Management Use of Internal Audit to Assure Year 2000 Preparedness

Just a few years ago, the "Year 2000 problem" was a challenge known to few outside the world of IS professionals. The "Millennium Bug" is now a creature of the popular culture, and has captured the attention of managers, regulators, Congress and, of course, the plaintiffs' bar. With the recently revised SEC Bulletin 5, scrutiny of the Year 2000 problem will only intensify and, with it, corporate managers and directors will increasingly ask "are we ready?" and wonder "how can we be sure?" For those inclined to look the other way, moreover, their outside auditors will most likely force them to examine those questions, especially if the company is publicly traded.

While only the millennium itself will ultimately answer the readiness question, senior management and boards of directors need to take immediate steps to discharge their duties to shareholders and protect themselves in the event of future litigation. Perhaps one of the best resources available to them, moreover, lies in their own internal audit staff. Internal audit staff know the company, frequently have access to all its departments, typically have some degree of independence and thus provide a means of testing an entity's Y2K readiness. To utilize this resource, management should direct internal audit to investigate and document the answers to five general questions.

Are Our Internal Bases Covered?

The place to start is with the question of scope: has your company correctly identified all the dimensions of the problem and developed a plan for addressing each? Internally, Y2K may be seen as a multi-layered challenge, which requires at least three levels to be examined and appropriate responses developed. Beginning with the most obvious, they are:

  • The systems of the centralized IT Department: mainframes, networks and the like
  • The distributed information technologies: PCs, laptops and notebooks
  • The embedded chips and process control technologies
  • The non-technical dimension: pre-printed forms, check stock, etc.

Whether or not the enterprise has already completed an assessment process, it is important to review its scope and adequacy. Often, in the effort to complete the assessment so as to get on with remediation, short-cuts may have been taken or areas overlooked. Thus the place to start is to have internal audit review the documentation generated in the assessment process, looking for departments, locations and systems that may have been missed or given comparatively short shrift.

That is not to say all Y2K issues are of equal concern. A key element in the assessment process is triage. A company has to identify those areas, systems and products that are mission-critical or high risk and focus on them, while leaving for later the resolution of problems not posing a threat to the core business of the enterprise. On review, the issues are whether the assessment has been thorough and the resulting priorities deliberate. In most enterprises, the Y2K problem was initially identified at the first level, and awareness in other departments or of other layers followed more slowly. Too often that accident of timing, rather than deliberate management decision, may shape the allocation of resources.

All of this is susceptible to audit. The assessment process in an organization of any size and complexity requires the use of survey forms and should have generated a paper trail reflecting who was surveyed, what they were asked and the quality of the response. Those responses, in turn, should be traceable to documents reflecting the corporate or business unit plan, which in turn commands a budget. A scope review should examine this trail with an eye towards several warning signs:

  • missing units or locations
  • superficial questionnaires lacking critical detail
  • responses that are either anonymous or at a clerical level
  • uncritical reliance on third-party performance
  • no assignment of priority among systems, functions or units
  • no allocation of new resources or express reallocation of existing resources
  • no plan, or a plan without identifiable milestones and dates
  • in a manufacturing/distribution environment, the failure to consider the embedded chip and process control issues

While the above review will not guarantee success, it should alert an auditor to potential shortcomings while corrective measures are still possible. Moreover, if whoever is directed to conduct the audit is instructed to document the process and provide a written report, senior managers and directors who review and act on the audit findings help themselves by creating a record of diligence.

Are Our External Bases Covered?

A company's own internal systems and functions are, however, only part of the Y2K challenge. Almost every organization depends on a "food chain" of suppliers, distributors and customers, and the enterprise most likely is at least as dependent on the performance of those in the chain as it is on its own systems. That dependency may take many forms, from the supply of raw materials to the exchange of electronic data. An enterprise is dependent on the Y2K-readiness of those on its supply side and, in some cases, its "downstream" side as well. This means more than ensuring that these key business partners will remain in business; it may also require an examination of whether the input they are supplying is compliant. Moreover, vendors of products and services need to consider whether their own products and services are compliant and, if not, consider how to bring current products and services into compliance and what obligations they owe to their installed customer base.

