’ guidance to develop the plans. These groups also received technical guidance from the contractor. Each business contingency plan was assigned to an executive-level official who was responsible for approving the plan. In the event of a Year 2000 system-related failure, this executive is also to decide if and when the trigger conditions have been met for implementing the business contingency plan. The plans were to be tested to identify any needed changes. The two plans that we reviewed were 9 tested on July 8 and 9, 1999, respectively. The refund plan and the paper submissions plan were inconsistent and Plans Were incomplete in two key areas of IRS’ guidance. These areas were Inconsistent and performance goals and mitigating actions. These weaknesses raise Incomplete questions about whether these two plans provide sufficient assurance that IRS has taken all the necessary steps to reduce the impact of a potential Year 2000 failure. IRS officials agreed to make changes to these two plans to improve their consistency and completeness in these areas. In addition, IRS officials said they have taken steps to help ensure the consistency and completeness of other business contingency plans and make changes to those plans if necessary. 8 Internal Revenue Service Century Date Change Business Continuity and Contingency Plan, Nov. 24, 1998. 9 At the time we were finalizing this letter, the reports showing the testing results were not completed. Page 4 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans B-283400 Refund Plan IRS does not have viable, alternative backup systems for the various 10 information systems used for processing tax returns. Further, IRS’ refund plan acknowledges that in the event that one or more of these systems fail, IRS may experience “a major work stoppage,” depending on how long the failure continues. Given the lack of automated alternatives, the refund plan calls for (1) notifying the public and (2) reverting to manual issuance of refunds—a process that IRS currently uses for certain types of taxpayers (e.g., those receiving a refund of more than $1 million or those with a specific hardship). Although this business contingency plan includes a specific performance goal as required by IRS’ guidance, that goal is inconsistent with the recommended contingency actions. Specifically, the plan’s performance goal calls for issuing 20 percent of the normal refund volume, using a $5,000 minimum as the threshold for manual issuance. However, the plan’s contingency procedures call for instituting a manual operation that would give priority to processing refunds for 1040EZ returns. These returns are filed by taxpayers with taxable incomes of less than $50,000. Consequently, these returns may not generate a significant number of $5,000 refunds. The inconsistency between the performance goal and the business contingency plan procedures raises questions about the goal that IRS is trying to achieve with its contingency plan. For example, if IRS is trying to reduce the potential for incurring increased interest costs on late refunds, 11 high-dollar refunds should be targeted regardless of the type of return. However, if IRS is trying to expedite tax refunds for those taxpayers who may have the greatest financial need, a performance goal that focuses on issuing refunds of $5,000 or more may not be appropriate. In our June 1999 meeting with IRS officials, we pointed out this inconsistency, and they agreed that they needed to change the plan’s performance goal. In our meeting, the executive that was responsible for this plan said the plan’s performance goal should focus on issuing refunds to certain “hardship” taxpayers. According to IRS, hardship taxpayers 10 This plan addresses the business processes that would be implemented if one or more of the following systems fail: (1) Generalized Unpostable Framework, (2) Service Center Control File, (3) Generalized Mainline Framework, (4) Error Resolution System, and (5) Multiple Virtual Storage Enterprise System Architecture (MVSEA). This plan does not address business processes that fall under the purview of the Department of the Treasury’s Financial Management Service, which is responsible for, among other things, receiving and processing requests for issuance of IRS refund checks. 11 As stated in section 6611(e) of the Internal Revenue Code, IRS has until 45 days from the receipt of the tax return or the due date of the return, whichever is later, to issue a refund. If IRS fails to meet that time frame, the taxpayer is entitled to interest on his or her refund amount. Page 5 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans B-283400 would be those that filed a return with (1) a Form 911, Application for Taxpayer Assistance Order; (2) an earned income tax credit, which is a refundable tax credit available to low-income, working taxpayers; or (3) an adjusted gross income within a certain dollar range that is to be determined if a Year 2000 failure actually occurs. With respect to mitigating actions, this plan did not include dates for completing them before a potential Year 2000 failure. Examples of the plan’s mitigating actions include (1) preparing a letter to the Department of the Treasury’s Financial Management Service outlining the process for transferring refund documents and files, (2) planning for one additional week of training on the manual refund issuance process, (3) identifying additional secure storage space in each service center, and (4) coordinating press release information with IRS’ Office of Public Affairs. Moreover, the plan did not specify which individuals were to be responsible for completing the mitigating actions. Although IRS’ guidance does not require that the plan identify specific individuals, without identifying responsible individuals and dates for completing the mitigating actions, IRS has little assurance that these actions will be completed before a potential Year 2000 failure. In our June 1999 