ATO system outages review finds 'residual risk' remains

PwC’s post incident review of the ATO’s system outages in December 2016 found that the disruption was caused by multiple component failures on the Storage Area Network (SAN) located at the data centre.

The absence of definitive evidence on the specific conditions, or combination of conditions, that led to technical failures means that a level of residual risk still exists, PwC said.

Despite acknowledging that the ATO acted immediately once aware of the incident, the review further criticised the insufficient readiness level of the tax office for not considering the potential for such an incident occurring.

“No evidence was presented to the review to demonstrate that the design and/or implementation choices made by the service provider relating to technical resilience and recovery capacity had been explicitly presented by the service provider in sufficient detail such that relevant ATO governance forum(s) could fully understand and assess business risk,” PwC said.

“Design and build decisions made by the service provider for the SAN resulted in resilience levels insufficient to cater for the scale and scope of the technical failure, and also led to an extended recovery duration.”

The big four firm has made recommendations to mitigate further risks by replacing the current physical infrastructure and increasing the ATO’s technical knowledge and expertise on the area.

“Strengthening these capabilities will not only contribute to overall improvements in infrastructure resilience, but will also form a key building block for the effective transition to future infrastructure models (i.e. cloud),” PwC said.

Institute of Public Accountants chief executive Andrew Conway welcomed the review, calling on the ATO to act on the recommendations to rebuild the confidence within the tax agent community.

“We believe it is critical for the ATO to act to provide the community, particularly tax agents with the confidence that the vital ICT infrastructure is on the road towards stability and resilience,” said Mr Conway.

“We have and will continue to be very vocal in ensuring the vital role that tax agents play in the tax system and their reliance on stable ICT infrastructure is acknowledged and validated through clear accountability measures.

“This report signals a need for significant investment in the server infrastructure to build fundamental confidence in the resilience of the ATO systems.”