To check the adequacy of the enterprise's response to the external risks, at least three questions need to be asked of those responsible for the Y2K effort:

First, have all the parties with whom you exchange electronic data been identified and their compliance programs assessed? This question should naturally arise during the inventory and assessment of a company's internal systems. Accordingly, it should be on the checklist used when reviewing the documents reflecting what the company has done to bring its internal systems into compliance. If there is no paper trail reflecting a systematic review of this issue, then one needs to re-assess the company's internal systems to find an answer. Once all the interfacing parties have been identified, somebody needs to be assigned the responsibility for negotiating a compliance protocol with each interfacing entity.

Second, has there been an attempt to identify, prioritize and communicate with your key suppliers and distributors? Aside from dealing with those with whom your enterprise exchanges data, there is the larger question of key suppliers and distributors. While some enterprises are reportedly attempting to identify and determine the Y2K-readiness of all their business partners, for most enterprises the more realistic approach is to apply the triage principle: some will be ignored as immaterial, others will be sent a letter or questionnaire designed to elicit a commitment, and the most critical will be invited to participate in a coordinated effort to achieve mutual Y2K compliance. Thus management needs to direct internal audit to review the company's Y2K compliance program for evidence that this kind of exercise has been pursued on an enterprise-wide basis.

Third, has anyone considered whether there are risks posed by non-compliant products or services you have previously sold? Obvious examples include anyone selling software products or computer systems, but anyone selling products with embedded intelligence or services with a design component may have exposure. While there are undoubtedly a wide range of defenses that may be available in the event of a failure, companies cannot assume that a standard limitation of liability clause will insulate them from liability. Internal audit should therefore catalogue the firm's current and past product offerings and determine whether each has been assessed with the Y2K exposure specifically in mind.

Are We Keeping Pace?

Once one is assured that the assessment of risks has been comprehensive and adequate remediation plans developed, the key issue is whether the effort is on schedule or falling behind. Given the history of large IS projects falling behind schedule and the immovable nature of the Y2K deadline, keeping pace is a major issue. Many enterprises will undoubtedly experience slippage and may miss the ultimate deadline. The sooner such risks are identified, the more likely it is that additional resources or contingency plans may be brought into play.

In order to monitor progress, there are certain things to watch for in any Y2K effort. The most obvious approach is to insist on objective milestones against which progress can be tracked -- for example, setting dates by which applications or lines of code must be modified. Other techniques involve tracking the resources invested in the effort. While coming in "under budget" may be an admirable goal in many contexts, in the Y2K effort it may indicate lack of progress. Managers need to track head counts and expenditures to look for areas where, for whatever reason, the estimated or budgeted resources are not being spent.

What clearly can't be accepted are blanket representations that the effort is "on schedule." IS projects are notorious for "maintaining" schedule by simply revising the timetable whenever difficulties are encountered. Frequently this is achieved by compressing the time allotted to testing as application development consumes more and more effort. Many IS professionals estimate that fully 50% of the time and effort must be invested in testing. An organization that purports to "keep pace" by continuing to revise and compress the timeline is in trouble.

Given these pitfalls, senior management needs to insist upon both objective milestones and monitoring programs that track performance. Internal audit may then be used to provide an independent perspective and advice on whether the program is on track and where additional resources may need to be invested.

What If We Don't Make It?

The monitoring process is critical because only those companies with a realistic understanding of where they are and whether they will meet the deadline can do effective contingency planning. A "contingency plan" may consist of anything from reverting to manual systems in some instances to outsourcing the function. Whatever the plan, it takes time to develop and requires some lead time to implement. Most importantly, until one knows what the contingency plan is for each piece of the Y2K effort, it is impossible to know the requisite lead time. If, for example, a manual system is the only alternative to a key system and it will take two months to hire and train those who will run that manual system, there is a date certain by which that plan must be implemented.