meeting, the executive responsible for this plan acknowledged this omission and agreed that the mitigating actions should identify responsible individuals and completion dates. Paper Submissions Plan IRS receives paper submissions, including tax returns, at each service center loading dock. From the loading dock, the returns are taken to the mailroom for sorting. IRS’ Service Center Automated Mail Processing System (SCAMPS) is a new automated system that IRS uses to sort the mail. SCAMPS is to (1) open the envelopes to expedite the extraction process, in which employees remove the tax return information from the envelopes; (2) identify those tax returns with checks; (3) read the bar- coded tax return envelopes and sort them into one of 40 different categories; and (4) sort outgoing mail. The paper submissions plan focuses on the contingency actions to be implemented in the event that SCAMPS experiences a Year 2000 system failure. Although IRS’ guidance calls for plans to contain a performance goal, the paper submissions plan did not include one. According to the plan, “specific performance measures for manual mail handling operations are not yet available.” However, without a performance goal, it is unclear how IRS determined that it would be sufficient to “use available service center personnel to handle incoming mail” as specified in the plan. Page 6 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans B-283400 While we recognize that IRS is developing new performance measures that may not yet be available for this business function, in our June 1999 meeting with IRS officials, we identified information that could be used to develop a performance goal for the plan. For example, the SCAMPS processing rate could be used as a guide for developing an acceptable (albeit reduced) level of service for a manual mail sorting process. IRS could also use its productivity data on employees that manually extract tax return information from envelopes as a basis for developing a performance goal. The IRS executive that was responsible for this plan agreed that a goal should be included and that these two data sources could be used to develop that goal. The plan’s mitigating actions were also incomplete. Like the refund plan, this plan did not include the dates and the responsible individuals for completing the plan’s two mitigating actions. Also, we told IRS officials that we had questions about the viability of one of the plan’s mitigating actions. That action calls for reverting back to a mail sorting system that is currently not Year 2000 compliant. Even if IRS could develop a workaround solution to make the older mail sorting system Year 2000 compliant, IRS officials said that they had planned to remove the equipment for the older system by the 2000 filing season. IRS officials told us that as a result of testing this plan, this mitigating action would be deleted in the revised plan. The executive responsible for this plan also agreed to add responsible individuals and the dates for completing the other mitigating action, which pertains to sorting outgoing mail. Actions Are Under Way to In addition to agreeing to make changes to the two plans, IRS officials said that actions are under way to help ensure that other business contingency Help Ensure Consistency plans are consistent and complete. According to officials in IRS’ Business and Completeness of All 12 Systems Requirements Office (BSRO), a staff member has been Plans designated to review all of the business contingency plans for consistency and completeness and for crosscutting issues among the plans. Heretofore, BSRO did not view this as its function, in part because according to BSRO officials, it had a limited number of staff. IRS also has issued a work request for one of its Year 2000 contractors to develop a database that BSRO staff could use to track the implementation of key elements of the business contingency plan (e.g., triggers, mitigating actions, contingency team actions). According to IRS, information from the business contingency plans is to be added to the database by late September 1999, and reports are to be generated shortly thereafter. 12 BSRO, among other things, provides support to business functions for contingency planning and helps ensure Year 2000 compliance for the Chief Operations Officer organizations. Page 7 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans B-283400 If properly implemented in a timely fashion, these actions should provide IRS with a higher level of assurance that its business contingency plans will help reduce the impact in the event of a Year 2000–related system failure. Accordingly, we are not making any recommendations at this time. To achieve our objective of evaluating the consistency and completeness Scope and of two of IRS’ Year 2000 business contingency plans according to IRS’ Methodology guidance, we • reviewed the following business continuity and contingency plan guidance: (1) Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19, Aug. 1998); (2) Internal Revenue Service Century Date Change Contingency Management Plan, (Version 5.0, Mar. 1, 1999); and (3) Internal Revenue Service Century Date Change Business Continuity and Contingency Plan, (Version 1.0, Nov. 24, 1998); • interviewed officials from the Century Date Change Project Office; • interviewed members of the submission processing contingency plan working group, the executive that was responsible for the two plans we reviewed, the Business Year 2000 Executive, and other BSRO staff; • toured the Atlanta Service Center to learn more about how tax returns are processed through IRS’ information systems; and • reviewed 6 of the 10 sections of the two business contingency plans to determine whether they were consistent with IRS’ guidance. We did not analyze four sections of the plans (training and testing, post- event wrap-up, contingency actions log sheet, and information recovery) for several reasons. In lieu of including the testing procedures in the plan, IRS developed separate test plans for each contingency plan. To provide timely feedback to IRS so that they could begin corrective actions promptly, we focused our efforts on the business contingency plans themselves rather than the test plans. We did not analyze the post-event wrap-up information or the contingency actions log sheet because these sections are to be completed after the business contingency plan has been implemented. Both plans included little information about information recovery (i.e., regaining or retrieving data that may be lost or damaged as a 13 result of a system failure). 