The objective of the audit was to assess whether the Australian Taxation Office has effectively responded to recent system failures and unscheduled outages.
The high-level criteria were that the ATO:
- effectively responded to the particular system failures and outages;
- revised its information, communications and technology (ICT) governance, systems and processes in line with the agreed recommendations in the post-incident reviews of the system failures; and
- has established and met service commitments and outage tolerances for ICT system availability.
The ATO’s responses to the system failures and unscheduled outages were largely effective, despite inadequacies in business continuity management planning relating to critical infrastructure. The post-incident reviews commissioned and conducted by the ATO have informed the ongoing management of its ICT environment, including through strategies and actions to improve ICT governance, strengthen business continuity processes and address availability and resilience gaps in systems infrastructure.
The ATO has structured its response to the system failures of December 2016 and February 2017 around the 14 recommendations included in the ATO systems report. The ANAO considers that, at November 2017, the ATO had implemented four recommendations and partly implemented the remaining 10 recommendations. The implemented recommendations mainly relate to technical solutions to the particular system failures, while the broader initiatives to strengthen ICT governance and processes are underway. Considerable work is required to implement the recommendations before many of the intended and agreed outcomes are achieved.
The ATO does not have service commitments specifically relating to the availability of ICT systems but does specify system outage tolerances in its major contracts with ICT service providers. To monitor the impact of ICT service outages on satisfaction with its services, the ATO should develop service standards that are aligned with system outage tolerances in its contracts with ICT service providers.