A Y2K program office must require that business units develop such contingency plans, and either the program office or auditors need to devise ways to determine if contingency planning has occurred and a "trigger date" determined for each such plan. Senior management should require such contingency planning and insist that progress reports be submitted on mission critical Y2K projects well in advance of the identified trigger dates.

How's Our Coverage?

Aside from contingency planning, Y2K preparedness should also include a review of available insurance coverage. The risk manager in most companies will have a complete portfolio of the company's policies. While some commentators have ventured sweeping generalizations concerning whether standard CGL, property and D&O policies do or do not "cover" Y2K liabilities, the range of potential losses and coverage scenarios is so varied that simple conclusions are rarely warranted. Rather, risk managers or their coverage counsel should assess the company's insurance portfolio in light of the progress of the company's remediation efforts and areas of greatest risk.

In those instances where favorable policy terms are identified, the policies need to be reviewed to determine renewal dates and extended reporting periods. Importantly, one needs to consider when the duty to report arises with respect to each kind of risk and how best to handle any necessary disclosures at the time of policy renewal. Where significant gaps in coverage are identified, risk managers need to consider the new "Y2K policies" coming on the market and whether the company's exposures justify investing in such programs.

Here again, while insurance coverage is usually not the province of internal audit, given the importance of insurance as an element of Y2K preparedness, auditors can certainly examine whether risk managers have reviewed the company's insurance portfolio with this particular set of risks in mind.

The Confidentiality Issue

Managers who have considered the difficulty of assuring Y2K preparedness and the potential liabilities that failure may entail frequently worry that there is considerable risk in having internal auditors, or for that matter independent consultants, evaluate the company's Year 2000 effort. The fear so often articulated is that such efforts may uncover more potential problems than can reasonably be addressed and yet, if there is a failure, management's decision not to address every issue uncovered by the audit may be seized upon later by a plaintiff's lawyer as evidence of management neglect.

While it is certainly true that auditor and consultant reports may be used in such a fashion, that risk does not compare to the risk of the underlying failure. Managers and boards who "would rather not hear" run a far greater risk. Such an atmosphere increases the risk of failure and almost guarantees there will not be a record of diligence to point to in defense. Not all shortcomings identified by an audit, moreover, need be addressed. As with any other business issue, management has to exercise its "business judgment" as to which issues should receive priority and which may not be worth the effort in light of a full cost/benefit analysis. A company is far better off if it surfaces the issues and exercises that judgment than if it chooses not to take the steps necessary to be fully informed.

Moreover, a carefully structured internal audit may lead to two different sets of reports. One level might be an across-the-board assessment of the state of the Y2K program, while General Counsel may direct the auditors to look for certain situations or issues presenting legal risks to be reported only to the Office of General Counsel. While such a distinction might not ultimately hold up in litigation, it may afford some protection. In some companies, of course, internal auditors are already sensitized to such issues and are trained to draw just such distinctions in how and to whom they report their findings.

* * * * * *

In any event, the five questions outlined above are the inquiries senior management and board members need to be asking. In some companies, the Y2K program office is well situated to answer these questions, and its role in fact may be to press the individual business units on exactly these kinds of issues. In such cases, the program office probably generates periodic reports which answer these key questions and provide an easy audit trail. In other companies, the program office may be weak or the Y2K effort more decentralized. Determining the enterprise's level of readiness in such circumstances may require more extensive audit resources and perhaps the assistance of third-party assessment providers. Whichever state a company may find itself in, the internal audit department provides a resource for systematically pursuing these issues. If the enterprise is to survive the millennium and position itself to defend potential litigation, directors and officers should consider using that resource.