13 The refund plan stated that (1) lost data could be recovered from original documents given that returns are stored up to 6 months at the service centers, and (2) recovery of damaged data was under the purview of IRS’ Information Systems contingency plans. We did not review these plans. The paper submissions plan indicated that developing manual procedures for recovering the types of management information data generated by SCAMPS was not possible. Page 8 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans B-283400 We also did not review any existing business resumption plans that IRS developed for other than Year 2000-induced failures, and we did not examine the relationship between individual Year 2000 business 14 contingency plans and IRS’ “End Game” activities, which IRS is currently developing. We conducted our review from May 1999 to July 1999 in accordance with generally accepted government auditing standards. On August 27, 1999, we obtained written comments on a draft of this Agency Comments and report from the Commissioner of Internal Revenue. (See app. I for a copy Our Evaluation of IRS’ letter.) IRS said that it generally agreed with the issues raised in our report and is taking the necessary steps to correct them. IRS also amplified on its business contingency plan testing process and clarified some facts and provided updated information, which we included in the report where appropriate. IRS said that it had envisioned that the business contingency plans were “living documents” that would be revised over time to reflect changes in technology, business processes, and legislation. Furthermore, IRS said that the plans were to be tested by subject matter experts, including field staff, to ensure their viability, which would result in modifications to the plans. We agree that the plans were to be living documents and designed our methodology accordingly. Recognizing that the plans were subject to change based on the results of business contingency plan testing (as stated on p. 1 of our draft report), we met with IRS in June 1999 to discuss our initial findings. We scheduled this meeting, in part, so that IRS would have the benefit of our feedback while the plans were still subject to change, and possibly before they were to be tested. IRS said that as a result of our findings on the weaknesses in the plans and the results of testing two plans, it has begun work to address our concerns. We are sending copies of this letter to Representative Amo Houghton, Chairman, and Representative William J. Coyne, Ranking Minority Member, Subcommittee on Oversight, House Committee on Ways and Means; Senator Robert F. Bennett, Chairman, and Senator Christopher J. Dodd, Vice-Chairman, Senate Special Committee on the Year 2000 Technology Problem; and Representative Stephen Horn, Chairman, and 14 IRS has a three-part “End Game” strategy that involves (1) preparing back-up data during the New Year’s weekend; (2) conducting validation checks of its systems, telecommunications, and facilities during the New Year’s weekend to identify any issues before the first day of business in 2000; and (3) proactively monitoring key events to mitigate Year 2000-related problems that may interrupt national tax processing. IRS’ monitoring efforts are scheduled to continue through March 2000. Page 9 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans B-283400 Representative Jim Turner, Ranking Minority Member, Subcommittee on Government Management, Information and Technology, House Committee on Government Reform. We are also sending copies to the Honorable Lawrence H. Summers, Secretary of the Treasury, and the Honorable Jacob J. Lew, Director of the Office of Management and Budget. Copies will be made available to others on request. If you have any questions about the information contained in this report, please contact me or Sherrie Russ at (202) 512-9110. Key contributors to this assignment were Jackie Nowicki, Joanna Stamatiades, and Linda Standau. Sincerely yours, James R. White Director, Tax Policy and Administration Issues Page 10 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans Page 11 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans Appendix I Comments From the Internal Revenue Service Page 12 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans Appendix I Comments From the Internal Revenue Service Page 13 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans Appendix I Comments From the Internal Revenue Service Page 14 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans Page 15 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans Page 16 GAO/GGD-99-176 IRS’ Year 2000 Business Contingency Plans Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Order by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 th th 700 4 St. NW (corner of 4 and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touch-tone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send e-mail message with “info” in the body to: email@example.com or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested (268897)
IRS' Year 2000 Efforts: Actions Are Underway to Help Ensure That Contingency Plans Are Complete and Consistent
Published by the Government Accountability Office on 1999-09-14.
Below is a raw (and likely hideous) rendition of the original report. (PDF)