Summary

GAO reviewed the Internal Revenue Service's (IRS): (1) plans for ensuring the continuity of its computer operations if any of its 12 computer centers were destroyed or significantly disabled for an extended period; and (2) efforts to implement a risk management program to assess and reduce potential threats to computer operations.

GAO conducted its review at IRS headquarters, the IRS National Computer Center (NCC), and 4 of the 10 service centers that process tax returns and related documents. GAO found that IRS draft automatic data processing (ADP) plans are incomplete and its emergency measures are inadequate because: (1) NCC has no designated backup processing site; (2) computer capacity problems may make it impossible for one service center to back up another, as currently proposed; (3) IRS has not identified the most critical work-load functions; (4) IRS does not always maintain backup tape files containing data and programs necessary to continue operations; and (5) testing to ensure the workability of ADP contingency plans has been limited. GAO also found that: (1) IRS has not periodically assessed potential risks to computer operations at its centers, although it has recently started a risk analysis program that it hopes to complete in 1987; (2) several IRS centers had physical security problems, making them susceptible to fire and smoke damage or to unauthorized entry after working hours; and (3) contingency plans at one center lacked adequate detail for emergency procedures.